Second Line Intrusion Detection Using Personalization DISA Sponsored GWU-CS
Content 1.Introduction 2.Examples and Analysis 3.Prototype Design 4.More to come 5.Conclusion
Introduction Penetration into computer systems continues at a high rate despite substantial progress in security research and technology No reason to assume that this level of “insecurity” will change Most penetrations are done by individuals or small teams Only lately has personalization entered into security consideration
Our research into personalization in areas such as: –User command lines behavior (e.g., UNIX) –User browser patterns as reflected by URL sequences –User work habits Provides a basis for: –User classification –Abnormality observation –Detection of deviation from regular behavior –Changes in patterns
Examples and Analysis
Comments on Example 1 Assumptions: –Access to server is through home page –Knowledge of structure and content of server pages Provides the following: –Detailed access starts from server page address.html –Page cline.html leads to two links: –Cline-bisttrom.html and –Cline-stella.html The example demonstrates “reasonable” behavior
Example
Access starts straight from a couple of internal pages (i.e., nodes of the tree) It continues by a visit to a link off the home page Summary: –The behavior does not follow regular access patterns –The behavior is difficult to explain –This access may indicate suspicious behavior Comments on Example 2
Other Types of Entry Modes In addition to URLs, one should watch out for: –FTP access – –Potential Logins –Other protocols access: e.g., port scanning On a “sound” server: FTPs port are predefined , except for bugs, can be protected against Port scanning is already trapped by IDS
Prototype Design We face suspicious behavior with two tools –Automatic recognition Machine Learning Data Mining Automatic recognition may be trained on “regular’ access patterns and attempt detection of “irregular” access patterns –So far, results are good, but not great – enough penetration is undetected
Behavior Analysis Application A JAVA application that classifies behavior is partially done and operational –It shows a high level of detection of irregular behavior The approach is promising and has a proven track record Web Browser communication performance improved by 20% by changing cache to use Next URL Prediction Prediction is based on the underlining assumption of “regularity” of behavior
Observation URL, IP packets, and Port scanning look like an algorithm (or a program) without termination –Example 1 can be written as: Initialize; Initialize; Loop; rest of URLs The loop is a while that selects links in for viewing The selection criterion is personal –Example 2 seems as an unordered set of program statements Therefore Example 2 does not seem to be a “regular” access pattern
Prototype Design Details STEPS 1.Analyze Server pages hierarchy 2.Analyze each page for links and sources (i.e. src ) files 3.Build an identification engine based on 1.Behavior categorization 2.Page hierarchy 3.Isolation of individual users to identifying agents 4.Construct input benchmarks 5.Continue work on Other Types of Entry Modes
More to come Examples of more complex relationships to be explored –Server pages link to other servers pages –Same source (IP) for different communication types –Accessing different locations on tree concurrently –Can be done by using two copies of the browser –The two sessions will have different Ids but may be cooperating –The agents monitoring the two browsers must collaborate URLs and FTPs from same source at the same time Multiple FTPs –Similar case to multiple browsers...
Conclusion A substantial prototype will be completed by end of Summer Complex relationships will be explored: –Threats will be enumerated –Potential detection will be proposed –Prototype will include some of these results Open areas will be reported on in detail