Presentation is loading. Please wait.

Presentation is loading. Please wait.

GrIDS -- A Graph Based Intrusion Detection System For Large Networks Paper by S. Staniford-Chen et. al.

Published byVictoria Gaines Modified over 9 years ago

Similar presentations

Presentation on theme: "GrIDS -- A Graph Based Intrusion Detection System For Large Networks Paper by S. Staniford-Chen et. al."— Presentation transcript:

1 GrIDS -- A Graph Based Intrusion Detection System For Large Networks Paper by S. Staniford-Chen et. al

2 10/06 Overview General facts about GrIDS Scalability Architecture Management Additional features Limitations

3 10/06 Security Policy Used to detect & analyze large-scale attacks Anomaly detection Can report on per-host basis –Worms –Network sweeps –User specified patterns of attack

4 10/06 GrIDS -- Environment Runs on Unix hosts connected by IP nets Intended for large networks (thousands of hosts & hundreds of IP sub-nets) Assumes that network belongs to single organization with autonomous departments No part of network is “actively hostile”

5 10/06 What does GrIDS do? Graph-based Intrusion Detection System Records network activity Aggregates data of interest Builds activity graphs Performs pattern matching Determines “unexpected” behavior

6 10/06 Scalability via Aggregation Models an organization as hierarchy of departments (composed of computers) Each department builds & evaluates graphs of activity within the department Sub-graphs are embedded in larger graphs, so an entire department may be represented by a single node in a high- level graph

7 10/06 Scalability via Aggregation Graphs scale & are always manageable  Low level graphs depict part of organization  High levels summarize information found in low level graphs GrIDS aggregates data; can it see low level intrusion?

8 10/06 Architecture of GrIDS Module controller process - on each host Comprised of modules with standardized interfaces: –data sources: monitor activity on hosts & networks; –graph engine: builds graphs & passes them up the hierarchy –software manager: manages state of hierarchy & distributed modules

9 10/06 Data Sources Monitor net: Network sniffers Monitor the OS/net: Point IDSs (single host or LAN IDSs) Includes extensible mechanism which allows data to be gathered from other security tools without significant change to the tool or to GrIDS

10 10/06 Graph Engine Nodes represent hosts or departments Edges represent network traffic between nodes Graph has global attributes which maintain state information about the graph as a whole Graphs are built based on rule sets

11 10/06 Rule Sets Executable specification of a kind of graph (contains preconditions, combining rules) Each rule set maintains a graph space containing multiple graphs Rules operate independently of one another

12 10/06 Rule Sets Used to –Determine if incoming report (partial graph) should be incorporated into existing graphs –Decide if two graphs should combine –Compute the attributes of the combined graph –Decide what actions to take, if any A rule set is inherited by all descendents of the node to which it is applied

13 Engine Receives Report In Form of Partial Graph Meets Rule Set’s Preconditions? Discard NO YES Meets Rule Set’s Combining Conditions? NO New Graph Formed in Rule Set’s Graph Space YES Incoming Graph Combined With Existing Graph Updating Graphs

14 Example Rule Combine node rule { res.node.combine = !empty({new.node.alerts, cur.node.alerts}) && abs(cur.node.time - new.node.time) < 30; res.node.alerts ={cur.node.alerts,new.node.alerts}; res.node.time = max({cur.node.time, new.node.time}); }

15 Example Assessment Rule assessments rule { (!empty(res.global.alerts)) || (res.global.nnodes >= 8) || (res.global.nedges >= 13) ==> alert(), report-graph(); (3 < res.global.nnodes < 8) || (5 report-graph(); }

16 10/06 Management Modules User interface modules for management functions and display of alerts Central organizational hierarchy server which has a global view of the topology of the hierarchy, and is responsible for ensuring that changes to the hierarchy happen in a consistent manner

17 10/06 Managing the Hierarchy Organizational hierarchy server maintains a global picture of hierarchy Access control system controls who can view and manage the hierarchy  ACL resides at each node & states who can access that node or any node in the sub-tree rooted there System managers perform “transactions”

18 10/06 Transactions Typical transactions include: moving a department adding a new host changing the location of the graph engine, etc.

19 10/06 Limitations Not secure against attacks targeting GrIDS: –substituting in hacked versions of GrIDS at the module level –denial of service attacks –disruptions of the network time protocol –networks or computers faults Widespread attacks which progress slowly might not be diagnosed by aggregation mechanism

20 10/06 Backup

21 10/06 Additional Features: Policy Enforcement Policies are compiled into rule sets which build graphs & evaluate for policy violations Currently, GrIDS only allows for policies stated with respect to a single graph edge (network connection) Rule takes form of a tuple: (action, time, source, destination, protocol, stage, status,....)

Download ppt "GrIDS -- A Graph Based Intrusion Detection System For Large Networks Paper by S. Staniford-Chen et. al."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.

REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.

1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Managing Agent Platforms with the Simple Network Management Protocol Brian Remick Thesis Defense June 26, 2015.

Managing Agent Platforms with the Simple Network Management Protocol Brian Remick Thesis Defense June 26, 2015.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
NetFlow Analyzer Drilldown to the root-QoS Product Overview.

NetFlow Analyzer Drilldown to the root-QoS Product Overview.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
DIDS part II The Return of dIDS 2/12 CIS 610. 2 GrIDS Graph based intrusion detection system for large networks. Analyzes network activity on networks.

DIDS part II The Return of dIDS 2/12 CIS GrIDS Graph based intrusion detection system for large networks. Analyzes network activity on networks.
seminar on Intrusion detection system

seminar on Intrusion detection system
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Architectural Design Establishing the overall structure of a software system Objectives To introduce architectural design and to discuss its importance.

Architectural Design Establishing the overall structure of a software system Objectives To introduce architectural design and to discuss its importance.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]

Similar presentations

Ads by Google