Presentation is loading. Please wait.

Presentation is loading. Please wait.

15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 1 DERBI: Diagnosis, Explanation and Recovery from Break-Ins Mabry.

Published bySamuel Arnold Modified over 10 years ago

Similar presentations

Presentation on theme: "15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 1 DERBI: Diagnosis, Explanation and Recovery from Break-Ins Mabry."— Presentation transcript:

1 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 1 DERBI: Diagnosis, Explanation and Recovery from Break-Ins Mabry Tyson Douglas Moran Pauline Berry David Blei Artificial Intelligence Center SRI International 333 Ravenswood Avenue Menlo Park CA 94025 http://www.ai.sri.com/~derbi

2 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 2 Introduction PART 1: Presentation of Evaluation Results –Design assumption: an out-of-the-box system after-the-fact analysis no network monitoring or audit trail data –Data source: end-of-day filesystem dumps for Pascal not available: contents of /tmp, /proc, OS tables,... PART 2: Status of DERBI System PART 3: Future

3 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 3 Evaluation Procedure Scoring based on *.list files. DERBI not designed to use those data sources = no automatic mapping Manual mapping, no additional information used Attacks detected but scored as undetected because we could not identify corresponding session (3) Some false positives similarly unscored (approx. 5) Full DERBI system not used –to better fit into scoring protocol –to provide linearized textual output

4 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 4 Detection of Buffer Overflow Attacks Detected, but session not identified X major + contributing DetectedUndetected False x + x + + 137147 x x Inconsistent uudemon.cleanup FileSys Changes x 115 EJECT: 7 of 7; 1 falseFORMAT: 6 of 7; 1 false FFB: 2 of 2 112 x x x 77 x /etc/passwd 11 x Normal Access uudecode 22 x + 8 + 28 x + 35 x + 63 + + Suspicious login 54 x + 75 x + 120 x + + 104 x + 60 Attack ID 13612987102 Exploit Script: Created Accessed 6* x x x x x PS: 3 of 4 + failed attack* 5%50% Probability (blank if 100%)

5 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 5 Visibility of Evidence exploit detected failed exploit detectedfalse positive normal usage MTuThWFMTuThWF uud.clean eject format ffb uudecode 137147 115112 772822 608 75351112063 351202822863 11516 136 102 87 6 129 10454 read create ps 687 exploit evidence overwritten

6 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 6 Attack Evidence Rules Used in the Evaluation Test Set = 18%

7 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 7 Example Evidence Rule: EJECT buffer overflow EVIDENCE-TYPE (exploit (setuid root) buffer-overflow) UNIQUE-NAME eject-1 EVALUATION-NAME eject PATHS (follow-links '("/usr/bin/eject")) EVIDENCE ( ((not (and (command-version-vulnerable-p DIR FILE) ;; not vulnerable command or (window-of-opportunity (TimeAccessed PATH)))) ;; not used in interval of interest 0 0) ;;; assign 0% probability to command being used and 0% believe that it was ((greater-than (TimeAccessed PATH) ;;; use is later than (max (TimeModified "/cdrom") (TimeModified "/floppy"))) ;;; expected effects 40 100)) ;;; 40% probability of exploit, no change in believe about whether it was exploited POSIT ((posit ((TIME (TimeAccessed PATH))) (compromised-shell "root" TIME *unknown-time*))) EXPLANATION (next slide)

8 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 8 Evidence Rule: EJECT buffer overflow (cont) UNIQUE-NAME eject-1 PATHS (follow-links '("/usr/bin/eject")) EXPLANATION (explain-evidence ( PATH ;;; variable declarations (TIME (print-unix-time (TimeAccessed PATH))) (TIME2 (print-unix-time (TimeModified "/cdrom"))) (TIME3 (print-unix-time (TimeModified "/floppy"))) ) (TimeAccessed PATH) ;;; as-of time "The command ~S is version vulnerable to a buffer overflow attack and appears to have been used at time ~A which is more recent than two associated files: /cdrom (~A) and /floppy (~A)." PATH TIME TIME2 TIME3)

9 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 9 Example Output for an Attack +04:53:25 later ==================================== Time: 23-Jul-1998 14:32:39 EDT (901218759) Exploit: Suspicious-login (Suspicious-login) Login for user "darleent from host 194.7.248.153 ------------------------------------------------------------- +00:00:12 later ==================================== Time: 23-Jul-1998 14:32:51 EDT (901218771) Exploit: DOWNLOADING-EXPLOIT (UUDECODE-1) "/usr/bin/uudecode" is often used by crackers and rarely by users, and appears to have been used at time 23-Jul-1998 14:32:51 EDT. ------------------------------------------------------------- +00:00:23 later ==================================== Time: 23-Jul-1998 14:33:14 EDT (901218794) Exploit: EJECT (EJECT-1) The command "/usr/bin/eject" is version vulnerable to a buffer overflow attack and appears to have been used at time 23-Jul-1998 14:33:14 EDT which is more recent than two associated files: /cdrom (12-Feb-1998 15:42:46 EST) and /floppy (20-Jul-1998 10:32:15 EDT). Asserting belief/plausibility = (40 100) ------------------------------------------------------------ +12:10:32 later

10 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 10 mscan (#80): spotted probing of telnet saint (#53): detected rlogin to root via ++ warez (#66-1): detected creation of hidden directory xsnoop (#71): detected root remote logins (and FTP) paired to immediately preceding SU to root by user alie HTTP tunnel: not matched to session (scored undetected) –detected installation of bogus uudemon.cleanup –detected use (via CRON: uucp and later bramy) More Indirect Detection

11 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 11 Interesting False Detections Rlogin from local host to privileged account (root) that has + + in.rhosts root SetUID command installed (top) login record inconsistencies –root: lastlog date later than last entry in wtmpx –start of root login missing (wtmpx truncation?) –~root/.cshrc access does not match root login and far from SU, but 30 seconds after suspicious remote login –some related to test setup/shutdown (ignored, based on timing).

