Post on 28-Dec-2015
Toward Self-directed Intrusion Toward Self-directed Intrusion DetectionDetection
Paul BarfordAssistant ProfessorComputer ScienceUniversity of Wisconsin
June, 2005
wail.cs.wisc.edu 2
Motivation - the goodMotivation - the good
• Network security analysts have many tasks– Abuse monitoring– Audit and forensic analysis– Firewall/ACL configuration– Vulnerability testing– Policy– Liaison
• Network management• End host management
wail.cs.wisc.edu 3
Motivation - the badMotivation - the bad• Adversaries are smart• Vulnerabilities and threats are significant
– Worms• Slammer, Blaster, Sasser, Witty, MyDoom, etc.• Persistent and growing background radiation (Pang et al. ‘04)
– Scans• Billions per day Internet-wide and growing (Yegneswaran et al.
‘03)
– Viruses• No longer clearly defined (eg. Agobot)
– DDos• Bot-nets consisting of hundreds of thousands of drones
wail.cs.wisc.edu 4
Motivation - the ugly (sort of)Motivation - the ugly (sort of)
• Network intrusion detection systems (NIDS)– Static signatures - hard to tune and maintain– Lots of alarms– Scalability problems
• Firewalls and intrusion prevention systems– Limited capability
• Bulletin boards and commercial services– May not be timely enough
• Traffic monitors (eg. FlowScan, AutoFocus)– A step in the right direction
wail.cs.wisc.edu 5
ObjectiveObjective• Network situational awareness based on self-
directed network intrusion detection– “The degree of consistency between one’s perception
of their situation and reality”– “An accurate set of information about one’s
environment scaled to a specific level of interest”– Expand notions of traditional abuse monitoring and
forensic analysis• Adapts to malicious traffic
– Front-end for firewalls/IPS
wail.cs.wisc.edu 6
MechanismsMechanisms• Data sharing between networks
– Eg. DOMINO (Yegneswaran et al., NDSS ‘04)
• Monitoring unused address space– Eg. iSink (Yegneswaran et al., RAID ‘04)– Eg. BroSA (Yegneswaran et al. ‘05)
• Automatic generation of resilient signatures– Eg. Nemean (Yegneswaran et al., USENIX Security
‘05)
wail.cs.wisc.edu 7
DOMINO architectureDOMINO architecture
• Hierarchical overlay network– Descending order of security and trust
• Data sharing– XML-based schema– Summary exchange protocol extends IDMEF– Push or pulling periodically
• Data/alert fusion and filtering – Subject of on-going research (eg, Barford et al.
Allerton, ‘04)
wail.cs.wisc.edu 8
Unused address monitoringUnused address monitoring• Packets are (nearly) all malicious
– There have been some very weird misconfigurations• Enables active responses
– Key for understanding details• Widely available
– We monitor four class B’s and one class A– Useful in large and small
• Easier to share this data
wail.cs.wisc.edu 9
iSink architectureiSink architecture
• Passive component: Argus– libpcap-based monitoring tool
• Active component: based on Click modular router– Library of stateless responders to collect details
of intrusions
• NAT filter: to manage (redundant) traffic– Source/destination filtering
wail.cs.wisc.edu 10
Activities on ports (port 135)Activities on ports (port 135)
• Distribution of exploits varies with network– 170 byte requests on Class
A– Blaster, RPC-X1 all 3
networks– Welchia LBL– Empty connections
• UW Networks
wail.cs.wisc.edu 11
Real-time honeynet reportsReal-time honeynet reports
• Bro plug-in for situational summary generation– Periodic reports
• New events• High variance events• Low variance events• Top profiles
– Adaptive
• NetSA in depth– Identify large events quickly– On-going
wail.cs.wisc.edu 12
Semantics-aware signaturesSemantics-aware signatures
• Objective: automated generation of resilient NIDS signatures– Signatures must be both specific and general
• Challenge: generate signatures for attack vectors that have never been seen– Multi-step and polymorphic attacks
• Approach: create a transformation algorithm to synthesize semantics-aware signatures from iSink data– Session and application protocol semantic awareness
(Sommer & Paxson, ‘03)
wail.cs.wisc.edu 13
Nemean architectureNemean architecture• Data abstraction
– Transport normalizer– Aggregation– Service normalizer
• Clustering– Group sessions/connections using similarity metric
• Signature generation– Machine learning to build finite state automata
wail.cs.wisc.edu 14
Signature example (Welchia)Signature example (Welchia)
• Multistage attack (3 steps)– GET / 200 OK– SEARCH / 411
Length Required– SEARCH /AAAA…
Start
Get /200
Search /411
Search /411 Get /
200
Search /AAAAA[more]400
Search /AAAAA[more]400Search /AAAAA[more]
400
wail.cs.wisc.edu 15
SummarySummary
• Malicious activity in the Internet is a huge problem and is likely to persist for a long time
• Current network security analysis tools are largely inadequate
• We advocate network situational awareness through self-directed intrusion detection– Distributed data sharing– Unused address space monitoring– Automated semantics-aware signature generation