Research on Improving the Efficiency of IDS Operation
Faculty of Environment and Information Studies, 4th year
Masayoshi Mizutani (mizutani@SING)
Mentor: true / Sub-mentor: minami
Background
Intrusion Detection Systems (IDS) produce far more log events than an operator can review.
[Chart: daily IDS event count, 2005-01-01 to 2005-07-20; y-axis 0 to 100,000 events/day]
Example: RG-Net monitored by Snort, 2005/1/1 ~ 7/26
Max: 720,679 events/day
Average: 66,408 events/day
Issues
[Diagram: IDS -> Event Log -> Operator]
It is too difficult for the operator to find an intrusion in the event log. Two questions go unanswered:
- What happened?
- How much risk?
The sheer amount of events means analysis takes time, during which the intrusion proceeds and hosts get infected, and invites human error, so a critical incident can be missed.
Focus (1/2): Risk of events
- False positive: versatile signature, low-quality signature
- Low-risk event: failed attack, non-effective attack
- High-risk event
[Diagram: several identical "Blaster" alerts, one per category, which look the same to the operator but carry different risk]
Focus (2/2): Event assessment
[Timeline diagram: Event-1 to Event-4 from Host-A, Event-5 to Event-8 from Host-B]
System overview
Network traffic -> Conventional IDS -> Event Log
Event Log -> Session-based IDS (attack result) -> Target-based IDS (event rating) -> Log Visualizer (aggregate) -> Important Event Log -> Operator
(1) Session-based IDS
Conventional IDS: sees the attacker's exploit code on the wire and reports "Attack", whatever the outcome.
Session-based IDS: also watches the target's reply within the same session.
- Exploit code answered by an error message: the attack failed.
- Exploit code answered by an unknown response: the attack succeeded.
(2) Target-based IDS
- Exploit code for Windows sent to a Windows target: the attack is risky.
- Exploit code for Windows sent to a Linux target: the attack is no risk.
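The two rating steps above, written out as an added example (not code from the ROOK/BISHOP project on these slides). The host database, signature-to-OS table, error markers and sample sessions are constructed for illustration; the rule they implement is the slides' own: an error reply in the same session means the attack failed, any other reply means it may have succeeded, and an exploit aimed at an OS the target does not run is no risk regardless of the reply.

```python
"""Session- and target-based rating of IDS alerts (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed host database; the design fills this from DHCP-based OS
# fingerprinting plus static address assignments.
HOST_DB = {"10.0.0.5": "Windows", "10.0.0.7": "Linux"}

# Constructed mapping from exploit signature name to the OS it targets.
SIGNATURE_OS = {
    "DCOM RPC overflow attempt": "Windows",
    "Apache chunked encoding overflow attempt": "Linux",
}

# Constructed reply prefixes that count as the target rejecting the request.
# Anything else is an "unknown response" in the slides' terms.
ERROR_MARKERS = (b"HTTP/1.1 4", b"HTTP/1.1 5", b"HTTP/1.0 4", b"HTTP/1.0 5",
                 b"RPC_S_", b"-ERR")


@dataclass
class Session:
    src: str                    # attacker address
    dst: str                    # target address
    signature: Optional[str]    # signature matched on the request, None if none
    response: Optional[bytes]   # first reply bytes from the target, None if silent


def attack_result(session: Session) -> str:
    """Session-based assessment: only a recognisable error message proves the
    attack failed; any other reply, including silence from a service that may
    have crashed or been hijacked, is treated as success."""
    if session.response is not None and session.response.startswith(ERROR_MARKERS):
        return "failed"
    return "succeeded"


def target_applies(session: Session) -> bool:
    """Target-based assessment: does the exploit's OS match the victim's OS?
    Unknown hosts or signatures are treated as applicable so that a gap in
    the host database never hides an alert."""
    wanted = SIGNATURE_OS.get(session.signature or "")
    actual = HOST_DB.get(session.dst)
    if wanted is None or actual is None:
        return True
    return wanted == actual


def rate_event(session: Session) -> dict:
    """Combine both checks into the rating shown to the operator."""
    if session.signature is None:
        return {"rating": "none", "reason": "no signature matched"}
    if not target_applies(session):
        return {"rating": "low", "reason": "exploit does not apply to target OS"}
    if attack_result(session) == "failed":
        return {"rating": "low", "reason": "target rejected the request with an error"}
    return {"rating": "high", "reason": "target gave no error; possible compromise"}


# Constructed sample sessions.
SAMPLES = [
    # Windows exploit at a Windows host that answers with a non-error reply.
    Session("203.0.113.9", "10.0.0.5", "DCOM RPC overflow attempt", b"\x05\x00\x02\x03"),
    # Same exploit at a Linux host: cannot work, whatever the reply.
    Session("203.0.113.9", "10.0.0.7", "DCOM RPC overflow attempt", None),
    # Linux exploit at a Linux host that answers with an HTTP error.
    Session("203.0.113.9", "10.0.0.7", "Apache chunked encoding overflow attempt",
            b"HTTP/1.1 400 Bad Request\r\n"),
    # Traffic with no signature hit is not an event at all.
    Session("203.0.113.9", "10.0.0.5", None, b"HTTP/1.1 200 OK\r\n"),
]


def rate_samples() -> list:
    """Ratings for SAMPLES in order."""
    return [rate_event(s)["rating"] for s in SAMPLES]


if __name__ == "__main__":
    for s, r in zip(SAMPLES, rate_samples()):
        print(f"{s.src} -> {s.dst} [{s.signature}]: {r}")
```

Only the first session ends up as a high-risk event; the other three are exactly the cases the slides want to push down the operator's list.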
(3) Log Visualizer
Event log:
00:13 Port Scan
00:15 Version Scan
00:17 Exploit Attempt
00:27 Port Scan
00:28 Version Scan
00:55 Exploit Attempt
[Timeline 00:00 to 01:00 with the events plotted as Port Scan / Version Scan / Exploit Code]
Correlation(?)
System design
Session-based IDS -> Event Log DB -> Target-based IDS & Log Visualizer -> Operator
Host DB: DHCP-based OS fingerprinting + static IP addresses
Implementation: Session-based IDS
Implementation: Log Visualizer
Demo
Implementation: Log Visualizer
Correlation of events from the same IP address
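The correlation the Log Visualizer slides describe, as an added example (not code from the BISHOP visualizer): events are grouped by source IP, placed on the 00:00 to 01:00 strip, and a source that walks through port scan, version scan and exploit attempt in order within a time window is reported as one attack chain instead of three separate alerts. The timestamps and event names are those on the Log Visualizer slide; the log format, source addresses and the 60-minute window are constructed for this example.

```python
"""Per-source timeline correlation for an IDS log visualizer (added example)."""
from collections import defaultdict
from datetime import datetime

# Stage order an attacker is expected to follow (from the slide).
STAGES = ("Port Scan", "Version Scan", "Exploit Attempt")

# Constructed log, one "<HH:MM> <source IP> <event name>" per line. The third
# source fires an exploit without any prior reconnaissance.
SAMPLE_LOG = """\
00:13 192.168.1.10 Port Scan
00:15 192.168.1.10 Version Scan
00:17 192.168.1.10 Exploit Attempt
00:27 192.168.1.20 Port Scan
00:28 192.168.1.20 Version Scan
00:55 192.168.1.20 Exploit Attempt
00:40 192.168.1.30 Exploit Attempt
"""


def parse_log(text: str) -> list:
    """Return (timestamp, source, event) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, name = line.split(" ", 2)
        events.append((datetime.strptime(ts, "%H:%M"), src, name))
    return events


def correlate(events: list, window_minutes: int = 60) -> dict:
    """Map each source that completes all STAGES in order, with the whole
    chain inside window_minutes, to its (first, last) HH:MM timestamps."""
    by_src = defaultdict(list)
    for ts, src, name in events:
        by_src[src].append((ts, name))
    chains = {}
    for src, evs in by_src.items():
        evs.sort()
        stage, start = 0, None
        for ts, name in evs:
            if name != STAGES[stage]:
                continue
            if stage == 0:
                start = ts
            stage += 1
            if stage == len(STAGES):
                if (ts - start).total_seconds() <= window_minutes * 60:
                    chains[src] = (start.strftime("%H:%M"), ts.strftime("%H:%M"))
                break
    return chains


def render_timeline(events: list, minutes: int = 60) -> list:
    """One text row per source: a character per minute from 00:00, with
    P/V/E marking the stage seen in that minute and '.' elsewhere."""
    mark = {"Port Scan": "P", "Version Scan": "V", "Exploit Attempt": "E"}
    origin = datetime.strptime("00:00", "%H:%M")
    rows = defaultdict(lambda: ["."] * minutes)
    for ts, src, name in events:
        col = int((ts - origin).total_seconds() // 60)
        if 0 <= col < minutes:
            rows[src][col] = mark.get(name, "?")
    return [f"{src:<15} {''.join(cells)}" for src, cells in sorted(rows.items())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for row in render_timeline(evs):
        print(row)
    for src, (first, last) in correlate(evs).items():
        print(f"attack chain from {src}: {first} to {last}")
```

Six raw alerts collapse into two chains; the lone exploit attempt from the third source stays a single event, and shrinking the window to ten minutes drops the slower second chain, which is the kind of knob the operator tunes in practice.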
Research & Activities
Papers
- "Construction of an IDS Log Visualization System", IPSJ Symposium on Distributed Systems and Internet Operation Technology, 2003
- "Design and Implementation of Session Based IDS", IEICE Transactions 2005, Special Issue on Next-Generation Internet Software
- "Proposal and Implementation of a Protocol-Anomaly Defense Method Based on Session Tracking", IPSJ 12th Workshop on Multimedia Communication and Distributed Processing, 2004
- "The Design and Implementation of Session Based IDS", Technical Typesetters: "Electronics and Communications in Japan, Part I"
Software
- Session-based IDS "ROOK": http://matinee.sfc.wide.ad.jp/blitz/rook/
- Log Visualizer "BISHOP": http://matinee.sfc.wide.ad.jp/blitz/bishop
Schedule
Aug: Integration
Sep: Integration, Evaluation
Oct: Evaluation
Nov: Write paper
Dec: Submit paper
Jan. 2006: Final presentation
To Do: Integration, Evaluation, Paper
Evaluation
Quantitative evaluation
- Event reduction
- Comparison with other IDS implementations
- Performance
- Properness of events
Qualitative evaluation
- Comparison with traditional log-analysis tools
Conclusion
Issues
Approach: Session-based IDS, Target-based IDS, Log Visualizer
To Do: Integration, Re-evaluation, Paper
Thank you.