1 / 15

Common Intrusion Detection Framework

Common Intrusion Detection Framework. By Ganesh Godavari. Paper to review. Intrusion Detection Inter-component Adaptive Negotiation Richard Feiertag et al 2000 IEEE Computer Networks special issue on intrusion detection

mariah
Download Presentation

Common Intrusion Detection Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Common Intrusion Detection Framework By Ganesh Godavari

  2. Paper to review Intrusion Detection Inter-component Adaptive Negotiation Richard Feiertag et al 2000 IEEE Computer Networks special issue on intrusion detection A theoretical paper on the possibility of intrusion detection systems automatically negotiating the information they share.

  3. Goal • The Intrusion Detection System (IDS) community is developing better techniques for collecting and analyzing data in order to handle intrusions in large, distributed environments • Goal of IDIAN • Develop a negotiation protocol that is dynamic • Allow distributed collection of heterogeneous ID components • Provide inter-operate ability to reach agreement on ID information processing capability

  4. Motivation • How does IDIAN fit in Distributed and large scale deployment? • What can we learn from the project? • Does it fit to what we want to do?

  5. Challenges in large scale network • Challenges in large scale deployment • Reinforcing • Repetition of the same node • Complementing • One node complements the role of another • Example - Node-a does TCP/IP sniffing Node-b does application attacks on ftpd, httpd

  6. Review CIDF architectecture consumer Producer

  7. Reinforcing • E-box 1, E-box 2 may detect same kind attacks but run on different machines. Negotiation will take place with the machine that advertises first? Not clear lets make this assumption. E-box 1 192.168.0.1 Gateway R-Box E-box 2 192.168.0.2 A-Box

  8. Complementing • E-box 1, E-box 2 may detect different attacks but run on different machines. E-box 1 192.168.0.2 Gateway R-Box E-box 2 192.168.1.2 A-Box

  9. Snort based E-box 1 Ad filter ( SendMessage ( when (Time "!-::*")) ( Initiator (IPV4Address "!+::{*}") ( HostName "?-::{*}") ( TCPSourcePort "!-::{*}")) ( Target ( IPV4Address "!-::{*}) ( HostName "?-::{*}") ( TCPDestinationPort "!-::{*}")) ( Observer ( ProcessName "!-::{{'snort'}}") ( HostName "!-::{{'hercales'}}")) ( Message ( TransportProtocol "?+::{{'tcp'}}") ( IPV4SetviceType "?+::{*}") ( IPV4Identifier "?+::{*}") ( IPV4TTL "?+::{*}") ( TCPSequenceNumber "?+::{*}") ( TCPAckNumber "?+::{*}") ( TCPWindow "?+::{*}") ( TCPFlags "?+::{*}") ( TCPMSS "?+::{*}";))))) ( Filter ( Fragment ( ByMeansOf ( Attack ( when (Time "!+::*")) ( AttackSpecifics ( Attack-ID "!-::{{0x00000005}}", "!+::{*}") ( AtackNickname "!-::{*}")) ( Initiator "!+::{*}") (IPV4Address "!+::{*}") ( HostName "?-::{*}") ( TCPSourcePort "!-::{*}")) ( Target ( IPV4Address "!+::{{10.0.0.1,10.0.0.2}, {10.0.0.3,10.0.0.4}}) ( HostName "?-::{*}") ( TCPDestinationPort "!-::{*}")) ( Observer ( ProcessName "!-::{{'snort'}}") ( HostName "!-::{{'hercales'}}"))) !: field always available ?: field might or might not be available -: field is not negotiable +: field is negotiable continued

  10. A-box Template proposal ( Filter ( Fragment ( Attack ( When ( Time "!-::*")) ( AttackSpecifics ( Attack-ID "!-::{{0x00000005}}", "!+::{0x00000000,0x000000001}") ( AtackNickname "!-::{*}")) ( Initiator ( IPV4Address "!+::{*}") ( TCPSourcePort "!-::{*}")) ( Target ( IPV4Address "!+::{{10.0.0.1,10.0.0.3,10.0.1.18}) ( TCPDestinationPort "!-::{*}")) ( Observer ( ProcessName "?+::{*}") ( HostName "?+::{*}") ( IPv4Address "?+::{*}")))) ( Permit, ''ByMeansOf', 'And', ''HelpedCause')) Permit allows the filter matching code to search for GIDO from the root. So here we are looking for fragment like “ByMeansOf”, “And”, “HelpedCause”

