System Monitoring and Network Intrusion Detection using DDS and CEP

Similar documents
AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Snort Installation - Ubuntu FEUP. SSI - ProDEI Paulo Neto and Rui Chilro. December 7, 2010

Course Title: Penetration Testing: Security Analysis

By Jascha Wanger

Intrusion Detection Systems (IDS)

Intrusion Detection in AlienVault

Wait, How Many Metrics? Monitoring at Quantcast

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Chapter 9 Firewalls and Intrusion Prevention Systems

Open Source Security Tool Overview

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Solution of Exercise Sheet 5

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Managing Latency in IPS Networks

PROFESSIONAL SECURITY SYSTEMS

Introduction of Intrusion Detection Systems

CIT 380: Securing Computer Systems

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

RAVEN, Network Security and Health for the Enterprise

From Network Security To Content Filtering

Network Security Platform 7.5

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Application Detection

Name. Description. Rationale

Stateful Firewalls. Hank and Foo

OWASP Logging Project - Roadmap

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Passive Vulnerability Detection

Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems. Christopher Roblee Vincent Berk George Cybenko

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

Blended Security Assessments

System Specification. Author: CMU Team

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

Implementing Probes for J2EE Cluster Monitoring

HONE: Correlating Host activities to Network communications to produce insight

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Automating Attack Analysis Using Audit Data. Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009

IBM Security IBM Corporation IBM Corporation

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Fuzzy Network Profiling for Intrusion Detection

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

Cisco IPS Tuning Overview

Network Traffic Analysis

IDS / IPS. James E. Thiel S.W.A.T.

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

and InMon Traffic Sentinel

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

FIREWALL AND NAT Lecture 7a

Guideline on Auditing and Log Management

CSCE 465 Computer & Network Security

Windows Filtering Platform, engine for local security

Deployment of Snort IDS in SIP based VoIP environments

Dynamic Rule Based Traffic Analysis in NIDS

Network Defense Tools

Intrusion Detection System (IDS)

McAfee Network Security Platform 8.2

Firewalls. Pehr Söderman KTH-CSC

AlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Network Security Demonstration - Snort based IDS Integration -

CSCE 465 Computer & Network Security

SANS Top 20 Critical Controls for Effective Cyber Defense

Network Monitoring Comparison

Security Intrusion & Detection. Intrusion Detection Systems (IDSs)

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

PANDORA FMS NETWORK DEVICES MONITORING

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

disect Systems Logging Snort alerts to Syslog and Splunk PRAVEEN DARSHANAM

Network Based Intrusion Detection Using Honey pot Deception

Intrusion Detection Systems with Correlation Capabilities

Detecting rogue systems

Intrusion Detection Systems

Fortinet Network Security NSE4 test questions and answers:

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Security Information Management

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

Network Monitoring. By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative

Security Event Management. February 7, 2007 (Revision 5)

The Power of SNORT SNORT Update

How To Manage Sourcefire From A Command Console

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

Basic & Advanced Administration for Citrix NetScaler 9.2

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Maintaining Non-Stop Services with Multi Layer Monitoring

Firewalls, Tunnels, and Network Intrusion Detection

Some Tools for Computer Security Incident Response Team (CSIRT)

Top 3 Issues and Questions (in Network Monitoring!) Developing a Network Monitoring Architecture! infotex. Dan Hadaway CRISC Managing Partner, infotex

nmap, nessus, and snort Vulnerability Analysis & Intrusion Detection

PANDORA FMS NETWORK DEVICE MONITORING

The SIEM Evaluator s Guide

Transcription:

www.rti.com System Monitoring and Network Intrusion Detection using DDS and CEP Gerardo Pardo-Castellote, Ph.D. (RTI) Joe Schlesselman (RTI) OMG RTESS Workshop Washington DC, July 14-16, 2008 1

Background This presentation describes the results and architecture of a DoD-funded research effort to develop a common normalized information picture combining data from System Monitoring Tools and Intrusion Detection Systems. The purpose of this work is to increase the speed and effectiveness of the technologies used to detect & counter network attacks. 2

Project Partners RTI (Prime) DDS Coral8 SL Promia CEP Visualization IDS Hardware ObjectSecurity Security Manager 3

Outline The problem of [Distributed] System Monitoring System Monitoring Intrusion Detection Available Technologies Ganglia, Nagios Snort, Nessus, Saint Practical solution using DDS and CEP 4

System Monitoring & Network Intrusion Middleware Technologies, such as DDS help build large distributed systems 100s or 1000s or computers with an order of magnitude more processes Functionally the system may be correct but it may still fail operationally These large systems require monitoring. We focus on two aspects: Network Intrusion Detection System Monitoring Information Sharing/Normalization Information Processing The integration of these technologies illustrates the essence of the open integration problem we are trying to address. 5

