Indra A Peertopeer Approach to Intrusion Detection and Prevention

1
Indra A Peer-to-peer Approach to Intrusion
Detection and Prevention

• Ramaprabhu Janakiraman
• Marcel Waldvogel
• Qi Zhang

2
Intrusion Detection

• Intrusion
• Break-in Unauthorized access to resources and
  data
• Denial-of-service Use of resources in
  undesirable ways
• Detection
• Signature Bad guy's activity different from
  regular users'
• Detection depends on monitoring system for
  suspicious activity

What happens upon detection?
3
Intrusion Prevention

• Passive Systems
• Notify a human agent (system administrator)
• Response time relatively high, depends on human
  factors
• Active Systems
• System automatically takes action to
  contain/eliminate threat
• Low response times
• Potential for abuse

We will focus on active systems
4
Collaborative Intrusion Detection

• Basis
• Spatial correlation same attacker tries multiple
  hosts
• Temporal correlation many attackers try same
  attack at once
• Statistic gt 100 failed attempts for every
  successful crack

5
What is Indra?

• INDRA Intrusion Detection and Rapid Action
• Features
• Distributed, collaborative active intrusion
  detection system
• Active takes preventive action with low
  response time
• Collaborative scales well with size of network
• Uses peer-to-peer mechanisms for group
  communication
• Ensures secure communication using trust and
  reputation (soon)
• Extensible to support new services, and fix new
  vulnerabilities
• Written in Java, so code can execute in secure
  sandbox

6
Peer-to-peer Collaboration

• Group communication
• Collaborative IDS need secure group communication
• IP Multicast cannot be relied on
• Overlay, or end-system multicast over
  peer-to-peer networks
• Randomized sending
• Layer-7 throttling

7
Why is Indra useful?

• IDS techniques
• Collaborative scales well with size of network
• Active takes preventive action with low
  response time
• Security
• Uses strong cryptographic primitives for secure
  communication
• Implemented in Java, code executes in sandbox
• Communication
• Variety of communication protocols (TCP/UDP,
  overlay multicast, Java RMI)
• E-mail gateway enables admin to send patches to
  thousands of vulnerable machines instantly
• Use existing work on overlay multicast mechanisms
  instead of reinventing the wheel

8
How does Indra work?

• Indra basics
• Every node on the IDS network runs a set of Indra
  daemons
• Daemons watch for intrusion activity locally and
  in peers
• Report intrusion attempts to peers using the peer
  network
• Controls access to resources accordingly

9
Indra Layers
10
Trust and Indra

• Cryptographic primitives
• Public key cryptography for both security and
  authentication
• Indra daemons identified by unique keys generated
  by admin
• Security layer encapsulates cryptographic
  functions
• Cryptographic primitives
• Depends on central key server to certify public
  keys
• Existing PGP key server network may be used
• Does not scale well with number of nodes
• Web of trust model
• Certain nodes have pre-assigned trust
• Trust for new nodes computed using transitive
  trust relations
• Heuristics like maximum flow may be used

11
Indra Daemons

• Watcher
• Monitors inputs for suspicious activity
• Existing IDS may be implemented as pluggable
  watcher
• Listener
• Gathers warnings from watchers and informs Access
  Controller
• Central point of information gathering
• Access Controller
• Controls access to resources based on advice from
  listener
• Reporter
• Reports intrusion attempts to Indra peers
• Gives Indra distributed functionality
• Plugin Loader
• Loads pluggable Watchers, Access Controllers, . .
  .

12
Daemon Architecture
Input 1
Watcher
Input 2
Watcher
Input 3
Watcher
Input 4
Watcher
13
Further Work

• Practical applications
• Better interface with existing intrusion
  detection systems
• Deployment on real systems (Honeypots/-nets?)
• Peer-to-peer aspects
• Secure, efficient, reliable P2P group
  communication
• Randomized rumor-spreading versus deterministic
  multicast
• Security
• Refinements of the Web of trust model (Bayesian
  inference)
• Reputation model
• Efficiency
• Stripped version of Indra on constrained nodes
  (routers etc.)
• Randomized load balancing

14
Related Work

• Intrusion detection
• Immunology, epidemic spreading
• NADIR Distributed data collection and central
  analysis
• GrIDS, AAFID Distributed and passive
• CSM, EMERALD Distributed, active, but not
  extensiblepropose ad-hoc communication, not
  peer-to-peer mechanisms
• Peer-to-peer communications
• Scribe Publish-subscribe multicast on the Pastry
  P2P network
• Bayeux Multicast on the Tapestry network
• AMcast, ALMI
• Randomized rumor spreading

15
Summary and Current Status

• Contributions
• Collaborative and active IDS with support for
  peer-to-peer communication
• Secure communication by the use of strong
  cryptography
• Java implementation allows fine-grained access
  control
• On-the-fly loadable plugins allows rapid fixing
  of vulnerabilities
• E-mail gateway allows admin to mail plugins
  instantly to multiple machines
• Status
• Current prototype version has toy watchers,
  port scanning etc.
• Needs interfacing with existing intrusion
  detection software, e.g. Tripwire
• Need to improve efficiency
• Currently only centralized key server supported

Questions?