Grid-wide Intrusion Detection
Stuart Kenny*, Brian Coghlan
Trinity College Dublin

Overview
• SANTA-G
• SANTA-G NetTracer
• Intrusion Detection System
• Summary
Grid-wide Intrusion Detection
SANTA-G
• Developed by TCD within CrossGrid
• Framework for accessing monitoring information via the Grid InfoSys
• Conventional approach: info providers insert data into the InfoSys periodically
  • Inefficient, or impossible, when dealing with large amounts of data
• SANTA-G approach: leave the data where it was created
  • Data is transferred only when a client requests it

SANTA-G (diagram slide)
SANTA-G NetTracer
• Demonstrates the SANTA-G framework
• Access libpcap logfiles via EDG R-GMA
  • Tcpdump logfiles: network monitoring
  • SNORT logfiles: intrusion detection
• Uses the R-GMA CanonicalProducer (TCD)

SANTA-G NetTracer (diagram slide)
SANTA-G Intrusion Detection
We can use the SNORT functionality of NetTracer as the basis of a Grid-wide intrusion detection system.

SANTA-G Intrusion Detection (two diagram slides)
Grid Intrusion Detection
• Each site hosts NetTracer
• SNORT sensors on each monitored node
• Detected alerts are streamed to R-GMA
• Grid-wide intrusion log:
  • GOC collects alerts from multiple sites
  • Uses the R-GMA archiver

Grid Intrusion Detection (diagram slide)
Grid-wide Intrusion Alerts
• Grid-wide alerts:
  • GOC runs custom Consumers querying for specific alert patterns
  • Consumers send alerts if a pattern is detected
• An example filter might be:

    // Continuous query: receive every new snortAlerts row whose message
    // matches the DDOS mstream signature, as each site publishes it.
    Consumer alert = new Consumer(
        "SELECT * FROM snortAlerts WHERE message='DDOS mstream client to handler'",
        Consumer.CONTINUOUS);
    while (true) {
        // pop() returns the rows that have arrived since the last call
        ResultSet ddosAlerts = alert.pop();
        while (ddosAlerts.next()) {
            sendEmailAlert(ddosAlerts.getString("alert_timestamp"), …);
        }
    }
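The GOC-side consumer described on the last two slides (sites streaming Snort alerts, the GOC filtering them for a pattern), as an added Python example that is not from the slides or the SANTA-G code: the R-GMA continuous Consumer is replaced by a constructed in-memory list of snortAlerts rows, the slides' message filter is applied, and it goes one step further by correlating matches across sites, so the same signature seen at two or more sites within a time window becomes a grid-wide alert. Site names, timestamps and addresses are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like the snortAlerts table the slides query.
# Each site's NetTracer would publish rows like these into R-GMA.
SNORT_ALERTS = [
    {"site": "tcd", "alert_timestamp": "2004-11-03 10:00:05",
     "message": "DDOS mstream client to handler", "src": "10.0.0.7"},
    {"site": "tcd", "alert_timestamp": "2004-11-03 10:00:40",
     "message": "ICMP PING NMAP", "src": "10.0.0.9"},
    {"site": "ucd", "alert_timestamp": "2004-11-03 10:03:12",
     "message": "DDOS mstream client to handler", "src": "10.1.0.4"},
    {"site": "nuig", "alert_timestamp": "2004-11-03 11:30:00",
     "message": "DDOS mstream client to handler", "src": "10.2.0.2"},
]

def matches(row, message):
    """Stand-in for the slides' WHERE message='...' filter."""
    return row["message"] == message

def correlate(rows, message, window=timedelta(minutes=10), min_sites=2):
    """Return one grid-wide alert per group of sites reporting the same Snort
    message within `window` of each other. A single site's hit stays a local
    event; the same signature at several sites is the grid-wide signal."""
    hits = [(datetime.strptime(r["alert_timestamp"], "%Y-%m-%d %H:%M:%S"), r)
            for r in rows if matches(r, message)]
    hits.sort(key=lambda h: h[0])          # R-GMA rows may arrive out of order
    alerts, cluster = [], []

    def flush():
        sites = sorted({r["site"] for _, r in cluster})
        if len(sites) >= min_sites:        # drop single-site clusters
            alerts.append({"message": message, "sites": sites,
                           "first_seen": cluster[0][1]["alert_timestamp"],
                           "last_seen": cluster[-1][1]["alert_timestamp"]})

    for ts, row in hits:
        if cluster and ts - cluster[0][0] > window:   # window expired
            flush()
            cluster = []
        cluster.append((ts, row))
    if cluster:
        flush()
    return alerts

if __name__ == "__main__":
    for a in correlate(SNORT_ALERTS, "DDOS mstream client to handler"):
        print(f"GRID-WIDE ALERT: {a['message']} at {', '.join(a['sites'])} "
              f"between {a['first_seen']} and {a['last_seen']}")
```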
Summary
• The SANTA-G framework allows client access to monitoring data through the Grid InfoSys
• Example provided by SANTA-G NetTracer
• SNORT functionality of NetTracer used to construct a Grid-wide IDS
• Alerts from multiple sites collected by the GOC
• GOC analyses the IDS log and generates Grid-wide intrusion alerts
• To be deployed on Grid-Ireland Jan '05