
Slide 1: JIGSAW – Attack Modeling Language
Steven J. Templeton, U.C. Davis Security Lab
Global Guard - U.C. Davis Security Lab, 8/2/99

Slide 2: JIGSAW – Origins

- Language as a means of:
  - Organizing thinking about attacks
  - Expressing attack/security concepts in a form that is convenient to reason about
- Language based on abstract attack concepts, program/protocol specifications, and system configuration
- Emphasis is not on detecting new, low-level vulnerabilities, but on how these, plus system information, could be combined into sophisticated multi-stage attacks. Of particular interest is detecting new attacks.
- Relies on sensor input that detects specific system events or known attacks, i.e. CIDF GIDOs.

Slide 3: Concept Structure

[Diagram: a Concept (RSH Connection Spoofing) and its parts. Labels as they appear on the slide: Requires (DOS, SeqNumProbing, Spoofed Packet Send); Where; Report (Transfer Channel, Remote Execution); Action (Send CIDF Report, Audit RSH packet data).]

Slide 4: Concept Framework

    concept
      extends     #- list of concepts on which this concept is based
      requires    #- labeled list of reports or domain data used in concept
      where       #- correlate assertions on attributes
      report      #- expresses details of positive correlations seen
      action      #- external actions
    end.

Slide 5: requires - events needed

#- Specifies the reports or domain specifications required
#- Specifies label bindings

e.g.

    concept Propagate
    requires
      Push_Transfer_Channel: PUTC    #- subscribed report
      Remote_Execution: RE           #- subscribed report
      Pull_Transfer_Channel: PLTC    #- subscribed report
      …

e.g.

    concept Buffer_Overflow
    requires
      Buffer_Overflow_Detected: BOD  #- subscribed report
      …

#- The requires section lists the types of reports the concept, acting as an agent, wishes to subscribe to.

Slide 6: requires - (continued)

e.g.

    concept Linux5.1-IMAP_buffer_overflow
    requires
      Host_Info: HI                            #- domain knowledge
      Linux_5.1_IMAP_attach_detected: L51IMAP  #- subscribed report
      …

e.g.

    concept IIS_List_Overflow_Attack
    requires
      Host_Info: HI                            #- domain knowledge
      IIS_List_Overflow_Detected: IISLOD       #- subscribed report
      IIS_Access: IISA                         #- subscribed report
      …

e.g.

    concept RSH_connection_spoof
    requires
      Trusted_Partner: TP                      #- subscribed report
      Network_DOS: ND                          #- subscribed report
      SeqNumProbe: SNP                         #- subscribed report
      SpoofedPacketSend: SPS                   #- subscribed report
      …

Slide 7: report - changes in KB

#- Values are bound to instantiations of a report and the report is published

e.g.

    assert Linux5.1-IMAP_vulnerable        #- keyword assert is optional
      (host <- L51IMAPD.hostname)
    retract Linux5.1-IMAP_vulnerable (hostname)

#- Explanatory data is passed along by binding the matching "required" reports to this report; by default all required reports are bound
#- The keyword unbind is used to limit growth of explanatory data

e.g.

    assert SeqNumProbe
      (dest <- SNP.dest)
    unbind SNP                             #- all other unbound data is lost

Slide 8: report - (continued)

e.g.

    concept Linux5.1-IMAP_buffer_overflow
    requires
      Host_Info: HI                            #- domain knowledge
      Linux_5.1_IMAP_attach_detected: L51IMAP  #- subscribed report
      …
    report
      buffer_overflow_detected
        (host <- HI.host)
      …
    end.

Slide 9: report - (continued)

e.g.

    concept RSH_Connection_Spoofing
    requires
      Trusted_Partner: TP         #- subscribed report
      Network_DOS: ND             #- subscribed report
      SeqNumProbe: SNP            #- subscribed report
      SpoofedPacketSend: SPS      #- subscribed report
      …
    report
      Remote_Execution
        (dest <- SPS.target)        #- host we can execute on
        (source <- SPS.source)
        (true_src <- SPS.true_src)  #- where remote code must come from
        (start_time <- SPS.time)
        (end_time <- SPS.time)

Slide 10: report - (continued)

e.g.

    concept NIS_Connection_Spoofing
    requires
      Trusted_Partner: TP         #- subscribed report
      Network_DOS: ND             #- subscribed report
      SeqNumProbe: SNP            #- subscribed report
      SpoofedPacketSend: SPS      #- subscribed report
      …
    report
      Remote_Execution
        (dest <- SPS.target)        #- host we can execute on
        (source <- SPS.source)
        (true_src <- SPS.true_src)  #- where remote code must come from
        (start_time <- SPS.time)
        (end_time <- SPS.time)

Slide 11: where - Correlates assertions

#- A list of expressions which must all be true for the concept to hold
#- Describes constraints on how reports are to be combined

e.g.

    DOS.host is SPS.source
    DOS.port_set includes SPS.source
    active(DOS) while active(SPS)

#- The base library of functions can be extended either globally or locally to a particular construct

e.g.

    defpred is_mail_port(X) ( X in { SMTP, POP, POP2, POP3, IMAP } )
    deffunc number_of_ports(X) ( return card(X.port_set) )

#- Call-by-value only, no side effects
#- No external calls allowed

Slide 12: Example: SynFlood

    concept SynFlood
    requires
      SynFlood: SF
      NetworkAccess: NA
    where
      network_access(NA.true_src, SF.target)
    report
      Denial_of_Network_Service
        (target <- SF.target)
        update_on
          (port_set <- port_set + SF.port)
          (start_time <- SF.time)
          (stop_time <- SF.time)
        update
    end.
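The update_on form above describes a report for a continuing event that is updated in place rather than re-asserted for every new sensor report. The following is an added illustration, not code from the slides or from the JIGSAW project: a small knowledge base in which the first SynFlood report for a target creates the Denial_of_Network_Service report and each later one adds its port to port_set and moves stop_time forward. It reads start_time as fixed at creation and stop_time as advancing, which is this example's interpretation of the slide; the network_access test is modelled with a constructed reachability table, and all report fields and sample values are constructed.

```python
"""Added example: 'update_on' semantics for a continuing-event report.

Not JIGSAW code; the KnowledgeBase class, the REACHABLE table and the
sample reports are constructed for this illustration.
"""

# constructed: (true_src, target) pairs for which a NetworkAccess report holds
REACHABLE = {("192.0.2.7", "10.0.0.9")}


def network_access(true_src, target):
    """Stands in for the slide's network_access(NA.true_src, SF.target) predicate."""
    return (true_src, target) in REACHABLE


class KnowledgeBase:
    def __init__(self):
        self.reports = {}  # (report type, key) -> report dict

    def assert_update(self, rtype, key, init, update):
        """assert with update_on: create the report on first sight, otherwise apply the update bindings."""
        k = (rtype, key)
        if k not in self.reports:
            self.reports[k] = dict(type=rtype, **init)
        else:
            update(self.reports[k])
        return self.reports[k]

    def get(self, rtype, key):
        return self.reports.get((rtype, key))


def syn_flood(kb, sf, na):
    """concept SynFlood: requires SynFlood: SF and NetworkAccess: NA."""
    if not network_access(na["true_src"], sf["target"]):  # the where clause
        return None

    def update(r):
        r["port_set"] = r["port_set"] | {sf["port"]}  # port_set <- port_set + SF.port
        r["stop_time"] = sf["time"]                   # stop_time <- SF.time

    return kb.assert_update(
        "Denial_of_Network_Service", sf["target"],
        init={"target": sf["target"], "port_set": {sf["port"]},
              "start_time": sf["time"], "stop_time": sf["time"]},
        update=update)


SF_REPORTS = [  # constructed sensor reports
    {"type": "SynFlood", "target": "10.0.0.9", "port": 25, "time": 100},
    {"type": "SynFlood", "target": "10.0.0.9", "port": 80, "time": 140},
    {"type": "SynFlood", "target": "10.0.0.9", "port": 25, "time": 170},
    {"type": "SynFlood", "target": "10.0.0.42", "port": 22, "time": 180},  # no network access: no report
]
NA = {"type": "NetworkAccess", "true_src": "192.0.2.7"}  # constructed


def run(reports=SF_REPORTS, na=NA):
    """Feed every SynFlood report through the concept and return the resulting knowledge base."""
    kb = KnowledgeBase()
    for sf in reports:
        syn_flood(kb, sf, na)
    return kb


if __name__ == "__main__":
    for r in run().reports.values():
        print(r["type"], r["target"], sorted(r["port_set"]), r["start_time"], r["stop_time"])
```

Three SynFlood reports against the same target collapse into one Denial_of_Network_Service report covering ports 25 and 80 with the original start time and the latest stop time; the report against the unreachable target is rejected by the where clause and never enters the knowledge base.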

Slide 13: More Examples

    concept FileHandleGuessing
    requires
    where
    report
    end.

    concept DNS_Cache_Poisoning
    requires
      DNS_Cache_Poison_Detected: DNSCP
    report
      Traffic_Redirection
        forall ce in DNSCP.map_list {
          (remap <- remap + [DNSCP.old_IPA, DNSCP.new_IPA])
        }
    end.

Slide 14: Example: Connection Spoofing

    concept Connection_Spoofing
    requires
      Trusted_Partner: TP
      Network_DOS: ND
      SeqNumProbe: SNP
      SpoofedPacketSend: SPS
    where
      ND.hosts includes TP.host
      SPS.source is SPS.target
      active(ND) while active(SPS)
      not ND.hosts includes SPS.true_src
      not ND.hosts includes SPS.target
    report
      assert Connection_Spoofing
        (dest <- SPS.target)
        (source <- SPS.source)
        (true_src <- SPS.true_src)
        (start_time <- SPS.time)
        (end_time <- SPS.time)
    end.
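The requires/where/report structure of slides 4 to 14 amounts to a join over subscribed reports, filtered by the where constraints, with one new report asserted per match and the matched reports carried along as explanatory data (slide 7). The block below is an added example, not code from the slides or the JIGSAW project, that evaluates the Connection_Spoofing concept this way over constructed sensor reports. The Concept class, the active_while helper, the report layout (a type, a (start, end) time interval and attributes) and all addresses and times are this example's assumptions. One constraint, that the spoofed source address is the trusted partner's host, is this example's own reading of the slide's source constraint and is marked as such in the code; the unbind of SNP follows the slide 7 example.

```python
"""Added example: evaluating a JIGSAW-style concept as a filtered join.

Not JIGSAW code.  Reports are dicts with a 'type', a 'time' interval
(start, end) and attributes; every name and value below is constructed.
"""
from itertools import product


def active_while(a, b):
    """active(a) while active(b): the two reports' time intervals overlap."""
    return a["time"][0] <= b["time"][1] and b["time"][0] <= a["time"][1]


class Concept:
    def __init__(self, name, requires, where, report, bindings, unbind=()):
        self.name = name
        self.requires = requires  # label -> report type subscribed to
        self.where = where        # predicates over {label: report}; all must hold
        self.report = report      # report type asserted on a match
        self.bindings = bindings  # attribute -> function of the bound labels
        self.unbind = set(unbind) # labels dropped from the explanatory data

    def evaluate(self, kb):
        """Join every combination of subscribed reports; assert one report per combination that satisfies 'where'."""
        labels = list(self.requires)
        candidates = [[r for r in kb if r["type"] == self.requires[l]] for l in labels]
        asserted = []
        for combo in product(*candidates):
            env = dict(zip(labels, combo))
            if all(pred(env) for pred in self.where):
                out = {"type": self.report}
                out.update({attr: fn(env) for attr, fn in self.bindings.items()})
                # explanatory data: by default every required report is bound
                out["explains"] = {l: r for l, r in env.items() if l not in self.unbind}
                asserted.append(out)
        return asserted


SAMPLE_KB = [  # constructed sensor reports, not real captures
    {"type": "Trusted_Partner", "time": (0, 999), "host": "10.0.0.5", "partner": "10.0.0.9"},
    {"type": "Network_DOS", "time": (100, 200), "hosts": {"10.0.0.5"}},
    {"type": "SeqNumProbe", "time": (110, 120), "dest": "10.0.0.9", "true_src": "192.0.2.7"},
    {"type": "SpoofedPacketSend", "time": (130, 131), "source": "10.0.0.5",
     "target": "10.0.0.9", "true_src": "192.0.2.7"},
    # a second spoofed send after the DOS has ended: must not correlate
    {"type": "SpoofedPacketSend", "time": (300, 301), "source": "10.0.0.5",
     "target": "10.0.0.9", "true_src": "192.0.2.7"},
]

CONNECTION_SPOOFING = Concept(
    name="Connection_Spoofing",
    requires={"TP": "Trusted_Partner", "ND": "Network_DOS",
              "SNP": "SeqNumProbe", "SPS": "SpoofedPacketSend"},
    where=[
        lambda e: e["TP"]["host"] in e["ND"]["hosts"],          # ND.hosts includes TP.host
        lambda e: e["SPS"]["source"] == e["TP"]["host"],         # example's reading: spoofed source is the silenced trusted host
        lambda e: active_while(e["ND"], e["SPS"]),               # active(ND) while active(SPS)
        lambda e: e["SPS"]["true_src"] not in e["ND"]["hosts"],  # not ND.hosts includes SPS.true_src
        lambda e: e["SPS"]["target"] not in e["ND"]["hosts"],    # not ND.hosts includes SPS.target
    ],
    report="Connection_Spoofing",
    bindings={
        "dest": lambda e: e["SPS"]["target"],
        "source": lambda e: e["SPS"]["source"],
        "true_src": lambda e: e["SPS"]["true_src"],
        "start_time": lambda e: e["SPS"]["time"][0],
        "end_time": lambda e: e["SPS"]["time"][1],
    },
    unbind=("SNP",),  # as in slide 7's 'unbind SNP': drop that explanatory data
)


def correlate(kb=SAMPLE_KB):
    """Run the concept over the knowledge base and return the asserted reports."""
    return CONNECTION_SPOOFING.evaluate(kb)


if __name__ == "__main__":
    for r in correlate():
        print(r["type"], r["dest"], "claimed", r["source"], "really",
              r["true_src"], "explained by", sorted(r["explains"]))
```

Only the spoofed send that falls inside the Network_DOS window correlates; the later one fails the active(ND) while active(SPS) test. The asserted report still carries TP, ND and SPS as explanatory data, so a downstream concept or an operator can see which sensor reports justified it, while SNP has been unbound.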

Slide 15: action - external effects

#- used to
  * send alerts and other informational reports
  * send CIDF GIDOs to other A-boxes
  * dynamically change sensors
  * take response measures

Slide 16: extends - basic inheritance

#- convenient notation when useful reports are not asserted as needed (missing "binds")

e.g.

    concept ThinWorm extends Worm

Slide 17: Sensor Framework

Wraps sensor input to provide JIGSAW reports

    sensor
    requires {
      extern :          #- external process
      - or -
      gido :            #- GIDO this wraps
                        #- negotiated via IDIAN
    }
    report {            #- messages to JSAs
      ( + )
    }
    end.

Slide 18: DOS Network Concept Hierarchy

[Diagram: four levels of denial of service: DOS port, DOS Host, DOS Network, DOS all ports.]

Slide 19: Concept Hierarchy

[Diagram: SynFlood (DOS port), Halt Computer (DOS Host), PacketStorm (DOS Network), Unplug Cable (DOS all ports).]

    concept SynFlood
    requires
      SynFloodDetected: SFD
    report
      Denial_of_Service
        (host <- SFD.host)
        (port <- SFD.port_x)
    end.

Slide 20: Concept Hierarchy

[Diagram: SynFlood (DOS port), Halt Computer (DOS Host), PacketStorm (DOS Network), Unplug Cable (DOS all ports).]

    concept UnpluggedCable
    requires
      UPCableDetected: UPC
    report
      Denial_of_Service
        (host <- UPC.host)
        (port <- *)
    end.

Slide 21: Concept Hierarchy

[Diagram: SynFlood (DOS port), PingOfDeath (DOS Host), PacketStorm (DOS Network), Unplug Cable (DOS all ports).]

    concept PacketStorm
    requires
      PacketStormDetected: PS
    report
      forall h in LocalNet(PS.host, PS.adapter)
        Denial_of_Service
          (host <- PS.host)
          (port <- *)
    end.

Slide 22: Concept Hierarchy?

[Diagram: SynFlood (DOS port), PingOfDeath (DOS Host), PacketStorm (DOS Network), Unplug Cable (DOS all ports), with a new level, DOS Process.]

    concept PingOfDeath
    requires
      PingOfDeath: POD
    report
      Denial_of_Service
        (host <- POD.target)
        (port <- *)
        (proc <- *)
    end.

Slide 23: Concept Hierarchy

[Diagram: Denial-of-Service as the root, with SynFlood (DOS port), Halt Computer (DOS Host), PacketStorm (DOS Network) and Unplug Cable (DOS all ports) beneath it.]

Slide 24: Report Specialization

[Diagram: the general Denial-of-Service report, fed by SynFlood (DOS port), PingOfDeath (DOS Host), PacketStorm (DOS Network) and Unplug Cable (DOS all ports), is specialized into FTP_DOS, NIS_DOS, SMTP_DOS, HTTP_DOS, Comm_DOS, DMZ_DOS and R&D_DOS.]
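Slides 19 to 24 show the two directions of the hierarchy: low-level detector reports are lifted to the general Denial_of_Service report, with * standing for "all" ports or processes, and that general report is then specialized into per-service reports such as FTP_DOS. The block below is an added example, not code from the slides or the JIGSAW project, that implements both steps in Python. The lifting rules follow the concepts on slides 19 to 22, including the forall expansion over LocalNet for PacketStorm; the service inventory, the LocalNet table, the host names, the ports and the detector reports are all constructed for the example, and the specialization rule (a service is denied when some Denial_of_Service report covers its host and port, with * matching any value) is this example's assumption about how the specialized reports on slide 24 are derived.

```python
"""Added example: the Denial_of_Service concept hierarchy as lifting and
specialization rules.  Not JIGSAW code; every host, port, table and
detector report below is constructed.
"""
STAR = "*"  # the slides' '*' binding: all ports / all processes

# constructed network knowledge: hosts reachable from (host, adapter)
LOCAL_NET = {
    ("gw.example.test", "eth1"): ["ftp.example.test", "nis.example.test"],
}


def local_net(host, adapter):
    """LocalNet(PS.host, PS.adapter) from slide 21: the hosts on that segment."""
    return LOCAL_NET.get((host, adapter), [])


def dos(host, port=STAR, proc=STAR):
    """Build one general Denial_of_Service report."""
    return {"type": "Denial_of_Service", "host": host, "port": port, "proc": proc}


# one lifting rule per low-level concept; each returns the reports it asserts
def syn_flood(sfd):        # slide 19: one port on one host
    return [dos(sfd["host"], sfd["port_x"])]


def unplugged_cable(upc):  # slide 20: every port on the host
    return [dos(upc["host"], STAR)]


def packet_storm(ps):      # slide 21: forall h in LocalNet(PS.host, PS.adapter)
    return [dos(h, STAR) for h in local_net(ps["host"], ps["adapter"])]


def ping_of_death(pod):    # slide 22: host, all ports, all processes
    return [dos(pod["target"], STAR, STAR)]


LIFT = {
    "SynFloodDetected": syn_flood,
    "UPCableDetected": unplugged_cable,
    "PacketStormDetected": packet_storm,
    "PingOfDeath": ping_of_death,
}


def lift(reports):
    """Turn detector reports into general Denial_of_Service reports."""
    out = []
    for r in reports:
        out.extend(LIFT[r["type"]](r))
    return out


def matches(value, pattern):
    """A '*' in a report covers any concrete value."""
    return pattern == STAR or value == pattern


SERVICES = {  # constructed service inventory: specialized report -> (host, port)
    "FTP_DOS": ("ftp.example.test", 21),
    "SMTP_DOS": ("mail.example.test", 25),
    "NIS_DOS": ("nis.example.test", 111),
    "HTTP_DOS": ("www.example.test", 80),
}


def specialise(dos_reports):
    """Report specialization (slide 24): the services whose host and port some DOS report covers."""
    hit = set()
    for name, (host, port) in SERVICES.items():
        for d in dos_reports:
            if matches(host, d["host"]) and matches(port, d["port"]):
                hit.add(name)
    return hit


SAMPLE_REPORTS = [  # constructed detector output
    {"type": "SynFloodDetected", "host": "mail.example.test", "port_x": 25},
    {"type": "SynFloodDetected", "host": "www.example.test", "port_x": 443},
    {"type": "PacketStormDetected", "host": "gw.example.test", "adapter": "eth1"},
]


def analyse(reports=SAMPLE_REPORTS):
    """Lift then specialize: which service-level DOS reports follow from the detectors."""
    return specialise(lift(reports))


if __name__ == "__main__":
    print(sorted(analyse()))
```

The SYN flood on port 25 yields SMTP_DOS, the one on port 443 yields nothing because the inventory lists the web service on port 80, and the packet storm, expanded over LocalNet to an all-ports report for each host on the segment, yields FTP_DOS and NIS_DOS. The point of the wildcard is that a concept subscribing to FTP_DOS never has to know which of the four low-level detectors fired.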

Slide 25: D.O.S. - Hierarchy of Specialization

Slide 26: Conceptual Execution Model

Communicating Agent Model
- Each concept statement defines a JSA (JigSaw Agent)
- JSAs execute concurrently on one or more hosts
- requires specifies the types of reports of interest to the JSA, i.e. what it subscribes to
- reports are the messages an agent will publish
- reports can be either broadcast to all agents, or sent only to subscribing agents
- Remote groups of agents communicate via CIDF, using IDIAN to negotiate report requirements

Slide 27: Uses

- Forward direction: as an ID system
- In reverse: to identify vulnerabilities
- In reverse, with sensors replaced by appropriate attack scripts: as an attack system
  - Plans how to reach a goal
  - Can find new combinations of attacks to reach a goal, e.g. using DNS requests as a method for a worm to pull in its body; port DOS to spoof IIS authentication, then buffer overflow of the list command as a means of remote execution

Slide 28: Attack Requirements

    concept Propagate
    requires
      Remote_Execution: RE
      …
    where
      …
    end.

    concept Linux5.1-IMAP_Vulnerable
    requires
      OS_Linux-5.1: OSL51
      Not_IMAP_Patched: NIMAPP
      …
    report
      Remote_Execution
        (host <- OSL51.host)
      …
    end.

    concept OS_Linux-5.1_ID
    requires
      OS_Scan: OSS
    where
      OSS.OS is Linux_5.1
    report
      OS_Linux-5.1
        (host_set <- OSL51.host)
    end.

Slide 29: Challenges

- Writing more specifications
- Efficient implementation
- Integration of anomaly detection components into JIGSAW
- Appropriate time-to-live for assertions
- Update reports of continuing events

Slide 30: Summary

- Simple conceptual framework for modeling attack concepts
- Extensible to handle new attribute relationships
- Utilizes new attack detectors to improve performance
- Specifications use behavioral characteristics of the attack and/or of the critical resources to protect
- CIDF friendly
- While conceptually an agent approach, not tied to any execution method
- Well suited as an attack tool

