
PhD Student Seminar

Thursday, 26 September 2013, Labtek 8, JCC Room

Muhammad Nur Kholish Abdurrazaq 33212011

Supervisor: Prof. Dr. Ir. Bambang Riyanto Trilaksono. Co-supervisor: Dr. Ir. Budi Rahardjo, M.Sc.

SCHOOL OF ELECTRICAL ENGINEERING AND INFORMATICS, INSTITUT TEKNOLOGI BANDUNG, 2013

Reference: A Distributed Intrusion Detection System Using Cooperating Agents, Jaydip Sen
Innovation Lab, Tata Consultancy Services Ltd, Bengal Intelligent Park, Salt Lake Electronic Complex, Kolkata 700091, INDIA

Introduction

INTRUSION DETECTION SYSTEM (IDS) & DISTRIBUTED IDS

IDS: WHAT?
Definition:

A piece of software that monitors a computer system to detect:

Intrusion: unauthorized attempts to use the system
Misuse: abuse of existing privileges

Responds:
Log activity
Notify a designated authority
Take appropriate countermeasures

IDS: WHY?
Security is often expensive or cumbersome:

Cost
Restrictions on users/functionality

Designers try to offer users reasonable levels of security
Security breaches will still occur
Detection allows:

Finding and fixing the most serious security holes
Perhaps holding intruders responsible for their actions
Limiting the amount of damage an attacker can do

IDS: GOAL?
Run continually
Be fault tolerant
Resist subversion
Minimize overhead
Be easily configurable
Cope with changing system behavior
Be difficult to fool

Minimize false positives and false negatives

IDS: CHARACTERISTICS?

Detection Model: misuse detection vs. anomaly detection

Scope: host based, multihost based, network based

Operation: off-line vs. real-time

Architecture: centralized vs. distributed

IDS: Detection Model

Misuse detection - recognize known attacks

Define a set of attack signatures
Detect actions that match a signature
Add new signatures often

Examples: Bro, Tripwire

Anomaly detection - recognize atypical behavior

Define a set of metrics for the system
Build a statistical model for those metrics during normal operation
Detect when metrics differ significantly from normal

Examples: AAFID, MIDAS

Hybrid

Examples: EMERALD, NIDES

IDS: Scope
Host based

Scrutinize data from a single host
Examples: Tripwire

Multihost based

Analyze data from multiple hosts
Examples: AAFID

Network based

Examine network traffic (and possibly data from the connected hosts)
Examples: Bro

IDS: Operation
Off-line

Inspect system logs at set intervals
Report any suspicious activity that was logged
Examples: Tripwire

Real-time

Monitor the system continuously
Report suspicious activity as soon as it is detected
Examples: AAFID, Bro, EMERALD, NIDES

IDS: Architecture
Centralized

Data collected from single or multiple hosts
All data shipped to a central location for analysis
Examples: NIDES

http://www.csl.sri.com/projects/nides/screenshots.html

IDS: Architecture
Hierarchical

Data collected from multiple hosts
Data is analyzed as it is passed up through the layers
Examples: EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances)

http://www.csl.sri.com/projects/emerald/project.html

IDS: Architecture
Distributed

Data collected at each host
Distributed analysis of the data
Examples: AAFID (Autonomous Agents for Intrusion Detection)

http://www.raid-symposium.org/raid98/Prog_RAID98/Full_Papers/zamboni_slides.html/ppframe.htm

IDS: ISSUES
Heading towards a distributed framework of systems that do local detection and provide information to perform global detection of intrusions.

Is that really distributed?

Most of these distributed systems are hierarchical in nature: they are not fully distributed systems, because of the centralized data analysis performed at the higher levels of the hierarchy.

Prof. Jaydip Sen


Wireless & Multimedia Innovation Lab Tata Consultancy Services, Kolkata, India

Address: CA 223, Sector 1, Salt Lake City, Kolkata 700064, West Bengal, INDIA. Tel.: +919836189765

Paper Discussion

DISTRIBUTED IDS USING COOPERATING AGENTS


http://nist-orissa.academia.edu/JaydipSen

Registries

The agent registry maintains information about the basic agents, the events these agents collect, and the alerts they generate.
The interest registry keeps track of the interests originating from the basic agents and the interests being serviced.

[Figure: agent hierarchy diagram; labels SMA, ECA, DCA1, DCA2, WCA1, WCA 1-1, WCA 1-2, WCA 2-1, BA1-1, BA1-2, BA2-1, BA2-2, with "Interests, data" flowing between the levels]

Two types of communication agents:
Among agents in the same host
Among agents in different hosts

Implementation of the Agents under the JADE Framework
1. Determination of the agent behavior.
2. Implementation of the agent class (extending the existing classes of JADE).
3. Implementation of agent meta-behavior by instantiating an existing class or introducing a new class and then instantiating it. The meta-behavior provides an agent with a self-control mechanism to dynamically schedule its behavior in accordance with its internal state.
4. Instantiation of the agent class.
5. Initializing the agent acquaintances.
6. Deployment and activation of the agents.

BA1: monitors ICMP requests and blocks access if the requests exceed the threshold specified in its detection rule
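As an added illustration (not code from the slides or from Sen's paper), the BA1 detection rule above written in plain Python rather than JADE: ICMP requests are counted per source over a sliding time window, and once the count exceeds the rule's threshold the agent records a block alert for the registry and ignores further requests from that source. The threshold, window length, agent name and the event sample are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of ICMP echo-request events seen by the host sensor:
# (timestamp in seconds, source address). Not from the paper or the slides.
SAMPLE_ICMP_EVENTS = [
    (0.0, "10.0.0.5"), (0.5, "10.0.0.5"), (1.0, "10.0.0.5"), (1.2, "10.0.0.9"),
    (1.5, "10.0.0.5"), (2.0, "10.0.0.5"), (2.2, "10.0.0.5"),  # 6th in window -> block
    (2.6, "10.0.0.5"),                                        # already blocked, dropped
    (30.0, "10.0.0.9"), (61.0, "10.0.0.9"),                   # sparse source, never blocks
]


class BasicAgentICMP:
    """Stand-in for BA1 (assumed rule): count ICMP requests per source in a
    sliding window and raise a block alert once the count exceeds the threshold."""

    def __init__(self, threshold=5, window_seconds=10.0):
        self.threshold = threshold           # detection rule: more than this many requests
        self.window = window_seconds         # ...within this many seconds
        self._recent = defaultdict(deque)    # source -> request timestamps inside the window
        self.blocked = set()                 # sources the agent has already blocked
        self.alerts = []                     # alerts handed up to the registry / higher agents

    def observe(self, ts, src):
        """Feed one ICMP request event; returns the alert raised, or None."""
        if src in self.blocked:
            return None                      # access already blocked, nothing more to do
        q = self._recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire timestamps that fell out of the window
            q.popleft()
        if len(q) > self.threshold:
            alert = {"agent": "BA1", "src": src, "count": len(q), "at": ts,
                     "action": "block"}
            self.blocked.add(src)
            self.alerts.append(alert)
            return alert
        return None


def run_ba1(events, threshold=5, window_seconds=10.0):
    """Replay (ts, src) events through BA1; return (alerts, sorted blocked sources)."""
    agent = BasicAgentICMP(threshold, window_seconds)
    for ts, src in events:
        agent.observe(ts, src)
    return agent.alerts, sorted(agent.blocked)


if __name__ == "__main__":
    print(run_ba1(SAMPLE_ICMP_EVENTS))
```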
