RESEARCH ISSUES IN COOPERATIVE INTRUSION DETECTION BETWEEN MULTIPLE DOMAINS
RAID '98 (15 Sep 98)
Don Tobin
Univ. of Idaho
WHY CARE?
(map of sites: Fort Eustis, Langley AFB, Norfolk NAS, LANTCOM)
RESEARCH ISSUES
• Current Prototype
• Trust, Integrity, & Cooperation
• Securing Communications
• Data Reduction, Mining, & Sanitization
• Finishing Up
CURRENT PROTOTYPE
• Inside a HMMR
• Manager-subordinate interactions
• Peer-peer interactions
INSIDE A HMMR
(diagram of HMMR components: system log files, activity data gathering tools, data, alert tools, SQL query, web server, HMMR messages to HMMRs on other hosts, HMMR log files, audit tool, management)
MGR-SUB INTERACTION BETWEEN HMMRs
(diagram: Langley AFB HMMR with subordinate HMMRs B through G)
INTERACTION BETWEEN HMMRs
(diagram: Langley AFB, Fort Eustis, Norfolk NAS and LANTCOM HMMRs with a Moderator)
#1: TRUST, INTEGRITY, & COOPERATION
• Data (and requests) may be unreliable, inaccurate, or falsified
• Single Domain
  * Decision made by single local authority
  * Trust is not a physical property
  * Opinion = f(verified identity, capability, reputation, context, …)
  * Trust is not static, but how dynamic?
#1: TRUST, INTEGRITY, & COOPERATION
• Multiple Domains
  * Combining different sets of trust assertions from different authorities
  * Decision may be “don’t care”
  * Need to make use of all available information to assess security posture
  * Not just a Byzantine Agreement problem
• Cooperation - peer access issues ...
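One way to make the trust points above concrete, as an added example for this transcript (it is not the Hummer prototype's code or algorithm): each authority's opinion of a peer domain is an assertion, the local authority fuses every assertion it holds about that domain into a weighted opinion, old assertions decay so trust is not static, unverified authorities get zero weight, and the fused opinion plus its confidence decide whether an alert from that domain is escalated, corroborated first, quarantined, or simply not cared about. The authority weights, half-life, thresholds, site names and sample assertions are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Assertion:
    """One authority's statement about how far a domain can be trusted."""
    authority: str   # who is vouching (only verified identities carry weight)
    subject: str     # the domain the assertion is about
    opinion: float   # 0.0 = no trust .. 1.0 = full trust
    issued: float    # when it was made (seconds; constructed clock)


# Assumed local policy: how much the local authority believes each remote
# authority.  An authority whose identity was never verified is absent here,
# so its assertions are kept but never influence a decision.
AUTHORITY_WEIGHT: Dict[str, float] = {
    "local": 1.0, "langley": 1.0, "lantcom": 1.0, "eustis": 0.8,
}
HALF_LIFE = 7 * 24 * 3600.0   # assumed: an opinion loses half its weight per week
MIN_CONFIDENCE = 0.5          # assumed: below this total weight we do not decide


def age_factor(issued: float, now: float) -> float:
    """Exponential decay so that trust is not static: old assertions fade out."""
    return 0.5 ** (max(0.0, now - issued) / HALF_LIFE)


def combined_trust(assertions: List[Assertion], subject: str,
                   now: float) -> Tuple[float, float]:
    """Fuse every authority's assertion about `subject`.

    Returns (trust, confidence): trust is the weighted mean opinion and
    confidence the total weight behind it, so one stale or unverified
    assertion yields low confidence however high its opinion is.
    """
    num = den = 0.0
    for a in assertions:
        if a.subject != subject:
            continue
        w = AUTHORITY_WEIGHT.get(a.authority, 0.0) * age_factor(a.issued, now)
        num += w * a.opinion
        den += w
    return (num / den, den) if den > 0 else (0.0, 0.0)


def triage(alert_source: str, severity: int, assertions: List[Assertion],
           now: float) -> str:
    """Decide what to do with an alert received from peer domain `alert_source`."""
    trust, confidence = combined_trust(assertions, alert_source, now)
    if confidence < MIN_CONFIDENCE:
        return "dont_care"      # nobody we trust has said anything recent
    if trust >= 0.7:
        return "escalate" if severity >= 3 else "log"
    if trust >= 0.4:
        return "corroborate"    # act only once own sensors or other peers agree
    return "quarantine"         # possibly falsified: keep the data, never act on it alone


def record_outcome(assertions: List[Assertion], subject: str, confirmed: bool,
                   now: float, step: float = 0.2) -> float:
    """Feedback that makes trust dynamic: after local sensors confirm or refute
    a peer's alert, the local authority issues a fresh assertion moving the
    current opinion a fraction `step` toward 1.0 or 0.0."""
    current, _ = combined_trust(assertions, subject, now)
    new = current + step * ((1.0 if confirmed else 0.0) - current)
    assertions.append(Assertion("local", subject, new, now))
    return new


# Constructed sample assertions.
NOW = 1_000_000.0
SAMPLE = [
    Assertion("langley", "norfolk", 0.9, NOW - 3600),            # fresh, trusted
    Assertion("eustis", "norfolk", 0.8, NOW - 2 * 24 * 3600),    # two days old
    Assertion("bogus", "norfolk", 1.0, NOW),                     # unverified: ignored
    Assertion("lantcom", "eustis", 0.9, NOW - 60 * 24 * 3600),   # two months old
    Assertion("langley", "mallory", 0.2, NOW - 3600),            # poorly regarded peer
]

if __name__ == "__main__":
    for src, sev in [("norfolk", 3), ("eustis", 3), ("mallory", 3), ("other", 1)]:
        print(src, sev, combined_trust(SAMPLE, src, NOW), triage(src, sev, SAMPLE, NOW))
```

The point of returning confidence separately from trust is the "don't care" case: a single assertion two months old about Fort Eustis still has a high opinion, but so little weight remains that the local authority declines to decide at all rather than act on it.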
#2: SECURE COMMUNICATIONS
• Kerberos inside a HMMR
• Kerberos inside a domain (mgr./sub.)
• Between domains
  – “Kerberos-like” mechanism with multiple token generators might work
  – Need a degree of survivability
  – Need to handle different layout topologies
• Avoid “self-inflicted info warfare”
#3: DATA ISSUES
• “Needle in a Haystack!”
• Data conversion/reduction by tools
  * Common format for data fusion
• Data mining relevant information
• Levels of granularity of useful info
  * Mapping differing local policies
• Sanitizing data for multiple peer groups
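The data slide above, worked through in code as an added example for this transcript (not the Hummer prototype's tools or formats): lines in two different host log layouts are converted into one common record, repeats are folded into a single record with a count (reduction), and the fused records are then sanitized differently for two peer groups, with hostnames pseudonymized by a keyed hash, usernames dropped, and internal source addresses coarsened while an external attacker's address is left intact. Both log layouts, the sample lines, the internal address range, the peer-group policies and the key are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


@dataclass
class Event:
    """Common record every tool's output is converted into before fusion."""
    ts: str
    host: str
    kind: str                  # normalized event class, e.g. "auth_fail"
    src_ip: Optional[str]
    user: Optional[str]
    count: int = 1             # number of raw lines folded into this record


# Two constructed input layouts (invented for this example, not the real
# HP-UX, Solaris or Linux log formats).
FORMAT_A = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) login\[\d+\]: "
    r"FAILED LOGIN \d+ FROM (?P<ip>\S+) FOR (?P<user>\S+)$")
FORMAT_B = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d [\d:]+)\|(?P<host>[^|]+)\|auth\|fail\|"
    r"user=(?P<user>[^|]+)\|from=(?P<ip>[^|]+)$")

# Constructed sample lines: two layouts, one repeated failure, one line that
# is not an alert at all (the haystack).
SAMPLE_LOGS = [
    "Sep 15 10:01:02 hawk login[412]: FAILED LOGIN 3 FROM 10.1.2.3 FOR root",
    "Sep 15 10:01:05 hawk login[412]: FAILED LOGIN 4 FROM 10.1.2.3 FOR root",
    "1998-09-15 10:02:00|owl|auth|fail|user=guest|from=192.0.2.9",
    "Sep 15 10:03:00 hawk cron[99]: (root) CMD (/usr/lib/sa/sa1)",
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed local address space

# Assumed release policies: what each peer group is allowed to see.
POLICIES = {
    "local": dict(pseudonymize_host=False, drop_user=False, mask_internal_ip=False),
    "peer":  dict(pseudonymize_host=True,  drop_user=True,  mask_internal_ip=True),
}


def normalize(line: str) -> Optional[Event]:
    """Convert one raw line into the common format; None if no tool understands it."""
    for rx in (FORMAT_A, FORMAT_B):
        m = rx.match(line)
        if m:
            return Event(m["ts"], m["host"], "auth_fail", m["ip"], m["user"])
    return None


def reduce_events(events: List[Event]) -> List[Event]:
    """Data reduction: fold repeats of the same (host, kind, src, user) into one
    record carrying a count, keeping the first timestamp."""
    merged: Dict[tuple, Event] = {}
    for e in events:
        key = (e.host, e.kind, e.src_ip, e.user)
        if key in merged:
            merged[key].count += e.count
        else:
            merged[key] = Event(**asdict(e))
    return list(merged.values())


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: the same host maps to the same token within one peer group,
    but the group cannot recover the name or link it to another group's tokens."""
    return "h" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:10]


def mask_ip(ip: str) -> str:
    """Keep an external source address intact (that is what peers need); coarsen
    an internal address to its /24 (or /64) so the local layout is not disclosed."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return ip


def sanitize(e: Event, group: str, key: bytes) -> Event:
    """Apply one peer group's release policy to a fused record."""
    p = POLICIES[group]
    return Event(
        ts=e.ts,
        host=pseudonym(e.host, key) if p["pseudonymize_host"] else e.host,
        kind=e.kind,
        src_ip=mask_ip(e.src_ip) if p["mask_internal_ip"] and e.src_ip else e.src_ip,
        user=None if p["drop_user"] else e.user,
        count=e.count,
    )


def fuse_for(lines: List[str], group: str,
             key: bytes = b"constructed-group-key") -> List[dict]:
    """Full pipeline for one peer group: normalize -> reduce -> sanitize."""
    events = [e for e in map(normalize, lines) if e is not None]
    return [asdict(sanitize(e, group, key)) for e in reduce_events(events)]
```

Running `fuse_for(SAMPLE_LOGS, "local")` yields two records (the two `hawk` failures folded into one with `count=2`), while `fuse_for(SAMPLE_LOGS, "peer")` yields the same two with hostnames replaced by tokens, no usernames, and `10.1.2.3` reported as `10.1.2.0/24`; using a different key for another peer group produces different tokens, which is what keeps the groups from correlating each other's sanitized data.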
MORE INFORMATION…
• Beta version prototype at: http://www.cs.uidaho.edu/~hummer
• Working on:
  – HP-UX 9.x and 10.x
  – Solaris 2.5 and 2.5.1
  – FreeBSD on Pentium
  – Linux 2.x, Slackware 2.x, 3.x, Redhat 4.0, 5.0
  – Windows NT 4.0 (well, not really…)