Upload
matty
View
25
Download
0
Embed Size (px)
DESCRIPTION
Report on Common Intrusion Detection Framework. By Ganesh Godavari. Outline of the talk. CIDF GIDO GIDO Filters. Goal. Goal of IDIAN Develop a negotiation protocol that is dynamic Allow distributed collection of heterogeneous ID components - PowerPoint PPT Presentation
Citation preview
Report on Common Intrusion Detection Framework
By Ganesh Godavari
Outline of the talk
• CIDF• GIDO• GIDO Filters
Goal
• Goal of IDIAN– Develop a negotiation protocol that is dynamic– Allow distributed collection of heterogeneous
ID components– Provide inter-operate ability to reach
agreement on ID information processing capability
Motivation
• Understand– Common Intrusion Detection Framework– Common Intrusion Specification Language
(CISL)
Scenario 1: a new capability
new host machine with detection component is added to LAN.
Network under connection laundering attack Solution ?
solution
• Analysis component detects the number of inbound and outbound connections for the service provided by the host.
Scenario 2: flooding IDS
Stolen company laptop with detection component is used to launch an attack.
Hacker generate lot of spurious audit data to deflect suspicion. Second host is also compromised. Generate more audit data and crash the central IDS
Common Intrusion Detection Framework (CIDF)
• CIDF architecture– Divides IDS into Components– Component consists of software code with
configuration information– Components can be added/removed– Components interact in real time and
exchange data using GIDO
CIDF components
• Components – Event generators ("E-boxes")
• Produce GIDOs
– Event analyzers ("A-boxes") • Consume GIDOs • Conclusions are turned out as GIDOs
– Event databases ("D-boxes")• store events for later retrieval
– Response units ("R-boxes") • Consume GIDOs • Take action like kill process, reset connections
Generalized Intrusion Detection Objects (GIDO)
• GIDO consists of two components– Fixed Format header
• CIDF version, timestamp, and length of body– Variable Length Body
• data
GIDO body(ByMeansOf
(Attack(Observer (ProcessName `StackGuard') )(Target (HostName `somehost.someplace.net') )(AttackSpecifics
(Certainty `100')(Severity `100')(AttackID `1' `0x4f') )
(Outcome (CIDFReturnCode `2') )(When
(BeginTime `14:57:36 24 Feb 1999')(EndTime `14:57:36 24 Feb 1999') ) )
(ByMeansOf(Execute
(Process (ProcessName `fingerd') )(When(BeginTime `14:57:36 24 Feb 1999')(EndTime `14:57:36 24 Feb 1999') ) ) ) )
data
Semantic Identifier (SID)
Where the attack occurred
Which process detected
Where the attack is targeted at?
StackGuard is a compiler that emits programs hardened against "stack smashing" attacks.
• SID is associated with each piece of data in the body
• SID associated with data are called Atom SID• Atom SID cannot completely describe an event.• Verbs describe events
– e.g. Attack SID• Verb SID has set of Role SIDs which provide
additional information about the event.– e.g. Observer Role provides information about the
observer of an event.
ExampleV is a verb SIDR1 and R2 are role SIDsA1 through A3 are Atom SIDsS-expression (V
(R1 (A1 data1) (A2 data2)
) (R2
(A3 data3) )
) Tree Representation
IDIAN Components
• IDIAN architecture components– Detection
• Sensors like audit mechanisms and packet sniffers• Record activity
– Analysis • Detect attacks
– Response • Accept commands to take specific action to stop
attacks
IDIAN component Interaction
• Analysis component uses recorded activity to detect attacks
Detection Analysis Response
Recorded Activity
Specific Action Commands
GIDO Filters
• GIDO Filter– Method of describing a set of GIDOs– Use same basic structure as GIDOS– Interesting fields identified in the filter can
easily be extracted from GIDO => filtering unneeded information
Major difference between a GIDO and Filter is in the body
GIDO filter Requirements• GIDO filter Requirements
– Expressive • Ability to specify all sets of useful GIDOs
– Ability to specify sets of hosts, users– Precise
• Ability to determine which GIDOs satisfy a filter or not– Allow the extraction of particular data values from matching
GIDOS– Filter language must allow for efficient implementation of
encoding, decoding and matching GIDOs to filters– Easy to construct filters from existing subsets of existing filters– Easy to determine if a filter is equivalent to a null filter (no
matching GIDO)
Sample filter(Filter
(Fragment(Attack
(observer (ProcessName ‘observer:exp1’))(Target (HostName ‘target:exp2) ) ) )
(Permit ‘ByMeansOf’)(variables ‘observer’ ‘target’) )
• GIDO in Figure 1 matches the fragment in Figure 2, with the variables observer and target instantiating to `StackGuard' and `somehost.someplace.net‘ resp.
Specifies piece of GIDO
References
• Intrusion Detection Inter-component Adaptive Negotiation– Richard Feiertag et al 2000 IEEE Computer
Networks special issue on intrusion detection• A Common Intrusion Specification
Language, CIDF working group document.• Communication in the Common Intrusion
Detection Framework, CIDF working group document.
Negotiation Protocol
• IDIAN negotiation protocol allows components to– Discover the services of other components.– Negotiate for the use of those services.– Intelligently manage the use of IDS resources
by components.– Dynamically adjust the use of services,
perhaps in order to respond to changes in the environment.
Agreement – relationship between a producer and a consumer.– species a set of services which the producer must provide to the
consumer.– example, an event generator may agree to provide a particular set of
audit data to an analyzer. At a minimum, an agreement must specify the producer, consumer, and the set of services to be provided.
Contract– set of agreements, each of which involve the same producer and
consumer (the partners to the contract). – exactly one agreement in a contract is in effect.
Contract Database– set of contracts.– Every component has a contract database containing all the contracts to
which it is a partner.Capability Database
– associates services (e.g., provide IP audit data, filter packets, etc.) with the components which can provide those services.
– Each component has a database containing its own capabilities and, possibly, those of other components.