GrIDS -- A Graph Based Intrusion Detection System For …jones/cs451/slides/grids3.ppt · PPT...
Transcript of GrIDS -- A Graph Based Intrusion Detection System For …jones/cs451/slides/grids3.ppt · PPT...
GrIDS -- A Graph Based Intrusion Detection System For
Large Networks
Paper by S. Staniford-Chen et. al
10/06
Overview
• General facts about GrIDS• Scalability• Architecture• Management• Additional features• Limitations
10/06
Security Policy
• Used to detect & analyze large-scale attacks
• Anomaly detection• Can report on per-host basis
– Worms– Network sweeps– User specified patterns of attack
10/06
GrIDS -- Environment
• Runs on Unix hosts connected by IP nets• Intended for large networks (thousands of
hosts & hundreds of IP sub-nets)• Assumes that network belongs to single
organization with autonomous departments • No part of network is “actively hostile”
10/06
What does GrIDS do?
• Graph-based Intrusion Detection System• Records network activity• Aggregates data of interest • Builds activity graphs• Performs pattern matching• Determines “unexpected” behavior
10/06
Scalability via Aggregation
• Models an organization as hierarchy of departments (composed of computers)
• Each department builds & evaluates graphs of activity within the department
• Sub-graphs are embedded in larger graphs, so an entire department may be represented by a single node in a high-level graph
10/06
Scalability via Aggregation
• Graphs scale & are always manageable Low level graphs depict part of organization High levels summarize information found in
low level graphs• GrIDS aggregates data; can it see low
level intrusion?
10/06
Architecture of GrIDS
• Module controller process - on each host • Comprised of modules with standardized
interfaces:– data sources: monitor activity on hosts &
networks; – graph engine: builds graphs & passes them
up the hierarchy– software manager: manages state of
hierarchy & distributed modules
10/06
Data Sources
• Monitor net: Network sniffers• Monitor the OS/net: Point IDSs (single
host or LAN IDSs)• Includes extensible mechanism which
allows data to be gathered from other security tools without significant change to the tool or to GrIDS
10/06
Graph Engine
• Nodes represent hosts or departments• Edges represent network traffic between
nodes• Graph has global attributes which
maintain state information about the graph as a whole
• Graphs are built based on rule sets
10/06
Rule Sets
• Executable specification of a kind of graph (contains preconditions, combining rules)
• Each rule set maintains a graph space containing multiple graphs
• Rules operate independently of one another
10/06
Rule Sets• Used to
– Determine if incoming report (partial graph) should be incorporated into existing graphs
– Decide if two graphs should combine– Compute the attributes of the combined graph– Decide what actions to take, if any
• A rule set is inherited by all descendents of the node to which it is applied
Engine Receives Report In Form of Partial Graph
Meets Rule Set’s
Preconditions? DiscardNO
YES
Meets Rule Set’s Combining
Conditions? NO
New Graph Formed in Rule
Set’s Graph Space YESIncoming Graph
Combined With Existing Graph
Updating Graphs
Example RuleCombine node rule {
res.node.combine = !empty({new.node.alerts, cur.node.alerts})&& abs(cur.node.time - new.node.time) < 30;
res.node.alerts ={cur.node.alerts,new.node.alerts};
res.node.time = max({cur.node.time, new.node.time});
}
Example Assessment Ruleassessments rule {
(!empty(res.global.alerts)) || (res.global.nnodes >= 8) ||
(res.global.nedges >= 13) ==>alert(), report-graph();
(3 < res.global.nnodes < 8) ||(5 < res.global.nedges < 13) ==>
report-graph();}
10/06
Management Modules
• User interface modules for management functions and display of alerts
• Central organizational hierarchy server which has a global view of the topology of the hierarchy, and is responsible for ensuring that changes to the hierarchy happen in a consistent manner
10/06
Managing the Hierarchy
• Organizational hierarchy server maintains a global picture of hierarchy
• Access control system controls who can view and manage the hierarchy ACL resides at each node & states who can
access that node or any node in the sub-tree rooted there
• System managers perform “transactions”
10/06
Transactions
Typical transactions include:• moving a department• adding a new host• changing the location of the graph
engine, etc.
10/06
Limitations• Not secure against attacks targeting GrIDS:
– substituting in hacked versions of GrIDS at the module level
– denial of service attacks– disruptions of the network time protocol– networks or computers faults
• Widespread attacks which progress slowly might not be diagnosed by aggregation mechanism
10/06
Backup
10/06
Additional Features: Policy Enforcement
• Policies are compiled into rule sets which build graphs & evaluate for policy violations
• Currently, GrIDS only allows for policies stated with respect to a single graph edge (network connection)
• Rule takes form of a tuple:(action, time, source, destination, protocol,
stage, status, . . . .)