a robust snmp based infrastructure for intrusion
play

A robust SNMP based Infrastructure for Intrusion Detection and - PowerPoint PPT Presentation

May 22, 2023 •471 likes •641 views

A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs Sascha Lettgen University of Bonn, Germany Inst. of Computer Science IV Marko Jahnke, Jens Tlle, Uwe Weddige, Michael Bussmann FGAN/FKIE, Wachtberg,

  1. A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs Sascha Lettgen University of Bonn, Germany Inst. of Computer Science IV Marko Jahnke, Jens Tölle, Uwe Weddige, Michael Bussmann FGAN/FKIE, Wachtberg, Germany Computer Networks Dept. July 2006 RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006

  2. Outline • Introduction • Deployment Scenario: Tactical MANETs • Network Management Domain: SNMP • Modelling IDS Infrastructures w/ SNMP • Performance Simulation • Implementation Status • Conclusions & Further Work RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 2

  3. Terminology: Distributed IDS Components • Agent – Sensors – Detectors – Responders – Message processing modules • Console – Message consolidation – Databases – Correlation engines – Other analysis modules RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 3

  4. Types of IDS Infrastructures To Meta IDS • Event Message IS Console node(s) • Sensor Data IS • Response Trigger IS IDS Agent IDS Console • Configuration IS IDS Agent IDS Agent IDS Agent Observed node Observed node Observed node RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 4

  5. Existing Data Models & Communication Protocols <IDMEF-Message version="1.0"> <Alert ident="abc123456789"> • IETF IDWG <Analyzer analyzerid="hq-dmz-analyzer01"> <Node category="dns"> <location>Headquarters DMZ Network</location> Recommendations <name>analyzer01.example.com</name> </Node> who reports </Analyzer> <CreateTime ntpstamp="0xbc723b45.0xef449129"> IDMEF 2000-03-09T10:01:25.93464-05:00 when </CreateTime> <Source ident="a1b2c3d4"> <Node ident="a1b2c3d4-001" category="dns"> IDXP BEEP <name>badguy.example.net</name> <Address ident="a1b2c3d4-002" category="ipv4-net-mask"> <address>192.0.2.50</address> <netmask>255.255.255.255</netmask> TLS TCP </Address> </Node> who </Source> <Target ident="d1c2b3a4"> IP <Node ident="d1c2b3a4-001" category="dns"> <Address category="ipv4-addr-hex"> <address>0xde796f70</address> </Address> </Node> • Drawbacks: Overhead where </Target> <Classification origin="bugtraqid"> – TCP/SSL/BEEP Handshakes <name>124</name> <url>http://www.securityfocus.com</url> what happened – Channel Management </Classification> </Alert> </IDMEF-Message> – XML Encoding RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 5

  6. Deployment Scenario: Tactical MANETs Environment: – Infantry Mission – 5-15 high performance PDAs – Network characteristics similar to IEEE 802.11 – IPsec and application encryption – Fully equipped node w/ HQ Backlink Differences to civilian Challenges: scenarios: – Limited Resources – Precisely defined, homogeneous – Attacks e.g. against environment MANET routing – Significant resources for security – Insider attacks measures RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 6

  7. Management Domain: SNMPv3 • Monitoring & Configuration • Agent/Manager based concept • UDP based • Security in SNMPv3 • Management Information Base (MIB) • Object and Instance Identifier (OID/IID) • get/setValue Requests (single value, list or bulk) • Traps and Notifications RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 7

  8. Modeling IDS Infrastructure w/ SNMP • Sensor IS – getValue – getNext / Bulk • Response Trigger IS – setValue • Configuration IS – get/setValue Aligned to IDMEF Structure • Message IS – Insert new alerts into MIB as single subtree structure – Send an acknowledged notification to console, containing most important fields – Console may request additional message fields RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 8

  9. Performance Simulations (1): Overall Traffic • Network – IEEE 802.11b • Applications – VoIP (2.4 kbit/s) – C2IS (JMS) – UChat – SMTP/HTTP • IDS Messages – Events/Heartbeats (E/H) n → 1 – Neighborhood Watching (NW) n → m – Traffic Statistics (TS) n → 1 RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 9

