GrIDS -- A Graph Based Intrusion Detection System For Large Networks Paper by S. Staniford-Chen et. al

10/06 Overview General facts about GrIDS Scalability Architecture Management Additional features Limitations

10/06 Security Policy Used to detect & analyze large-scale attacks Anomaly detection Can report on per-host basis –Worms –Network sweeps –User specified patterns of attack

10/06 GrIDS -- Environment Runs on Unix hosts connected by IP nets Intended for large networks (thousands of hosts & hundreds of IP sub-nets) Assumes that network belongs to single organization with autonomous departments No part of network is “actively hostile”

10/06 What does GrIDS do? Graph-based Intrusion Detection System Records network activity Aggregates data of interest Builds activity graphs Performs pattern matching Determines “unexpected” behavior

10/06 Scalability via Aggregation Models an organization as hierarchy of departments (composed of computers) Each department builds & evaluates graphs of activity within the department Sub-graphs are embedded in larger graphs, so an entire department may be represented by a single node in a high- level graph

10/06 Scalability via Aggregation Graphs scale & are always manageable  Low level graphs depict part of organization  High levels summarize information found in low level graphs GrIDS aggregates data; can it see low level intrusion?

10/06 Architecture of GrIDS Module controller process - on each host Comprised of modules with standardized interfaces: –data sources: monitor activity on hosts & networks; –graph engine: builds graphs & passes them up the hierarchy –software manager: manages state of hierarchy & distributed modules

10/06 Data Sources Monitor net: Network sniffers Monitor the OS/net: Point IDSs (single host or LAN IDSs) Includes extensible mechanism which allows data to be gathered from other security tools without significant change to the tool or to GrIDS

10/06 Graph Engine Nodes represent hosts or departments Edges represent network traffic between nodes Graph has global attributes which maintain state information about the graph as a whole Graphs are built based on rule sets

10/06 Rule Sets Executable specification of a kind of graph (contains preconditions, combining rules) Each rule set maintains a graph space containing multiple graphs Rules operate independently of one another

10/06 Rule Sets Used to –Determine if incoming report (partial graph) should be incorporated into existing graphs –Decide if two graphs should combine –Compute the attributes of the combined graph –Decide what actions to take, if any A rule set is inherited by all descendents of the node to which it is applied

Engine Receives Report In Form of Partial Graph Meets Rule Set’s Preconditions? Discard NO YES Meets Rule Set’s Combining Conditions? NO New Graph Formed in Rule Set’s Graph Space YES Incoming Graph Combined With Existing Graph Updating Graphs

Example Rule Combine node rule { res.node.combine = !empty({new.node.alerts, cur.node.alerts}) && abs(cur.node.time - new.node.time) < 30; res.node.alerts ={cur.node.alerts,new.node.alerts}; res.node.time = max({cur.node.time, new.node.time}); }

Example Assessment Rule assessments rule { (!empty(res.global.alerts)) || (res.global.nnodes >= 8) || (res.global.nedges >= 13) ==> alert(), report-graph(); (3 < res.global.nnodes < 8) || (5 report-graph(); }

10/06 Management Modules User interface modules for management functions and display of alerts Central organizational hierarchy server which has a global view of the topology of the hierarchy, and is responsible for ensuring that changes to the hierarchy happen in a consistent manner

10/06 Managing the Hierarchy Organizational hierarchy server maintains a global picture of hierarchy Access control system controls who can view and manage the hierarchy  ACL resides at each node & states who can access that node or any node in the sub-tree rooted there System managers perform “transactions”

10/06 Transactions Typical transactions include: moving a department adding a new host changing the location of the graph engine, etc.

10/06 Limitations Not secure against attacks targeting GrIDS: –substituting in hacked versions of GrIDS at the module level –denial of service attacks –disruptions of the network time protocol –networks or computers faults Widespread attacks which progress slowly might not be diagnosed by aggregation mechanism

10/06 Backup

10/06 Additional Features: Policy Enforcement Policies are compiled into rule sets which build graphs & evaluate for policy violations Currently, GrIDS only allows for policies stated with respect to a single graph edge (network connection) Rule takes form of a tuple: (action, time, source, destination, protocol, stage, status,....)