Research on Improving the Efficiency of IDS Operation. Faculty of Environment and Information Studies, 4th year, 水谷正慶. Parent: true / Sub-parent: minami.


1 Research on Improving the Efficiency of IDS Operation. Faculty of Environment and Information Studies, 4th year, 水谷正慶 (mizutani@SING). Parent: true / Sub-parent: minami

2 Background. An Intrusion Detection System (IDS) outputs too much log. Ex) RG-Net, monitored by Snort, 2005/1/1 ~ 7/26: max 720,679 events/day, average 66,408 events/day.

3 Issues. It's too difficult for an operator to find an intrusion in the IDS event log. (Diagram labels: Operator, IDS, Event Log; "What's happened?", "How much risk?"; Amount of events, Intrusion, Infected, Take time, Human error, Critical incident.)

4 Focus (1/2): Risk of events. (Diagram: a spectrum from False Positive through Low Risk Event to High Risk Event, with examples: versatile signature, low-quality signature, failed attack, non-effective attack, Blaster.)

5 Focus (2/2): Event assessment. (Diagram: a timeline of Event-1 through Event-8, grouped into events from Host-A and events from Host-B.)

6 System overview. (Diagram: Network Traffic -> Conventional IDS -> Event Log. Session-based IDS adds Attack Result, Target-based IDS adds Event Rating, IDS Log Visualizer aggregates; the resulting Important Event Log goes to the Operator.)

7 (1) Session-based IDS. (Diagram: a conventional IDS sees only the exploit code sent from Attacker to Target and reports "Attack". A session-based IDS also inspects the Target's reply: an Error Message means the attack failed; an Unknown Response means the attack succeeded.)

8 (2) Target-based IDS. (Diagram: the Attacker sends exploit code for Windows to two targets. Against Target (Windows) the attack is risky; against Target (Linux) the attack is no risk.)

9 (3) Log Visualizer. Event log: 00:13 Port Scan, 00:15 Version Scan, 00:17 Exploit Attempt, 00:27 Port Scan, 00:28 Version Scan, 00:55 Exploit Attempt. (Diagram: the same events plotted on a 00:00 to 01:00 timeline in three rows, Port Scan, Version Scan, Exploit Code; Correlation(?))
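Slides 7 and 8 describe two rules for rating an event: a session-based IDS reads the target's reply (error message means the attack failed, any other reply means it succeeded), and a target-based IDS discards exploit code aimed at an OS the target does not run. Slide 20 later restates the output of those rules as three properties per event (Signature, Result, Degree of Risk). The Python below is an added illustration of that rating logic and is not code from ROOK or BISHOP; the host database, signature database and error-marker list are constructed for the example, and the "important event" threshold (only high-risk events reach the operator) is an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Result(Enum):
    SUCCESS = "success"
    FAILURE = "failure"
    UNKNOWN = "unknown"

class Risk(Enum):
    HIGH = "high"
    LOW = "low"
    UNKNOWN = "unknown"

@dataclass(frozen=True)
class Rating:
    """The three properties slide 20 attaches to an event."""
    signature: str
    result: Result
    risk: Risk

# Constructed "Host DB" (slide 10): target IP -> OS, normally filled from
# DHCP-based OS fingerprinting plus static-address records.
HOST_DB = {
    "203.178.128.202": "windows",
    "203.178.143.19": "linux",
}

# Constructed signature DB: signature -> (event kind, OS the exploit code
# targets, or None when the exploit is not OS-specific).
SIGNATURE_DB = {
    "MS-SQL Worm propagation attempt": ("exploit", "windows"),
    "Exploit Suspected PHP Injection Attack": ("exploit", None),
    "Port Scan": ("scan", None),
    "Version Scan": ("scan", None),
}

# Constructed list of replies that the session-based rule reads as an
# "error message", i.e. the target rejected the exploit attempt.
ERROR_MARKERS = (
    b"400 Bad Request", b"403 Forbidden", b"404 Not Found",
    b"500 Internal Server Error", b"Connection refused",
)

def session_result(response: Optional[bytes]) -> Result:
    """Slide 7 rule: no reply captured -> unknown; error message -> failure;
    any other reply -> success."""
    if response is None:
        return Result.UNKNOWN
    if any(marker in response for marker in ERROR_MARKERS):
        return Result.FAILURE
    return Result.SUCCESS

def rate_event(signature: str, dst_ip: str, response: Optional[bytes]) -> Rating:
    """Combine the target-based and session-based rules into a Rating."""
    kind, required_os = SIGNATURE_DB.get(signature, ("exploit", None))
    # Slide 20: a scan that got an answer "succeeded", but its risk is unknown.
    if kind == "scan":
        return Rating(signature, Result.SUCCESS, Risk.UNKNOWN)
    # Slide 8: exploit code for one OS sent to a host running another is no risk.
    target_os = HOST_DB.get(dst_ip)
    if required_os and target_os and required_os != target_os:
        return Rating(signature, Result.FAILURE, Risk.LOW)
    # Slide 7: otherwise let the target's reply decide.
    result = session_result(response)
    risk = {Result.SUCCESS: Risk.HIGH,
            Result.FAILURE: Risk.LOW,
            Result.UNKNOWN: Risk.UNKNOWN}[result]
    return Rating(signature, result, risk)

def is_important(rating: Rating) -> bool:
    """Assumed threshold for the 'Important Event Log' of slide 6."""
    return rating.risk is Risk.HIGH

if __name__ == "__main__":
    # Constructed reply bytes standing in for an "unknown response".
    unknown_reply = b"\x04\x01\x00\x2a"
    for sig, dst, reply in [
        ("MS-SQL Worm propagation attempt", "203.178.143.19", unknown_reply),
        ("MS-SQL Worm propagation attempt", "203.178.128.202", unknown_reply),
        ("Exploit Suspected PHP Injection Attack", "203.178.143.19", b"HTTP/1.1 403 Forbidden\r\n"),
        ("Port Scan", "203.178.143.19", None),
    ]:
        r = rate_event(sig, dst, reply)
        print(f"{sig:45s} {dst:16s} result={r.result.value:8s} risk={r.risk.value:8s} important={is_important(r)}")
```

The two rules are deliberately ordered: the target-based check runs first because it needs no packet capture of the reply, so mismatched exploit code is dropped before the more expensive session inspection.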

10 System design. (Diagram: Session-based IDS writes to an Event Log DB; Target-based IDS & Log Visualizer read it and present results to the Operator, consulting a Host DB built from DHCP-based OS fingerprinting plus static IP addresses.)

11 Implementation: Session-based IDS

12 Implementation: Log Visualizer
- Demo

13 Implementation: Log Visualizer. Correlation of events from some IP address.

14 Researches & Activities
- Papers
  - "Building a Log Visualization System for IDS" (「IDS のログ視覚化システムの構築」): IPSJ Distributed Systems / Internet Operation Technology Symposium, 2003
  - "Design and Implementation of a Session Based IDS" (「Session Based IDS の設計と実装」): IEICE, 2005, special issue on next-generation Internet software
  - "Proposal and Implementation of a Protocol-Anomaly Defense Method Using Session Tracking" (「セッション追跡によるプロトコルアノーマリ型防御手法の提案と実装」): IPSJ 12th Workshop on Multimedia Communication and Distributed Processing, 2004
  - "The Design and Implementation of Session Based IDS": Technical Typesetters: "Electronics and Communications in Japan, Part I"
- Software
  - Session-based IDS "ROOK": http://matinee.sfc.wide.ad.jp/blitz/rook/
  - Log Visualizer "BISHOP": http://matinee.sfc.wide.ad.jp/blitz/bishop

15 Schedule
- To do: integration, evaluation, paper
- Aug: integration
- Sep: integration, evaluation
- Oct: evaluation
- Nov: write paper
- Dec: submit paper
- Jan. 2006: final presentation

16 Evaluation
- Quantitative evaluation
  - Event reduction
  - Comparison with other IDS implementations
  - Performance
  - Properness of events
- Qualitative evaluation
  - Comparison with traditional log-analyzing tools

17 Conclusion
- Issues
- Approach
  - Session-based IDS
  - Target-based IDS
  - Log Visualizer
- To do
  - Integration
  - Reevaluation
  - Paper

18 Thank you.

19 Road to… (Diagram: papers along the path from Bachelor's Course to Master's Course.)
- Master's Paper themes: "Research on Supporting the Use of IDS" (「IDS の利用支援に関する研究」); "Research on Automating Incident Response" (「インシデントレスポンスの自動化に関する研究」)
- Bachelor's Paper: "Proposal and Evaluation of an Incident Risk Discrimination Model Using Multiple Events" (「複数イベントによるインシデントリスク判別モデルの提案と評価」)
- Other papers on the road:
  - "Design and Implementation of a Session-based IDS" (「Session-based IDS の設計と実装」)
  - "Building a Log Visualization System for IDS" (「IDS のログ視覚化システムの構築」)
  - "Risk Evaluation of Attack Information Based on Host Information" (「ホスト情報をもとにした攻撃情報のリスク評価」)
  - "Proposal and Implementation of a Protocol-Anomaly Defense Method Using Session Tracking" (「セッション追跡によるプロトコルアノーマリ型防御手法の提案と実装」)
  - "Proposal of a Dynamic Network Access Control Method That Achieves Both Safety and Convenience" (「安全性・利便性を実現する動的ネットワークアクセス制御手法の提案」)
  - "Realization of an Automatic Incident Response Mechanism Supporting Multiple Environments" (「複数環境に対応するインシデント自動対応機構の実現」)
  - "Implementation of an Automatic Response Mechanism Based on Incident Risk" (「インシデントのリスクに基づいた自動対応機構の実装」)

20 Approach (1/2) -Add Property to Events- (for intrusion detection, network forensics and trend analysis)
- Event-A: Signature: Exploit Attempt; Result: Success; Degree of Risk: High
- Event-B: Signature: Exploit Attempt; Result: Failure; Degree of Risk: Low
- Event-C: Signature: Scan; Event: Success; Degree of Risk: Unknown

21 Implementation: Log Visualizer

22 A Flow to Incident Response: Event Detection -> Risk Evaluation -> Information Collection -> Handling
- Event detection: IDS (Intrusion Detection System), someone's scream, monitoring tools, operator
- Risk evaluation: host information (OS, application)
- Information collection: application log, DHCP, application at end host, firewall
- Handling: secluding the host, filtering the attacker, surveying damage

23 Implementation
- Session-based IDS "ROOK"
  - Improving performance
  - Database module
  - Improving detection accuracy
- Target-based IDS & Log Visualizer "BISHOP"
  - Improving performance
  - Target-based engine
  - Multi-element handling module
  - Multiple IDS support

24 Issues -IDSs are a market failure- (Diagram labels: Take time, Human error, Intrusion, Infected, Log analyzing, Critical incident.)

[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
07/01-06:27:27.039375 211.140.254.58:3062 -> 203.178.128.202:1434
UDP TTL:48 TOS:0x0 ID:64355 IpLen:20 DgmLen:404
Len: 376
[Xref => url vil.nai.com/vil/content/v_99992.htm][Xref => nessus 11214][Xref => cve 2002-0649][Xref => bugtraq 5311][Xref => bugtraq 5310]

[**] [1:2050:8] MS-SQL version overflow attempt [**]
[Classification: Misc activity] [Priority: 3]
07/01-06:27:27.039375 211.140.254.58:3062 -> 203.178.128.202:1434
UDP TTL:48 TOS:0x0 ID:64355 IpLen:20 DgmLen:404
Len: 376
[Xref => nessus 10674][Xref => cve 2002-0649][Xref => bugtraq 5310]

[**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/01-06:27:29.156692 203.178.142.133:80 -> 66.249.65.138:43775
TCP TTL:63 TOS:0x0 ID:41614 IpLen:20 DgmLen:711 DF
***AP*** Seq: 0x640FE4FA Ack: 0xAC9BC693 Win: 0x822B TcpLen: 32
TCP Options (3) => NOP NOP TS: 1108333338 1221203531

[**] [1:10132:0] SNMP access, public [**]
[Priority: 0]
07/01-06:27:44.508905 81.254.130.121:1025 -> 203.178.143.144:161
UDP TTL:109 TOS:0x0 ID:43374 IpLen:20 DgmLen:106
Len: 78

[**] [1:2001621:8] BLEEDING-EDGE Exploit Suspected PHP Injection Attack [**]
[Classification: A Network Trojan was detected] [Priority: 1]
07/01-06:29:43.618958 66.249.66.210:55372 -> 203.178.143.19:80
TCP TTL:52 TOS:0x0 ID:18226 IpLen:20 DgmLen:373 DF
***AP*** Seq: 0xB3C71B54 Ack: 0x98D0F55B Win: 0x1658 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2446613623 1783519270
[Xref => cve 2002-0953]
…………………………
Huge log continues to infinity…
