Transcript PPT - Bro
Research & Development Roadmap
1
Outline
A New Communication Framework
Giving Bro Control over the Network
Security Monitoring for Industrial Control Systems
Parallelism on Concurrent Architectures
2
COMMUNICATION NG
3
Communication Today
Primitives
Sending events
&synchronized
Limitations
Model doesn’t scale; no hierarchies
Loose semantics: best effort service
No integration with persistence
Implementation lacks robustness
Two separate protocol implementations
4
Initial Proposal
Extend event propagation
Routing
Subscription groups
Push/pull models
Remove &synchronized (and the proxies...)
Add global, persistent data structure
Probably just key/value store
Explicit API
5
Initial Proposal (cont’d.)
Implementation
“Data nodes” in charge of tables; nodes attach
Receive updates and broadcast them back out
Limit values to atomic data types
Use existing libraries
Implement as a library
Trading “magic” for better semantics and control
6
GIVING BRO CONTROL OVER THE NETWORK
7
Objectives
Bro controls what it sees
Adapt the front-end load-balancing
Bro controls what the network does
Block, steer, shape
8
Science DMZs
[Figure: ESNet Science DMZ topology with 100G and 10/100G links]
Source: ESNet
10
100 Gb/s Cluster
[Figure: a 100GE border router feeds a Science DMZ switch (API); a 100G load-balancer (API) fans the traffic out over 10GE links to the Bro cluster; control paths run from the Bro cluster back to the switch and the load-balancer]
11
Transparent Script Interface
Packet Acquisition
drop(entity)
sample(entity)
notify(entity, cond)
Packet Control
drop(entity)
sample(entity)
throttle(entity)
redirect(entity, destination)
12
Transparent Script Interface (cont’d.)
“Entity” could be very different things ...
Plugins implement what hardware supports
13
SECURITY MONITORING FOR ICS
14
Industrial Control Systems
Critical resources, yet lacking in protection
Often legacy hardware hard to protect
Not built with security in mind
Classic IDS not a good fit
Attacks rare / unknown
Behavioral approaches don’t take context into account
15
Industrial Control Systems (cont’d.)
Significant potential through incorporating semantics
Understand protocols Bro-style
Create visibility
Develop models of what we should be seeing
Anomaly detection could actually work here
16
First steps ...
Protocol support in 2.2
Modbus
DNP3
Only basic script analysis so far
17
Research Thrusts (1)
Measurement study: What do we see?
Actors, workloads, cross-site characterization
As we do that, extend Bro’s logging
Environments
Municipal water and gas plants
Campus power-plant
Building automation at a large research lab
Looking for more ...
18
Research Thrusts (2)
Semantic models for monitoring
Statistical profiling
Summary statistics framework
Power Grid State Model
PLC Memory Maps
19
PLC Memory Maps
Categorize registers
Constant, attribute, continuous
Derive predictive models
... and validate them
20
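The register categorization and model validation sketched on this slide, as an added illustration (not Bro code): readings are constructed Modbus holding-register values, and the class thresholds and range slack are hypothetical tuning knobs.

```python
# Constructed sample: Modbus holding-register readings per poll cycle
# (register address -> observed values); not data from any real plant.
OBSERVED = {
    40001: [1, 1, 1, 1, 1, 1, 1, 1],                  # config word: never changes
    40002: [0, 0, 1, 1, 0, 2, 1, 0],                  # pump mode: few discrete states
    40003: [512, 515, 519, 523, 521, 518, 524, 527],  # tank level: drifts
}

def categorize(values, max_states=4):
    """Assign a register to one of the slide's three classes.
    max_states is a hypothetical threshold separating attributes from
    continuous values."""
    distinct = set(values)
    if len(distinct) == 1:
        return "constant"
    if len(distinct) <= max_states:
        return "attribute"
    return "continuous"

def derive_model(observed, slack=0.1):
    """Predictive model per register: the exact value for constants, the
    allowed set for attributes, a padded [min, max] range for continuous
    registers (slack is a hypothetical padding factor)."""
    model = {}
    for reg, values in observed.items():
        kind = categorize(values)
        if kind == "constant":
            model[reg] = (kind, values[0])
        elif kind == "attribute":
            model[reg] = (kind, frozenset(values))
        else:
            lo, hi = min(values), max(values)
            pad = (hi - lo) * slack
            model[reg] = (kind, (lo - pad, hi + pad))
    return model

def validate(model, reading):
    """Return (register, class, value) for each reading that violates the model."""
    violations = []
    for reg, value in reading.items():
        kind, expected = model[reg]
        if kind == "constant" and value != expected:
            violations.append((reg, kind, value))
        elif kind == "attribute" and value not in expected:
            violations.append((reg, kind, value))
        elif kind == "continuous" and not (expected[0] <= value <= expected[1]):
            violations.append((reg, kind, value))
    return violations

MODEL = derive_model(OBSERVED)
# New poll: the config word was rewritten, everything else is in profile.
NEW_POLL = {40001: 7, 40002: 1, 40003: 526}
```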
PARALLELISM ON CONCURRENT ARCHITECTURES
21
Concurrency Potential
22
Concurrent Analysis
[Figure: Bro pipeline. Network → Packets → Event Engine (Protocol Decoding) → Events → Policy Script Interpreter (Analysis Logic) → Logs and Notification]
23
Architecture
[Figure: concurrent architecture. Network → Packet Dispatcher (NIC) → Packet Analysis in Event Engine Threads → Events → Script Threads running the Detection Logic in the Scripting Language → Notification]
24
New Platform: Abstract Machine
A High-Level Intermediary Language for Traffic Inspection
Domain-specific Data Types
State Management
Concurrent Analysis
Real-time Performance
Robust/Secure Execution
High-level Standard Components
First-class networking types built-in
Containers with state management support
Domain-specific concurrency model
Scalability through parallelization
Well-defined, contained execution environment
Platform for building high-level, reusable functionality on
Timers can drive execution
Support for incremental processing
Compilation to native code
Static type-system, and robust error handling
Extensive optimization potential
26
HILTI Toolchain
A High-Level Intermediary Language for Traffic Inspection
27
Research Questions
How to identify state dependencies?
Static program analysis to drive scheduling
How to leverage hardware capabilities?
E.g., network processors, hardware lookup modules
28
HILTI enables more ...
BinPAC++ Demo
29
Robin Sommer
International Computer Science Institute, &
Lawrence Berkeley National Laboratory
http://www.icir.org/robin
30