1 Flexible, High-Speed Intrusion Detection Using Bro Vern Paxson Computational Research Division Lawrence Berkeley National Laboratory and ICSI Center.


1 Flexible, High-Speed Intrusion Detection Using Bro
Vern Paxson
Computational Research Division, Lawrence Berkeley National Laboratory, and ICSI Center for Internet Research, International Computer Science Institute, Berkeley, CA, USA
vern@icir.org
http://www-nrg.ee.lbl.gov/bro.html

2 Protect Rather Than Secure
Modern science critically depends on diverse, high-performance Internet communication
Increasingly difficult given rising security threats
Alternative institutional approach: network intrusion detection
—Monitor network traffic, look for attacks
—Key point: tenable due to the threat model at open research institutes: few jewels, so a low level of compromises is tolerable
Particularly effective when combined with dynamic blocking (reactive firewall)
Potentially keeps Default Allow viable

3 Bro Design Goals (1990’s)
Monitor traffic in a very high performance environment
Real-time detection and response
Separation of mechanism from policy
Ready extensibility of both mechanism and policy
Resistant to evasion

4 How Bro Works
Taps GigEther fiber link passively, sends up a copy of all network traffic.

5 How Bro Works
Kernel filters down the high-volume stream via the standard libpcap packet capture library (tcpdump filter syntax).

6 How Bro Works
“Event engine” distills the filtered stream into high-level, policy-neutral events reflecting underlying network activity
—E.g., connection_attempt, http_reply, user_logged_in

7 How Bro Works
“Policy script” processes the event stream, incorporates:
—Context from past events
—Site’s particular policies

8 How Bro Works
“Policy script” … and takes action:
Records to disk
Generates alerts via syslog, paging
Executes programs as a form of response
Sends events to other Bro’s

[Diagram, slides 4–8: Network → Packet Stream → libpcap (Tcpdump Filter) → Filtered Packet Stream → Event Engine → Event Stream → Policy Script Interpreter → Real-time Notification / Record To Disk. The Policy Script is input to the interpreter; Event Control flows back from the interpreter to the Event Engine.]

9 Signature Engine
Bro also includes a signature engine for matching specific patterns in packet streams:
—Conceptually simple
—Easy to share
—Compatible with Snort (widely used freeware IDS); e.g., can run on Snort’s default set of 1,900+ signatures
—… but of limited power; basically, a useful hack
As with other Bro analysis, signature matches generate events amenable to high-level policy script processing, rather than direct alerts
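The following script is an added illustration of the mechanism/policy split described on slides 6 through 9; it is example code written for this page, not code from the deck or from the Bro project. It is written in current Zeek syntax (Bro was renamed Zeek in 2018; the 2003-era scripting language differs in details, for instance the notice framework did not exist yet). The module name ScanDemo, the two notice types, the 20-host threshold, the 10-minute expiry, and the companion signature file demo.sig are all assumptions made for the example. The event engine supplies the policy-neutral events (connection_attempt, signature_match); everything below them is site policy.

```zeek
# Added example, not from the slides or the Bro project.
# Demonstrates: policy-neutral events -> stateful policy -> notice actions.
# Assumed names: ScanDemo, Address_Scan, Signature_Hit, scan_threshold, demo.sig.

@load base/frameworks/notice

module ScanDemo;

export {
    redef enum Notice::Type += {
        Address_Scan,   # one source probed many distinct hosts
        Signature_Hit,  # a byte-pattern signature matched
    };
    # Distinct destination hosts a source may probe before we raise a notice.
    const scan_threshold = 20 &redef;
}

# "Context from past events": per-source set of probed destinations.
# Entries expire 10 minutes after creation so the table cannot grow without bound
# under a flood of spoofed sources.
global probed: table[addr] of set[addr] &create_expire=10 min;

# connection_attempt is generated by the event engine for a TCP SYN that
# drew no reply within the attempt timeout. It carries no policy of its own.
event connection_attempt(c: connection)
    {
    local src = c$id$orig_h;
    local dst = c$id$resp_h;

    if ( src !in probed )
        probed[src] = set();
    add probed[src][dst];

    # Fire once, when the threshold is first crossed, not on every later attempt.
    if ( |probed[src]| == scan_threshold )
        NOTICE([$note=Address_Scan, $src=src,
                $msg=fmt("%s probed %d distinct hosts", src, scan_threshold),
                $identifier=cat(src)]);
    }

# Signature matches also arrive as events rather than as direct alerts.
# The signature itself lives in a companion file (assumed name demo.sig):
#
#   signature demo-http-cmd-exe {
#       ip-proto == tcp
#       dst-port == 80
#       http-request /.*cmd\.exe/
#       event "HTTP request for cmd.exe"
#   }
#
# loaded from this script with:  @load-sigs ./demo.sig
event signature_match(state: signature_state, msg: string, data: string)
    {
    # Passing $conn lets the notice framework fill in src, dst and uid.
    NOTICE([$note=Signature_Hit, $conn=state$conn,
            $msg=fmt("%s: %s", state$sig_id, msg)]);
    }

# Site policy decides what happens to each notice: logging is the default,
# here scans additionally go out by e-mail (the "paging" of slide 8).
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Address_Scan )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

Run it against a capture with `zeek -r trace.pcap scan_demo.zeek` (file name assumed); notices land in notice.log. Two practical caveats: connection_attempt only fires after the SYN timeout, so a scan of live hosts that answer with RST is seen through connection_rejected instead, and a production policy tracks both. And when a policy "executes programs as a form of response", every string that came off the wire (hostnames, URIs, signature match data) is attacker-controlled; hand it to the external program as a separate argument, never interpolated into a shell command line.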

10 Status
Operational 24x7: LBNL (border & internal), NERSC, UC Berkeley, TUM, NCSA
Runs on commodity Unix PCs … but getting hard!
~80K lines C++, 12K lines of policy scripts, 200 page user manual
Main LBNL Bro blocks 50-500 remote addresses/day, mostly for scanning
Provides extensive logs, invaluable for forensics & site traffic analysis

11 R&D Support
Funded variously via overhead, operations, research grants
Current research support:
—NSF Strategic Technologies for the Internet
Likely DOE support soon for developing as a potential community resource...
Pending R&D proposal to DOE for very high-speed monitoring …

13 Making Bro Broadly Available
Broader documentation: setup, operational procedures, analysis techniques, FAQ
Tutorials (already have in-house)
Bug-tracking system
Test suites
Production vs. research code trees
Framework for integrating contributions
GUIs for configuration, log analysis
Framework for rapid dissemination of new scripts/policies/signatures

14 R&D Support
Funded variously via overhead, operations, research grants
Current research support:
—NSF Strategic Technologies for the Internet
Likely DOE support soon for developing as a potential community resource...
Pending R&D proposal to DOE for very high-speed (10-40 Gbps) monitoring …

15 Prefiltering (prototyped at SC02, SC03)

16 Shunting

17 Discussion/Questions?
http://www-nrg.ee.lbl.gov/bro.html
vern@icir.org