12 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 12 DERBI Architecture Three major components: –Head: analysis, reasoning, and explanation –Body: interface between complex queries of Head and simple data from Feet –Feet: simple data collection - may run on remote system file system information log files Support heterogeneous clusters & low-end systems

13 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 13 Log File Information Relationships utmp utmpx wtmp wtmpx lastlog syslog messages authlog sulog File system Shell Init Files cronlogcrontabs Partial redundancy of info Redundancy a common result of the evolution & growth of systems Use to check for tampering Also exposes changes to system clock

14 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 14 Checking a Suspect System DERBI

15 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 15 Rule Graph The presented slide is not included here -- it could not be adequately converted into a graphic that could be included in a MS PowerPoint file. This slide showed a graph with a large number of nodes representing rules, and was intended to show that although the rules formed a predominantly hierarchical structure, there was substantial crossing-over of the boundaries. A PostScript version of this graph can be found at http://www.ai.sri.com/~derbi/presentations/idpi9812/derbi-graph-1998dec.ps

16 15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 16 Future Analysis for interrelated systems –overlapping file systems, servers, users, other privileges (not just simple client-server) Support of multiple OSs and OS families Expansion and standardization of attack data –vulnerabilities, exploits, tools, camouflage, packages Test and distribution: operational clusters; false positive rates Explanation More sophisticated analysis Identification of higher-level goals

Download ppt "15 December 1998DARPA Information Survivability Program Intrusion Detection PI Meeting 1 DERBI: Diagnosis, Explanation and Recovery from Break-Ins Mabry."

Similar presentations

1 Senn, Information Technology, 3 rd Edition © 2004 Pearson Prentice Hall James A. Senns Information Technology, 3 rd Edition Chapter 7 Enterprise Databases.

1 Senn, Information Technology, 3 rd Edition © 2004 Pearson Prentice Hall James A. Senns Information Technology, 3 rd Edition Chapter 7 Enterprise Databases.
© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Installation & management of SUSE.

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Installation & management of SUSE.
Fill in missing numbers or operations

Fill in missing numbers or operations
AP STUDY SESSION 2.

AP STUDY SESSION 2.
1

1
Worksheets.

Worksheets.
& dding ubtracting ractions.

& dding ubtracting ractions.
1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 2 Getting Started.

1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 2 Getting Started.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Multiplication X 1 1 x 1 = 1 2 x 1 = 2 3 x 1 = 3 4 x 1 = 4 5 x 1 = 5 6 x 1 = 6 7 x 1 = 7 8 x 1 = 8 9 x 1 = 9 10 x 1 = 10 11 x 1 = 11 12 x 1 = 12 X 2 1.

Multiplication X 1 1 x 1 = 1 2 x 1 = 2 3 x 1 = 3 4 x 1 = 4 5 x 1 = 5 6 x 1 = 6 7 x 1 = 7 8 x 1 = 8 9 x 1 = 9 10 x 1 = x 1 = x 1 = 12 X 2 1.
Division ÷ 1 1 ÷ 1 = 1 2 ÷ 1 = 2 3 ÷ 1 = 3 4 ÷ 1 = 4 5 ÷ 1 = 5 6 ÷ 1 = 6 7 ÷ 1 = 7 8 ÷ 1 = 8 9 ÷ 1 = 9 10 ÷ 1 = 10 11 ÷ 1 = 11 12 ÷ 1 = 12 ÷ 2 2 ÷ 2 =

Division ÷ 1 1 ÷ 1 = 1 2 ÷ 1 = 2 3 ÷ 1 = 3 4 ÷ 1 = 4 5 ÷ 1 = 5 6 ÷ 1 = 6 7 ÷ 1 = 7 8 ÷ 1 = 8 9 ÷ 1 = 9 10 ÷ 1 = ÷ 1 = ÷ 1 = 12 ÷ 2 2 ÷ 2 =
1 Hyades Command Routing Message flow and data translation.

1 Hyades Command Routing Message flow and data translation.
David Burdett May 11, 2004 Package Binding for WS CDL.

David Burdett May 11, 2004 Package Binding for WS CDL.
We need a common denominator to add these fractions.

We need a common denominator to add these fractions.
Prepared by: Workforce Enterprise Services For: The Illinois Department of Commerce and Economic Opportunity Bureau of Workforce Development ENTRY OF EMPLOYER.

Prepared by: Workforce Enterprise Services For: The Illinois Department of Commerce and Economic Opportunity Bureau of Workforce Development ENTRY OF EMPLOYER.
CALENDAR.

CALENDAR.
1 1  1 =.

1 1  1 =.
1  1 =.

1  1 =.
Chapter 6 File Systems 6.1 Files 6.2 Directories

Chapter 6 File Systems 6.1 Files 6.2 Directories
1 Chapter 12 File Management Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

1 Chapter 12 File Management Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Similar presentations

Ads by Google