Algebra For Capability Based Attack Correlation
Transcript of Algebra For Capability Based Attack Correlation
![Page 1: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/1.jpg)
ALGEBRA FOR CAPABILITY BASED ATTACK CORRELATION
WISTP 2008
![Page 2: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/2.jpg)
OUTLINE
• Introduction
• Capability Model
• Algebraic structures of the Capability model
• Alert correlation using the Capability model
• Conclusion
![Page 3: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/3.jpg)
INTRODUCTION
• Increasing security concern: more sensitive data is stored than before
• Increasing use of sophisticated attack tools and their automation (CERT's overview of attack trends, 2002-04-18)
• IDS: the most commonly used security and surveillance monitoring tool for the network infrastructure
![Page 4: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/4.jpg)
INTRODUCTION
Attack correlation techniques, grouped by reasoning type and by how the correlation knowledge is acquired:

| Reasoning type | Manual knowledge acquisition |
| --- | --- |
| Rules-based | Prolog tools, SEC, ASAX |
| Attack scenarios-based | LAMBDA (MIRADOR project), AdeLe, JIGSAW, Hyper-alerts |
| Uncertainty | Fuzzy logic techniques, Possibilistic models, Dempster-Shafer theory |
| Temporal | Chronicles |
| Neural networks-based | Feed-forward networks (BP-based algorithms), Self-Organizing Maps |
| Bayesian-belief | CIDS, EMERALD e-Bayes |
| Others | STAT, M2D2, IMPACT, M-Correlator (EMERALD) |

Automatic knowledge acquisition: clustering techniques; data mining (association rules, etc.); Log Weaver; SPICE.

Source: Pouget, Fabien, and Marc Dacier. Alert correlation: Review of the state of the art. Technical Report EURECOM+1271, Institut Eurecom, France, Dec 2003.
![Page 5: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/5.jpg)
DRAWBACKS
• A state-based approach cannot handle missing alerts
• Intermediate redundant steps
• Attack variants
![Page 6: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/6.jpg)
EXAMPLE
Attack correlation using system state: Establish connection → Buffer overflow → Password file modified
Capability-based: Can access a host → Have credential to use a service → Have root privilege
Zhou et al., Modeling Network Intrusion Detection Alerts for Correlation, ACM Transactions on Information and System Security, Vol. 10, No. 1, Article 4, February 2007.
![Page 7: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/7.jpg)
RELATED WORK
Logical connections among alerts in an intrusion incident? Requires/Provides model (JIGSAW; Templeton and Levitt, 2000).
A systematic model to precisely define the logical relationship? Capability model (Jingmin Zhou et al., Feb 2007).
To make a mature capability model one needs to know the basic characteristics of a capability in the context of attack correlation, which requires identifying its algebraic properties.
![Page 8: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/8.jpg)
CAPABILITY MODEL
Alerts are mapped to capabilities of a connection. A capability is a 6-tuple (source, destination, action, service and property, credential, time interval): "from the source to the destination, [one] can perform the action with the credential (on the property) of the service within a time interval".
An attacker is described by the capability set accumulated so far.
![Page 9: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/9.jpg)
Attributes and example values
• Service: e.g. File Management, Database Management
• Property (of File Management): e.g. Path, Permission
• Interval: From, Between
• Action: e.g. Read; Block (block, delay, spoof, pause, abort, unblock)
• Credential: e.g. Updaters, Administrator; root, navneet
![Page 10: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/10.jpg)
ACTION TYPE

| Action type | Action values |
| --- | --- |
| Read | read, list, know |
| Write | create, modify, append, delete |
| Communicate | send, recv, connect, encrypt, decrypt |
| Exec | invoke, exec |
| Block | block (not permitted to run), delay (slow down), spoof (can replace), pause (can be stopped at any time), abort (forcefully terminate), unblock |
![Page 11: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/11.jpg)
DIRECT & INDIRECT CAPABILITY
Figure: example network with an external user and an intruder on the Internet, a router and a firewall, a DMZ (mail server, web server, DNS server) and the internal LAN.
![Page 12: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/12.jpg)
Direct and Indirect Capability
Outcome of an attack step: success or failure.
• Direct capability: know that the file exists; can open the file
• Indirect capability: can use the credit card; can send fake mail; can masquerade as a benign user; etc.
![Page 13: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/13.jpg)
WHY THE TIME NOTION
Attacker A can read any file of machine M from his machine H using the credential labUser:
Capability: {source H, destination M, labUser, read, (file(all), content)}, with an unbounded validity period.
User U has opened his email account between 10 AM and 11 AM:
Capability: {source H, destination M, labUser, read, (file(email), content)}, with a bounded validity period, i.e. [10AM-11AM].
![Page 14: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/14.jpg)
Algebraic structures
• Relations: Overlapped, Mutually Exclusive, Independent
• Operations: Join, Split, Reduce, Subtract
• Inference: Comparable Inference, Resultant Inference, Compromise Inference, External Inference
![Page 15: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/15.jpg)
OPERATIONS
![Page 16: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/16.jpg)
JOIN
Example (tuple order as on the slide: source, destination, credential, action, service, property, time):
(IP:10.20.5.2, IP:10.20.1.1, root, send, IIS, ftp, Time)
joined with (IP:10.20.5.2, IP:10.20.1.1, root, receive, IIS, ftp, Time)
gives (IP:10.20.5.2, IP:10.20.1.1, root, communicate, IIS, ftp, Time)
![Page 17: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/17.jpg)
JOIN
![Page 18: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/18.jpg)
SPLIT
(IP:10.20.5.2, IP:10.20.1.1, root, read and write, /etc/password, content, Tmp)
splits into
(IP:10.20.5.2, IP:10.20.1.1, root, read, /etc/password, content, Tmp)
(IP:10.20.5.2, IP:10.20.1.1, root, write, /etc/password, content, Tmp)
![Page 19: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/19.jpg)
REDUCE
Reduce C2, C1
Example (the two capabilities differ only in the credential, root vs. Bob):
Cap1 = (SLab, Dlab, W, /home/Bob/xyz, content, root, Between:1997-07-16T19:20:30+01:00[+1H])
Cap2 = (SLab, Dlab, W, /home/Bob/xyz, content, Bob, Between:1997-07-16T19:20:30+01:00[+1H])
![Page 20: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/20.jpg)
SUBTRACT
![Page 21: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/21.jpg)
Algebraic structures (overview repeated as a section divider): Relations (Overlapped, Mutually Exclusive, Independent); Operations (Join, Split, Reduce, Subtract); Inference (Comparable, Resultant, Compromise, External).
![Page 22: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/22.jpg)
CAPABILITY RELATION
Containment, Overlapped vs. Independent, Mutually Exclusive
Figure: C1 and C2 drawn as regions: Containment (one inside the other), Overlapped (partly overlapping), Independent (disjoint).
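The relations (containment, overlapped, independent, mutually exclusive) and the operations join, split, reduce and subtract from the slides above, implemented as an added Python example; this is not the authors' code. Everything beyond what the slides print is an assumption made here: the action-type table is reused to decide what join may merge (send + receive becomes the communicate type, as on the JOIN slide), "All files" acts as a wildcard in the service slot, root subsumes every other credential, the validity period is a (start, end) pair with None for an unbounded side, a join is valid on the intersection of its operands' intervals, and two capabilities on the same connection with disjoint validity periods are treated as mutually exclusive.

```python
"""Capability algebra of the slides as an added, runnable example (not the authors'
code): the relations containment / overlapped / independent / mutually exclusive and
the operations join, split, reduce, subtract over the 6-tuple capability.  Assumed here:
the action-type table reused for join, 'All files' as a wildcard in the service slot,
root subsuming every other credential, (start, end) intervals with None = unbounded,
and a join valid on the intersection of its operands' intervals."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

ACTION_TYPE = {v: t for t, vals in {      # action value -> action type (slide 10);
    "read": ["read", "list", "know"],     # the bare value 'write' is added for slide 18
    "write": ["write", "create", "modify", "append", "delete"],
    "communicate": ["send", "recv", "connect", "encrypt", "decrypt"],
    "exec": ["invoke", "exec"],
    "block": ["block", "delay", "spoof", "pause", "abort", "unblock"],
}.items() for v in vals}
ALL_FILES = "All files"
Interval = Tuple[Optional[datetime], Optional[datetime]]

@dataclass(frozen=True)
class Cap:
    src: str
    dst: str
    actions: FrozenSet[str]             # one or more action values
    service: str                        # object acted on: a path, "IIS", ALL_FILES
    prop: str                           # property of the service: "content", "ftp", ...
    cred: str
    interval: Interval = (None, None)   # unbounded validity period by default

    def action_type(self) -> Optional[str]:
        types = {ACTION_TYPE[a] for a in self.actions}
        return types.pop() if len(types) == 1 else None

def _lo(t): return datetime.min if t is None else t
def _hi(t): return datetime.max if t is None else t

def interval_contains(outer: Interval, inner: Interval) -> bool:
    return _lo(outer[0]) <= _lo(inner[0]) and _hi(inner[1]) <= _hi(outer[1])

def interval_overlaps(a: Interval, b: Interval) -> bool:
    return _lo(a[0]) <= _hi(b[1]) and _lo(b[0]) <= _hi(a[1])

def interval_intersection(a: Interval, b: Interval) -> Interval:
    lo = None if a[0] is None and b[0] is None else max(_lo(a[0]), _lo(b[0]))
    hi = None if a[1] is None and b[1] is None else min(_hi(a[1]), _hi(b[1]))
    return (lo, hi)

def service_contains(a: str, b: str) -> bool:
    return a == b or a == ALL_FILES

def cred_contains(a: str, b: str) -> bool:
    return a == b or a == "root"

def contains(c1: Cap, c2: Cap) -> bool:
    """Containment relation: everything c2 permits, c1 permits too."""
    return (c1.src == c2.src and c1.dst == c2.dst and c1.prop == c2.prop
            and service_contains(c1.service, c2.service)
            and c2.actions <= c1.actions and cred_contains(c1.cred, c2.cred)
            and interval_contains(c1.interval, c2.interval))

def relation(c1: Cap, c2: Cap) -> str:
    if contains(c1, c2) or contains(c2, c1):
        return "containment"
    same_object = ((c1.src, c1.dst, c1.prop) == (c2.src, c2.dst, c2.prop) and
                   (service_contains(c1.service, c2.service) or
                    service_contains(c2.service, c1.service)))
    if not same_object:
        return "independent"
    # Same connection and object, neither subsuming the other: they coexist only if
    # their validity periods overlap, otherwise they are mutually exclusive.
    return "overlapped" if interval_overlaps(c1.interval, c2.interval) else "mutually exclusive"

def join(c1: Cap, c2: Cap) -> Cap:
    """Merge capabilities that differ only in action (slide 16: send + receive)."""
    key = lambda c: (c.src, c.dst, c.service, c.prop, c.cred)
    if key(c1) != key(c2):
        raise ValueError("join: not the same connection, service, property and credential")
    if c1.action_type() is None or c1.action_type() != c2.action_type():
        raise ValueError("join: actions belong to different action types")
    if not interval_overlaps(c1.interval, c2.interval):
        raise ValueError("join: validity periods do not overlap")
    return replace(c1, actions=c1.actions | c2.actions,
                   interval=interval_intersection(c1.interval, c2.interval))

def split(c: Cap) -> List[Cap]:
    """One capability per action value (slide 18: read and write -> read, write)."""
    return [replace(c, actions=frozenset({a})) for a in sorted(c.actions)]

def reduce(caps: Iterable[Cap]) -> Set[Cap]:
    """Keep only maximal capabilities: drop each one contained in another."""
    caps = list(caps)
    return {c for c in caps if not any(o != c and contains(o, c) for o in caps)}

def subtract(caps: Iterable[Cap], lost: Cap) -> Set[Cap]:
    """Remove `lost` and everything it contains from the attacker's capability set."""
    return {c for c in caps if not contains(lost, c)}

# Examples taken from the slides (IPs, hosts and credentials as printed there).
T0 = datetime(1997, 7, 16, 19, 20, 30)
HOUR = timedelta(hours=1)
C_SEND = Cap("10.20.5.2", "10.20.1.1", frozenset({"send"}), "IIS", "ftp", "root")
C_RECV = replace(C_SEND, actions=frozenset({"recv"}))
C_RW = Cap("10.20.5.2", "10.20.1.1", frozenset({"read", "write"}), "/etc/password", "content", "root")
CAP_ROOT = Cap("SLab", "Dlab", frozenset({"write"}), "/home/Bob/xyz", "content", "root", (T0, T0 + HOUR))
CAP_BOB = replace(CAP_ROOT, cred="Bob")
C_PASSWD = Cap("pushpa", "dblab", frozenset({"read"}), "/etc/passwd", "content", "user1", (T0, T0))
C_ALLFILES = replace(C_PASSWD, service=ALL_FILES)
C_PASSWD_LATER = replace(C_PASSWD, interval=(T0 + HOUR, T0 + HOUR))
C_PASSWD_MAIL = replace(C_PASSWD, dst="mail")

if __name__ == "__main__":
    print(join(C_SEND, C_RECV).action_type())          # communicate
    print([sorted(p.actions) for p in split(C_RW)])     # [['read'], ['write']]
    print(reduce({CAP_ROOT, CAP_BOB}) == {CAP_ROOT})    # True
    print(relation(C_PASSWD, C_ALLFILES), "/", relation(C_PASSWD, C_PASSWD_LATER))
```

The REDUCE slide's pair reduces to the root capability because root is assumed to subsume Bob; if the credential ordering is dropped, `reduce` keeps both, which is the behaviour a practitioner should expect when credentials are not comparable.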
![Page 23: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/23.jpg)
Algebraic structures (overview repeated as a section divider): Relations (Overlapped, Mutually Exclusive, Independent); Operations (Join, Split, Reduce, Subtract); Inference (Comparable, Resultant, Compromise, External).
![Page 24: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/24.jpg)
COMPARABLE
Two capabilities are comparable if they have:
• the same value of source, destination and action
• the same type of service and property
• the same time interval
Example:
C1 = (pushpa, dblab, read, /etc/passwd, content, user1, at:1997-07-16T19:20:30+01:00)
C2 = (pushpa, dblab, read, All files, content, user1, at:1997-07-16T19:20:30+01:00)
![Page 25: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/25.jpg)
COMPARABLE INFERENCE
One capability can be logically inferred from another capability.
C1 = (src, dst, read, /etc/passwd, content, user1, t1)
C2 = (src, dst, read, All files, content, user1, t2)
C1 can be logically inferred from C2 if t1 and t2 belong to the same time window.
C3 = (src, dst, know, All accounts, name, user1, t1)
C4 = (src, dst, read, /etc/passwd, content, user1, t2)
C3 can be logically inferred from C4 if t1 and t2 belong to the same time window.
![Page 26: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/26.jpg)
EXTERNAL INFERENCE
If C1 and C2 are two capabilities such that
• c2.dest = c1.source, and
• c2 is the capability to run an arbitrary program,
then C1 can be inferred from C2: an attacker who can execute arbitrary code on a host gains every capability whose source is that host.
![Page 27: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/27.jpg)
CAPABILITY MODEL BASED CORRELATION
![Page 28: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/28.jpg)
CORRELATING ALERTS USING THE MODIFIED CAPABILITY MODEL
H-alert, M-attack, correlation algorithm
![Page 29: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/29.jpg)
H-ALERT
A raw IDS alert is mapped to an H-alert that carries a require capability set, a provide capability set and the raw attributes (time, direction, ...); the sets are kept in capset and haset.
H-alerts i1, ... with their timestamps are correlated into an M-attack.
Timestamp format: [2007-12-06T18:13:30+05:30]
![Page 30: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/30.jpg)
CORRELATION ALGORITHM
![Page 31: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/31.jpg)
![Page 32: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/32.jpg)
PROS AND PITFALLS
Join
• Benefit: minimizes the number of comparisons
• Pitfall: costly, because it is recursive
Split
• Benefit: only direct inference is needed while correlating
• Pitfalls: redundancy; unnecessary splits increase the number of comparisons
![Page 33: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/33.jpg)
ALTERNATE WAYS
• Way 1: only join
• Way 2: only split
• Way 3: both join and split
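The H-alert correlation described on the preceding slides (require/provide capability sets, timestamps, H-alerts grouped into an M-attack), written out as an added Python example; it is not the authors' algorithm. A later alert is linked to an earlier one when something the earlier alert provides satisfies something the later one requires within a time window. "Satisfies" covers a direct match, comparable inference through the "All files" wildcard, resultant-inference rules (reading /etc/passwd yields knowledge of all account names, as on the comparable-inference slide) and external inference (arbitrary-program execution on a host yields every capability sourced from that host). The tuple layout, the rule table, the one-hour window, the host names and the five alerts are all constructed here; the out-of-window alert shows the failure mode of a provider that is too old to be linked.

```python
"""H-alert correlation over require/provide capability sets, as an added example (not
the authors' algorithm).  Alert B is correlated with an earlier alert A when something A
provides satisfies something B requires, within a time window.  'Satisfies' covers a
direct match, comparable inference through the 'All files' wildcard, a table of
resultant-inference rules (slide 25) and external inference (slide 26).  Tuple layout,
rule table, window length, host names and the alerts themselves are constructed here."""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Set, Tuple

class Cap(NamedTuple):
    src: str
    dst: str
    action: str
    service: str      # object acted on: a path, "db", ALL_FILES, "arbitrary program"
    prop: str
    cred: str

class HAlert(NamedTuple):
    id: str
    ts: datetime      # the slide keeps the timestamp on the alert, not the capability
    require: Set[Cap]
    provide: Set[Cap]

ALL_FILES = "All files"
WINDOW = timedelta(hours=1)   # assumed: a provider older than this is treated as unrelated

# Resultant-inference rules (assumed table): a capability matching the left
# (action, service, prop) on a connection implies the right one on the same connection.
RESULTANT_RULES = [
    (("read", "/etc/passwd", "content"), ("know", "All accounts", "name")),
]

def satisfies(have: Cap, need: Cap) -> bool:
    """Direct match; comparable inference via the wildcard service; or external
    inference: arbitrary execution on need.src lets the attacker act from that host."""
    if have == need:
        return True
    if have.service == ALL_FILES and have._replace(service=need.service) == need:
        return True
    return (have.dst == need.src and have.action == "exec"
            and have.service == "arbitrary program")

def closure(caps: Set[Cap]) -> Set[Cap]:
    """Close a provide set under RESULTANT_RULES (fixed point, so rules can chain)."""
    out = set(caps)
    while True:
        new = set()
        for c in out:
            for (a, s, p), (a2, s2, p2) in RESULTANT_RULES:
                if satisfies(c, c._replace(action=a, service=s, prop=p)):
                    new.add(c._replace(action=a2, service=s2, prop=p2))
        if new <= out:
            return out
        out |= new

def correlate(alerts: List[HAlert]) -> List[Tuple[str, str, Cap]]:
    """Edges (earlier_id, later_id, required capability) of the M-attack graph."""
    edges = []
    ordered = sorted(alerts, key=lambda a: a.ts)
    for j, later in enumerate(ordered):
        for earlier in ordered[:j]:
            if later.ts - earlier.ts > WINDOW:
                continue
            provided = closure(earlier.provide)
            for need in sorted(later.require):
                if any(satisfies(have, need) for have in provided):
                    edges.append((earlier.id, later.id, need))
    return edges

def m_attacks(alerts: List[HAlert], edges: List[Tuple[str, str, Cap]]) -> List[List[str]]:
    """Connected components of the correlation graph; a singleton is an uncorrelated alert."""
    parent = {a.id: a.id for a in alerts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for e, l, _ in edges:
        parent[find(e)] = find(l)
    groups = {}
    for a in alerts:
        groups.setdefault(find(a.id), []).append(a.id)
    return sorted(sorted(g) for g in groups.values())

# Constructed scenario: the intruder exploits the web server, then pivots to the DB host.
T0 = datetime(2007, 12, 6, 18, 13, 30)
EXEC_ON_WEB = Cap("intruder", "web", "exec", "arbitrary program", "code", "root")
CONNECT_DB = Cap("web", "db", "connect", "db", "port", "user1")
READ_ALL_ON_DB = Cap("web", "db", "read", ALL_FILES, "content", "root")
KNOW_ACCOUNTS = Cap("web", "db", "know", "All accounts", "name", "root")
ALERTS = [
    HAlert("A1", T0, {Cap("intruder", "web", "connect", "IIS", "ftp", "anonymous")}, {EXEC_ON_WEB}),
    HAlert("A0", T0 + timedelta(minutes=1),                      # unrelated noise alert
           {Cap("client", "mail", "send", "smtp", "message", "anonymous")}, set()),
    HAlert("A2", T0 + timedelta(minutes=5), {CONNECT_DB}, {READ_ALL_ON_DB}),
    HAlert("A3", T0 + timedelta(minutes=10), {KNOW_ACCOUNTS},
           {Cap("web", "db", "know", "passwords", "value", "root")}),
    HAlert("A4", T0 + timedelta(hours=3), {KNOW_ACCOUNTS}, set()),   # outside WINDOW
]

if __name__ == "__main__":
    E = correlate(ALERTS)
    for earlier, later, need in E:
        print(f"{earlier} -> {later} via {need.action} {need.service}")
    print(m_attacks(ALERTS, E))   # [['A0'], ['A1', 'A2', 'A3'], ['A4']]
```

Because the provide sets are closed under the rules before matching, every check in `correlate` is a direct one, which is the "only direct inference needed" benefit the previous slide attributes to splitting; the price is that `closure` runs once per alert pair, which is where the join/split trade-off of the same slide shows up in practice.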
![Page 34: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/34.jpg)
CONCLUSION
• Defined a modified capability model and the logical associations between capabilities.
• Added a semantic notion to avoid false correlations.
• Identified and defined the relations between capabilities and derived inference rules, along with their semantics, which are used in correlation.
![Page 35: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/35.jpg)
FUTURE WORK
• Develop a language for the whole framework.
• Optimize the algorithms to achieve better performance; in particular, optimize the join operation and use it in the alternate correlation algorithms. This would help make the whole system real-time with a low false rate.
• Model the defence capability of the security administrator.
![Page 36: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/36.jpg)
THANK YOU
![Page 37: Algebra For Capability Based Attack Correlation](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813e00550346895da7dd93/html5/thumbnails/37.jpg)
QUESTION?