Information Security News mailing list archives
EMERALD's component-based approach to network security
From: InfoSec News <isn () C4I ORG>
Date: Sat, 6 Jan 2001 13:19:25 -0600
http://www-106.ibm.com/developerworks/library/co-emrld.html?dwzone=components

Claude J. Bauer
Freelance technology journalist
January 2001

Programmers and software developers interested in security applications for component technology should keep tabs on work underway at Stanford Research Institute (SRI) International, a nonprofit research institute based in Menlo Park, California. SRI has been tasked by the Defense Advanced Research Projects Agency (DARPA) to develop ways to use component technology to distribute real-time security monitoring throughout enterprise networks.

According to Phillip Porras, program director of network security for SRI, the components emerging from DARPA's project, aptly named Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD), are capable of providing anomaly and misuse detection for networks of all sizes. EMERALD's intrusion detection architecture is based on software components that address real-time detection, analysis, and response for a broad range of external and internal threats. What's more, EMERALD components were designed to be independent, dynamically deployable, easily configurable, reusable, and broadly interoperable, Porras said.

"We developed the methodology for EMERALD ourselves, as a way of decomposing the intrusion detection process," Porras noted. "There are really no products commercially available that use component-based design for this type of problem," he said. "Most vendors out there aren't taking this approach. They want you to buy a single product. DARPA has been leading the effort in this area."

As part of the effort, SRI is also building a component-based correlation engine that can sit anywhere in the network and subscribe to the alerts being produced by the independent component-based sensors.
"You can then build models for correlating that information, as well as look for relationships inside the alerts, and discover meta problems by analyzing the attributes inside the alert stream," he observed.

Where EMERALD shines

Whether conducting information warfare on an international scale or simply trying to keep youngsters from running "kiddie scripts" on corporate networks, programmers can deploy EMERALD components throughout a network to generate alarms, prevent denials of service and loss of availability, as well as analyze data collected from security violations and intrusion events.

"For example, one can install our lightweight Host-IDS component on any number of Solaris machines. Each sensor operates as a local security daemon, protecting its host from internal misuse, while simultaneously allowing remote subscriber components to provide domain-layer analysis and response," Porras said.

Once in place, EMERALD components work independently with application logs and network services to monitor events at the operating system and network layers. "They can be placed strategically in your network, as opposed to sitting at the highest level of the network, where they would be swamped by all the central traffic coming in," Porras said.

EMERALD security components can be embedded in applications that communicate with the outside world, enabling network administrators to draw on information from a large suite of small sensors deployed throughout the network. EMERALD security components can also help users analyze communications traffic, collecting Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP) and Web server data directly from the Transmission Control Protocol (TCP) traffic stream.

"For Web traffic where we deal with Secure Socket Layer (SSL) and cryptography, we've created an embedded component to decrypt Apache Web server traffic, and we're extending it over to Netscape's Web server," Porras said.
EMERALD components are designed to run on UNIX-like operating systems, such as Solaris and Linux.

Why components

According to Porras, enterprise networks have traditionally relied on a monolithic architecture for intrusion detection systems that focused on centralized analysis of TCP packets or audit log trails. This approach dominated until the 1990s because the intrusion detection community was working primarily with mainframes. However, once distributed computing environments emerged, problems with the monolithic approach began to surface.

"The monolithic approach doesn't scale very well for real-time monitoring, because it implies that you have to somehow centrally locate all of the data you need to run intrusion detection algorithms," Porras said. "It's really difficult to keep up with real-time data, especially when you're dealing with cryptography and switched networks," he said.

For Porras and his colleague Peter Neumann, EMERALD's component approach offered the ideal alternative to the monolithic strategy because it allows programmers to introduce lightweight, embeddable security components into the network and collect data from a variety of sources. Besides providing a more comprehensive approach to intrusion detection, EMERALD components help ease the burden of upgrading and maintaining network security features. "When new sensors come out, you can replace old sensor [components] much more easily than replacing an entire system," Porras observed.

Thinking globally

While Porras and Neumann found that EMERALD's distributed component approach excelled at monitoring local activity, they also realized that the wealth of information generated could sometimes make it difficult to obtain a global picture of network activity. This led them to devise a solution where the security components work in conjunction with independent analysis engines.
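The arrangement the article has described so far, sensor components producing alerts while other components subscribe to them and a correlation engine looks for relationships inside the alert stream, can be sketched in a few dozen lines. The Python below is an added illustration written for this archive copy, not EMERALD code: the alert fields, the two sensor rules (a failed-login threshold and a distinct-port threshold), the threshold values and the sample audit and connection records are all constructed for the example.

```python
"""Producer/subscriber alert bus with a correlating subscriber.

Added illustration, not EMERALD code: sensors publish alerts, a logger and a
correlator subscribe, and the correlator spots a relationship (one source
tripping sensors on several hosts) that no single sensor can see.
Alert format, sensor rules, thresholds and sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    producer: str                 # sensor component that raised the alert
    host: str                     # host the sensor was protecting
    kind: str                     # e.g. "auth_failure", "port_probe"
    attrs: Dict[str, str] = field(default_factory=dict)


class AlertBus:
    """Subscription model: a subscriber registers a filter and a handler."""

    def __init__(self) -> None:
        self._subscribers: List[tuple] = []

    def subscribe(self, accept: Callable[[Alert], bool], handle: Callable[[Alert], None]) -> None:
        self._subscribers.append((accept, handle))

    def publish(self, alert: Alert) -> None:
        for accept, handle in self._subscribers:
            if accept(alert):
                handle(alert)


def host_sensor(bus: AlertBus, host: str, audit_lines: List[str]) -> None:
    """Host-based sensor: alert once a source reaches three failed logins (constructed rule)."""
    failures: Dict[str, int] = defaultdict(int)
    for line in audit_lines:
        # constructed audit format: "<event> key=value key=value"
        event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if event == "login_fail":
            failures[fields["src"]] += 1
            if failures[fields["src"]] == 3:
                bus.publish(Alert("host-ids", host, "auth_failure", {"src": fields["src"]}))


def net_sensor(bus: AlertBus, host: str, conn_lines: List[str]) -> None:
    """Network sensor: alert once a source has SYN'd five distinct ports (constructed rule)."""
    ports: Dict[str, set] = defaultdict(set)
    for line in conn_lines:
        # constructed connection record: "<src> <dst_port> <tcp_flag>"
        src, port, flag = line.split()
        if flag == "SYN":
            ports[src].add(port)
            if len(ports[src]) == 5:
                bus.publish(Alert("net-ids", host, "port_probe", {"src": src}))


class Correlator:
    """Subscriber that relates alerts by source address across hosts and records meta-alerts."""

    def __init__(self, bus: AlertBus, min_hosts: int = 2) -> None:
        self.min_hosts = min_hosts
        self.hosts_by_src: Dict[str, set] = defaultdict(set)
        self.meta_alerts: List[Alert] = []     # kept locally, not republished, so it cannot feed itself
        bus.subscribe(lambda a: "src" in a.attrs, self.handle)

    def handle(self, alert: Alert) -> None:
        seen = self.hosts_by_src[alert.attrs["src"]]
        seen.add(alert.host)
        if len(seen) == self.min_hosts:        # fire once, when the threshold is first reached
            self.meta_alerts.append(Alert("correlator", "*", "multi_host_activity",
                                          {"src": alert.attrs["src"],
                                           "hosts": ",".join(sorted(seen))}))


def run_demo() -> Tuple[List[Alert], List[Alert]]:
    """Wire two host sensors, one network sensor, a logger and a correlator together."""
    bus = AlertBus()
    log: List[Alert] = []
    bus.subscribe(lambda a: True, log.append)  # logging subscriber takes everything
    correlator = Correlator(bus)
    # constructed sample events: 10.0.0.9 fails logins on two hosts and probes the gateway;
    # 10.0.0.5 is benign noise that stays under every threshold
    host_sensor(bus, "solaris-a", [
        "login_fail user=root src=10.0.0.9", "login_fail user=root src=10.0.0.9",
        "login_ok user=alice src=10.0.0.5", "login_fail user=root src=10.0.0.9"])
    host_sensor(bus, "solaris-b", [
        "login_fail user=admin src=10.0.0.9", "login_fail user=admin src=10.0.0.9",
        "login_fail user=oracle src=10.0.0.9", "login_fail user=bob src=10.0.0.5"])
    net_sensor(bus, "gateway",
               [f"10.0.0.9 {p} SYN" for p in ("21", "22", "25", "80", "443")]
               + ["10.0.0.5 80 SYN", "10.0.0.5 80 ACK"])
    return log, correlator.meta_alerts


if __name__ == "__main__":
    alerts, meta = run_demo()
    for a in alerts + meta:
        print(f"{a.producer:10} {a.host:10} {a.kind:20} {a.attrs}")
```

Run as a script, the module prints the three per-sensor alerts and the single meta-alert the correlator derives: the same source address has tripped sensors on two different hosts. The bus knows nothing about the sensors' rules or the correlator's model; each side only agrees on the alert attributes, which is what lets a sensor be swapped out without touching the subscribers.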
"As the analysis engines produce intrusion reports and alarms, the security components forward the reports and alarms to other components for visualization, response, correlation, and data logging, which provides a global picture of what's occurring throughout the network," Porras said. "We've moved to kind of a 'subscription model' where you have 'subscribers' [within the network] that want to hear about the alarms being generated, and 'producers,' or sensor components, that generate the intrusion alarms," he said.

Porras believes the subscriber/producer paradigm may also hold promise for other applications, such as network management and performance/availability management. For example, companies acting as managed service providers, or operating a remote MIS group, could gain insight into activity that occurs at the local administrative domain level by collecting data from distributed components. They would also be able to view that activity across organizations and compare activity in one domain with activity in another. This capability would help them isolate trends and common problems.

"This type of component-based design could benefit any application where you want to distribute local sensors that collect information and propagate it up, allowing you to gain a more global view of what's happening layer to layer," he said.

What's available

SRI plans to gradually release selected EMERALD components to the public domain. One such component, eXpert-BSM, is currently available for download from SRI's Web site (see Resources). eXpert-BSM, a small, host-based sensor that acts as a security daemon, is "particularly good for detecting misuse on Solaris operating systems," Porras said. Since SRI is a nonprofit research institute, the components made available on its Web site are released without charge to the public domain.
"If we don't make certain components available on the Internet, we will still make them available to [government organizations] and to the entire DoD research community," Porras remarked.

SRI is also contemplating the release of its eBayes-TCP component, which is based on a probabilistic reasoning engine that can be used to detect network phenomena that indicate failures or probes of a system. "It's good against stealth probes and unexpected or malicious [data] floods of the network," Porras said. The eBayes-TCP component can also detect losses of system services and the creation of new services and communications channels within a network. In addition, it acts as an availability monitor, detecting when systems come on line and go off line.

eXpert-Net is an EMERALD component SRI will release to academic institutions early next year. SRI will also make it available to "any government organization that wants to run it," Porras said. eXpert-Net is a "signature-based" component designed for intrusion detection on Hypertext Transfer Protocol (HTTP), FTP, SMTP, low-level TCP, User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) traffic. "eXpert-Net is a small component that can be added to an FTP or Web server to generate alarms on just about any HTTP or FTP data," Porras said.

eXpert-Net can also perform security monitoring on SSL-protected HTTP traffic. "This is a rather unique capability, and I'm not aware of anyone else doing it," Porras noted. "We've integrated extensions into a Web server and provided, with those extensions, the ability to pass their transactions on to an intrusion detection engine."

Porras predicts that in the years to come "you will see more activity in the security space toward the componentization of monitoring and security services, as well as toward the development of visualization products for network security."
As a security expert should, he also cautions that in today's network environments "you're going to need applications and operating systems that are capable of identifying when someone is misusing them. That's what EMERALD is all about."

Resources

For more information on EMERALD's security components, visit SRI's Web site.

* Read SRI's overview of the project with links to more information.
* Download EMERALD components. (Development of more releases is underway.)

About the author

Claude J. Bauer is a freelance technology journalist located in Middletown, MD. His work appears in numerous technology-oriented publications and on a variety of Web sites. Visit Mr. Bauer's home page or contact him at claudebauer () claudebauer com.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".