Title: New Methods in Attack Detection
1New Methods in Attack Detection
- Shambhu Upadhyaya (PI)
- Computer Science and Engineering
- University at Buffalo
- Kevin Kwiat (Program Manager)
- Air Force Research Lab, Rome, NY
2Overall Outline
- Road map
- Significant accomplishments
- Publications
- Specific research projects
- Results
- Conclusion
3Road Map I
- Research Projects
- Encapsulation of owners intent (1998)
- Reasoning framework for IDS (1999)
- Secure voting protocol work (2000)
- IDS simulation (2001)
- Encapsulation of programs intent, Building
secure enclaves (2002) - Funding
- AFOSR seed grant (1999)
- AFOSR grant through AFRL and in part through ACRC
(2000 2004) - AFOSR summer fellowships (through RDL, II and
NRC) - DARPA seedling (2003)
4Road Map II
- Students supported
- Kiran Mantha, MS, 2001 (Deloitte Touche, NY)
- Ramkumar Chinchani, MS, 2002 (PhD student)
- Neelesh Arora, MS, 2003 (Thomson Financial, NY)
- Ashish Garg (PhD student)
- Anusha Iyer (PhD student)
- Aarthie Muthukrishnan (MS student)
- Madhu Chandrasekharan (MS student)
- Others involved
- Ben Hardekopf (AFRL)
- Alex Eisen (IASP Scholar)
- Melissa Thomas (IASP Scholar)
5Significant Accomplishments
- Research
- Several publications, 1MS Thesis (2001), 1 Ph.D.
dissertation (2004) - Funding from other agencies such as DARPA,
NSA/ARDA - Conference/Workshops
- Panel organization (IEEE SRDS 2000), Tutorial in
IEEE MILCOM 2002 - Plenary talk at MMM-2003, St. Petersburg, Russia
(upcoming) - Academic
- Center of Excellence status from NSA (2002),
funding from DoD - Kevin Kwiat appointed as Research Associate
Professor in CSE Dept. - Media
- Research cited in Scientific American, Dec. 2002
- Associated Press coverage of MILCOM 2002 work
6Publications
- Conferences/Workshops
- SCS International SPECTS, 1999 (Upadhyaya
Kwiat) - SCS SSC, 2000 (Mantha, Chinchani, Upadhyaya,
Kwiat) - IEEE Aerospace Conf. , 2001 (Hardekopf, Kwiat,
Upadhyaya) - IEEE SMC Workshop, 2001 (Upadhyaya, Chinchani,
Kwiat) - IEEE SRDS, 2001 (Upadhyaya, Chinchani, Kwiat)
- SCS Int. SPECTS, 2001 (Hardekopf, Kwiat,
Upadhyaya) - IEEE MILCOM, 2002 (Chinchani, Upadhyaya, Kwiat)
- IEEE Int. IA Workshop, 2003 (Chinchani,
Upadhyaya, Kwiat) - Book Chapter
- Kluwer Academic Press, 2003
- Journals
- Several papers in the works
7Research Projects
- Encapsulation of owners intent Concept
development, preliminary simulation,
investigation of scalability (Ref Upadhyaya,
Kwiat, SPECTS 1999, Mantha, Chinchani, Upadhyaya,
Kwiat, SCSC 2000, IEEE MILCOM 2003) - Reasoning about intrusions (Chinchani, Upadhyaya,
Kwiat, IEEE SMC 2001, SRDS 2001) - Building secure enclaves (Chinchani, Upadhyaya,
Kwiat, IEEE IAW 2003) - Simulation support for IA experiments (Garg,
Upadhyaya, Chinchani, Kwiat, SCSC 2003) - Secure voting protocols (Hardekopf, Kwiat,
Upadhyaya, IEEE Aero 2001)
8Encapsulation of Owners Intent A New Proactive
Intrusion Assessment Paradigm
- Very few anomaly detection systems work well
- A major factor overlooked is User
- Bring the user into the loop
- Encapsulation of users intent serves as a
certificate - Can you make more accurate detection decisions?
- Working at high level attaches greater
significance to semantics to users operations - Contributes to users affirming the truth in COA
9Where Does Our Work Fit In?
