360 likes | 458 Views
Mohammad F. Tolba Mohammad S. Abdel-Wahab Ismail A. Taha Ahmad M. Al-Shishtawy Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Cairo, Egypt. DISTRIBUTED INTRUSION DETECTION SYSTEM FOR COMPUTATIONAL GRIDS. Agenda. Introduction.
E N D
Mohammad F. Tolba Mohammad S. Abdel-Wahab Ismail A. Taha Ahmad M. Al-Shishtawy Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Cairo, Egypt DISTRIBUTED INTRUSION DETECTION SYSTEM FOR COMPUTATIONAL GRIDS
Agenda • Introduction. • The Grid Intrusion Detection Architecture (GIDA). • GIDA implementation. • Testing and Results. • Conclusions and Future Work.
Introduction • The Grid is a new approach to computing. • Still under research and development. • Couples multiple sites administrated locally and independently. • Security is important for the success of this field.
Introduction • Basic security requirements. • Concentrates on authentication, access control, single sign on, ... • No intrusion detection. • Intrusion detection needed as a second line of defense. • Bugs. • Protection against insiders.
Agenda • Introduction. • The Grid Intrusion Detection Architecture. • GIDA implementation. • Testing and Results. • Conclusions and Future Work.
Grid Intrusion Detection Architecture • Intrusion Detection Agent (IDA) • Data Gathering Module • Intrusion Detection Server (IDS) • Analyzing Module • Cooperation Module
Grid Intrusion Detection Architecture SSL GIS SSH IDS Kerberos IDS Plain Text TLS GIS
Agenda • Introduction. • The Grid Intrusion Detection Architecture. • GIDA implementation. • Testing and Results. • Conclusions and Future Work.
GIDA Implementation • Simulated Grid environment. • Simulated IDA. • Homogeneous IDSs with LVQ Neural Network. • Simple cooperation with sharing results. • No trust relationships.
Why Simulation? • No real Grid for testing (Expensive). • Best for testing and evaluation new architectures. • Control experiments in dynamic environment.
Grid Simulators • Many Grid simulation tools (GridSim, SimGrid, MicroGrid). • Unfortunately they concentrate on resource management problems. • Develop our own simulator for security and intrusion detection.
Generated Log Files . . . Log Log Intrusion Detection Servers . . . IDS IDS Resources (IDAs) . . . Requests . . . . . . Users Intruders The Simulated Grid
Intrusion Detection Classifications Misuse Anomaly Network Based x x 1 2 Host Based x √ 3 4
Why LVQ? • Similar to SOM and used for classification. • Does not require anomalous records in training data. • Classes and their labels (User Name) are known.
Log IDS Log Log Peer-to-peer Network or GIS IDS IDS IDS Analyzing Module
Analyzing and detection module Log Preprocessing Trained LVQ Response Decision Module Cooperation Module IDS Analyzing Module
IDS Cooperation Module • Sharing results among IDSs. • Using P2P or GIS. • The IDS query others for analysis results of users in its scope. • Inform other IDSs when intrusion is detected.
Agenda • Introduction. • The Grid Intrusion Detection Architecture (GIDA). • GIDA implementation. • Testing and Results. • Conclusions and Future Work.
Measured Parameters • False Positive. • False Negative. • Recognition. • Training Time. • Detection Duration
Tested Issues • Controllable (Internal) • Data Preprocessing • Number of IDSs • Uncontrollable (External) • Number of Users • Number of Resources • Number of Intruders
Type 1: Fixed number of events. Type 2: Fixed time period window. Type 3: Fixed number of events with time limit. Type 4: Fixed events with time limit ignoring incomplete. Type 5: Fixed events with time limit fixing incomplete. Different Types of Windows(Preprocessing)
Agenda • Introduction. • The Grid Intrusion Detection Architecture (GIDA). • GIDA implementation. • Testing and Results. • Conclusions and Future Work.
Conclusions • Intrusion Detection needed for real Grids as second line of defense. • GIDA suitable for grid environments. • Simulation prove applicability. • LVQ produced good results. • Better that centralized system. • Results help in building real systems. • Better understanding of the problem of intrusion detection in Grid environments.
Future Work • Trust Relationships in Grid environment. • Heterogeneous Analyzing modules. • More complicated algorithms for cooperation. • Misuse detection. • Testing on real Grid testbeds.
The End Thank you for careful listening