An Introduction to Intrusion Detection System using Elytron
Intrusion Detection is the art of sensing when a system or network is being used inappropriately or without authorization. Without intrusion detection, an attacker can attempt attacks many times until an attack is finally successful. Intrusion detection allows for these attacks to be identified before a successful attack is likely to occur.
In this blog, we’ll talk about an architectural overview of a system that uses Elytron’s security events for intrusion detection & prevention and discuss briefly about each component and their interactions within the system as a whole. Later, we’ll understand the implementation & how the system’s architecture has been realised.
Elyton’s core concepts comprises Authentication & Authorization and is based on a Security Policy that utilises several smaller components together to work. In addition to that it provides support for security events which can indicate things like a failed authentication attempt for a particular user. These security events can be used to detect various attacks such as Brute force, Dictionary attack etc. So the high level idea is to log the security events in a data store system, and harness information provided to make predictions on a possible network breach.
The proposed architecture is as depicted in Figure 1. The idea here is to evaluate the risk posed by an authentication & authorization event based on its attributes & forfeit the event auth if the posed risk is above set threshold limits.
NOTE: A general IDS like any other auditing systems, consists of three parts: an agent, a director, and a notifier.
The agent corresponds to the logger. It acquires information from the target. The director corresponds to the analyzer.
It analyzes the data from the agents to determine if an attack is in progress or has occurred. The director then passes
this information to the notifier, which determines whether and how to notify the requisite entity.
The various components of our Intrusion Detection System (IDS) are :
-
Elytron’s Query System (Trigger)
-
Risk Analyzer (Director & Notifier)
-
Syslog Server (Passive Agent)
-
Elytron’s Syslogger (Agent)
In this architecture, Elytron’s Query System acts as a trigger, it resides inside of Elytron & queries the IDS for risk analysis of an event. Risk Analyzer has two submodules & acts as a Director i.e. it receives the query & analyses it for threats; as well as Notifier i.e. it provides the system with risk analysis. Elytron’s Syslogger resides inside Elytron and acts as Agent by logging every security event to an external Syslog server, which is a part of IDS & acts as a passive agent. Let’s discuss each component in greater detail.
Elytron’s Query System (Risk Role Decoder)
Elytron’s Query System resides in Elytron & implemented as a RoleDecoder. An Elytron RoleDecoder takes the raw AuthorizationIdentity return from SecurityRealm and converts its attributes into roles. RiskRoleDecoder makes use of runtime attributes to get hold of remote client’s IP addresses & provides a way to query the Risk Analyzer via Sockets to receive a risk score.
RiskRoleDecoder is provided with a threshold risk score, exceeding which leads to assigning empty roles to the auth event, which ultimately leads to authorization failure and further access is denied. In case an event is deemed safe, roles are assigned accordingly.
RiskRoleDecoder’s implementation can be found here.
Risk Analyzer
Risk Analyzer is a server module that acts as Director as well as Notifier in IDS. It takes in an IP address & returns a risk score in the range of 0 to 100. The risk score is used to make the authorization decisions based on a set threshold risk. Risk Analyzer comprises several different components : Risk Server Socket, Main Analyzer & Risk Calculator.
-
Risk Server Socket : Risk Server Socket is used to declare a socket server instance, required to open connection to the client. Once the socket has been set up, it will listen for connection until terminated. Current maximum connection limit has been set at 5. While introducing socket threading in future, a more versatile approach will be taken.
-
Risk Calculator : When Risk Analyzer receives a query, it sends the IP Address to Risk Calculator, which is backed by Blacklist IP dump, Rule Engine & a Learning Module. Results from all these will be aggregated & returned to the client.
Risk Analyzer is implemented in Python & communicates directly with Elytron via RiskRoleDecoder, which makes use of runtime attributes to access remote client’s IP address, & communicate via a temporary socket.
Implementation available at : https://github.com/piyush-palta/risk-analyzer
Syslog Server
Syslog server is a python based external server for syslogging of Elytron security events and acts as a Passive Agent. These events are logged using the inherent syslogging capabilities of the wildfly or undertow server. For now we’re using an undertow server, due to its sheer versatility. Both TCP & UDP syslogging is possible & with connections served as threads, it will easily scale for practical applications.
Implementation available at : https://github.com/piyush-palta/syslog-server
Elytron’s Syslogger (Inbuilt Syslog Auditing)
Elytron’s Syslogger acts as an agent and logs security events directly to the Syslog server. We are using inbuilt syslog auditing capabilities of the server. Undertow Standalone is a servlet implementation, which uses Wildfly Elytron. We are using this implementation to emit the security events.
Implementation available at : https://github.com/piyush-palta/undertow-standalone