Report on Common Intrusion Detection Framework By Ganesh Godavari

Outline of the talk CIDF GIDO Negotiation protocol scenarios

Goal Goal of IDIAN –Develop a negotiation protocol that is dynamic –Allow distributed collection of heterogeneous ID components –Provide inter-operate ability to reach agreement on ID information processing capability

Motivation Understand –Common Intrusion Detection Framework – Common Intrusion Specification Language (CISL)

Common Intrusion Detection Framework (CIDF) CIDF architecture –Divides IDS into Components –Component consists of software code with configuration information –Components can be added/removed –Components interact in real time and exchange data using GIDO

Generalized Intrusion Detection Objects (GIDO) GIDO consists of two components – Fixed Format header CIDF version, timestamp, and length of body –Variable Length Body data

GIDO body (ByMeansOf (Attack (Observer (ProcessName `StackGuard') ) (Target (HostName `somehost.someplace.net') ) (AttackSpecifics (Certainty `100') (Severity `100') (AttackID `1' `0x4f') ) (Outcome (CIDFReturnCode `2') ) (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999') ) ) (ByMeansOf (Execute (Process (ProcessName `fingerd') ) (When (BeginTime `14:57:36 24 Feb 1999') (EndTime `14:57:36 24 Feb 1999') ) ) ) ) data Semantic Identifier (SID) Where the attack occurred Which process detected Where is the attack targeted at? StackGuard is a compiler that emits programs hardened against "stack smashing" attacks.

SID is associated with each piece of data in the body SID associated with data are called Atom SID Atom SID cannot completely describe an event. Verbs describe events –e.g. Attack SID Verb SID has set of Role SIDs which provide additional information about the event. –e.g. Observer Role provides information about the observer of an event.

Example V is a verb SID R1 and R2 are role SIDs A1 through A3 are Atom SIDs S-expression (V (R1 (A1 data1) (A2 data2) ) (R2 (A3 data3) ) Tree Representation

CIDF components Components –Event generators ("E-boxes") Produce GIDOs –Event analyzers ("A-boxes") Consume GIDOs Conclusions are turned out as GIDOs –Event databases ("D-boxes") store events for later retrieval –Response units ("R-boxes") Consume GIDOs Take action like kill process, reset connections

CIDF Component Interaction

Add/remove an IDS Component New components need to notify others Negotiation protocol –Publish the capabilities of new components Ability to describe and disseminate the description to other components –Collection of components need to interact with each other To determine which components provide specific set of capabilities that the others can utilize

Categorization of overload situations Resources are limited Demand driven overloads –IDS is asked to provide additional detection facilities –Fluctuation in the amount of data to be processed Flooding !! Supply driven overloads –Computer/network down!! –Compromised components unavailable –Number crunching jobs competing with IDS for jobs

Adapting to overload situations Solution –Supply of resources/components is increased Human assistance, killing processes/files competing for resources –Reduction in the demand Modify the packet filtering rules to eliminate flooding the system from outside; Killing processes that generate massive floods of OS audit records –Adapt to ensure important jobs are met Reduce the number and kinds of attacks detected, number of systems/network covered by IDS

New Attack Signatures and Responses Install new signatures – computational cost Cost –Determine if the capability exists in the IDS to respond to the attack signature –Cost of response i.e. degradation in performance, loss of functionality E-box needs to specify the cost of sensor data R-box needs to specify the cost executing requested actions A-box needs to asses (stress) the cost of deploying a new attack signature

New producer E-box – can I supply the capabilities with in cost limits? –If true send acceptance message to A-box –If false send rejection message to A-box If the minimum cost is relatively close to the upper bound set by A-box. Send a counter proposal to A- box The counter proposal can be accepted or rejected by A-box

New Consumer Enhanced/diminished capability New Consumer –R-box advertises its capabilities to existing A- Boxes Enhanced/diminished capability –Upgraded/degraded E-box advertises to A- box. –A-box renegotiates its utilization of the capabilities of E-box

How does one know what are the existing capabilities? –generate new proposals that contain more arbitrary lists of capabilities –For example, suppose that an R-box R announces a list of capabilities L0. An A-box A requests a list L1 that is a subset of L0. R comes back with a list L2 that is a subset of L1. Unsatisfied, A proposes an entirely new list M that is a subset of L0 but that may share only some capabilities with L1.

Scenario 1: a new capability new host machine with detection component is added to LAN. Network under connection laundering attack

solution E-box supplies system-call audit trail A-box might correlate all inbound TCP/IP connections with outbound connections.

Scenario 2: flooding IDS Stolen company laptop with VPN Connection to the company that has detection component and is used to launch an attack. Hacker generate lot of spurious audit data to deflect suspicion. Second host is also compromised. Generate more audit data and crash the central IDS?

Solution Request the event generator to switch to a pre-negotiated fallback setting in which only critical audit data is sent. Request that other event generators reduce their output so the analyzer can concentrate on the attack.

References Intrusion Detection Inter-component Adaptive NegotiationIntrusion Detection Inter-component Adaptive Negotiation – Richard Feiertag et al 2000 IEEE Computer Networks special issue on intrusion detection A Common Intrusion Specification Language, CIDF working group document. Communication in the Common Intrusion Detection Framework, CIDF working group document.