Presentation is loading. Please wait.

Presentation is loading. Please wait.

An empirical approach to modeling uncertainty in Intrusion Analysis Xinming (Simon) Ou 1 S. Raj Rajagopalan 2 Sakthi Sakthivelmurugan 1 1 – Kansas State.

Published byDion Wedmore Modified over 9 years ago

Similar presentations

Presentation on theme: "An empirical approach to modeling uncertainty in Intrusion Analysis Xinming (Simon) Ou 1 S. Raj Rajagopalan 2 Sakthi Sakthivelmurugan 1 1 – Kansas State."— Presentation transcript:

1 An empirical approach to modeling uncertainty in Intrusion Analysis Xinming (Simon) Ou 1 S. Raj Rajagopalan 2 Sakthi Sakthivelmurugan 1 1 – Kansas State University, Manhattan, KS 2 – HP Labs, Princeton, NJ

2 system administrator Network Monitoring Tools Abnormally high traffic TrendMicro server communicating with known BotNet controllers memory dump Seemingly malicious code modules Found open IRC sockets with other TrendMicro servers netflow dump These TrendMicro Servers are certainly compromised! 2 A day in the life of a real SA Key challenge How to deal with uncertainty in intrusion analysis? Key challenge How to deal with uncertainty in intrusion analysis?

3 An empirical approach In spite of the lack of theory or good tools, sysadmins are coping with attacks. Can we build a system that mimics what they do (for a start): – An empirical approach to Intrusion Analysis using existing reality Our goal: – Help a sysadmin do a better job rather than replace him 3

4 High-confidence Conclusions with Evidence Targeting subsequent observations Mapping observations to their semantics IDS alerts, netflow dump, syslog, server log … Observations Internal model Reasoning Engine 4

5 Capture Uncertainty Qualitatively Confidence level Uncertainty Modes LowPossible p ModerateLikely l HighCertain c Arbitrarily precise quantitative measures are not meaningful in practice Roughly matches confidence levels practically used by practitioners 5

6 High-confidence Conclusions with Evidence Targeting subsequent observations Mapping observations to their semantics IDS alerts, netflow dump, syslog, server log … Observations Internal model Reasoning Engine 6

7 Observation Correspondence 7 obs(anomalyHighTraffic)int(attackerNetActivity) obs(netflowBlackListFilter(H, BlackListedIP)) obs(memoryDumpMaliciousCode(H)) obs(memoryDumpIRCSocket(H1,H2)) p int(compromised(H)) l l int(exchangeCtlMessage(H1,H2)) l Observations Internal conditions mode what you can see what you want to know

8 High-confidence Conclusions with Evidence Targeting subsequent observations Mapping observations to their semantics IDS alerts, netflow dump, syslog, server log … Observations Internal model Reasoning Engine 8

9 Internal Model 9 Logical relation among internal conditions Condition 1Condition 2 Condition 1 infers Condition 2 int(compromised(H1))int(probeOtherMachine(H1,H2)) int(sendExploit(H1,H2)) int(compromised(H2)) int(sendExploit(H1,H2)) int(compromised(H2)) int(compromised(H1)) int(probeOtherMachine(H1,H2)) direction of, inference mode f, b, p l p c

10 High-confidence Conclusions with Evidence Targeting subsequent observations Mapping observations to their semantics IDS alerts, netflow dump, syslog, server log … Observations Internal model Reasoning Engine 10

11 Reasoning Methodology 11 Simple reasoning – Observation correspondence and internal model are inference rules – Use inference rules on input observations to derive assertions with various levels of uncertainty Proof strengthening – Derive high-confidence proofs from assertions derived from low-confidence observations

12 Example 1 Observation Correspondence 12 int(exchangeCtlMsg(172.16.9.20, 172.16.9.1), l ) obs(memoryDumpIRCSocket(172.16.9.20, 172.16.9.1)) obsMap obs(memoryDumpIRCSocket(H1,H2))int(exchangeCtlMessage(H1,H2)) l

13 Example 2 Internal Model 13 int(exchangeCtlMsg(172.16.9.20, 172.16.9.1), ) obs(memoryDumpIRCSocket(172.16.9.20, 172.16.9.1)) int(compromised(172.16.9.20), ) l obsMap Int rule l

14 Proof Strengthening 14 Observations: f is likely true O1O1 O2O2 f is certainly true proof strengthening O3O3

15 Proof Strengthening 15 A A A A A A l l c p strengthen

16 Proof Strengthening 16 int(exchangeCtlMsg(172.16.9.20, 172.16.9.1), l ) obs(memoryDumpIRCSocket(172.16.9.20, 172.16.9.1)) int(compromised(172.16.9.20), l ) obsMap intR obs(memoryDumpMaliciousCode(’172.16.9.20’)) int(compromised(172.16.9.20), l ) obsMap int(compromised(172.16.9.20), ) strengthenedPf strengthen( l, l ) = c c

