
Endpoint Intrusion Detection and Response Agents in Embedded RAN Products: A suitability and performance evaluation (Swedish title: Intrusion Detection and Response in Endpoints in Embedded RAN Products: A Study of Suitability and Performance)

Endpoint detection and response is an integral part of the security of large-scale networks. Embedded hardware, such as that found at Ericsson Radio Access Network endpoints, has strict performance requirements that need to be met. This makes implementing intrusion detection non-trivial, as intrusion detection software often generates considerable processing overhead. Wazuh, an established open-source distributed and centralized intrusion detection and response system, shows a lot of promise as a large-scale intrusion detection system. It is very modular and has various capabilities that can be used in different ways to minimize processing overhead. One of these capabilities is native support for the Linux syscall monitoring tool AuditD. While AuditD is very capable, it can introduce severe performance penalties in certain scenarios. Falco is another syscall monitoring tool that shows promise with regard to performance and also has more features than AuditD, which is why Falco is included as a direct comparison to AuditD. This study evaluates Wazuh, AuditD, and Falco against a set of requirements defined by Ericsson, including flexibility, scalability and reliability, by running performance benchmarks while normal background operations are active. The results show that, with the correct configuration, Wazuh can be used as an intrusion detection system on embedded systems with limited hardware, where AuditD and Falco can serve as a valuable addition for detecting indicators of compromise. The proposed solution is to run a minimal intrusion detection ruleset and, in the event of suspicious activity, activate more modules to increase threat detection at the cost of CPU overhead and execution time for normal system operation.

Identifier: oai:union.ndltd.org:UPSALLA1/oai:DiVA.org:liu-186362
Date: January 2022
Creators: Hashem, Yousef; Zildzic, Elmedin
Publisher: Linköpings universitet, Institutionen för datavetenskap
Source sets: DiVA Archive at Uppsala University
Language: English
Detected language: English
Type: Student thesis, info:eu-repo/semantics/bachelorThesis, text
Format: application/pdf
Rights: info:eu-repo/semantics/openAccess