Grid-wide Intrusion Detection
Stuart Kenny*, Brian Coghlan
Trinity College Dublin
December 2004 Grid-wide Intrusion Detection 2
Overview
• SANTA-G
• SANTA-G NetTracer
• Intrusion Detection System
• Summary
SANTA-G
• Developed by TCD within CrossGrid
• Framework for accessing monitoring information via the Grid Information System (Grid InfoSys)
• Information providers normally insert data into the InfoSys periodically
– Inefficient, or impossible, when dealing with large amounts of data
– Better to leave the data where it was created
– Data is transferred only when requested by a client
SANTA-G
(Diagram) A Client sends a Request to the Grid Information System and receives Data. An Information Provider pushes Data into the Grid Information System; SANTA-G instead relays the Request to the Information Source and returns its Data on demand.
SANTA-G NetTracer
• Demonstrates the SANTA-G framework
• Access to libpcap logfiles via EDG R-GMA (Relational Grid Monitoring Architecture)
– Tcpdump logfiles: network monitoring
– SNORT logfiles: intrusion detection
• Uses the R-GMA CanonicalProducer (TCD)
SANTA-G NetTracer
(Diagram) Tcpdump writes network data to Log Files in a Trace Directory. The SANTA-G Sensor monitors the directory and registers log file information, together with its Sensor ID, in R-GMA via the LatestProducer API. The SANTA-G QueryEngine is invoked through the CanonicalProducer API to answer queries against the sensor and log file information. The SANTA-G Viewer queries R-GMA via the Consumer API.
SANTA-G Intrusion Detection
The SNORT functionality of NetTracer can be used as the basis of a Grid-wide intrusion detection system.
SANTA-G Intrusion Detection
(Diagram) SNORT writes a Packet log file to the Trace Directory. The SANTA-G Sensor monitors it and registers its Sensor ID, log file information and Alerts in R-GMA via the LatestProducer API. The SANTA-G QueryEngine publishes through the CanonicalProducer API. The SANTA-G Viewer receives the Alerts via the Consumer API.
SANTA-G Intrusion Detection
Grid Intrusion Detection
• Each site hosts NetTracer
• SNORT sensors on each monitored node
• Detected alerts are streamed to R-GMA
• Grid-wide intrusion log:
– The GOC (Grid Operations Centre) collects alerts from multiple sites
– Uses the R-GMA Archiver
Grid Intrusion Detection
(Diagram) At Multiple Sites, Sensor + SNORT on the Worker Nodes publish Alerts into the Grid Information System (R-GMA). At the Grid Operations Centre an Archiver stores them in a MySQL DB, and a Query Consumer queries for alerts (Query, Stream, Response) and sends Emails carrying the Grid-wide intrusion alerts.
Grid-wide Intrusion Alerts
• Grid-wide alerts:
– GOC runs custom Consumers querying for specific alert patterns
– Consumers send alerts if a pattern is detected
• An example filter might be:

    // Continuous R-GMA query for one Snort signature; SQL string literals take single quotes
    Consumer alerts = new Consumer(
        "SELECT * FROM snortAlerts WHERE message='DDOS mstream client to handler'",
        Consumer.CONTINUOUS);
    while (true) {
        ResultSet ddosAlerts = alerts.pop();          // tuples that have arrived since the last pop
        while (ddosAlerts.next()) {
            sendEmailAlert(ddosAlerts.getString("alert_timestamp"), …);  // further fields elided on the slide
        }
    }
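The GOC's pattern-matching Consumer, as an added example that is not code from the slides or from the SANTA-G/NetTracer project. It stands in for the pipeline of the two preceding slides: Snort "fast"-format alert lines from three sites are parsed into an in-memory SQLite table named snortAlerts, the slide's filter on message='DDOS mstream client to handler' is run as a parameterised query, and a second query picks out signatures seen at two or more sites, which is the cross-site correlation a single site's Snort cannot do. The sample lines, site names, SIDs and every column other than alert_timestamp and message are constructed for this example; the real R-GMA schema and Consumer API are not used.

```python
import re
import sqlite3

# Constructed sample input (not from the slides): Snort "fast"-format alert
# lines as three sites' NetTracer sensors might stream them, tagged with the
# site they came from. Site names are invented; the SIDs come from Snort's
# local-rule range (>= 1000000) and are illustrative, not real rule IDs.
SAMPLE_ALERTS = [
    ("site-a", "12/06-13:08:57.291254  [**] [1:1000001:1] DDOS mstream client to handler [**] "
               "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} "
               "198.51.100.7:40123 -> 192.0.2.15:15104"),
    ("site-a", "12/06-13:09:02.004511  [**] [1:1000002:1] ICMP PING NMAP [**] "
               "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} "
               "198.51.100.7 -> 192.0.2.16"),
    ("site-b", "12/06-13:10:41.871209  [**] [1:1000001:1] DDOS mstream client to handler [**] "
               "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} "
               "198.51.100.7:40124 -> 203.0.113.22:15104"),
    ("site-c", "12/06-13:12:15.550000  [**] [1:1000003:1] SSH brute force attempt [**] "
               "[Priority: 3] {TCP} 198.51.100.99:51200 -> 203.0.113.80:22"),
    ("site-c", "# sensor restarted - not an alert line"),
]

# One Snort fast-format alert per line; the Classification field is optional
# and ICMP alerts carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_hostport(addr):
    """'198.51.100.7:40123' -> ('198.51.100.7', 40123); a portless (ICMP) address -> (addr, None)."""
    host, sep, port = addr.rpartition(":")
    return (host, int(port)) if sep else (addr, None)


def parse_fast_alert(line):
    """Parse one fast-format line into a dict, or return None for non-alert lines."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"], d["prio"] = int(d["sid"]), int(d["prio"])
    d["src_ip"], d["src_port"] = split_hostport(d.pop("src"))
    d["dst_ip"], d["dst_port"] = split_hostport(d.pop("dst"))
    return d


def load_alerts(tagged_lines):
    """Load parsed alerts into an in-memory table shaped like the slides' snortAlerts
    (column names other than alert_timestamp and message are this example's own)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE snortAlerts (site TEXT, alert_timestamp TEXT, sid INTEGER, "
        "message TEXT, priority INTEGER, proto TEXT, src_ip TEXT, dst_ip TEXT, dst_port INTEGER)"
    )
    for site, line in tagged_lines:
        a = parse_fast_alert(line)
        if a is None:
            continue  # sensor noise, not an alert
        conn.execute(
            "INSERT INTO snortAlerts VALUES (?,?,?,?,?,?,?,?,?)",
            (site, a["ts"], a["sid"], a["msg"], a["prio"], a["proto"],
             a["src_ip"], a["dst_ip"], a["dst_port"]),
        )
    conn.commit()
    return conn


def alerts_matching(conn, message):
    """The slide's filter: all alerts with one exact Snort message, passed as a bound
    parameter rather than spliced into the query text."""
    return conn.execute(
        "SELECT site, alert_timestamp, src_ip, dst_ip FROM snortAlerts "
        "WHERE message = ? ORDER BY alert_timestamp",
        (message,),
    ).fetchall()


def grid_wide_signatures(conn, min_sites=2):
    """Signatures seen at >= min_sites distinct sites, with the number of distinct
    source hosts: the cross-site view a single site's Snort cannot produce."""
    return conn.execute(
        "SELECT message, COUNT(DISTINCT site), COUNT(DISTINCT src_ip) FROM snortAlerts "
        "GROUP BY message HAVING COUNT(DISTINCT site) >= ? "
        "ORDER BY COUNT(DISTINCT site) DESC, message",
        (min_sites,),
    ).fetchall()


def email_body(message, rows):
    """Text of the alert e-mail the GOC consumer would send (format is this example's own)."""
    sites = sorted({site for site, _, _, _ in rows})
    head = f"Grid-wide alert: '{message}' at {len(sites)} site(s): {', '.join(sites)}"
    return "\n".join([head] + [f"  {s} {ts} {src} -> {dst}" for s, ts, src, dst in rows])


if __name__ == "__main__":
    conn = load_alerts(SAMPLE_ALERTS)
    hits = alerts_matching(conn, "DDOS mstream client to handler")
    print(email_body("DDOS mstream client to handler", hits))
    for message, n_sites, n_sources in grid_wide_signatures(conn):
        print(f"{message}: {n_sites} sites, {n_sources} distinct source(s)")
```

Two points carry over to a real deployment. The alert rows originate on worker nodes at many sites, so their message text and addresses are data from only partly trusted producers: bind them as parameters, as above, rather than building the Consumer's SQL by string concatenation, and treat a node that emits malformed or implausible alerts as an incident in itself. The cross-site query is where the Grid-wide archive earns its keep: in the constructed sample, one source host triggers the same signature at two sites, which neither site's own Snort could flag.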
Summary
• SANTA-G framework allows client access to monitoring data through the Grid InfoSys
• Example provided by SANTA-G NetTracer
• SNORT functionality of NetTracer used to construct a Grid-wide IDS
• Alerts from multiple sites collected by the GOC
• GOC analyses the IDS log and generates Grid-wide intrusion alerts
• To be deployed on Grid-Ireland Jan '05