
Grid-wide Intrusion Detection

Stuart Kenny*, Brian Coghlan

Trinity College Dublin

December 2004

Overview

• SANTA-G

• SANTA-G NetTracer

• Intrusion Detection System

• Summary


SANTA-G

• Developed by TCD within CrossGrid
• Framework for accessing monitoring information via the Grid InfoSys
• Info providers insert data periodically
– Inefficient, or impossible, when dealing with large amounts of data
– Better to leave data where it was created
– Data transferred only when requested by a client


SANTA-G

Diagram (SANTA-G data flow): the Client sends a Request to the Grid Information System and receives Data back; the Information Provider passes the Request on to SANTA-G, which reads the Data from the Information Source and returns it along the same path.


SANTA-G NetTracer

• Demonstrates the SANTA-G framework
• Accesses libpcap logfiles via EDG R-GMA
– Tcpdump logfiles, network monitoring
– SNORT logfiles, intrusion detection
• Uses the R-GMA CanonicalProducer (TCD)


SANTA-G NetTracer

Diagram (SANTA-G NetTracer): Tcpdump writes network data to Log Files in a Trace Directory. The SANTA-G Sensor monitors the directory and, through the LatestProducerAPI, registers sensor and log file information (keyed by Sensor ID) in R-GMA. Queries from the SANTA-G Viewer arrive via the ConsumerAPI; R-GMA invokes the SANTA-G QueryEngine through the CanonicalProducerAPI, and the QueryEngine reads the log files on demand.
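The sensor/query-engine split above, as an added example (not NetTracer's code, which is Java over R-GMA): a minimal parser for the libpcap file format that the Tcpdump logfiles use. The sensor side publishes only metadata about a trace file (the "register log file info" step), while the packet bytes stay on the node and are read only when a query asks for a time range. The 24-byte global header and 16-byte record header are the real libpcap layout; the sensor ID, path, the metadata record's fields and the sample trace are constructed for illustration.

```python
import struct

# libpcap layout (real format): 24-byte global header, then per-packet
# 16-byte record headers. Little-endian magic 0xa1b2c3d4 means
# microsecond timestamps in host (little-endian) byte order.
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def build_sample_pcap():
    """Constructed trace file: three dummy Ethernet frames, timestamps in Dec 2004."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, payload in enumerate([b"\x00" * 60, b"\x11" * 74, b"\x22" * 1500]):
        out += PKT_HDR.pack(1102896000 + i, i * 1000, len(payload), len(payload)) + payload
    return out


def parse_pcap(data):
    """Yield (timestamp, packet_bytes) per record, refusing truncated or oversized records."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic, _major, _minor, _tz, _sig, snaplen, _link = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    off = GLOBAL_HDR.size
    while off < len(data):
        if off + PKT_HDR.size > len(data):
            raise ValueError("truncated packet header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = PKT_HDR.unpack_from(data, off)
        off += PKT_HDR.size
        # incl_len is attacker-influenced (it came from the file): bound it
        # by snaplen and by what is actually present before slicing.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off))
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def register_log_file(sensor_id, path, data):
    """Sensor side: the metadata record that would be published to the
    information system. Field names are an assumption of this example."""
    pkts = list(parse_pcap(data))
    return {
        "sensor_id": sensor_id,
        "file": path,
        "packets": len(pkts),
        "bytes": sum(len(p) for _, p in pkts),
        "first_ts": pkts[0][0] if pkts else None,
        "last_ts": pkts[-1][0] if pkts else None,
    }


def fetch_packets(data, start_ts, end_ts):
    """Query-engine side: transfer only the packets a client asked for."""
    return [(ts, pkt) for ts, pkt in parse_pcap(data) if start_ts <= ts <= end_ts]


if __name__ == "__main__":
    trace = build_sample_pcap()
    print(register_log_file("tcd-wn01", "/var/santag/trace/sample.pcap", trace))
    print(len(fetch_packets(trace, 1102896001, 1102896001.5)), "packet(s) in range")
```

The metadata record is small and cheap to insert periodically; the bulk data moves only through `fetch_packets`. Because the trace file is written by a tool on the monitored node, the parser treats every length field in it as untrusted and checks it before slicing.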


SANTA-G Intrusion Detection

We can use the SNORT functionality of NetTracer as the basis of a Grid-wide intrusion detection system.


SANTA-G Intrusion Detection

Diagram (SANTA-G Intrusion Detection): SNORT writes a Packet log file into the Trace Directory, which the SANTA-G Sensor monitors. Through the LatestProducerAPI the Sensor registers log file info and streams Alerts (keyed by Sensor ID) into R-GMA; the SANTA-G QueryEngine is reachable through the CanonicalProducerAPI, and the SANTA-G Viewer consumes the Alerts through the ConsumerAPI.


Grid Intrusion Detection

• Each site hosts NetTracer
• SNORT sensors on each monitored node
• Detected alerts are streamed to R-GMA
• Grid-wide intrusion log:
– GOC collects alerts from multiple sites
– Uses the R-GMA archiver


Grid Intrusion Detection

Diagram (Grid Intrusion Detection): at Multiple Sites, Worker Nodes each run a Sensor + SNORT and stream Alerts into the Grid Information System (R-GMA). At the Grid Operations Centre an Archiver stores the alert stream in a MySQL DB, and a QueryConsumer queries for alerts (Query, Stream, Response) and sends Emails carrying Grid-wide intrusion alerts.


Grid-wide Intrusion Alerts

• Grid-wide alerts:
– GOC runs custom Consumers querying for specific alert patterns
– Consumers send alerts if a pattern is detected
• An example filter might be (Java, R-GMA consumer API; the consumer variable is reused for the pop() loop):

    // Continuous query: every new snortAlerts row matching the message is streamed to this consumer
    Consumer alerts = new Consumer("SELECT * FROM snortAlerts "
                                   + "WHERE message='DDOS mstream client to handler'",
                                   Consumer.CONTINUOUS);
    while (true) {
        ResultSet ddosAlerts = alerts.pop();
        while (ddosAlerts.next()) {
            sendEmailAlert(ddosAlerts.getString("alert_timestamp"), …
        }
    }
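The GOC side (the archiver plus a pattern-matching consumer, and the "GOC analyses IDS log and generates Grid-wide intrusion alerts" step of the summary) as an added example; this is not the GOC's or R-GMA's code. Python's sqlite3 stands in for the R-GMA archiver's MySQL database, the alert rows are constructed, and the table columns beyond the slide's own names (snortAlerts, alert_timestamp, message) are assumptions. It goes one step beyond the slide's filter: instead of mailing every matching row, it correlates matches across sites so that a grid-wide alert fires only when several sites report the same handler within a time window.

```python
import sqlite3
from datetime import datetime

# Constructed alert rows (not real Grid-Ireland data):
# (alert_timestamp, site, sensor_id, src_ip, dst_ip, message)
SAMPLE_ALERTS = [
    ("2004-12-13 10:01:05", "TCD", "tcd-wn03", "10.1.1.7", "10.2.2.9", "DDOS mstream client to handler"),
    ("2004-12-13 10:01:40", "UCC", "ucc-wn01", "10.3.3.4", "10.2.2.9", "DDOS mstream client to handler"),
    ("2004-12-13 10:02:10", "TCD", "tcd-wn03", "10.1.1.7", "10.9.9.1", "ICMP PING NMAP"),
    ("2004-12-13 10:20:00", "NUIG", "nuig-wn02", "10.4.4.8", "10.2.2.9", "DDOS mstream client to handler"),
    ("2004-12-13 11:30:00", "UCC", "ucc-wn02", "10.3.3.5", "10.7.7.7", "DDOS mstream client to handler"),
]


def load_archive(rows):
    """Stand-in for the GOC archiver: alert rows from all sites in one table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE snortAlerts (alert_timestamp TEXT, site TEXT, sensor_id TEXT, "
        "src_ip TEXT, dst_ip TEXT, message TEXT)")
    db.executemany("INSERT INTO snortAlerts VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def site_filter(db, message):
    """The slide's filter as a parameterised query: the SNORT message text is
    bound, never spliced into the SQL, since it is attacker-influenced data."""
    return db.execute(
        "SELECT alert_timestamp, site, sensor_id, src_ip, dst_ip FROM snortAlerts "
        "WHERE message = ? ORDER BY alert_timestamp", (message,)).fetchall()


def _epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").timestamp()


def grid_wide_alerts(db, message, min_sites=2, window_s=1800):
    """One grid-wide alert per destination host that at least min_sites
    distinct sites reported (same message) within window_s seconds."""
    by_dst = {}
    for ts, site, sensor, src, dst in site_filter(db, message):
        by_dst.setdefault(dst, []).append((_epoch(ts), ts, site, sensor, src))
    found = []
    for dst, events in sorted(by_dst.items()):
        events.sort()
        for i, (t0, ts0, _, _, _) in enumerate(events):
            j = i
            while j + 1 < len(events) and events[j + 1][0] - t0 <= window_s:
                j += 1
            sites = sorted({e[2] for e in events[i:j + 1]})
            if len(sites) >= min_sites:
                found.append({"message": message, "dst_ip": dst, "sites": sites,
                              "sensors": sorted({e[3] for e in events[i:j + 1]}),
                              "first": ts0, "last": events[j][1]})
                break  # one alert per destination is enough for the email
    return found


def format_email(alert):
    """Body of the email the GOC consumer would send (hypothetical wording)."""
    return ("Grid-wide intrusion alert: '%s' against %s reported by %d sites (%s) "
            "between %s and %s, sensors %s" % (
                alert["message"], alert["dst_ip"], len(alert["sites"]),
                ", ".join(alert["sites"]), alert["first"], alert["last"],
                ", ".join(alert["sensors"])))


if __name__ == "__main__":
    archive = load_archive(SAMPLE_ALERTS)
    for a in grid_wide_alerts(archive, "DDOS mstream client to handler"):
        print(format_email(a))
```

With the sample rows, the three sites that saw mstream client traffic to 10.2.2.9 within twenty minutes produce one grid-wide alert, while the single UCC hit on 10.7.7.7 and the TCD-only Nmap ping do not; a 30-second window yields nothing, which is the knob an operator tunes against the GOC's email volume.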


Summary

• The SANTA-G framework allows client access to monitoring data through the Grid InfoSys
• Example provided by SANTA-G NetTracer
• SNORT functionality of NetTracer used to construct a Grid-wide IDS
• Alerts from multiple sites collected by the GOC
• GOC analyses the IDS log and generates Grid-wide intrusion alerts
• To be deployed on Grid-Ireland Jan '05