Automatic Generation and Analysis of NIDS Attacks Shai Rubin Somesh Jha Barton P. Miller University of Wisconsin, Madison.

Slides:



Advertisements
Similar presentations
Backtracking Algorithmic Complexity Attacks Against a NIDS
Advertisements

Formal Methods for Intrusion Detection Presented by Brian Kellogg CSE 914: Formal Methods for Software Development Michigan State University December 11.
Logic.
Secrecy Preserving Signatures Filtering Packets without Learning the Filtering Rules.
Doc.: IEEE /0604r1 Submission May 2014 Slide 1 Modeling and Evaluating Variable Bit rate Video Steaming for ax Date: Authors:
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Logic in general Logics are formal languages for representing information such that conclusions can be drawn Syntax defines the sentences in the language.
Protomatching Network Traffic for High Throughput Network Intrusion Detection Shai RubinSomesh JhaBarton P. Miller Microsoft Security Analysis Services.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Logical Agents Chapter 7. Why Do We Need Logic? Problem-solving agents were very inflexible: hard code every possible state. Search is almost always exponential.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Knoweldge Representation & Reasoning
Marakas: Decision Support Systems, 2nd Edition © 2003, Prentice-Hall Chapter Chapter 7: Expert Systems and Artificial Intelligence Decision Support.
Logical Agents Chapter 7 Feb 26, Knowledge and Reasoning Knowledge of action outcome enables problem solving –a reflex agent can only find way from.
Presenter: PCLee Design Automation Conference, ASP-DAC '07. Asia and South Pacific.
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.
Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Chirag N. Modi and Prof. Dhiren R. Patel NIT Surat, India Ph. D Colloquium, CSI-2011 Signature Apriori based Network.
Penetration Testing Security Analysis and Advanced Tools: Snort.
Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE.
Security Evaluation of Pattern Classifiers under Attack.
VeriFlow: Verifying Network-Wide Invariants in Real Time
1 Program Correctness CIS 375 Bruce R. Maxim UM-Dearborn.
Intrusion Detection and Prevention. Objectives ● Purpose of IDS's ● Function of IDS's in a secure network design ● Install and use an IDS ● Customize.
Language-Based Generation and Evaluation of NIDS Signatures Shai Rubin Somesh Jha Barton P. Miller University of Wisconsin, Madison.
Overview of Formal Methods. Topics Introduction and terminology FM and Software Engineering Applications of FM Propositional and Predicate Logic Program.
SNORT Feed the Pig Vicki Insixiengmay Jon Krieger.
Logical Agents Logic Propositional Logic Summary
Breno de MedeirosFlorida State University Fall 2005 Network Intrusion Detection Systems Beyond packet filtering.
Computer Network Forensics Lecture 6 – Intrusion Detection © Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering,
Efficient & Robust TCP Stream Normalization Mythili Vutukuru Joint work with Hari Balakrishnan and Vern Paxson.
Formal Specification of Intrusion Signatures and Detection Rules By Jean-Philippe Pouzol and Mireille Ducassé 15 th IEEE Computer Security Foundations.
FDT Foil no 1 On Methodology from Domain to System Descriptions by Rolv Bræk NTNU Workshop on Philosophy and Applicablitiy of Formal Languages Geneve 15.
1 Overview of the project: Requirement-Driven Development of Distributed Applications School of Information Technology and Engineering (SITE) University.
3.2 Semantics. 2 Semantics Attribute Grammars The Meanings of Programs: Semantics Sebesta Chapter 3.
Semantics In Text: Chapter 3.
Logical Agents Chapter 7. Knowledge bases Knowledge base (KB): set of sentences in a formal language Inference: deriving new sentences from the KB. E.g.:
CSE Winter 2008 Introduction to Program Verification January 31 proofs through simplification.
Detecting Evasion Attack at High Speed without Reassembly.
Logical Agents Chapter 7. Outline Knowledge-based agents Logic in general Propositional (Boolean) logic Equivalence, validity, satisfiability.
Author : Sarang Dharmapurikar, John Lockwood Publisher : IEEE Journal on Selected Areas in Communications, 2006 Presenter : Jo-Ning Yu Date : 2010/12/29.
© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
From Hoare Logic to Matching Logic Reachability Grigore Rosu and Andrei Stefanescu University of Illinois, USA.
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
© Copyright 2008 STI INNSBRUCK Intelligent Systems Propositional Logic.
SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.
Effective Anomaly Detection with Scarce Training Data Presenter: 葉倚任 Author: W. Robertson, F. Maggi, C. Kruegel and G. Vigna NDSS
1 Propositional Logic Limits The expressive power of propositional logic is limited. The assumption is that everything can be expressed by simple facts.
Artificial Intelligence: Research and Collaborative Possibilities a presentation by: Dr. Ernest L. McDuffie, Assistant Professor Department of Computer.
Network Intrusion Detection System (NIDS)
MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.
Some Thoughts to Consider 5 Take a look at some of the sophisticated toys being offered in stores, in catalogs, or in Sunday newspaper ads. Which ones.
Proof Methods for Propositional Logic CIS 391 – Intro to Artificial Intelligence.
Finding Security Vulnerabilities in a Network Protocol Using Formal Verification Methods Orna Grumberg Technion, Israel Joint work with Adi Sosnovich and.
D10A Metode Penelitian MP-04b Metodologi Penelitian di dalam Ilmu Komputer/Informatika Program Studi S-1 Teknik Informatika FMIPA Universitas.
Some Great Open Source Intrusion Detection Systems (IDSs)
Logical Agents. Inference : Example 1 How many variables? 3 variables A,B,C How many models? 2 3 = 8 models.
Logical Agents. Outline Knowledge-based agents Logic in general - models and entailment Propositional (Boolean) logic Equivalence, validity, satisfiability.
Snort – IDS / IPS.
EA C461 – Artificial Intelligence Logical Agent
Semantics-Aware Malware Detection
CSc4730/6730 Scientific Visualization
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.
NARS an Artificial General Intelligence Project
Presentation transcript:

