Case Study: The IA:AIDE System at Two

Aaron L. Temin, Ph.D.
Litton PRC
temin_aaron@prc.com



12/20/1999 8:00 AM

Overview

• Background
• Conceptual Architecture
• Initial Design and Implementation
• Results of Live Demonstrations
• Changes for the Future
• Conclusion


Background

• Less than 4% of penetrated systems detected an attack; less than 1% responded to the penetration
• Attack correlation and attack prediction elusive
• Hard to differentiate between serious attacks and “ankle-biters”
• Auto-parsing and query mechanisms needed across DOD
• Demand for rapid dissemination of detect patterns
• No technical capability for detecting wide-scale attacks


Background

• IA:AIDE is an advanced concept technology demonstration (ACTD) for the DoD
• Limited lifespan program to demonstrate the benefit of:
  – Visual integration of existing sensors
  – Correlation of multiple sensors
  – Hierarchical/network distribution and correlation of alerts across the DII


Conceptual Architecture

[Diagram: existing tools/technologies (Intrusion Detection, Firewall, Virus Checkers, Network Management, SW Integrity) pass events, ASCII data, checksums and protocol packets through an Interface Layer and the Network Interface into the Integration Infrastructure, which provides Filtering, Correlation, a Data Bridge and Data Visualization across ROSC and LCC nodes; warnings go out to Operations, Law Enforcement, Intel and Comm/Computers.]


Initial Design and Implementation

[Diagram: Real Secure and Net Radar sensors feed Wrappers and a Bridge / Normalization layer; data goes to the G2 GUI (correlation, 6510 reports) and to an Oracle DB queried through Netscape.]

• Sensor data passed to central AIDE system
• All data passed initially to G2 for display and correlation
• Data sent to Oracle for archiving and query via web browser
• Oracle web service used to query archived data for non-real time analysis


Results of Live Demonstrations

• Networks
• Sensors
• Accomplishments
• Warfighter Feedback


Networks

Year 1: 7 nodes, 2 levels
Year 2: 12 nodes, 3 levels


Sensors

JID
ASIM
TCP Wrap
NetRadar
Raptor
SunScreen
Gauntlet
SideWinder
RealSecure
NetRanger
DTF
HP OV

Legend: 2 = added in year 2 (five sensors carry this mark on the slide; the extracted text does not preserve which ones)


Year One Accomplishments

• Firsts:
  – Automated alert capability:
    • Between multiple services and agencies
    • Between multiple sensors at the services and agencies
• Improvements to DOD capability
  – Data Display: Single display of multi-sensor alerts
  – Communication: Secure reporting of events in real time both laterally and vertically
  – Database Storage: Single database for all intrusion and anomalous event data


Year Two Accomplishments

• Firsts:
  – Three-tiered automated reporting structure including multiple services and agencies
  – Normalized intrusion data across sensors and sites
  – Automated CJCSI 6510 Reporting requirement
  – Secure Remote Access to local and regional intrusion databases
  – Alert correlation across sensors and sites
• Improvements to existing DOD capability
  – Web accessible alert database with built-in query capability
  – Standardized alert and event times across sensors and sites


Warfighter Feedback

• Management
  – Considerable improvement in the conduct and planning of the demonstration
• Technical
  – 3 Best Aspects of AIDE
    • Viewing multiple sensors in one place and the integration of commercial sensors in particular
    • Having web server access to the database
    • Automatic 6510 reporting
  – 3 Worst Aspects of AIDE
    • User Interface difficult to use
    • Performance problems
    • Data needs to be better displayed


Changes for the Future

• Data Flow
• Correlation
• G2’s Role
• Oracle’s Role
• Visualization Tools


Data Flow

[Diagram: Real Secure and Net Radar sensors feed Wrappers and a Bridge / Normalization layer in CIDF/IETF IDWG format; G2 Correlation and Oracle DB Triggers feed a Query “Table”, a Java Browser, Net Flare and Decision Support. Category examples shown on the diagram: Mapping, DOS, Service Scan → Correlated Event.]

• Data correlated in G2 for immediate “real time” attack data. Data correlation turned over to Oracle “Temp QUE” for long-term correlation.
• Correlation in G2 will consist of current tables (updated), plus added “categories”. These “categories” will be based on target, destination, and type of data seen.
• Added rules and filtering capability.
• Data correlation turned over to Oracle “Query Table” for long-term correlation.
• Correlated event returned to DB.


Correlation

• Correlate data from multiple sensors and support near-term and longer-term analysis of collected data:
  – Duplicate events across sensors
  – Related events within/across sensors
  – Related events across sites


G2’s Role

• G2 correlates using current rules plus added categories
• Categories of Attacks:
  ICMP Attacks, Host Login, System Changes, Web Server Attacks, TCP Port Activity, UDP Port Activity, FTP Server Attacks, Network Login, IP Attacks, TCP/UDP Attacks, SMTP (Email) Attacks, Misc. Network Attacks, Telnet Attacks

[Diagram: G2 Correlation and Oracle DB Triggers. Data correlated in G2 for immediate “real time” attack data; data correlation turned over to Oracle “Temp QUE” for long-term correlation; correlated event returned to DB.]


Oracle’s Role

[Diagram: Oracle DB Triggers and a Temp “QUE”. Data correlation turned over to Oracle “Temp QUE” for long-term correlation; results go to the browser.]

• All events assigned an Oracle sequence number
• Sequenced events sent to Query Table
• Rule set to be run at a time interval on the table
• Rule set can be different from G2’s
• Once an event is triggered, it is sent to the Java front end and database
• Filtering capabilities
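The bridge/normalization and correlation steps outlined in the Correlation, G2’s Role and Oracle’s Role slides, as an added Python example that is not part of the presentation or of the IA:AIDE system: it turns rows in the Alert Table slide’s column order into common records with sequence numbers, assigns a category, and groups alerts that different sensors report for the same source, target and port (duplicate at one site, related across sites). The field names, the port-to-category map and the 10-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed input rows in the Alert Table slide's column order: sensor, site,
# time, destination port, destination IP, source IP, signature. The first three
# rows come from that slide; the NetRanger row is constructed for a second site.
RAW_ALERTS = [
    ("Sidewinder", "RRS", "16:33:43 09Aug99", 23, "128.132.192.33", "200.200.200.200", "Proxy Access"),
    ("Real_Secure", "RRS", "14:33:44 07Aug99", 31337, "128.132.1.200", "199.34.222.104", "Windows_BackOrifice"),
    ("ASIM_2.0", "RRS", "14:28:33 07Aug99", 55555, "128.132.39.141", "128.132.39.143", "JACK-A-LOPE"),
    ("NetRanger", "SITE2", "14:34:10 07Aug99", 31337, "128.132.1.200", "199.34.222.104", "BackOrifice"),
]

# Assumed map from destination port to the deck's attack categories; the deck
# names the categories but does not say how events are assigned to them.
PORT_CATEGORY = {21: "FTP Server Attacks", 23: "Telnet Attacks",
                 25: "SMTP (Email) Attacks", 80: "Web Server Attacks"}

def normalize(rows):
    """Bridge/normalization: one common record per sensor alert, with a
    standardized timestamp and an Oracle-style sequence number."""
    events = []
    for seq, (sensor, site, ts, dport, dip, sip, sig) in enumerate(rows, start=1):
        events.append({"seq": seq, "sensor": sensor, "site": site,
                       "time": datetime.strptime(ts, "%H:%M:%S %d%b%y"),
                       "dst_port": dport, "dst_ip": dip, "src_ip": sip,
                       "signature": sig,
                       "category": PORT_CATEGORY.get(dport, "TCP Port Activity")})
    return events

def correlate(events, window=timedelta(minutes=10)):
    """Group alerts on the same source, target and port that different sensors
    report within the window: 'duplicate' at one site, 'related' across sites."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src_ip"], ev["dst_ip"], ev["dst_port"])].append(ev)
    correlated = []
    for (src, dst, port), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        if len({e["sensor"] for e in evs}) < 2:
            continue                      # a single sensor: nothing to correlate
        if evs[-1]["time"] - evs[0]["time"] > window:
            continue                      # too far apart to be the same activity
        sites = {e["site"] for e in evs}
        correlated.append({"src_ip": src, "dst_ip": dst, "dst_port": port,
                           "category": evs[0]["category"], "members": [e["seq"] for e in evs],
                           "kind": "related across sites" if len(sites) > 1
                                   else "duplicate across sensors"})
    return correlated
```

Calling `correlate(normalize(RAW_ALERTS))` yields one correlated event, the Back Orifice probe seen by Real_Secure at RRS and NetRanger at SITE2 26 seconds apart.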


Alert Table

[Screenshot of the alert table view. Controls: View Priority 1 2 3; G2 Correlation On; New Message; New 6510 Log; Priority Change. Navigation: Site Status, Sensor Status, Browser View, Regional/Global View, Database Browser.]

Sensor       Site  Time              Dest. Port  Destination IP   Source IP        Attack Type or Signature
Sidewinder   RRS   16:33:43 09Aug99  23          128.132.192.33   200.200.200.200  Proxy Access
Net_Ranger   RRS   15:22:33 07Aug99  21          128.132.39.220.0.0.1 (see note)   FTP Improper Address
Real_Secure  RRS   14:33:44 07Aug99  31337       128.132.1.200    199.34.222.104   Windows_BackOrifice
ASIM_2.0     RRS   14:28:33 07Aug99  55555       128.132.39.141   128.132.39.143   JACK-A-LOPE

Note: in the Net_Ranger row the destination and source IP addresses are run together in the extracted slide text and cannot be separated with certainty.


Web Browser to DB

[Screenshot of the web browser interface to the database. Navigation: Site Status, Sensor Status, Browser View, Regional/Global View, Database Browser.]


3D Consolidated View

[Screenshot of the 3D consolidated view. Navigation: Site Status, Sensor Status, Browser View, Regional/Global View, Database Browser.]


Conclusion

• In its first two years, IA:AIDE has had a significant impact on IA developments
• IA:AIDE enhancements provide a system which:
  – Optimizes the output of multiple types of intrusion detection tools
  – Receives and processes data beyond traditional intrusion detection tools
  – Provides an attack correlation and warning capability
  – Provides an ability to detect patterns indicating wide-scale attack


IA:AIDE Points of Contact

Brian Spink, AFRL/IFGB IA:AIDE Program Manager, (315) 330-7596, DSN 587
Brad Jobe, Litton PRC Program Manager, 315 330-4988
Aaron Temin, Litton PRC IA Technical Expert, 703 556-2108