10Salient Features of our IDS
- Handling threats posed by insiders
- Rule-based misuse detectors not very successful
- Anomaly detectors are more promising, but not
practical due to involved data collection,
learning and high false alarms - Based on generation of a run-time plan for users
- Composing verifiable assertions based on queries
of users - Idea is based on sound principles of signature
analysis - Does away with audit trail analysis
- Detection of intricate and subtle attacks
- Lower detection latency
11Outline of the Central Topic
- Background and related work
- Guidelines through lessons learned
- An analogy and demonstration of Basic principle
- Implicit vs Explicit intent encapsulation
- Implementation of a small system
- Related problems
- Reasoning framework
- Who watches the watcher?
- Secure voting in distributed systems
- Generic simulation platform development
- Summary
12Background and Related Work
- Rule based Ilgun et al., 95, Cheng, 02,
Wagner Dean, 01 - Program behavior based Ko et al., 97
- User behavior based Spyrou, 96
- RBAC Ferraiolo Kuhn, 92
- Real-time detection (NADIR)
- Distributed and concurrent schemes (DIDS, GrIDS,
EMERALD)
13Guidelines
- Use the principle of least privilege to achieve
better security - Use mandatory access control wherever appropriate
- Data used for intrusion detection should be kept
simple and small - Intrusion detection capabilities are enhanced if
environment specific factors are taken into
account
14Thinking Out of the Box
- RULES
- All 9 dots should be connected with no more than
4 straight lines - No tracing back and must be done without taking
off your hand
15Analogy from Control Flow Checking
- Generate compile-time signatures assertions and
embed them into instruction stream - Monitor execution and look for discrepancy
- Technique is based on sound principles EDC/ECC
-
16Basic Principle
Session Scope
Filter
Sprint Plan
User
Plan Generator
One-time effort Runtime effort
Runtime Watchdog Engine
Assertion Generator
Runtime Commands
Tolerance limits, Counters, Thresholds etc..
Intrusion Signal
17User Intent Encapsulation
18Intent as a Certificate
- Even when IDS is accurate, decision may be wrong
- User cannot be held accountable if he contests
- Bring the user into loop early on
- User (bona fide or intruder) is queried for his
intent - Expressed intent becomes a certificate of normal
user activity - Issues
- Process of encapsulation shouldnt be intrusive
- Capture maximum information with min. effort to
the user
19Implicit vs. Explicit Intent
20Sketch of the Algorithm
User logs into the system
Chooses the job s/he wishes to perform
Check the size of the session scope
If too large,warn user
YES
User wants to change it
Launch inter work-space level monitor
Create workspaces for the jobs
Launch workspace level monitor thread per
workspace
Launch command level monitor thread per command
Report command type
Authenticate command
Loop
Report object accessed
Monitor Command
21Simulation and Results
- A university environment was simulated
- Client-server architecture using Sun Ultra
Enterprise 450 Model 4400 and Sun Ultra 5s
running Solaris 2.7 - Intrusion scenarios
- Legitimate user
- Intruder
- Two legitimate logins
- First login from user, second login from intruder
- First login from intruder, second login from user
- Two intruders login
22Test Cases
- User activity collected over two months
- Test cases grouped into four categories
- 1-user, 1-user with multiple logins, multiple
users, multiple users with multiple logins - Two sets of experiments worst case and average
case - Legitimate and intrusive operations
- 32 attacks
- Obvious ones such as transferring /etc/passwd
files, exploiting vulnerabilities such as rdist,
perl 5.0.1 - Subtle attacks similar to mimicry attacks
23Screenshots of Query Interface
24Another Illustration
25Runtime Monitoring Setup
26Summary of Results
27Some Research Questions
- What if the user lies to the query?
- How do you enhance performance?
- Who is watching the watcher?
- How do you perform more comprehensive evaluation?
281) What if the User Lies?
- A cognate user is expected to specify a focused
session-scope - Selection of overly permissive session-scope must
be discouraged - Can be done by penalizing a quality of service
- Monitoring cost can be drawn from users budget
292) Performance Enhancements
- Profiling user operations
- Take into consideration frequency of operations
and temporal characteristics of system usage - Dynamically updating session-scope
- In the statistical anomaly detection engine, one
could prune rarely used operations from the
session-scope - One could allow users to update/refine
session-scope (but may disrupt the learning
process) -
30Reasoning Framework
- A critical problem with anomaly detection is
false positive - Intrusion flagging requires more than set
inclusion check - Not a binary decision Sequences of operations
need to be considered - Cost analysis
- Cost of operation
- Cost of deviation
- Cost of monitoring
- Actions at higher levels defined in terms of
actions at lower levels - Eg., (ReadByte, WriteByte) -
(CreateFile,deleteFile,WriteFile) -(HardDisk)
31Cost Analysis Based Reasoning
- Reasoning by stochastic modeling of job activity
- Two thresholds Tl and Th defined
- When cost maps into mid region, situation
ambiguous - Cost gradients used to shrink the window
- Algorithms developed to trigger threshold
movements so that a speedy decision on intrusion
can be arrived - (Ref IEEE SRDS 2001)
323) Who is Protecting the Protector?
