1 Flexible, High-Speed Intrusion Detection Using Bro Vern Paxson Computational Research Division Lawrence Berkeley National Laboratory and ICSI Center.


1 Flexible, High-Speed Intrusion Detection Using Bro
Vern Paxson
Computational Research Division, Lawrence Berkeley National Laboratory
and ICSI Center for Internet Research, International Computer Science Institute
Berkeley, CA USA

2 Protect Rather Than Secure
Modern science critically depends on diverse, high-performance Internet communication
Increasingly difficult given rising security threats
Alternative institutional approach: network intrusion detection
—Monitor network traffic, look for attacks
—Key point: tenable due to threat model at open research institutes
  Few jewels
  Low level of compromises is tolerable
Particularly effective when combined with dynamic blocking (reactive firewall)
Potentially keeps Default Allow viable

3 Bro Design Goals (1990’s)
Monitor traffic in a very high performance environment
Real-time detection and response
Separation of mechanism from policy
Ready extensibility of both mechanism and policy
Resistant to evasion

4 How Bro Works
Taps GigEther fiber link passively, sends up a copy of all network traffic.
[Diagram: Network]

5 How Bro Works
Kernel filters down high-volume stream via standard libpcap packet capture library.
[Diagram: Network → Packet Stream → libpcap (Tcpdump Filter) → Filtered Packet Stream]

6 How Bro Works
“Event engine” distills filtered stream into high-level, policy-neutral events reflecting underlying network activity
—E.g., connection_attempt, http_reply, user_logged_in
[Diagram: Network → Packet Stream → libpcap (Tcpdump Filter) → Filtered Packet Stream → Event Engine → Event Stream; Event Control feeds back from the policy layer into the Event Engine]

7 How Bro Works
“Policy script” processes event stream, incorporates:
—Context from past events
—Site’s particular policies
[Diagram: Network → Packet Stream → libpcap (Tcpdump Filter) → Filtered Packet Stream → Event Engine → Event Stream → Policy Script Interpreter (loaded with the Policy Script) → Real-time Notification / Record To Disk; Event Control feeds back into the Event Engine]

8 How Bro Works
“Policy script” processes event stream, incorporates:
—Context from past events
—Site’s particular policies
… and takes action:
  Records to disk
  Generates alerts via syslog, paging
  Executes programs as a form of response
  Sends events to other Bro’s
[Diagram: Network → Packet Stream → libpcap (Tcpdump Filter) → Filtered Packet Stream → Event Engine → Event Stream → Policy Script Interpreter (loaded with the Policy Script) → Real-time Notification / Record To Disk; Event Control feeds back into the Event Engine]

9 Signature Engine
Bro also includes a signature engine for matching specific patterns in packet streams:
—Conceptually simple
—Easy to share
—Compatible with Snort (widely used freeware IDS)
  E.g., can run on Snort’s default set of 1,900+ signatures
—… but of limited power; basically, a useful hack
As with other Bro analysis, signature matches generate events amenable to high-level policy script processing, rather than direct alerts
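To make the layering of slides 6 through 9 concrete, here is an added toy model in Python (not Bro's own code): an event engine turns packet summaries into policy-neutral events, including signature matches, and a separate policy layer keeps context across events and decides on notices and blocking. The packet records, the signature and its id are constructed for the example.

```python
from collections import defaultdict

# Constructed packet summaries (src, dst, dst_port, tcp_flags, payload); not real traffic.
PACKETS = [
    ("10.0.0.5", "192.168.1.1", 22, "S", b""),
    ("10.0.0.5", "192.168.1.2", 22, "S", b""),
    ("10.0.0.5", "192.168.1.3", 22, "S", b""),
    ("10.0.0.9", "192.168.1.1", 80, "S", b""),
    ("10.0.0.9", "192.168.1.1", 80, "PA", b"GET /cgi-bin/probe HTTP/1.0"),
]

# Constructed content signature with a hypothetical id, standing in for a shared
# Snort-style rule: the engine reports a match as an event, never as an alert.
SIGNATURES = {b"/cgi-bin/": "web-cgi-probe"}


def event_engine(packets):
    """Mechanism layer: distil packets into high-level, policy-neutral events."""
    for src, dst, port, flags, payload in packets:
        if flags == "S":                      # bare SYN = connection attempt
            yield ("connection_attempt", src, dst, port)
        for pattern, sig_id in SIGNATURES.items():
            if pattern in payload:
                yield ("signature_match", src, dst, sig_id)


class Policy:
    """Policy layer: keeps context from past events and decides what to do."""

    def __init__(self, scan_threshold=3):
        self.threshold = scan_threshold
        self.targets = defaultdict(set)  # context: distinct hosts probed per source
        self.notices = []                # would be recorded to disk / sent to syslog
        self.blocked = set()             # would be pushed to the reactive firewall

    def handle(self, event):
        kind, src, dst, detail = event
        if kind == "connection_attempt":
            self.targets[src].add(dst)
            if len(self.targets[src]) == self.threshold:
                self.notices.append(f"AddressScan {src} probed {self.threshold} hosts")
                self.blocked.add(src)   # response: block the scanner at the border
        elif kind == "signature_match":
            # Site policy, not the matcher, decides what a hit means: a hit from
            # a source already blocked as a scanner adds nothing worth alerting on.
            if src not in self.blocked:
                self.notices.append(f"SignatureMatch {detail} {src} -> {dst}")


def run(packets, scan_threshold=3):
    """Feed the engine's event stream through the policy; return the policy state."""
    policy = Policy(scan_threshold)
    for event in event_engine(packets):
        policy.handle(event)
    return policy
```

Raising `scan_threshold` above the number of hosts probed leaves nothing blocked, showing that the same event stream yields different actions purely from the policy side.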

10 Status
Operational 24x7: LBNL (border & internal), NERSC, UC Berkeley, TUM, NCSA
Runs on commodity Unix PCs … but getting hard!
~80K lines C++, 12K lines of policy scripts, 200 page user manual
Main LBNL Bro blocks remote addresses/day, mostly for scanning
Provides extensive logs, invaluable for forensics & site traffic analysis

11 R&D Support
Funded variously via overhead, operations, research grants
Current research support:
—NSF Strategic Technologies for the Internet
Likely DOE support soon for developing as a potential community resource...
Pending R&D proposal to DOE for very high-speed monitoring …

13 Making Bro Broadly Available
Broader documentation: setup, operational procedures, analysis techniques, FAQ
Tutorials (already have in-house)
Bug-tracking system
Test suites
Production vs. research code trees
Framework for integrating contributions
GUIs for configuration, log analysis
Framework for rapid dissemination of new scripts/policies/signatures

14 R&D Support
Funded variously via overhead, operations, research grants
Current research support:
—NSF Strategic Technologies for the Internet
Likely DOE support soon for developing as a potential community resource...
Pending R&D proposal to DOE for very high-speed (10-40 Gbps) monitoring …

15 Prefiltering (Prototyped at SC02, SC03)

16 Shunting

17 Discussion/Questions?