A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence Shane Singh | COMPSCI 726

Upload: dinah-fisher

Post on 14-Jan-2016


Page 1: Title

A Lone Wolf No More: Supporting Network Intrusion Detection with Real-Time Intelligence

Shane Singh | COMPSCI 726

Page 2: Introduction

• The paper seeks to extend basic Intrusion Detection Systems (IDS) so that they can take in complex, real-time attack intelligence and use it within their existing processing.

Page 3: Intrusion Detection System (IDS)

• “Device or software application that monitors network or system traffic for malicious activities or policy violations”

Page 4: The Identified Issue

• Current IDSs cannot integrate external information into their processing.

• The usual workaround is to translate the external data into the IDS’s rule language (signatures or blacklist rules). Rules are loaded ahead of time, so intelligence that changes frequently can only be followed by regenerating and reloading the rule set.

• The paper notes that this approach “…severely limits the attainable benefits…”

• Any solution must ensure that an IDS consuming real-time intelligence can still handle realistic workloads.

Page 5: The Proposed Solution

• Development of an Input Framework, integrated into an existing open-source IDS.

• Use of federated sources to provide valid, consistent attack intelligence.

• Deployment and monitoring in a real-world scenario to test suitability.

Page 6: The Intelligence State

• “Externally provided context that, when correlated with traffic on the wire, can significantly increase the system’s detection capabilities.”

Page 7: Framework Design

Page 8: Implementation and Integration

• Uses the open-source Bro IDS.

• Bro’s event-driven design fits the capabilities of the Input Framework well.

• Bro turns streams of packets into “policy neutral” network events; what is done with those events, including lookups against externally supplied intelligence, is decided in the script layer rather than in the packet engine.

Page 9: Framework with Bro

Page 10: Using Federated Blacklists

• The authors use the SES feed from REN-ISAC and the JC3 feed from the US Department of Energy (DOE).

• Confidence in the accuracy and quality of the intelligence is important: a bad entry in a feed becomes a false alert on every connection that matches it.

• Private, vetted sources were chosen over public sources.

• Both feeds are loaded through the Input Framework.
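As an added example (not code from the paper, and not Bro’s own Input or Intel framework), the sketch below models the intelligence state slides 6 to 10 describe: two feeds in the tab-separated, `#fields`-headed layout that Bro’s Input Framework reads are merged into one table carrying a confidence value and the set of sources that listed each indicator, the table is swapped in atomically on reload, and conn.log-style connection records are correlated against it. The feed contents, the RFC 5737 documentation addresses, the 0 to 100 confidence scale and the connection records are all constructed for the example; the real SES and JC3 feed formats are not reproduced here.

```python
"""Intelligence table fed from Bro-style tab-separated feed files.

Added illustration; not code from the paper or from Bro. Feed contents,
connection records and the confidence scale are constructed for the example.
"""
import ipaddress

# Constructed feeds in the layout Bro's Input Framework reads: a "#fields"
# header naming the columns, then one tab-separated record per line.
# Addresses are RFC 5737 documentation ranges, not real indicators.
SES_FEED = """#fields\tindicator\tsource\tconfidence
# constructed stand-in for a REN-ISAC SES style feed
192.0.2.10\tses\t90
198.51.100.7\tses\t60
"""

JC3_FEED = """#fields\tindicator\tsource\tconfidence
# constructed stand-in for a DOE JC3 style feed
203.0.113.5\tjc3\t80
192.0.2.10\tjc3\t70
"""

# Constructed conn.log-style records: ts, uid, orig_h, orig_p, resp_h, resp_p.
CONN_LOG = """1451606400.1\tCabc1\t10.0.0.5\t51000\t192.0.2.10\t443
1451606401.2\tCabc2\t10.0.0.8\t51001\t198.51.100.7\t80
1451606402.3\tCabc3\t10.0.0.9\t51002\t203.0.113.99\t22
1451606403.4\tCabc4\t203.0.113.5\t4444\t10.0.0.9\t445
"""


def parse_feed(text):
    """Parse a '#fields'-headed feed into {ip: {"source": str, "confidence": int}}.

    Other '#' lines are comments. Malformed records are skipped rather than
    aborting the load, so one bad line in a daily feed cannot empty the table.
    """
    fields, entries = None, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            continue
        rec = dict(zip(fields, cols))
        try:
            ip = str(ipaddress.ip_address(rec["indicator"]))  # normalises the address
            conf = int(rec["confidence"])
        except (KeyError, ValueError):
            continue
        entries[ip] = {"source": rec["source"], "confidence": conf}
    return entries


class IntelState:
    """Merged intelligence table keyed by IP address, replaceable at runtime."""

    def __init__(self):
        self.table = {}

    def load(self, *feeds):
        """Rebuild the table from one or more feed texts and swap it in.

        When feeds disagree, keep the highest confidence and remember every
        source that listed the indicator. Returns the number of indicators.
        """
        merged = {}
        for text in feeds:
            for ip, val in parse_feed(text).items():
                cur = merged.setdefault(ip, {"sources": set(), "confidence": 0})
                cur["sources"].add(val["source"])
                cur["confidence"] = max(cur["confidence"], val["confidence"])
        self.table = merged  # single reference swap: readers never see a half-built table
        return len(merged)

    def match(self, conn_log, min_confidence=0):
        """Correlate conn.log-style records with the table; return the hits."""
        hits = []
        for line in conn_log.splitlines():
            if not line.strip():
                continue
            ts, uid, orig_h, _orig_p, resp_h, _resp_p = line.split("\t")[:6]
            for role, ip in (("orig", orig_h), ("resp", resp_h)):
                val = self.table.get(ip)
                if val and val["confidence"] >= min_confidence:
                    hits.append({"uid": uid, "ts": float(ts), "role": role, "ip": ip,
                                 "sources": sorted(val["sources"]),
                                 "confidence": val["confidence"]})
        return hits


if __name__ == "__main__":
    state = IntelState()
    print("indicators:", state.load(SES_FEED, JC3_FEED))
    for hit in state.match(CONN_LOG, min_confidence=70):
        print(hit)
    # Hot reload: a new SES entry appears, and the next pass matches Cabc3.
    state.load(SES_FEED + "203.0.113.99\tses\t95\n", JC3_FEED)
    print([h["uid"] for h in state.match(CONN_LOG)])
```

The reload path is the point of the slides: the table is rebuilt from the feed texts and swapped in by reference, so a feed update never requires regenerating rules or restarting the sensor, and a record that did not match before the update does match afterwards. The confidence threshold is what lets a consumer treat a low-quality source more cautiously than a vetted one without dropping it entirely.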

Page 11: Real World Testing

• Tested on a trace of traffic from the UC Berkeley network

• Bro was run in pseudo-realtime mode over the trace file, replaying packets with their original inter-arrival gaps

• Performance was analysed for:

• Realistic workloads

• Sustainable load

• Latency

• A Benchmark Reader was created to drive the Input Framework under controlled load

Page 12: Summary

• An Input Framework was created and deployed on an existing open-source IDS, Bro

• Adds another state to the IDS: intelligence

• Real-world testing to determine suitability for deployment in a network

Page 13: Criticisms

• Firewall impact

• Testing overall detection effectiveness

• Choice of IDS – Bro

• Access to blacklists used

• Network traffic tested quite limited

Page 14: Firewall Impact

• The authors make no reference to how a firewall would affect the traffic being monitored in their tests

• Testing was only done on a trace from one particular network

• Firewalls determine which traffic is allowed or blocked, so the traffic that reaches the IDS, and therefore the blacklist hits it can see, depends on where the sensor sits relative to the firewall

Page 15: Overall Effectiveness

• The paper contains no comparison between a network running an IDS with real-time intelligence and the same network running the IDS without it, so the detection gain is never measured

Page 16: Using Bro

• The choice of Bro is not clearly explained

• There is no comparison with other IDSs, nor a discussion of why Bro was or was not the right choice

Page 17: Access to Federated Blacklists

• The SES feed is updated once per day

• The JC3 feed is downloaded manually from a secure server when updates are released

• Both feeds are difficult to access

• The vetting period before an indicator is published is not accounted for in the “real-time” claim
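As an added example (not from the paper, which does not model this), the code below makes the criticism on this slide concrete: with a feed polled once a day, a connection to an indicator that the provider published after the last poll is invisible to the sensor until the next poll, and any vetting delay before publication only widens that window. It classifies constructed connection records into live detections, contacts in the blind window, and contacts before listing, and then shows a retrospective pass after each poll that re-checks recent connections against indicators that arrived in it. The timestamps, polling schedule, indicators (RFC 5737 documentation addresses) and connection records are all constructed; the retrospective check is a common mitigation in intelligence-driven monitoring, not something the paper describes.

```python
"""Where a daily-polled feed leaves an IDS blind, and a retrospective check.

Added illustration, not code from the paper. All timestamps, indicators,
connections and the polling schedule are constructed for the example.
"""
from datetime import datetime, timedelta, timezone


def t(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed feed history: when the provider published each indicator.
# Provider-side vetting before publication is invisible to the consumer.
FEED_HISTORY = [
    {"ip": "192.0.2.10", "listed_at": t("2016-01-13T09:30:00")},
    {"ip": "198.51.100.7", "listed_at": t("2016-01-14T02:00:00")},
]

# The sensor pulls the feed once per day at 06:00 UTC (constructed schedule).
POLLS = [t("2016-01-13T06:00:00"), t("2016-01-14T06:00:00")]

# Constructed connection records: (ts, uid, resp_h).
CONNS = [
    (t("2016-01-12T23:00:00"), "C1", "192.0.2.10"),    # before the listing existed
    (t("2016-01-13T12:00:00"), "C2", "192.0.2.10"),    # listed 09:30, sensor holds 06:00 feed
    (t("2016-01-14T08:00:00"), "C3", "192.0.2.10"),    # after the 14th's poll: live hit
    (t("2016-01-14T03:00:00"), "C4", "198.51.100.7"),  # listed 02:00, poll at 06:00: blind
    (t("2016-01-14T09:00:00"), "C5", "203.0.113.9"),   # never listed
]


def listed_at(ip, feed=FEED_HISTORY):
    """Publication time of `ip` in the feed, or None if it was never listed."""
    return next((e["listed_at"] for e in feed if e["ip"] == ip), None)


def available_at(ip, when, feed=FEED_HISTORY, polls=POLLS):
    """Earliest poll at which the sensor held `ip` and that had happened by `when`."""
    listed = listed_at(ip, feed)
    if listed is None:
        return None
    return next((p for p in sorted(polls) if listed <= p <= when), None)


def classify(conns=CONNS, feed=FEED_HISTORY, polls=POLLS):
    """Label each connection by what the sensor could have known when it saw it.

    'live': indicator already pulled; 'blind': published but not yet pulled;
    'unlisted': seen before the indicator existed; 'clean': never listed.
    """
    out = {}
    for ts, uid, ip in conns:
        listed = listed_at(ip, feed)
        if listed is None:
            out[uid] = "clean"
        elif available_at(ip, ts, feed, polls) is not None:
            out[uid] = "live"
        elif ts >= listed:
            out[uid] = "blind"
        else:
            out[uid] = "unlisted"
    return out


def retro_match(poll_time, history_window, conns=CONNS, feed=FEED_HISTORY, polls=POLLS):
    """After a poll, re-check recent connections against indicators new in that poll.

    Returns the uids of earlier contacts that only a retrospective pass can
    surface: contacts in the blind window, and contacts that predate the listing
    (often the attacker activity that led to the listing in the first place).
    """
    earlier = [p for p in polls if p < poll_time]
    prev = max(earlier) if earlier else None
    new_ips = {e["ip"] for e in feed
               if e["listed_at"] <= poll_time and (prev is None or e["listed_at"] > prev)}
    return [uid for ts, uid, ip in conns
            if ip in new_ips and poll_time - history_window <= ts < poll_time]


if __name__ == "__main__":
    for uid, label in classify().items():
        print(uid, label)
    print("retro after 2nd poll, 2-day window:", retro_match(POLLS[1], timedelta(days=2)))
    print("retro after 2nd poll, 12-hour window:", retro_match(POLLS[1], timedelta(hours=12)))
```

Of the four contacts with listed addresses, only one is a live detection; two fall in the blind window between publication and the next daily pull. The retrospective pass closes that gap at the cost of retaining connection history for at least one polling interval, which is the trade-off a deployment relying on slowly updated or manually fetched feeds has to make.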

Page 18: Limitations of Tested Traffic

• Only a capture of actual network traffic flow was used, not a live deployment

• Five-minute capture: the likelihood of an attack falling within such a short window is low

• “…Such a volume is much more than a single Bro instance can handle”

Page 19: Questions?