Intrusion Detection and Information Fusion/Decision Making
By Ganesh Godavari
Outline of Talk
– Need for Intrusion Detection and Information Fusion
– Intrusion Detection Message Exchange Format (IDMEF)
– Plan of action
– Conclusion
Intrusion Detection
– Intrusion detection is the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activity
– The goal is to discover violations of the confidentiality, integrity, and availability of information and resources
Problems with Intrusion Detection
Network traffic and computer activity fall into one of three categories:
– Normal
– Abnormal but not malicious
– Malicious
Properly classifying these events is the single most difficult problem
Problems contd.
IDSes generally provide
– a constant feed of new alerts
– which are written into a log file
How can one minimize the number of alerts?
Does alert aggregation and correlation solve the problem?
Problem in alert correlation
Alerts are correlated based on certain keywords
Is a tomato a fruit? Or a vegetable?
You want to get the general information associated with an IP address and port numbers
Solutions?
– Can anyone suggest any?
– Is this problem unique?
– No: web search engines often encounter these problems
– How about applying Latent Semantic Indexing*?
– It worked for search engines like Google; it can work for information retrieval of intrusion detection alerts too!!
Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD)
EMERALD HIDS provides
– a distributed, scalable tool suite for tracking malicious activity through and across large networks
– Requires a Sun Microsystems SPARC platform running one of:
  SunOS 5.6 (Solaris 2.6) with service patch 105621-24 or newer
  Solaris 7 with service patch 106541-12 or newer
  Solaris 8 with service patch 108875-07 or newer
Tripwire
Need to get the complete version in order to perform tests using Tripwire
Currently being negotiated between Tripwire and Dr. Chow
Some of the important fields
IDS important fields
– src/dest IP address or username
– src/dest port number
– IP packet type
– Detection time of the attack
– Packet content of the attack packet, or the malicious activity report in the case of a HIDS
– Any other packet information required?
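The two slides above ask whether aggregation and correlation can cut down the alert feed, and which alert fields are needed to do it. The Python below is an added example written for this page, not code from the talk or from any of the tools it names. It parses a constructed, pipe-separated alert log (a made-up format, not a real IDS's output) carrying the fields from the slide (detection time, signature, src/dest IP address, src/dest port, packet type), collapses repeated alerts with the same signature, source and destination that arrive within a five-minute window into one meta-alert, and then links a scan meta-alert to a later non-scan alert from the same source against the same target. The window length and the keyword "PORTSCAN" used to recognise a scan are assumptions chosen for the example.

```python
"""Alert aggregation and simple correlation over the IDS fields listed on the slide.

Added example; the alert lines below are constructed for illustration and do not
come from a real sensor. Format of each line (assumed for this example):
    timestamp|signature|src_ip|src_port|dst_ip|dst_port|packet_type
"""
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample alerts: a short port scan, an attack attempt against the
# scanned host, an unrelated ping, and a second scan much later from the same source.
RAW_ALERTS = """\
2004-03-01 10:00:01|PORTSCAN|10.0.0.5|44123|192.168.1.10|22|TCP
2004-03-01 10:00:02|PORTSCAN|10.0.0.5|44124|192.168.1.10|23|TCP
2004-03-01 10:00:03|PORTSCAN|10.0.0.5|44125|192.168.1.10|25|TCP
2004-03-01 10:00:04|PORTSCAN|10.0.0.5|44126|192.168.1.10|80|TCP
2004-03-01 10:00:30|WEB-ATTACK cmd.exe|10.0.0.5|44200|192.168.1.10|80|TCP
2004-03-01 10:05:00|ICMP PING|10.0.0.9|0|192.168.1.20|0|ICMP
2004-03-01 10:20:00|PORTSCAN|10.0.0.5|45000|192.168.1.10|443|TCP
"""

SCAN_KEYWORD = "PORTSCAN"  # assumed label used to recognise scan alerts


def parse_alerts(text):
    """Turn raw log lines into dicts keyed by the fields the slide lists."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, sip, sport, dip, dport, ptype = line.split("|")
        alerts.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "sig": sig, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "ptype": ptype,
        })
    return alerts


def aggregate(alerts, window=timedelta(minutes=5)):
    """Collapse alerts sharing (signature, src, dst) into one meta-alert.

    A new alert joins the open group for its key if it arrives within `window`
    of that group's most recent alert; otherwise it starts a fresh group.
    Returns the meta-alerts in order of first occurrence.
    """
    open_groups = OrderedDict()   # key -> currently open meta-alert
    groups = []
    for a in sorted(alerts, key=lambda x: x["time"]):
        key = (a["sig"], a["src"], a["dst"])
        g = open_groups.get(key)
        if g is not None and a["time"] - g["last"] <= window:
            g["count"] += 1
            g["last"] = a["time"]
            g["dports"].add(a["dport"])
        else:
            g = {"key": key, "first": a["time"], "last": a["time"],
                 "count": 1, "dports": {a["dport"]}}
            groups.append(g)
            open_groups[key] = g
    return groups


def correlate(groups):
    """Link a scan meta-alert to any later non-scan alert from the same src to the same dst.

    Returns a list of (scan_key, followup_key) pairs; each pair is a candidate
    "reconnaissance followed by attack attempt" chain for an analyst to review.
    """
    chains = []
    for g in groups:
        if g["key"][0] != SCAN_KEYWORD:
            continue
        for h in groups:
            if h is g or h["key"][0] == SCAN_KEYWORD:
                continue
            same_pair = h["key"][1] == g["key"][1] and h["key"][2] == g["key"][2]
            if same_pair and h["first"] >= g["last"]:
                chains.append((g["key"], h["key"]))
    return chains


def summarize(text):
    """Return (raw alert count, meta-alert count, chain count) for a log."""
    alerts = parse_alerts(text)
    groups = aggregate(alerts)
    return len(alerts), len(groups), len(correlate(groups))


if __name__ == "__main__":
    raw, meta, chains = summarize(RAW_ALERTS)
    print(f"{raw} raw alerts -> {meta} meta-alerts, {chains} scan/attack chain(s)")
    for g in aggregate(parse_alerts(RAW_ALERTS)):
        print(g["key"], "x", g["count"], "ports", sorted(g["dports"]))
```

On the constructed input the seven raw alerts reduce to four meta-alerts (the four scan probes become one entry listing ports 22, 23, 25 and 80, and the scan twenty minutes later stays separate because it falls outside the window), and exactly one chain is reported: the scan followed by the web attack against the host it probed. Note that the correlation step is keyed on exact field values and the literal "PORTSCAN" label, which is the keyword-matching limitation the next slide raises.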
Conclusion
Can perform packet capture of normal and attack traffic on both NIDS and HIDS
For HIDS, if I get a license for Tripwire or have a Solaris box, using EMERALD would be helpful for capturing data
Shall provide the packet dumps and ASCII packet dumps.