IDS運用の効率化に関する研究環境情報学部４年

水谷正慶 (mizutani@SING)親 : true / サブ親 : minami

Background

Intrusion Detection System (IDS) outputs; too much log

0100002000030000400005000060000700008000090000

100000

2005

-01-

01

2005

-01-

11

2005

-01-

21

2005

-01-

31

2005

-02-

10

2005

-02-

20

2005

-03-

02

2005

-03-

12

2005

-03-

22

2005

-04-

01

2005

-04-

11

2005

-04-

21

2005

-05-

01

2005

-05-

11

2005

-05-

21

2005

-05-

31

2005

-06-

10

2005

-06-

20

2005

-06-

30

2005

-07-

10

2005

-07-

20

Ex) RG-Net by Snort2005/1/1 ~ 7/26

Max:

720,679/day

Average:

66,408/day

Issues

OperatorIDS

Event Log

It’s too difficult to find intrusion by operator

What’s Happened?

How Much Risk?

Amount of Events

Intrusion

Infected

Take Time

Human Error Critical Incident

Focus(1/2): Risk of events

False Positive

Low Risk Event

High Risk Event

Versatile Signature

Low Quality Signature

Failure Attack

Non-effective Attack

BlasterBlaster

BlasterBlaster

Blaster

Blaster

Focus (2/2): Event Assessment

Timeline

Event-5 Event-6 Event-7 Event-8

Event-1 Event-2 Event-3 Event-4

From Host-AFrom Host-B

System overview

Session-based Session-based IDSIDS

IDS Log IDS Log VisualizerVisualizer

Target-based Target-based IDS IDS

Operator

Event Log

ImportantImportant Event LogEvent LogNetwork

Traffic

Conventional IDS

Attack Result Event Rating Aggregate

(1) Session-based IDS

Session-based IDSSession-based IDS

Conventional IDS

Attacker

Target

Target

Exploit Code

Error Message

Exploit Code

Unknown Response

Attack

Attack

Attack is succeede

d

Attack is

failure

(2) Target-based IDS

Target-based IDSTarget-based IDS

Attacker

Target(Windows)

Target(Linux)

Exploit CodeFor Windows

Exploit CodeFor WindowsAttack

is Risky

Attack is No Risk

(3) Log Visualizer

EVENT LOG00:13 Port Scan00:15 Version Scan00:17 Exploit Attempt00:27 Port Scan00:28 Version Scan00:55 Exploit Attempt

00:00 01:00

Port ScanVersion ScanExploit Code

Correlation(?)

System design

Session-based IDS

Target-based IDS & Log Visualizer

Event Log DB

Operator

Host DB

+

DHCP based OS Fingerprinting

Static IP Address

Implementation:

Session-based IDS

Implementation:

Log Visualizer

ه Demo

Implementation:

Log Visualizer

Correlation

From Some IP Address

Researches & Activities

ه Papersه 「 IDS のログ視覚化システムの構築」

ى 情報処理学会 分散システム／インターネット運用技術シンポジウム 2003ه 「 Session Based IDS の設計と実装」

ى 電子情報通信学会 2005 年 次世代インターネットソフトウェア論文特集ه 「セッション追跡によるプロトコルアノーマリ型防御手法の提案

と実装」ى 情報処理学会 第 12 回マルチメディア通信と分散処理ワークショップ 2004

ه 「 The Design and Implementation of Session Based IDS 」ى Technical Typesetters: “Electronics and Communications in Japan, Part I”

ه Softwareه Session-based IDS “ROOK”

ى http://matinee.sfc.wide.ad.jp/blitz/rook/ه Log Visualizer “BISHOP”

ى http://matinee.sfc.wide.ad.jp/blitz/bishop

Dec-Submit Paper

Aug-Integration

Oct-Evaluation

Schedule

Jan. 2006Final Presentation

Nov-Write Paper

Sep-Integration-Evaluation

To DoTo Do- Integration- Evaluation- Paper

Evaluation

ه Quantitative Evaluationه Event reductionه Compare Other IDS Implementationه Performanceه Properness of Event

ه Qualitative Evaluationه Compare Traditional Log Analyzing Tools

Conclusion

ه Issues ه Approach

ه Session-based IDSه Target-based IDSه Log Visualizer

ه To Doه Integrationه Reevaluationه Paper

Thank you.