100 s of Available Tools See: http://sectools.org/ Tool Categories: Network Intrusion Detection Systems Snort OSSEC NDIS Vulnerability Scanners Nessus, Nmap Saint, GFI LanGuard Sniffers Wireshark, Kismet, Netcat, Metasplot, hping, OS fingerprinting, Service identification Nmap, P0f System Monitoring Ganglia Knowledge Repositories IDS Rules Vulnerability Databases (CVE) Analysis, Detection, Decision Making General purpose (e.g. CEP) Specialized (e.g. Snort rules) Monitoring, Visualization/HMI Tools HP OpenView SL RTView, Promia Asset Viewer 6

The tool Integration problem Many open source and COTS tools Complementary functionality Overlapping functionality Each tool must combine: Sensors, Rules, Alerts/Notifications, Visualization Each Tool and Isolated Island Rules/knowledge bound to the tool/sensor Must learn specifics of each sensor Can t easily multiple sensors in a rule Limited to what each sensor offers The Result: Cost, Complexity, Limited Power: Cannot aggregate, correlate, extend 7

Each tool an isolated island Sensor1 Detection Engine1 Visualization1 Rules1 Sensor2 Detection Engine2 Visualization2 Rules2 Sensor3 Detection Engine3 Visualization3 Rules3 8

A better approach! Snort nmap ossec Visualization (3D Asset Viewer) Visualization normalized sensor data inputs nessus Ganglia SAINT Archive Network Management normalized alarm/event outputs Shared Information Bus / Normalized Information Picture Custom Classified IDS Detection Engine General Analysis Engine Custom Code 9 new sensors COTS UTM custom CEP new processors

A better approach with Standards & COTS COTS System Sensors (Ganglia) COTS IDS Sensors (Snort) Custom Sensors Host Sensor Host Sensor COTS Vulnerability Sensors (Nmap, Nessus, Saint) COTS Middleware (DDS Global Data Space) ` Send updated signature Vulnerability Signature Database Custom/Classified IDS Sensors COTS Event Processing COTS Recording/ Auditing 10 COTS HMI/ Dashboards Email

Infrastructure Technology Selection DDS was selected because it provides a Standard API and Network Protocol able to handle large volumes of real-time information and prioritize it by setting QoS policies. CEP was selected because it provides a familiar (SQL-like), powerful and extensible language able to process large amounts of streaming data, aggregate the information, correlate it, and uncover interesting events and threats. 11

Focus: Network Intrusion & System Monitoring Network Intrusion Detection System (IDS) Sensor: Monitor raw network packets Process Dissect packets, Identify conversations, Look inside Look for: known attack patterns, scans, unusual activity Output: Generate Alarms, Filter/drop packets Example: Snort, OSSEC System Monitor Sensor: Host sensors, look at CPU, memory, file system, network, Process: Detect unusual loads or changes Output: Status, Alarms Example: Ganglia System and Service Identification Sensors: Host sensors, Network packet capture Output: List of hosts, OS fingerprints, List of open services Examples: nmap, P0f 12

IDS: Snort Overview Open source software (Linux, Windows) Commercial support available Can operate as: Sniffer / packet logger, Inline Mode: Intrusion Prevention System (IPS) Interfaces with IP tables to drop/reject packets/connections and log the alert Can also modify bytes in the packets Network intrusion detection system (NDIS) Uses lib PCAP to monitor traffic & generate alerts Can also operate from a saved PCAP file Can match src/dst and do deep packet inspection Can produce references to know attack databases (e.g. NIST s CVE) Simple rule language for NDIS Customizable/extensible by end user Active community-based rules database 13

Snort deployment Internet Detect all intrusion events Detect intrusion events that get thought the firewall 14

Snort Implementation Outputs alerts To files, database, Socket, Applies rules Detects intrusion events Analyzes, modifies and takes actions like: Alert, Log, Drop, Reject. 15

Snort rules <action> <proto> <src> <direction> <dst> (<options>) action protocol source destination alert tcp any any -> 10.10.100.0/24 111 \ (content: 00 01 86 a5 ; msg: mountd access ;) keyword keyword 16 The rule matches if all elements match: protocol, src, destination, content, etc. <direction> can be -> or <> content: used for deep-packet inspection. There is a mini language: Can specify offsets and depth, Can relate to other matches in same packet Can use PERL regular expressions Can also do matches in the packet (IP/TCP,UDP) headers If a rule matches the action is taken: Alert, log, pass, Rules are applied in sequence

Snort Actions alert generate alert and log packet log - log packet pass ignore packet activate alert and turn on dynamic rule dynamic inactive rule until activated then log Inline-mode only: drop drop packet and log sdrop drop packet without logging reject drop packet, log, and send reset/icmp port unreachable to sender Custom actions can also be used to bind to specific output plugins: Ruletype dds_alert { type alert output dds_write: domain=36 topic= SnortAlert } 17

