POZNAŃ SUPERCOMPUTING AND NETWORKING CENTER
An Approach To Automate a Process of Detecting Unauthorised Accesses
M. Chmielewski, A. Gowdiak, N. Meyer, T. Ostwald, M. Stroiński
Poznań Supercomputing and Networking Center
http://www.man.poznan.pl
[email protected]
The need for a new security tool in open network environments
• The value of information processed and stored in computer networks is growing rapidly
• Classical approaches to information security seem to be useless, especially in open network environments
• System security is often achieved along with a loss of functionality
• Threats to information security have their sources in software errors
• There is insufficient support from software and hardware vendors in the security area
Intrusion Detection Systems (IDS) - definition
The main purpose of such a system is to detect, in real time, all kinds of inappropriate user activity, such as attempts to breach system integrity or gain unauthorized access to information.
Because the intrusion detection process is a complex task, its automation seems to be necessary.
Intrusion Detection Systems - state of the art
Most currently employed IDS systems:
• Detect only known attack scenarios
• Try to detect basic anomalies in user and system activity
• Use an unreliable information source (the network)
• Use the reliable information source (the audit log) only offline
• Are passive monitors and detectors, not active protectors
At present there are no hybrid Intrusion Detection Systems on the market that are ready to be put into practice and provide comprehensive security.
Security Maintaining System as a new approach to open network environment security
Extensions to the intrusion detection model:
• New IDS system functionality
• Hybrid approach to the detection process (anomaly and misuse)
• Reliable information source (the operating system kernel)
• On-line monitoring of system and user activities
• Active protection of the system
• Global implementation of the security policy in a distributed environment
Application of the IDS system in an open network environment
[Diagram: an IDS Server (data analysis, unauthorised access and attack detection) connected over the Metropolitan Area Network to IDS Clients on the RESOURCES, COMPUTATIONS, SERVICES and VISUALISATION systems (systems and users monitoring, resources protection, access policy control), with the network also connected to the INTERNET]
VALIS
A useful and effective tool for security maintenance in network environments where other standard security methods (e.g. network isolation, access restrictions) cannot be used.
An approach to automate the process of detecting unauthorised accesses in open network environments.
VALIS design
The VALIS system is designed as a modular architecture:
• Flexible, to suit the demanded level of security
• Scalable
• Provides additional functionality
The VALIS system is designed to operate in a distributed environment:
• Easily adaptable to the operating environment
• Partially distributed analysis
• Capable of monitoring and protecting all systems
VALIS - Main Modules
• Information Collecting Module: runs on each of the protected systems and collects information about their state and user activity
• Communication Module: exchanges data between protected systems and security management stations
• Analysis and Decision Module: a basic analysis takes place on each protected system and its extended version on the security management station
VALIS - Main Modules cont.
• Archive Module: stores all important information about system and user activities in a safe way, which makes it possible to track all changes in the system as needed
• Response Module: performs specific actions in a protected system in response to the decisions made by the analysis module
VALIS system architecture
Analysis and decision modules
ESM (Expert System Module) is the main analysis module of the VALIS system. Its purpose is to analyze the information provided by other modules running on client and server systems.
Rules form the core of the decision mechanism and can express:
• Management and coordination between all modules
• Global system security policy
• Detection process support
• System attack detection
• Processing of the information obtained from other analysis modules
Such an architecture allows different analysis modules to be used in parallel.
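As an added illustration (not part of the original slides or of the VALIS code base) of the hybrid anomaly-plus-misuse approach from the "Security Maintaining System" slide and of the rule-driven basic analysis described here: a small Python engine that applies named misuse rules and a per-user anomaly baseline to a constructed stream of kernel-style audit events and maps each hit to a response. The event fields, the rule name and the block/escalate actions are assumptions made for the example.

```python
"""Hybrid misuse + anomaly analysis over kernel-derived audit events (constructed sample)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    host: str
    user: str
    syscall: str
    target: str

# Constructed sample stream, shaped like what an Information Collecting Module might deliver.
TRAINING = [
    Event("srv1", "alice", "open", "/home/alice/notes"),
    Event("srv1", "alice", "read", "/home/alice/notes"),
]
LIVE = [
    Event("srv1", "alice", "read", "/home/alice/notes"),
    Event("srv1", "bob", "open", "/etc/shadow"),
    Event("srv1", "alice", "execve", "/usr/bin/nc"),
]

# Misuse rules: a known attack pattern or policy violation, expressed as a named predicate.
MISUSE_RULES = [
    ("shadow-read-by-non-root", lambda e: e.target == "/etc/shadow" and e.user != "root"),
]

def build_baseline(events):
    """Anomaly profile: the set of syscalls each user was seen issuing during training."""
    profile = defaultdict(set)
    for e in events:
        profile[e.user].add(e.syscall)
    return profile

def analyse(events, baseline):
    """Basic (client-side) analysis: emit (kind, reason, event) for every rule or baseline hit."""
    alerts = []
    for e in events:
        for name, pred in MISUSE_RULES:
            if pred(e):
                alerts.append(("misuse", name, e))
        if e.user in baseline and e.syscall not in baseline[e.user]:
            alerts.append(("anomaly", f"{e.user} never issued {e.syscall}", e))
    return alerts

def respond(alerts):
    """Response policy (assumed): block confirmed misuse locally, escalate anomalies to the server."""
    action = {"misuse": "block", "anomaly": "escalate"}
    return [(action[kind], reason, e) for kind, reason, e in alerts]
```

Users absent from the baseline (bob above) produce no anomaly alert, so a real deployment would also need a rule for unknown principals; the misuse rule still catches his access.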
Information Collecting modules
Information about system state and user activities is retrieved directly from the operating system kernel:
• Reliability: full view of the protected system's state and its users' activities
• Security: should not pose any danger to the system and should resist any user manipulation attempt
• Efficiency: should not significantly affect system performance or disturb legitimate users' activities
• Flexibility: should provide information about the system in a proper format, ready for further processing
Inter-Modules Communication Layer
The main task of the IMCL is to provide an efficient interface between all modules of the VALIS system. The communication protocol has to fulfil the following assumptions:
• Flexibility (it can be easily adapted to any network environment)
• Trustworthiness (it should be reliable and provide a high level of security)
• Independence (it should be independent of the network and operating system)
VALIS - sample architecture
[Diagram: protected systems grouped into CELL #1 and CELL #2; each cell contains IDS Servers, each serving a group of IDS Clients]
Summary
There is a need for security maintaining systems that not only detect intrusion attempts but also actively protect against them.
The main features of the VALIS system architecture:
• Modular architecture
• High level of flexibility
• Hybrid approach to the detection process (anomaly and misuse)
• New functionality along with quality