![Page 1: Purdue University Center for Education and Research in Information Assurance and Security Building a distributed intrusion detection system with Perl Diego](https://reader036.vdocuments.us/reader036/viewer/2022081516/55147d88550346ea6e8b47ce/html5/thumbnails/1.jpg)
Purdue University
Center for Education and Research in Information Assurance and Security
Building a distributed intrusion detection system with Perl
Diego Zamboni
CERIAS, Purdue University

What is AAFID?
• Autonomous Agents for Intrusion Detection
• Architecture for distributed monitoring
• Test bed for intrusion detection techniques and algorithms
• Basis for a prototype implementation

System architecture (two diagram slides)
[Diagram 1: hosts A, B, C, D and E, with the component types Agents, Transceivers, Monitors and Filters, a UI, and the Control and Data flows between them]
[Diagram 2: the UI and hosts A, B, C, D and E]

Some design objectives
• All entities must run both as stand-alone programs and as loadable modules
• All infrastructure functionality must be provided by base entities
• Different types of entities have different functionality requirements

Why Perl?
• Ease of prototyping
• Portability

Our object hierarchy (AAFID::), as laid out on the slide
• Entity
  – ControllerEntity: Monitor, Transceiver
  – Agent: the individual agents
  – Filter: the individual filters
• Support modules: Message, Log, Config, Constants, Common
• Event handling/communication: Comm (with Comm::Reactor, the event handler)

Event handler
• Comm::Reactor implements a general event handler
• Can react to file, time and signal events
• Arbitrary callbacks (code refs)
• Implemented using IO::Select
• Using class methods instead of instance methods caused some nasty bugs
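
The slides do not show Comm::Reactor's source, so the following is an added example in the same shape, not AAFID code: a small reactor built on IO::Select that dispatches file, timer and signal events to arbitrary code refs. All state lives in the object instance rather than in package variables, which is what avoids the class-method bugs the slide mentions (two reactors in one process would otherwise share callbacks). The package and method names are assumptions; a pipe stands in for the agent-transceiver channel of the communication slide.

```perl
#!/usr/bin/perl
# Added example, not AAFID code: a minimal reactor in the spirit of
# Comm::Reactor. Package and method names are assumptions.
use strict;
use warnings;

package Example::Reactor;
use IO::Select;
use Time::HiRes ();          # sub-second timers

sub new {
    my ($class) = @_;
    # All state lives in the instance; shared package-level state is what
    # makes class-method reactors step on each other.
    return bless {
        select  => IO::Select->new,
        fh_cb   => {},   # fileno => code ref, run when the handle is readable
        timers  => [],   # [ due_time, code ref ]
        sig_cb  => {},   # signal name => code ref
        pending => {},   # signals caught since the last loop iteration
        running => 1,
    }, $class;
}

sub add_fh    { my ($s, $fh, $cb) = @_; $s->{select}->add($fh); $s->{fh_cb}{ fileno $fh } = $cb }
sub add_timer { my ($s, $delay, $cb) = @_; push @{ $s->{timers} }, [ Time::HiRes::time() + $delay, $cb ] }
sub stop      { $_[0]{running} = 0 }

sub add_signal {
    my ($s, $sig, $cb) = @_;
    $s->{sig_cb}{$sig} = $cb;
    # The handler only sets a flag; the callback runs from the loop, where it
    # is safe to touch Perl data structures and do I/O.
    $SIG{$sig} = sub { $s->{pending}{$sig} = 1 };
}

sub run {
    my ($s) = @_;
    while ($s->{running}) {
        # Block no longer than the earliest timer so timers fire on schedule.
        my ($next) = sort { $a->[0] <=> $b->[0] } @{ $s->{timers} };
        my $timeout = $next ? $next->[0] - Time::HiRes::time() : 1;
        $timeout = 0 if $timeout < 0;

        for my $fh ($s->{select}->can_read($timeout)) {
            $s->{fh_cb}{ fileno $fh }->($fh);
        }

        my $now = Time::HiRes::time();
        my @due = grep { $_->[0] <= $now } @{ $s->{timers} };
        $s->{timers} = [ grep { $_->[0] > $now } @{ $s->{timers} } ];
        $_->[1]->() for @due;

        for my $sig (keys %{ $s->{pending} }) {
            delete $s->{pending}{$sig};
            $s->{sig_cb}{$sig}->();
        }
    }
}

package main;
use IO::Handle;

# Demo: a pipe plays the agent-transceiver channel.
pipe(my $rd, my $wr) or die "pipe: $!";
$wr->autoflush(1);

my $reactor = Example::Reactor->new;
$reactor->add_fh($rd, sub {
    my ($fh) = @_;
    my $line = <$fh>;
    unless (defined $line) {          # EOF: the writer went away
        print "file event: channel closed, stopping\n";
        $reactor->stop;
        return;
    }
    print "file event: $line";
});
$reactor->add_timer(0.2, sub { print "timer event\n"; print $wr "hello over the pipe\n" });
$reactor->add_timer(0.4, sub { kill 'USR1', $$ });
$reactor->add_signal('USR1', sub { print "signal event: USR1, closing writer\n"; close $wr });
$reactor->run;
```

Run it with plain perl on a Unix system (it sends itself SIGUSR1). The signal handler deliberately does nothing but set a flag; the real callback runs from the loop, so it can safely allocate, log and write to handles.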

Cool uses of Perl #1: defining new commands
• Entities react to commands
• Command CMD is defined by a subroutine called command_CMD
• New commands can be added with very little effort just by defining the appropriate subroutines

Cool uses of Perl #2: named parameters
• Entity objects are represented by a hash reference
• Entity parameters are stored as elements in that hash
• Each entity is tied to a hash to allow easy access to parameters ($Params{param} instead of $self->{param})
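
An added example, not AAFID code, covering the two preceding slides: commands dispatched to a subroutine named command_CMD, and a tied %Params hash that reads and writes the entity's own parameter hash. The dispatcher only accepts identifier-shaped names that resolve to a command_ subroutine, so a command received in a message can never invoke new(), DESTROY or any other method. Package, class and command names are assumptions; the one-tied-hash-per-process layout follows the design objective that every entity also runs as a stand-alone program.

```perl
#!/usr/bin/perl
# Added example, not AAFID code: commands dispatched by subroutine name and a
# tied %Params hash over the entity's parameter hash. Names are assumptions.
use strict;
use warnings;

package Example::ParamTie;
# Tie class: the tied hash is a view onto $entity->{params}, so %Params and
# $self->{params} always agree.
sub TIEHASH  { my ($class, $entity) = @_; return bless \$entity, $class }
sub FETCH    { my ($t, $k) = @_; return ${$t}->{params}{$k} }
sub STORE    { my ($t, $k, $v) = @_; ${$t}->{params}{$k} = $v }
sub EXISTS   { my ($t, $k) = @_; return exists ${$t}->{params}{$k} }
sub DELETE   { my ($t, $k) = @_; return delete ${$t}->{params}{$k} }
sub FIRSTKEY { my ($t) = @_; my $p = ${$t}->{params}; keys %$p; return each %$p }
sub NEXTKEY  { my ($t) = @_; return each %{ ${$t}->{params} } }

package Example::Entity;
our %Params;   # one entity per process, so one tied hash suffices

sub new {
    my ($class, %init) = @_;
    my $self = bless { params => {%init} }, $class;
    tie %Params, 'Example::ParamTie', $self;
    return $self;
}

# A command CMD is the subroutine command_CMD. dispatch() admits only names
# that look like identifiers and resolve to a command_ method, so a message
# cannot reach new(), DESTROY or anything outside the command set.
sub dispatch {
    my ($self, $cmd, @args) = @_;
    return (1, "bad command name")
        unless defined $cmd && $cmd =~ /^[A-Za-z_]\w{0,31}\z/;
    my $code = $self->can("command_$cmd")
        or return (1, "unknown command $cmd");
    return $self->$code(@args);
}

# Adding a command is just adding a command_<name> subroutine.
sub command_set_period {
    my ($self, $period) = @_;
    return (1, "period must be a positive integer")
        unless defined $period && $period =~ /^\d+\z/ && $period > 0;
    $Params{period} = $period;       # stored through the tie into $self->{params}
    return (0, "period is now $self->{params}{period}");
}

sub command_status {
    my ($self) = @_;
    return (0, join ' ', map { "$_=$Params{$_}" } sort keys %Params);
}

package main;

my $agent = Example::Entity->new(name => 'CheckRoot', period => 10);
for my $msg (['status'], ['set_period', 30], ['status'],
             ['set_period', 'soon'], ['DESTROY'], ['set period!']) {
    my ($cmd, @args) = @$msg;
    my ($rc, $text) = $agent->dispatch($cmd, @args);
    printf "%-18s -> %d %s\n", join(' ', $cmd, @args), $rc, $text;
}
```

The last three messages are rejected: a malformed period by the command's own validation, DESTROY because no command_DESTROY exists, and a name with spaces by the identifier check before any method lookup happens.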

Cool uses of Perl #3: hash syntax
• Allows having a very general "data" field in AAFID messages: command add_fs … FS=>"/", Limit=>85
• Data::Dumper and eval do all the work for generating and interpreting data fields
• Eval: potential security problems
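
The security problem the last bullet notes is that eval on a data field compiles and runs whatever the sender put there, so a message from a compromised host becomes code execution in the receiving entity. The following added example (not AAFID code; subroutine names are assumptions) shows the Data::Dumper side, the eval-based decoder as the slide describes it, and a strict decoder that accepts only key => literal pairs in the same hash syntax and rejects anything else without executing it.

```perl
#!/usr/bin/perl
# Added example, not AAFID code. A message data field is a Perl hash literal
# such as  FS=>"/", Limit=>85 : Data::Dumper generates it and eval decodes
# it, and eval also runs any code a sender puts in the field. The strict
# decoder below accepts only key => literal pairs. Names are assumptions.
use strict;
use warnings;
use Data::Dumper;

# Generating side: dump a hash as a one-line field without the outer braces.
sub encode_data {
    my (%data) = @_;
    local $Data::Dumper::Terse    = 1;   # no leading "$VAR1 ="
    local $Data::Dumper::Indent   = 0;   # single line
    local $Data::Dumper::Sortkeys = 1;   # stable key order
    my $s = Dumper(\%data);              # {'FS' => '/','Limit' => 85}
    $s =~ s/\s+\z//;
    $s =~ s/^\{//;
    $s =~ s/\}\z//;
    return $s;
}

# Receiving side as the slide describes it: eval does all the work, and also
# executes whatever else the field contains. Only usable on trusted input.
sub decode_data_unsafe {
    my ($field) = @_;
    my %h = eval "($field)";
    return (undef, "eval failed: $@") if $@;
    return (\%h, undef);
}

# Strict alternative: a tokenizer for   key => 'string' | "string" | number
# pairs separated by commas. Nothing is compiled or executed.
my $KEY = qr/[A-Za-z_]\w*|'[A-Za-z_]\w*'/;
my $STR = qr/'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"/;
my $NUM = qr/-?\d+(?:\.\d+)?/;

sub decode_data {
    my ($field) = @_;
    my %h;
    pos($field) = 0;
    while ($field =~ /\G\s*($KEY)\s*=>\s*($STR|$NUM)\s*(?:,|\z)/gc) {
        my ($k, $v) = ($1, $2);
        $k =~ s/\A'(.*)'\z/$1/;
        if ($v =~ /\A(['"])(.*)\1\z/s) {
            $v = $2;
            $v =~ s/\\(.)/$1/gs;   # undo the \' \" \\ escapes Data::Dumper writes
        }
        $h{$k} = $v;
    }
    my $used = pos($field) // 0;
    return (undef, "rejected: unparsable data at offset $used")
        if $used != length $field;
    return (\%h, undef);
}

my $field = encode_data(FS => '/', Limit => 85);
print "field:   $field\n";

my ($data, $err) = decode_data($field);
die $err if $err;
print "decoded: ", join(', ', map { "$_=$data->{$_}" } sort keys %$data), "\n";

# Constructed sample of a field carrying code instead of a literal: eval would
# call time() while decoding it; the strict decoder refuses the whole field.
my $hostile = 'FS => "/", Limit => time()';
($data, $err) = decode_data($hostile);
print "strict:  ", ($data ? "accepted" : $err), "\n";
```

The strict decoder deliberately supports only the subset of hash syntax that Data::Dumper emits for flat string and number values, which is all the add_fs example needs; nested structures would need a recursive grammar, not a call to eval.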

Cool uses of Perl #4: code generation tool
• Reads a description file, writes Perl code
• Inserts #line N "file" directives so that error messages refer to the description file
• Allows definition of new commands with named parameters

A very simple agent
    NAME: CheckRoot
    AUTHOR: Diego Zamboni
    DESCRIPTION: Check root dir permissions
    VERSION: 0.1
    PERIOD: 10
    CHECK: if (-w "/") {
        return(10, "Root dir is writable");
    } else {
        return(0, "Everything ok");
    }
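
An added example for the two preceding slides, not the AAFID generator itself: it parses an agent description in the format shown above, writes a Perl package for it, and places a #line directive in front of the CHECK body so that Perl reports compile errors against the description file and its line numbers. The description text is copied from the slide; the file name, package naming and the command-file layout are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the AAFID generator: reads an agent description, writes
# a Perl package for it, and uses #line so errors point at the description.
# File, package and field names are assumptions.
use strict;
use warnings;

# Parse "FIELD: value" lines; lines that do not start a field continue the
# previous one, which is how the multi-line CHECK body is collected. Returns
# the fields and the line number on which each field started.
sub parse_description {
    my ($file, $text) = @_;
    my (%field, %line, $cur);
    my $n = 0;
    for my $l (split /\n/, $text) {
        $n++;
        if ($l =~ /^([A-Z]+):[ \t]?(.*)$/) {
            $cur = $1;
            $field{$cur} = $2;
            $line{$cur}  = $n;
        } elsif (defined $cur) {
            $field{$cur} .= "\n$l";
        }
    }
    for my $req (qw(NAME PERIOD CHECK)) {
        die "$file: missing $req field\n" unless defined $field{$req};
    }
    die "$file: NAME must be an identifier\n"        unless $field{NAME}   =~ /\A[A-Za-z_]\w*\z/;
    die "$file: PERIOD must be a positive integer\n" unless $field{PERIOD} =~ /\A[1-9]\d*\z/;
    return (\%field, \%line);
}

# Emit a field value as a Perl literal: bare for integers, single-quoted otherwise.
sub perl_literal {
    my ($v) = @_;
    return $v if $v =~ /\A-?\d+\z/;
    $v =~ s/(['\\])/\\$1/g;
    return "'$v'";
}

sub generate_agent {
    my ($file, $field, $line) = @_;
    my $pkg  = "Example::Agent::$field->{NAME}";
    my $info = join ",\n",
        map { sprintf "    %-12s => %s", lc $_, perl_literal($field->{$_}) }
        sort grep { $_ ne 'CHECK' } keys %$field;
    return <<"END";
package $pkg;
use strict;
use warnings;

# Generated from $file; edit the description, not this file.
our \%INFO = (
$info,
);

sub check {
#line $line->{CHECK} "$file"
$field->{CHECK}
}

1;
END
}

# Constructed description, copied from the slide; the file name is assumed.
my $file = 'check_root.agent';
my $desc = <<'END';
NAME: CheckRoot
AUTHOR: Diego Zamboni
DESCRIPTION: Check root dir permissions
VERSION: 0.1
PERIOD: 10
CHECK: if (-w "/") {
    return(10, "Root dir is writable");
} else {
    return(0, "Everything ok");
}
END

my ($field, $line) = parse_description($file, $desc);
my $code = generate_agent($file, $field, $line);
print $code, "\n";

# Load the generated package and run one check, as the agent would every PERIOD seconds.
eval $code or die "compiling $file: $@";
my ($level, $msg) = Example::Agent::CheckRoot::check();
print "CheckRoot (every $Example::Agent::CheckRoot::INFO{period}s): level $level, $msg\n";

# The same description with a typo on line 7 (missing comma). Thanks to #line
# the error names check_root_broken.agent line 7, not the generated text.
(my $broken = $desc) =~ s/NAME: CheckRoot/NAME: CheckRootBroken/;
$broken =~ s/return\(10, /return(10 /;
my ($bf, $bl) = parse_description('check_root_broken.agent', $broken);
my $bad = generate_agent('check_root_broken.agent', $bf, $bl);
eval $bad or print "compile error: $@";
```

Note that the generator compiles code read from a local description file written by the agent's author; that is a different trust boundary from the message data fields discussed on the previous slide, which arrive over the network and must not be passed to eval.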

Communication mechanisms
• Transceiver-agent: Unix pipes
• Monitor-transceiver: TCP
• Both are transparently used as IO::Handles (at least in Unix)
• All communications are encapsulated, so they are easy to replace or upgrade

Other aspects
• Graphical User Interface
– Uses Tk package
– Very early stages
– Subject for a lot of future research

AAFID GUI (two screenshot slides)

Some CPAN modules we used
• IO::{Handle,Select,Socket,File}
• Data::Dumper
• Resources
• Log::Topics
• Tk

Did Perl live up to our original expectations?
• Ease of prototyping
– Yes: we had the first working entities in ~2 weeks
• Portability
– So-so: we are still struggling with NT

Some lessons learned (1)
• Perl made it easy to build a large system quickly
• Perl was the right choice for most entities (data manipulation)
• Object-oriented design made growth much easier

Some lessons learned (2)
• Big resource usage for our needs
– We need tens, maybe hundreds of agents per host
• Even within the Unix domain, some things differ (Linux/Solaris, for example)

Some things we learned (3)
• It's difficult to debug a distributed system
  – A detailed "debug log" mode helps
• In a big system, Perl requires programmers to be very careful

Current state
• AAFID2 is now in its second public release
• http://www.cerias.purdue.edu/projects/aafid/
• Runs on Perl 5.005 (not yet tested on 5.6.0)

The future
• Try using threads instead of separate processes
• Combine Perl components with low-level sensors
• Fix all those bugs

Purdue University
Center for Education and Research in Information Assurance and Security
Thank you