Intrusion Detection Inter-component Adaptive Negotiation (IDIAN)


Report on Common Intrusion Detection Framework
By Ganesh Godavari
Outline of the talk
• CIDF
• GIDO
• GIDO Filters
Goal
• Goal of IDIAN
– Develop a negotiation protocol that is dynamic
– Allow distributed collection of heterogeneous ID components
– Provide interoperability, so that components can reach agreement on their ID information processing capability
Motivation
• Understand
– Common Intrusion Detection Framework (CIDF)
– Common Intrusion Specification Language (CISL)
Scenario 1: a new capability
A new host machine with a detection component is added to the LAN.
The network is under a connection laundering attack.
Solution?
Solution
• The analysis component detects the number of inbound and outbound connections for the service provided by the host.
Scenario 2: flooding the IDS
A stolen company laptop with a detection component is used to launch an attack.
The hacker generates a lot of spurious audit data to deflect suspicion. A second host is also compromised and generates more audit data, crashing the central IDS.
Common Intrusion Detection Framework (CIDF)
• CIDF architecture
– Divides an IDS into components
– A component consists of software code with configuration information
– Components can be added/removed
– Components interact in real time and exchange data using GIDOs
CIDF components
• Components
– Event generators ("E-boxes")
• Produce GIDOs
– Event analyzers ("A-boxes")
• Consume GIDOs
• Conclusions are output as GIDOs
– Event databases ("D-boxes")
• Store events for later retrieval
– Response units ("R-boxes")
• Consume GIDOs
• Take actions such as killing a process or resetting connections
Generalized Intrusion Detection Objects (GIDO)
• A GIDO consists of two components
– Fixed-format header
• CIDF version, timestamp, and length of body
– Variable-length body
• data
GIDO body
(ByMeansOf
  (Attack
    (Observer (ProcessName `StackGuard') )
    (Target (HostName `somehost.someplace.net') )
    (AttackSpecifics
      (Certainty `100')
      (Severity `100')
      (AttackID `1' `0x4f') )
    (Outcome (CIDFReturnCode `2') )
    (When
      (BeginTime `14:57:36 24 Feb 1999')
      (EndTime `14:57:36 24 Feb 1999') ) )
  (ByMeansOf
    (Execute
      (Process (ProcessName `fingerd') )
      (When
        (BeginTime `14:57:36 24 Feb 1999')
        (EndTime `14:57:36 24 Feb 1999') ) ) ) )
Slide callouts on this body: "Which process detected" (the Observer role), "Where the attack occurred", "Where the attack is targeted at?" (the Target role), "data" (the quoted values) and "Semantic Identifier (SID)" (the tag names such as Attack, Observer and ProcessName).
StackGuard is a compiler that emits programs hardened against "stack smashing" attacks.
• A SID is associated with each piece of data in the body
• SIDs associated with data are called Atom SIDs
• An Atom SID cannot completely describe an event
• Verbs describe events
– e.g. the Attack SID
• A Verb SID has a set of Role SIDs which provide additional information about the event
– e.g. the Observer role provides information about the observer of an event
Example
V is a verb SID; R1 and R2 are role SIDs; A1 through A3 are Atom SIDs.
S-expression
(V
  (R1
    (A1 data1) (A2 data2)
  )
  (R2
    (A3 data3)
  )
)
Tree Representation (diagram of the same S-expression: V at the root, R1 and R2 as its children, and the atoms as leaves)
IDIAN Components
• IDIAN architecture components
– Detection
• Sensors such as audit mechanisms and packet sniffers
• Record activity
– Analysis
• Detect attacks
– Response
• Accept commands to take specific action to stop attacks
IDIAN component Interaction
Diagram: Detection --(Recorded Activity)--> Analysis --(Specific Action Commands)--> Response
• The analysis component uses the recorded activity to detect attacks
GIDO Filters
• GIDO Filter
– A method of describing a set of GIDOs
– Uses the same basic structure as GIDOs
– The interesting fields identified in the filter can easily be extracted from a GIDO, so unneeded information is filtered out
The major difference between a GIDO and a filter is in the body.
GIDO filter Requirements
• GIDO filter Requirements
– Expressive
• Ability to specify all sets of useful GIDOs
• Ability to specify sets of hosts and users
– Precise
• Ability to determine whether or not a GIDO satisfies a filter
– Allow the extraction of particular data values from matching GIDOs
– The filter language must allow for efficient implementation of encoding, decoding and matching GIDOs to filters
– Easy to construct filters from subsets of existing filters
– Easy to determine if a filter is equivalent to a null filter (no matching GIDO)
Sample filter
(Filter
  (Fragment
    (Attack
      (Observer (ProcessName ‘observer:exp1’))
      (Target (HostName ‘target:exp2’) ) ) )
  (Permit ‘ByMeansOf’)
  (variables ‘observer’ ‘target’) )
The Fragment specifies a piece of a GIDO.
• The GIDO in Figure 1 matches the fragment in Figure 2, with the variables observer and target instantiating to `StackGuard' and `somehost.someplace.net' respectively.
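As an added example (not part of the slides or of the CIDF documents), the following Python code parses the CISL S-expressions shown above and applies the sample filter to the Figure 1 GIDO. The matching semantics are my reading of the slides, not the CIDF specification: the Fragment is matched as a structural subset of a GIDO node, Permit names the verbs the matcher may descend through to find that node, and a data value written name:exp binds the declared variable name to the value found in the GIDO.

```python
import re
from itertools import takewhile

class Data(str):
    """A quoted CISL data value such as `StackGuard', as opposed to a SID tag."""

# Tokens: parentheses, `backtick'/curly-quoted data values, or bare SID symbols.
TOKEN = re.compile(r"\(|\)|[`'\u2018]([^'\u2019]*)['\u2019]|[^\s()]+")

def parse(text):
    """Parse a CISL S-expression into nested lists [Tag, child, ...]; quoted values become Data."""
    tokens = TOKEN.finditer(text)
    def read(tok):
        if tok.group(0) == "(":  # read children up to the matching ")"; nested reads share the iterator
            return [read(t) for t in takewhile(lambda t: t.group(0) != ")", tokens)]
        return Data(tok.group(1)) if tok.group(1) is not None else tok.group(0)
    return read(next(tokens))

def match(pattern, node, variables, bindings):
    """Return bindings extended by matching the fragment under this GIDO node, else None."""
    if not (isinstance(node, list) and pattern[0].lower() == node[0].lower()):
        return None  # tags compared case-insensitively (the slide writes `observer')
    for p in pattern[1:]:
        if isinstance(p, Data):  # `name:exp' with a declared variable binds name to the GIDO value
            values = [c for c in node[1:] if isinstance(c, Data)]
            name = p.split(":", 1)[0]
            if name in variables and values and bindings.get(name, values[0]) == values[0]:
                bindings = {**bindings, name: values[0]}
            elif name in variables or p not in values:
                return None
        else:  # a role or verb in the fragment must be matched by some child of the node
            found = [b for b in (match(p, c, variables, bindings) for c in node[1:]) if b is not None]
            if not found:
                return None
            bindings = found[0]
    return bindings

def apply_filter(filt, gido):
    """Return the variable bindings if the GIDO matches the filter, else None."""
    parts = {part[0]: part[1:] for part in filt[1:]}
    fragment, permit, variables = parts["Fragment"][0], parts.get("Permit", []), parts.get("variables", [])
    found = match(fragment, gido, variables, {})
    if found is None and isinstance(gido, list) and gido[0] in permit:  # descend through permitted verbs
        found = next((b for b in (apply_filter(filt, c) for c in gido[1:]) if b is not None), None)
    return found

# Constructed inputs: the slide's GIDO (Figure 1, trimmed) and its filter (Figure 2), quote typos fixed.
GIDO = parse("""(ByMeansOf (Attack (Observer (ProcessName `StackGuard')) (Target (HostName `somehost.someplace.net')))
 (ByMeansOf (Execute (Process (ProcessName `fingerd')))))""")
FILTER = parse("""(Filter (Fragment (Attack (Observer (ProcessName \u2018observer:exp1\u2019))
  (Target (HostName \u2018target:exp2\u2019)))) (Permit \u2018ByMeansOf\u2019) (variables \u2018observer\u2019 \u2018target\u2019))""")
```

apply_filter(FILTER, GIDO) yields the bindings the slide describes, observer to StackGuard and target to somehost.someplace.net; a GIDO whose Attack lacks a Target role, or one wrapped in a verb not listed under Permit, yields None.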
References
• Intrusion Detection Inter-component Adaptive Negotiation
– Richard Feiertag et al., 2000, IEEE Computer Networks special issue on intrusion detection
• A Common Intrusion Specification Language, CIDF working group document.
• Communication in the Common Intrusion Detection Framework, CIDF working group document.
Negotiation Protocol
• The IDIAN negotiation protocol allows components to
– Discover the services of other components.
– Negotiate for the use of those services.
– Intelligently manage the use of IDS resources by components.
– Dynamically adjust the use of services, perhaps in order to respond to changes in the environment.
Agreement
– A relationship between a producer and a consumer.
– Specifies a set of services which the producer must provide to the consumer.
– For example, an event generator may agree to provide a particular set of audit data to an analyzer. At a minimum, an agreement must specify the producer, the consumer, and the set of services to be provided.
Contract
– A set of agreements, each of which involves the same producer and consumer (the partners to the contract).
– Exactly one agreement in a contract is in effect.
Contract Database
– A set of contracts.
– Every component has a contract database containing all the contracts to which it is a partner.
Capability Database
– Associates services (e.g., provide IP audit data, filter packets, etc.) with the components which can provide those services.
– Each component has a database containing its own capabilities and, possibly, those of other components.