15 December 1998, DARPA Information Survivability Program Intrusion Detection PI Meeting. DERBI: Diagnosis, Explanation and Recovery from Break-Ins (Mabry Tyson et al., SRI International).

Presentation transcript:

Slide 1: DERBI: Diagnosis, Explanation and Recovery from Break-Ins
Mabry Tyson, Douglas Moran, Pauline Berry, David Blei
Artificial Intelligence Center, SRI International, 333 Ravenswood Avenue, Menlo Park CA

Slide 2: Introduction
PART 1: Presentation of Evaluation Results
–Design assumption: an out-of-the-box system; after-the-fact analysis; no network monitoring or audit trail data
–Data source: end-of-day filesystem dumps for Pascal; not available: contents of /tmp, /proc, OS tables, ...
PART 2: Status of DERBI System
PART 3: Future

Slide 3: Evaluation Procedure
Scoring based on *.list files. DERBI not designed to use those data sources = no automatic mapping
Manual mapping, no additional information used
Attacks detected but scored as undetected because we could not identify the corresponding session (3)
Some false positives similarly unscored (approx. 5)
Full DERBI system not used
–to better fit into scoring protocol
–to provide linearized textual output

Slide 4: Detection of Buffer Overflow Attacks
(Results table; its layout did not survive the transcript. What remains:)
Legend: X = major evidence, + = contributing evidence; * = detected, but session not identified
Columns: Detected / Undetected / False
Evidence sources: Inconsistent uudemon.cleanup, FileSys Changes, /etc/passwd, Normal Access, uudecode, Suspicious login, Exploit Script Created, Exploit Script Accessed
Attack IDs appearing in the table: 115, 77, 11, 22, 35, 54, 75, 60, 6*
Summary: EJECT: 7 of 7, 1 false; FORMAT: 6 of 7, 1 false; FFB: 2 of (count not legible); PS: 3 of 4 + failed attack*
Probability (blank if 100%): 5% and 50% entries

Slide 5: Visibility of Evidence
(Chart; its layout did not survive the transcript. What remains:)
Legend: exploit detected, failed exploit detected, false positive, normal usage
Axis: days M Tu W Th F, over two weeks
Rows: uud.clean, eject, format, ffb, uudecode, read, create, ps
Annotation: 687 exploit evidence overwritten

Slide 6: Attack Evidence Rules Used in the Evaluation Test Set = 18%

Slide 7: Example Evidence Rule: EJECT buffer overflow

    EVIDENCE-TYPE (exploit (setuid root) buffer-overflow)
    UNIQUE-NAME eject-1
    EVALUATION-NAME eject
    PATHS (follow-links '("/usr/bin/eject"))
    EVIDENCE
      (((not (and (command-version-vulnerable-p DIR FILE)        ;; not vulnerable command or
                  (window-of-opportunity (TimeAccessed PATH))))   ;; not used in interval of interest
        0 0)                      ;;; assign 0% probability to command being used and 0% belief that it was
       ((greater-than (TimeAccessed PATH)                         ;;; use is later than
                      (max (TimeModified "/cdrom") (TimeModified "/floppy")))  ;;; expected effects
        ))                        ;;; 40% probability of exploit, no change in belief about whether it was exploited
                                  ;;; [the numeric pair of this clause did not survive the transcript]
    POSIT ((posit ((TIME (TimeAccessed PATH)))
                  (compromised-shell "root" TIME *unknown-time*)))
    EXPLANATION (next slide)

Slide 8: Evidence Rule: EJECT buffer overflow (cont)

    UNIQUE-NAME eject-1
    PATHS (follow-links '("/usr/bin/eject"))
    EXPLANATION
      (explain-evidence
        (PATH                                                   ;;; variable declarations
         (TIME  (print-unix-time (TimeAccessed PATH)))
         (TIME2 (print-unix-time (TimeModified "/cdrom")))
         (TIME3 (print-unix-time (TimeModified "/floppy"))))
        (TimeAccessed PATH)                                     ;;; as-of time
        "The command ~S is version vulnerable to a buffer overflow attack and appears to have been used at time ~A which is more recent than two associated files: /cdrom (~A) and /floppy (~A)."
        PATH TIME TIME2 TIME3)

Slide 9: Example Output for an Attack
(The year and hour fields of the timestamps, and the host name of the first login, did not survive the transcript.)

    +04:53:25 later
    ====================================
    Time: 23-Jul :32:39 EDT ( )
    Exploit: Suspicious-login (Suspicious-login)
    Login for user "darleent" from host
    :00:12 later
    ====================================
    Time: 23-Jul :32:51 EDT ( )
    Exploit: DOWNLOADING-EXPLOIT (UUDECODE-1)
    "/usr/bin/uudecode" is often used by crackers and rarely by users, and appears to have been used at time 23-Jul :32:51 EDT
    :00:23 later
    ====================================
    Time: 23-Jul :33:14 EDT ( )
    Exploit: EJECT (EJECT-1)
    The command "/usr/bin/eject" is version vulnerable to a buffer overflow attack and appears to have been used at time 23-Jul :33:14 EDT which is more recent than two associated files: /cdrom (12-Feb :42:46 EST) and /floppy (20-Jul :32:15 EDT).
    Asserting belief/plausibility = (40 100)
    :10:32 later
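The following is an added example, not DERBI's own code, of how an evidence rule of the kind shown on slides 7 to 9 is evaluated and explained. It runs over a constructed filesystem snapshot; DERBI's command-version-vulnerable-p, window-of-opportunity and print-unix-time are stood in for by simple helpers (assumptions, as is the hypothetical vulnerable-version table), clauses are taken in order with the first whose predicate holds winning (an assumption about DERBI's clause semantics), and the (40 100) belief/plausibility pair follows the output printed on slide 9.

```python
# Added example, not DERBI's own code: evaluator for the EJECT evidence rule of
# slides 7-9 over a constructed filesystem snapshot. Helpers standing in for
# DERBI's command-version-vulnerable-p, window-of-opportunity and
# print-unix-time are assumptions; so is first-matching-clause semantics.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class FileMeta:
    atime: int          # last access, seconds since the epoch
    mtime: int          # last modification, seconds since the epoch
    version: str = ""   # version string consulted by the vulnerable-version check


def ts(*ymdhms):
    """Build a UTC epoch timestamp from (year, month, day, hour, minute, second)."""
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())


# Constructed snapshot of the three paths the EJECT rule consults.
FS = {
    "/usr/bin/eject": FileMeta(atime=ts(1998, 7, 23, 10, 33, 14),
                               mtime=ts(1998, 1, 5, 0, 0, 0), version="5.5.1"),
    "/cdrom":  FileMeta(atime=ts(1998, 7, 23, 8, 0, 0), mtime=ts(1998, 2, 12, 15, 42, 46)),
    "/floppy": FileMeta(atime=ts(1998, 7, 23, 8, 0, 0), mtime=ts(1998, 7, 20, 9, 32, 15)),
}
# Hypothetical vulnerable-version table standing in for command-version-vulnerable-p.
VULNERABLE = {"/usr/bin/eject": {"5.5.1"}}
# Interval of interest (window-of-opportunity): the day covered by the dump.
WINDOW = (ts(1998, 7, 23, 0, 0, 0), ts(1998, 7, 24, 0, 0, 0))


def command_version_vulnerable(fs, path):
    return fs[path].version in VULNERABLE.get(path, set())


def window_of_opportunity(t):
    return WINDOW[0] <= t <= WINDOW[1]


def print_unix_time(t):
    return datetime.fromtimestamp(t, timezone.utc).strftime("%d-%b-%Y %H:%M:%S UTC")


# The two EVIDENCE clauses of slide 7 as (predicate, (probability, plausibility)).
EJECT_CLAUSES = [
    # not a vulnerable version, or not used in the interval of interest -> 0% / 0%
    (lambda fs, p: not (command_version_vulnerable(fs, p)
                        and window_of_opportunity(fs[p].atime)), (0, 0)),
    # used later than the expected side effects of a legitimate eject -> 40% exploit
    (lambda fs, p: fs[p].atime > max(fs["/cdrom"].mtime, fs["/floppy"].mtime), (40, 100)),
]


def evaluate_eject(fs, path="/usr/bin/eject"):
    """Return (probability, plausibility, posits, explanation) for one path."""
    for predicate, (prob, plaus) in EJECT_CLAUSES:
        if not predicate(fs, path):
            continue
        if prob == 0:
            return (0, 0, [], "")
        used = fs[path].atime
        # POSIT: a root shell was held from the access time until an unknown time.
        posits = [("compromised-shell", "root", used, None)]
        explanation = (
            f'The command "{path}" is version vulnerable to a buffer overflow attack and '
            f"appears to have been used at time {print_unix_time(used)} which is more recent "
            f"than two associated files: /cdrom ({print_unix_time(fs['/cdrom'].mtime)}) "
            f"and /floppy ({print_unix_time(fs['/floppy'].mtime)})."
        )
        return (prob, plaus, posits, explanation)
    return (0, 0, [], "")      # no clause matched: no evidence either way


def report(fs, path="/usr/bin/eject"):
    """Linearized textual output in the style of slide 9."""
    prob, plaus, posits, explanation = evaluate_eject(fs, path)
    if not posits:
        return f"No EJECT evidence for {path}"
    return "\n".join([
        "=" * 36,
        f"Time: {print_unix_time(posits[0][2])}",
        "Exploit: EJECT (EJECT-1)",
        explanation,
        f"Asserting belief/plausibility = ({prob} {plaus})",
    ])


if __name__ == "__main__":
    print(report(FS))
```

Running the block prints the EJECT entry for the constructed snapshot; swapping in a non-vulnerable version, or an access time earlier than the /cdrom and /floppy modification times, yields no posit, which is the behaviour the two clauses on slide 7 encode.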

Slide 10: More Indirect Detection
mscan (#80): spotted probing of telnet
saint (#53): detected rlogin to root via ++
warez (#66-1): detected creation of hidden directory
xsnoop (#71): detected root remote logins (and FTP) paired to immediately preceding SU to root by user alie
HTTP tunnel: not matched to session (scored undetected)
–detected installation of bogus uudemon.cleanup
–detected use (via CRON: uucp and later bramy)

Slide 11: Interesting False Detections
Rlogin from local host to privileged account (root) that has "+ +" in .rhosts
root SetUID command installed (top)
login record inconsistencies
–root: lastlog date later than last entry in wtmpx
–start of root login missing (wtmpx truncation?)
–~root/.cshrc access does not match root login and far from SU, but 30 seconds after suspicious remote login
–some related to test setup/shutdown (ignored, based on timing)

Slide 12: DERBI Architecture
Three major components:
–Head: analysis, reasoning, and explanation
–Body: interface between complex queries of Head and simple data from Feet
–Feet: simple data collection (may run on remote system): file system information, log files
Support heterogeneous clusters & low-end systems

Slide 13: Log File Information Relationships
Sources related in the diagram: utmp, utmpx, wtmp, wtmpx, lastlog, syslog, messages, authlog, sulog, file system, shell init files, cronlog, crontabs
Partial redundancy of info
Redundancy a common result of the evolution & growth of systems
Use to check for tampering
Also exposes changes to system clock
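The following is an added example, not DERBI's own code, of the cross-checks slide 13 describes over partially redundant login records, aimed at the inconsistencies slide 11 reports: a lastlog date later than the last wtmpx entry for the same user, a logout whose login record is missing (truncation), and a step backwards in record time that exposes a clock change. The records are constructed inline in a simplified form; real utmpx/wtmpx and lastlog are binary structs, so a parser would sit in front of these checks.

```python
# Added example, not DERBI's own code: consistency checks between wtmpx-style
# session records and lastlog, looking for the three inconsistencies slide 11
# lists. All records below are constructed; their field layout is simplified.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Entry:
    time: int       # seconds since the epoch
    kind: str       # "login" or "logout"
    user: str
    line: str       # terminal line, e.g. "pts/1" or "console"
    host: str = ""  # remote host for network logins


def ts(*ymdhms):
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())


def fmt(t):
    return datetime.fromtimestamp(t, timezone.utc).strftime("%d-%b-%Y %H:%M:%S UTC")


# Constructed wtmpx-style records in file (append) order.
WTMPX = [
    Entry(ts(1998, 7, 23, 9, 0, 0),  "login",  "alie",     "pts/1", "host-a"),
    Entry(ts(1998, 7, 23, 9, 30, 0), "logout", "alie",     "pts/1"),
    Entry(ts(1998, 7, 23, 10, 0, 0), "login",  "darleent", "pts/2", "host-b"),
    Entry(ts(1998, 7, 23, 9, 45, 0), "login",  "bramy",    "pts/3", "host-c"),  # earlier than the record before it
    Entry(ts(1998, 7, 23, 11, 0, 0), "logout", "root",     "console"),          # no login record for this session
]
# Constructed lastlog: user -> time of last login as lastlog records it.
LASTLOG = {
    "alie": ts(1998, 7, 23, 9, 0, 0),
    "darleent": ts(1998, 7, 23, 10, 0, 0),
    "root": ts(1998, 7, 23, 10, 50, 0),
}


def check_lastlog_vs_wtmpx(wtmpx, lastlog):
    """Both files record logins; lastlog ahead of wtmpx means wtmpx lost entries."""
    last_login = {}
    for e in wtmpx:
        if e.kind == "login":
            last_login[e.user] = max(last_login.get(e.user, 0), e.time)
    findings = []
    for user, t in lastlog.items():
        if t > last_login.get(user, 0):
            seen = (f"last wtmpx login {fmt(last_login[user])}" if user in last_login
                    else "no wtmpx login at all")
            findings.append(f"{user}: lastlog {fmt(t)} later than {seen}")
    return findings


def check_unmatched_logouts(wtmpx):
    """A logout with no preceding login on the same line points at a truncated or edited file."""
    open_sessions = set()
    findings = []
    for e in wtmpx:
        key = (e.user, e.line)
        if e.kind == "login":
            open_sessions.add(key)
        elif key in open_sessions:
            open_sessions.discard(key)
        else:
            findings.append(f"{e.user} on {e.line}: logout at {fmt(e.time)} without a recorded login")
    return findings


def check_clock(wtmpx):
    """Records are appended in time order, so a step backwards exposes a clock change."""
    findings = []
    for prev, cur in zip(wtmpx, wtmpx[1:]):
        if cur.time < prev.time:
            findings.append(f"clock moved back {prev.time - cur.time}s between "
                            f"{fmt(prev.time)} and {fmt(cur.time)}")
    return findings


def audit(wtmpx, lastlog):
    return (check_lastlog_vs_wtmpx(wtmpx, lastlog)
            + check_unmatched_logouts(wtmpx)
            + check_clock(wtmpx))


if __name__ == "__main__":
    for finding in audit(WTMPX, LASTLOG):
        print(finding)
```

Each check uses only the redundancy between two sources, so a finding says that the sources disagree, not which one is right; as slide 11 shows, test setup and shutdown can produce the same disagreements, so timing context is still needed before calling one tampering.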

Slide 14: Checking a Suspect System
(Diagram; only the title and the label "DERBI" survive the transcript.)

Slide 15: Rule Graph
The presented slide is not included here; it could not be adequately converted into a graphic that could be included in a MS PowerPoint file. This slide showed a graph with a large number of nodes representing rules, and was intended to show that although the rules formed a predominantly hierarchical structure, there was substantial crossing-over of the boundaries. A PostScript version of this graph can be found at

Slide 16: Future
Analysis for interrelated systems
–overlapping file systems, servers, users, other privileges (not just simple client-server)
Support of multiple OSs and OS families
Expansion and standardization of attack data
–vulnerabilities, exploits, tools, camouflage, packages
Test and distribution: operational clusters; false positive rates
Explanation
More sophisticated analysis
Identification of higher-level goals