Post on 08-Jan-2016
description
New Methods in Attack Detection
Shambhu Upadhyaya (PI)Computer Science and Engineering
University at Buffalo
Kevin Kwiat (Program Manager)Air Force Research Lab, Rome, NY
CEISARE @2
Overall Outline
Road map
Significant accomplishments
Publications
Specific research projects
Results
Conclusion
CEISARE @3
Road Map I
Research Projects Encapsulation of owner’s intent (1998)
Reasoning framework for IDS (1999)
Secure voting protocol work (2000)
IDS simulation (2001)
Encapsulation of program’s intent, Building secure enclaves (2002)
Funding AFOSR seed grant (1999)
AFOSR grant through AFRL and in part through ACRC (2000 – 2004)
AFOSR summer fellowships (through RDL, II and NRC)
DARPA seedling (2003)
CEISARE @4
Road Map II
Students supported Kiran Mantha, MS, 2001 (Deloitte & Touche, NY)
Ramkumar Chinchani, MS, 2002 (PhD student)
Neelesh Arora, MS, 2003 (Thomson Financial, NY)
Ashish Garg (PhD student)
Anusha Iyer (PhD student)
Aarthie Muthukrishnan (MS student)
Madhu Chandrasekharan (MS student)
Others involved Ben Hardekopf (AFRL)
Alex Eisen (IASP Scholar)
Melissa Thomas (IASP Scholar)
CEISARE @5
Significant Accomplishments Research
Several publications, 1MS Thesis (2001), 1 Ph.D. dissertation (2004)
Funding from other agencies such as DARPA, NSA/ARDA
Conference/Workshops Panel organization (IEEE SRDS 2000), Tutorial in IEEE MILCOM 2002
Plenary talk at MMM-2003, St. Petersburg, Russia (upcoming)
Academic Center of Excellence status from NSA (2002), funding from DoD
Kevin Kwiat appointed as Research Associate Professor in CSE Dept.
Media Research cited in Scientific American, Dec. 2002
Associated Press coverage of MILCOM 2002 work
CEISARE @6
Publications Conferences/Workshops
SCS International SPECTS, 1999 (Upadhyaya & Kwiat)
SCS SSC, 2000 (Mantha, Chinchani, Upadhyaya, Kwiat)
IEEE Aerospace Conf. , 2001 (Hardekopf, Kwiat, Upadhyaya)
IEEE SMC Workshop, 2001 (Upadhyaya, Chinchani, Kwiat)
IEEE SRDS, 2001 (Upadhyaya, Chinchani, Kwiat)
SCS Int. SPECTS, 2001 (Hardekopf, Kwiat, Upadhyaya)
IEEE MILCOM, 2002 (Chinchani, Upadhyaya, Kwiat)
IEEE Int. IA Workshop, 2003 (Chinchani, Upadhyaya, Kwiat)
Book Chapter Kluwer Academic Press, 2003
Journals Several papers in the works
CEISARE @7
Research Projects Encapsulation of owner’s intent – Concept development, preliminary
simulation, investigation of scalability (Ref: Upadhyaya, Kwiat, SPECTS
1999, Mantha, Chinchani, Upadhyaya, Kwiat, SCSC 2000, IEEE MILCOM
2003)
Reasoning about intrusions (Chinchani, Upadhyaya, Kwiat, IEEE SMC
2001, SRDS 2001)
Building secure enclaves (Chinchani, Upadhyaya, Kwiat, IEEE IAW 2003)
Simulation support for IA experiments (Garg, Upadhyaya, Chinchani,
Kwiat, SCSC 2003)
Secure voting protocols (Hardekopf, Kwiat, Upadhyaya, IEEE Aero 2001)
CEISARE @8
Encapsulation of Owner’s Intent – A New Proactive Intrusion Assessment Paradigm
Very few anomaly detection systems work well
A major factor overlooked is User
Bring the user into the loop
Encapsulation of user’s intent serves as a “certificate”
Can you make more accurate detection decisions?
Working at high level attaches greater significance to semantics
to user’s operations
Contributes to user’s affirming the truth in COA
CEISARE @9
Where Does Our Work Fit In?
CEISARE @10
Salient Features of our IDS Handling threats posed by insiders
Rule-based misuse detectors not very successful
Anomaly detectors are more promising, but not practical due to
involved data collection, learning and high false alarms
Based on generation of a run-time plan for users
Composing verifiable assertions based on queries of users
Idea is based on sound principles of signature analysis
Does away with audit trail analysis
Detection of intricate and subtle attacks
Lower detection latency
CEISARE @11
Outline of the Central Topic Background and related work
Guidelines through lessons learned
An analogy and demonstration of Basic principle
Implicit vs Explicit intent encapsulation
Implementation of a small system
Related problems
Reasoning framework
Who watches the watcher?
