GrIDS -- A Graph Based Intrusion Detection System For Large Networks
Paper by S. Staniford-Chen et al.

Transcript of the slide deck …jones/cs451/slides/grids3.ppt (PPT file, web view dated 2006-10-18; 21 pages).

Page 1

GrIDS -- A Graph Based Intrusion Detection System For Large Networks

Paper by S. Staniford-Chen et al.

Page 2

10/06

Overview

• General facts about GrIDS
• Scalability
• Architecture
• Management
• Additional features
• Limitations

Page 3

Security Policy

• Used to detect & analyze large-scale attacks
  – Worms
  – Network sweeps
  – User specified patterns of attack
• Anomaly detection
• Can report on per-host basis

Page 4

GrIDS -- Environment

• Runs on Unix hosts connected by IP nets
• Intended for large networks (thousands of hosts & hundreds of IP sub-nets)
• Assumes that network belongs to single organization with autonomous departments
• No part of network is “actively hostile”

Page 5

What does GrIDS do?

• Graph-based Intrusion Detection System
• Records network activity
• Aggregates data of interest
• Builds activity graphs
• Performs pattern matching
• Determines “unexpected” behavior

Page 6

Scalability via Aggregation

• Models an organization as hierarchy of departments (composed of computers)

• Each department builds & evaluates graphs of activity within the department

• Sub-graphs are embedded in larger graphs, so an entire department may be represented by a single node in a high-level graph

Page 7

Scalability via Aggregation

• Graphs scale & are always manageable
  – Low level graphs depict part of organization
  – High levels summarize information found in low level graphs
• GrIDS aggregates data; can it see low level intrusion?
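The aggregation step the two "Scalability via Aggregation" slides describe, as an added example that is not GrIDS code: a host-level graph is folded into a department-level graph in which each department is a single node. The department table, the sample traffic, the "internal" and "hosts" attributes and the max_fanout measure are all constructed for this illustration; a real deployment takes the hierarchy from the organizational hierarchy server.

```python
# Constructed hierarchy: department -> member hosts. A real GrIDS deployment
# gets this from the organizational hierarchy server.
DEPARTMENTS = {
    "eng": {"eng1", "eng2", "eng3"},
    "sales": {"sales1", "sales2"},
}

# Constructed host-level traffic: eng1 fans out inside its own department,
# then eng and sales both talk to an outside host.
SAMPLE_EDGES = [
    ("eng1", "eng2"), ("eng1", "eng3"),
    ("eng2", "sales1"), ("eng3", "sales1"),
    ("sales1", "ext"),
]


def department_of(host):
    """Map a host to the department node that stands for it one level up."""
    for dept, hosts in DEPARTMENTS.items():
        if host in hosts:
            return dept
    return host  # hosts outside any known department are their own node


def aggregate(edges):
    """Fold a host-level graph into a department-level one. Returns
    (summary, dept_edges): per-department attributes (member hosts seen,
    count of intra-department edges) and inter-department edge counts."""
    summary = {}
    dept_edges = {}
    for s, d in edges:
        ds, dd = department_of(s), department_of(d)
        for dept, host in ((ds, s), (dd, d)):
            summary.setdefault(dept, {"hosts": set(), "internal": 0})["hosts"].add(host)
        if ds == dd:
            summary[ds]["internal"] += 1   # edge stays hidden inside the department node
        else:
            dept_edges[(ds, dd)] = dept_edges.get((ds, dd), 0) + 1
    return summary, dept_edges


def max_fanout(edges):
    """Largest number of distinct destinations contacted by one source node,
    the kind of sweep-like signal a rule set might key on."""
    out = {}
    for s, d in edges:
        out.setdefault(s, set()).add(d)
    return max((len(v) for v in out.values()), default=0)
```

Running aggregate over SAMPLE_EDGES gives a three-node department graph (eng, sales, ext) with two edges in place of the five-node, five-edge host graph. The fan-out of 2 from eng1 is visible at the department level but vanishes one level up, where "eng" is one node with an internal count of 2 and a single destination; that is the slide's question in concrete form, and the answer is that the upper level sees the low-level activity only if the department's rule set carries it upward as a node attribute.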

Page 8

Architecture of GrIDS

• Module controller process - on each host
• Comprised of modules with standardized interfaces:
  – data sources: monitor activity on hosts & networks
  – graph engine: builds graphs & passes them up the hierarchy
  – software manager: manages state of hierarchy & distributed modules

Page 9

Data Sources

• Monitor net: Network sniffers
• Monitor the OS/net: Point IDSs (single host or LAN IDSs)
• Includes extensible mechanism which allows data to be gathered from other security tools without significant change to the tool or to GrIDS

Page 10

Graph Engine

• Nodes represent hosts or departments
• Edges represent network traffic between nodes
• Graph has global attributes which maintain state information about the graph as a whole
• Graphs are built based on rule sets

Page 11

Rule Sets

• Executable specification of a kind of graph (contains preconditions, combining rules)

• Each rule set maintains a graph space containing multiple graphs

• Rules operate independently of one another

Page 12

Rule Sets

• Used to
  – Determine if incoming report (partial graph) should be incorporated into existing graphs
  – Decide if two graphs should combine
  – Compute the attributes of the combined graph
  – Decide what actions to take, if any
• A rule set is inherited by all descendants of the node to which it is applied

Page 13

Updating Graphs

Engine receives report in form of partial graph
  → Meets rule set's preconditions?
      NO  → Discard
      YES → Meets rule set's combining conditions?
              NO  → New graph formed in rule set's graph space
              YES → Incoming graph combined with existing graph

Page 14

Example Rule

Combine node rule {
    res.node.combine = !empty({new.node.alerts, cur.node.alerts})
                       && abs(cur.node.time - new.node.time) < 30;
    res.node.alerts = {cur.node.alerts, new.node.alerts};
    res.node.time = max({cur.node.time, new.node.time});
}

Page 15

Example Assessment Rule

assessments rule {
    (!empty(res.global.alerts)) || (res.global.nnodes >= 8) ||
        (res.global.nedges >= 13) ==> alert(), report-graph();
    (3 < res.global.nnodes < 8) || (5 < res.global.nedges < 13) ==>
        report-graph();
}
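The "Updating Graphs" flowchart (Page 13) and the two example rules (Pages 14 and 15) carried through in working code, as an added example that is not GrIDS code and not the paper's rule language. The Graph class, the report() helper, the precondition (a report must name at least one node, each with a timestamp) and the sequence of sample reports are constructed here; the combine condition, the alert/time attribute rules and the assessment thresholds are taken from the two slides.

```python
from dataclasses import dataclass, field

COMBINE_WINDOW = 30  # seconds; the "< 30" in the slide's combine node rule


@dataclass
class Graph:
    """A (partial) activity graph. Nodes carry the 'alerts' and 'time'
    attributes the example rules use; edges are (src, dst) pairs."""
    nodes: dict = field(default_factory=dict)
    edges: set = field(default_factory=set)

    @property
    def nnodes(self):
        return len(self.nodes)

    @property
    def nedges(self):
        return len(self.edges)

    @property
    def alerts(self):
        # res.global.alerts: the union of every node's alerts
        return set().union(*(n["alerts"] for n in self.nodes.values()))


def report(edges, time, alerts=None):
    """Constructed report format: (src, dst) edges, one timestamp, and an
    optional host -> {alert labels} map."""
    alerts = alerts or {}
    g = Graph()
    for s, d in edges:
        g.edges.add((s, d))
        for h in (s, d):
            g.nodes.setdefault(h, {"alerts": set(alerts.get(h, ())), "time": time})
    return g


def meets_preconditions(rep):
    """Assumed precondition: a report names at least one node, each with a timestamp."""
    return bool(rep.nodes) and all("time" in n for n in rep.nodes.values())


def node_combine(cur, new):
    """The slide's combine node rule, applied to one host present in both graphs."""
    return bool(cur["alerts"] | new["alerts"]) and abs(cur["time"] - new["time"]) < COMBINE_WINDOW


def should_combine(cur, new):
    shared = cur.nodes.keys() & new.nodes.keys()
    return any(node_combine(cur.nodes[h], new.nodes[h]) for h in shared)


def combine(cur, new):
    """Merge 'new' into 'cur' with the slide's attribute rules:
    alerts are unioned, time is the max."""
    res = Graph(dict(cur.nodes), set(cur.edges) | set(new.edges))
    for h, attrs in new.nodes.items():
        if h in res.nodes:
            c = res.nodes[h]
            res.nodes[h] = {"alerts": c["alerts"] | attrs["alerts"],
                            "time": max(c["time"], attrs["time"])}
        else:
            res.nodes[h] = {"alerts": set(attrs["alerts"]), "time": attrs["time"]}
    return res


def assess(g):
    """The slide's assessments rule; returns the set of actions it fires."""
    if g.alerts or g.nnodes >= 8 or g.nedges >= 13:
        return {"alert", "report-graph"}
    if 3 < g.nnodes < 8 or 5 < g.nedges < 13:
        return {"report-graph"}
    return set()


def update_space(space, rep):
    """One pass through the 'Updating Graphs' flowchart for one incoming report."""
    if not meets_preconditions(rep):
        return "discarded"
    for i, g in enumerate(space):
        if should_combine(g, rep):
            space[i] = combine(g, rep)
            return "combined"
    space.append(rep)
    return "new"


def demo():
    """Constructed sequence of reports; returns the flowchart outcome for each
    and the assessment of every graph left in the rule set's graph space."""
    space = []
    outcomes = [update_space(space, report([("h1", "h2")], 100.0, {"h2": {"scan"}}))]  # first report: new graph
    outcomes.append(update_space(space, report([("h2", "h3"), ("h2", "h4")], 120.0)))  # h2 shared, alert present, 20 s apart: combined
    outcomes.append(update_space(space, report([("h2", "h5")], 200.0)))  # h2 timestamps 80 s apart: new graph
    outcomes.append(update_space(space, Graph()))  # empty report fails the precondition: discarded
    return outcomes, [assess(g) for g in space]
```

The combined graph ends up with four nodes, three edges and the inherited "scan" alert, so the assessment rule fires both alert() and report-graph() on it, while the separate two-node graph triggers nothing; a five-node, four-edge graph with no alerts lands in the middle band and only gets report-graph().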

Page 16

Management Modules

• User interface modules for management functions and display of alerts

• Central organizational hierarchy server which has a global view of the topology of the hierarchy, and is responsible for ensuring that changes to the hierarchy happen in a consistent manner

Page 17

Managing the Hierarchy

• Organizational hierarchy server maintains a global picture of hierarchy
• Access control system controls who can view and manage the hierarchy
  – ACL resides at each node & states who can access that node or any node in the sub-tree rooted there
• System managers perform “transactions”

Page 18

Transactions

Typical transactions include:
• moving a department
• adding a new host
• changing the location of the graph engine, etc.
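The per-node ACL from the "Managing the Hierarchy" slide and the "moving a department" transaction from this one, as an added example that is not GrIDS code. A principal may manage a node if it appears in the ACL of that node or of any ancestor, which is what "that node or any node in the sub-tree rooted there" amounts to when read from the node upward. The Hierarchy class, the rule that a move needs rights over both the moved sub-tree and its destination, the cycle check, and the sample department names and ACL entries are all constructed here.

```python
class Hierarchy:
    """Organizational hierarchy: each node has one parent (None for the root)
    and an ACL naming principals allowed to manage its whole sub-tree."""

    def __init__(self):
        self.parent = {}
        self.acl = {}

    def add(self, node, parent=None, acl=()):
        """Transaction: attach a new department or host under an existing parent."""
        if parent is not None and parent not in self.parent:
            raise KeyError(f"unknown parent {parent}")
        self.parent[node] = parent
        self.acl[node] = set(acl)

    def ancestors_and_self(self, node):
        while node is not None:
            yield node
            node = self.parent[node]

    def can_manage(self, principal, node):
        """Granted if the principal is in the ACL of the node or of any ancestor."""
        return any(principal in self.acl[n] for n in self.ancestors_and_self(node))

    def move(self, principal, node, new_parent):
        """Transaction: re-parent a department. Requires rights over the moved
        sub-tree and over the destination, and must not create a cycle."""
        if not (self.can_manage(principal, node) and self.can_manage(principal, new_parent)):
            raise PermissionError(f"{principal} may not move {node} under {new_parent}")
        if node in self.ancestors_and_self(new_parent):
            raise ValueError(f"moving {node} under {new_parent} would create a cycle")
        self.parent[node] = new_parent


def build_sample():
    """Constructed hierarchy: org -> {eng -> eng-build, sales}."""
    h = Hierarchy()
    h.add("org", acl={"root-admin"})
    h.add("eng", parent="org", acl={"eng-admin"})
    h.add("eng-build", parent="eng")
    h.add("sales", parent="org", acl={"sales-admin"})
    return h
```

With this sample, eng-admin can manage eng-build through the ACL on eng but cannot move it under sales, because the destination is outside eng-admin's sub-tree; root-admin can, and after that move the authority over eng-build passes from eng-admin to sales-admin without any ACL being edited, which is the point of placing ACLs on sub-tree roots.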

Page 19

Limitations

• Not secure against attacks targeting GrIDS:
  – substituting in hacked versions of GrIDS at the module level
  – denial of service attacks
  – disruptions of the network time protocol
  – network or computer faults
• Widespread attacks which progress slowly might not be diagnosed by aggregation mechanism

Page 20

Backup

Page 21

Additional Features: Policy Enforcement

• Policies are compiled into rule sets which build graphs & evaluate for policy violations
• Currently, GrIDS only allows for policies stated with respect to a single graph edge (network connection)
• Rule takes form of a tuple:
  (action, time, source, destination, protocol, stage, status, ...)
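A single-edge policy check of the kind this slide describes, as an added example that is not GrIDS code: each policy rule is a tuple over the fields the slide lists, and each graph edge (one network connection) is evaluated against the tuples in order. The slide gives only the field names; the wildcard "*", the dotted-prefix address match, the hour-range form of the time field, the first-match semantics, the default of "allow", the stage and status vocabularies and the sample rules and edges are all constructed here.

```python
# Field order from the slide's tuple, minus the trailing "...". The wildcard,
# prefix and hour-range conventions below are constructed for this example.
FIELDS = ("time", "source", "destination", "protocol", "stage", "status")


def in_window(spec, hour):
    """'*' matches any time; 'HH-HH' matches hours start <= hour < end."""
    if spec == "*":
        return True
    start, end = (int(x) for x in spec.split("-"))
    return start <= hour < end


def match_field(name, spec, value):
    if name == "time":
        return in_window(spec, value)
    if spec == "*":
        return True
    if name in ("source", "destination") and spec.endswith("."):
        return value.startswith(spec)   # dotted-prefix match: "10.0.5." covers 10.0.5.0/24
    return spec == value


def matches(rule, edge):
    return all(match_field(f, rule[f], edge[f]) for f in FIELDS)


def evaluate(policy, edge):
    """Evaluate one edge against the policy; the first matching tuple decides.
    Returns (action, rule), or ("allow", None) when no tuple applies."""
    for rule in policy:
        if matches(rule, edge):
            return rule["action"], rule
    return "allow", None


def violations(policy, edges):
    """Indices of edges whose deciding tuple is a deny, i.e. what a policy
    rule set would flag as violations on the graph."""
    return [i for i, e in enumerate(edges) if evaluate(policy, e)[0] == "deny"]


# Constructed policy: no telnet into the 10.0.5.0/24 segment, and no new
# outbound connections from 10.0.0.0/16 between 00:00 and 06:00.
POLICY = [
    {"action": "deny", "time": "*", "source": "*", "destination": "10.0.5.",
     "protocol": "telnet", "stage": "connect", "status": "*"},
    {"action": "deny", "time": "00-06", "source": "10.0.", "destination": "*",
     "protocol": "*", "stage": "connect", "status": "*"},
]

# Constructed edges (one network connection each); 'time' is the hour of day.
SAMPLE_EDGES = [
    {"time": 14, "source": "10.0.1.4", "destination": "10.0.5.9",
     "protocol": "telnet", "stage": "connect", "status": "ok"},
    {"time": 3, "source": "10.0.1.4", "destination": "192.0.2.10",
     "protocol": "ssh", "stage": "connect", "status": "ok"},
    {"time": 9, "source": "10.0.1.4", "destination": "192.0.2.10",
     "protocol": "ssh", "stage": "connect", "status": "ok"},
]
```

Because every tuple is evaluated against one edge in isolation, a policy such as "no host may contact more than N others" cannot be expressed this way; that needs graph-level attributes like the nnodes and nedges used in the assessment rule, which is the restriction the slide's second bullet points at.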