A Sample of the Problems with Network Security
Firewalls, IDS, IPS, cryptography and access control alone are simply not sufficient.
Malicious users use legitimate application protocols such as HTTP, HTTPS and SOAP, so the attack traffic looks like ordinary application traffic to the network layer.
A CSI/FBI study showed that almost 50% of security breaches came from internal sources:
recently fired employees
disgruntled or curious employees
Background – the current state of IDS
"Today over 70% of attacks against a company's website or web application come at the 'Application Layer', not the Network or System layer." - Gartner Group
Most firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) act at the Network/System layer, not at the Application layer.
Intrusion Detection System Design Goals
What are the overall design goals for IDS? (Illustrative purposes only)
Rapidly detect intrusions with a low false alarm rate and a high intrusion detection rate…
Classification of Intrusion Detection Systems – Traditional View (before the data fusion approach to IDS)
Detection Approach: Anomaly Detection, Signature Detection
Systems Protected: HIDS, NIDS, Hybrid
Architecture: Centralized, Distributed
Data Sources: Audit Logs, Net Traffic, System Stats
Analysis Timing: Real Time, Data Mining
Detection Actions: Active, Passive

TIBCO's Real-Time Agent-Based IDS Approach – A Multisensor Data Fusion Approach to IDS
The same taxonomy, extended with an Agent Based option under Architecture and a Next-Generation Fusion of IDS Sensor Functions that combines the sensor types and data sources above rather than treating each as a separate system.
Intrusion Detection and Data Fusion (2000) Next-Generation Intrusion Detection Systems Source: Bass, T., CACM, 2000
Event-Decision Reference Architecture – Next-Generation Functional Architecture for Intrusion Detection (figure)
Event sources (external sources, distributed local event services, event profiles, databases and other data) feed Event Pre-Processing, which feeds Level One: Event Tracking, Level Two: Situation Detection, Level Three: Predictive Analysis and Level Four: Adaptive BPM. A DB Management layer holds historical data, profiles and patterns; visualization, BAM and user interaction sit across all levels.
Event-Decision High Level Architecture (figure): an Event Cloud (distributed data set) surrounded by many knowledge sources (KS), in the blackboard style. Adapted from: Engelmore, R. S., Morgan, A. J. & Nii, H. P., Blackboard Systems, 1988, and Luckham, D., The Power of Events, 2002.
Multi-level inference in a distributed event-decision architecture (level of inference rises from low at Level 0 to high at Level 4)
Level 0 – Event Preprocessing: cleansing of the event stream to produce semantically understandable data
Level 1 – Event Refinement: identify events and make initial decisions based on association and correlation
Level 2 – Situation Refinement: identify situations based on sets of complex events, state estimation, etc.
Level 3 – Impact Assessment: assess intent on the basis of situation development, recognition and prediction
Level 4 – Process Refinement: decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
Across all levels: human visualization, monitoring, interaction and situation management
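The Level 0 to Level 2 chain above, carried through on constructed sensor output, as an added example that is not part of the original deck and not TIBCO code. It assumes a Snort-style NIDS fast alert, sshd syslog lines from a host sensor and Apache combined-format web log lines (all constructed), a year for timestamps that carry none, a hostname-to-address mapping, a 5-minute situation window and a 3-failure threshold; the impact score attached to each situation is a crude stand-in for Level 3, not a real impact model.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sensor lines (not real logs): one NIDS alert, sshd syslog lines
# from a host sensor, and web server access log lines.
NIDS_LINES = [
    "03/01-10:00:01.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
    "[Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:22",
]
HIDS_LINES = [
    "Mar  1 10:00:05 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Mar  1 10:00:09 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 51244 ssh2",
    "Mar  1 10:00:13 web01 sshd[1205]: Failed password for root from 203.0.113.5 port 51251 ssh2",
    "Mar  1 10:00:20 web01 sshd[1207]: Accepted password for root from 203.0.113.5 port 51260 ssh2",
    "Mar  1 10:02:00 web01 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
]
WEB_LINES = [
    '203.0.113.5 - - [01/Mar/2024:10:00:45 +0000] "GET /admin.php?id=1%27%20OR%201%3D1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2024:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
YEAR = 2024                          # assumption: NIDS alerts and syslog carry no year
HOST_IP = {"web01": "192.0.2.10"}    # assumption: host-sensor name to address mapping
WINDOW = timedelta(minutes=5)        # assumption: a situation must unfold within 5 minutes
FAIL_THRESHOLD = 3                   # assumption: failures before a success count as brute force

NIDS_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(.+?)\s+\[\*\*\]"
                     r".*?\{\w+\}\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+")
HIDS_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+sshd\[\d+\]:\s+"
                     r"(Failed|Accepted) password for (\S+) from ([\d.]+)")
WEB_RE = re.compile(r'^([\d.]+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def preprocess(nids, hids, web):
    """Level 0: normalise heterogeneous sensor lines into one event schema, time-ordered."""
    events = []
    for line in nids:
        m = NIDS_RE.match(line)
        if m:
            mon, day, t, msg, src, dst = m.groups()
            ts = datetime.strptime(f"{YEAR}-{mon}-{day} {t}", "%Y-%m-%d %H:%M:%S")
            kind = "scan" if "SCAN" in msg.upper() else "nids_alert"
            events.append({"ts": ts, "sensor": "nids", "kind": kind, "src": src, "dst": dst})
    for line in hids:
        m = HIDS_RE.match(line)
        if m:
            mon, day, t, host, result, user, src = m.groups()
            ts = datetime.strptime(f"{YEAR} {mon} {day} {t}", "%Y %b %d %H:%M:%S")
            kind = "auth_ok" if result == "Accepted" else "auth_fail"
            events.append({"ts": ts, "sensor": "hids", "kind": kind, "src": src,
                           "dst": HOST_IP.get(host, host), "user": user})
    for line in web:
        m = WEB_RE.match(line)
        if m:
            src, raw_ts, method, path, status = m.groups()
            ts = datetime.strptime(raw_ts.split()[0], "%d/%b/%Y:%H:%M:%S")
            # Crude application-layer check: a quote followed by OR in the query string.
            kind = "web_attack" if re.search(r"(%27|')(%20|\s)*or", path, re.I) else "web_request"
            events.append({"ts": ts, "sensor": "web", "kind": kind, "src": src,
                           "dst": HOST_IP["web01"], "path": path})
    return sorted(events, key=lambda e: e["ts"])


def refine_events(events):
    """Level 1: associate events into tracks keyed by the originating source address."""
    tracks = defaultdict(list)
    for e in events:
        tracks[e["src"]].append(e)
    return tracks


def matches_in_order(evs, pattern, window):
    """Return the first events matching `pattern` kinds in order, if they fit in `window`."""
    matched, j = [], 0
    for e in evs:
        if j < len(pattern) and e["kind"] == pattern[j]:
            matched.append(e)
            j += 1
    if j < len(pattern) or matched[-1]["ts"] - matched[0]["ts"] > window:
        return None
    return matched


# Complex-event patterns: (situation name, ordered kinds, stand-in impact score).
SITUATION_RULES = [
    ("recon_then_access_attempt", ["scan", "auth_fail"], 1),
    ("credential_compromise", ["auth_fail"] * FAIL_THRESHOLD + ["auth_ok"], 3),
    ("post_compromise_app_attack", ["auth_ok", "web_attack"], 4),
]


def detect_situations(tracks):
    """Level 2: recognise situations from ordered sets of events inside each track."""
    situations = []
    for src, evs in tracks.items():
        for name, pattern, impact in SITUATION_RULES:
            hit = matches_in_order(evs, pattern, WINDOW)
            if hit:
                situations.append({"src": src, "dst": hit[-1]["dst"], "situation": name,
                                   "impact": impact,
                                   "span_s": int((hit[-1]["ts"] - hit[0]["ts"]).total_seconds())})
    return situations


def run_pipeline():
    """Levels 0-2 end to end over the constructed sample lines."""
    return detect_situations(refine_events(preprocess(NIDS_LINES, HIDS_LINES, WEB_LINES)))


if __name__ == "__main__":
    for s in run_pipeline():
        print(s)
```

No single sensor sees the whole story here: the NIDS sees the scan, the host sensor sees the password guessing and the successful login, and only the web log shows the injection attempt that follows. The three situations emerge only after Level 1 has joined the streams on the source address, which is the point of fusing sensor functions rather than alerting per sensor.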
Event-Driven Intrusion Detection – Flexible SOA and Event-Driven Architecture
Next-Gen Intrusion Detection System (NGIDS) High Level Event-Driven Architecture (EDA) – Early Phase (figure)
Sensor network: NIDS, HIDS, IDS and log-file sources on the monitored systems, plus SQL databases, each attached through a TIBCO BusinessWorks (BW) adapter (ADB database adapters for the SQL databases) that publishes to JMS.
Messaging network: Java Messaging Service (JMS) distributed queues on TIBCO EMS.
Rules network: several high-performance rules engines (TIBCO BusinessEvents, BE) consuming the queues in parallel.