Normalized IDS Alert information 18 struct NormalizedAlert { SensorDetails sensor; NodeInfo source; NodeInfo target; ProtocolInfo protocolinfo; Timestamp alarmtimestamp; string alertmsg; short priority; sequence<extravalue> extra; }; struct SensorDetails { string name; string version; long agentid; long type; NodeInfo node; }; struct NodeInfo { NetworkAddr networkaddr; unsigned short port; PhysicalAddress phyladdr; string hostname; }; struct ProtocolInfo { string type; UdpInfo udpinfo; TcpInfo tcpinfo; IpInfo ipinfo; IcmpInfo icmpinfo; EthernetInfo ethinfo; };

System Monitoring: Ganglia Overview Open source software (Linux, Windows) Originally developed at UC berkeley Distributed Monitoring system for Clusters/Grids Has scaled to clusters with 2000 nodes Many built-in metrics CPU, Network, IO, Memory, Disk Can be extended with user-defined metrics 19

Ganglia Deployment (data collection) Host-based (gmond daemon on each host) monitor changes in host state announce relevant changes listen to the state of other ganglia nodes answer requests for an XML description of the cluster state. Outputs: Metrics to multicast UDP Sent at configured period or when value changes beyond configurable threshold Responses to requests received via TCP multicast GMOND GMOND GMOND GMOND GMOND GMOND 20 (standard metrics) GMETRIC APP (custom metrics)

Ganglia Implementation & Deployment Apache Web Server HMI RR Database GMETAD Poll TCP Cluster 1 GMOND GMETAD RR Database multicast TCP Poll GMOND GMOND Cluster 2 GMOND Cluster 3 GMOND GMETRIC APP 21

Normalized System Monitoring Information struct NormalizedSysMon { SensorDetails sensordetails; ClusterInfo clusterinfo; StandardMetrics stdmetrics; }; struct ClusterInfo { string name; Timestamp localtime; string owner; string latlong; string url; }; struct StandardMetrics{ DoubleMetric disk_total; LongMetric cpu_speed; LongMetric swap_total; StringMetric os_name; FloatMetric cpu_user; FloatMetric cpu_system; FloatMetric bytes_out; FloatMetric pckts_in; }; 22

CEP Overview Capabilities: Filtering Pattern Detection Aggregation, transformation Time-Correlation Across multiple streams Real-Time Data Feeds Composite Events... Alerts CEP Engine Actions 23 Event Storage

CEP Example 1 activity: ftp request tool: Snort activity: disk free DDS Topic CEP CEP DDS Topic RTView RTI Recorder tool: Ganglia DDS Topic Rule: If free disk < 10% and ftp request Then send DDS topic alert 24

CEP Example 2 activity: ssh tool: Snort event: CPU load DDS Topic CEPCEP DDS Topic RTView RTI Recorder tool: Ganglia DDS Topic Rule: If CPU > 50% and ssh request Then send DDS topic alert 25

Potential Information normalization would allow rules to be written independent of sensors Use of CEP would allow rules to apply across sensors enable much more sophisticated rules that mix historical data, time-windows, causality, etc. Use of DDS would enable prioritization and other QoS provide unified API to access all data with highest performance allow segmentation and parallelization of processing enable easy visualization using general purpose tools Provide many out of the box services: recording, durability across all sensors with no additional work 26

Status: RTI Prototype Demo CONOPS v0.1 Shapes Traffic Generic Traffic Windows Shapes Traffic Generic Traffic Solaris Shapes Traffic Generic Traffic Linux Producers Rogue DDS Naughtiness Linux Promia Raven UTM CEP via Coral8 Engine Processors RTI DDS Ganglia Nmap Snort Nessus SAINT OpenPMF Sensors Shapes Traffic Generic Traffic Shapes Traffic Generic Traffic Shapes Traffic Generic Traffic Windows Solaris Linux Consumers SL RTView RTI Developer Platform Tools (Analyzer, Wireshark) RTC Database (SQL, Archive) 27 Shapes traffic = UDP/IPv4 DDS traffic created by RTI DDS Shapes demo application Generic Traffic = legitimate and illegitimate random TCP/IPv4 network traffic Legitimate = valid, well-formed packets of various protocols created using network traffic stimulator Illegitimate = invalid, non-well-formed but not malicious packets of various protocols Rogue = packets that violate one or more security policies, whether or not malicious

Future objectives Integrate additional sensors of each class & refine the Normalized data format Gather IDS data in real scenarios Develop more sophisticated CEP rules based on IDS data Develop CONOPS v 1.0 28

Questions Gerardo Pardo-Castellote, Ph.D. gerardo.pardo@rti.com www.rti.com 29

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information