Automatic Generation and Analysis of NIDS Attacks Shai Rubin Somesh Jha Barton P. Miller University of Wisconsin, Madison

Rubin, Jha, Miller2 Attacker Network NIDS Signature database Misuse Network Intrusion Detection System (NIDS) GET /cmd.exe

Rubin, Jha, Miller3 Attacker Network NIDS Signature database Misuse Network Intrusion Detection System (NIDS) Misuse-NIDS task: detect known attacks GET /cmd.exe

Rubin, Jha, Miller4 Attacker Network NIDS Signature database Misuse Network Intrusion Detection System (NIDS) Misuse-NIDS task: detect known attacks The security a NIDS provides primarily depends on its ability to resists attackers’ attempts to evade it GET /%63md.exe GET /cmd.exe

Rubin, Jha, Miller5 Current NIDS Evaluation Many researchers (and attackers) have shown how to evade a NIDS –Ptacek and Newsham, 1998 –Handley and Paxson, 2001 –Marty, 2002 –Mutz, Vigna, and Kemmerer, 2003 –Vigna, Robertson, and Balzarotti, 2004 –Rubin, Jha, Miller, 2004 –And others... Observation: NIDS evaluation is not carried out using a well defined threat model based on formal methods.

Rubin, Jha, Miller6 Our Goal A formal threat model for NIDS testing Why a formal model? –enables solid reasoning about the system capabilities –facilitates applications beyond testing –successfully used in the past (e.g., protocol verification)

Rubin, Jha, Miller7 TCP streams NIDS Task: is it well defined? NIDS Task: Identify the “Sasser” set (threat) NIDS Testing: Compare “Sasser” to “NIDS Sasser” (NIDS behavior) NIDS Sasser Sasser

Rubin, Jha, Miller8 TCP streams NIDS Task: is it well defined? NIDS Sasser Sasser NIDS Task: Identify the “Sasser” set (threat) NIDS Testing: Compare “Sasser” to “NIDS Sasser” (NIDS behavior)

Rubin, Jha, Miller9 TCP streams NIDS Task: is it well defined? NIDS Sasser Sasser NIDS Task: Identify the “Sasser” set (threat) NIDS Testing: Compare “Sasser” to “NIDS Sasser” (NIDS behavior) NIDS task is not well defined unless the threat is well defined Consequently, NIDS testing is not well defined

