Intrusion Detection and Information Fusion/Decision Making
By Ganesh Godavari
Outline of Talk
• Need for Intrusion Detection and Information Fusion
• Intrusion Detection Message Exchange Format (IDMEF)
• Plan of action
• Conclusion
Intrusion Detection
• Intrusion detection
– the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities
– the goal is to discover violations of the confidentiality, integrity, and availability of information and resources
Problems with Intrusion Detection
• Network traffic and computer activity fall into one of three categories:
– Normal
– Abnormal but not malicious
– Malicious
• Properly classifying these events is the single most difficult problem
Problems (contd.)
• IDSes generally provide
– a constant feed of new alerts
– which are written into a log file
• How can one minimize the number of alerts?
• Does alert aggregation and correlation solve the problem?
Problem in alert correlation
• Alerts are correlated based on certain keywords
• Is a tomato a fruit or a vegetable?
• You want to get the general information associated with an IP address and port numbers
• Solutions?
– Can anyone suggest any?
– Is this problem unique?
– No, web search engines often encounter these problems
– How about applying Latent Semantic Indexing*?
– It worked for search engines like Google, so it can work for information retrieval of intrusion detection alerts too!
IDMEF Format
Distributed IDSs
Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD)
• EMERALD HIDS provides
– a distributed, scalable tool suite for tracking malicious activity through and across large networks
– Requires a Sun Microsystems SPARC platform running one of:
• SunOS 5.6 (Solaris 2.6) with service patch 105621-24 or newer
• Solaris 7 with service patch 106541-12 or newer
• Solaris 8 with service patch 108875-07 or newer
Tripwire
• Need to get the complete version in order to perform tests using Tripwire
• Currently being negotiated between Tripwire and Dr. Chow
Some of the important fields
• IDS important fields
– src/dest IP address or username
– src/dest port number
– IP packet type
– Detect time of the attack
– Packet content of the attack packet, or the malicious activity report in the case of a HIDS
– Any other packet information required?
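The IDMEF format slide and the field list above, as an added example that is not part of the talk: constructed alerts from a NIDS and a HIDS are serialized into IDMEF (RFC 4765) XML carrying the listed fields, parsed back out, and aggregated by attacker, target host:port and classification so that two sensors reporting the same event collapse into one line. The sensor names, addresses and timestamps are constructed, not from the slides.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "http://iana.org/idmef"  # IDMEF XML namespace (RFC 4765)
q = lambda tag: f"{{{NS}}}{tag}"  # namespace-qualified tag name

def build_alert(msg_id, sensor, detect_time, src, dst, proto, classification):
    """Serialize one sensor alert as IDMEF; src/dst are (ip, port) pairs."""
    root = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, q("Alert"), messageid=msg_id)
    ET.SubElement(alert, q("Analyzer"), analyzerid=sensor)
    ET.SubElement(alert, q("CreateTime")).text = detect_time
    ET.SubElement(alert, q("DetectTime")).text = detect_time
    for role, (ip, port) in (("Source", src), ("Target", dst)):
        ep = ET.SubElement(alert, q(role))
        addr = ET.SubElement(ET.SubElement(ep, q("Node")), q("Address"), category="ipv4-addr")
        ET.SubElement(addr, q("address")).text = ip
        svc = ET.SubElement(ep, q("Service"))
        ET.SubElement(svc, q("port")).text = str(port)
        ET.SubElement(svc, q("protocol")).text = proto
    ET.SubElement(alert, q("Classification"), text=classification)
    return ET.tostring(root, encoding="unicode")

def parse_alert(xml_text):
    """Pull the slide's key fields back out of an IDMEF alert."""
    alert = ET.fromstring(xml_text).find(q("Alert"))
    def endpoint(role):  # (ip, port) of the Source or Target element
        ep = alert.find(q(role))
        return (ep.findtext(f"{q('Node')}/{q('Address')}/{q('address')}"),
                int(ep.findtext(f"{q('Service')}/{q('port')}")))
    return {"sensor": alert.find(q("Analyzer")).get("analyzerid"),
            "detect_time": alert.findtext(q("DetectTime")),
            "src": endpoint("Source"), "dst": endpoint("Target"),
            "proto": alert.findtext(f"{q('Source')}/{q('Service')}/{q('protocol')}"),
            "class": alert.find(q("Classification")).get("text")}

def aggregate(parsed):
    """Count alerts by (attacker IP, target ip:port, classification)."""
    return Counter((a["src"][0], a["dst"], a["class"]) for a in parsed)

# Constructed sample: a NIDS and a HIDS both report one SSH brute force attempt
SAMPLE = [
    build_alert("a1", "nids-1", "2005-12-09T10:15:00Z", ("192.0.2.10", 40123),
                ("198.51.100.5", 22), "tcp", "SSH brute force"),
    build_alert("a2", "hids-5", "2005-12-09T10:15:02Z", ("192.0.2.10", 40124),
                ("198.51.100.5", 22), "tcp", "SSH brute force"),
    build_alert("a3", "nids-1", "2005-12-09T10:16:00Z", ("203.0.113.7", 51000),
                ("198.51.100.5", 80), "tcp", "Web scan"),
]
PARSED = [parse_alert(x) for x in SAMPLE]
```

Running `aggregate(PARSED)` turns the three raw alerts into two distinct events, one of them seen by both sensors.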
Conclusion
• Can perform packet capture of normal and attack traffic on both NIDS and HIDS
• For HIDS, if I get a license for Tripwire or have a Solaris box, using EMERALD would be helpful for capturing data
• Shall provide the packet dumps and ASCII packet dumps.