  10. Performance Simulations (2): Packet Delivery • PDF decreases due to significant amount of IDS traffic • Maximum rates for IDS Messages for PDF>99% – E/H: 2 Hz – NW: 0.1 Hz – TS: 0.1 Hz • Higher packet loss can be expected in reality: – Buffer overflows – Radio interference RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 10

  11. Advantages of SNMP approach • Characteristics of MANETs are considered – Dynamic behaviour and short link lifetimes � Connectionless and robust communication – Low CPU performance and limited battery capacity � Lightweight protocol and architecture • Compatibility w/ existing protocols & data models � (Meta-)IDS-interconnection � Integration into SNMP Management Frameworks • Free configurability for different IDS setups due to different deployment scenarios and network sizes • Usage of existing products for message transport and security RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 11

  12. External Implementation: IDS Agents Trust Sensor Management Data IDMEF / SNMP Message Neigh- IMF = Engine Local Resp. NIDS Logfile IMF bour- InterMediate Trust Selec- Watcher hood SNMPv3 Format Ass. tor Notific. IMF Ass. Generator Server Traps / Notifications MIB Manager Wrapper Wrapper IMF Request Handler SNMP API External Detectors SNMP API Detectors Sensors Internal Responders Check CPU GPS Integr. Kill Reconf. Shutd. Procs CPU Routing Signal GPS sums Checker Procs. Routing System Profiler Checker Sensor Data Request/Response Infrastructure (SNMPd) Encr. Encr. Integr. Integr. Authent. Authent. MANET MANET RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS MANET MANET Computer Networks KIE July 2006 12

  13. Conclusions & Further Work • Current IDS infrastructure protocols do not meet the requirements of tactical MANETs. • SNMPv3 provides mechanisms for implementing all necessary types of IDS infrastructures. • Development of architecture components • Prototypical implementation – Sensor / detector / responder infrastructure – Dynamic storage of IDS event messages in the Management Information Base (MIB) • Further Work: – Integration of more sensors / detectors / responders – Anomaly detection approach for traffic statistics RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 13

  14. RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 14

  15. Implementation (2): Event Message Handling IMF = InterMediate Format Encr. NG = Notification Generator Encr. Integr. ACM = Agent Connection Manager Integr. MANET Authent. Authent. MANET SNMPv3 SNMPv3 Fully Equipped Node Lightweight Node SNMPTrapd Message Engine Detector Trap Receiver IMF NG Buffer G Server IDMEF ACM XML U XML XML Detector MIB Manager I Connector Adapter Pipe IMF Request Handler Notification Sockets Engine IDMEF based Wired IDS SNMPd SNMPd RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS Computer Networks KIE July 2006 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Building Asynchronous SNMP Agents Presented by Ilya Etingof &lt;etingof@gmail.com&gt; Why SNMP

Building Asynchronous SNMP Agents Presented by Ilya Etingof &lt;etingof@gmail.com&gt; Why SNMP

Building Asynchronous SNMP Agents Presented by Ilya Etingof &lt;etingof@gmail.com&gt; Why SNMP SNMP is old, complicated and has many competitors SNMP is still ubiquitous in monitoring SNMP is well-understood by many We have

275 views • 3 slides
Machine Translation (M2M) Machine Translation (M2M) SNMP MIB to CIM MOF SNMP MIB to CIM MOF

Machine Translation (M2M) Machine Translation (M2M) SNMP MIB to CIM MOF SNMP MIB to CIM MOF

Machine Translation (M2M) Machine Translation (M2M) SNMP MIB to CIM MOF SNMP MIB to CIM MOF WIMS Working Group CIM Project 19 February 2007 PWG Maui Ira McDonald (High North) M2M Background Background M2M DMTF/PWG

437 views • 7 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
SNMP MIBs to manage G.698.2 parameters

