22C3 - 2.2
22nd Chaos Communication Congress
Private Investigations
| Speakers | |
|---|---|
|
Matthias Petermann |
|
Alien8 |
| Schedule | |
|---|---|
| Day | 3 |
| Room | Saal 2 |
| Start time | 21:00 |
| Duration | 01:00 |
| Info | |
| ID | 561 |
| Event type | Lecture |
| Track | Hacking |
| Language | English |
| Feedback | |
|---|---|
|
Did you attend this event? Give Feedback |
Intrusion Detection Systems
Elevated to the Next Level
Currently there exist many different IDS techniques. However, none of them is the superior one. Best results can only be determined by a combination of them. We introduce an approach how to do that efficiently.
Currently there exist many different Intrusion Detection techniques. Starting from network based systems, such as pattern matching, traffic correlation, traffic anomaly detection... or host based systems such as file integrity checkers, log file parsers or root kit detectors up to things like Honeypots are widely used.
Todays major problem is that most people simply don't have enough monitors to look at all the different IDS consoles at the same time. Also, for some quite popular IDSs there doesn't exist a usable console at all. Since each IDS has it's own analysis tools, correlation of the big variety of events detected by different systems has to be done manually - if even possible. That gets even more tricky if one has multiple IDSs at certain places in the network.
So, how to deal with that complexity? What we are going to introduce first is the IDMEF (Intrusion Detection Message Exchange Format) approach to normalize and standardize log events that are coming out of IDSs. That gives you all the events of all those different IDSs in a common format.
So far so good. But how to get valuable clues out of all this data? To correlate IDS events in order to get an automatic decision if a certain system has been attacked or misused isn't that simple - obviously. Is an outbound connection of let's say a web server ok? Maybe not if the admin is not logged in. Is changing /etc/shadow valid if there is just a web server running? It may depend on many things as the time of the day, source, further events on the system, who is logged on, what other processes are running, certain system states, system load ...
We will present a method correlating those IDS events using Fuzzy Logic and Neural Networks as an extension of the Prelude Hybrid IDS framework. After a short introduction of the Prelude framework we explain how those methods can be used to get more reliable results out of this hybrid IDS. To illustrate the concept behind in a more demonstrative way we will use IDS events of common attacks to give an idea how it can be employed to make IDSs work more efficiently.