

SLIDE 1

A Framework for Distributed Intrusion Detection using Interest-Driven Cooperating Agents

Rajeev Gopalakrishna and Eugene H. Spafford

SLIDE 2

CERIAS, Purdue University

Distributed IDS

“a system where the analysis of the data is performed on a number of locations proportional to the number of hosts that are being monitored” – Spafford and Zamboni

SLIDE 3

Distributed Communication Models

Event-based model
  • Any entity may produce, any entity may consume events
  • Symmetric roles
  • Loosely connected
  • Higher scalability
  • Event advertisement, interest specification and event notification

Push-based model
  • Specific producers and consumers
  • Asymmetric roles
  • Logical channels
  • Tighter coupling
  • Less scalable

SLIDE 4

Motivation

  • Concept of agents to perform intrusion detection
  • Event-based communication model
  • Concept of interest propagation

SLIDE 5

Generic Hierarchical Intrusion Detection Systems

[Figure: a generic hierarchical IDS. Event generators at the leaves pass refined data and/or events up to event analyzers at the higher levels.]

SLIDE 6

Examples

  • DIDS
  • GrIDS
  • EMERALD
  • AAFID
SLIDE 7

Drawbacks

  • Analysis hierarchy
  • Data refinement
  • Bulky modules at all levels of hierarchy
  • Passive interaction
SLIDE 8

Related Work

  • Crosbie and Spafford
  • Barrus and Rowe
  • Ingram
  • Mell and McLarnon
  • CARDS
SLIDE 9

Our Approach

  • Agents
  • No analysis hierarchy
  • Intelligent cooperation using the concept of interests
  • Interest propagation
  • Active communication
  • Lightweight modules at all levels of hierarchy

SLIDE 10

Interest

“a specification of data that an agent is interested in, but is not available to the agent because of the locality of data collection or because the agent was not primarily intended to observe those data”

[Figure: two cases. Left: Agent A reads its own data source directly; reading a second data source itself costs more overhead. Right: the data source is not accessible to Agent A at all. In both cases Agent A sends an INTEREST to Agent B, which has access to the data source, and Agent B returns the DATA.]

SLIDE 11

Interest Propagation

[Figure: interests propagate upward from an Agent through a Local Propagator, a Domain Propagator and an Enterprise Propagator. Legend: Agent; Local Propagator; Domain Propagator; Enterprise Propagator.]

SLIDE 12

Types of Interests

  • Directed or Propagated Interests
  • Local, Domain or Enterprise Level Interests
  • Permanent or Temporal Interests
SLIDE 13

Granularity of Interests

  • Event vs. Alert
  • Curiosity level
  • Adds dynamism to agents
  • Reduces overhead
SLIDE 14

Data Delivery

Hierarchical delivery vs. direct delivery, compared on:
  • Failure of modules
  • Scalability
  • Data coalescing
SLIDE 15

Host

[Figure: the components on one monitored host, an Interest Registry (IR) and an Agent Registry (AR), alongside the agents.]
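The following is an added toy model of slides 3 and 10 to 15, not code from the paper or from CERIAS. It implements the event-based model (interest specification, then notification) with a per-host Interest Registry and Agent Registry, interest propagation by scope (local, domain, enterprise), directed versus propagated interests, permanent versus temporal interests, and direct delivery from the producing host to the consuming agent with no analysis hierarchy in the path. All names (`Enterprise`, `Host`, `Interest`, `register_interest`, `publish`, the hosts h1 to h3, the agent names and the events) are assumptions made for illustration; the three propagator levels of slide 11 are collapsed into one lookup rather than run as separate processes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
import itertools

_ids = itertools.count(1)


@dataclass
class Interest:
    """A specification of data an agent wants but cannot observe itself."""
    owner: str                          # agent id that registered the interest
    home: str                           # host the owner runs on (delivery target)
    event_type: str                     # kind of data wanted, e.g. "failed_login"
    scope: str = "local"                # "local" | "domain" | "enterprise"
    directed_to: Optional[str] = None   # directed: one target agent; None = propagated by scope
    expires_at: Optional[int] = None    # None = permanent; otherwise temporal (clock tick)
    iid: int = field(default_factory=lambda: next(_ids))


@dataclass
class Host:
    name: str
    domain: str
    agents: Dict[str, Callable[[str, dict], None]] = field(default_factory=dict)  # AR
    interests: Dict[int, Interest] = field(default_factory=dict)                   # IR


class Enterprise:
    """Hosts plus propagation and delivery. _targets() stands in for the
    local/domain/enterprise propagators (hypothetical simplification)."""

    def __init__(self) -> None:
        self.hosts: Dict[str, Host] = {}
        self.agent_home: Dict[str, str] = {}
        self.clock = 0
        self.delivered: List[Tuple[str, str, str]] = []  # (consumer, producer host, type)

    def add_host(self, name: str, domain: str) -> None:
        self.hosts[name] = Host(name, domain)

    def register_agent(self, host: str, agent_id: str, callback) -> None:
        self.hosts[host].agents[agent_id] = callback      # entry in the host's AR
        self.agent_home[agent_id] = host

    def _targets(self, it: Interest) -> List[str]:
        """Hosts whose IR must hold this interest: this is interest propagation."""
        if it.directed_to is not None:                    # directed: exactly one agent
            return [self.agent_home[it.directed_to]]
        home = self.hosts[it.home]
        if it.scope == "local":
            return [home.name]
        if it.scope == "domain":
            return [h.name for h in self.hosts.values() if h.domain == home.domain]
        if it.scope == "enterprise":
            return list(self.hosts)
        raise ValueError(f"unknown scope {it.scope!r}")

    def register_interest(self, agent_id: str, event_type: str, scope: str = "local",
                          directed_to: Optional[str] = None,
                          ttl: Optional[int] = None) -> Interest:
        it = Interest(agent_id, self.agent_home[agent_id], event_type, scope, directed_to,
                      None if ttl is None else self.clock + ttl)
        for host in self._targets(it):
            self.hosts[host].interests[it.iid] = it       # entry in each target's IR
        return it

    def tick(self, n: int = 1) -> None:
        self.clock += n

    def publish(self, host: str, event: dict) -> int:
        """A producer on `host` emits an event. Matching interests in the host's IR
        get direct delivery to the consumer's callback. Returns the delivery count."""
        ir = self.hosts[host].interests
        n = 0
        for iid, it in list(ir.items()):
            if it.expires_at is not None and it.expires_at <= self.clock:
                del ir[iid]                               # temporal interest lapsed: prune
                continue
            if it.event_type == event["type"]:
                self.hosts[it.home].agents[it.owner](host, event)
                self.delivered.append((it.owner, host, event["type"]))
                n += 1
        return n


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: two domains, two consuming agents, four events."""
    net = Enterprise()
    for name, dom in (("h1", "eng"), ("h2", "eng"), ("h3", "ops")):
        net.add_host(name, dom)
    seen: list = []
    net.register_agent("h1", "login_watcher", lambda src, ev: seen.append((src, ev)))
    net.register_agent("h3", "scan_correlator", lambda src, ev: seen.append((src, ev)))
    net.register_interest("login_watcher", "failed_login", scope="domain", ttl=5)  # temporal
    net.register_interest("scan_correlator", "port_scan", scope="enterprise")       # permanent
    net.publish("h2", {"type": "failed_login", "user": "root"})  # same domain: delivered
    net.publish("h3", {"type": "failed_login", "user": "root"})  # other domain: dropped
    net.tick(5)
    net.publish("h2", {"type": "failed_login", "user": "root"})  # interest expired: dropped
    net.publish("h1", {"type": "port_scan", "src": "10.0.0.9"})  # enterprise scope: delivered
    return net.delivered
```

Two details worth noting against the slides: expired temporal interests are pruned lazily at delivery time, so a registry never grows without bound even if the owning agent died without withdrawing its interest (the "failure of modules" point on slide 14), and delivery goes straight from the producing host to the consumer, which is what lets the per-host modules stay lightweight but also means every host must be able to reach every consumer directly.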

SLIDE 16

Other Considerations

  • Security of Agents
  • Clock Synchronization
  • Redundancy of Propagators
SLIDE 17

Future Work

  • Implementation of the framework
  • Explore alternatives for implementing the interest mechanism
  • Impact on size of agents and on host and network performance