Report on Common Intrusion Detection Framework By Ganesh Godavari

Outline of the talk CIDF GIDO GIDO Filters

Goal Goal of IDIAN –Develop a negotiation protocol that is dynamic –Allow distributed collection of heterogeneous ID components –Provide inter-operate ability to reach agreement on ID information processing capability

Motivation Understand –Common Intrusion Detection Framework – Common Intrusion Specification Language (CISL)

Scenario 1: a new capability new host machine with detection component is added to LAN. Network under connection laundering attack Solution ?

solution Analysis component detects the number of inbound and outbound connections for the service provided by the host.

Scenario 2: flooding IDS Stolen company laptop with detection component is used to launch an attack. Hacker generate lot of spurious audit data to deflect suspicion. Second host is also compromised. Generate more audit data and crash the central IDS

Common Intrusion Detection Framework (CIDF) CIDF architecture –Divides IDS into Components –Component consists of software code with configuration information –Components can be added/removed –Components interact in real time and exchange data using GIDO

CIDF components Components –Event generators ("E-boxes") Produce GIDOs –Event analyzers ("A-boxes") Consume GIDOs Conclusions are turned out as GIDOs –Event databases ("D-boxes") store events for later retrieval –Response units ("R-boxes") Consume GIDOs Take action like kill process, reset connections

Generalized Intrusion Detection Objects (GIDO) GIDO consists of two components – Fixed Format header CIDF version, timestamp, and length of body –Variable Length Body data

GIDO body (ByMeansOf (Attack (Observer (ProcessName `StackGuard') ) (Target (HostName `somehost.someplace.net') ) (AttackSpecifics (Certainty `100') (Severity `100') (AttackID `1' `0x4f') ) (Outcome (CIDFReturnCode `2') ) (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999') ) ) (ByMeansOf (Execute (Process (ProcessName `fingerd') ) (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999') ) ) ) ) data Semantic Identifier (SID) Where the attack occurred Which process detected Where the attack is targeted at? StackGuard is a compiler that emits programs hardened against "stack smashing" attacks.

SID is associated with each piece of data in the body SID associated with data are called Atom SID Atom SID cannot completely describe an event. Verbs describe events –e.g. Attack SID Verb SID has set of Role SIDs which provide additional information about the event. –e.g. Observer Role provides information about the observer of an event.

Example V is a verb SID R1 and R2 are role SIDs A1 through A3 are Atom SIDs S-expression (V (R1 (A1 data1) (A2 data2) ) (R2 (A3 data3) ) Tree Representation

IDIAN Components IDIAN architecture components –Detection Sensors like audit mechanisms and packet sniffers Record activity –Analysis Detect attacks –Response Accept commands to take specific action to stop attacks

IDIAN component Interaction Analysis component uses recorded activity to detect attacks Detection Analysis Response Recorded Activity Specific Action Commands

GIDO Filters GIDO Filter –Method of describing a set of GIDOs –Use same basic structure as GIDOS –Interesting fields identified in the filter can easily be extracted from GIDO => filtering unneeded information Major difference between a GIDO and Filter is in the body

GIDO filter Requirements –Expressive Ability to specify all sets of useful GIDOs –Ability to specify sets of hosts, users –Precise Ability to determine which GIDOs satisfy a filter or not –Allow the extraction of particular data values from matching GIDOS –Filter language must allow for efficient implementation of encoding, decoding and matching GIDOs to filters –Easy to construct filters from existing subsets of existing filters –Easy to determine if a filter is equivalent to a null filter (no matching GIDO)

Sample filter (Filter (Fragment (Attack (observer (ProcessName ‘observer:exp1’)) (Target (HostName ‘target:exp2) ) ) ) (Permit ‘ByMeansOf’) (variables ‘observer’ ‘target’) ) GIDO in Figure 1 matches the fragment in Figure 2, with the variables observer and target instantiating to `StackGuard' and `somehost.someplace.net‘ resp. Specifies piece of GIDO

References Intrusion Detection Inter-component Adaptive NegotiationIntrusion Detection Inter-component Adaptive Negotiation – Richard Feiertag et al 2000 IEEE Computer Networks special issue on intrusion detection A Common Intrusion Specification Language, CIDF working group document. Communication in the Common Intrusion Detection Framework, CIDF working group document.

Negotiation Protocol IDIAN negotiation protocol allows components to –Discover the services of other components. –Negotiate for the use of those services. –Intelligently manage the use of IDS resources by components. –Dynamically adjust the use of services, perhaps in order to respond to changes in the environment.

Agreement –relationship between a producer and a consumer. –species a set of services which the producer must provide to the consumer. –example, an event generator may agree to provide a particular set of audit data to an analyzer. At a minimum, an agreement must specify the producer, consumer, and the set of services to be provided. Contract – set of agreements, each of which involve the same producer and consumer (the partners to the contract). –exactly one agreement in a contract is in effect. Contract Database –set of contracts. –Every component has a contract database containing all the contracts to which it is a partner. Capability Database –associates services (e.g., provide IP audit data, filter packets, etc.) with the components which can provide those services. –Each component has a database containing its own capabilities and, possibly, those of other components.