SNMP MIBs to manage G.698.2 parameters

SNMP MIBs to manage G.698.2 parameters draft-galikunze-ccamp-g-698-2-snmp-mib-02.txt Gabriele Galimberti Cisco Systems Ruediger Kunze Deutsche Telekom Lam, Hing-Kam Alcatel-Lucent Dharini Hiremagalur Juniper

361 views • 8 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
An End-to-End Infrastructure for Cyber-Physical Intrusion Detection REINHARD GENTZ, MAHDI JAMEI,

An End-to-End Infrastructure for Cyber-Physical Intrusion Detection REINHARD GENTZ, MAHDI JAMEI,

An End-to-End Infrastructure for Cyber-Physical Intrusion Detection REINHARD GENTZ, MAHDI JAMEI, ANNA SCAGLIONE ARIZONA STATE UNIVERSITY, USA CREDC Workshop 2017 1 What is Cyber Physical Intrusion Detection CPS Cyber Physical System

123 views • 11 slides
Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar Supervisor: Prof. Slobodan Petrovic FINSE 10th of may 2017 Contents Introduction Snort: a misuse-based intrusion detection Problem

247 views • 14 slides
56 C H A P T E R Chapter Goals Discuss the SNMP Management Information Base. Describe SNMP

56 C H A P T E R Chapter Goals Discuss the SNMP Management Information Base. Describe SNMP

56 C H A P T E R Chapter Goals Discuss the SNMP Management Information Base. Describe SNMP version 1. Describe SNMP version 2. Simple Network Management Protocol Background The Simple Network Management Protocol (SNMP) is an

482 views • 12 slides
Using a VMware Network Infrastructure to Collect Traffic Traces for Intrusion Detection

Using a VMware Network Infrastructure to Collect Traffic Traces for Intrusion Detection

Using a VMware Network Infrastructure to Collect Traffic Traces for Intrusion Detection Evaluation by Frederic Massicotte, Mathieu Couture and Annie De Montigny Leboeuf http://www.crc.ca/networksystems_security/ {frederic.massicotte,

409 views • 8 slides
Detecting Flood-based DoS Attacks with SNMP/RMON* William Streilein, David Fried, Robert

Detecting Flood-based DoS Attacks with SNMP/RMON* William Streilein, David Fried, Robert

Detecting Flood-based DoS Attacks with SNMP/RMON* William Streilein, David Fried, Robert Cunningham MIT Lincoln Laboratory *This work is sponsored by the U.S. Air Force under Air Force Contract F19628-00-C-0002. Opinions, interpretations,

571 views • 34 slides
MySQL Through SNMP Gerardo Gerry Narvaja @seattlegaucho Agenda - Introduction to our

MySQL Through SNMP Gerardo Gerry Narvaja @seattlegaucho Agenda - Introduction to our

MySQL Through SNMP Gerardo Gerry Narvaja @seattlegaucho Agenda - Introduction to our MySQL SNMP agent (sort of) fork - Why SNMP - Why MySQL agent - Why pass_persist - Why fork - Short introduction on how to measure &quot;bytes

366 views • 20 slides
Bringing ZFS information into SNMP Thomas Stibor GSI Helmholtz Centre for Heavy Ion Research, HPC

Bringing ZFS information into SNMP Thomas Stibor GSI Helmholtz Centre for Heavy Ion Research, HPC

Bringing ZFS information into SNMP Thomas Stibor GSI Helmholtz Centre for Heavy Ion Research, HPC 27. Januar 2014 What is SNMP? Simple Network Management Protocol (SNMP) is protocol for network management. It allows collecting

471 views • 19 slides
Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to signature-based PCA detection Human intervention By Jeff Terrell Not adaptive; can't learn For COMP 290 - IDS - Spring 2005 Can be

360 views • 7 slides
Robust GPS-Based Timing for Phasor Measurement Units October 3, 2014 Grace Xingxin Gao

Robust GPS-Based Timing for Phasor Measurement Units October 3, 2014 Grace Xingxin Gao

TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG Robust GPS-Based Timing for Phasor Measurement Units October 3, 2014 Grace Xingxin Gao University of Illinois at Urbana-Champaign UNIVERSITY OF ILLINOIS | DARTMOUTH COLLEGE |

