230 likes | 345 Views
Report on Common Intrusion Detection Framework. By Ganesh Godavari. Outline of the talk. CIDF GIDO Negotiation protocol scenarios. Goal. Goal of IDIAN Develop a negotiation protocol that is dynamic Allow distributed collection of heterogeneous ID components
E N D
Report on Common Intrusion Detection Framework By Ganesh Godavari
Outline of the talk • CIDF • GIDO • Negotiation protocol • scenarios
Goal • Goal of IDIAN • Develop a negotiation protocol that is dynamic • Allow distributed collection of heterogeneous ID components • Provide inter-operate ability to reach agreement on ID information processing capability
Motivation • Understand • Common Intrusion Detection Framework • Common Intrusion Specification Language (CISL)
Common Intrusion Detection Framework (CIDF) • CIDF architecture • Divides IDS into Components • Component consists of software code with configuration information • Components can be added/removed • Components interact in real time and exchange data using GIDO
Generalized Intrusion Detection Objects (GIDO) • GIDO consists of two components • Fixed Format header • CIDF version, timestamp, and length of body • Variable Length Body • data
GIDO body Which process detected Where the attack occurred (ByMeansOf (Attack (Observer (ProcessName `StackGuard') ) (Target (HostName `somehost.someplace.net') ) (AttackSpecifics (Certainty `100') (Severity `100') (AttackID `1' `0x4f') ) (Outcome (CIDFReturnCode `2') ) (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999') ) ) (ByMeansOf (Execute (Process (ProcessName `fingerd') ) (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999') ) ) ) ) data Where is the attack targeted at? Semantic Identifier (SID) StackGuard is a compiler that emits programs hardened against "stack smashing" attacks.
SID is associated with each piece of data in the body • SID associated with data are called Atom SID • Atom SID cannot completely describe an event. • Verbs describe events • e.g. Attack SID • Verb SID has set of Role SIDs which provide additional information about the event. • e.g. Observer Role provides information about the observer of an event.
Example V is a verb SID R1 and R2 are role SIDs A1 through A3 are Atom SIDs S-expression (V (R1 (A1 data1) (A2 data2) ) (R2 (A3 data3) ) ) Tree Representation
CIDF components • Components • Event generators ("E-boxes") • Produce GIDOs • Event analyzers ("A-boxes") • Consume GIDOs • Conclusions are turned out as GIDOs • Event databases ("D-boxes") • store events for later retrieval • Response units ("R-boxes") • Consume GIDOs • Take action like kill process, reset connections
Add/remove an IDS Component • New components need to notify others • Negotiation protocol • Publish the capabilities of new components • Ability to describe and disseminate the description to other components • Collection of components need to interact with each other • To determine which components provide specific set of capabilities that the others can utilize
Categorization of overload situations • Resources are limited • Demand driven overloads • IDS is asked to provide additional detection facilities • Fluctuation in the amount of data to be processed • Flooding !! • Supply driven overloads • Computer/network down!! • Compromised components unavailable • Number crunching jobs competing with IDS for jobs
Adapting to overload situations • Solution • Supply of resources/components is increased • Human assistance, killing processes/files competing for resources • Reduction in the demand • Modify the packet filtering rules to eliminate flooding the system from outside; • Killing processes that generate massive floods of OS audit records • Adapt to ensure important jobs are met • Reduce the number and kinds of attacks detected, number of systems/network covered by IDS
New Attack Signatures and Responses • Install new signatures • computational cost • Cost • Determine if the capability exists in the IDS to respond to the attack signature • Cost of response i.e. degradation in performance, loss of functionality • E-box needs to specify the cost of sensor data • R-box needs to specify the cost executing requested actions • A-box needs to asses (stress) the cost of deploying a new attack signature
New producer • E-box – can I supply the capabilities with in cost limits? • If true send acceptance message to A-box • If false • send rejection message to A-box • If the minimum cost is relatively close to the upper bound set by A-box. Send a counter proposal to A-box The counter proposal can be accepted or rejected by A-box
New ConsumerEnhanced/diminished capability • New Consumer • R-box advertises its capabilities to existing A-Boxes • Enhanced/diminished capability • Upgraded/degraded E-box advertises to A-box. • A-box renegotiates its utilization of the capabilities of E-box
How does one know what are the existing capabilities? • generate new proposals that contain more arbitrary lists of capabilities • For example, suppose that an R-box R announces a list of capabilities L0. An A-box A requests a list L1 that is a subset of L0. R comes back with a list L2 that is a subset of L1. Unsatisfied, A proposes an entirely new list M that is a subset of L0 but that may share only some capabilities with L1.
Scenario 1: a new capability new host machine with detection component is added to LAN. Network under connection laundering attack
solution • E-box supplies system-call audit trail • A-box might correlate all inbound TCP/IP connections with outbound connections.
Scenario 2: flooding IDS Stolen company laptop with VPN Connection to the company that has detection component and is used to launch an attack. Hacker generate lot of spurious audit data to deflect suspicion. Second host is also compromised. Generate more audit data and crash the central IDS?
Solution • Request the event generator to switch to a pre-negotiated fallback setting in which only critical audit data is sent. • Request that other event generators reduce their output so the analyzer can concentrate on the attack.
References • Intrusion Detection Inter-component Adaptive Negotiation • Richard Feiertag et al 2000 IEEE Computer Networks special issue on intrusion detection • A Common Intrusion Specification Language, CIDF working group document. • Communication in the Common Intrusion Detection Framework, CIDF working group document.