Grid-wide Intrusion Detection Stuart Kenny*, Brian Coghlan Trinity College Dublin.
Grid-wide Intrusion Detection
Stuart Kenny*, Brian Coghlan
Trinity College Dublin
December 2004 Grid-wide Intrusion Detection 2
Overview
• SANTA-G
• SANTA-G NetTracer
• Intrusion Detection System
• Summary
SANTA-G
• Developed by TCD within CrossGrid
• Framework for accessing monitoring information via the Grid InfoSys
• Info providers insert data periodically
– Inefficient, or impossible, when dealing with large amounts of data
– Better to leave data where it was created
– Data transferred only when requested by a client
SANTA-G
Figure: SANTA-G data path. Conventional path: the Information Provider inserts Data into the Grid Information System, which answers Client Request/Data. SANTA-G path: the Grid Information System forwards Request/Data to SANTA-G, which forwards Request/Data to the Information Source, so the data stays at its source until a client asks for it.
SANTA-G NetTracer
• Demonstrates the SANTA-G framework
• Access libpcap logfiles via EDG R-GMA
– Tcpdump logfiles, network monitoring
– SNORT logfiles, intrusion detection
• Uses R-GMA CanonicalProducer (TCD)
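The pull model NetTracer is built on, as an added example in Python (not NetTracer's or SANTA-G's own code, which uses the R-GMA Java API): a sensor validates a libpcap trace file and publishes only its metadata to a registry, and a query engine opens the file only when a client query arrives. The Registry and QueryEngine classes, the sensor id "sensor-A", the time-range query and the three-packet capture are all constructed here to illustrate the architecture; the libpcap header layout is the standard one.

```python
# Added example, not SANTA-G/NetTracer code: a pull-model sensor and query
# engine over libpcap files. Registry, QueryEngine, the sensor id and the
# sample capture are placeholders standing in for R-GMA registration and
# the CanonicalProducer query path.
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4                 # libpcap magic, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


@dataclass
class LogFileInfo:
    """Metadata the sensor publishes; the packets themselves stay on disk."""
    path: str
    link_type: int
    snaplen: int
    size: int


def read_global_header(path: str) -> LogFileInfo:
    """Validate the libpcap global header and return the file's metadata."""
    with open(path, "rb") as f:
        hdr = f.read(GLOBAL_HDR.size)
    if len(hdr) < GLOBAL_HDR.size:
        raise ValueError("truncated libpcap header")
    magic, major, minor, _tz, _sig, snaplen, link_type = GLOBAL_HDR.unpack(hdr)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file (magic %#x)" % magic)
    if (major, minor) != (2, 4):
        raise ValueError("unsupported libpcap version %d.%d" % (major, minor))
    return LogFileInfo(path, link_type, snaplen, os.path.getsize(path))


def iter_records(info: LogFileInfo) -> Iterator[Tuple[float, int, int]]:
    """Yield (timestamp, captured_len, original_len) per record, skipping payload bytes.
    A record longer than snaplen (or than its own orig_len) cannot come from
    tcpdump, so a corrupt or planted file is rejected instead of misread."""
    with open(info.path, "rb") as f:
        f.seek(GLOBAL_HDR.size)
        while True:
            raw = f.read(PKT_HDR.size)
            if len(raw) < PKT_HDR.size:
                return
            sec, usec, incl_len, orig_len = PKT_HDR.unpack(raw)
            if incl_len > info.snaplen or incl_len > orig_len:
                raise ValueError("malformed record at offset %d" % (f.tell() - PKT_HDR.size))
            f.seek(incl_len, os.SEEK_CUR)
            yield sec + usec / 1e6, incl_len, orig_len


class Registry:
    """Stand-in for the Grid InfoSys: holds only what sensors registered."""
    def __init__(self) -> None:
        self.files: Dict[str, List[LogFileInfo]] = {}

    def register(self, sensor_id: str, info: LogFileInfo) -> None:
        self.files.setdefault(sensor_id, []).append(info)


class QueryEngine:
    """Stand-in for the NetTracer query engine: opens trace files only when invoked."""
    def __init__(self, registry: Registry) -> None:
        self.registry = registry

    def records_between(self, sensor_id: str, t0: float, t1: float) -> List[Tuple[float, int, int]]:
        hits: List[Tuple[float, int, int]] = []
        for info in self.registry.files.get(sensor_id, []):
            hits.extend(r for r in iter_records(info) if t0 <= r[0] <= t1)
        return hits


def write_sample_pcap(path: str) -> None:
    """Constructed three-packet capture (link type 1 = Ethernet, arbitrary payload bytes)."""
    packets = [(1102000000, 0, b"\x00" * 60),
               (1102000001, 500000, b"\x01" * 80),
               (1102000002, 0, b"\x02" * 1500)]
    with open(path, "wb") as f:
        f.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
        for sec, usec, payload in packets:
            f.write(PKT_HDR.pack(sec, usec, len(payload), len(payload)))
            f.write(payload)


def demo() -> Tuple[LogFileInfo, List[Tuple[float, int, int]]]:
    """Sensor registers metadata; a client query pulls matching records on demand."""
    trace_dir = tempfile.mkdtemp()
    path = os.path.join(trace_dir, "trace-0001.pcap")
    write_sample_pcap(path)
    registry = Registry()
    info = read_global_header(path)
    registry.register("sensor-A", info)   # only metadata crosses the information system
    engine = QueryEngine(registry)
    hits = engine.records_between("sensor-A", 1102000000.5, 1102000002.0)
    return info, hits


if __name__ == "__main__":
    meta, rows = demo()
    print(meta)
    for row in rows:
        print(row)
```

The header checks matter because the query engine runs at the site that owns the trace directory, on files that any process able to write there can plant; rejecting a record whose captured length exceeds snaplen keeps a bad file from being walked as if it were valid.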
SANTA-G NetTracer
Figure: NetTracer architecture. Tcpdump writes network data to Log Files in the Trace Directory; the SANTA-G Sensor monitors the directory and registers log file info (Sensor ID, sensor and log file information) in R-GMA via the LatestProducer API; R-GMA invokes the SANTA-G QueryEngine via the CanonicalProducer API to answer queries against the log files; the SANTA-G Viewer queries R-GMA via the Consumer API.
SANTA-G Intrusion Detection
We can use the SNORT functionality of NetTracer as the basis of a Grid-wide intrusion detection system.
SANTA-G Intrusion Detection
Figure: NetTracer with SNORT. SNORT writes the Packet log file in the Trace Directory; the SANTA-G Sensor monitors it and registers Sensor ID, log file info and alerts in R-GMA via the LatestProducer API; R-GMA invokes the SANTA-G QueryEngine via the CanonicalProducer API; the SANTA-G Viewer receives Alerts via the Consumer API.
Grid Intrusion Detection
• Each site hosts NetTracer
• SNORT sensors on each monitored node
• Detected alerts are streamed to R-GMA
• Grid-wide intrusion log:
– GOC collects alerts from multiple sites
– Uses R-GMA archiver
Grid Intrusion Detection
Figure: Grid-wide deployment. At Multiple Sites, Worker Nodes run Sensor + SNORT and stream Alerts into the Grid Information System (R-GMA). At the Grid Operations Centre an Archiver stores the alerts in a MySQL DB, and a Query Consumer issues a Query for alerts (Query / Stream / Response) and sends Emails: Grid-wide Intrusion alerts.
Grid-wide Intrusion Alerts
• Grid-wide alerts:
– GOC runs custom Consumers querying for specific alert patterns
– Consumers send alerts if a pattern is detected
• An example filter might be:

    // Continuous R-GMA query: every new snortAlerts row whose message
    // matches is streamed to this consumer. The SQL literal uses single
    // quotes so it can sit inside the Java string.
    Consumer ddosConsumer = new Consumer("SELECT * FROM snortAlerts " +
        "WHERE message='DDOS mstream client to handler'", Consumer.CONTINUOUS);
    while (true) {
        // pop() hands back the rows received since the previous pop()
        ResultSet ddosAlerts = ddosConsumer.pop();
        while (ddosAlerts.next()) {
            sendEmailAlert(ddosAlerts.getString("alert_timestamp"), …
        }
    }
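What the GOC-side consumer does once the rows arrive, as an added example in Python rather than the deck's own R-GMA Java consumer: Snort "fast"-format alert lines from several sites are parsed into rows tagged with site and sensor, the deck's WHERE message='...' filter is applied, and, going one step beyond the slide, alerts are correlated across sites so that a signature seen at two or more sites becomes a single Grid-wide alert. The site and sensor names, addresses (documentation ranges) and gid:sid:rev values are constructed and need not match any shipped ruleset; the R-GMA stream is replaced by an in-memory list, and the e-mail text is returned instead of sent.

```python
# Added example, not the deck's own code: a stand-in for the GOC consumers
# that filter and correlate Snort alerts collected from several sites.
# Site names, sensor names, addresses and gid:sid:rev values are constructed.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, optional
# classification and priority, protocol, src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass(frozen=True)
class SnortAlert:
    """One row of the snortAlerts table: the parsed line plus where it came from."""
    site: str
    sensor: str
    timestamp: str   # Snort fast format carries no year, so it is kept as text
    sid: int
    message: str
    src: str
    dst: str


def parse_fast_alert(site: str, sensor: str, line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a well-formed fast-format line, None otherwise."""
    m = FAST_RE.match(line)
    if not m:
        return None
    return SnortAlert(site, sensor, m["ts"], int(m["sid"]), m["msg"], m["src"], m["dst"])


# Constructed sample of what three sites' sensors might stream into R-GMA.
SAMPLE_STREAM: List[Tuple[str, str, str]] = [
    ("site-A", "wn01", "12/07-10:15:22.123456  [**] [1:245:2] DDOS mstream client to handler [**] "
                       "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.5:1234 -> 198.51.100.10:15104"),
    ("site-A", "wn02", "12/07-10:15:30.000100  [**] [1:469:3] ICMP PING NMAP [**] "
                       "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.9 -> 198.51.100.11"),
    ("site-B", "wn07", "12/07-10:16:01.654321  [**] [1:245:2] DDOS mstream client to handler [**] "
                       "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:1234 -> 198.51.100.20:15104"),
    ("site-C", "wn03", "12/07-10:16:40.000000  [**] [1:1000001:1] LOCAL suspicious gridftp login [**] "
                       "[Priority: 3] {TCP} 203.0.113.33:40000 -> 198.51.100.5:2811"),
    ("site-C", "wn03", "this line is not a Snort alert and must be skipped"),
]


def ingest(stream: Iterable[Tuple[str, str, str]]) -> List[SnortAlert]:
    """Parse every (site, sensor, line); malformed lines are dropped, not allowed to stop the consumer."""
    alerts: List[SnortAlert] = []
    for site, sensor, line in stream:
        alert = parse_fast_alert(site, sensor, line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def filter_by_message(alerts: Iterable[SnortAlert], message: str) -> List[SnortAlert]:
    """Equivalent of the deck's continuous query: WHERE message='...'."""
    return [a for a in alerts if a.message == message]


def correlate_across_sites(alerts: Iterable[SnortAlert], min_sites: int = 2) -> Dict[int, Tuple[str, Set[str]]]:
    """Grid-wide pattern: the same signature (sid) seen at min_sites or more distinct sites."""
    sites: Dict[int, Set[str]] = defaultdict(set)
    messages: Dict[int, str] = {}
    for a in alerts:
        sites[a.sid].add(a.site)
        messages[a.sid] = a.message
    return {sid: (messages[sid], s) for sid, s in sites.items() if len(s) >= min_sites}


def grid_wide_alert_emails(alerts: Iterable[SnortAlert], min_sites: int = 2) -> List[str]:
    """Text the GOC would mail out; returned rather than sent so it can be checked offline."""
    out: List[str] = []
    for sid, (msg, sites) in sorted(correlate_across_sites(alerts, min_sites).items()):
        out.append("Grid-wide intrusion alert: sid %d '%s' seen at %d sites: %s"
                   % (sid, msg, len(sites), ", ".join(sorted(sites))))
    return out


if __name__ == "__main__":
    rows = ingest(SAMPLE_STREAM)
    for a in filter_by_message(rows, "DDOS mstream client to handler"):
        print("site match:", a.site, a.sensor, a.timestamp, a.src, "->", a.dst)
    for mail in grid_wide_alert_emails(rows):
        print(mail)
```

Matching on the exact message string, as the slide's query does, is brittle across sensors running different rule revisions; keying the cross-site correlation on the sid instead survives a message-text change, while the per-site filter keeps the deck's semantics.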
Summary
• The SANTA-G framework allows client access to monitoring data through the Grid InfoSys
• Example provided by SANTA-G NetTracer
• SNORT functionality of NetTracer used to construct a Grid-wide IDS
• Alerts from multiple sites collected by the GOC
• GOC analyses the IDS log and generates Grid-wide intrusion alerts
• To be deployed on Grid-Ireland Jan '05