building a distributed intrusion detection system with perl n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Building a distributed intrusion detection system with Perl PowerPoint Presentation
Download Presentation
Building a distributed intrusion detection system with Perl

Loading in 2 Seconds...

play fullscreen
1 / 25

Building a distributed intrusion detection system with Perl - PowerPoint PPT Presentation


  • 112 Views
  • Uploaded on

Building a distributed intrusion detection system with Perl. Diego Zamboni CERIAS, Purdue University zamboni@cerias.purdue.edu. What is AAFID?. Autonomous Agents for Intrusion Detection Architecture for distributed monitoring Test bed for intrusion detection techniques and algorithms

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Building a distributed intrusion detection system with Perl' - clark-alston


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
building a distributed intrusion detection system with perl

Building a distributed intrusion detection system with Perl

Diego Zamboni

CERIAS, Purdue University

zamboni@cerias.purdue.edu

what is aafid
What is AAFID?
  • Autonomous Agents for Intrusion Detection
  • Architecture for distributed monitoring
  • Test bed for intrusion detection techniques and algorithms
  • Basis for a prototype implementation
system architecture
System Architecture

D

C

B

E

A

UI

Agents

Control

Monitors

Data

Transceivers

Filters

some design objectives
Some design objectives
  • All entities must run both as stand-alone programs and as loadable modules
  • All infrastructure functionality must be provided by base entities
  • Different types of entities have different functionality requirements
why perl
Why Perl?
  • Ease of prototyping
  • Portability
our object hierarchy aafid
Our object hierarchy (AAFID::)

Log

Event handling/communication

Reactor

Comm

Entity

Message

Filter

Agent

ControllerEntity

Common

Individual

filters

Individual

agents

Config

Constants

Transceiver

Monitor

event handler
Event handler
  • Comm::Reactor implements a general event handler
  • Can react to file, time and signal events
  • Arbitrary callbacks (code refs)
  • Implemented using IO::Select
  • Using class methods instead of instance methods caused some nasty bugs
cool uses of perl 1 defining new commands
Cool uses of Perl #1:defining new commands
  • Entities react to commands
  • Command CMD is defined by a subroutine called command_CMD
  • New commands can be added with very little effort just by defining the appropriate subroutines
cool uses of perl 2 named parameters
Cool uses of Perl #2: named parameters
  • Entity objects are represented by a hash reference
  • Entity parameters are stored as elements in that hash
  • Each entity is tied to a hash to allow easy access to parameters ($Params{param} instead of$self->{param})
cool uses of perl 3 hash syntax
Cool uses of Perl #3: hash syntax
  • Allows having a very general “data” field in AAFID messages:

command add_fs … FS=>”/”, Limit=>85

  • Data::Dumper and eval do all the work for generating and interpreting data fields
  • Eval: potential security problems
cool uses of perl 4 code generation tool
Cool uses of Perl #4: code generation tool
  • Reads a description file, writes Perl code
  • Inserts # line “file”comments to produce meaningful error messages
  • Allows definition of new commands with named parameters
a very simple agent
A very simple agent

NAME: CheckRoot

AUTHOR: Diego Zamboni

DESCRIPTION: Check root dir permissions

VERSION: 0.1

PERIOD: 10

CHECK:

if (-w “/”) {

return(10,”Root dir is writable”);

else {

return(0,”Everything ok”);

}

communication mechanisms
Communication mechanisms
  • Transceiver-agent: Unix pipes
  • Monitor-transceiver: TCP
  • Both are transparently used as IO::Handles (at least in Unix)
  • All communications are encapsulated, so they are easy to replace or upgrade
other aspects
Other aspects
  • Graphical User Interface
    • Uses Tk package
    • Very early stages
    • Subject for a lot of future research
some cpan modules we used
Some CPAN modules we used
  • IO::{Handle,Select,Socket,File}
  • Data::Dumper
  • Resources
  • Log::Topics
  • Tk
did perl live up to our original expectations
Did Perl live up to our original expectations?
  • Ease of prototyping
    • Yes: we had the first working entities in ~2 weeks
  • Portability
    • So-so: we are still struggling with NT
some lessons learned 1
Some lessons learned (1)
  • Perl made it easy to build a large system quickly
  • Perl was the right choice for most entities (data manipulation)
  • Object-oriented design made growth much easier
some lessons learned 2
Some lessons learned (2)
  • Big resource usage for our needs
    • We need tens, maybe hundreds of agents per host
  • Even within the Unix domain, some things differ (Linux/Solaris, for example)
some things we learned 3
Some things we learned (3)
  • It’s difficult to debug a distributed system
    • A detailed “debug log” mode helps
  • In a big system, Perl requires programmers to be very careful
current state
Current state
  • AAFID2 is now in its second public release
  • http://www.cerias.purdue.edu/projects/aafid/
  • Runs on 5.005 (haven’t tested in 5.6.0)
the future
The future
  • Try using threads instead of separate processes
  • Combine Perl components with low-level sensors
  • Fix all those bugs