Report on Common Intrusion Detection Framework
By Ganesh Godavari
Outline of the talk
• CIDF
• GIDO
• Negotiation protocol
• Scenarios
Goal
• Goal of IDIAN
– Develop a negotiation protocol that is dynamic
– Allow distributed collection of heterogeneous ID components
– Provide interoperability so that components can reach agreement on ID information-processing capability
Motivation
• Understand
– Common Intrusion Detection Framework (CIDF)
– Common Intrusion Specification Language (CISL)
Common Intrusion Detection Framework (CIDF)
• CIDF architecture
– Divides an IDS into components
– A component consists of software code with configuration information
– Components can be added/removed
– Components interact in real time and exchange data using GIDOs
Generalized Intrusion Detection Objects (GIDO)
• A GIDO consists of two components
– Fixed-format header
• CIDF version, timestamp, and length of body
– Variable-length body
• data
GIDO body
(ByMeansOf
  (Attack
    (Observer (ProcessName `StackGuard') )
    (Target (HostName `somehost.someplace.net') )
    (AttackSpecifics
      (Certainty `100')
      (Severity `100')
      (AttackID `1' `0x4f') )
    (Outcome (CIDFReturnCode `2') )
    (When
      (BeginTime `14:57:36 24 Feb 1999')
      (EndTime `14:57:36 24 Feb 1999') ) )
  (ByMeansOf
    (Execute
      (Process (ProcessName `fingerd') )
      (When
        (BeginTime `14:57:36 24 Feb 1999')
        (EndTime `14:57:36 24 Feb 1999') ) ) ) )
Slide callouts on this example: "Which process detected" (the Observer), "Where is the attack targeted at?" (the Target), "Where the attack occurred", "data" (the quoted values such as `StackGuard') and "Semantic Identifier (SID)" (the names such as Attack, Observer and ProcessName).
StackGuard is a compiler that emits programs hardened against "stack smashing"
attacks.
• An SID is associated with each piece of data in the body
• SIDs associated with data are called Atom SIDs
• An Atom SID cannot completely describe an event.
• Verbs describe events
– e.g. the Attack SID
• A Verb SID has a set of Role SIDs which provide additional information about the event.
– e.g. the Observer role provides information about the observer of an event.
Example
V is a verb SID
R1 and R2 are role SIDs
A1 through A3 are Atom SIDs
S-expression
(V
(R1
(A1 data1) (A2 data2)
)
(R2
(A3 data3)
)
)
Tree Representation
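As an added illustration (my own code, not from the slides or the CIDF working group), the following parser turns a CISL S-expression such as the GIDO body above into a tree of verb, role and atom SIDs, so a consumer can pull out individual atoms; the sample input is the StackGuard GIDO re-typed as a constructed string.

```python
import re

# Constructed sample: the StackGuard GIDO body from the slides, re-typed as test input.
SAMPLE_GIDO = """
(ByMeansOf
  (Attack
    (Observer (ProcessName `StackGuard'))
    (Target (HostName `somehost.someplace.net'))
    (AttackSpecifics (Certainty `100') (Severity `100') (AttackID `1' `0x4f'))
    (Outcome (CIDFReturnCode `2'))
    (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999')))
  (ByMeansOf
    (Execute
      (Process (ProcessName `fingerd'))
      (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999')))))
"""

# Tokens: a parenthesis, a `...' quoted datum, or a bare SID name.
_TOKEN = re.compile(r"\(|\)|`([^']*)'|[^\s()`']+")


def parse_sexpr(text):
    """Parse one CISL S-expression into nested lists [SID, child, ...]; unbalanced input raises."""
    stack = [[]]
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        elif m.group(1) is not None:
            stack[-1].append(m.group(1))   # data carried by an atom SID
        else:
            stack[-1].append(tok)          # verb, role or atom SID name
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("expected exactly one balanced expression")
    return stack[0][0]


def direct_roles(node):
    """Names of the SIDs directly under a verb or role (its child sub-expressions)."""
    return [c[0] for c in node[1:] if isinstance(c, list)]


def find_atoms(node, sid):
    """Data of every atom SID named `sid` anywhere in the tree, in document order."""
    if not isinstance(node, list) or not node:
        return []
    if node[0] == sid and all(isinstance(c, str) for c in node[1:]):
        return list(node[1:])
    return [d for c in node[1:] for d in find_atoms(c, sid)]
```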
CIDF components
• Components
– Event generators ("E-boxes")
• Produce GIDOs
– Event analyzers ("A-boxes")
• Consume GIDOs
• Conclusions are turned out as GIDOs
– Event databases ("D-boxes")
• store events for later retrieval
– Response units ("R-boxes")
• Consume GIDOs
• Take action like kill process, reset connections
CIDF Component Interaction
Add/remove an IDS Component
• New components need to notify others
• Negotiation protocol
– Publish the capabilities of new components
• Ability to describe the capabilities and disseminate the description to other components
– The collection of components needs to interact
• To determine which components provide a specific set of capabilities that the others can utilize
Categorization of overload situations
• Resources are limited
• Demand-driven overloads
– The IDS is asked to provide additional detection facilities
– Fluctuation in the amount of data to be processed
• Flooding !!
• Supply-driven overloads
– Computer/network down!!
– Compromised components unavailable
– Number-crunching jobs competing with the IDS for resources
Adapting to overload situations
• Solution
– Supply of resources/components is increased
• Human assistance, killing processes/files competing for
resources
– Reduction in the demand
• Modify the packet filtering rules to eliminate flooding the
system from outside;
• Killing processes that generate massive floods of OS audit
records
– Adapt to ensure important jobs are met
• Reduce the number and kinds of attacks detected, number of
systems/network covered by IDS
New Attack Signatures and Responses
• Install new signatures
– computational cost
• Cost
– Determine if the capability exists in the IDS to respond to the attack signature
– Cost of response, i.e. degradation in performance, loss of functionality
• The E-box needs to specify the cost of sensor data
• The R-box needs to specify the cost of executing requested actions
• The A-box needs to assess the cost of deploying a new attack signature
New producer
• E-box: can I supply the capabilities within the cost limits?
– If true, send an acceptance message to the A-box
– If false
• send a rejection message to the A-box
• If the minimum cost is relatively close to the upper bound set by the A-box, send a counter proposal to the A-box; the counter proposal can be accepted or rejected by the A-box
New Consumer / Enhanced or diminished capability
• New Consumer
– The R-box advertises its capabilities to existing A-boxes
• Enhanced/diminished capability
– An upgraded/degraded E-box advertises to the A-box.
– The A-box renegotiates its utilization of the capabilities of the E-box
How does one know what the existing capabilities are?
– generate new proposals that contain more
arbitrary lists of capabilities
– For example, suppose that an R-box R
announces a list of capabilities L0. An A-box A
requests a list L1 that is a subset of L0. R
comes back with a list L2 that is a subset of
L1. Unsatisfied, A proposes an entirely new
list M that is a subset of L0 but that may share
only some capabilities with L1.
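To make the two negotiation rules above concrete (the producer's accept/reject/counter decision against a cost bound, and the L0 / L1 / L2 / M list exchange), here is an added simulation that is my own code, not the IDIAN protocol implementation. The capability names, their relative costs, the 10 % "relatively close" margin and the cheapest-first choice of the counter subset are all assumptions.

```python
def producer_reply(advertised, requested, cost_limit, margin=0.10):
    """Producer (E-box or R-box) side. advertised: dict capability -> cost (L0);
    requested: set of capabilities (L1). Returns (decision, capabilities, cost)."""
    if not requested <= set(advertised):
        return ("reject", frozenset(), 0.0)      # asked for something never advertised
    cost = sum(advertised[c] for c in requested)
    if cost <= cost_limit:
        return ("accept", frozenset(requested), cost)
    if cost > cost_limit * (1 + margin):
        return ("reject", frozenset(), cost)     # nowhere near the A-box's bound
    # Minimum cost is close to the bound: counter with a subset L2 of L1 that
    # fits under the limit, keeping the cheapest capabilities first (assumption).
    keep, total = set(), 0.0
    for c in sorted(requested, key=advertised.__getitem__):
        if total + advertised[c] <= cost_limit:
            keep.add(c)
            total += advertised[c]
    return ("counter", frozenset(keep), total)


def consumer_negotiate(advertised, wanted, must_have, cost_limit):
    """A-box side. Proposes L1 = wanted; accepts a counter L2 only if it still
    contains must_have; otherwise proposes a fresh list M drawn from L0.
    Returns (agreed capabilities, transcript of the exchange)."""
    transcript = []
    decision, caps, cost = producer_reply(advertised, wanted, cost_limit)
    transcript.append(("L1", decision, caps, cost))
    if decision == "accept":
        return caps, transcript
    if decision == "counter" and must_have <= caps:
        transcript.append(("L2", "accept", caps, cost))
        return caps, transcript
    # Build M: the must-haves plus the cheapest other advertised capabilities
    # that still fit; M may share only some capabilities with L1.
    m = set(must_have)
    total = sum(advertised[c] for c in m)
    for c in sorted(advertised, key=advertised.__getitem__):
        if c not in m and total + advertised[c] <= cost_limit:
            m.add(c)
            total += advertised[c]
    decision, caps, cost = producer_reply(advertised, m, cost_limit)
    transcript.append(("M", decision, caps, cost))
    return (caps if decision == "accept" else frozenset()), transcript


# Constructed capability list L0 of an E-box, with made-up relative costs.
L0 = {"syscall_audit": 5, "tcp_connections": 3, "file_integrity": 4, "packet_capture": 9}
```

An empty agreed set means the two sides never reached an accepted list, which is the case where a human or a pre-negotiated fallback setting has to step in.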
Scenario 1: a new capability
A new host machine with a detection component is added to the LAN.
The network is under a connection-laundering attack.
Solution
• The E-box supplies a system-call audit trail
• The A-box might correlate all inbound TCP/IP connections with outbound connections.
Scenario 2: flooding the IDS
A stolen company laptop with a VPN connection to the company, which has a detection component, is used to launch an attack.
The hacker generates a lot of spurious audit data to deflect suspicion. A second host is also compromised. Could generating more audit data crash the central IDS?
Solution
• Request the event generator to switch to a pre-negotiated fallback setting in which only critical audit data is sent.
• Request that other event generators reduce their output so the analyzer can concentrate on the attack.
References
• Richard Feiertag et al., "Intrusion Detection Inter-component Adaptive Negotiation", 2000 IEEE Computer Networks special issue on intrusion detection.
• "A Common Intrusion Specification Language", CIDF working group document.
• "Communication in the Common Intrusion Detection Framework", CIDF working group document.