Supervisor (Promotor): Prof. Dr. Ir. Bambang Riyanto Trilaksono; Co-supervisor (Ko-Promotor): Dr. Ir. Budi Rahardjo, M.Sc.
Reference: A Distributed Intrusion Detection System Using Cooperating Agents, Jaydip Sen
Innovation Lab, Tata Consultancy Services Ltd, Bengal Intelligent Park, Salt Lake Electronic Complex, Kolkata 700091, INDIA
Introduction
IDS: WHAT?
Definition:
Responds:
Log activity
Notify a designated authority
Take appropriate countermeasures
IDS: WHY?
Security is often expensive or cumbersome:
Designers try to offer users reasonable levels of security
Security breaches will still occur
Detection allows:
Finding and fixing the most serious security holes
Perhaps holding intruders responsible for their actions
Limiting the amount of damage an attacker can do
IDS: GOAL?
Run continually
Be fault tolerant
Resist subversion
Minimize overhead
Be easily configurable
Cope with changing system behavior
Be difficult to fool
IDS: CHARACTERISTICS?
Detection Model: misuse detection vs. anomaly detection
Scope: host based, multihost based, network based
Operation: off-line vs. real-time
Architecture: centralized vs. distributed
Misuse detection: define a set of attack signatures; detect actions that match a signature; add new signatures often
Anomaly detection: define a set of metrics for the system; build a statistical model for those metrics during normal operation; detect when metrics differ significantly from normal
Hybrid
IDS: Scope
Host based
Multihost based
Network based
Examine network traffic (and possibly data from the connected hosts)
Examples: Bro
IDS: Operation
Off-line
Inspect system logs at set intervals
Report any suspicious activity that was logged
Examples: Tripwire
Real-time
Monitor the system continuously
Report suspicious activity as soon as it is detected
Examples: AAFID, Bro, EMERALD, NIDES
IDS: Architecture
Centralized
Data collected from single or multiple hosts
All data shipped to a central location for analysis
Examples: NIDES
http://www.csl.sri.com/projects/nides/screenshots.html
IDS: Architecture
Hierarchical
Data collected from multiple hosts
Data is analyzed as it is passed up through the layers
Examples: EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances)
http://www.csl.sri.com/projects/emerald/project.html
IDS: Architecture
Distributed
Data collected at each host
Distributed analysis of the data
Examples: AAFID (Autonomous Agents for Intrusion Detection)
http://www.raid-symposium.org/raid98/Prog_RAID98/Full_Papers/zamboni_slides.html/ppframe.htm
IDS: ISSUES
Heading towards a distributed framework of systems that do local detection and provide information to perform global detection of intrusions.
These are not fully distributed systems, because centralized data analysis is still performed at the higher levels of the hierarchy.
Address: CA 223, Sector 1, Salt Lake City, Kolkata 700064, West Bengal, INDIA. Tel: +919836189765
Paper Discussion
Registries
The agent registry maintains information about the basic agents, the events these agents collect, and the alerts they generate. The interest registry keeps track of the interests originating from the basic agents and the interests being serviced.
[Figure: agent architecture diagram. Agents shown: SMA, ECA, DCA1, DCA2, WCA 1-1, WCA 1-2, WCA 2-1, and basic agents BA1-1, BA1-2, BA2-1, BA2-2; arrows labelled "Interests, data" connect the layers.]
Two types of communication agents:
Among agents in the same host
Among agents in different hosts
Implementation of the Agents under the JADE Framework
1. Determination of the agent behavior.
2. Implementation of the agent class (extending the existing classes of JADE).
3. Implementation of agent meta-behavior by instantiating an existing class or introducing a new class and then instantiating it. The meta-behavior provides an agent with a self-control mechanism to dynamically schedule its behavior in accordance with its internal state.
4. Instantiation of the agent class.
5. Initializing the agent acquaintances.
6. Deployment and activation of the agents.
BA1: monitors ICMP requests and blocks access if the requests exceed the threshold specified in its detection rule
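As an added illustration (not code from the paper or the thesis) of the BA1 rule above together with the agent registry described earlier: a basic agent counts ICMP echo requests per source over a sliding window and blocks the source once the count exceeds its detection threshold, recording the alert in the registry. The sample events, the threshold of 4 requests per 5-second window and the registry layout are assumptions made for this demo.

```python
from collections import defaultdict, deque

# Constructed sample of ICMP events on the monitored host: (timestamp_s, src_ip, icmp_type).
# Type 8 = echo request, type 0 = echo reply. 10.0.0.5 bursts six requests within 2 s.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.9", 8), (0.5, "10.0.0.5", 8), (1.0, "10.0.0.5", 8),
    (1.5, "10.0.0.5", 8), (2.0, "10.0.0.5", 0), (2.0, "10.0.0.5", 8),
    (2.5, "10.0.0.5", 8), (3.0, "10.0.0.5", 8), (9.0, "10.0.0.9", 8),
]

class AgentRegistry:
    """Agent registry (assumed layout): which basic agents exist, the events they collect, the alerts they raise."""
    def __init__(self):
        self.entries = {}
    def register(self, name, events_collected):
        self.entries[name] = {"events": events_collected, "alerts": []}
    def record_alert(self, name, alert):
        self.entries[name]["alerts"].append(alert)

class BasicAgentICMP:
    """BA1: count echo requests per source in a sliding window; block a source that exceeds the threshold."""
    def __init__(self, name, registry, threshold, window_s):
        self.name, self.registry = name, registry
        self.threshold, self.window_s = threshold, window_s
        self.recent = defaultdict(deque)      # src -> timestamps of recent echo requests
        self.blocked = set()
        registry.register(name, ["icmp_echo_request"])

    def observe(self, ts, src, icmp_type):
        if icmp_type != 8:
            return "ignore"                   # only echo requests count toward the rule
        if src in self.blocked:
            return "drop"                     # countermeasure already applied to this source
        window = self.recent[src]
        window.append(ts)
        while ts - window[0] > self.window_s:
            window.popleft()                  # expire requests older than the window
        if len(window) > self.threshold:
            alert = {"agent": self.name, "src": src, "count": len(window), "at": ts}
            self.registry.record_alert(self.name, alert)
            self.blocked.add(src)
            return "block"
        return "allow"

def run_demo(threshold=4, window_s=5.0):
    """Feed the sample events to BA1; return the agent, its registry and the per-event decisions."""
    registry = AgentRegistry()
    ba1 = BasicAgentICMP("BA1", registry, threshold, window_s)
    return ba1, registry, [ba1.observe(*event) for event in SAMPLE_EVENTS]
```

Calling run_demo() yields one "block" decision on the fifth request from 10.0.0.5 within the window, "drop" for its later requests, and "allow" for the low-rate source whose earlier request has expired from the window.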