Secure voting in distributed systems
Generic simulation platform development
Summary
CEISARE @12
Background and Related Work
Rule based [Ilgun et al., 95], [Cheng, 02], Wagner & Dean,
01]
Program behavior based [Ko et al., 97]
User behavior based [Spyrou, 96]
RBAC [Ferraiolo & Kuhn, 92]
Real-time detection (NADIR)
Distributed and concurrent schemes (DIDS, GrIDS,
EMERALD)
CEISARE @13
Guidelines
Use the principle of least privilege to achieve better
security
Use mandatory access control wherever appropriate
Data used for intrusion detection should be kept
simple and small
Intrusion detection capabilities are enhanced if
environment specific factors are taken into account
CEISARE @14
Thinking Out of the Box
RULES:
All 9 dots should be connected with no more than 4 straight lines
No tracing back and must be done without taking off your hand
CEISARE @15
Analogy from Control Flow Checking
Generate compile-time signatures & assertions and embed them into instruction stream
Monitor execution and look for discrepancy Technique is based on sound principles – EDC/ECC
SIG-REG SIG-GEN CU BD
COMPARATOR
AddressProcessorMemory
BUS
Tags Reset
Error Signal
CEISARE @16
Basic Principle
AssertionGenerator
SessionScope
FilterPlan
Generator
SprintPlan
RuntimeWatchdog
Engine
Tolerance limits,Counters,
Thresholds etc..
User
One-time effort
Runtime effort
RuntimeCommands
Intrusion Signal
CEISARE @17
User Intent Encapsulation
CEISARE @18
Intent as a Certificate
Even when IDS is accurate, decision may be wrong
User cannot be held accountable if he contests
Bring the user into loop early on
User (bona fide or intruder) is queried for his intent
Expressed intent becomes a certificate of normal user
activity
Issues
Process of encapsulation shouldn’t be intrusive
Capture maximum information with min. effort to the user
CEISARE @19
Implicit vs. Explicit Intent
CEISARE @20
Sketch of the Algorithm User logs into the system
Chooses the job s/he wishes to performCheck the size of the session scope
If too large,warn userUser wants to change it
Launch inter work-space level monitor
Create workspaces for the jobs
Launch workspace level monitor thread per workspaceLaunch command level monitor thread per command
Authenticate command
Monitor Command
YES
LoopReport command type
Report object accessed
CEISARE @21
Simulation and Results
A university environment was simulated
Client-server architecture using Sun Ultra Enterprise 450 Model
4400 and Sun Ultra 5’s running Solaris 2.7
Intrusion scenarios
Legitimate user
Intruder
Two legitimate logins
First login from user, second login from intruder
First login from intruder, second login from user
Two intruders login
CEISARE @22
Test Cases
User activity collected over two months
Test cases grouped into four categories
1-user, 1-user with multiple logins, multiple users, multiple users
with multiple logins
Two sets of experiments – worst case and average case
Legitimate and intrusive operations
32 attacks
Obvious ones such as transferring /etc/passwd files, exploiting
vulnerabilities such as rdist, perl 5.0.1
Subtle attacks similar to mimicry attacks
CEISARE @23
Screenshots of Query Interface
CEISARE @24
Another Illustration
CEISARE @25
Runtime Monitoring Setup
CEISARE @26
Summary of Results
Summary 1 User, No Multiple Logins 1 User, With Multiple Logins 2 Users, No Multiple Logins 2 Users, With Multiple LoginsUser Detection 87.50% 78.60% 74.90% 91.90%and Latency 33.4 35 36.1 29User False Positives 12.50% 21.40% 25.10% 8.10%
False Negatives 0% 0% 0% 0%User Detection 98% 89% 100% 94.70%and Latency 0 11 0 9.6
Intruder False Positives 0% 0% 0% 0%False Negatives 2% 11% 0% 5.30%
Intruder Detection 99% 100% 98.20% 100%and Latency 0.4 0.7 0.6 0.5User False Positives 0% 0% 0% 0%
False Negatives 1.40% 0% 1.80% 0%Intruder Detection 56% 81.30% 77.40% 91.50%
and Latency 15.9 14.8 17 27Intruder False Positives 0% 0% 0% 0%
False Negatives 44% 18.70% 22.60% 8.50%
CEISARE @27
Some Research Questions
What if the user lies to the query?
How do you enhance performance?
Who is watching the watcher?
How do you perform more comprehensive
evaluation?
CEISARE @28
1) What if the User Lies?
