Research on Improving the Efficiency of IDS Operation (IDS 運用の効率化に関する研究)
Faculty of Environment and Information Studies, 4th year
Masayoshi Mizutani (mizutani@SING)
Advisor (親): true / Sub-advisor (サブ親): minami
Background
An Intrusion Detection System (IDS) outputs far too many log events for an operator to read.
[Chart: daily IDS event count, 2005-01-01 to 2005-07-20; y-axis 0 to 100,000 events/day]
Example: RG-Net, monitored by Snort, 2005/1/1 ~ 7/26
Max: 720,679 events/day
Average: 66,408 events/day
Issues
- The IDS hands its event log to an operator, but it is too difficult for the operator to find an actual intrusion in it.
- Questions the operator must answer for each event: What happened? How much risk? Was the host intruded? Is it infected?
- The sheer amount of events takes time to review, and human error in that review can turn into a critical incident.
Focus (1/2): Risk of events
- False positive: caused by a versatile (overly general) signature or a low-quality signature.
- Low-risk event: a failed attack or an attack that has no effect on the target.
- High-risk event: an attack that can actually succeed.
The slide's example is the Blaster worm: the same Blaster signature fires in all three cases, so the signature alone cannot tell the operator which one occurred.
Focus (2/2): Event Assessment
Timeline view:
- Event-1, Event-2, Event-3, Event-4 from Host-A
- Event-5, Event-6, Event-7, Event-8 from Host-B
System overview
Three components are added on top of a conventional IDS:
- Session-based IDS (attack result)
- Target-based IDS (event rating)
- IDS Log Visualizer (aggregate)
Flow: Network Traffic -> Conventional IDS -> Event Log -> Attack Result / Event Rating / Aggregate -> Important Event Log -> Operator
(1) Session-based IDS
Conventional IDS: sees only the exploit code sent from the attacker to the target and raises an "Attack" event for every attempt, whatever the outcome.
Session-based IDS: also inspects the target's reply in the same session.
- Target returns an error message -> attack failed
- Target returns an unknown response -> attack succeeded
(2) Target-based IDS
- Attacker sends exploit code for Windows to Target (Windows) -> attack is risky
- Attacker sends exploit code for Windows to Target (Linux) -> attack is no risk
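A worked example, added here and not code from the ROOK implementation, that rates one IDS event the way slides (1) and (2) describe: the session-based part judges the attack result from the target's reply, and the target-based part judges risk by matching the exploit's platform against the host DB. The host table, signature table and error markers are constructed for this example.

```python
from dataclasses import dataclass

# Constructed host DB: what the slides' Host DB would hold (static IPs plus
# DHCP-based OS fingerprinting results). Values here are made up for the example.
HOST_DB = {"10.0.0.5": "windows", "10.0.0.6": "linux"}

# Constructed mapping from a signature name to the platform its exploit targets.
SIGNATURE_PLATFORM = {
    "DCOM RPC overflow": "windows",
    "Apache chunked overflow": "linux",
}

# Constructed reply fragments that this example treats as "the attack failed".
ERROR_MARKERS = (b"HTTP/1.1 4", b"HTTP/1.1 5", b"Bad Request", b"ERROR")


@dataclass
class Session:
    src: str         # attacker address
    dst: str         # target address
    signature: str   # signature that fired on the request
    response: bytes  # what the target sent back in the same session


def attack_result(s: Session) -> str:
    """Session-based IDS: an error message means the attack failed; any other
    (unknown) response is treated as a possibly successful attack."""
    if any(marker in s.response for marker in ERROR_MARKERS):
        return "failure"
    return "success?"


def target_risk(s: Session) -> str:
    """Target-based IDS: the exploit is risky only if its platform matches the
    target's OS; with no fingerprint the event cannot be discounted."""
    needed = SIGNATURE_PLATFORM.get(s.signature)
    actual = HOST_DB.get(s.dst)
    if needed is None or actual is None:
        return "unknown"
    return "risky" if needed == actual else "no risk"


def rate(s: Session) -> str:
    """Combine both judgements into the rating the operator would see."""
    result, risk = attack_result(s), target_risk(s)
    if risk == "no risk" or result == "failure":
        return "low"
    return "high" if risk == "risky" else "medium"
```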
(3) Log Visualizer
EVENT LOG
00:13 Port Scan
00:15 Version Scan
00:17 Exploit Attempt
00:27 Port Scan
00:28 Version Scan
00:55 Exploit Attempt
Timeline 00:00 - 01:00; legend: Port Scan, Version Scan, Exploit Code
Correlation(?)
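A worked example, added here and not BISHOP's own code, of the correlation the visualizer slide hints at: events are grouped per source address and followed through the scan -> version scan -> exploit progression, so that a source whose events form the full chain is shown to the operator first. The event log is constructed from the slide's entries with a source address column added.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log in the slide's "HH:MM <event>" form, with a source
# address column added so that events can be grouped per attacker.
EVENT_LOG = """\
00:13 192.0.2.10 Port Scan
00:15 192.0.2.10 Version Scan
00:17 192.0.2.10 Exploit Attempt
00:27 192.0.2.20 Port Scan
00:28 192.0.2.20 Version Scan
00:55 192.0.2.20 Exploit Attempt
00:40 192.0.2.30 Exploit Attempt
"""

# The progression the visualizer is meant to reveal: scan, fingerprint, exploit.
STAGES = ("Port Scan", "Version Scan", "Exploit Attempt")


def parse_log(log: str):
    """Return (time, source, event) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        hhmm, src, kind = line.split(" ", 2)
        events.append((datetime.strptime(hhmm, "%H:%M"), src, kind))
    return sorted(events)


def correlate(log: str, window: timedelta = timedelta(minutes=15)):
    """Group events by source address and follow STAGES in order, keeping only
    steps that occur within `window` of that source's first event. The longer
    the chain, the more the events look like one deliberate attack."""
    by_src = defaultdict(list)
    for ts, src, kind in parse_log(log):
        by_src[src].append((ts, kind))
    chains = {}
    for src, evs in by_src.items():
        start, chain = evs[0][0], []
        for ts, kind in evs:
            nxt = len(chain)  # index of the stage we expect to see next
            if nxt < len(STAGES) and kind == STAGES[nxt] and ts - start <= window:
                chain.append(kind)
        chains[src] = chain
    return chains


def prioritize(chains):
    """Sources ordered for the operator: longest chain first, then by address."""
    return sorted(chains, key=lambda src: (-len(chains[src]), src))
```

With the constructed log, 192.0.2.10 completes all three stages within 15 minutes, 192.0.2.20 stalls after the version scan because its exploit attempt arrives 28 minutes later, and 192.0.2.30 never scanned at all.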
System design
- Session-based IDS -> Event Log DB
- Target-based IDS & Log Visualizer -> Operator
- Host DB: DHCP-based OS fingerprinting + static IP addresses
Implementation: Session-based IDS
Implementation: Log Visualizer
- Demo
Implementation: Log Visualizer
- Correlation: events from the same IP address
Research & Activities
- Papers
  - "IDS のログ視覚化システムの構築" (Building an IDS Log Visualization System): IPSJ Distributed Systems / Internet Operation Technology Symposium (情報処理学会 分散システム/インターネット運用技術シンポジウム), 2003
  - "Session Based IDS の設計と実装" (Design and Implementation of a Session Based IDS): IEICE 2005 Special Issue on Next-Generation Internet Software (電子情報通信学会 2005 年 次世代インターネットソフトウェア論文特集)
  - "セッション追跡によるプロトコルアノーマリ型防御手法の提案と実装" (Proposal and Implementation of a Protocol-Anomaly Defense Method Using Session Tracking): IPSJ 12th Workshop on Multimedia Communication and Distributed Processing (情報処理学会 第 12 回マルチメディア通信と分散処理ワークショップ), 2004
  - "The Design and Implementation of Session Based IDS": Technical Typesetters, "Electronics and Communications in Japan, Part I"
- Software
  - Session-based IDS "ROOK": http://matinee.sfc.wide.ad.jp/blitz/rook/
  - Log Visualizer "BISHOP": http://matinee.sfc.wide.ad.jp/blitz/bishop
Schedule
- Aug: Integration
- Sep: Integration, Evaluation
- Oct: Evaluation
- Nov: Write Paper
- Dec: Submit Paper
- Jan. 2006: Final Presentation
To Do: Integration, Evaluation, Paper
Evaluation
- Quantitative evaluation
  - Event reduction
  - Comparison with other IDS implementations
  - Performance
  - Properness of events
- Qualitative evaluation
  - Comparison with traditional log-analyzing tools
Conclusion
- Issues
- Approach: Session-based IDS, Target-based IDS, Log Visualizer
- To Do: Integration, Reevaluation, Paper
Thank you.