Intrusion Detection and Isolation Protocol by MikeJenny


IDIP
National Institute of Science & Technology

Intrusion Detection and Isolation Protocol

Under The Guidance Of
Mr. RABINDRA KUMAR SHIAL

Presented by
PREETAM KUMAR THAKUR            CS200118077

Preetam Kumar Thakur                          [1]
INTRODUCTION
• Limitations in Current Intrusion Detection Systems
• Development of the Intrusion Detection and Isolation Protocol (IDIP)
• Layers of IDIP
  • Application Layer
  • Message Layer

IDIP Concept
• IDIP systems are organized into IDIP communities.
• Each IDIP community is an administrative domain, with
  intrusion detection and response functions managed by a
  component called the Discovery Coordinator.
• IDIP neighborhoods are collections of components with no
  other IDIP components between them.

IDIP Application-Layer Protocol
This layer accomplishes intrusion tracking and containment
through three major message types:
• Trace
• Report
• Discovery Coordinator directive
Trace:
• An IDIP trace message is sent when a sufficiently intrusive
  event (or events) has been detected to warrant a response.
• It includes a description of the event, including a description of
  the connection used by the intruder.


IDIP Application-Layer Protocol
• Each node must perform the trace function, but blocking is
  done as suggested or based on local policy.
Report:
• A report is a copy of the trace, sent to the Discovery Coordinator by each
  component that receives a trace message.
• From the reports, the Discovery Coordinator discovers the attack path and
  determines an optimal response.
Directive:
There are two types of directive:
• An undo message
• A do message
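The trace, report and directive exchange described on these two slides, as an added example that is not part of the original presentation or of the IDIP project's own code: a constructed three-node community in which the host's detector raises a trace, every node reports to the Discovery Coordinator and applies the suggested block only if its local policy allows, and the coordinator answers with do/undo directives. The message format, the message-id and TTL handling, and the "keep the block nearest the intruder" response rule are assumptions, not taken from the IDIP specification.

```python
import itertools
_ids = itertools.count(1)   # assumed: the message layer supplies unique message ids

def new_trace(event, connection, ttl=8):
    """Trace message: event description plus the connection the intruder used (assumed format)."""
    return {"id": next(_ids), "ttl": ttl, "hops": 0, "event": event, "connection": connection}

class DiscoveryCoordinator:
    def __init__(self):
        self.reports = {}                          # trace id -> [(hops, node), ...]
    def receive_report(self, node, msg):           # a report is a copy of the trace
        self.reports.setdefault(msg["id"], []).append((msg["hops"], node))
    def attack_path(self, trace_id):               # reporting nodes ordered detector -> intruder
        return [n for _, n in sorted(self.reports[trace_id], key=lambda r: r[0])]
    def respond(self, trace_id, connection):
        # Assumed policy: keep one block at the reporting node nearest the intruder,
        # undo the suggested blocks everywhere else; returns the directives issued.
        blockers = [n for n in self.attack_path(trace_id) if n.policy_allows_block]
        directives = [("do", blockers[-1])] + [("undo", n) for n in blockers[:-1]]
        for kind, node in directives:
            node.handle_directive(kind, connection)
        return [(kind, node.name) for kind, node in directives]

class Node:
    def __init__(self, name, dc, policy_allows_block=True):
        self.name, self.dc, self.policy_allows_block = name, dc, policy_allows_block
        self.upstream, self.seen, self.blocked = [], set(), set()
    def handle_trace(self, msg):
        if msg["id"] in self.seen:                 # duplicate suppression by message id
            return
        self.seen.add(msg["id"])
        self.dc.receive_report(self, msg)          # every node reports the trace to the DC
        if self.policy_allows_block:               # blocking is suggested; local policy decides
            self.blocked.add(msg["connection"])
        if msg["ttl"] > 1:                         # TTL bounds how far the trace is forwarded
            fwd = dict(msg, ttl=msg["ttl"] - 1, hops=msg["hops"] + 1)
            for neighbor in self.upstream:
                neighbor.handle_trace(fwd)
    def handle_directive(self, kind, connection):
        (self.blocked.add if kind == "do" else self.blocked.discard)(connection)

def run_scenario():
    """Constructed community host -> core -> border; the core router's policy never blocks."""
    dc = DiscoveryCoordinator()
    host, core, border = Node("host", dc), Node("core", dc, False), Node("border", dc)
    host.upstream, core.upstream = [core], [border]
    trace = new_trace("port scan", ("203.0.113.9", "192.0.2.10", "tcp", 22))
    host.handle_trace(trace)                       # the host's detector raises the trace
    path = [n.name for n in dc.attack_path(trace["id"])]
    issued = dc.respond(trace["id"], trace["connection"])
    return path, issued, {n.name: sorted(n.blocked) for n in (host, core, border)}
```

Running run_scenario() shows the host's provisional block being undone once the border node, nearest the intruder, has been told to keep its block.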

IDIP Message Layer
The message layer is used by the IDIP application layer to provide secure, reliable
multicast messaging between neighbors within an IDIP neighborhood.

It provides the following services:
• Multicast
• Privacy and integrity/authentication
• Reliability
• Time synchronization



IDIP Message Layer
Objectives:
• Minimal dependence on network infrastructure, to improve
  system survivability; this is supported by using UDP.
• Minimal performance impact on the protected system.
IDIP Protocol Dependencies:
• IDIP Hello Protocol for building each neighborhood
• Neighborhood Key Information Distribution (NKID)
• IDIP Transport Security Protocol
  - IDIP Encapsulating Security Payload (IDIP ESP)
  - IDIP Authentication Header (IDIP AH)

IDIP Architecture
[Figure: IDIP architecture diagram; not reproduced in the extracted text]
IDIP Message Layer Services
• Protocol initialization
• Reliable message transmission
• Calculation of time deltas for each neighbor
• Generation of unique message IDs
• Managing the TTL field
• Multicast and unicast messages
• Forwarding messages
• Source authentication, integrity and privacy

Protocol Specification
[Figure: IDIP Header layout; not reproduced in the extracted text]
[Figure: IDIP Option Header layout; not reproduced in the extracted text]




Cryptographic Requirements
The basic requirements for IDIP cryptography include:
• Efficient cryptography for messages
• Support for multicast
• Minimal impact on IDIP message size
• Availability on multiple platforms
• Ease of integration
• Support for multiple multicast groups within a neighborhood



Software Architecture
[Figure: IDIP system architecture; not reproduced in the extracted text]

Objectives:
• Ease of integration with various components
• Flexibility in modifying generic component behavior

IDIP Backplane & Generic Agent
[Figures: IDIP Backplane Architecture and IDIP Generic Agent Architecture; not reproduced in the extracted text]

The IDIP backplane executes on all IDIP nodes, providing
reliable, secure communication between IDIP applications.

IDIP Backplane & Generic Agent
• The IDIP generic agent application provides a framework for
  building component-specific detection and response engines.

• IDIP detection interface: provides a simple bridge from the
  local detection system to the socket-based interface of the
  IDIP agent.

• IDIP audit: monitors connections to and from the local node
  and records this traffic in the IDIP audit data format.



IDIP Backplane & Generic Agent
• Detection functions
• Response functions
  • Trace message processing
  • Discovery Coordinator directive message processing

[Figure: Discovery Coordinator Application View; not reproduced in the extracted text]




Discovery Coordinator Application
Discovery Coordinator core services:
• Data management
• Situation display
• Access to network management
• Response policy management




Conclusion
• The architecture presented here provides a foundation
  upon which experimentation in automated intrusion
  response can be performed.

• This architecture enables low-cost integration of new intrusion
  detection technologies, new response mechanisms, and new
  algorithms for determining responses, either at the local node
  level or at the system level.




Thank You!!!