A Lone Wolf No More:
Supporting Network Intrusion Detection with Real-Time Intelligence
Shane Singh | COMPSCI 726
Introduction
• Aims to extend current basic Intrusion Detection Systems (IDS) so they can incorporate real-time, complex attack intelligence into their normal operation.
Intrusion Detection System (IDS)
• “Device or software application that monitors network or system traffic for malicious activities or policy violations”
The Identified Issue
• Current IDSs are unable to integrate external information into their processing
• Current approach is to convert to rule language
• “…it severely limits the attainable benefits…”
• Ensuring that by using real-time intelligence the IDS can handle realistic workloads
The Proposed Solution
• Development of an Input Framework with integration to a current open-source IDS.
• Using federated sources to provide valid, consistent attack intelligence
• Real-world scenario deployment and monitoring to test suitability
The Intelligence State
• “Externally provided context that, when correlated with traffic on the wire, can significantly increase the system’s detection capabilities.”
Framework Design
Implementation and Integration
• Using the open-source Bro IDS
• Bro fits well with the capabilities of the Input Framework
• Bro turns streams of packets into “policy neutral” network events
Framework with Bro
Using Federated Blacklists
• The authors use the SES feed from REN-ISAC and the JC3 feed from DOE.
• Confidence in the accuracy and quality of the intelligence is important
• Choice of private sources over public sources
• Integration with Input Framework
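To make the Implementation and Integration and Using Federated Blacklists slides concrete, here is an added example (not code from the paper or the Bro project) of a minimal Bro/Zeek policy script that loads an external blacklist through the Input Framework and correlates it with live connections. The feed path, the column layout and the two indicator rows are constructed for illustration; the script is in Zeek syntax, and older Bro releases name the startup event bro_init instead of zeek_init.

```zeek
# Added example, not the paper's code. Loads a blacklist feed into an
# in-memory "intelligence state" and raises a notice on a match.
module IntelDemo;

export {
    redef enum Notice::Type += {
        ## Raised when a connection touches a blacklisted address.
        Blacklist_Hit
    };

    # Index and value types mirror the columns of the feed file.
    type Idx: record {
        ip: addr;
    };
    type Val: record {
        source: string;   # feed the indicator came from, e.g. "SES" or "JC3"
        desc: string;     # free-text context supplied by the feed
    };

    # The intelligence state: a table the Input Framework keeps in sync
    # with the file on disk.
    global blacklist: table[addr] of Val = table();

    # Assumed path. The constructed, tab-separated feed file looks like:
    #   #fields ip      source  desc
    #   192.0.2.10      SES     scanning host
    #   198.51.100.7    JC3     known C2
    const feed_path = "/var/db/intel/blacklist.tsv" &redef;
}

event zeek_init()
    {
    # REREAD mode re-parses the file whenever it changes, so a refreshed
    # feed is picked up without restarting the sensor.
    Input::add_table([$source=feed_path, $name="blacklist",
                      $idx=Idx, $val=Val, $destination=blacklist,
                      $mode=Input::REREAD]);
    }

event Input::end_of_data(name: string, source: string)
    {
    if ( name == "blacklist" )
        print fmt("blacklist loaded: %d indicators", |blacklist|);
    }

event connection_established(c: connection)
    {
    local h = c$id$resp_h;
    if ( h !in blacklist )
        return;
    NOTICE([$note=Blacklist_Hit, $conn=c,
            $msg=fmt("%s is blacklisted by %s (%s)", h,
                     blacklist[h]$source, blacklist[h]$desc)]);
    }
```

Because the table is rebuilt only when the file changes, a feed that is refreshed once a day (as the SES feed is) leaves the sensor working with day-old intelligence in between.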
Real World Testing
• Tested on a trace of traffic from UC Berkeley network
• Utilised pseudo-realtime mode running on the trace file
• Analysed performance on:
  • Realistic workloads
  • Sustainable load
  • Latency
• Created Benchmark Reader
Summary
• Input Framework created and deployed on an existing open-source IDS – Bro
• Adding another state to IDS – intelligence
• Real-world testing to determine suitability in network
Criticisms
• Firewall Impact
• Testing overall detection effectiveness
• Choice of IDS – Bro
• Access to blacklists used
• Network traffic tested quite limited
Firewall Impact
• The authors make no reference to how a firewall will impact traffic monitoring in their tests
• Testing was only done on a trace from one particular network
• Firewalls affect the type of traffic allowed/disallowed
Overall effectiveness
• The paper contains no comparison between a network monitored by an IDS with Real-Time Intelligence and one monitored by an IDS without any intelligence
Using Bro
• The choice of Bro is not clearly explained
• No comparison with other IDSs, and no explanation of why Bro was or was not the right selection
Access to Federated Blacklists
• SES feed updated once per day
• JC3 feed downloaded manually from a secure server when updates are released
• Difficult to access
• Vetting period not accounted for with “real-time”
Limitations of tested traffic
• Only a single capture of actual network traffic flow
• 5-minute capture – how likely is an attack within this period?
• “…Such a volume is much more than a single Bro instance can handle”
Questions?