Enriching intrusion alerts through multi-host causality - PowerPoint PPT Presentation

Enriching intrusion alerts through multi-host causality. Sam King, Morley Mao, Dominic Lucchetti, Peter Chen (University of Michigan). PowerPoint presentation, 29 slides.

Number of Views:58
Avg rating:3.0/5.0
Slides: 29
Provided by: SamK48
Category:

less

Transcript and Presenter's Notes

Title: Enriching intrusion alerts through multi-host causality


1
Enriching intrusion alerts through multi-host
causality
  • Sam King
  • Morley Mao
  • Dominic Lucchetti
  • Peter Chen
  • University of Michigan

2
Motivation
  • IDS alerts highlight suspicious activity
    - Network and host level
  • Alerts lack context
    - How did this activity happen?
    - What were the effects of this activity?

3
Causality to connect alerts
[Figure: causality graphs of two hosts joined at a node labeled "Remote socket"]
4
Causality to connect alerts
[Figure: causality graphs of two hosts joined at a node labeled "Remote socket"]
5
Overview
  • Causality BackTracker
  • Bi-directional distributed BackTracker
  • Correlating IDS alerts
  • Conclusions

6
BackTracker
  • Help figure out what application was exploited
  • Show chain of events between exploit and
    detection point
  • Track causal operating system events and objects

7
BackTracker Example
[Figure: BackTracker dependency graph; labeled node: backdoor]
8
BackTracker
  • Objects: processes, files
  • Events: read/write, fork, exec, mmap
  • Online component: logs events and objects
  • Offline component: generates graphs
  • Causality is an effective technique for highlighting
    the actions of an attacker

9
Extending BackTracker
  • Use send/receive events to connect processes on
    separate hosts
  • Identify packets by source/destination IP address
    and TCP sequence number
  • Forward tracking

10
Bi-directional distributed BackTracker (BDB)
  • Common configuration: firewall
  • Given a single infected host, track attack
  • Tracking multi-host attacks
    - Follow attack upstream
      - Find original source of intrusion
      - Patch vulnerable server, fix infected laptop
    - Follow attack downstream
      - Find other compromised hosts

11
Prioritize Packets
[Figure: dependency graph with nodes init, remote socket, rc, remote socket, httpd, bash, wget, /tmp/xploit/backdoor, backdoor]
12
Highest process, most recent packet
[Figure: same dependency graph (init, remote socket, rc, remote socket, httpd, bash, wget, /tmp/xploit/backdoor, backdoor) with the packet chosen by the highest-process, most-recent-packet heuristic highlighted]
13
Guess and check
  • Follow all packets, examine other host
  • Search for causally linked intrusions

[Figure: Host A and Host B; nodes httpd, bash, backdoor, spread_worm]
14
Use NIDS to highlight packets
[Figure: dependency graph with nodes smb socket, socket, smbd, bash, wget, /tmp/xploit/backdoor, backdoor]
15
Multi-host attacks
  • Examined Slapper worm and manual attack on local
    network
  • Significant background noise
    - 12 hosts, all connected, 4 ftpd, 4 httpd, 4 smbd
    - All hosts both clients and servers
    - Download source code, compile
    - Gigabytes of network traffic
    - Millions of events and objects
  • 20 minute experiments, break in after 10
  • Goal: given a single infected host, find source of
    attack and all infected hosts

16
Slapper Worm
[Figure: network diagram with Firewall, External Network, Host A, Host B, Host C, Host D]
17
(No Transcript)
18
Slapper Worm
[Figure: network diagram with Firewall, External Network, Host A, Host B, Host C, Host D]
19
(No Transcript)
20
Tracking Slapper Forward
21
Slapper Worm
[Figure: network diagram with Firewall, External Network, Host A, Host B, Host C, Host D]
22
Multi-host manual attack
  • Highest process, most recent packet does not
    always work
    - Use Snort to highlight suspicious packets
  • Stealthy attack, difficult to detect
    - Attack one host at a time
    - Wait for next target to communicate with current
      host
    - Break into various services
      - Services under heavy legitimate use
    - Use previously unknown attacks
    - Perform different tasks on each host

23
Multi-host manual attack
[Figure: network diagram with External Network and Hosts A through L]
24
Correlating IDS alerts
  • Many independent sources of IDS alerts
    - Host/network
    - Host/host
  • Correlate multiple sources, reduce false
    positives
    - Correlate through syntactic or timing
      relationships
    - Correlate through manually specified semantic
      relationships
  • BDB can correlate IDS alerts through causal
    relationships

25
Zero Configuration Snort
  • Difficult to configure
    - False positives
      - Services not used
      - Failed exploit attempts
    - New rules developed frequently
  • Set up system with all default Snort rules
    - Also enabled several other rules
  • Use causality to verify Snort alerts
    - Detect any processes running as root

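As an added example (not code from the paper or the BackTracker project), the following Python models the causal log the slides describe: processes, files and sockets as objects, events as timed source-to-sink edges, and a socket named by source/destination IP plus TCP sequence number so the graphs of the two hosts join at that node. It follows an attack upstream from a detected process across hosts (slides 9-12) and implements the slide 25 check that keeps a Snort alert only when its packet is causally upstream of a process running as root; the hosts, addresses and event log are constructed.

```python
from collections import deque

# Constructed sample log (not data from the paper): (time, host, source, sink).
# A socket is named by src IP, dst IP and TCP seq number, so the send on one
# host and the receive on the other map to one shared node linking both graphs.
EVENTS = [
    (1, "A", "sock:10.0.0.9>10.0.0.1#4001", "httpd"),       # exploit request arrives
    (2, "A", "httpd", "bash"),                              # httpd spawns a shell
    (3, "A", "bash", "wget"),
    (4, "A", "wget", "/tmp/xploit/backdoor"),               # file write
    (5, "A", "/tmp/xploit/backdoor", "backdoor"),           # exec
    (6, "A", "backdoor", "sock:10.0.0.1>10.0.0.2#5100"),    # send to host B
    (6, "B", "sock:10.0.0.1>10.0.0.2#5100", "smbd"),        # receive on host B
    (7, "B", "smbd", "bash"),
    (8, "A", "sock:10.0.0.3>10.0.0.1#777", "httpd"),        # later benign request
    (9, "A", "httpd", "/var/log/access.log"),
]
ROOT_PROCS = {("A", "backdoor")}  # constructed: processes observed running as root

def node(host, obj):
    """Sockets are shared across hosts; every other object is host-local."""
    return ("net", obj) if obj.startswith("sock:") else (host, obj)

def track(events, start, at_time, forward):
    """BackTracker-style traversal from (node, time): backward follows events into
    the node at or before its time, forward follows events out of it at or after."""
    frontier, seen = deque([(start, at_time)]), {start: at_time}
    while frontier:
        cur, t = frontier.popleft()
        for ev_t, ev_host, src, dst in events:
            here, there = (src, dst) if forward else (dst, src)
            if node(ev_host, here) != cur or (ev_t < t if forward else ev_t > t):
                continue
            nxt = node(ev_host, there)
            best = seen.get(nxt)  # revisit only if this path has a looser time bound
            if best is None or (ev_t < best if forward else ev_t > best):
                seen[nxt] = ev_t
                frontier.append((nxt, ev_t))
    return set(seen)

def upstream(events, host, proc, at_time):
    """Follow an attack upstream from a detected process; the result includes
    the remote sockets (packets) it causally depends on, across hosts."""
    return track(events, node(host, proc), at_time, forward=False)

def verify_alert(events, packet_id, root_procs=ROOT_PROCS):
    """Zero-configuration Snort check: keep the alert only if the flagged
    packet is causally upstream of a process seen running as root."""
    return {n for n in track(events, node("", packet_id), 0, forward=True)
            if n in root_procs}
```

Backtracking from the shell on host B reaches the original exploit packet on host A but not the later benign request, and only the alert for the exploit packet survives verification.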
26
Zero Configuration Snort Results
  • Ran honeypot for two days
  • Without correlating alerts
    - 39 Snort alerts
    - Many processes run as root
  • Zero Configuration Snort
    - Zero false positives
    - One true positive

27
(No Transcript)
28
Conclusions
  • Can use causality to provide context for
    intrusion alerts
    - Follow multi-host attacks
    - Correlate IDS alerts
  • Causality is an effective mechanism for adding
    context to intrusion alerts

29
Questions