report on common intrusion detection framework by ganesh godavari
Post on 22-Dec-2015
214 views
TRANSCRIPT
Report on Common Intrusion Detection Framework
By
Ganesh Godavari
Outline of the talk
• CIDF
• GIDO
• Negotiation protocol
• scenarios
Goal
• Goal of IDIAN– Develop a negotiation protocol that is dynamic– Allow distributed collection of heterogeneous
ID components– Provide inter-operate ability to reach
agreement on ID information processing capability
Motivation
• Understand– Common Intrusion Detection Framework– Common Intrusion Specification Language
(CISL)
Common Intrusion Detection Framework (CIDF)
• CIDF architecture– Divides IDS into Components– Component consists of software code with
configuration information– Components can be added/removed– Components interact in real time and
exchange data using GIDO
Generalized Intrusion Detection Objects (GIDO)
• GIDO consists of two components– Fixed Format header
• CIDF version, timestamp, and length of body
– Variable Length Body• data
GIDO body(ByMeansOf
(Attack(Observer (ProcessName `StackGuard') )(Target (HostName `somehost.someplace.net') )(AttackSpecifics
(Certainty `100')(Severity `100')(AttackID `1' `0x4f') )
(Outcome (CIDFReturnCode `2') )(When
(BeginTime `14:57:36 24 Feb 1999')(EndTime `14:57:36 24 Feb 1999') ) )
(ByMeansOf(Execute
(Process (ProcessName `fingerd') )(When(BeginTime `14:57:36 24 Feb 1999')(EndTime `14:57:36 24 Feb 1999') ) ) ) )
data
Semantic Identifier (SID)
Where the attack occurred
Which process detected
Where is the attack targeted at?
StackGuard is a compiler that emits programs hardened against "stack smashing" attacks.
• SID is associated with each piece of data in the body
• SID associated with data are called Atom SID• Atom SID cannot completely describe an event.• Verbs describe events
– e.g. Attack SID
• Verb SID has set of Role SIDs which provide additional information about the event.– e.g. Observer Role provides information about the
observer of an event.
Example
V is a verb SIDR1 and R2 are role SIDsA1 through A3 are Atom SIDsS-expression (V
(R1 (A1 data1) (A2 data2)
) (R2
(A3 data3) )
) Tree Representation
CIDF components
• Components – Event generators ("E-boxes")
• Produce GIDOs
– Event analyzers ("A-boxes") • Consume GIDOs • Conclusions are turned out as GIDOs
– Event databases ("D-boxes")• store events for later retrieval
– Response units ("R-boxes") • Consume GIDOs • Take action like kill process, reset connections
CIDF Component Interaction
Add/remove an IDS Component
• New components need to notify others
• Negotiation protocol– Publish the capabilities of new components
• Ability to describe and disseminate the description to other components
– Collection of components need to interact with each other
• To determine which components provide specific set of capabilities that the others can utilize
Categorization of overload situations
• Resources are limited• Demand driven overloads
– IDS is asked to provide additional detection facilities– Fluctuation in the amount of data to be processed
• Flooding !!
• Supply driven overloads– Computer/network down!!– Compromised components unavailable– Number crunching jobs competing with IDS for jobs
Adapting to overload situations
• Solution– Supply of resources/components is increased
• Human assistance, killing processes/files competing for resources
– Reduction in the demand• Modify the packet filtering rules to eliminate flooding the
system from outside;• Killing processes that generate massive floods of OS audit
records
– Adapt to ensure important jobs are met• Reduce the number and kinds of attacks detected, number of
systems/network covered by IDS
New Attack Signatures and Responses
• Install new signatures – computational cost
• Cost– Determine if the capability exists in the IDS to
respond to the attack signature– Cost of response i.e. degradation in performance,
loss of functionality• E-box needs to specify the cost of sensor data• R-box needs to specify the cost executing
requested actions• A-box needs to asses (stress) the cost of
deploying a new attack signature
New producer
• E-box – can I supply the capabilities with in cost limits?– If true send acceptance message to A-box– If false
• send rejection message to A-box• If the minimum cost is relatively close to the upper
bound set by A-box. Send a counter proposal to A-box
The counter proposal can be accepted or rejected by A-box
New ConsumerEnhanced/diminished capability
• New Consumer– R-box advertises its capabilities to existing A-
Boxes
• Enhanced/diminished capability– Upgraded/degraded E-box advertises to A-
box. – A-box renegotiates its utilization of the
capabilities of E-box
How does one know what are the existing capabilities?
– generate new proposals that contain more arbitrary lists of capabilities
– For example, suppose that an R-box R announces a list of capabilities L0. An A-box A requests a list L1 that is a subset of L0. R comes back with a list L2 that is a subset of L1. Unsatisfied, A proposes an entirely new list M that is a subset of L0 but that may share only some capabilities with L1.
Scenario 1: a new capability
new host machine with detection component is added to LAN.
Network under connection laundering attack
solution
• E-box supplies system-call audit trail
• A-box might correlate all inbound TCP/IP connections with outbound connections.
Scenario 2: flooding IDS
Stolen company laptop with VPN Connection to the company that has detection component and is used to launch an attack.
Hacker generate lot of spurious audit data to deflect suspicion. Second host is also compromised. Generate more audit data and crash the central IDS?
Solution
• Request the event generator to switch to a pre-negotiated fallback setting in which only critical audit data is sent.
• Request that other event generators reduce their output so the analyzer can concentrate on the attack.
References
• Intrusion Detection Inter-component Adaptive Negotiation– Richard Feiertag et al 2000 IEEE Computer
Networks special issue on intrusion detection
• A Common Intrusion Specification Language, CIDF working group document.
• Communication in the Common Intrusion Detection Framework, CIDF working group document.