Rubin, Jha, Miller10 Contributions A formal threat model for NIDS evaluation. –Black hat: generating attack variants (test cases) –White hat: determine if a TCP sequence is an attack –Unifies existing techniques for NIDS testing Practical tool. Used for black and white hat purposes Improving Snort. Found and proposed fixes for 5 vulnerabilities

Rubin, Jha, Miller11 The Attacker’s Mind: Transformations CWD CWD <long buffer> Fragmentation Retransmission Out-of-order Substitution Context padding Transformation Transport level Application level CWD <long buffer> CWD <long buffer> MKD CWD /tmp\nCWD

Rubin, Jha, Miller12 Composing Transformations CWD \n CWD /tmp\n CWD \n ytes>\n...CWD /tmp\nCWD <4000 Vulnerability: any pattern from the type foo*bar ytes>\n CWD /tmp\n...CWD <4000 Detected Not Detected FTP Attack: CAN Snort Behavior

Rubin, Jha, Miller13 Transformations: Summary Transformations are simple Transformations are semantics preserving (sound) Transformations are syntactic manipulations Transformations can be composed Idea: Transformations define the threat Goal: define/find a formal method that enables systematic composition of transformations

Rubin, Jha, Miller14 Natural Deduction A set of rules expressing how valid proofs may be constructed. Rules are simple, sound. Rules are syntactic transformations. Rules can be composed to derive theorems. If both P and Q are true, then P  Q is true (conjunction) P,Q P  Q :

Rubin, Jha, Miller15 Natural Deduction as a Transformation System Observation: natural deduction is a suitable mechanism to describe attack transformation: if A is an attack instance, then fragmentation of A is also an attack instance Rules derive attacks A set of rules defines an attack derivation model attack ack att :

Rubin, Jha, Miller16 Threat: Attack Derivation Model Transformation Rules Representative Instance root A AA closure(Root A,  A ) +

Rubin, Jha, Miller17 Main Ideas Formal model for attack derivation Black hat tool for attack generation White hat tool for attack analysis

Rubin, Jha, Miller18 AGENT: Attack Generation for NIDS Testing Transformation Rules Representative Instance Closure Generator Snort Detect? Yes, check another Eluding Instance No Attack Simulator Attack Instance Attack Derivation Model

Rubin, Jha, Miller19 Testing Methodology Rules for: –Transport level (TCP) –Application level (FTP, finger, HTTP) –Total of nine rules Representative attacks –finger (finger root) –HTTP (perl-in-CGI) –FTP (ftp-cwd) Testing phases –7 phases –2-3 rules each phase

Rubin, Jha, Miller20 Testing Results 5 vulnerabilities in less then 2 months –TCP reassembly –Interaction between the TCP reassembly and pattern matching algorithms –HTTP handling Positives results, show that Snort correctly identify all instances of a given type

Rubin, Jha, Miller21 AGENT: Practical Consideration Generates finite closure: truncate derivation paths Generates feasible closure: use a small set of rules each time Gap between theoretical threat model and practical tool: a lot of opportunity for future work Transformation Rules Representative Instance Inference Engine Attack Simulator Attack Derivation Model

Rubin, Jha, Miller22 Main Ideas Formal model for attack derivation Black hat tool for attack generation White hat tool for attack analysis

Rubin, Jha, Miller23 White Hat Capabilities TCP streams s R Provide a proof that a TCP sequence implements A

Rubin, Jha, Miller24 Capabilities Beyond Testing TCP streams R Provide a proof that a TCP sequence implements A Backward derivation –Automatic root construction –Found a single root

Rubin, Jha, Miller25 Capabilities Beyond Testing TCP streams Provide a proof that a TCP sequence implements A Backward derivation –Automatic root construction –Found a single root –Determine that a given TCP implements A –Determine that a given TCP sequence does not implement A s s R

Rubin, Jha, Miller26 Attack Analysis Results TCP streams 20 instances: ~600 transformations, ~1300 bytes, ~650 packets We nullify 10 instances We let AGENT to determine which instance is a real attack Results: 7 secs for real attacks 100 secs for false attack Forward derivation: ~650! steps

Rubin, Jha, Miller27 The Lessons to Take Home A well define threat model is necessary for a rigorous NIDS evaluation A formal threat model can be developed for large and complex security systems like NIDS A formal threat model provides solid insight into your NIDS The work is ongoing, you are welcome to join.

Back UP

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.