High-Performance Intrusion Detection with the Open-Source Bro NIDS

More documents

Recommendations

Info

Outline 1. Overview of the Bro Network Intrusion Detection System • Philosophy • Deployment • Architecture and Usage • Specific Capability: Dynamic Protocol Detection 2. High Performance with Concurrent Traffic Analysis • Concurrency Potential • Coarse-grained Parallelism: A cluster for load-balancing • Fine-grained Parallelism: Designing a multi-threaded NIDS 3. Future Directions Guest Lecture, RWTH Aachen 2 Thursday, December 16, 2010
System Philosophy • Bro has been developed at LBNL & ICSI since 1996 • Designed and originally developed by Vern Paxson, now at ICSI & UC Berkeley • Bro provides a real-time network analysis framework • Primary a network intrusion detection system (NIDS) • However it is also used for pure traffic analysis • Focus is on • Application-level semantic analysis (rather than analyzing individual packets) • Tracking information over time • Strong separation of mechanism and policy • The core of the system is policy-neutral (no notion of “good” or “bad”) • User provides local site policy Guest Lecture, RWTH Aachen 3 Thursday, December 16, 2010
Page 1: High-Performance Intrusion Detectio
Page 5 and 6: Target Environments • Bro is spec
Page 7 and 8: Lawrence Berkeley National Lab •
Page 9 and 10: LBNL’s Bro Setup External 10G Tap
Page 11 and 12: LBNL’s Bro Setup External (ESNet)
Page 13 and 14: Activity Logs: Connections • One-
Page 15 and 16: Architecture Packets Network Guest
Page 17 and 18: Architecture Notification Detection
Page 19 and 20: Communication Architecture Bro A Br
Page 21 and 22: Event Model Web Client 1.2.3.4/4321
Page 27 and 28: Event-Engine • Event-engine is wr
Page 29 and 30: Script Example: Tracking SSH Hosts
Page 31 and 32: Port-based Analysis • Bro has lot
Page 33 and 34: Dynamic Protocol Detection Web Clie
Page 41 and 42: Analyzer Trees IP TCP SMTP Interact
Page 43 and 44: High Performance with Concurrent Tr
Page 45 and 46: Internet Traffic: Connections #conn
Page 47 and 48: Internet Traffic: Connections #conn
Page 49 and 50: Outline 1. Overview of the Bro Netw
Page 51 and 52: Traffic Analysis Pipeline Packet An
Page 53 and 54:
Traffic Analysis Pipeline Packet An
Page 55 and 56:
Traffic Analysis Pipeline Packet An
Page 57 and 58:
Building a Concurrent NIDS • Can
Page 59 and 60:
Load-Balancer Approach NIDS 10Gbps
Page 61 and 62:
External Packet Demultiplexer Demux
Page 63 and 64:
The Bro Cluster There are a number
Page 65 and 66:
Simulation of Packet Dispatcher !"#
Page 67 and 68:
cFlow: A Production Load-Balancer
Page 69 and 70:
UC Berkeley Cluster Monitored/gener
Page 71 and 72:
UC Berkeley Cluster Monitored/gener
Page 73 and 74:
Extensions 100GE(!) version is in p
Page 75 and 76:
“Real” Multi-Core NIDS • Clus
Page 77 and 78:
Bro’s Architecture Notification S
Page 79 and 80:
Bro’s Architecture Notification D
Page 81 and 82:
Script Example: Matching URLs Task:
Page 83 and 84:
Script Example 3: Aggregated Task:
Page 85 and 86:
Parallel Event Scheduling Threaded
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Implementation of Multi-Core Bro
Page 95 and 96:
Script-Engine Performance So Far ..
Page 97 and 98:
Outline 1. Overview of the Bro Netw
Page 99 and 100:
Automating the Scoping • Scopes a
Page 101 and 102:
Software Development Support • Br
Page 103 and 104:
Conclusion Guest Lecture, RWTH Aach
Page 105 and 106:
Thanks for your attention. Robin So
Page 107 and 108:
Going Back in Time with the Time Ma
Page 109 and 110:
The Time Machine • The Time Machi
Page 111 and 112:
Query Interface • Interactive con
Page 113 and 114:
Augmenting Bro Alerts with Traffic
Page 115:
Multi-Core Bro Data Flow Main Threa
show all

High-Performance Intrusion Detection with the Open-Source Bro NIDS

Create successful ePaper yourself

Delete template?

Save as template?