656 views • 34 slides
SNMP Traffic Measurements J urgen Sch onw alder j.schoenwaelder@iu-bremen.de

SNMP Traffic Measurements J urgen Sch onw alder j.schoenwaelder@iu-bremen.de

SNMP Traffic Measurements J urgen Sch onw alder j.schoenwaelder@iu-bremen.de International University Bremen Campus Ring 1 28725 Bremen, Germany http://www.ibr.cs.tu-bs.de/projects/nmrg/ urgen Sch onw slides.tex SNMP Traffic

1.09k views • 45 slides
CS 730/830: Intro AI What is AI? This class Problems in AI Prof. Wheeler Ruml Search TA

CS 730/830: Intro AI What is AI? This class Problems in AI Prof. Wheeler Ruml Search TA

CS 730/830: Intro AI What is AI? This class Problems in AI Prof. Wheeler Ruml Search TA Tianyi Gu Thinking inside the box. 5 handouts: course info, project info, schedule, slides, asst 1 sign up sheet/laptop (grading email, piazza)

482 views • 35 slides
Apache Flume Getting data into Hadoop Problem Getting data into HDFS is not difficult: %

Apache Flume Getting data into Hadoop Problem Getting data into HDFS is not difficult: %

Apache Flume Getting data into Hadoop Problem Getting data into HDFS is not difficult: % hadoop fs --put data.csv . works great when data is neatly packaged and ready to upload Unfortunately, e.g. a webserver is creating data

495 views • 24 slides
IT 2 EC 2020 Train, Reflect, Learn, and Train again Chris Duncalfe 1 , and John Gardner 2 1 SO2

IT 2 EC 2020 Train, Reflect, Learn, and Train again Chris Duncalfe 1 , and John Gardner 2 1 SO2

IT 2 EC 2020 IT 2 EC Extended Abstract Template Presentation/Panel IT 2 EC 2020 Train, Reflect, Learn, and Train again Chris Duncalfe 1 , and John Gardner 2 1 SO2 Training Capability Systems, Training Capability Branch, Army Headquarters,

244 views • 3 slides
Problems Flaw Hypothesis Methodology depends on caliber of testers to hypothesize and

Problems Flaw Hypothesis Methodology depends on caliber of testers to hypothesize and

Problems Flaw Hypothesis Methodology depends on caliber of testers to hypothesize and generalize flaws Flaw Hypothesis Methodology does not provide a way to examine system systematically Vulnerability classification schemes help

1.11k views • 74 slides
Tabled CLP for Reasoning over Stream Data Joaqun Arias 1 , 2 1 IMDEA Software Institute, 2

Tabled CLP for Reasoning over Stream Data Joaqun Arias 1 , 2 1 IMDEA Software Institute, 2

October 18, 2016 Tabled CLP for Reasoning over Stream Data Joaqun Arias 1 , 2 1 IMDEA Software Institute, 2 Technical University of Madrid madrid institute for advanced studies in software development technologies www.software.imdea.org Goal:

401 views • 25 slides
CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic

CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic

CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

685 views • 30 slides
Lectur ture e 12 Planni anning: ng: Intro and For Forward Planning, Slide 1 Announ

Lectur ture e 12 Planni anning: ng: Intro and For Forward Planning, Slide 1 Announ

Computer Science CPSC 322 Lectur ture e 12 Planni anning: ng: Intro and For Forward Planning, Slide 1 Announ nouncem emen ents Material for midterm available in Connect 1. List of Learning Goals 2. Short questions on material

651 views • 64 slides
Architectural Patterns Architectural Patterns The fundamental problem to be solved with a large

Architectural Patterns Architectural Patterns The fundamental problem to be solved with a large

Architectural Patterns Architectural Patterns The fundamental problem to be solved with a large system is how to break it into chunks manageable for human programmers to understand, implement, and maintain. Dr. James A. Bednar Large-scale

893 views • 12 slides

More recommend