Information Security News mailing list archives

EMERALD's component-based approach to network security


From: InfoSec News <isn () C4I ORG>
Date: Sat, 6 Jan 2001 13:19:25 -0600

http://www-106.ibm.com/developerworks/library/co-emrld.html?dwzone=components

Claude J. Bauer
Freelance technology journalist
January 2001

Programmers and software developers interested in security
applications for component technology should keep tabs on work
underway at Stanford Research Institute (SRI) International, a
nonprofit research institute based in Menlo Park, California.

SRI has been tasked by the Defense Advanced Research Projects Agency
(DARPA) to develop ways to use component technology to distribute
real-time security monitoring throughout enterprise networks.

According to Phillip Porras, program director of network security for
SRI, the components emerging from DARPA's project, aptly named the
Event Monitoring Enabling Responses to Anomalous Live Disturbances
(EMERALD), are capable of providing anomaly and misuse detection for
networks of all sizes.

EMERALD's intrusion detection architecture is based on software
components that address real-time detection, analysis, and response
for a broad range of external and internal threats. What's more,
EMERALD components were designed to be independent, dynamically
deployable, easily configurable, reusable, and broadly interoperable,
Porras said.

"We developed the methodology for EMERALD ourselves, as a way of
decomposing the intrusion detection process," Porras noted. "There are
really no products commercially available that use component-based
design for this type of problem," he said. "Most vendors out there
aren't taking this approach. They want you to buy a single product.
DARPA has been leading the effort in this area."

As part of the effort, SRI is also building a component-based
correlation engine that can sit anywhere in the network and subscribe
to the alerts being produced by the independent component-based
sensors. "You can then build models for correlating that information,
as well as look for relationships inside the alerts, and discover meta
problems by analyzing the attributes inside the alert stream," he
observed.

Where EMERALD shines
Whether conducting information warfare on an international scale or
simply trying to keep youngsters from running "kiddie scripts" on
corporate networks, programmers can deploy EMERALD components
throughout a network to generate alarms, prevent denials of service
and loss of availability, as well as analyze data collected from
security violations and intrusion events. "For example, one can
install our lightweight Host-IDS component on any number of Solaris
machines. Each sensor operates as a local security daemon, protecting
its host from internal misuse, while simultaneously allowing remote
subscriber components to provide domain-layer analysis and response,"
Porras said.

Once in place, EMERALD components work independently with application
logs and network services to monitor events at the operating system
and network layers. "They can be placed strategically in your network,
as opposed to sitting at the highest level of the network, where they
would be swamped by all the central traffic coming in," Porras said.
EMERALD security components can be embedded in applications that
communicate with the outside world, enabling network administrators to
draw on information from a large suite of small sensors deployed
throughout the network.

EMERALD security components can also help users analyze communications
traffic, collecting Simple Mail Transfer Protocol (SMTP), File
Transfer Protocol (FTP) and Web server data directly from the
Transmission Control Protocol (TCP) traffic stream. "For Web traffic
where we deal with Secure Socket Layer (SSL) and cryptography, we've
created an embedded component to decrypt Apache Web server traffic,
and we're extending it over to Netscape's Web server," Porras said.
EMERALD components are designed to run on UNIX-like operating systems,
such as Solaris and Linux.

Why components
According to Porras, enterprise networks have traditionally relied on
a monolithic architecture for intrusion detection systems that focused
on centralized analysis of TCP packets or audit log trails. This
approach dominated until the 1990s because the intrusion detection
community was working primarily with mainframes. However, once
distributed computing environments emerged, problems with the
monolithic approach began to surface.

"The monolithic approach doesn't scale very well for real-time
monitoring, because it implies that you have to somehow centrally
locate all of the data you need to run intrusion detection
algorithms," Porras said. "It's really difficult to keep up with
real-time data, especially when you're dealing with cryptography and
switched networks," he said.

For Porras and his colleague Peter Neumann, EMERALD's component
approach offered the ideal alternative to the monolithic strategy
because it allows programmers to introduce lightweight, embeddable
security components into the network and collect data from a variety
of sources. Besides providing a more comprehensive approach to
intrusion detection, EMERALD components help ease the burden of
upgrading and maintaining network security features. "When new sensors
come out, you can replace old sensor [components] much more easily
than replacing an entire system," Porras observed.

Thinking globally
While Porras and Neumann found that EMERALD's distributed component
approach excelled at monitoring local activity, they also realized
that the wealth of information generated could sometimes make it
difficult to obtain a global picture of network activity. This led
them to devise a solution where the security components work in
conjunction with independent analysis engines. "As the analysis
engines produce intrusion reports and alarms, the security components
forward the reports and alarms to other components for visualization,
response, correlation, and data logging, which provides a global
picture of what's occurring throughout the network," Porras said.
"We've moved to kind of a 'subscription model' where you have
'subscribers' [within the network] that want to hear about the alarms
being generated, and 'producers,' or sensor components, that generate
the intrusion alarms," he said.
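The producer/subscriber arrangement described here, together with the correlation engine mentioned earlier in the article, as an added Python sketch that is not SRI's code: independent sensor components publish alarms to a bus, and a correlation subscriber looks across the alert attributes for a relationship no single sensor reports (one source implicated on several distinct hosts). The alert fields, the bus API and the correlation rule are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Alert:
    """One alarm from a sensor component (field names are assumptions)."""
    sensor: str  # producing component, e.g. "host-ids@web01"
    host: str    # host the sensor protects
    source: str  # remote address the sensor implicates
    kind: str    # the sensor's own local classification

class AlertBus:
    """Producers publish alerts; every subscriber receives every alert."""
    def __init__(self):
        self._subscribers = []
    def subscribe(self, callback):
        self._subscribers.append(callback)
    def publish(self, alert):
        for callback in self._subscribers:
            callback(alert)

class CorrelationEngine:
    """Subscriber that looks across the alert stream for a 'meta problem'
    no single sensor sees: one source implicated on several distinct hosts."""
    def __init__(self, host_threshold=3):
        self.host_threshold = host_threshold
        self._hosts_by_source = defaultdict(set)
        self.meta_alerts = []
    def on_alert(self, alert):
        hosts = self._hosts_by_source[alert.source]
        hosts.add(alert.host)  # repeats from the same host do not inflate the count
        if len(hosts) == self.host_threshold:  # fire once, when the threshold is crossed
            self.meta_alerts.append((alert.source, sorted(hosts)))

def run_sample():
    """Replay a constructed alert stream; return (meta-alerts, alerts logged)."""
    bus = AlertBus()
    engine = CorrelationEngine(host_threshold=3)
    log = []
    bus.subscribe(engine.on_alert)  # correlation subscriber
    bus.subscribe(log.append)       # a second subscriber: plain data logging
    stream = [  # constructed sample alarms, not real data
        Alert("host-ids@web01", "web01", "198.51.100.7", "failed-login"),
        Alert("host-ids@web01", "web01", "198.51.100.7", "failed-login"),
        Alert("host-ids@db01", "db01", "198.51.100.7", "failed-login"),
        Alert("net-ids@gw", "mail01", "203.0.113.9", "smtp-probe"),
        Alert("host-ids@mail01", "mail01", "198.51.100.7", "su-attempt"),
    ]
    for alert in stream:
        bus.publish(alert)
    return engine.meta_alerts, len(log)
```

Each sensor alone sees only a few failed logins on its own host; only the subscriber that receives the whole stream can report that 198.51.100.7 has been implicated on three hosts.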

Porras believes the subscriber/producer paradigm may also hold promise
for other applications, such as network management and
performance/availability management. For example, companies acting as
managed service providers, or operating a remote MIS group, could gain
insight into activity that occurs at the local administrative domain
level by collecting data from distributed components. They would also
be able to view that activity across organizations and compare
activity in one domain with activity in another. This capability would
help them isolate trends and common problems. "This type of
component-based design could benefit any application where you want to
distribute local sensors that collect information and propagate it up,
allowing you to gain a more global view of what's happening layer to
layer," he said.

What's available
SRI plans to gradually release selected EMERALD components to the
public domain. One such component, eXpert-BSM, is currently available
for download from SRI's Web site (see Resources). eXpert-BSM, a small,
host-based sensor that acts as a security daemon, is "particularly
good for detecting misuse on Solaris operating systems," Porras said.
Since SRI is a nonprofit research institute, the components made
available on its Web site are released without charge to the public
domain. "If we don't make certain components available on the
Internet, we will still make them available to [government
organizations] and to the entire DoD research community," Porras
remarked.

SRI is also contemplating the release of its eBayes-TCP component,
which is based on a probabilistic reasoning engine that can be used to
detect network phenomena that indicate failures or probes of a system.
"It's good against stealth probes and unexpected or malicious [data]
floods of the network," Porras said. The eBayes-TCP component can also
detect losses of system services and the creation of new services and
communications channels within a network. In addition, it acts as an
availability monitor, detecting when systems come on line and go off
line.

eXpert-Net is an EMERALD component SRI will release to academic
institutions early next year. SRI will also make it available to "any
government organization that wants to run it," Porras said. eXpert-Net
is a "signature-based" component designed for intrusion detection on
Hypertext Transfer Protocol (HTTP), FTP, SMTP, low-level TCP, User
Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP)
traffic. "eXpert-Net is a small component that can be added to an FTP
or Web server to generate alarms on just about any HTTP or FTP data,"
Porras said. eXpert-Net can also perform security monitoring on
SSL-protected HTTP traffic. "This is a rather unique capability, and
I'm not aware of anyone else doing it," Porras noted. "We've
integrated extensions into a Web server and provided, with those
extensions, the ability to pass their transactions on to an intrusion
detection engine."

Porras predicts that in the years to come "you will see more activity
in the security space toward the componentization of monitoring and
security services, as well as toward the development of visualization
products for network security." As a security expert should, he also
cautions that in today's network environments "you're going to need
applications and operating systems that are capable of identifying
when someone is misusing them. That's what EMERALD is all about."

Resources

For more information on EMERALD's security components, visit SRI's Web
site.

* Read SRI's overview of the project with links to more information.
* Download EMERALD components. (Development of more releases is
  underway.)

About the author

Claude J. Bauer is a freelance technology journalist located in
Middletown, MD. His work appears in numerous technology-oriented
publications and on a variety of Web sites. Visit Mr. Bauer's home
page or contact him at claudebauer () claudebauer com.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