- Tamper-resistant security monitoring
- Available choices
- Replication (Chameleon at UIUC) ?
- Layered Hierarchy (AAFID at Purdue)
- Both can be easily compromised
- Proposed solution
- Circulant graph
- Overhead is manageable
- There is no mutual trust
- among the watchers
- (Ref IEEE IWIA 2003)
334) Comprehensive Evaluation
140
120
100
80
Intrusion detection models
60
40
20
0
1980
1985
1990
1995
2000
2005
Time
Current status of IDS
34Our Approach
- A generic platform for intrusion modeling and
testing of IDS - Desirable features
- Test and evaluate any intrusion detection model
- Measure performance for improvement
- Consider variety of intrusion scenarios
- Collect pre-deployment measures
- Analogy is drawn from network simulators
35What Exists in the Open?
- Other approaches
- Razak Network intrusion simulation
- Schiavo Rowe Intrusion detection tutors
- Roberts Simulation of Malicious Intruders
- What is lacking above?
- None of the above provide a generic platform for
modeling and simulation - Performance of models cannot be evaluated
36Our Steps
- Study features of a variety of IDS
- Consider network simulation and OS simulation
- Develop a common language to facilitate various
formats conversion (interoperability) - Perform some case studies
- (Ref SCS SCSC 2003)
- Even monitoring, Access control subsystems
37SIMS Event Monitoring
Running IDS Model (event probes)
1. register event listener with EMS
2. if listener sends event then report it
Memory subsystem
Process subsystem
Probe
Probe
EMS
File subsystem
Network subsystem
Probe
Probe
Nachos
Logs
Event Management System
38SIMS Access Control
Running IDS Model (security policy, ACLs)
Memory subsystem
Process subsystem
Probe
Probe
if exists ACL then enforce ACL else do
nothing
File subsystem
Network subsystem
Probe
Probe
Nachos
Access Control Mechanism
39Design of experiment
Analyst
R if accessed (password file) notify me
N Password file accessed
User Interface
R event registration N event notification
EMS
User processes running
Nachos
SIMS
Event management system
40Design of experiment (cont)
Analyst
N attempt to open a file without sufficient
permissions
R enforce ACLs
User Interface
R event registration N event notification
Enforce ACLs
User processes running
Nachos
SIMS
Access control mechanism
41Work in Progress
- Intrusion detection and Proactive recovery
(subcontract to Colorado State University) - Dynamic Reasoning based User Intent Driven IDS
(DRUID) prototype development (DARPA seedling) - GUI for session scope input
- Command monitor
- Statistical Engine
- Data analysis, training and testing
42Prototype Status
43Security Enhancement in Distributed Voting A
Related Project
- Joint work with UB and AFRL
- Guaranteeing owners intended result by
distributed monitoring and voter isolation - Uniquely combines fault tolerance and security
- Doesnt require trusted third party
44Danger of 2-Phase Commit Protocol
majority trustworthy
- Phase 1 processors distribute their results and
vote on them such that each processor determines
the majority - Phase 2 processor in the majority commits
result to the user
User waits for majority result
User is sent malicious result -
SELF-DESTRUCT
45Timed-Buffer Distributed Voting
trustworthy
- Addresses last mile of distributed voting
- Buffer until silence is consent
- Reverses 2-phase commit protocol
- Instead of voting then committing - commits
first (to buffer) then votes (period of
dissension) - Prevents disastrous commit phase - unlikely for
classical fault tolerance but not information
attack
untrustworthy
Suspect results buffered
Integrity restored and buffer released
46ACRC Application of TB-DVA
WIRELESS CLIENT
GATEWAY
SECURE SERVER
SECURE WIRELESS LINK
SECURE WIRED LINK
(when translated from IP standards to wireless
and vice-a-versa)
- Apply fault tolerance techniques to protect,
detect, and react to attacks and enable service
restoration
47Summary
- Developed a new intrusion assessment paradigm
Encapsulation of owners intent - Brings user into the loop
- Users encapsulated intent serves as a
certificate - Feasibility study
- Practical implementation study