1 dIDS part II: The Return of dIDS (2/12, CIS 610)

2 GrIDS
Graph-based intrusion detection system for large networks.
Analyzes network activity on networks with up to several thousand hosts.
Detects and analyzes large-scale attacks by aggregating network activity of interest into activity graphs.
Evaluates activity graphs and reports to a system security officer (SSO).

3 Detecting Attacks
GrIDS aims specifically to detect certain types of large-scale attacks.
–Sweep: a single host systematically contacts other hosts.
–Coordinated Attacks: parallel distributed attacks aimed to obscure the nature of the attack, or to enable the attack to be carried out more quickly.
How do these definitions fit worm attacks?

4 Assumed Properties of Worm Attacks
Large amounts of traffic that form a tree-like structure.
Similar activity initiated by infected hosts.
GrIDS aims to detect worm attacks by analyzing the connection patterns between hosts.

5 Graph-based example
The beginning of a worm graph, and a more extensive view of the same worm.

6 Graph Ideas
Use heuristics to detect the tree-like graph of a potential worm.
Use specific network information to filter network activity into different graphs. This information can be supplied by the user to customize the graph-building behavior.

7 A (non-GrIDS) Connection Graph

8 GrIDS Architecture

9 Hierarchy of Departments
Departments consist of:
–Software Manager: administrative hierarchy management.
–Graph Engine: builds graphs, creates summary graphs for parent-level graphs.
–Hosts:
  Data Sources: source of network data. Reports to the graph engine in the form of nodes or edges to be included in an activity graph.
  Module Controller: manages modules on each host.
A central hierarchy server with a global view of the node hierarchy ensures that changes to the structure happen consistently across nodes.

10 Activity Graphs (More Detailed)
Graph nodes represent hosts or departments.
Edges represent network traffic.
Graphs also carry global information about the graph's state as a whole.

11 Rule Sets
Rule sets are defined by users to specify details about graph construction.
Independent of other rule sets (they do not influence each other).
Connection data is applied to all rule sets?
Rule sets contain preconditions to filter out data which is not relevant to the rule set. If the data passes the preconditions, it can then be added into the graph space.

12 Graph Aggregation
When network activity crosses outside of departmental boundaries, the graphs are passed up the hierarchy for more analysis.
As graphs are reduced, a collection of hosts belonging to the same department can be reduced to a single node representing the whole department.
In reduction, graph attributes are kept even though some subgraph topology information is lost. Example attributes: size of subgraph, branching factor, entrance and exit points.
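As an added illustration of how the rule-set preconditions (slide 11), the tree-like worm heuristic (slide 6) and department-level reduction (slide 12) fit together, here is a small Python model; it is not code from the slides or from the GrIDS project, and the connection records, the department map and the SMB-port rule set are all constructed for this example.

```python
from collections import defaultdict
# Constructed sample connection records (src, dst, dst_port); not GrIDS data.
CONNECTIONS = [("a1", "a2", 445), ("a1", "a3", 445), ("a1", "b1", 445),
               ("a2", "a4", 445), ("a2", "b2", 445), ("b1", "b3", 445),
               ("b1", "c1", 445), ("a3", "c2", 445),
               ("a4", "c3", 80)]  # unrelated web request, filtered out by the rule set
# Hypothetical department hierarchy: a host's name prefix is its department.
DEPT = {h: h[0] for h in "a1 a2 a3 a4 b1 b2 b3 c1 c2 c3".split()}

def smb_rule_set(src, dst, port):
    """Precondition of a hypothetical rule set: only SMB-port connections enter the graph."""
    return port == 445

def build_graph(conns, precondition):
    """Apply a rule set's precondition to every connection record; keep the passing edges."""
    return [(s, d) for s, d, p in conns if precondition(s, d, p)]

def attributes(edges):
    """Attributes kept through reduction: size, mean branching factor, tree-likeness, roots."""
    children, indeg, nodes = defaultdict(set), defaultdict(int), set()
    for s, d in edges:
        children[s].add(d); indeg[d] += 1; nodes.update((s, d))
    fanout = [len(c) for c in children.values()]
    roots = sorted(n for n in nodes if indeg[n] == 0)
    reach, stack = set(), list(roots)  # nodes reachable from the root(s)
    while stack:
        n = stack.pop(); reach.add(n); stack.extend(c for c in children[n] if c not in reach)
    # Tree heuristic: exactly one root, every other node has one parent, all nodes reachable.
    tree_like = len(roots) == 1 and reach == nodes and all(indeg[n] == 1 for n in nodes - set(roots))
    return {"size": len(nodes), "branching": sum(fanout) / len(fanout) if fanout else 0.0,
            "tree_like": tree_like, "roots": roots}

def reduce_to_departments(edges, dept):
    """Collapse each department to one node; intra-department topology is dropped, attributes kept."""
    intra, inter = defaultdict(list), set()
    for s, d in edges:
        if dept[s] == dept[d]:
            intra[dept[s]].append((s, d))
        else:
            inter.add((dept[s], dept[d]))
    summary = {dp: attributes(intra[dp]) for dp in sorted(set(dept.values()))}
    return sorted(inter), summary

def sso_report(conns, dept, min_size=5):
    """Parent-level evaluation: alert the SSO on a tree-like graph spanning several departments."""
    edges = build_graph(conns, smb_rule_set)
    attrs = attributes(edges)
    inter, summary = reduce_to_departments(edges, dept)
    alert = attrs["tree_like"] and attrs["size"] >= min_size and len({x for e in inter for x in e}) > 1
    return {"alert": alert, "attrs": attrs, "inter": inter, "summary": summary}
```

The department summaries keep size and branching factor for each collapsed subgraph, which is what the parent level sees once the host-to-host topology inside a department is gone.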

13 Hierarchy Management
A centralized server keeps a consistent view of the department hierarchies.
Rule sets are also managed by the same central hierarchy server. A rule set is inherited by all descendants of that node.
Ultimately, this is not scalable. What instead would be a better way to solve this problem?

14 Conclusions
GrIDS Conclusions
Conclusions for dIDS in general
–Data mining / Data "fusion"
