New Methods in Attack Detection - PowerPoint PPT Presentation

About This Presentation
Title:

New Methods in Attack Detection

Description:

Road Map I. Research Projects. Encapsulation of owner's intent (1998) ... Road Map II. Students supported. Kiran Mantha, MS, 2001 (Deloitte & Touche, NY) ... – PowerPoint PPT presentation

Slides: 44
Provided by: Ashis99
Learn more at: https://cse.buffalo.edu

Transcript and Presenter's Notes

Title: New Methods in Attack Detection


1
New Methods in Attack Detection
  • Shambhu Upadhyaya (PI)
  • Computer Science and Engineering
  • University at Buffalo
  • Kevin Kwiat (Program Manager)
  • Air Force Research Lab, Rome, NY

2
Overall Outline
  • Road map
  • Significant accomplishments
  • Publications
  • Specific research projects
  • Results
  • Conclusion

3
Road Map I
  • Research projects
    • Encapsulation of owner's intent (1998)
    • Reasoning framework for IDS (1999)
    • Secure voting protocol work (2000)
    • IDS simulation (2001)
    • Encapsulation of program's intent, building
      secure enclaves (2002)
  • Funding
    • AFOSR seed grant (1999)
    • AFOSR grant through AFRL and in part through ACRC
      (2000-2004)
    • AFOSR summer fellowships (through RDL, II and
      NRC)
    • DARPA seedling (2003)

4
Road Map II
  • Students supported
    • Kiran Mantha, MS, 2001 (Deloitte & Touche, NY)
    • Ramkumar Chinchani, MS, 2002 (PhD student)
    • Neelesh Arora, MS, 2003 (Thomson Financial, NY)
    • Ashish Garg (PhD student)
    • Anusha Iyer (PhD student)
    • Aarthie Muthukrishnan (MS student)
    • Madhu Chandrasekharan (MS student)
  • Others involved
    • Ben Hardekopf (AFRL)
    • Alex Eisen (IASP Scholar)
    • Melissa Thomas (IASP Scholar)

5
Significant Accomplishments
  • Research
    • Several publications, 1 MS thesis (2001), 1 PhD
      dissertation (2004)
    • Funding from other agencies such as DARPA,
      NSA/ARDA
  • Conferences/Workshops
    • Panel organization (IEEE SRDS 2000), tutorial at
      IEEE MILCOM 2002
    • Plenary talk at MMM-2003, St. Petersburg, Russia
      (upcoming)
  • Academic
    • Center of Excellence status from NSA (2002),
      funding from DoD
    • Kevin Kwiat appointed as Research Associate
      Professor in the CSE Dept.
  • Media
    • Research cited in Scientific American, Dec. 2002
    • Associated Press coverage of MILCOM 2002 work

6
Publications
  • Conferences/Workshops
    • SCS International SPECTS, 1999 (Upadhyaya &
      Kwiat)
    • SCS SSC, 2000 (Mantha, Chinchani, Upadhyaya,
      Kwiat)
    • IEEE Aerospace Conf., 2001 (Hardekopf, Kwiat,
      Upadhyaya)
    • IEEE SMC Workshop, 2001 (Upadhyaya, Chinchani,
      Kwiat)
    • IEEE SRDS, 2001 (Upadhyaya, Chinchani, Kwiat)
    • SCS Int. SPECTS, 2001 (Hardekopf, Kwiat,
      Upadhyaya)
    • IEEE MILCOM, 2002 (Chinchani, Upadhyaya, Kwiat)
    • IEEE Int. IA Workshop, 2003 (Chinchani,
      Upadhyaya, Kwiat)
  • Book chapter
    • Kluwer Academic Press, 2003
  • Journals
    • Several papers in the works

7
Research Projects
  • Encapsulation of owner's intent: concept
    development, preliminary simulation,
    investigation of scalability (Ref. Upadhyaya &
    Kwiat, SPECTS 1999; Mantha, Chinchani, Upadhyaya &
    Kwiat, SCSC 2000; IEEE MILCOM 2003)
  • Reasoning about intrusions (Chinchani, Upadhyaya &
    Kwiat, IEEE SMC 2001, SRDS 2001)
  • Building secure enclaves (Chinchani, Upadhyaya &
    Kwiat, IEEE IAW 2003)
  • Simulation support for IA experiments (Garg,
    Upadhyaya, Chinchani & Kwiat, SCSC 2003)
  • Secure voting protocols (Hardekopf, Kwiat &
    Upadhyaya, IEEE Aero 2001)

8
Encapsulation of Owner's Intent: A New Proactive
Intrusion Assessment Paradigm
  • Very few anomaly detection systems work well
  • A major factor overlooked is the user
  • Bring the user into the loop
  • Encapsulation of the user's intent serves as a
    certificate
  • Can you make more accurate detection decisions?
  • Working at a high level attaches greater
    significance to the semantics of users' operations
  • Contributes to users affirming the truth in COA

9
Where Does Our Work Fit In?

10
Salient Features of our IDS
  • Handles threats posed by insiders
  • Rule-based misuse detectors are not very successful
  • Anomaly detectors are more promising, but not
    practical because of the data collection and
    learning involved and their high false alarm rates
  • Based on generation of a run-time plan for users
  • Composes verifiable assertions based on queries
    put to users
  • Idea is based on the sound principles of signature
    analysis
  • Does away with audit trail analysis
  • Detects intricate and subtle attacks
  • Lower detection latency

11
Outline of the Central Topic
  • Background and related work
  • Guidelines through lessons learned
  • An analogy and demonstration of the basic principle
  • Implicit vs Explicit intent encapsulation
  • Implementation of a small system
  • Related problems
  • Reasoning framework
  • Who watches the watcher?
  • Secure voting in distributed systems
  • Generic simulation platform development
  • Summary

12
Background and Related Work
  • Rule based: Ilgun et al., 95; Cheng, 02;
    Wagner & Dean, 01
  • Program behavior based: Ko et al., 97
  • User behavior based: Spyrou, 96
  • RBAC: Ferraiolo & Kuhn, 92
  • Real-time detection (NADIR)
  • Distributed and concurrent schemes (DIDS, GrIDS,
    EMERALD)

13
Guidelines
  • Use the principle of least privilege to achieve
    better security
  • Use mandatory access control wherever appropriate
  • Data used for intrusion detection should be kept
    simple and small
  • Intrusion detection capabilities are enhanced if
    environment specific factors are taken into
    account

14
Thinking Out of the Box
  • RULES
    • All 9 dots should be connected with no more than
      4 straight lines
    • No tracing back, and it must be done without
      lifting your hand

15
Analogy from Control Flow Checking
  • Generate compile-time signatures (assertions) and
    embed them into the instruction stream
  • Monitor execution and look for discrepancies
  • Technique is based on the sound principles of
    EDC/ECC

16
Basic Principle

[Diagram: block diagram of the basic principle. Labelled components: User,
Session Scope, Filter, Plan Generator, Sprint Plan, Assertion Generator,
Runtime Commands, Runtime Watchdog Engine (tolerance limits, counters,
thresholds etc.), Intrusion Signal. The work is split into a one-time effort
(plan and assertion generation) and a runtime effort (watchdog monitoring).]
17
User Intent Encapsulation

18
Intent as a Certificate
  • Even when the IDS is accurate, the decision may be
    wrong
  • The user cannot be held accountable if he contests
    it
  • Bring the user into the loop early on
  • The user (bona fide or intruder) is queried for his
    intent
  • The expressed intent becomes a certificate of
    normal user activity
  • Issues
    • The process of encapsulation shouldn't be
      intrusive
    • Capture maximum information with minimum effort
      from the user

19
Implicit vs. Explicit Intent
20
Sketch of the Algorithm
  1. User logs into the system
  2. User chooses the job s/he wishes to perform
  3. Check the size of the session scope; if too large,
     warn the user (YES: the user wants to change it,
     return to step 2)
  4. Launch inter-workspace-level monitor
  5. Create workspaces for the jobs
  6. Launch a workspace-level monitor thread per
     workspace
  7. Launch a command-level monitor thread per command
  8. Loop: monitor command, report command type,
     authenticate command, report object accessed
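The sketch above, reduced to working code as an added example (this is not the DRUID prototype's code): the user's declared job selects a session scope from a plan table, a scope-size check implements step 3, and a command-level monitor checks each runtime command and the object it touches against the scope, counting deviations until a tolerance is exceeded and an intrusion signal is raised. The plan table, the trace format and the tolerance value are all constructed for this illustration.

```python
"""Session-scope watchdog (added example; not the DRUID prototype's code).

The user declares a job (session scope) up front; the command-level
monitor checks every runtime command and the object it touches against
that scope, counts deviations, and raises an intrusion signal once the
tolerance is exceeded.  Plan table, trace format and tolerance are
constructed assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SessionScope:
    job: str
    commands: frozenset          # commands the job is expected to use
    paths: frozenset             # directory prefixes the job may touch


# Constructed "plan generator" output: the one-time effort, done at login.
PLANS = {
    "grade_homework": SessionScope(
        "grade_homework",
        frozenset({"ls", "cat", "vi", "python"}),
        frozenset({"/home/ta/cse101/", "/tmp/"}),
    ),
}


def scope_too_large(scope, max_commands=10, max_paths=3):
    """Step 3 of the sketch: an overly permissive scope is a weak certificate."""
    return len(scope.commands) > max_commands or len(scope.paths) > max_paths


@dataclass
class CommandMonitor:
    """Runtime watchdog: one per workspace, fed by the command-level monitor."""
    scope: SessionScope
    tolerance: int = 2           # deviations tolerated before signalling
    deviations: int = 0
    report: list = field(default_factory=list)

    def check(self, command, path):
        """Return 'ok', 'warn' or 'intrusion' for one runtime command."""
        in_scope = (command in self.scope.commands
                    and any(path.startswith(p) for p in self.scope.paths))
        if in_scope:
            return "ok"
        self.deviations += 1
        self.report.append((command, path))      # "report object accessed"
        return "intrusion" if self.deviations > self.tolerance else "warn"


def run_session(job, trace, tolerance=2):
    """Run one login's command trace through the monitor.

    Returns (per-command verdicts, list of out-of-scope accesses).
    """
    monitor = CommandMonitor(PLANS[job], tolerance=tolerance)
    verdicts = [monitor.check(cmd, path) for cmd, path in trace]
    return verdicts, monitor.report


# Constructed traces: a TA grading homework, and an intruder on the same account.
LEGIT_TRACE = [("ls", "/home/ta/cse101/"),
               ("cat", "/home/ta/cse101/hw1.py"),
               ("python", "/home/ta/cse101/hw1.py")]
INTRUDER_TRACE = [("ls", "/home/ta/cse101/"),
                  ("cat", "/etc/passwd"),
                  ("scp", "/etc/passwd"),
                  ("cat", "/etc/shadow")]

if __name__ == "__main__":
    print(run_session("grade_homework", LEGIT_TRACE))
    print(run_session("grade_homework", INTRUDER_TRACE))
```

The monitor never looks at an audit trail after the fact: each command is judged as it arrives against the certificate the user issued at login, which is where the lower detection latency claimed on the earlier slide comes from.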
21
Simulation and Results
  • A university environment was simulated
  • Client-server architecture using a Sun Ultra
    Enterprise 450 Model 4400 and Sun Ultra 5s
    running Solaris 2.7
  • Intrusion scenarios
    • Legitimate user
    • Intruder
    • Two legitimate logins
    • First login from user, second login from intruder
    • First login from intruder, second login from user
    • Two intruders log in

22
Test Cases
  • User activity collected over two months
  • Test cases grouped into four categories:
    1-user, 1-user with multiple logins, multiple
    users, multiple users with multiple logins
  • Two sets of experiments: worst case and average
    case
  • Legitimate and intrusive operations
  • 32 attacks
    • Obvious ones such as transferring /etc/passwd
      files, exploiting vulnerabilities such as rdist,
      perl 5.0.1
    • Subtle attacks similar to mimicry attacks

23
Screenshots of Query Interface
24
Another Illustration
25
Runtime Monitoring Setup

26
Summary of Results
27
Some Research Questions
  • What if the user lies to the query?
  • How do you enhance performance?
  • Who is watching the watcher?
  • How do you perform more comprehensive evaluation?

28
1) What if the User Lies?
  • A cognizant user is expected to specify a focused
    session scope
  • Selection of an overly permissive session scope must
    be discouraged
  • Can be done by penalizing quality of service
  • Monitoring cost can be drawn from the user's budget

29
2) Performance Enhancements
  • Profiling user operations
    • Take into consideration the frequency of
      operations and temporal characteristics of system
      usage
  • Dynamically updating the session scope
    • In the statistical anomaly detection engine, one
      could prune rarely used operations from the
      session scope
    • One could allow users to update/refine the
      session scope (but this may disrupt the learning
      process)

30
Reasoning Framework
  • A critical problem with anomaly detection is
    false positives
  • Intrusion flagging requires more than a set
    inclusion check
  • Not a binary decision: sequences of operations
    need to be considered
  • Cost analysis
    • Cost of operation
    • Cost of deviation
    • Cost of monitoring
  • Actions at higher levels are defined in terms of
    actions at lower levels
    • E.g., (ReadByte, WriteByte) → (CreateFile,
      DeleteFile, WriteFile) → (HardDisk)

31
Cost Analysis Based Reasoning
  • Reasoning by stochastic modeling of job activity
  • Two thresholds, Tl and Th, are defined
  • When the cost maps into the mid region, the
    situation is ambiguous
  • Cost gradients are used to shrink the window
  • Algorithms developed to trigger threshold
    movements so that a speedy decision on intrusion
    can be reached
  • (Ref. IEEE SRDS 2001)
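To make the two-threshold reasoning concrete, here is an added example (not the SRDS 2001 paper's algorithm). Each operation outside the session scope contributes a deviation cost to a running total; the total is judged against a low threshold Tl and a high threshold Th. Inside the ambiguous mid region the gradient of the cost over a short window moves one threshold toward the other, shrinking the window so that a decision is reached sooner than it would be with fixed thresholds. The cost table, the window size and the step size are assumptions.

```python
"""Two-threshold cost reasoning (added example, not the paper's algorithm).

Deviation cost accumulates per operation; below Tl is normal, at or above Th
is intrusion, in between the cost gradient over a window moves a threshold
to shrink the ambiguous region.  Costs, window and step are constructed.
"""

# Constructed cost of deviation per operation (charged only when the
# operation is outside the declared session scope).
OP_COST = {"ls": 1, "cat": 2, "vi": 2, "python": 2, "scp": 4, "rdist": 6}


def deviation_costs(ops, scope):
    """Map a sequence of operations to per-operation deviation costs."""
    return [0 if op in scope else OP_COST.get(op, 3) for op in ops]


def decide(costs, tl, th, window=3, step=2.0):
    """Walk the cumulative cost through the (Tl, Th) window.

    Returns (verdict, index_decided, tl, th); verdict is 'intrusion',
    'normal' or 'ambiguous' (no decision reached within the trace).
    """
    total = 0.0
    history = []
    for i, c in enumerate(costs):
        total += c
        history.append(total)
        if total >= th:
            return ("intrusion", i, tl, th)
        if total <= tl:
            continue                      # clearly normal so far
        # Ambiguous mid region: use the cost gradient to move a threshold.
        if len(history) >= window:
            gradient = history[-1] - history[-window]
            if gradient > 0:              # cost still rising: demand less further evidence
                th = max(th - step, tl + step)
            else:                         # cost flat: lean toward normal
                tl = min(tl + step, th - step)
            if total >= th:
                return ("intrusion", i, tl, th)
    verdict = "normal" if total <= tl else "ambiguous"
    return (verdict, len(costs) - 1, tl, th)


SCOPE = {"ls", "cat", "vi", "python"}
# Constructed traces: repeated out-of-scope transfers, and a single slip.
ESCALATING = ["ls", "cat", "scp", "scp", "ls", "ls"]
ONE_SLIP = ["ls", "scp", "ls", "ls", "ls", "ls"]

if __name__ == "__main__":
    for name, ops in (("escalating", ESCALATING), ("one slip", ONE_SLIP)):
        print(name, decide(deviation_costs(ops, SCOPE), tl=2, th=10))
```

With Tl=2 and Th=10 the escalating trace reaches a total of 8, which fixed thresholds would leave ambiguous; the rising gradient pulls Th down to 8 and the decision is made at the fourth operation. The single slip stays flat, Tl moves up to meet it, and the session is judged normal.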

32
3) Who is Protecting the Protector?
  • Tamper-resistant security monitoring
  • Available choices
    • Replication (Chameleon at UIUC)
    • Layered hierarchy (AAFID at Purdue)
    • Both can be easily compromised
  • Proposed solution
    • Circulant graph
    • Overhead is manageable
    • There is no mutual trust among the watchers
  • (Ref. IEEE IWIA 2003)
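An added example of the circulant-graph idea (not the IWIA 2003 paper's code): each monitor i watches monitors i ± j for every jump j, so a node is watched by several independent neighbours and trusts none of them. Tampering with one node's self-report is seen by every honest watcher of that node, and an attacker has to silence all of a node's watchers before that node goes unwatched; the brute-force count below shows how that number grows with the jump set, which is the overhead trade-off the slide refers to. The graph size, jump sets and the observation reports are constructed.

```python
"""Mutual watching on a circulant graph (added example, not the paper's code).

Nodes watch their neighbours in C_n(jumps); a node's own report is checked
against what its honest watchers observed.  n, jumps and reports are
constructed for this illustration.
"""
from itertools import combinations


def circulant_graph(n, jumps):
    """Adjacency sets of C_n(jumps): node i watches (i + j) % n and (i - j) % n."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for j in jumps:
            adj[i].add((i + j) % n)
            adj[i].add((i - j) % n)
    return adj


def monitoring_overhead(adj):
    """Watch links per node (each node both watches and is watched by its neighbours)."""
    return max(len(v) for v in adj.values())


def unwatched(adj, compromised):
    """Honest nodes left with no honest watcher once `compromised` are silenced."""
    compromised = set(compromised)
    return {v for v in adj if v not in compromised and not (adj[v] - compromised)}


def min_nodes_to_blind(adj):
    """Smallest set of compromised watchers leaving some honest node unwatched (brute force, small n)."""
    nodes = sorted(adj)
    for k in range(1, len(nodes)):
        for subset in combinations(nodes, k):
            if unwatched(adj, subset):
                return k
    return len(nodes)


def constructed_reports(adj, tampered):
    """Constructed observations: watchers saw 'ok' for neighbours except tampered
    nodes, which they saw as 'modified'; every node self-reports 'ok'."""
    reports = {v: {v: "ok"} for v in adj}
    for v in adj:
        for w in adj[v]:
            reports[w][v] = "modified" if v in tampered else "ok"
    return reports


def detect_tampering(adj, reports, compromised=()):
    """Flag nodes whose honest watchers disagree with the node's self-report.

    reports[w][v] is what watcher w observed of node v; a node can falsify
    its own report but not what its neighbours observed.
    """
    flagged = set()
    for v in adj:
        for w in adj[v] - set(compromised):
            if reports[w].get(v) != reports[v].get(v):
                flagged.add(v)
    return flagged


if __name__ == "__main__":
    for jumps in ((1,), (1, 2)):
        g = circulant_graph(8, jumps)
        print(jumps, "overhead", monitoring_overhead(g),
              "watchers to silence", min_nodes_to_blind(g))
    g = circulant_graph(8, (1, 2))
    print("tampered node 3 flagged by:", detect_tampering(g, constructed_reports(g, {3})))
```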

33
4) Comprehensive Evaluation

[Chart: number of intrusion detection models (y-axis, 0 to 140) versus time
(x-axis, 1980 to 2005); caption "Current status of IDS".]
34
Our Approach
  • A generic platform for intrusion modeling and
    testing of IDS
  • Desirable features
    • Test and evaluate any intrusion detection model
    • Measure performance for improvement
    • Consider a variety of intrusion scenarios
    • Collect pre-deployment measures
  • Analogy is drawn from network simulators

35
What Exists in the Open?
  • Other approaches
    • Razak: network intrusion simulation
    • Schiavo & Rowe: intrusion detection tutors
    • Roberts: simulation of malicious intruders
  • What is lacking above?
    • None of the above provide a generic platform for
      modeling and simulation
    • Performance of models cannot be evaluated

36
Our Steps
  • Study features of a variety of IDS
  • Consider network simulation and OS simulation
  • Develop a common language to facilitate conversion
    between various formats (interoperability)
  • Perform some case studies
    (Ref. SCS SCSC 2003)
  • Event monitoring, access control subsystems

37
SIMS Event Monitoring

[Diagram: a running IDS model attaches event probes to the Nachos memory,
process, file and network subsystems; the probes feed the Event Management
System (EMS), which also writes logs. Protocol: 1. register event listener
with EMS; 2. if listener sends event then report it.]
38
SIMS Access Control

[Diagram: a running IDS model (security policy, ACLs) attaches probes to the
Nachos memory, process, file and network subsystems; the probes feed the
Access Control Mechanism. Rule: if an ACL exists then enforce the ACL, else
do nothing.]
39
Design of experiment

[Diagram: Analyst ↔ User Interface ↔ EMS (the SIMS event management system),
running above Nachos with user processes. R = event registration:
"if accessed (password file) notify me"; N = event notification:
"Password file accessed".]
40
Design of experiment (cont.)

[Diagram: Analyst ↔ User Interface ↔ Enforce ACLs (the SIMS access control
mechanism), running above Nachos with user processes. R = event
registration: "enforce ACLs"; N = event notification: "attempt to open a
file without sufficient permissions".]
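The two experiment designs above, written out as an added example (not SIMS or Nachos code): subsystem probes emit events to an event management system, the analyst registers listeners against it ("if accessed(password file) notify me"), and the file subsystem enforces an ACL when one exists for the path and otherwise does nothing, reporting a denied open as its own event. Event names, the ACL format, the user and the file paths in the scenario are constructed.

```python
"""Event monitoring and access control probes (added example, not SIMS code).

An EMS fans probe events out to registered listeners; a file subsystem emits
a probe event on every open() and enforces an ACL only when one exists.
Event names, ACLs and the scenario are constructed for this illustration.
"""
from collections import defaultdict


class EventManagementSystem:
    """1. register an event listener with the EMS; 2. report probe events to it."""

    def __init__(self):
        self._listeners = defaultdict(list)   # event type -> [(predicate, callback)]
        self.log = []                          # every raw probe event (the "Logs" box)

    def register(self, event_type, predicate, callback):
        self._listeners[event_type].append((predicate, callback))

    def emit(self, event_type, **fields):
        event = {"type": event_type, **fields}
        self.log.append(event)
        for predicate, callback in self._listeners[event_type]:
            if predicate(event):
                callback(event)


class FileSubsystem:
    """File subsystem with a probe on open() and an optional ACL per path."""

    def __init__(self, ems, acls):
        self.ems = ems
        self.acls = acls      # path -> {user: set(modes)}; absent path => no ACL

    def open(self, user, path, mode):
        self.ems.emit("file_open", user=user, path=path, mode=mode)   # probe
        acl = self.acls.get(path)
        if acl is None:
            return True       # if exists ACL then enforce ACL else do nothing
        allowed = mode in acl.get(user, set())
        if not allowed:
            self.ems.emit("access_denied", user=user, path=path, mode=mode)
        return allowed


def run_experiment():
    """Run both experiment designs; return (open results, analyst notifications, events logged)."""
    ems = EventManagementSystem()
    notifications = []
    # R: if accessed(password file) notify me  ->  N: Password file accessed
    ems.register("file_open", lambda e: e["path"] == "/etc/passwd",
                 lambda e: notifications.append(f"Password file accessed by {e['user']}"))
    # R: enforce ACLs  ->  N: attempt to open a file without sufficient permissions
    ems.register("access_denied", lambda e: True,
                 lambda e: notifications.append(
                     f"{e['user']} attempted to open {e['path']} ({e['mode']}) "
                     "without sufficient permissions"))
    # Constructed ACLs: the password file is world-readable but root-writable;
    # the shadow file has no entry for ordinary users at all.
    acls = {"/etc/passwd": {"root": {"r", "w"}, "alice": {"r"}},
            "/etc/shadow": {"root": {"r", "w"}}}
    fs = FileSubsystem(ems, acls)
    results = {
        "alice reads passwd": fs.open("alice", "/etc/passwd", "r"),
        "alice writes passwd": fs.open("alice", "/etc/passwd", "w"),
        "alice reads shadow": fs.open("alice", "/etc/shadow", "r"),
        "alice reads own notes": fs.open("alice", "/home/alice/notes.txt", "r"),  # no ACL
    }
    return results, notifications, len(ems.log)


if __name__ == "__main__":
    for item in run_experiment():
        print(item)
```

Because the probe fires before the ACL check, a read of the password file is reported even when it is permitted; the access-control path only adds a second event when the ACL denies the open, which is the separation the two diagrams draw between event monitoring and access control.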
41
Work in Progress
  • Intrusion detection and proactive recovery
    (subcontract to Colorado State University)
  • Dynamic Reasoning based User Intent Driven IDS
    (DRUID) prototype development (DARPA seedling)
    • GUI for session scope input
    • Command monitor
    • Statistical engine
    • Data analysis, training and testing

42
Prototype Status
43
Security Enhancement in Distributed Voting: A
Related Project
  • Joint work with UB and AFRL
  • Guaranteeing the owner's intended result by
    distributed monitoring and voter isolation
  • Uniquely combines fault tolerance and security
  • Doesn't require a trusted third party

44
Danger of 2-Phase Commit Protocol (majority trustworthy)
  • Phase 1: processors distribute their results and
    vote on them such that each processor determines
    the majority
  • Phase 2: a processor in the majority commits the
    result to the user

[Diagram: the user waits for the majority result; the user is sent a
malicious result: SELF-DESTRUCT.]
45
Timed-Buffer Distributed Voting
  • Addresses the last mile of distributed voting
  • Buffer until silence is consent
  • Reverses the 2-phase commit protocol
  • Instead of voting then committing, commits
    first (to a buffer) then votes (period of
    dissension)
  • Prevents a disastrous commit phase, unlikely for
    classical fault tolerance but not for information
    attack

[Diagram: trustworthy and untrustworthy processors; suspect results are
buffered; integrity restored and buffer released.]
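The two protocols side by side, as an added example (not the AFRL TB-DVA implementation). The replicas, their results and the order in which their commits reach the user are constructed, and so is the modelling choice that in the 2-phase protocol the user accepts the first commit that arrives, which is what lets an untrustworthy processor that skips the vote deliver its result first. TB-DVA reverses the order: the first result goes into a buffer, the other processors get a period of dissension, silence is consent, and a contested buffer is replaced by the voted result before release.

```python
"""2-phase-commit voting versus timed-buffer distributed voting (added
example, not the AFRL implementation).  Replicas, results and commit order
are constructed for this illustration.
"""
from collections import Counter

# Constructed replicas: name -> (computed result, trustworthy?)
PROCESSORS = {
    "P1": ("continue", True),
    "P2": ("continue", True),
    "P3": ("SELF-DESTRUCT", False),   # compromised replica
}


def majority_result(processors):
    """Phase 1: every processor sees all results and determines the majority."""
    votes = Counter(result for result, _ in processors.values())
    result, count = votes.most_common(1)[0]
    return result if count * 2 > len(processors) else None


def two_phase_commit(processors, commit_order):
    """Phase 2 as the user experiences it: the first commit to arrive is accepted.

    A trustworthy processor commits only if it is in the majority; an
    untrustworthy one ignores the vote and commits its own result.
    """
    majority = majority_result(processors)
    for name in commit_order:
        result, trustworthy = processors[name]
        if trustworthy and result != majority:
            continue                        # honest minority member stays silent
        return result                       # honest majority member, or a liar, commits
    return None


def timed_buffer_vote(processors, first_committer):
    """Commit first (to the buffer), then vote during the period of dissension.

    Returns (released_result, buffered_result, dissenters).
    """
    buffered, _ = processors[first_committer]
    dissenters = [name for name, (result, _) in processors.items()
                  if name != first_committer and result != buffered]
    if not dissenters:
        return buffered, buffered, []       # silence is consent: buffer released as-is
    voted = majority_result(processors)     # integrity restored by the vote
    return voted, buffered, dissenters


if __name__ == "__main__":
    print("2PC, liar commits first:", two_phase_commit(PROCESSORS, ["P3", "P1", "P2"]))
    print("2PC, honest commits first:", two_phase_commit(PROCESSORS, ["P1", "P2", "P3"]))
    print("TB-DVA, liar commits first:", timed_buffer_vote(PROCESSORS, "P3"))
```

The contrast is the one the slides draw: with 2-phase commit the outcome depends on who reaches the user first, a race an attacker can win even against a trustworthy majority, whereas with the timed buffer the suspect result is held until the honest replicas have had their say.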
46
ACRC Application of TB-DVA

[Diagram: wireless client ↔ gateway ↔ secure server, over a secure wireless
link and a secure wired link (translated from IP standards to wireless and
vice versa at the gateway).]
  • Apply fault tolerance techniques to protect,
    detect, and react to attacks and enable service
    restoration

47
Summary
  • Developed a new intrusion assessment paradigm:
    encapsulation of owner's intent
  • Brings the user into the loop
  • The user's encapsulated intent serves as a
    certificate
  • Feasibility study
  • Practical implementation study