DARPA Information Survivability Program - PowerPoint PPT Presentation

Description: DERBI: Diagnosis, Explanation and Recovery from Break-Ins. Mabry Tyson, Douglas Moran, Pauline Berry, David Blei, Artificial Intelligence Center, SRI International
Slides: 16 (provided by SRIAI)

Transcript and Presenter's Notes

1
DERBI: Diagnosis, Explanation and Recovery from Break-Ins
Mabry Tyson, Douglas Moran, Pauline Berry, David Blei
Artificial Intelligence Center, SRI International
333 Ravenswood Avenue, Menlo Park, CA 94025
http://www.ai.sri.com/derbi
2
Introduction
  • PART 1: Presentation of Evaluation Results
    • Design assumptions
      • an out-of-the-box system
      • after-the-fact analysis
      • no network monitoring or audit trail data
    • Data source: end-of-day filesystem dumps for Pascal
      • not available: contents of /tmp, /proc, OS tables, ...
  • PART 2: Status of DERBI System
  • PART 3: Future

3
Evaluation Procedure
  • Scoring based on .list files. DERBI was not designed to use those
    data sources, so there is no automatic mapping
    • Manual mapping, no additional information used
    • Attacks detected but scored as undetected because we could not
      identify the corresponding session (3)
    • Some false positives similarly unscored (approx. 5)
  • Full DERBI system not used
    • to better fit into the scoring protocol
    • to provide linearized textual output

4
Detection of Buffer Overflow Attacks
5
Visibility of Evidence
6
Attack Evidence Rules Used in the Evaluation Test Set
  (table not preserved in the transcript; only the value 18 survives)
7
Example Evidence Rule: EJECT buffer overflow

  EVIDENCE-TYPE    (exploit (setuid root) buffer-overflow)
  UNIQUE-NAME      eject-1
  EVALUATION-NAME  eject
  PATHS            (follow-links '("/usr/bin/eject"))
  EVIDENCE
    ( ((not (and (command-version-vulnerable-p DIR FILE)      ; not a vulnerable command, or
                 (window-of-opportunity (TimeAccessed PATH)))) ; not used in the interval of interest
       0 0)                                                   ; 0% probability the command was used, 0% belief it was exploited
      ((greater-than (TimeAccessed PATH)                       ; use is later than
                     (max (TimeModified "/cdrom")              ; the expected side effects of a
                          (TimeModified "/floppy")))           ; legitimate eject on /cdrom and /floppy
       40 100))                                               ; 40% belief in the exploit, plausibility 100% (no evidence against it)
  POSIT
    ((posit ((TIME (TimeAccessed PATH)))
            (compromised-shell "root" TIME unknown-time)))
  EXPLANATION      (next slide)

8
Evidence Rule: EJECT buffer overflow (cont.)

  UNIQUE-NAME      eject-1
  PATHS            (follow-links '("/usr/bin/eject"))
  EXPLANATION
    (explain-evidence
      ( PATH                                                   ; variable declarations
        (TIME  (print-unix-time (TimeAccessed PATH)))
        (TIME2 (print-unix-time (TimeModified "/cdrom")))
        (TIME3 (print-unix-time (TimeModified "/floppy"))) )
      (TimeAccessed PATH)                                      ; as-of time
      "The command ~S is version vulnerable to a buffer overflow attack
       and appears to have been used at time ~A
       which is more recent than two associated files
       /cdrom (~A) and /floppy (~A)."
      PATH TIME TIME2 TIME3)
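The eject-1 rule from slides 7 and 8, rendered in Python and run over constructed end-of-day filesystem metadata. This is an added example, not DERBI's own code: FileRecord, VULNERABLE_VERSIONS, the analysis window and the sample dump are assumptions made for the illustration, while the clause order, the belief/plausibility pairs, the posit and the explanation wording follow the slides. The attack timestamps are the ones shown on the output slide that follows (eject read at 901218794, /cdrom and /floppy untouched since February and 20 July).

```python
"""
Added example, not code from the DERBI project: the eject-1 evidence rule
evaluated over a constructed filesystem dump. FileRecord, VULNERABLE_VERSIONS,
WINDOW and ATTACK_FS are assumptions for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Fixed offsets are used instead of a tz database so the example runs offline;
# all times are printed in EDT regardless of the date.
EDT = timezone(timedelta(hours=-4), "EDT")
EST = timezone(timedelta(hours=-5), "EST")


@dataclass
class FileRecord:
    """Per-file metadata recovered from a dump (constructed layout)."""
    atime: int             # TimeAccessed, Unix seconds
    mtime: int             # TimeModified, Unix seconds
    version: str = ""      # version label for executables (hypothetical)
    link_target: str = ""  # set when the entry is a symbolic link


# Hypothetical version labels that command-version-vulnerable-p treats as vulnerable.
VULNERABLE_VERSIONS = {"eject-5.5.1", "eject-5.6"}


def follow_links(fs, path):
    """Resolve symlinks inside the dump until a regular entry is reached."""
    seen = set()
    while fs[path].link_target and path not in seen:
        seen.add(path)
        path = fs[path].link_target
    return path


def command_version_vulnerable_p(rec):
    return rec.version in VULNERABLE_VERSIONS


def window_of_opportunity(t, window):
    """True when t lies inside the interval of interest (inclusive)."""
    start, end = window
    return start <= t <= end


def print_unix_time(t, tz=EDT):
    return datetime.fromtimestamp(t, tz).strftime("%d-%b-%Y %H:%M:%S %Z")


def eject_1(fs, window):
    """Evaluate rule eject-1: returns (belief, plausibility, posit, explanation).

    Clauses are tried in slide order; the first whose condition holds supplies
    the belief/plausibility pair. If neither holds the rule asserts nothing,
    which in belief/plausibility terms is the vacuous pair (0, 100).
    """
    path = follow_links(fs, "/usr/bin/eject")
    rec = fs[path]
    accessed = rec.atime
    # Clause 1: not a vulnerable version, or not used in the interval of interest.
    if not (command_version_vulnerable_p(rec) and window_of_opportunity(accessed, window)):
        return 0, 0, None, None
    # Clause 2: the use is later than eject's expected side effects on /cdrom and /floppy.
    cdrom, floppy = fs["/cdrom"].mtime, fs["/floppy"].mtime
    if accessed > max(cdrom, floppy):
        posit = ("compromised-shell", "root", accessed, "unknown-time")
        explanation = (
            f'The command "{path}" is version vulnerable to a buffer overflow attack '
            f"and appears to have been used at time {print_unix_time(accessed)} "
            f"which is more recent than two associated files "
            f"/cdrom ({print_unix_time(cdrom)}) and /floppy ({print_unix_time(floppy)})."
        )
        return 40, 100, posit, explanation
    return 0, 100, None, None


# Constructed dump for the attack case on the output slide.
ATTACK_FS = {
    "/usr/bin/eject": FileRecord(atime=901218794, mtime=880000000, version="eject-5.5.1"),
    "/cdrom": FileRecord(atime=0, mtime=int(datetime(1998, 2, 12, 15, 42, 46, tzinfo=EST).timestamp())),
    "/floppy": FileRecord(atime=0, mtime=int(datetime(1998, 7, 20, 10, 32, 15, tzinfo=EDT).timestamp())),
}
# Interval of interest: the day covered by the dump, in EDT (assumption).
WINDOW = (
    int(datetime(1998, 7, 23, 0, 0, 0, tzinfo=EDT).timestamp()),
    int(datetime(1998, 7, 23, 23, 59, 59, tzinfo=EDT).timestamp()),
)

if __name__ == "__main__":
    belief, plaus, posit, text = eject_1(ATTACK_FS, WINDOW)
    print(f"Asserting belief/plausibility ({belief} {plaus})")
    print(text)
    print(posit)
```

Two points the rule structure makes visible: the first clause is a guard that is deliberately cheap (version check, then a single atime comparison) so that the large majority of hosts fall through with no work, and the evidence rests entirely on inode timestamps, which is exactly why an attacker who resets atime on /usr/bin/eject, or a dump taken after a routine mount, silences it.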

9
Example Output for an Attack
  04:53:25 later
  Time: 23-Jul-1998 14:32:39 EDT (901218759)
  Exploit: Suspicious-login (Suspicious-login)
  Login for user "darleent" from host 194.7.248.153
  -------------------------------------------------------------
  00:00:12 later
  Time: 23-Jul-1998 14:32:51 EDT (901218771)
  Exploit: DOWNLOADING-EXPLOIT (UUDECODE-1)
  "/usr/bin/uudecode" is often used by crackers and rarely by users,
  and appears to have been used at time 23-Jul-1998 14:32:51 EDT.
  -------------------------------------------------------------
  00:00:23 later
  Time: 23-Jul-1998 14:33:14 EDT (901218794)
  Exploit: EJECT (EJECT-1)
  The command "/usr/bin/eject" is version vulnerable to a buffer overflow
  attack and appears to have been used at time 23-Jul-1998 14:33:14 EDT
  which is more recent than two associated files
  /cdrom (12-Feb-1998 15:42:46 EST) and /floppy (20-Jul-1998 10:32:15 EDT).
  Asserting belief/plausibility (40 100)
  -------------------------------------------------------------
  12:10:32 later

10
More Indirect Detection
  • mscan (80): spotted probing of telnet
  • saint (53): detected rlogin to root via
  • warez (66-1): detected creation of hidden directory
  • xsnoop (71): detected root remote logins (and FTP) paired to
    immediately preceding SU to root by user alie
  • HTTP tunnel: not matched to session (scored undetected)
    • detected installation of bogus uudemon.cleanup
    • detected use (via CRON uucp and later bramy)

11
Interesting False Detections
  • Rlogin from local host to privileged account (root) that has in .rhosts
  • root SetUID command installed (top)
  • login record inconsistencies
    • root lastlog date later than last entry in wtmpx
    • start of root login missing (wtmpx truncation?)
    • ~root/.cshrc access does not match root login and is far from SU,
      but 30 seconds after suspicious remote login
  • some related to test setup/shutdown (ignored, based on timing)

12
DERBI Architecture
  • Three major components
    • Head: analysis, reasoning, and explanation
    • Body: interface between complex queries of the Head and simple
      data from the Feet
    • Feet: simple data collection; may run on a remote system
      • file system information
      • log files
  • Support heterogeneous clusters, low-end systems

13
Log File Information Relationships
  • Partial redundancy of information
    • Redundancy is a common result of the evolution and growth of systems
  • Use to check for tampering
  • Also exposes changes to the system clock
  (diagram of log file relationships not preserved in the transcript;
   only the labels lastlog and sulog survive)
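An added example (not DERBI code) of the tampering and clock checks this slide describes, applied to the three partially redundant login records the slides name: lastlog, wtmpx and sulog. The record layouts and every entry below are constructed for the illustration (real files are binary and need their own parsers); the three checks correspond to the inconsistencies listed under Interesting False Detections on slide 11, which is why each one reports rather than decides.

```python
"""
Added example, not code from the DERBI project: cross-checking constructed
lastlog / wtmpx / sulog style records for tampering and clock changes.
All record layouts and entries are assumptions made for this illustration.
"""

# wtmpx-like session records in file order: (user, line, host, login_ts, logout_ts)
WTMPX = [
    ("alie",     "pts/1",   "host-a",        901200000, 901203600),
    ("darleent", "pts/2",   "194.7.248.153", 901218759, 901220000),
    ("root",     "console", "",              901150000, 901151000),
]

# lastlog-like table: user -> time of last login
LASTLOG = {"alie": 901200000, "darleent": 901218759, "root": 901222000}

# sulog-like records: (ts, from_user, to_user, success)
SULOG = [
    (901201000, "alie",  "root", True),
    (901210000, "bramy", "root", True),
]


def last_login(wtmpx):
    """Most recent login time per user according to wtmpx."""
    out = {}
    for user, _line, _host, login, _logout in wtmpx:
        out[user] = max(out.get(user, 0), login)
    return out


def check_lastlog_vs_wtmpx(wtmpx, lastlog):
    """lastlog newer than every wtmpx login for the user: a wtmpx record was
    removed (or the file truncated), or lastlog itself was edited."""
    findings = []
    last = last_login(wtmpx)
    for user, ts in lastlog.items():
        if ts > last.get(user, -1):
            findings.append(("lastlog-after-wtmpx", user, ts))
    return findings


def check_su_has_session(wtmpx, sulog):
    """A successful su should fall inside a login session of the source user;
    otherwise the start of that login is missing from wtmpx."""
    findings = []
    for ts, src, dst, ok in sulog:
        if not ok:
            continue
        in_session = any(u == src and login <= ts <= logout
                         for u, _l, _h, login, logout in wtmpx)
        if not in_session:
            findings.append(("su-without-session", src, dst, ts))
    return findings


def check_clock_monotonic(wtmpx):
    """wtmpx is append-only, so login times that go backwards in file order
    indicate a system clock change or an edited file."""
    findings = []
    prev = None
    for user, _l, _h, login, _logout in wtmpx:
        if prev is not None and login < prev:
            findings.append(("time-went-backwards", user, prev, login))
        prev = login
    return findings


def audit(wtmpx=WTMPX, lastlog=LASTLOG, sulog=SULOG):
    """Run all three cross-checks and return the combined list of findings."""
    return (check_lastlog_vs_wtmpx(wtmpx, lastlog)
            + check_su_has_session(wtmpx, sulog)
            + check_clock_monotonic(wtmpx))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed data the audit reports three findings: root's lastlog entry postdates its last wtmpx login, bramy's su to root has no enclosing session, and the root console record is older than the record before it. None of these alone proves a break-in (slide 11 lists the first two as false detections in the evaluation), but an attacker who cleans only one of the three files leaves exactly this kind of disagreement behind.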
14
Checking a Suspect System
  (diagram not preserved in the transcript; the only surviving labels
   are four DERBI boxes)
15
Rule Graph
  • The presented slide is not included here; it could not be
    adequately converted into a graphic that could be included in a
    MS PowerPoint file.
  • This slide showed a graph with a large number of nodes
    representing rules, and was intended to show that although the
    rules formed a predominantly hierarchical structure, there was
    substantial crossing-over of the boundaries.
  • A PostScript version of this graph can be found at
    http://www.ai.sri.com/derbi/presentations/idpi9812/derbi-graph-1998dec.ps

16
Future
  • Analysis for interrelated systems
    • overlapping file systems, servers, users, other privileges
      (not just simple client-server)
  • Support of multiple OSs and OS families
  • Expansion and standardization of attack data
    • vulnerabilities, exploits, tools, camouflage, packages
  • Test and distribution: operational clusters, false positive rates
  • Explanation
  • More sophisticated analysis
    • Identification of higher-level goals