GrIDS -- A Graph Based
Intrusion Detection System For
Large Networks
Paper by S. Staniford-Chen et. al
Overview
•
•
•
•
•
•
General facts about GrIDS
Scalability
Architecture
Management
Additional features
Limitations
10/06
Security Policy
• Used to detect & analyze large-scale
attacks
• Anomaly detection
• Can report on per-host basis
– Worms
– Network sweeps
– User specified patterns of attack
10/06
GrIDS -- Environment
• Runs on Unix hosts connected by IP nets
• Intended for large networks (thousands of
hosts & hundreds of IP sub-nets)
• Assumes that network belongs to single
organization with autonomous departments
• No part of network is “actively hostile”
10/06
What does GrIDS do?
•
•
•
•
•
•
Graph-based Intrusion Detection System
Records network activity
Aggregates data of interest
Builds activity graphs
Performs pattern matching
Determines “unexpected” behavior
10/06
Scalability via Aggregation
• Models an organization as hierarchy of
departments (composed of computers)
• Each department builds & evaluates
graphs of activity within the department
• Sub-graphs are embedded in larger
graphs, so an entire department may be
represented by a single node in a highlevel graph
10/06
Scalability via Aggregation
• Graphs scale & are always manageable
 Low level graphs depict part of organization
 High levels summarize information found in
low level graphs
• GrIDS aggregates data; can it see low
level intrusion?
10/06
Architecture of GrIDS
• Module controller process - on each host
• Comprised of modules with standardized
interfaces:
– data sources: monitor activity on hosts &
networks;
– graph engine: builds graphs & passes them
up the hierarchy
– software manager: manages state of
hierarchy & distributed modules
10/06
Data Sources
• Monitor net: Network sniffers
• Monitor the OS/net: Point IDSs (single
host or LAN IDSs)
• Includes extensible mechanism which
allows data to be gathered from other
security tools without significant change
to the tool or to GrIDS
10/06
Graph Engine
• Nodes represent hosts or departments
• Edges represent network traffic between
nodes
• Graph has global attributes which
maintain state information about the graph
as a whole
• Graphs are built based on rule sets
10/06
Rule Sets
• Executable specification of a kind of graph
(contains preconditions, combining rules)
• Each rule set maintains a graph space
containing multiple graphs
• Rules operate independently of one
another
10/06
Rule Sets
• Used to
– Determine if incoming report (partial graph)
should be incorporated into existing graphs
– Decide if two graphs should combine
– Compute the attributes of the combined graph
– Decide what actions to take, if any
• A rule set is inherited by all descendents of
the node to which it is applied
10/06
Updating Graphs
Engine Receives Report
In Form of Partial Graph
Meets Rule Set’s
NO
Discard
Preconditions?
YES
Incoming Graph
YES
Combined With
Existing Graph
Meets Rule
Set’s Combining
Conditions?
NO
New Graph
Formed in Rule
Set’s Graph Space
Example Rule
Combine node rule {
res.node.combine = !empty({new.node.alerts,
cur.node.alerts})
&& abs(cur.node.time - new.node.time) < 30;
res.node.alerts ={cur.node.alerts,new.node.alerts};
res.node.time = max({cur.node.time,
new.node.time});
}
Example Assessment Rule
assessments rule {
(!empty(res.global.alerts)) ||
(res.global.nnodes >= 8) ||
(res.global.nedges >= 13) ==>
alert(), report-graph();
(3 < res.global.nnodes < 8) ||
(5 < res.global.nedges < 13) ==>
report-graph();
}
Management Modules
• User interface modules for management
functions and display of alerts
• Central organizational hierarchy server
which has a global view of the topology
of the hierarchy, and is responsible for
ensuring that changes to the hierarchy
happen in a consistent manner
10/06
Managing the Hierarchy
• Organizational hierarchy server maintains
a global picture of hierarchy
• Access control system controls who can
view and manage the hierarchy
 ACL resides at each node & states who can
access that node or any node in the sub-tree
rooted there
• System managers perform “transactions”
10/06
Transactions
Typical transactions include:
• moving a department
• adding a new host
• changing the location of the graph
engine, etc.
10/06
Limitations
• Not secure against attacks targeting GrIDS:
– substituting in hacked versions of GrIDS at the
module level
– denial of service attacks
– disruptions of the network time protocol
– networks or computers faults
• Widespread attacks which progress slowly
might not be diagnosed by aggregation
mechanism
10/06
Backup
10/06
Additional Features:
Policy Enforcement
• Policies are compiled into rule sets which
build graphs & evaluate for policy violations
• Currently, GrIDS only allows for policies
stated with respect to a single graph edge
(network connection)
• Rule takes form of a tuple:
(action, time, source, destination, protocol,
stage, status, . . . .)
10/06