  11. Snort based E-box 2 Ad filter ( SendMessage ( when (Time "!-::*")) ( Initiator (IPV4Address "!+::{*}") ( HostName "?-::{*}") ( TCPSourcePort "!-::{*}")) ( Target ( IPV4Address "!-::{*}) ( HostName "?-::{*}") ( TCPDestinationPort "!-::{*}")) ( Observer ( ProcessName "!-::{{'snort'}}") ( HostName "!-::{{'hercalesGlobe'}}")) ( Message ( TransportProtocol "?+::{{'tcp'}}") ( IPV4SetviceType "?+::{*}") ( IPV4Identifier "?+::{*}") ( IPV4TTL "?+::{*}") ( TCPSequenceNumber "?+::{*}") ( TCPAckNumber "?+::{*}") ( TCPWindow "?+::{*}") ( TCPFlags "?+::{*}") ( TCPMSS "?+::{*}";))))) ( Filter ( Fragment ( ByMeansOf ( Attack ( when (Time "!+::*")) ( AttackSpecifics ( Attack-ID "!-::{{0x00000005}}", "!+::{*}") ( AtackNickname "!-::{*}")) ( Initiator "!+::{*}") (IPV4Address "!+::{*}") ( HostName "?-::{*}") ( TCPSourcePort "!-::{*}")) ( Target ( IPV4Address "!+::{10.0.1.0/8}) ( HostName "?-::{*}") ( TCPDestinationPort "!-::{*}")) ( Observer ( ProcessName "!-::{{'snort'}}") ( HostName "!-::{{'hercalesGlobe'}}"))) !: field always available ?: field might or might not be available -: field is not negotiable +: field is negotiable continued

  12. Candidate proposal A-box to E-box 1 ( Filter ( Fragment ( Attack ( When ( Time "!-::*")) ( AttackSpecifics ( Attack-ID "!-::{{0x00000005}}", "!+::{0x00000000,0x000000001}") ( AtackNickname "!-::{*}")) ( Initiator ( IPV4Address "!+::{*}") ( TCPSourcePort "!-::{*}")) ( Target ( IPV4Address "!+::{{10.0.0.1,10.0.0.3}}) ( TCPDestinationPort "!-::{*}")) ( Observer ( ProcessName "!+::{{'snort'}}") ( HostName "!-::{'heracles'}}"))))))

  13. Candidate proposal A-box to E-box 2 ( Filter ( Fragment ( Attack ( When ( Time "!-::*")) ( AttackSpecifics ( Attack-ID "!-::{{0x00000005}}", "!+::{0x00000000,0x000000001}") ( AtackNickname "!-::{*}")) ( Initiator ( IPV4Address "!+::{*}") ( TCPSourcePort "!-::{*}")) ( Target ( IPV4Address "!+::{10.0.1.0/8}) ( TCPDestinationPort "!-::{*}")) ( Observer ( ProcessName "!+::{{'snort'}}") ( HostName "!-::{'heraclesGlobe'}}"))))))

  14. Possible GIDO from E-box to A-box E-box 2 ( ByMeansOf ( Attack ( when ( time "10/04-16:21:48")) ( AttackSpecifics ( Attack-ID 0x00000005, 0x000000000) ( AttackNickname "NMAP TCP Ping")) ( Initiator ( IPV4Address 10.0.0.2) ( TCPSourcePort 52716)) ( Target ( IPV4Address 10.0.1.5) ( TCPDestinationPort 39241)) ( Observer (ProcessName 'snort') (HostName 'heraclesGlobe'))) E-box 1 ( ByMeansOf ( Attack ( when ( time "10/04-16:21:48")) ( AttackSpecifics ( Attack-ID 0x00000005, 0x000000000) ( AttackNickname "NMAP TCP Ping")) ( Initiator ( IPV4Address 10.0.0.2) ( TCPSourcePort 52716)) ( Target ( IPV4Address 10.0.0.5) ( TCPDestinationPort 39241)) ( Observer (ProcessName 'snort') (HostName 'heracles')))

  15. Questions ?

More Related