IDS ?????

About This Presentation
Title:

IDS ?????

Description:

IDS 2000. 12. 8 kjchae@ewha.ac.kr IDWG Intrusion Detection Exchange Requirements ...

Slides: 52
Provided by: Boyo4

Transcript and Presenter's Notes


1
IDS ?????
  • 2000. 12. 8
  • ??????? ?????
  • ? ? ?
  • kjchae@ewha.ac.kr

2
? ?
  • IDWG ??
  • Intrusion Detection Exchange Requirements
  • Intrusion Detection Exchange Format
  • Data Model
  • IAP Intrusion Alert Protocol
  • ? ?

3
IDWG ??(1/3)
  • Chairs
  • Michael Erlinger (mike@cs.hmc.edu)
  • Stuart Staniford-Chen (stanifor@cs.ucdavis.edu)
  • ? 43? ?? ? ? ?? (98. 12)
  • General Discussion: idwg-public@zurich.ibm.com
  • To Subscribe: idwg-public-request@zurich.ibm.com
  • Archive: http://www.semper.org/idwg-public/

4
IDWG ?? (2/3)
  • ??
  • IDS? ?? ???, ??? ??? ?? ???? ????? ??? ??? ????
    ?? ??? ?? ? ?? ??? ??? ??
  • WG? Outputs
  • Requirements documents
  • Common intrusion language specification
  • (Data formats)
  • Framework documents

5
IDWG ?? (3/3)
  • Internet-Drafts
  • Intrusion Detection Exchange Requirements
  • Intrusion Detection Exchange Format Data Model
  • IAP Intrusion Alert Protocol
  • Intrusion Detection Message Exchange Format
    Extensible Markup Language (XML) Document Type
    Definition
  • Intrusion Detection Message Exchange Format
    Comparison of SMI and XML Implementations
  • No RFC

6
Intrusion Detection Message Exchange Requirements <draft-ietf-idwg-requirements-02.txt>
7
? ?
  • IDS, ?? ???, ?? ??? ??? ??? ?? high-level ?????
    ??? (??? ?? ? ???? ??)
  • IDEF
  • IDS? ?????? ???? ???? ???? ??? ???? ?? ??

8
IDS ?? ? ??
9
???? ???
  • Analyzer? sensor? ?? ??? ????? ???? ??? ??? ?
    ???? ????, manager?? alert? ??
  • Alert? ??? ???? ??? IDEF?? ???
  • Analyzer? manager? ??? ????? ????, ???? TCP/IP
    ????? ??? ????? ??

10
????
  • ?? ????
  • ??? ?? ????
  • ?????? ????
  • ??? ?? ? ?? ????
  • ??? ?? ? ???? ????

11
?? ????
  • IDEF? ??? ??? RFC?? ???? ???? ?
  • IDEF? IPv4? IPv6? ??? ???? ???? ?? ????? ?

12
??? ?? ????
  • IDEF ??? ???? ??? ???? ???? ???? ?
  • IDEF ???? manager? ?? ???? filtering/aggregation?
    ???? ?

13
?????? ????(1/2)
  • IDEF? ???? ????? ??? ???? ?
  • IDEF? ??? ???? ???? ??? ??? ???? ?? IDS ???????
    ??? ??? ???? ?
  • IDEF? analyzer? manager ???? ??? ???? ?
  • IDEF? ??? ?? ?? ??? ??? ???? ???? ?

14
?????? ????(2/2)
  • IDEF ??? ??? ???? ???? ?
  • IDEF ?? ????? IDEF ???? ???? ?? ????? ???? ?
  • IDEF ?? ????? ??? ?? ??? ?? ? ??? ?
  • IDEF ?? ????? ???? ??? ??? ?? ? ??? ?

15
??? ??(1/5)
  • IDEF ???? ??? ??? ??? ??
  • ??? ???? ????? ?? ?? ?
  • Signature-based detection system
  • Anomaly-based detection system
  • Correlation-based detection system
  • Network-based detection system
  • Host-based detection system
  • Application-based detection system

16
??? ??(2/5)
  • IDEF ???? ??? ??? ???? ??, ? ???? ??? ??? ????? ?
  • IDEF ???? ???? ???? ??? ?? ??? ???? ??? ? ??? ?
  • IDEF ???? ??? ???? ??? ???? ?? ???? ??? ? ???
    ?(Optional)
  • IDEF ???? ???? ??? ??? ???? ??? ?? ??? ????? ?

17
??? ??(3/5)
  • IDEF ???? ?? ??? device address? ??? ? ??? ?
  • IDEF ???? ????? ???? ??? ???? ?? ??? ????? ?
  • IDEF ???? ???? ?? ???? analyzer? ?? ???? ???? ???
    ?? ??? ????? ?
  • IDEF ???? ???? ???? ??? analyzer? ???? ?? ? ???
    ?? ??? ????? ?

18
??? ??(4/5)
  • IDEF ???? ???? ???? ???? ???? ??? ???? ?
  • IDEF ???? ??? ???? ??? ??? ? ??? ? (Optional)
  • IDEF ???? ?? IDEF ???? ??? ? ??? ???? ?? ????? ?
  • IDEF? ? ???? ??? alert ?? ??? ??? ???? ? (?????
    ??? ?? ??? ??? ??? ? ??)

19
??? ??(5/5)
  • ??? ???? ???? ????? ????? time zone offset??
    ????? ?
  • ??? ???? ??? 2000?? ?? ??? ??? ??? ??, 2038??
    ???? ?? ?? ??? ??? ?
  • ??? ??? ?? ??? ???? IDEF? ?? ??? ??? ??
  • IDEF ???? ????? ?? ?? ???? ???? ?? ??? ?? ?????
    ???? ? (Optional)
  • IDEF ???? ??? ? ????? ?

20
Alert ???? Alert ????? ??
  • IDEF alert? ?? ???? ?? ????? ?
  • IDEF ? ??? ?? ????? ?
  • Alert ???? ?? list? ???? ???? ?? ?? ????? ?
  • ??? alert ???? ???? ????? ??? ??? ?????? ?

21
Intrusion Detection Exchange Format Data Model <draft-ietf-idwg-data-model-03.txt>
22
? ? (1/2)
  • IDEF? ?? ??? data model ??
  • IDS?? ???? ?? (alert)? ???? ?? data model ??
  • Object-oriented model? ??
  • (1) Alert ??? ???
  • ? Aggregation/subclassing? ?? ??
  • (2) Tool ??? ?? (network traffic/OS
    logs/application audit info.)
  • ? ?? data source?? ???? support class?? ??
  • (3) Tool ??? ?? (lightweight / complex tool)
  • ? Subclassing/association? ?? ??
  • (4) ?? ??? ?? (network/operating system)
  • ? NODE/SERVICE support class? ???? ??? ??? ??
  • (5) ?????? ??? ??
  • ? OO ??? ???? alert? ?? ? ? ?? ??? ???? ??
  • ??? ??

23
? ? (2/2)
  • Design goals
  • Representing events
  • Analyzer/sensor? ??? ?? simple/complex alert ??
  • Alert? ???? ???? data model ??
  • Content driven
  • ??? ???? ???? ??? ??? ?? ?? ???
  • ????
  • Data model? ???? ?
  • Relationship between alerts
  • Alert? ?? level? ?? ?? (simple/complex alerts)
  • Low level? high level alert ??? ??? ???? ???
  • ????? ?

24
Data analysis (1/3)
  • ??? IDS? ?? ??? data?? ??
  • 5?? Network-based vendors
  • 3?? Host-based vendors
  • 1?? Anomaly-based vendor ??
  • IDS ???? ? common/unique data elements ??
  • Common data elements
  • NB Source/Dest. IP addr., Source/Dest. port
    number, Protocol, Priority, Time, Packet data,
    String/Pattern, SA ID
  • HB Time, Attack source, Destination,
    Event/Activity naming
  • Unique data elements
  • NB Number of attacks, Data collected on attack
    ?
  • HB Policy, System software ID, Process ID,
    Priority level ?

25
Data analysis (2/3)
  • ?? ?? attack? ??? ?, 3?? ?? IDS?? ??? ??? ???
  • Port scan attack
  • Host? ???? ????? ???? ???? attack
  • IP spoofing
  • Originator? IP ??? ??? attack
  • SYN flood attack
  • ??? ??? ???? ???? connection request? ???? ?? ??
    ??? ?? ??
  • Buffer overflow
  • ???? data? size boundary? ??? check?? ??? ?
  • PHF attack
  • Apache ???? ?? ??? ?? ??? ??? PHF script? ??

26
Data analysis (3/3)
  • ?? ??
  • ?? attack? ??? ?? IDS?? ?? ???? ??? ??? ?? ? ??
  • Data model? alert? ????? ?? ????? ????? ???? ???
    IDS vendor? ?? ???? ???? ?? ??? ??? ???? ?
  • Data model? support class? ???? sensor? ?? ???
    ??? ?? ?? (names/formats)?? ???? ??? ???
  • Data model? alert? attribute ?? ??? alert?? ??
    ??? ??? ? ??? ?

27
Data model (1/9)
  • UML(Universal Modeling Language)? ???? ??
  • Entity? ??? ??? ???? ?? framework ??
  • Entity? class? ??
  • Class? ??? attribute? ??
  • ??? ?? (relationship)? ??
  • Inheritance (?) superclass/subclass type, is-a or kind-of relationship
  • Aggregation (<>) part-of relationship
  • multiplicity indicators ??
  • Multiplicity indicators class? ??? object ?
  • 1: Exactly One
  • 0..1: Zero or One
  • 0..*: Zero or More
  • 1..*: One or More
  • 5..8: Specific Range (5, 6, 7, 8)

28
Data model (2/9)
  • Overview
  • ALERT class main component
  • ANALYZER class alert? sender
  • CLASSIFICATION class alert? subject
  • Zero or more TARGET/SOURCE class
  • Subclassing? ?? ???? alert data ?? ??
  • Data model? alert? ??? ???? ?????? ???? ?? ???,
    ?? alert type? ???? ? alert? ????? ?? ??? ??

29
Data model (3/9)
  • Attribute? Types
  • BOOLEAN TRUE/FALSE
  • INTEGER
  • CHARACTER
  • STRING
  • BYTE 8 bits, no parity
  • TIME ??? ???? structure/schema
  • ENUM INTEGER-based enumerated type

30
Data model (4/9)
31
Data model (5/9)
  • Core of the data model
  • ALERT class central component of the data model
  • TOOLALERT class attack tool?? trojan horse? ???
    ??? ???? ?? ??
  • CORRELATIONALERT class alert ??? ?? ??? ?? ????
    ?? ??
  • OVERFLOWALERT class overflow attack? ??? ????
    ?? ??
  • ANALYZER class alert? ???? analyzer? identify
  • CLASSIFICATION class alert? ??? ???? ??
  • TARGET class alert? target? ?? ?? ??
  • SOURCE class alert? (possible) source ?? ??

32
Data model (6/9)
33
Data model (7/9)
  • Support classes ??? ??? ???? entities
  • IDENT class ?? support class?? superclass.
    Analyzer? manager? ?? ?? ??? object? ?? reference
    ??
  • ADDRESS class ?? ?? ?? (N/W, H/W, Appl. Addr.)
  • USER class ???? identify?? ??? ??? ??
  • NODE class ???? ???? ?? ??? identify ?? ??? ???
    ??
  • PROCESS class ???? ?????? ?? ?? ??
  • SERVICE class ???? ??? ???? ???? ??? ???
    identify
  • WEBSERVICE class ? ???? ??? ???? ?? ??
  • SNMPSERVICE class SNMP ???? ??? ???? ?? ??

34
Data model (8/9)
  [Class diagram of the support classes (slide 34). Recoverable from the figure: the inheritance arrow descends from IDENT to the other support classes, the aggregation links carry 0..* multiplicity, and SNMPSERVICE and WEBSERVICE hang below SERVICE. Class boxes and their attributes:]
  • IDENT: INTEGER ident
  • PROCESS: INTEGER pid, STRING name, STRING path, STRING arguments, STRING environ
  • SERVICE: STRING name, INTEGER dport, INTEGER sport, STRING protocol
  • NODE: STRING name, STRING location, INTEGER domain
  • ADDRESS: INTEGER category, STRING address, STRING netmask
  • USER: INTEGER category, STRING name, INTEGER uid, STRING group, INTEGER gid, STRING serialID
  • SNMPSERVICE: STRING Oid, STRING Community, STRING command
  • WEBSERVICE: STRING url, STRING cgi, STRING method, STRING args
35
Data model (9/9)
  • Data model? ??
  • Alert? ??? ???? ??? ???? ?? vendor?? ?? ?? ?????
    ?
  • Aggregation? ?? ??
  • ??? class? ? ??? ? class?
  • aggregate ?
  • ?) Associate NAME class with ALERT class
  • Subclassing? ?? ??
  • Model? ?? ??? class? ? ???
  • specialize ?
  • ?) Specialize SERVICE class into
  • WEBSERVICE class

36
Example
  • Teardrop attack
  • ???? ??? ???? ??? ???? ??? ?? ??
  • Alert.version 1
  • Alert.alertID 14285812
  • Alert.impact 6
  • Alert.time 1999/12/02 10:01:25.34125 UTC2
  • Alert.Analyzer.ident 123123123
  • Alert.Classification0.origin 3
  • Alert.Classification0.name GENERIC-MAP-NOMATCH
  • Alert.Classification0.url iap://my.ids.vendor/doc/teardrop
  • Alert.Target0.Node.Address.category 2
  • Alert.Target0.Node.Address.data 123.234.231.121
  • Alert.Source0.Node.Address.category 2
  • Alert.Source0.Node.Address.data 222.121.111.112

37
Security considerations
  • ???? entity? ??? ???? ???? ?? ???? ?? ????? ????
    ?
  • Data model ??? security consideration? ??? ?? ??

38
Intrusion Alert Protocol (IAP/0.3) <draft-ietf-idwg-iap-01.txt>
39
? ?
  • ? ?
  • IAP? IP ???? ??? ???? ?? ??? ??
    (sensor/analyzers ? managers)? ?? ?? ???
    (Intrusion alert data)? ???? ?? ?? ??? ????
  • ? ?
  • ??? ??? alert data? IP ????? ?? ???? ?? ???? ?? ?
    ?? ??? ??? ? ??? ??
  • ?????? ???? sensor/analyzers? ????, ??? ?? ? ???
    ??
  • IAP? ???? ????? TCP? ??

40
Operation (1/2)
  • Sensor/analyzer? alert data? manager
  • ?? ??
  • Sensor/analyzer ???? ??? ????
  • alert data? ??
  • Manager Alert data? ??? ????? ??
  • ???, ??????? ?????,
  • ??? ??? ??

41
Operation (2/2)
  • The simplest case
  • More than one intermediary
  • SA: Sensor/Analyzer, M: Manager
  • P: Proxy, G: Gateway

42
IAP Communication Model
  • IAP ??? TCP ??? ???
  • TCP ??? HTTP? ??? request/response? ??? (??
    Initiator? SA/M ??)
  • Phases
  • Setup phase
  • Data phase
  • Proxies
  • IAP ???? ??? ?? ??
  • ??? ???? ?? ?? ???
  • Alert? ?? ??? ??? ?? ??? Rewrite ??

43
IAP Setup Phase (1/2)
  • TCP setup
  • iap-connect-request/iap-response
  • (success 200, failure 403)
  • Proxy iap-proxy-via? ????, receiving entity?
    ???
  • Security setup
  • iap-upgrade-request/iap-response? ??? ??? upgrade
    ?? ?? ???
  • Handshake TLS 1.0 protocol ????? ??, ?? ????,
    ?? ??? ???? ??? ?? (analyzer? ??)
  • Channel setup
  • TLS record layer? ???? ??? ??, ?? ??
  • iap-channel-setup-request/iap-response? ???? IAP
    ??? ????, ???? ??? payload? ??? ??

44
IAP Setup Phase (2/2)
  • Secured data transport
  • ???? IDEF alerts? TLS record layer ???
    sensor/analyzer? ?? manager? ???
  • Termination
  • Sender TLS close-notify alert? ??
  • Recipient ???? close-notify alert? ??

45
Setup Phase

  • iap-connect-request (sender to proxy)
  • iap-connect-request (proxy to receiver; the proxy is now a transparent forwarding agent)
  • iap-response
  • iap-response
  • iap-upgrade-request
  • iap-response
  • (TLS handshake negotiation) once the TLS handshake is completed, data is sent using the TLS record layer
  • iap-channel-setup-request
  • iap-response
Data Phase
  • iap-content
  • iap-response
46
IAP Wire Protocol-Syntax
  • IAP? IDEF alert? ??? ?? HTTP/1.1 syntax? ??? ???
    (?, request/response? setup phase ?? IAP version
    number? prefix ?)
  • Request/response? CRLF? ??
  • IAP ???
  • iap-message = (iap-connect-request | iap-upgrade-request | iap-channel-request | iap-content | iap-response) CRLF
  • Version
  • iap-t-version = IAP/0.3
  • TCP connection initiator? ??
  • sender-receiver = Sender | Receiver
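The setup sequence of slide 45 and the wire syntax above, as an added example that is not code from the IDWG drafts: a small Python model of a manager that accepts only the request belonging to its current phase and answers everything else with 403. The message names, the IAP/0.3 token and the 200/403 codes are the slides' own; the request line layout, the refusal rule for out-of-order or pre-TLS requests, and the Receiver/parse_request names are assumptions.

```python
# Toy model of the IAP/0.3 setup and data phases on slides 45-46 (added
# example, not code from the IDWG drafts). Message names, the IAP/0.3 token
# and the 200/403 codes are the slides' own; the request line layout
# ('<message> IAP/0.3' CRLF) and 403 for out-of-order requests are assumed.
from dataclasses import dataclass, field

VERSION = "IAP/0.3"
# Phases in the order the slides give them, and the one request each accepts.
PHASES = ("tcp", "security", "channel", "data")
EXPECTED = {"tcp": "iap-connect-request", "security": "iap-upgrade-request",
            "channel": "iap-channel-setup-request", "data": "iap-content"}

def parse_request(line: str) -> tuple:
    """Split 'iap-connect-request IAP/0.3\\r\\n' into (message, version)."""
    parts = line[:-2].split(" ") if line.endswith("\r\n") else []
    if len(parts) != 2:                  # also catches a missing CRLF
        raise ValueError("expected '<message> <version>' CRLF")
    return parts[0], parts[1]

@dataclass
class Receiver:
    """Manager side: one request per phase, anything else answered 403."""
    phase: str = "tcp"
    tls_ready: bool = False          # set once the TLS 1.0 handshake is done
    alerts: list = field(default_factory=list)

    def handle(self, line: str, payload: str = "") -> str:
        try:
            msg, version = parse_request(line)
        except ValueError:
            return f"iap-response {VERSION} 403"
        if version != VERSION or msg != EXPECTED[self.phase]:
            return f"iap-response {VERSION} 403"    # wrong phase or version
        if msg == "iap-channel-setup-request" and not self.tls_ready:
            return f"iap-response {VERSION} 403"    # no channel before TLS
        if msg == "iap-content":
            self.alerts.append(payload)             # IDEF alert inside TLS
        else:
            self.phase = PHASES[PHASES.index(self.phase) + 1]
        return f"iap-response {VERSION} 200"

def replay_slide_sequence() -> list:
    """Walk the Setup Phase slide in order and collect the four responses."""
    r = Receiver()
    codes = [r.handle(f"iap-connect-request {VERSION}\r\n"),
             r.handle(f"iap-upgrade-request {VERSION}\r\n")]
    r.tls_ready = True                               # TLS handshake completed
    codes.append(r.handle(f"iap-channel-setup-request {VERSION}\r\n"))
    codes.append(r.handle(f"iap-content {VERSION}\r\n", "Alert.version 1"))
    return codes
```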

47
IAP Wire Protocol ??? (1/2)
  • iap-response
  • iap-connect-request
  • iap-upgrade-request

48
IAP Wire Protocol ??? (2/2)
  • iap-channel-setup-request
  • iap-content

49
Security Considerations
  • Fast unreliable delivery
  • -> SNMP trap? ???? alert? ??
  • TCP? ????? ?? 3-message handshake ??? ??? ?? ??
    ??
  • ?? ??? IP ??? ???
  • ??? ?? ??? peer? ??? ???? ??? ??? ???? ? ??? ?
  • pkix WG?? ???? ?? ??? ????? ??
  • ???? ??? ???? alert? ?? ?? ??
  • -> ???? pad?? ??? ??? ?? ??? ?? ?
  • Proxy? ?? ??? ??? ? ??? ????? ?

50
XML Document Type Definition
  • XML DTD
  • XML? element, attribute, value? ??
  • XML? IDMEF? ?? ????? ??
  • ??? ??? ???/???? ??
  • ??? ??? filtering/aggregation? ??
  • IDMEF? alert ???? XML? ?? ?

51
IDMEF Comparison of SMI and XML Implementations
  • SMI MIB?? ???? datatype? ????, MIB ??? ?? ?
    ???? ?? ??
  • 2000? 2? ???? XML ??
  • XML? ???
  • XML? ??? ??
  • -> ??? ??? ?? ??
  • XML? ?? ? ?????? ???? Tell-only ??? ??

52
? ?
  • IDS? ?? ?? ??
  • ??? IDS?? ????? ??? ?? ??? ?? -> IDWG? ??
  • ??? ??? IDS ??
  • IETF ?? ?? ??? ??? ?? ??? ?? ?? ??? ???