Analysis of the US-CERT DAC...(Figure of Merit) –Evaluate hours –Record # alerts, # source IP...
Transcript of Analysis of the US-CERT DAC...(Figure of Merit) –Evaluate hours –Record # alerts, # source IP...
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University
CERT® Network Situational Awareness GroupSoftware Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213-3890
The CERT Network Situational Awareness Group is part of the Software Engineering Institute.The Software Engineering Institute is sponsored bythe U.S. Department of Defense.
Analysis of the US-CERT DACJosh McNutt <[email protected]>
FloCon: Netflow Analysis Workshop
July 21, 2004
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University 2
Outline
• Data• Graphical Displays
• Detecting Trends• Anomaly Detection• Roadmap
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University 3
Data
• Snort– Signature-based alerts– Pre-processor alerts
• Origin– Multiple networks of varying size
• Volume– ~30-50 million alerts per month
• Ancillary Information– Country code– Netblock
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University 4
IDS Data: challenges
• No new attacks– Only matches known signatures
• Lack of context– Don’t know what we are not seeing
• Non-standardized signature rule sets– No administrative control
• Missing Data– Uncertainty: Sensor failure vs. no intrusion attempts
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University 5
TCP Destination Port Changes
-30.0%
-20.0%
-10.0%
0.0%
10.0%
20.0%
30.0%
40.0%
sid2sid9sid11sid13
sid2 39.7% 9.7% 4.2% 7.3% 5.2%
sid9 10.2% 4.1% 1.3% -18.0% -0.9%
sid11 4.0% 0.0% -15.9%-25.0% -7.6%
sid13 17.2% 0.0% -1.2% -0.4% -12.5%
Port 80
Port 119
Port 1080
Port 3128
Port 8080
Comparison of port activity across organizations shows monthlytrends.
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University 6
Share of New Source IP Addresses
0%
20%
40%
60%
80%
100%
1/1/
2004
1/8/
2004
1/15
/200
4
1/22
/200
4
1/29
/200
4
2/5/
2004
2/12
/200
4
2/19
/200
4
2/26
/200
4
Old source IP's
New source IP's
Share of new daily source IP addresses stays fairly consistent.
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University 7
Signature Class Transition
Transition probabilities highlight sequential patterns in data.• Current State
– Source IP records alert onDestination IP
• Transition probability– Percent chance for next
class of alert recorded
• Most source/dest combosinvolve only one signatureclass
• Small transition probabilityfor– Privilege Escalation
0.0% 5.0% 10.0% 15.0%
Transition Probability
Policy Violation
PrivilegeEscalation
Reconnaissance
SuspiciousActivity
Denial-of-Service
Cu
rren
t S
tate
Policy ViolationPrivilege EscalationReconnaissanceSuspicious ActivityDenial-of-Service
May 1, 2004
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University 8
Daily Transition Probabilities
Transition probabilities can be monitored over time toidentify consistent sequences.
Reconnaissance to Suspicious Activity
0%5%
10%15%20%25%30%35%40%45%50%
5/1/
2004
5/8/
2004
5/15
/200
4
5/22
/200
4
5/29
/200
4
Reconnaissance toSuspicious Activity
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University 9
Trend Detection
• Current month vs.previous month– Across organizations– % changes
• Time Series– Fit trend line
– Arbitrary time period
– Seasonal Components– Regression with ARMA
errors
-30.0%
-20.0%
-10.0%
0.0%
10.0%
20.0%
30.0%
40.0%
sid2sid9sid11sid13
sid2 39.7% 9.7% 4.2% 7.3% 5.2%
sid9 10.2% 4.1% 1.3% -18.0% -0.9%
sid11 4.0% 0.0% -15.9%-25.0% -7.6%
sid13 17.2% 0.0% -1.2% -0.4% -12.5%
Port 80
Port 119
Port 1080
Port 3128
Port 8080
0
10000
20000
30000
40000
50000
60000
1 3 5 7 9 11 13 15 17 19 21 23 25 27
data
fit
Linear (data)
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University 10
Anomaly Detection
• Goal: Identify data points whichdeviate from overall pattern ofdata
• Our current implementation(Figure of Merit)– Evaluate hours
– Record # alerts, # source IPaddresses, # destination IPaddresses, # signatures
• For each hour, we wantmeasure of how deviant it was.
figure_of_merit
050
100150200250300350400
2004
-04-
01 0
0
2004
-04-
03 1
1
2004
-04-
05 2
2
2004
-04-
08 0
9
2004
-04-
10 2
0
2004
-04-
13 0
7
2004
-04-
15 1
8
2004
-04-
18 0
5
2004
-04-
20 1
6
2004
-04-
23 0
3
2004
-04-
25 1
4
2004
-04-
28 0
1
2004
-04-
30 1
2
figure_of_merit
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University 11
-5 0 5
-50
5
destination IP addresses
sour
ce IP
add
ress
es
Mahalanobis distance: 2D case
Euclidean Distance (based on circle)
Mahalanobis Distance (based on ellipse)• Compute distance metricbetween each hour and theaverage hour
• When measuring Euclidean(Mahalanobis) Distance, allpoints along circle (ellipse) aresame distance from the center– Points on larger circle/ellipse
are greater distance fromcenter
• Shape of the ellipse– Function of correlation
between variables
• Generalizes to n dimensions(Ellipsoid)
Data is for Illustration Only
CERTCERTSituationalSituationalAwarenessAwareness
© 2004 by Carnegie Mellon University 12
Analysis Roadmap
• Incorporate flow data• Automating trend detection
– Time series analysis
• Clustering– Group sources by similar activity patterns
– Temporal correlation– Targeting similarities
– Signature usage
– Look for evidence of possible coordination