Slide 1: Grid-wide Intrusion Detection
INFSO-RI-508833, Enabling Grids for E-sciencE (www.eu-egee.org)
Stuart Kenny*, Brian Coghlan, Dept. of Computer Science, Trinity College Dublin
27th Oct. 2005

Slide 2: Introduction
Goal
- "To provide the Grid-Ireland OpsCentre with an overall picture of the state of security of the entire Grid-Ireland infrastructure at any time"
  - Starting with intrusion detection
Difficulties for Grid
- Infrastructure spans multiple networks
- Don't know about the state of security at other sites
- Similar infrastructure at sites, i.e. OS, services
- Speed of response depends on speed of access to information
Grid-Ireland approach
- Develop a Grid-wide intrusion detection system
  - Instrument all sites to detect attempted security intrusions
  - All security alerts generated at sites to be visible at the OpsCentre

Slide 3: Grid-wide Intrusion Detection
System building blocks:
- Snort
  - Open-source network intrusion detection system
- CrossGrid NetTracer
  - System for accessing log files through the Grid InfoSys
  - Supports Tcpdump and Snort
- R-GMA
  - Relational grid monitoring and information system

Slide 4: Grid-wide Intrusion Detection
System comprised of two levels:
1. Alert aggregation
   - Snort + NetTracer Sensor
     - Snort: generates alerts for suspect packets
     - NetTracer: streams alerts to R-GMA
   - R-GMA Secondary Producer
     - Collects alerts into a central 'Grid-wide intrusion log'

Slide 5: Alert Aggregation (diagram)
Four sites (Site A, Site B, Site C, Site D), each running SNORT + SENSOR, stream alerts into R-GMA; the central log is built from per-site queries of the form SnortAlerts "where siteId = 'Site A'", SnortAlerts "where siteId = 'Site B'", SnortAlerts "where siteId = 'Site C'", SnortAlerts "where siteId = 'Site D'".

Slide 6: Alert Aggregation (figure)

Slide 7: Alert Analysis
System comprised of two levels:
1. Alert aggregation
   - Snort + NetTracer sensor
     - Snort: generates alerts for suspect packets
     - NetTracer: streams alerts to R-GMA
   - R-GMA Secondary Producer
     - Collects alerts into a central 'Grid-wide intrusion log'
2. Alert analysis
   - Custom R-GMA consumers
     - Currently 3 different kinds
   - Detect attempted attacks on the grid infrastructure
   - Generate a 'Grid-alert'

Slide 8: Alert Analysis (figure)

Slide 9: Example Analyser
Detect scanning of the Grid infrastructure
- Consumer filters the log for portscan alerts
- If multiple sites are scanned by a single source:
  - Grid infrastructure portscan 'grid-alert'
  - Alert generated:
    - email
    - published to R-GMA
Consumer:
  alert = consumerFactory.createConsumer(timeInterval, "SELECT * FROM snortAlerts WHERE generator_id=122", QueryProperties.CONTINUOUS);

Slide 10: Example Analyser (sample grid-alert email)
Grid Alert: Grid Infrastructure Portscan
From:
To: stuart.kenny@cs.tcd.ie
Date: Yesterday 00:26:05
[**] 08/04-00:26:05.244 Grid Infrastructure Portscan [**]
Source: 59.44.51.80 (59.44.51.80)
Site: giULie 08/04-00:17:56.418485 (portscan) TCP Portscan gridmon.grid.ul.ie (193.1.96.134)
Site: giRCSIie 08/04-00:26:04.005235 (portscan) TCP Portscan gridmon.rcsi.ie (193.1.229.24)
Site: giAITie 08/04-00:13:41.395764 (portscan) TCP Portscan 192.168.32.154 (192.168.32.154)
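The analyser logic of slides 9 and 10, as an added example that is not NetTracer or R-GMA code: it applies the consumer's generator_id=122 filter (Snort's sfPortscan preprocessor) to rows from the aggregated intrusion log, groups the portscan alerts by source address, and raises a 'Grid Infrastructure Portscan' grid-alert for any source seen at more than one site. The row field names and the sample rows are constructed for the example.

```python
"""Correlate per-site Snort portscan alerts into a Grid-wide 'grid-alert'.

Added example, not the project's own code. Field names (siteId, generator_id,
src_ip, dst_host, timestamp) and the sample rows are constructed.
"""
from collections import defaultdict

PORTSCAN_GENERATOR_ID = 122  # Snort sfPortscan preprocessor, as in the consumer's SELECT on slide 9

# Constructed rows standing in for the aggregated 'snortAlerts' table.
SAMPLE_ALERTS = [
    {"siteId": "Site A", "generator_id": 122, "src_ip": "203.0.113.7", "dst_host": "gridmon.site-a.example", "timestamp": "08/04-00:17:56"},
    {"siteId": "Site B", "generator_id": 1,   "src_ip": "203.0.113.7", "dst_host": "ce.site-b.example",      "timestamp": "08/04-00:20:01"},
    {"siteId": "Site B", "generator_id": 122, "src_ip": "203.0.113.7", "dst_host": "gridmon.site-b.example", "timestamp": "08/04-00:26:04"},
    {"siteId": "Site C", "generator_id": 122, "src_ip": "203.0.113.7", "dst_host": "gridmon.site-c.example", "timestamp": "08/04-00:13:41"},
    {"siteId": "Site A", "generator_id": 122, "src_ip": "198.51.100.9", "dst_host": "gridmon.site-a.example", "timestamp": "08/04-01:02:10"},
]

def portscan_alerts(alerts):
    """Equivalent of the consumer's 'WHERE generator_id=122' filter."""
    return [a for a in alerts if a["generator_id"] == PORTSCAN_GENERATOR_ID]

def correlate_by_source(alerts, min_sites=2):
    """Group portscan alerts by source; return sources that hit >= min_sites distinct sites.

    Returns {src_ip: [alerts sorted by siteId]} for each source that qualifies.
    """
    by_src = defaultdict(list)
    for a in portscan_alerts(alerts):
        by_src[a["src_ip"]].append(a)
    grid_alerts = {}
    for src, hits in by_src.items():
        sites = {h["siteId"] for h in hits}
        if len(sites) >= min_sites:
            grid_alerts[src] = sorted(hits, key=lambda h: h["siteId"])
    return grid_alerts

def format_grid_alert(src, hits):
    """Render the grid-alert in the style of the emailed alert on slide 10."""
    lines = ["[**] Grid Infrastructure Portscan [**]", f"Source: {src}"]
    for h in hits:
        lines.append(f"Site: {h['siteId']} {h['timestamp']} (portscan) TCP Portscan {h['dst_host']}")
    return "\n".join(lines)

if __name__ == "__main__":
    for src, hits in correlate_by_source(SAMPLE_ALERTS).items():
        print(format_grid_alert(src, hits))
```

The single-site source (198.51.100.9) stays a local Snort alert only; the source seen at three sites becomes one grid-alert.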

Slide 11: Sample Results
- First 4-week period: 25,378
- Current total: 194,390 (16 weeks)

Slide 12: Sample Results (figure)

Slide 13: Sample Results (figure)

Slide 14: Deployment
- Site
  - R-GMA MON box
  - Snort
  - NetTracer, 2 components:
    - Sensor: must be co-located with Snort
    - QueryEngine: requires the R-GMA API
- GOC
  - Intrusion log secondary producer
  - Intrusion log analysers
Configuration
- Manual
  - configuration script
- Automatic
  - LCFG component
  - Quattor component (to be tested)
  - YAIM will be provided

Slide 15: Future Work
Customise Snort rules for the Grid
- Based on:
  - Site configurations
  - Host types
  - Services
Incorporate additional security components
- Tripwire
- Bro
Attack detection
- New intrusion log analysers
  - Bayesian
  - AI/Category Theory
Active response
- Automated responses to detected attacks

Slide 16: The End
Any questions?
Email: stuart.kenny@cs.tcd.ie