A cognate user is expected to specify a focused
session-scope
Selection of overly permissive session-scope
must be discouraged
Can be done by penalizing a quality of service
Monitoring cost can be drawn from user’s
budget
CEISARE @29
2) Performance Enhancements
Profiling user operations
Take into consideration frequency of operations and
temporal characteristics of system usage
Dynamically updating session-scope
In the statistical anomaly detection engine, one could
prune rarely used operations from the session-scope
One could allow users to update/refine session-scope
(but may disrupt the learning process)
CEISARE @30
Reasoning Framework A critical problem with anomaly detection is false positive
Intrusion flagging requires more than set inclusion check
Not a binary decision – Sequences of operations need to be considered
Cost analysis
Cost of operation
Cost of deviation
Cost of monitoring
Actions at higher levels defined in terms of actions at lower levels
Eg.,: (ReadByte, WriteByte) -> (CreateFile,deleteFile,WriteFile) -
>(HardDisk)
CEISARE @31
Cost Analysis Based Reasoning
Reasoning by stochastic modeling of job activity
Two thresholds Tl and Th defined
When cost maps into mid region, situation ambiguous
Cost gradients used to shrink the window
Algorithms developed to trigger threshold movements so that a speedy decision on intrusion can
be arrived
(Ref: IEEE SRDS 2001)
Tl Th
Non-intrusive Indeterminate Intrusive
Accumulated Cost, monotone, non-decreasing
CEISARE @32
3) Who is Protecting the Protector?
Tamper-resistant security monitoring Available choices
Replication (Chameleon at UIUC) Layered Hierarchy (AAFID at Purdue) Both can be easily compromised
Proposed solution Circulant graph Overhead is manageable There is no mutual trust
among the watchers (Ref: IEEE IWIA 2003)
CEISARE @33
4) Comprehensive Evaluation
0
20
40
60
80
100
120
140
1980 1985 1990 1995 2000 2005
Time
Intr
usi
on
det
ecti
on
mo
del
s
Current status of IDS
CEISARE @34
Our Approach
A generic platform for intrusion modeling and testing of
IDS
Desirable features
Test and evaluate any intrusion detection model
Measure performance for improvement
Consider variety of intrusion scenarios
Collect pre-deployment measures
Analogy is drawn from network simulators
CEISARE @35
What Exists in the Open? Other approaches
Razak: Network intrusion simulation
Schiavo & Rowe: Intrusion detection tutors
Roberts: Simulation of Malicious Intruders
What is lacking above?
None of the above provide a generic platform for
modeling and simulation
Performance of models cannot be evaluated
CEISARE @36
Our Steps
Study features of a variety of IDS
Consider network simulation and OS simulation
Develop a common language to facilitate various formats
conversion (interoperability)
Perform some case studies
(Ref: SCS SCSC 2003)
Even monitoring, Access control subsystems
CEISARE @41
Work in Progress
Intrusion detection and Proactive recovery (subcontract
to Colorado State University)
Dynamic Reasoning based User Intent Driven IDS
(DRUID) prototype development (DARPA seedling)
GUI for session scope input
Command monitor
Statistical Engine
Data analysis, training and testing
CEISARE @42
Prototype Status
CEISARE @43
Security Enhancement in Distributed Voting – A Related Project
Joint work with UB and AFRL
Guaranteeing owner’s intended result by
distributed monitoring and voter isolation
Uniquely combines fault tolerance and security
Doesn’t require trusted third party
CEISARE @44
Danger of 2-Phase Commit Protocol
• Phase 1: processors distribute their results and vote on them such that each processor determines the majority
• Phase 2: processor in the majority commits result to the user
User waits for
majority result
User is sent
malicious result -
majority trustworthy
SELF-DESTRUCT
CEISARE @45
Timed-Buffer Distributed Voting
• Addresses “last mile” of distributed voting
• Buffer until “silence is consent”
• Reverses 2-phase commit protocol
– Instead of voting then committing - commits first (to buffer) then votes (period of dissension)
– Prevents disastrous commit phase - unlikely for classical fault tolerance but not information attack
Suspect results buffered
Integrity restored and buffer released
untrustworthy trustworthy
CEISARE @46
ACRC Application of TB-DVAWIRELESS CLIENT
SECURE WIRELESS LINKSECURE WIRED LINK
GATEWAYSECURE SERVER
SECURE DATA IS EXPOSED
(when translated from IP standards to wireless and vice-a-versa)• Apply fault tolerance techniques to protect, detect, and react to attacks and enable service restoration
CEISARE @47
Summary
Developed a new intrusion assessment
paradigm – Encapsulation of owner’s intent
Brings user into the loop
User’s encapsulated intent serves as a
certificate
Feasibility study
Practical implementation study