A Framework for Distributed Intrusion Detection using Interest-Driven Cooperating Agents
Rajeev Gopalakrishna and Eugene H. Spafford

Distributed IDS
“a system where the analysis of the data is performed on a number of locations proportional to the number of hosts that are being monitored” – Spafford and Zamboni
CERIAS, Purdue University
Distributed Communication Models
Event-based model:
• Any entity may produce, and any entity may consume, events
• Symmetric roles
• Loosely connected
• Higher scalability
• Event advertisement, interest specification and event notification
Push-based model:
• Specific producers and consumers
• Asymmetric roles
• Logical channels
• Tighter coupling
• Less scalable

Motivation
• Concept of agents to perform intrusion detection
• Event-based communication model
• Concept of interest propagation
Generic Hierarchical Intrusion Detection Systems
[figure: a hierarchy of modules, each an event generator and/or event analyzer, passing refined data up the hierarchy]
Examples
• DIDS
• GrIDS
• EMERALD
• AAFID

Drawbacks
• Analysis hierarchy
• Data refinement
• Bulky modules at all levels of the hierarchy
• Passive interaction

Related Work
• Crosbie and Spafford
• Barrus and Rowe
• Ingram
• Mell and McLarnon
• CARDS

Our Approach
• Agents
• No analysis hierarchy
• Intelligent cooperation using the concept of interests
• Interest propagation
• Active communication
• Lightweight modules at all levels of the hierarchy
Interest
“a specification of data that an agent is interested in, but is not available to the agent because of the locality of data collection or because the agent was not primarily intended to observe those data”
[figure: Agent A expresses an interest to Agent B, which observes a data source that is not accessible to Agent A, or accessible only with more overhead; Agent B then delivers the matching data to Agent A]

Interest Propagation
[figure: interests propagated between agents via propagators at the local, domain and enterprise levels; legend: agent, propagator, local, domain, enterprise]
Types of Interests
• Directed or propagated interests
• Local, domain or enterprise level interests
• Permanent or temporal interests

Granularity of Interests
• Event vs. alert
• Curiosity level
• Adds dynamism to agents
• Reduces overhead

Data Delivery
Hierarchical delivery vs. direct delivery
• Failure of modules
• Scalability
• Data coalescing
Host
[figure: each host carries an Interest Registry (IR) and an Agent Registry (AR)]
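The event-based model, the interest types, their granularity, interest propagation through domain and enterprise propagators, direct data delivery, and the per-host Interest Registry and Agent Registry can be put together in one small runnable model. The following is an added example written for this page; it is not code from the framework or from CERIAS, and every class, field and scenario in it (hosts h1..h3, the two agents, the event names, the constructed events) is an assumption made for illustration.

```python
# Toy model of interest-driven cooperating IDS agents. Constructed for this page,
# not the framework's own code; class and field names are assumptions. Each host
# holds an Agent Registry (AR) and an Interest Registry (IR); agents express
# interests that a domain/enterprise propagator copies into other hosts' IRs, and
# a host whose observation matches an interest delivers it directly to the agent.
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Level(Enum):
    LOCAL = 1       # directed interest: stays in the registering host's IR
    DOMAIN = 2      # propagated to every host in the agent's domain
    ENTERPRISE = 3  # propagated to every domain in the enterprise


@dataclass
class Event:
    host: str
    kind: str              # granularity: "event" (raw) or "alert" (analyzed)
    name: str
    attrs: Dict[str, str]
    time: float


@dataclass
class Interest:
    agent: Agent                      # consumer address, enables direct delivery
    name: str                         # event name the agent wants to see
    kind: str = "event"               # curiosity level: raw events or alerts only
    level: Level = Level.LOCAL
    expires: Optional[float] = None   # None = permanent, otherwise temporal
    predicate: Callable[[Event], bool] = lambda e: True

    def matches(self, ev: Event) -> bool:
        return ev.name == self.name and ev.kind == self.kind and self.predicate(ev)


class Agent:
    def __init__(self, ident: str, host: Host):
        self.ident, self.host, self.received = ident, host, []
        host.ar[ident] = self          # AR: agents resident on this host


class Host:
    def __init__(self, name: str, domain: Propagator):
        self.name, self.domain = name, domain
        self.ar: Dict[str, Agent] = {}
        self.ir: List[Interest] = []   # IR: directed + propagated interests
        domain.hosts.append(self)

    def register(self, interest: Interest) -> None:
        self.ir.append(interest)
        if interest.level is not Level.LOCAL:
            self.domain.propagate(interest, origin=self)

    def observe(self, ev: Event) -> None:
        # Lapsed temporal interests are dropped; matches go straight to the
        # interested agent (direct delivery), with no analysis hierarchy.
        self.ir = [i for i in self.ir if i.expires is None or ev.time <= i.expires]
        for i in self.ir:
            if i.matches(ev):
                i.agent.received.append(ev)


class Propagator:
    def __init__(self, parent: Optional[Propagator] = None):
        self.parent, self.hosts, self.children = parent, [], []
        if parent is not None:
            parent.children.append(self)

    def install(self, interest: Interest, origin: Host) -> None:
        for h in self.hosts:
            if h is not origin and interest not in h.ir:
                h.ir.append(interest)

    def propagate(self, interest: Interest, origin: Host) -> None:
        self.install(interest, origin)
        if interest.level is Level.ENTERPRISE and self.parent is not None:
            for sibling in self.parent.children:  # fan out to the other domains
                if sibling is not self:
                    sibling.install(interest, origin)


def demo() -> dict:
    """Constructed scenario: two domains, three hosts, two agents."""
    enterprise = Propagator()
    dom_a, dom_b = Propagator(enterprise), Propagator(enterprise)
    h1, h2, h3 = Host("h1", dom_a), Host("h2", dom_a), Host("h3", dom_b)
    # Propagated, enterprise-level, temporal interest: root login failures seen anywhere until t=200.
    tracker = Agent("login-tracker", h1)
    h1.register(Interest(tracker, "auth_failure", level=Level.ENTERPRISE, expires=200.0,
                         predicate=lambda e: e.attrs.get("user") == "root"))
    # Directed, local, permanent interest in analyzed alerts only (lower curiosity level).
    local = Agent("local-alerts", h2)
    h2.register(Interest(local, "port_scan", kind="alert"))
    h2.observe(Event("h2", "event", "auth_failure", {"user": "root"}, 100.0))  # same domain
    h3.observe(Event("h3", "event", "auth_failure", {"user": "root"}, 150.0))  # other domain
    h3.observe(Event("h3", "event", "auth_failure", {"user": "bob"}, 160.0))   # predicate fails
    h3.observe(Event("h3", "event", "auth_failure", {"user": "root"}, 250.0))  # interest lapsed
    h2.observe(Event("h2", "alert", "port_scan", {"src": "10.0.0.9"}, 300.0))  # local alert
    h1.observe(Event("h1", "alert", "port_scan", {"src": "10.0.0.9"}, 300.0))  # not propagated
    return {"tracker": [(e.host, e.time) for e in tracker.received],
            "local": [(e.host, e.time) for e in local.received], "h3_ir_size": len(h3.ir)}
```

Running `demo()` shows the tracker agent on h1 receiving the root failures from h2 (same domain) and h3 (other domain, reached through the enterprise level) but not the one after its interest expired, while the local agent on h2 sees only the alert produced on its own host. The producing host delivers straight to the agent named in the interest, which is the direct-delivery path of the slide on data delivery; the size of h3's IR dropping to zero after t=200 is the temporal interest being retired.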
Other Considerations
• Security of agents
• Clock synchronization
• Redundancy of propagators

Future Work
• Implementation of the framework
• Explore alternatives for implementing the interest mechanism
• Impact on size of agents and on host and network performance