Title: IDS ?????
1 IDS ?????
- 2000. 12. 8
- ??????? ?????
- ? ? ?
- kjchae@ewha.ac.kr
2 ? ?
- IDWG ??
- Intrusion Detection Exchange Requirements
- Intrusion Detection Exchange Format
- Data Model
- IAP Intrusion Alert Protocol
- ? ?
3 IDWG ?? (1/3)
- Chairs
- Michael Erlinger (mike@cs.hmc.edu)
- Stuart Staniford-Chen (stanifor@cs.ucdavis.edu)
- ? 43? ?? ? ? ?? (98. 12)
- General Discussion: idwg-public@zurich.ibm.com
- To Subscribe: idwg-public-request@zurich.ibm.com
- Archive: http://www.semper.org/idwg-public/
4 IDWG ?? (2/3)
- ??
- IDS? ?? ???, ??? ??? ?? ???? ????? ??? ??? ???? ?? ??? ?? ? ?? ??? ??? ??
- WG outputs
- Requirements documents
- Common intrusion language specification (Data formats)
- Framework documents
5 IDWG ?? (3/3)
- Internet-Drafts
- Intrusion Detection Exchange Requirements
- Intrusion Detection Exchange Format Data Model
- IAP: Intrusion Alert Protocol
- Intrusion Detection Message Exchange Format: Extensible Markup Language (XML) Document Type Definition
- Intrusion Detection Message Exchange Format: Comparison of SMI and XML Implementations
- No RFC
6 Intrusion Detection Message Exchange Requirements <draft-ietf-idwg-requirements-02.txt>
7 ? ?
- IDS, ?? ???, ?? ??? ??? ??? ?? high-level ????? ??? (??? ?? ? ???? ??)
- IDEF
- IDS? ?????? ???? ???? ???? ??? ???? ?? ??
8 IDS ?? ? ??
9 ???? ???
- Analyzer? sensor? ?? ??? ????? ???? ??? ??? ? ???? ????, manager?? alert? ??
- Alert? ??? ???? ??? IDEF?? ???
- Analyzer? manager? ??? ????? ????, ???? TCP/IP ????? ??? ????? ??
10 ????
- ?? ????
- ??? ?? ????
- ?????? ????
- ??? ?? ? ?? ????
- ??? ?? ? ???? ????
11 ?? ????
- IDEF? ??? ??? RFC?? ???? ???? ?
- IDEF? IPv4? IPv6? ??? ???? ???? ?? ????? ?
12 ??? ?? ????
- IDEF ??? ???? ??? ???? ???? ???? ?
- IDEF ???? manager? ?? ???? filtering/aggregation? ???? ?
13 ?????? ????(1/2)
- IDEF? ???? ????? ??? ???? ?
- IDEF? ??? ???? ???? ??? ??? ???? ?? IDS ??????? ??? ??? ???? ?
- IDEF? analyzer? manager ???? ??? ???? ?
- IDEF? ??? ?? ?? ??? ??? ???? ???? ?
14 ?????? ????(2/2)
- IDEF ??? ??? ???? ???? ?
- IDEF ?? ????? IDEF ???? ???? ?? ????? ???? ?
- IDEF ?? ????? ??? ?? ??? ?? ? ??? ?
- IDEF ?? ????? ???? ??? ??? ?? ? ??? ?
15 ??? ??(1/5)
- IDEF ???? ??? ??? ??? ??
- ??? ???? ????? ?? ?? ?
- Signature-based detection system
- Anomaly-based detection system
- Correlation-based detection system
- Network-based detection system
- Host-based detection system
- Application-based detection system
16 ??? ??(2/5)
- IDEF ???? ??? ??? ???? ??, ? ???? ??? ??? ????? ?
- IDEF ???? ???? ???? ??? ?? ??? ???? ??? ? ??? ?
- IDEF ???? ??? ???? ??? ???? ?? ???? ??? ? ??? ? (Optional)
- IDEF ???? ???? ??? ??? ???? ??? ?? ??? ????? ?
17 ??? ??(3/5)
- IDEF ???? ?? ??? device address? ??? ? ??? ?
- IDEF ???? ????? ???? ??? ???? ?? ??? ????? ?
- IDEF ???? ???? ?? ???? analyzer? ?? ???? ???? ??? ?? ??? ????? ?
- IDEF ???? ???? ???? ??? analyzer? ???? ?? ? ??? ?? ??? ????? ?
18 ??? ??(4/5)
- IDEF ???? ???? ???? ???? ???? ??? ???? ?
- IDEF ???? ??? ???? ??? ??? ? ??? ? (Optional)
- IDEF ???? ?? IDEF ???? ??? ? ??? ???? ?? ????? ?
- IDEF? ? ???? ??? alert ?? ??? ??? ???? ? (????? ??? ?? ??? ??? ??? ? ??)
19 ??? ??(5/5)
- ??? ???? ???? ????? ????? time zone offset?? ????? ?
- ??? ???? ??? 2000?? ?? ??? ??? ??? ??, 2038?? ???? ?? ?? ??? ??? ?
- ??? ??? ?? ??? ???? IDEF? ?? ??? ??? ??
- IDEF ???? ????? ?? ?? ???? ???? ?? ??? ?? ????? ???? ? (Optional)
- IDEF ???? ??? ? ????? ?
20 Alert ???? Alert ????? ??
- IDEF alert? ?? ???? ?? ????? ?
- IDEF ? ??? ?? ????? ?
- Alert ???? ?? list? ???? ???? ?? ?? ????? ?
- ??? alert ???? ???? ????? ??? ??? ?????? ?
21 Intrusion Detection Exchange Format Data Model <draft-ietf-idwg-data-model-03.txt>
22 ? ? (1/2)
- IDEF? ?? ??? data model ??
- IDS?? ???? ?? (alert)? ???? ?? data model ??
- Object-oriented model? ??
- (1) Alert ??? ???
- ? Aggregation/subclassing? ?? ??
- (2) Tool ??? ?? (network traffic/OS logs/application audit info.)
- ? ?? data source?? ???? support class?? ??
- (3) Tool ??? ?? (lightweight / complex tool)
- ? Subclassing/association? ?? ??
- (4) ?? ??? ?? (network/operating system)
- ? NODE/SERVICE support class? ???? ??? ??? ??
- (5) ?????? ??? ??
- ? OO ??? ???? alert? ?? ? ? ?? ??? ???? ??
- ??? ??
23 ? ? (2/2)
- Design goals
- Representing events
- Analyzer/sensor? ??? ?? simple/complex alert ??
- Alert? ???? ???? data model ??
- Content driven
- ??? ???? ???? ??? ??? ?? ?? ???
- ????
- Data model? ???? ?
- Relationship between alerts
- Alert? ?? level? ?? ?? (simple/complex alerts)
- Low level? high level alert ??? ??? ???? ???
- ????? ?
24 Data analysis (1/3)
- ??? IDS? ?? ??? data?? ??
- 5 Network-based vendors
- 3 Host-based vendors
- 1 Anomaly-based vendor ??
- IDS ???? ? common/unique data elements ??
- Common data elements (NB: network-based, HB: host-based)
- NB: Source/Dest. IP addr., Source/Dest. port number, Protocol, Priority, Time, Packet data, String/Pattern, SA ID
- HB: Time, Attack source, Destination, Event/Activity naming
- Unique data elements
- NB: Number of attacks, Data collected on attack ?
- HB: Policy, System software ID, Process ID, Priority level ?
25 Data analysis (2/3)
- ?? ?? attack? ??? ?, 3?? ?? IDS?? ??? ??? ???
- Port scan attack
- Host? ???? ????? ???? ???? attack
- IP spoofing
- Originator? IP ??? ??? attack
- SYN flood attack
- ??? ??? ???? ???? connection request? ???? ?? ?? ??? ?? ??
- Buffer overflow
- ???? data? size boundary? ??? check?? ??? ?
- PHF attack
- Apache ???? ?? ??? ?? ??? ??? PHF script? ??
26 Data analysis (3/3)
- ?? ??
- ?? attack? ??? ?? IDS?? ?? ???? ??? ??? ?? ? ??
- Data model? alert? ????? ?? ????? ????? ???? ??? IDS vendor? ?? ???? ???? ?? ??? ??? ???? ?
- Data model? support class? ???? sensor? ?? ??? ??? ?? ?? (names/formats)?? ???? ??? ???
- Data model? alert? attribute ?? ??? alert?? ?? ??? ??? ? ??? ?
27 Data model (1/9)
- UML (Unified Modeling Language)? ???? ??
- Entity? ??? ??? ???? ?? framework ??
- Entity? class? ??
- Class? ??? attribute? ??
- ??? ?? (relationship)? ??
- Inheritance (open triangle /_\ in the diagrams): superclass/subclass type, an is-a or kind-of relationship
- Aggregation (<> diamond): part-of relationship
- multiplicity indicators ??
- Multiplicity indicators: class? ??? object ?
- 1: Exactly one
- 0..1: Zero or one
- 0..*: Zero or more
- 5..8: Specific range (5, 6, 7, 8)
- 1..*: One or more
28 Data model (2/9)
- Overview
- ALERT class: main component
- ANALYZER class: alert? sender
- CLASSIFICATION class: alert? subject
- Zero or more TARGET/SOURCE classes
- Subclassing? ?? ???? alert data ?? ??
- Data model? alert? ??? ???? ?????? ???? ?? ???, ?? alert type? ???? ? alert? ????? ?? ??? ??
29 Data model (3/9)
- Attribute? Types
- BOOLEAN: TRUE/FALSE
- INTEGER
- CHARACTER
- STRING
- BYTE: 8 bits, no parity
- TIME: ??? ???? structure/schema
- ENUM: INTEGER-based enumerated type
30 Data model (4/9)
31 Data model (5/9)
- Core of the data model
- ALERT class central component of the data model
- TOOLALERT class attack tool?? trojan horse? ???
??? ???? ?? ?? - CORRELATIONALERT class alert ??? ?? ??? ?? ????
?? ?? - OVERFLOWALERT class overflow attack? ??? ????
?? ?? - ANALYZER class alert? ???? analyzer? identify
- CLASSIFICATION class alert? ??? ???? ??
- TARGET class alert? target? ?? ?? ??
- SOURCE class alert? (possible) source ?? ??
32 Data model (6/9)
33 Data model (7/9)
- Support classes: ??? ??? ???? entities
- IDENT class: ?? support class?? superclass. Analyzer? manager? ?? ?? ??? object? ?? reference ??
- ADDRESS class: ?? ?? ?? (N/W, H/W, Appl. Addr.)
- USER class: ???? identify?? ??? ??? ??
- NODE class: ???? ???? ?? ??? identify ?? ??? ??? ??
- PROCESS class: ???? ?????? ?? ?? ??
- SERVICE class: ???? ??? ???? ???? ??? ??? identify
- WEBSERVICE class: ? ???? ??? ???? ?? ??
- SNMPSERVICE class: SNMP ???? ??? ???? ?? ??
34 Data model (8/9)
- Support-class diagram (UML figure; the class attributes and relationships it showed are listed here)
- IDENT: INTEGER ident (superclass of the support classes below, via the /_\ inheritance arrow)
- PROCESS: INTEGER pid, STRING name, STRING path, STRING arguments, STRING environ
- SERVICE: STRING name, INTEGER dport, INTEGER sport, STRING protocol
- NODE: STRING name, STRING location, INTEGER domain; aggregates (<>) 0..* ADDRESS
- ADDRESS: INTEGER category, STRING address, STRING netmask
- USER: INTEGER category, STRING name, INTEGER uid, STRING group, INTEGER gid, STRING serialID
- SNMPSERVICE (subclass of SERVICE): STRING Oid, STRING Community, STRING command
- WEBSERVICE (subclass of SERVICE): STRING url, STRING cgi, STRING method, STRING args
35 Data model (9/9)
- Data model? ??
- Alert? ??? ???? ??? ???? ?? vendor?? ?? ?? ????? ?
- Aggregation? ?? ??
- ??? class? ? ??? ? class? aggregate ?
- ?) Associate NAME class with ALERT class
- Subclassing? ?? ??
- Model? ?? ??? class? ? ??? specialize ?
- ?) Specialize SERVICE class into WEBSERVICE class
36 Example
- Teardrop attack
- ???? ??? ???? ??? ???? ??? ?? ??
- Alert.version: 1
- Alert.alertID: 14285812
- Alert.impact: 6
- Alert.time: 1999/12/02 10:01:25.34125 UTC2
- Alert.Analyzer.ident: 123123123
- Alert.Classification[0].origin: 3
- Alert.Classification[0].name: GENERIC-MAP-NOMATCH
- Alert.Classification[0].url: iap://my.ids.vendor/doc/teardrop
- Alert.Target[0].Node.Address.category: 2
- Alert.Target[0].Node.Address.data: 123.234.231.121
- Alert.Source[0].Node.Address.category: 2
- Alert.Source[0].Node.Address.data: 222.121.111.112
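The Teardrop lines above are a flattened view of the object model on the data-model slides. The following is an added example, not code from the deck or from draft-ietf-idwg-data-model: it builds that model as Python dataclasses and flattens it back into the same dotted-path notation, with aggregation as nested objects, 0..* aggregation as lists, subclassing as WEBSERVICE extending SERVICE, and TIME carrying its UTC offset as the requirements slide demands. The Python layout, the `[i]` index on every 0..* aggregation (the slide writes Node.Address without one), the ISO-8601 rendering of TIME with an assumed +02:00 offset, the omission of some class attributes, and the second, constructed web-probe alert are assumptions of this example.

```python
"""IDEF alert classes as Python dataclasses, flattened into the dotted-path notation
of the Teardrop example.  Added example; names follow the slides, the rest is assumed."""
from dataclasses import dataclass, field, fields, is_dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Ident:
    ident: Optional[int] = None          # IDENT: lets a manager refer back to the object

@dataclass
class Address(Ident):
    category: Optional[int] = None       # ENUM: N/W, H/W or application address
    data: Optional[str] = None           # `address` on the class slide, `data` in the example

@dataclass
class Node(Ident):                       # location/domain omitted in this example
    name: Optional[str] = None
    addresses: List[Address] = field(default_factory=list)   # NODE <>-- 0..* ADDRESS

@dataclass
class Service(Ident):                    # sport omitted in this example
    name: Optional[str] = None
    dport: Optional[int] = None
    protocol: Optional[str] = None

@dataclass
class WebService(Service):               # subclassing: WEBSERVICE specializes SERVICE
    url: Optional[str] = None
    method: Optional[str] = None

@dataclass
class Analyzer(Ident):
    pass

@dataclass
class Classification:
    origin: Optional[int] = None
    name: Optional[str] = None
    url: Optional[str] = None

@dataclass
class Target:
    node: Optional[Node] = None
    service: Optional[Service] = None    # may hold a WebService

@dataclass
class Source:
    node: Optional[Node] = None

@dataclass
class Alert:
    version: int = 1
    alertID: Optional[int] = None
    impact: Optional[int] = None
    time: Optional[datetime] = None      # TIME must carry its time-zone offset
    analyzer: Optional[Analyzer] = None
    classifications: List[Classification] = field(default_factory=list)   # 0..*
    targets: List[Target] = field(default_factory=list)                   # 0..*
    sources: List[Source] = field(default_factory=list)                   # 0..*


def flatten(obj, prefix: Optional[str] = None) -> List[str]:
    """Emit `Path.to.attribute: value` lines: aggregated objects appear under their class
    name, 0..* aggregations get an [index], unset attributes are left out."""
    prefix = prefix or type(obj).__name__
    lines: List[str] = []
    for f in fields(obj):
        value = getattr(obj, f.name)
        if value is None or value == []:
            continue
        if is_dataclass(value):
            lines += flatten(value, f"{prefix}.{type(value).__name__}")
        elif isinstance(value, list):
            for i, item in enumerate(value):
                lines += flatten(item, f"{prefix}.{type(item).__name__}[{i}]")
        else:
            shown = value.isoformat() if isinstance(value, datetime) else value
            lines.append(f"{prefix}.{f.name}: {shown}")
    return lines


def teardrop_alert() -> Alert:
    """The Teardrop alert from the slide, as objects (a +02:00 offset is assumed)."""
    return Alert(
        version=1, alertID=14285812, impact=6,
        time=datetime(1999, 12, 2, 10, 1, 25, 341250, tzinfo=timezone(timedelta(hours=2))),
        analyzer=Analyzer(ident=123123123),
        classifications=[Classification(origin=3, name="GENERIC-MAP-NOMATCH",
                                        url="iap://my.ids.vendor/doc/teardrop")],
        targets=[Target(node=Node(addresses=[Address(category=2, data="123.234.231.121")]))],
        sources=[Source(node=Node(addresses=[Address(category=2, data="222.121.111.112")]))])


def web_probe_alert() -> Alert:
    """Constructed alert with two targets and a WebService: 0..* aggregation plus subclassing."""
    web = WebService(name="http", dport=80, protocol="tcp", url="/cgi-bin/phf", method="GET")
    return Alert(
        alertID=14285813, impact=4, time=datetime(1999, 12, 2, 10, 2, 0, tzinfo=timezone.utc),
        analyzer=Analyzer(ident=123123123),
        classifications=[Classification(origin=3, name="WEB-PHF-PROBE")],
        targets=[Target(node=Node(addresses=[Address(category=2, data="123.234.231.121")]), service=web),
                 Target(node=Node(addresses=[Address(category=2, data="123.234.231.122")]))],
        sources=[Source(node=Node(addresses=[Address(category=2, data="222.121.111.112")]))])
```

Calling `flatten(teardrop_alert())` reproduces the twelve lines of the slide (with `Address[0]` where the slide has `Address`), and `flatten(web_probe_alert())` shows why the model is content driven: the lightweight sensor's alert and the complex tool's alert differ only in how many paths are present, and a specialized class shows up under its own name (`Target[0].WebService.url`) without any change to the flattening code.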
37 Security considerations
- ???? entity? ??? ???? ???? ?? ???? ?? ????? ???? ?
- Data model ??? security consideration? ??? ?? ??
38 Intrusion Alert Protocol (IAP/0.3) <draft-ietf-idwg-iap-01.txt>
39 ? ?
- ? ?
- IAP? IP ???? ??? ???? ?? ??? ?? (sensor/analyzers ? managers)? ?? ?? ??? (Intrusion alert data)? ???? ?? ?? ??? ????
- ? ?
- ??? ??? alert data? IP ????? ?? ???? ?? ???? ?? ? ?? ??? ??? ? ??? ??
- ?????? ???? sensor/analyzers? ????, ??? ?? ? ??? ??
- IAP? ???? ????? TCP? ??
40 Operation (1/2)
- Sensor/analyzer? alert data? manager
- ?? ??
- Sensor/analyzer ???? ??? ????
- alert data? ??
- Manager Alert data? ??? ????? ??
- ???, ??????? ?????,
- ??? ??? ??
41 Operation (2/2)
- The simplest case
- More than one intermediary
- SA: Sensor/Analyzer, M: Manager, P: Proxy, G: Gateway
42 IAP Communication Model
- IAP ??? TCP ??? ???
- TCP ??? HTTP? ??? request/response? ??? (?? Initiator? SA/M ??)
- Phases
- Setup phase
- Data phase
- Proxies
- IAP ???? ??? ?? ??
- ??? ???? ?? ?? ???
- Alert? ?? ??? ??? ?? ??? Rewrite ??
43 IAP Setup Phase (1/2)
- TCP setup
- iap-connect-request/iap-response (success 200, failure 403)
- Proxy: iap-proxy-via? ????, receiving entity? ???
- Security setup
- iap-upgrade-request/iap-response? ??? ??? upgrade ?? ?? ???
- Handshake: TLS 1.0 protocol ????? ??, ?? ????, ?? ??? ???? ??? ?? (analyzer? ??)
- Channel setup
- TLS record layer? ???? ??? ??, ?? ??
- iap-channel-setup-request/iap-response? ???? IAP ??? ????, ???? ??? payload? ??? ??
44 IAP Setup Phase (2/2)
- Secured data transport
- ???? IDEF alerts? TLS record layer ??? sensor/analyzer? ?? manager? ???
- Termination
- Sender: TLS close-notify alert? ??
- Recipient: ???? close-notify alert? ??
45 Setup Phase (message sequence through a proxy: SA -> Proxy -> M)
- iap-connect-request (SA -> Proxy)
- iap-connect-request (Proxy -> M); the proxy is now a transparent forwarding agent
- iap-response (M -> Proxy)
- iap-response (Proxy -> SA)
- iap-upgrade-request
- iap-response
- TLS handshake negotiation; once the TLS handshake has completed, data is sent using the TLS record layer
- iap-channel-setup-request
- iap-response
- Data Phase
- iap-content
- iap-response
46 IAP Wire Protocol: Syntax
- IAP? IDEF alert? ??? ?? HTTP/1.1 syntax? ??? ??? (?, request/response? setup phase ?? IAP version number? prefix ?)
- Request/response? CRLF? ??
- IAP ???
- iap-message = ( iap-connect-request | iap-upgrade-request | iap-channel-setup-request | iap-content | iap-response ) CRLF
- Version
- iap-t-version = "IAP/0.3"
- TCP connection initiator? ??
- sender-receiver = "Sender" | "Receiver"
47 IAP Wire Protocol ??? (1/2)
- iap-response
- iap-connect-request
- iap-upgrade-request
48 IAP Wire Protocol ??? (2/2)
- iap-channel-setup-request
- iap-content
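The setup and data phases of slides 42 to 48, as an added example that is not code from the deck or from draft-ietf-idwg-iap: a manager that enforces the connect -> upgrade -> channel-setup -> content order and answers 200 or 403, a proxy that tags the connect request with iap-proxy-via and then relays everything transparently, and a sensor/analyzer that walks the phases and stops if any setup step fails. The message names, response codes, header name and phase order come from the slides; the HTTP/1.1-like line layout, the Content-Type header and the in-memory stand-in for the TLS 1.0 handshake are assumptions of this example, and no real TLS is performed.

```python
"""IAP/0.3 setup and data phases as an in-memory exchange between a sensor/analyzer,
a proxy and a manager.  Added example; message names, 200/403 and the phase order
follow the slides, the line layout and the TLS stand-in are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

CRLF = "\r\n"
VERSION = "IAP/0.3"
REQUESTS = ("iap-connect-request", "iap-upgrade-request",
            "iap-channel-setup-request", "iap-content")


@dataclass
class Message:
    kind: str                              # one of REQUESTS, or "iap-response"
    code: Optional[int] = None             # responses only: 200 success, 403 failure
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def wire(self) -> str:
        # HTTP/1.1-like: start line carrying the IAP version, headers, blank line, body.
        start = (f"{VERSION} {self.code}" if self.kind == "iap-response"
                 else f"{self.kind} {VERSION}")
        return CRLF.join([start, *(f"{k}: {v}" for k, v in self.headers.items()), "", self.body])


def parse(wire: str) -> Message:
    head, _, body = wire.partition(CRLF + CRLF)
    start, *raw = head.split(CRLF)
    headers = dict(h.split(": ", 1) for h in raw)
    first, second = start.split(" ", 1)
    if first == VERSION:
        return Message("iap-response", int(second), headers, body)
    if second != VERSION or first not in REQUESTS:
        raise ValueError(f"bad IAP start line: {start!r}")
    return Message(first, None, headers, body)


def respond(code: int) -> str:
    return Message("iap-response", code).wire()


class Manager:
    """Receiving entity: a strict phase machine tcp -> connected -> upgraded -> channel.
    Anything out of order, including alert data before the TLS upgrade, gets 403."""

    def __init__(self) -> None:
        self.phase = "tcp"
        self.proxy_via: List[str] = []
        self.alerts: List[str] = []

    def send(self, wire: str) -> str:
        try:
            msg = parse(wire)
        except ValueError:
            return respond(403)
        if msg.kind == "iap-connect-request" and self.phase == "tcp":
            via = msg.headers.get("iap-proxy-via")
            self.proxy_via = via.split(", ") if via else []
            self.phase = "connected"
        elif msg.kind == "iap-upgrade-request" and self.phase == "connected":
            self.phase = "upgraded"        # the TLS 1.0 handshake would run here
        elif msg.kind == "iap-channel-setup-request" and self.phase == "upgraded":
            self.phase = "channel"         # from here on the TLS record layer carries everything
        elif msg.kind == "iap-content" and self.phase == "channel":
            self.alerts.append(msg.body)
        else:
            return respond(403)
        return respond(200)


class Proxy:
    """Intermediary: records itself in iap-proxy-via on the connect request, then just relays."""

    def __init__(self, name: str, upstream: Union["Proxy", Manager]) -> None:
        self.name, self.upstream, self.transparent = name, upstream, False

    def send(self, wire: str) -> str:
        if not self.transparent:
            msg = parse(wire)
            if msg.kind != "iap-connect-request":
                return respond(403)        # nothing else is allowed before the connection is set up
            via = msg.headers.get("iap-proxy-via")
            msg.headers["iap-proxy-via"] = f"{via}, {self.name}" if via else self.name
            wire, self.transparent = msg.wire(), True
        return self.upstream.send(wire)    # TLS bytes would pass through untouched


def run_session(peer: Union[Proxy, Manager], alerts: List[str]) -> List[int]:
    """Sensor/analyzer side: walk the setup phase, then push IDEF alerts. Returns the codes seen."""
    codes: List[int] = []
    for kind in ("iap-connect-request", "iap-upgrade-request", "iap-channel-setup-request"):
        codes.append(parse(peer.send(Message(kind).wire())).code)
        if codes[-1] != 200:
            return codes                   # setup failed: no alert data goes on the wire
    for alert in alerts:
        msg = Message("iap-content", headers={"Content-Type": "text/plain"}, body=alert)
        codes.append(parse(peer.send(msg.wire())).code)
    return codes
```

`run_session(Proxy("proxy.example", Manager()), [...])` yields `[200, 200, 200, 200]` for one alert, and the manager ends up with `proxy_via == ["proxy.example"]`; sending `iap-content` to a fresh manager, or an upgrade request through a proxy that has not seen the connect request yet, is answered with 403, which is the property the setup phase exists to enforce.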
49 Security Considerations
- Fast unreliable delivery
- -> SNMP trap? ???? alert? ??
- TCP? ????? ?? 3-message handshake ??? ??? ?? ?? ??
- ?? ??? IP ??? ???
- ??? ?? ??? peer? ??? ???? ??? ??? ???? ? ??? ?
- pkix WG?? ???? ?? ??? ????? ??
- ???? ??? ???? alert? ?? ?? ??
- -> ???? pad?? ??? ??? ?? ??? ?? ?
- Proxy? ?? ??? ??? ? ??? ????? ?
50 XML Document Type Definition
- XML DTD
- XML? element, attribute, value? ??
- XML? IDMEF? ?? ????? ??
- ??? ??? ???/???? ??
- ??? ??? filtering/aggregation? ??
- IDMEF? alert ???? XML? ?? ?
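What the XML slide claims, as an added example that is not the IDMEF DTD and not code from the deck: alerts written in the dotted-path notation of the data-model example are turned into an XML tree whose element names are the class names from the path and whose scalar attributes become XML attributes, and that tree is then filtered and aggregated with ElementTree. The `<AlertList>` container, the attribute-based mapping, the assumed +2 offset on the Teardrop time and the two PHF-probe alerts are constructed for this example; the real IDMEF DTD defines its own element names.

```python
"""Dotted-path alert lines -> XML, then filtering/aggregation over the XML tree.
Added example; element names are the class names in the paths, the rest is assumed."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

SEGMENT = re.compile(r"^(\w+)(?:\[(\d+)\])?$")   # Target[0], Node, data ...

# Constructed input: the Teardrop alert from the example slide (offset sign assumed),
# followed by two made-up PHF probe alerts against the same web server.
SAMPLE = """\
Alert.version: 1
Alert.alertID: 14285812
Alert.impact: 6
Alert.time: 1999/12/02 10:01:25.34125 UTC+2
Alert.Analyzer.ident: 123123123
Alert.Classification[0].origin: 3
Alert.Classification[0].name: GENERIC-MAP-NOMATCH
Alert.Classification[0].url: iap://my.ids.vendor/doc/teardrop
Alert.Target[0].Node.Address.category: 2
Alert.Target[0].Node.Address.data: 123.234.231.121
Alert.Source[0].Node.Address.category: 2
Alert.Source[0].Node.Address.data: 222.121.111.112

Alert.version: 1
Alert.alertID: 14285813
Alert.Classification[0].name: WEB-PHF-PROBE
Alert.Target[0].Node.Address.data: 123.234.231.121
Alert.Target[0].WebService.url: /cgi-bin/phf
Alert.Source[0].Node.Address.data: 10.9.8.7

Alert.version: 1
Alert.alertID: 14285814
Alert.Classification[0].name: WEB-PHF-PROBE
Alert.Target[0].Node.Address.data: 123.234.231.121
Alert.Target[0].WebService.url: /cgi-bin/phf
Alert.Source[0].Node.Address.data: 10.9.8.7
"""


def alert_to_xml(lines: List[str]) -> ET.Element:
    """Build one <Alert> element from its `path: value` lines."""
    root = ET.Element("Alert")
    for line in lines:
        path, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"not a 'path: value' line: {line!r}")
        *steps, leaf = path.split(".")
        if not steps or steps[0] != "Alert":
            raise ValueError(f"path does not start at Alert: {path!r}")
        node = root
        for step in steps[1:]:
            m = SEGMENT.match(step)
            if m is None:
                raise ValueError(f"bad path segment: {step!r}")
            tag, index = m.group(1), int(m.group(2) or 0)   # no index: the only one
            children = node.findall(tag)
            while len(children) <= index:                    # create aggregates on demand
                children.append(ET.SubElement(node, tag))
            node = children[index]
        node.set(leaf, value)                                # scalar -> XML attribute
    return root


def build_document(text: str) -> ET.Element:
    """One <AlertList> holding every blank-line-separated alert block in `text`."""
    doc = ET.Element("AlertList")
    for block in text.strip().split("\n\n"):
        doc.append(alert_to_xml(block.splitlines()))
    return doc


def alerts_targeting(doc: ET.Element, net_prefix: str) -> List[str]:
    """Filtering: IDs of alerts with a target address under a dotted prefix (string match)."""
    return [a.get("alertID") for a in doc.findall("Alert")
            if any(addr.get("data", "").startswith(net_prefix)
                   for addr in a.findall("Target/Node/Address"))]


def count_by_classification(doc: ET.Element) -> Dict[str, int]:
    """Aggregation: how many alerts carry each classification name."""
    return dict(Counter(c.get("name") for c in doc.findall("Alert/Classification")))


if __name__ == "__main__":
    document = build_document(SAMPLE)
    print(ET.tostring(document, encoding="unicode"))
    print(alerts_targeting(document, "123.234."), count_by_classification(document))
```

The filter and the count are each a single ElementTree path expression over the tree, which is the point the slide makes about XML: once the alert is a document with named elements, a manager's filtering and aggregation are queries rather than parsers.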
51 IDMEF: Comparison of SMI and XML Implementations
- SMI: MIB?? ???? datatype? ????, MIB ??? ?? ? ???? ?? ??
- 2000? 2? ???? XML ??
- XML? ???
- XML? ??? ??
- -> ??? ??? ?? ??
- XML? ?? ? ?????? ???? Tell-only ??? ??
52 ? ?
- IDS? ?? ?? ??
- ??? IDS?? ????? ??? ?? ??? ?? -> IDWG? ??
- ??? ??? IDS ??
- IETF ?? ?? ??? ??? ?? ??? ?? ?? ??? ???