Report on Common Intrusion Detection Framework By Ganesh Godavari

Page 1: Report on Common Intrusion Detection Framework

Report on Common Intrusion Detection Framework

By Ganesh Godavari

Page 2: Outline of the talk

• CIDF
• GIDO
• GIDO Filters

Page 3: Goal

• Goal of IDIAN
  – Develop a negotiation protocol that is dynamic
  – Allow distributed collection of heterogeneous ID components
  – Provide inter-operability to reach agreement on ID information processing capability

Page 4: Motivation

• Understand
  – Common Intrusion Detection Framework (CIDF)
  – Common Intrusion Specification Language (CISL)

Page 5: Scenario 1: a new capability

A new host machine with a detection component is added to the LAN.

The network is under a connection laundering attack. Solution?

Page 6: Solution

• The analysis component detects the number of inbound and outbound connections for the service provided by the host.

Page 7: Scenario 2: flooding the IDS

A stolen company laptop with a detection component is used to launch an attack.

The hacker generates a lot of spurious audit data to deflect suspicion. A second host is also compromised, generating more audit data and crashing the central IDS.

Page 8: Common Intrusion Detection Framework (CIDF)

• CIDF architecture
  – Divides an IDS into components
  – A component consists of software code with configuration information
  – Components can be added/removed
  – Components interact in real time and exchange data using GIDOs

Page 9: CIDF components

• Components
  – Event generators ("E-boxes")
    • Produce GIDOs
  – Event analyzers ("A-boxes")
    • Consume GIDOs
    • Conclusions are output as GIDOs
  – Event databases ("D-boxes")
    • Store events for later retrieval
  – Response units ("R-boxes")
    • Consume GIDOs
    • Take actions such as killing a process or resetting connections

Page 10: Generalized Intrusion Detection Objects (GIDO)

• A GIDO consists of two components
  – Fixed-format header
    • CIDF version, timestamp, and length of body
  – Variable-length body
    • data

Page 11: GIDO body

    (ByMeansOf
      (Attack
        (Observer (ProcessName `StackGuard'))
        (Target (HostName `somehost.someplace.net'))
        (AttackSpecifics (Certainty `100') (Severity `100') (AttackID `1' `0x4f'))
        (Outcome (CIDFReturnCode `2'))
        (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999')))
      (ByMeansOf
        (Execute
          (Process (ProcessName `fingerd'))
          (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999')))))

Slide callouts on the body: data; Semantic Identifier (SID); where the attack occurred; which process detected it; where the attack is targeted.

StackGuard is a compiler that emits programs hardened against "stack smashing" attacks.

Page 12

• A SID is associated with each piece of data in the body
• SIDs associated with data are called Atom SIDs
• An Atom SID cannot completely describe an event
• Verbs describe events
  – e.g. the Attack SID
• A Verb SID has a set of Role SIDs which provide additional information about the event
  – e.g. the Observer Role provides information about the observer of an event

Page 13: Example

V is a verb SID, R1 and R2 are role SIDs, and A1 through A3 are Atom SIDs.

S-expression:

    (V
      (R1 (A1 data1) (A2 data2))
      (R2 (A3 data3)))

Tree representation: figure on the slide (V at the root, R1 and R2 as its children, the atoms as leaves).

Page 14: IDIAN Components

• IDIAN architecture components
  – Detection
    • Sensors like audit mechanisms and packet sniffers
    • Record activity
  – Analysis
    • Detect attacks
  – Response
    • Accept commands to take specific action to stop attacks

Page 15: IDIAN component interaction

• The analysis component uses recorded activity to detect attacks

Figure on the slide: Detection -> (Recorded Activity) -> Analysis -> (Specific Action Commands) -> Response

Page 16: GIDO Filters

• GIDO Filter
  – A method of describing a set of GIDOs
  – Uses the same basic structure as GIDOs
  – Interesting fields identified in the filter can easily be extracted from a GIDO, filtering out unneeded information

The major difference between a GIDO and a filter is in the body.

Page 17: GIDO filter requirements

• GIDO filter requirements
  – Expressive
    • Ability to specify all sets of useful GIDOs
    • Ability to specify sets of hosts and users
  – Precise
    • Ability to determine whether or not a GIDO satisfies a filter
  – Allow the extraction of particular data values from matching GIDOs
  – The filter language must allow for efficient implementation of encoding, decoding and matching GIDOs to filters
  – Easy to construct filters from subsets of existing filters
  – Easy to determine if a filter is equivalent to a null filter (no matching GIDO)

Page 18: Sample filter

    (Filter
      (Fragment
        (Attack
          (observer (ProcessName `observer:exp1'))
          (Target (HostName `target:exp2'))))
      (Permit `ByMeansOf')
      (variables `observer' `target'))

• The GIDO in Figure 1 matches the fragment in Figure 2, with the variables observer and target instantiating to `StackGuard' and `somehost.someplace.net' respectively.

Slide callout on Fragment: specifies a piece of a GIDO.
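Added worked example (not from the slides or the CIDF documents): a small parser for the S-expression form shown on Page 13, and a matcher that applies the Page 18 filter to the Page 11 GIDO body, binding the filter variables. The `name:expN' variable convention, case-insensitive SID comparison and the Permit handling are assumptions about the slides' notation.

```python
# Added example, not from the slides: parse a CISL S-expression into a [SID, child, ...]
# tree and match a GIDO Filter's Fragment against a GIDO, binding `name:expN' variables.
import re
TOKEN = re.compile(r"[()]|`([^']*)'|[^\s()]+")

def parse(text):
    stack = [[]]  # open nodes; stack[0] receives the finished tree
    for m in TOKEN.finditer(text):
        if m.group(0) == "(":
            stack.append([])
        elif m.group(0) == ")":
            stack[-2].append(stack.pop())
        else:  # bare token is a SID name, `quoted' token is a data value
            stack[-1].append(m.group(0) if m.group(1) is None else m.group(1))
    return stack[0][0]

def match(frag, node, variables, bindings):
    """Each fragment child must match some child of node, in any order; SIDs compare
    case-insensitively (assumption), data must be equal unless it names a variable."""
    if frag[0].lower() != node[0].lower():
        return False
    for f in frag[1:]:
        if isinstance(f, list):  # role/verb sub-tree: some child of node must match it
            if not any(isinstance(g, list) and match(f, g, variables, bindings) for g in node[1:]):
                return False
        elif ":" in f and f.split(":")[0] in variables:  # bind variable to the GIDO's data
            data = [g for g in node[1:] if isinstance(g, str)]
            if not data or bindings.setdefault(f.split(":")[0], data[0]) != data[0]:
                return False
        elif f not in node[1:]:  # literal data must appear among node's data values
            return False
    return True

def apply_filter(filter_text, gido_text):
    """Bindings dict if the GIDO matches, else None; the Fragment may sit below any Permitted verb."""
    parts = {c[0].lower(): c[1:] for c in parse(filter_text)[1:]}
    fragment, permit, variables = parts["fragment"][0], parts.get("permit", []), parts.get("variables", [])
    todo = [parse(gido_text)]
    while todo:
        node, bindings = todo.pop(0), {}
        if match(fragment, node, variables, bindings):
            return bindings
        if node[0] in permit:
            todo += [c for c in node[1:] if isinstance(c, list)]
    return None
# Constructed sample: the slides' GIDO body (abbreviated) and the slides' sample filter.
GIDO = """(ByMeansOf (Attack (Observer (ProcessName `StackGuard')) (Target (HostName `somehost.someplace.net'))
   (AttackSpecifics (Certainty `100') (Severity `100') (AttackID `1' `0x4f')) (Outcome (CIDFReturnCode `2')))
 (ByMeansOf (Execute (Process (ProcessName `fingerd')))))"""
FILTER = """(Filter (Fragment (Attack (observer (ProcessName `observer:exp1')) (Target (HostName `target:exp2'))))
  (Permit `ByMeansOf') (variables `observer' `target'))"""
```

`apply_filter(FILTER, GIDO)` returns the two bindings the slide describes; a GIDO whose Attack lacks a Target role, or whose top-level verb is not Permitted, returns None.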

Page 19: References

• Intrusion Detection Inter-component Adaptive Negotiation. Richard Feiertag et al., 2000, IEEE Computer Networks special issue on intrusion detection.
• A Common Intrusion Specification Language. CIDF working group document.
• Communication in the Common Intrusion Detection Framework. CIDF working group document.

Page 20: Negotiation Protocol

• The IDIAN negotiation protocol allows components to
  – Discover the services of other components
  – Negotiate for the use of those services
  – Intelligently manage the use of IDS resources by components
  – Dynamically adjust the use of services, perhaps in order to respond to changes in the environment

Page 21

Agreement
  – A relationship between a producer and a consumer.
  – Specifies a set of services which the producer must provide to the consumer.
  – Example: an event generator may agree to provide a particular set of audit data to an analyzer. At a minimum, an agreement must specify the producer, the consumer, and the set of services to be provided.

Contract
  – A set of agreements, each of which involves the same producer and consumer (the partners to the contract).
  – Exactly one agreement in a contract is in effect.

Contract Database
  – A set of contracts.
  – Every component has a contract database containing all the contracts to which it is a partner.

Capability Database
  – Associates services (e.g., provide IP audit data, filter packets, etc.) with the components which can provide those services.
  – Each component has a database containing its own capabilities and, possibly, those of other components.