
Collaborative Incident Handling Based on the Blackboard-Pattern - PowerPoint PPT Presentation



  1. Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich. Collaborative Incident Handling Based on the Blackboard-Pattern. Nadine Herold, Holger Kinkelin and Georg Carle. November 8, 2016

  2. Contents
  • Motivation and Background
  • Related Work
  • Problem Statement
  • System Design and Implementation
  • Evaluation
  • Conclusion
  Holger Kinkelin – Collaborative Incident Handling Based on the Blackboard-Pattern 2

  3. Section divider: Motivation and Background • Related Work • Problem Statement • System Design and Implementation • Evaluation • Conclusion

  4. Motivation
  • The amount and the variety of attacks on networks are growing
  • Defending networks manually is impossible
  • Automated incident handling is highly beneficial
    • Continuously defend the network
    • Respond quickly
    • Less error-prone
    • Systematic incident response
  • We focus on intrusion handling

  5. Background: Typical Intrusion Handling Steps
  • Network Monitoring Systems (NMS) and Intrusion Detection Systems (IDS) collect information about the network and its health
    • NMS: collect infrastructure information
    • IDS: raise alerts when an intrusion is detected
  • Alert Processing Systems (APS) aggregate, correlate and prioritize alerts
    • Gain more insights into the intrusion by analyzing the situation
  • Intrusion Response Systems (IRS) counteract automatically
    • Identify suitable responses
    • Execute responses on the target network, e.g., block a rogue host

  6. Section divider: Motivation and Background • Related Work • Problem Statement • System Design and Implementation • Evaluation • Conclusion

  7. Execution Model: Pipelined Intrusion Handling
  [Figure: a pipeline in which the NMS (Info) and the NIDS and HIDS (Alerts) feed the APS, which passes correlated or aggregated alerts to the IRS, which in turn issues a Response; an "Amount of Information" axis shows the information shrinking from step to step.]

  8. Other Execution Models
  • Pipelined intrusion handling
    - Information loss from step to step
    - Limited information sharing capabilities
  • Intrusion handling using Complex Event Processing (CEP)
    - Window size difficult to determine (too large → low performance; too small → information loss)
    - Limited information sharing capabilities
  • Agent-based systems for intrusion handling
    - Central intelligent master component needed to dispatch information to agents

  9. Section divider: Motivation and Background • Related Work • Problem Statement • System Design and Implementation • Evaluation • Conclusion

  10. Problem Statement
  • Significant effort has been made to improve each intrusion handling step individually
  • No solution exists that interleaves the steps and creates a comprehensive view of the target network
  • Information already collected/computed in previous steps is lost and cannot be used by subsequent steps
  • Information and intermediate results cannot be shared efficiently between single steps
  • Post-incident forensics of intrusion handling activities is difficult

  11. Section divider: Motivation and Background • Related Work • Problem Statement • System Design and Implementation • Evaluation • Conclusion

  12. Introducing the Blackboard Pattern
  • The blackboard pattern is applicable to problems that can be decomposed into smaller sub-problems / sub-tasks
    • Example: (distributed) incident handling / intrusion handling
  • Sub-tasks solve their sub-problem and share their intermediate results with other sub-tasks
  • Original information remains untouched
  • Original information + intermediate results can be reused by sub-tasks to further tackle the problem
  • Blackboard needs an Information Model specifically designed for the problem domain

  13. Blackboard-based Intrusion Handling
  [Figure: the NMS (Info) and the NIDS and HIDS (Alerts) write into a Blackboard that is structured by an Information Model and holds original, aggregated or correlated alerts and info; Alert Processing reads from the Blackboard and writes back intermediate results (aggregated or correlated alerts); the IRS reads from the Blackboard and produces the Response.]

  14. System Overview
  [Figure: NMS, NIDS, HIDS, ... deliver their data through Interface 1 ... Interface N; processing modules: Insert, Aggregation, Correlation, Prioritisation, Response Identification, Response Selection, Response Evaluation, Response Execution; the Target System is where responses are executed.]

  15. Requirements on an Information Model ... suitable for intrusion handling
  • R1: Separation – Segmentation of information enables updating/adding of information by different modules
  • R2: Completeness – Information for all steps of Incident Handling needs to be present
  • R3: Compatibility to the IDMEF standard (1) used by many IDSes
  (1) Intrusion Detection Message Exchange Format, RFC 4765

  16. Information Model for Intrusion Response - Overview
  [Figure: class diagram with three areas. Alert Processing: Alert, Consequences, Attack, Target, Source, Alert Context, Priority. Intrusion Response: Response (Network-Based, Host-Based, Service-Based, User-Based; Active, Passive), Response Bundle, Implementation, Metric. Infrastructure Information: Network, L3-Network, L2-Network, Interface, IP-Address, MAC-Address, Port, Service, Device, User.]

  17. Infrastructure Information Model – Examples
  [Figure: Infrastructure Information sub-model with the nodes Network, L3-Network, L2-Network, Interface, IP-Address, MAC-Address, Port, Service, Device, User.]
  • NMSes send their scanning results to specific interfaces which add the info to the Blackboard
  • A Service runs at a Port opened on a NIC with an IP-Address belonging to a L3-Network
  • A Device has a NIC with a MAC-Address and an assigned IP-Address
  • A User is logged into a Device
  • A User uses a Service

  18. Alert Information Model – Examples
  [Figure: Alert Processing sub-model with the nodes Alert, Consequences, Attack, Target, Source, Alert Context, Priority.]
  • IDSes send IDMEF messages containing alerts to specific Blackboard Interfaces
  • IDMEF alerts are normalized and combined into an Alert Context
    • Source (of attack)
    • Target (of attack)
    • Attack (type)
  • Alert and Alert Context nodes have a Priority

  19. Implementation
  • Python 3
  • Object-oriented implementation of the Information Model
  • Automatic translation of class structures to a suitable database design
  • Two different databases/database types used:
    • Relational: PostgreSQL
    • Graph-based: OrientDB
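As an added example that is not the authors' prototype, the following Python 3 sketch shows the blackboard idea of slides 12 to 14 together with the alert sub-model of slide 18: an Interface inserts normalised alerts as immutable originals, and the Aggregation, Prioritisation and Response Identification modules only add intermediate results (Alert Context, Priority, Response) that later modules reuse. The IDMEF-like dicts, the priority weights and the threshold are constructed assumptions, not values from the paper.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Original information: an immutable node, so no later module can alter it
Alert = namedtuple("Alert", "id source_ip target_ip attack")

@dataclass
class AlertContext:  # intermediate result shared by all modules via the blackboard
    key: tuple  # (source_ip, target_ip, attack)
    alert_ids: list = field(default_factory=list)
    priority: int = 0
    response: str = ""

class Blackboard:
    def __init__(self):
        self.alerts = {}    # id -> Alert (originals, written once by an Interface)
        self.contexts = {}  # key -> AlertContext (intermediate results)
    def insert(self, raw):  # Interface: normalise an IDMEF-like message into an Alert node
        a = Alert(raw["messageid"], raw["Source"]["Address"],
                  raw["Target"]["Address"], raw["Classification"])
        self.alerts[a.id] = a

def aggregate(bb):  # Aggregation module: fold originals with the same triple into one context
    for a in bb.alerts.values():
        key = (a.source_ip, a.target_ip, a.attack)
        ctx = bb.contexts.setdefault(key, AlertContext(key))
        if a.id not in ctx.alert_ids:
            ctx.alert_ids.append(a.id)
def prioritise(bb, critical_hosts):  # Prioritisation module: repeats against critical targets rank higher
    for ctx in bb.contexts.values():
        ctx.priority = len(ctx.alert_ids) * (3 if ctx.key[1] in critical_hosts else 1)
def identify_response(bb, threshold):  # Response Identification: reads only intermediate results
    for ctx in bb.contexts.values():
        if ctx.priority >= threshold:
            ctx.response = "block " + ctx.key[0]  # e.g. block the rogue source host
def idmef(mid, src, dst, cls):  # constructed IDMEF-like message; not a real IDMEF parser
    return {"messageid": mid, "Source": {"Address": src},
            "Target": {"Address": dst}, "Classification": cls}
SAMPLE_ALERTS = [idmef("a1", "192.0.2.10", "10.0.0.5", "port-scan"),  # constructed input
                 idmef("a2", "192.0.2.10", "10.0.0.5", "port-scan"),
                 idmef("a3", "192.0.2.77", "10.0.0.9", "brute-force")]

def run(raw_alerts=SAMPLE_ALERTS, critical_hosts=frozenset({"10.0.0.5"}), threshold=6):
    bb = Blackboard()
    for raw in raw_alerts:
        bb.insert(raw)
    aggregate(bb)
    prioritise(bb, critical_hosts)
    identify_response(bb, threshold)
    return bb
```

After `run()`, the three original alerts are still present unchanged, while the two port-scan alerts have been folded into one context with priority 6 and a response, and the single brute-force alert stays below the threshold.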
