RESEARCH ISSUES IN
COOPERATIVE INTRUSION DETECTION
BETWEEN MULTIPLE DOMAINS
Don Tobin
Univ. of Idaho
RAID '98 (15 Sep 98)
WHY CARE?
[Map: Langley AFB, Norfolk NAS, LANTCOM, Fort Eustis]
RESEARCH ISSUES
• Current Prototype
• Trust, Integrity, & Cooperation
• Securing Communications
• Data Reduction, Mining, & Sanitization
• Finishing Up
CURRENT PROTOTYPE
• Inside a HMMR
• Manager-subordinate interactions
• Peer-peer interactions
INSIDE A HMMR
[Diagram components: system log files, web server, data gathering tools, HMMR log files, alert tools, HMMR on other hosts, HMMR messages, activity data, SQL query]
AUDIT TOOL MANAGEMENT
MGR-SUB INTERACTION BETWEEN HMMRs
[Diagram: manager-subordinate hierarchy of HMMRs at Langley AFB; nodes labelled B, C, D, E, F, G]
INTERACTION BETWEEN HMMRs
[Diagram: peer-peer interaction between HMMRs at Langley AFB, Norfolk NAS, LANTCOM and Fort Eustis, with a Moderator]
#1: TRUST, INTEGRITY, & COOPERATION
• Data (and requests) may be unreliable, inaccurate, or falsified
• Single Domain
  * Decision made by single local authority
  * Trust is not a physical property
  * Opinion - f(verified identity, capability, reputation, context, …)
  * Trust is not static, but how dynamic?
#1: TRUST, INTEGRITY, & COOPERATION (cont.)
• Multiple Domains
  * Combining different sets of trust assertions from different authorities
  * Decision may be “don’t care”
  * Need to make use of all available information to assess security posture
  * Not just a Byzantine Agreement problem
• Cooperation - peer access issues ...
#2: SECURE COMMUNICATIONS
• Kerberos inside a HMMR
• Kerberos inside a domain (mgr./sub.)
• Between domains
  – “Kerberos-like” mechanism with multiple token generators might work
  – Need a degree of survivability
  – Need to handle different layout topologies
• Avoid “self-inflicted info warfare”
#3: DATA ISSUES
• “Needle in a Haystack!”
• Data conversion/reduction by tools
  * Common format for data fusion
• Data mining relevant information
• Levels of granularity of useful info
  * Mapping differing local policies
• Sanitizing data for multiple peer groups
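The three data issues on this slide (conversion of tool output into a common format, reduction of the haystack, and sanitizing what each peer group is allowed to see) can be shown together in a small script. The following is an added example written for this transcript, not code from the Hummer prototype; the two log line formats, the field names of the common record, the internal address range and the per-peer-group policies are all constructed for illustration.

```python
"""
Added example (not Hummer project code): convert events from two differently
formatted sources into one common record, reduce them by source address, and
sanitize the records for a given peer group before they are shared.
All sample lines, field names and policies below are constructed.
"""
import re
from dataclasses import dataclass, asdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed sample input: one syslog-style sshd line and one web server access line.
SYSLOG_LINE = "Sep 15 10:42:07 hostA sshd[812]: Failed password for alice from 10.1.2.3"
WEBLOG_LINE = '10.1.2.3 - bob [15/Sep/1998:10:42:09] "GET /private/report.html HTTP/1.0" 403'

# Assumed internal address range of the local domain (constructed value).
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass
class Event:
    """Common record used for data fusion, whatever tool produced the data."""
    source: str     # tool that produced the record
    host: str       # host the record came from
    category: str   # coarse category shared by all tools
    src_ip: str
    user: str
    detail: str


SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (\S+) (\w+)\[\d+\]: Failed password for (\S+) from (\S+)$")
WEBLOG_RE = re.compile(r'^(\S+) - (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})$')


def parse_syslog(line: str) -> Optional[Event]:
    """Convert a failed-login syslog line into the common record; None if not recognised."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, tool, user, ip = m.groups()
    return Event(tool, host, "auth_failure", ip, user, "failed password")


def parse_weblog(line: str, host: str) -> Optional[Event]:
    """Convert a web server access-log line into the common record; None if not recognised."""
    m = WEBLOG_RE.match(line)
    if not m:
        return None
    ip, user, method, path, status = m.groups()
    return Event("httpd", host, "web_request", ip,
                 "" if user == "-" else user, f"{method} {path} -> {status}")


def correlate(events: List[Event]) -> Dict[str, Set[str]]:
    """Data reduction: group records by source address so one address seen by
    several tools stands out from the rest of the haystack."""
    by_ip: Dict[str, Set[str]] = {}
    for ev in events:
        by_ip.setdefault(ev.src_ip, set()).add(ev.category)
    return by_ip


# Constructed disclosure policies: what each peer group may receive.
PEER_POLICIES = {
    "same_domain":    {"mask_internal_ip": False, "drop_user": False, "drop_host": False},
    "partner_domain": {"mask_internal_ip": True,  "drop_user": True,  "drop_host": False},
    "moderator":      {"mask_internal_ip": True,  "drop_user": True,  "drop_host": True},
}


def sanitize(event: Event, peer_group: str) -> dict:
    """Return a copy of the record stripped according to the peer group's policy."""
    policy = PEER_POLICIES[peer_group]
    rec = asdict(event)
    if policy["mask_internal_ip"] and ip_address(rec["src_ip"]) in INTERNAL_NET:
        rec["src_ip"] = "internal"      # hide local addressing from outside peers
    if policy["drop_user"]:
        rec["user"] = ""                # account names stay inside the domain
    if policy["drop_host"]:
        rec["host"] = "redacted"
    return rec


if __name__ == "__main__":
    events = [e for e in (parse_syslog(SYSLOG_LINE), parse_weblog(WEBLOG_LINE, "hostA")) if e]
    print("correlated:", correlate(events))
    for group in PEER_POLICIES:
        print(group, [sanitize(e, group) for e in events])
```

Each parser rejects lines it does not understand rather than guessing, so a new tool is added by writing one more parser that emits the same record; the policy table is where the "different local policies" of the slide would be mapped per peer group.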
MORE INFORMATION…
• Beta version prototype at: http://www.cs.uidaho.edu/~hummer
• Working on:
  – HP-UX 9.x and 10.x
  – Solaris 2.5 and 2.5.1
  – FreeBSD on Pentium
  – Linux 2.x, Slackware 2.x, 3.x, Redhat 4.0, 5.0
  – Windows NT 4.0 (well, not really…)