RESEARCH ISSUES IN
COOPERATIVE INTRUSION DETECTION
BETWEEN MULTIPLE DOMAINS
Don Tobin
Univ. of Idaho
RAID ‘98 (15 Sep 98)
WHY CARE?
[Diagram: four sites: Langley AFB, Norfolk NAS, LANTCOM, Fort Eustis]
RESEARCH ISSUES
• Current Prototype
• Trust, Integrity, & Cooperation
• Securing Communications
• Data Reduction, Mining, & Sanitization
• Finishing Up
CURRENT PROTOTYPE
• Inside a HMMR
• Manager-subordinate interactions
• Peer-peer interactions
INSIDE A HMMR
[Diagram: components and data flows inside an HMMR: system logfiles, web server, data gathering tools, HMMR log files, alert tools, HMMR messages, HMMR on other hosts, activity data, SQL query]
AUDIT TOOL MANAGEMENT
MGR-SUB INTERACTION BETWEEN HMMRs
[Diagram: manager-subordinate tree of HMMRs at Langley AFB, nodes B, C, D, E, F, G]
INTERACTION BETWEEN HMMRs
[Diagram: peer interaction between HMMRs at Langley AFB, Norfolk NAS, LANT-COM and Fort Eustis, with a Moderator]
#1: TRUST, INTEGRITY, & COOPERATION
• Data (and requests) may be unreliable, inaccurate, or falsified
• Single Domain
  * Decision made by single local authority
  * Trust is not a physical property
  * Opinion - f(verified identity, capability, reputation, context, …)
  * Trust is not static, but how dynamic?
#1: TRUST, INTEGRITY, & COOPERATION
• Multiple Domains
  * Combining different sets of trust assertions from different authorities
  * Decision may be “don’t care”
  * Need to make use of all available information to assess security posture
  * Not just a Byzantine Agreement problem
• Cooperation - peer access issues ...
#2: SECURE COMMUNICATIONS
• Kerberos inside a HMMR
• Kerberos inside a domain (mgr./sub.)
• Between domains
  – “Kerberos-like” mechanism with multiple token generators might work
  – Need a degree of survivability
  – Need to handle different layout topologies
• Avoid “self-inflicted info warfare”
#3: DATA ISSUES
• “Needle in a Haystack!”
• Data conversion/reduction by tools
  * Common format for data fusion
• Data mining relevant information
• Levels of granularity of useful info
  * Mapping differing local policies
• Sanitizing data for multiple peer groups
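The conversion, reduction and sanitization steps listed above, as an added example that is not part of the original talk or the Hummer prototype; the common record format, the peer-group names and the release policy are assumptions, and the two tool output lines are constructed:

```python
import hashlib
import re

# Constructed sample tool output (not from the Hummer project): two tools, two formats.
SYSLOG_LINE = "Sep 15 10:42:01 ws7 sshd[812]: Failed password for root from 10.1.4.22"
TOOL_CSV_LINE = "1998-09-15T10:43:15,portscan,10.1.4.22,ws7,high"

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) \S+\[\d+\]: "
                       r"Failed password for (\S+) from (\S+)")

# Step 1: conversion of each tool's output into one assumed common record format.
def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line")
    ts, host, user, src = m.groups()
    return {"time": ts, "host": host, "src": src, "class": "auth_failure",
            "detail": "user=" + user, "severity": "medium"}

def parse_tool_csv(line):
    ts, cls, src, host, sev = line.strip().split(",")
    return {"time": ts, "host": host, "src": src, "class": cls,
            "detail": "", "severity": sev}

# Step 2: reduction. Collapse many events into one entry per source address.
def reduce_by_source(records):
    summary = {}
    for r in records:
        summary.setdefault(r["src"], []).append(r["class"])
    return summary

# Step 3: sanitization per peer group. Assumed policy: the local domain sees
# everything; a peer in the same domain loses free-text detail; an external
# peer sees only class, severity and a pseudonym for the source, so it can
# still correlate one source across reports without learning our host names.
# The salt is fixed per sharing relationship so pseudonyms stay consistent.
POLICY = {
    "local":         {"keep": ("time", "host", "src", "class", "detail", "severity"), "mask": ()},
    "domain_peer":   {"keep": ("time", "host", "src", "class", "severity"), "mask": ()},
    "external_peer": {"keep": ("time", "src", "class", "severity"), "mask": ("src",)},
}

def pseudonym(value, salt):
    return hashlib.sha256((salt + ":" + value).encode()).hexdigest()[:12]

def sanitize(record, peer_group, salt):
    policy = POLICY[peer_group]
    return {f: (pseudonym(record[f], salt) if f in policy["mask"] else record[f])
            for f in policy["keep"]}

if __name__ == "__main__":
    events = [parse_syslog(SYSLOG_LINE), parse_tool_csv(TOOL_CSV_LINE)]
    print(reduce_by_source(events))
    for e in events:
        print(sanitize(e, "external_peer", salt="share-with-peer-x"))
```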
MORE INFORMATION…
• Beta version prototype at: http://www.cs.uidaho.edu/~hummer
• Working on:
  – HP-UX 9.x and 10.x
  – Solaris 2.5 and 2.5.1
  – FreeBSD on Pentium
  – Linux 2.x, Slackware 2.x, 3.x, Redhat 4.0, 5.0
  – Windows NT 4.0 (well, not really…)