
Research on Improving the Efficiency of IDS Operations


Presentation Transcript


  1. Research on Improving the Efficiency of IDS Operations
     Faculty of Environment and Information Studies, 4th year: Masayoshi Mizutani (mizutani@SING)
     Supervisor: true / Sub-supervisor: minami

  2. Background
     An Intrusion Detection System (IDS) outputs far too many log events.
     Example: RG-Net monitored by Snort, 2005/1/1 to 7/26
     Average: 66,408 events/day
     Max: 720,679 events/day

  3. Issues
     Finding an intrusion takes time, hosts get infected, and human error creeps in.
     It is too difficult for an operator to find an intrusion.
     (Diagram: Event Log -> IDS -> Operator; the amount of events hides the critical incident.)
     Operator's questions: How much risk? What has happened?

  4. Focus (1/2): Risk of events
     (Diagram: Blaster detections that end up rated very differently)
     • Versatile signature -> False positive
     • Low-quality signature
     • Failed attack -> Low-risk event
     • Non-effective attack -> Low-risk event
     • High-risk event

  5. Focus (2/2): Event assessment
     (Diagram: Event-1 to Event-8 placed on a timeline, grouped by origin: from Host-A, from Host-B)

  6. System overview
     Network Traffic -> Conventional IDS -> Event Log
     Event Log -> Session-based IDS -> Attack Result
     Event Log -> Target-based IDS -> Event Rating
     Attack Result + Event Rating -> Aggregate -> IDS Log Visualizer -> Important Event Log -> Operator

  7. (1) Session-based IDS
     Conventional IDS: attacker sends exploit code -> reported as "Attack", regardless of outcome.
     Session-based IDS: attacker sends exploit code to the target and the target's response is observed.
     • Target returns an error message -> attack failed
     • Target returns an unknown response -> attack succeeded

  8. (2) Target-based IDS
     Attacker sends exploit code for Windows.
     • Target is Windows -> attack is risky
     • Target is Linux -> attack is no risk

  9. (3) Log Visualizer
     EVENT LOG
     00:13 Port Scan
     00:15 Version Scan
     00:17 Exploit Attempt
     00:27 Port Scan
     00:28 Version Scan
     00:55 Exploit Attempt
     (Diagram: Port Scan, Version Scan and Exploit Code plotted on a 00:00 to 01:00 timeline; Correlation(?))

  10. System design
     Event Log DB + Target-based IDS & Log Visualizer
     Host DB (static IP addresses, DHCP-based OS fingerprinting)
     Session-based IDS
     Operator

  11. Implementation: Session-based IDS

  12. Implementation: Log Visualizer
     • Demo

  13. Implementation: Log Visualizer
     Correlation of events from some IP address

  14. Research & Activities
     • Papers
       • "Building a Log Visualization System for IDS"
         IPSJ Distributed Systems / Internet Operation Technology Symposium 2003
       • "Design and Implementation of Session Based IDS"
         IEICE 2005 Special Issue on Next-Generation Internet Software
       • "Proposal and Implementation of a Protocol-Anomaly Defense Method Based on Session Tracking"
         IPSJ 12th Workshop on Multimedia Communication and Distributed Processing 2004
       • "The Design and Implementation of Session Based IDS"
         Technical Typesetters: "Electronics and Communications in Japan, Part I"
     • Software
       • Session-based IDS "ROOK": http://matinee.sfc.wide.ad.jp/blitz/rook/
       • Log Visualizer "BISHOP": http://matinee.sfc.wide.ad.jp/blitz/bishop

  15. Schedule
     • Aug: Integration
     • Sep: Integration, Evaluation
     • Oct: Evaluation
     • Nov: Write paper
     • Dec: Submit paper
     • Jan. 2006: Final presentation
     To do: Integration, Evaluation, Paper

  16. Evaluation
     • Quantitative evaluation
       • Event reduction
       • Comparison with other IDS implementations
       • Performance
       • Properness of events
     • Qualitative evaluation
       • Comparison with traditional log analysis tools

  17. Conclusion
     • Issues
     • Approach
       • Session-based IDS
       • Target-based IDS
       • Log Visualizer
     • To do
       • Integration
       • Re-evaluation
       • Paper

  18. Thank you.
