Report on Common Intrusion Detection Framework

1
Report on Common Intrusion Detection Framework

• By
• Ganesh Godavari

2
Outline of the talk

• CIDF
• GIDO
• GIDO Filters

3
Goal

• Goal of IDIAN
• Develop a negotiation protocol that is dynamic
• Allow distributed collection of heterogeneous ID
  components
• Provide inter-operate ability to reach agreement
  on ID information processing capability

4
Motivation

• Understand
• Common Intrusion Detection Framework
• Common Intrusion Specification Language (CISL)

5
Scenario 1 a new capability

• new host machine with detection component is
  added to LAN.
• Network under connection laundering attack
• Solution ?

6
solution

• Analysis component detects the number of inbound
  and outbound connections for the service provided
  by the host.

7
Scenario 2 flooding IDS

• Stolen company laptop with detection component is
  used to launch an attack.
• Hacker generate lot of spurious audit data to
  deflect suspicion. Second host is also
  compromised. Generate more audit data and crash
  the central IDS

8
Common Intrusion Detection Framework (CIDF)

• CIDF architecture
• Divides IDS into Components
• Component consists of software code with
  configuration information
• Components can be added/removed
• Components interact in real time and exchange
  data using GIDO

9
CIDF components

• Components
• Event generators ("E-boxes")
• Produce GIDOs
• Event analyzers ("A-boxes")
• Consume GIDOs
• Conclusions are turned out as GIDOs
• Event databases ("D-boxes")
• store events for later retrieval
• Response units ("R-boxes")
• Consume GIDOs
• Take action like kill process, reset connections

10
Generalized Intrusion Detection Objects (GIDO)

• GIDO consists of two components
• Fixed Format header
• CIDF version, timestamp, and length of body
• Variable Length Body
• data

11
GIDO body
Which process detected
Where the attack occurred

• (ByMeansOf
• (Attack
• (Observer (ProcessName StackGuard') )
• (Target (HostName somehost.someplace.net') )
• (AttackSpecifics
• (Certainty 100')
• (Severity 100')
• (AttackID 1' 0x4f') )
• (Outcome (CIDFReturnCode 2') )
• (When
• (BeginTime 145736 24 Feb 1999')
• (EndTime 145736 24 Feb 1999') ) )
• (ByMeansOf
• (Execute
• (Process (ProcessName fingerd') )
• (When
• (BeginTime 145736 24 Feb 1999')
• (EndTime 145736 24 Feb 1999') ) ) ) )

data
Where the attack is targeted at?
Semantic Identifier (SID)
StackGuard is a compiler that emits programs
hardened against "stack smashing" attacks.
12

• SID is associated with each piece of data in the
  body
• SID associated with data are called Atom SID
• Atom SID cannot completely describe an event.
• Verbs describe events
• e.g. Attack SID
• Verb SID has set of Role SIDs which provide
  additional information about the event.
• e.g. Observer Role provides information about the
  observer of an event.

13
Example

• V is a verb SID
• R1 and R2 are role SIDs
• A1 through A3 are Atom SIDs
• S-expression
• (V
• (R1
• (A1 data1) (A2 data2)
• )
• (R2
• (A3 data3)
• )
• )

Tree Representation
14
IDIAN Components

• IDIAN architecture components
• Detection
• Sensors like audit mechanisms and packet sniffers
• Record activity
• Analysis
• Detect attacks
• Response
• Accept commands to take specific action to stop
  attacks

15
IDIAN component Interaction
Recorded Activity
Specific Action Commands
Detection
Analysis
Response

• Analysis component uses recorded activity to
  detect attacks

16
GIDO Filters

• GIDO Filter
• Method of describing a set of GIDOs
• Use same basic structure as GIDOS
• Interesting fields identified in the filter can
  easily be extracted from GIDO gt filtering
  unneeded information
• Major difference between a GIDO and Filter is in
  the body

17
GIDO filter Requirements

• GIDO filter Requirements
• Expressive
• Ability to specify all sets of useful GIDOs
• Ability to specify sets of hosts, users
• Precise
• Ability to determine which GIDOs satisfy a filter
  or not
• Allow the extraction of particular data values
  from matching GIDOS
• Filter language must allow for efficient
  implementation of encoding, decoding and matching
  GIDOs to filters
• Easy to construct filters from existing subsets
  of existing filters
• Easy to determine if a filter is equivalent to a
  null filter (no matching GIDO)

18
Sample filter

• (Filter
• (Fragment
• (Attack
• (observer (ProcessName observerexp1))
• (Target (HostName targetexp2) ) ) )
• (Permit ByMeansOf)
• (variables observer target) )
• GIDO in Figure 1 matches the fragment in Figure
  2, with the variables observer and target
  instantiating to StackGuard' and
  somehost.someplace.net resp.

Specifies piece of GIDO
19
References

• Intrusion Detection Inter-component Adaptive
  Negotiation
• Richard Feiertag et al 2000 IEEE Computer
  Networks special issue on intrusion detection
• A Common Intrusion Specification Language, CIDF
  working group document.
• Communication in the Common Intrusion Detection
  Framework, CIDF working group document.

20
Negotiation Protocol

• IDIAN negotiation protocol allows components to
• Discover the services of other components.
• Negotiate for the use of those services.
• Intelligently manage the use of IDS resources by
  components.
• Dynamically adjust the use of services, perhaps
  in order to respond to changes in the environment.

21

• Agreement
• relationship between a producer and a consumer.
• species a set of services which the producer must
  provide to the consumer.
• example, an event generator may agree to provide
  a particular set of audit data to an analyzer. At
  a minimum, an agreement must specify the
  producer, consumer, and the set of services to be
  provided.
• Contract
• set of agreements, each of which involve the
  same producer and consumer (the partners to the
  contract).
• exactly one agreement in a contract is in effect.
  
• Contract Database
• set of contracts.
• Every component has a contract database
  containing all the contracts to which it is a
  partner.
• Capability Database
• associates services (e.g., provide IP audit data,
  filter packets, etc.) with the components which
  can provide those services.
• Each component has a database containing its own
  capabilities and, possibly, those of other
  components.