17 Evaluation Methodology Test if the empirically developed model can derive similar high-confidence trace when applied on different scenarios Keep the model unchanged and apply the tool to different data sets 17

18 SnIPS (Snort Intrusion Analysis using Proof Strengthening) Architecture 18 Reasoning Engine Snort alerts (convert to tuples) Observation Correspondence User query, e.g. which machines are “certainly” compromised? High-confidence answers with evidence pre-processing Internal Model Snort Rule Repository Done only once

19 Snort rule class type 19 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access”;uricontent:"/guestbook.pl”; classtype:attempted-recon; sid:1140;) obsMap(obsRuleId_3615, obs(snort(’1:1140’, FromHost, ToHost)), int(probeOtherMachine(FromHost, ToHost)), ? ). Internal predicate mapped from “classtype”

20 Snort rule documents 20 Impact: Information gathering and system integrity compromise. Possible unauthorized administrative access to the server. Possible execution of arbitrary code of the attackers choosing in some cases. Ease of Attack: Exploits exists obsMap(obsRuleId_3614, obs(snort(’1:1140’, FromHost, ToHost)), int(compromised(ToHost)), p ) Hints from natural-language description of Snort rules obsMap(obsRuleId_3615, obs(snort(’1:1140’, FromHost, ToHost)), int(probeOtherMachine(FromHost, ToHost)), ). l ?

21 Automatically deriving Observation Correspondence Snort has about 9000 rules. This is just a base-line and needs to be fine-tuned. Would make more sense for the rule writer to define the observation correspondence relation when writing a rule 21 Internal Predicate% of rules Mapped automatically59% Not mapped automatically41%

22 Data set description Treasure Hunt (UCSB 2002) – 4hrs – Collected during a graduate class experiment – Large variety of system monitoring data: tcpdump, sys log, apache server log etc. Honeypot (Purdue, 2008) – 2hrs/day over 2 months – Collected for e-mail spam analysis project – Single host running misconfigured Squid proxy KSU CIS department network 2009 – 3 days – 200 machines including servers and workstations. 22

23 Some result from Treasure Hunt data set 23 | ?- show_trace(int(compromised(H), c)). int(compromised(’192.168.10.90’),c) strengthenedPf int(compromised(’192.168.10.90’), p) intRule_1 int(probeOtherMachine(’192.168.10.90’,’192.168.70.49’), p) obsRulePre_1 obs(snort(’122:1’,’192.168.10.90’,’192.168.70.49’,_h272)) int(compromised(’192.168.10.90’),l) intRule_3 int(sendExploit(’128.111.49.46’,’192.168.10.90’), l) obsRuleId_3749 obs(snort(’1:1807’,’128.111.49.46’,’192.168.10.90’,_h336)) An exploit was sent to 192.168.10.90 A probe was sent from 192.168.10.90 192.168.10.90 was certainly compromised!

24 Data Reduction Data setDuration of Network traffic Snort alertspre-processed alerts High- confidence proofs Treasure Hunt4 hours4,849,93727818 Honeypot2 hrs/day for 2 months 637,564308 CIS Network3 days1,138,572663417 24

25 Related work Y. Zhai et al. “Reasoning about complementary intrusion evidence,” ACSAC 2004 F. Valeur et al., “A Comprehensive Approach to Intrusion Detection Alert Correlation,” 2004 Goldman and Harp, "Model-based Intrusion Assessment in Common Lisp", 2009 C. Thomas and N. Balakrishnan, “Modified Evidence Theory for Performance Enhancement of Intrusion Detection Systems”, 2008 25

26 Summary Based on a true-life incident we empirically developed a logical model for handling uncertainty in intrusion analysis Experimental results show – Model simulates human thinking and was able to extract high-confidence intrusion – Model empirically developed from one incident was applicable to completely different data/scenarios – Reduction in search space for analysis 26

27 Future Work Continue the empirical study and improve the current implementation Establishing a theoretical foundation for the empirically-developed method – Modal logic – Dempster-Shafer Theory – Bayes Theory 27

28 Thank you Questions? 28 sakthi@ksu.edu xou@ksu.edu

29 Summarization 29 Compact the information entering reasoning engine Group similar “internal condition” into a single “summarized internal condition”

30 Comparison of the three data sets 30

31 Output from CIS 31 int(compromised('129.130.11.69'),c) strengthenedPf int(compromised('129.130.11.69'),l) intRule_1b int(probeOtherMachine('129.130.11.69','129.130.11.12'),l) sumFact summarized(86) int(compromised('129.130.11.69'),l) intRule_3f int(sendExploit('129.130.11.22','129.130.11.69'),c) strengthenedPf int(sendExploit('129.130.11.22','129.130.11.69'),l,) sumFact summarized(109) int(skol(sendExploit('129.130.11.22','129.130.11.69')),p) IR_3b int(compromised('129.130.11.69'),p) sumFact summarized(324)

Download ppt "An empirical approach to modeling uncertainty in Intrusion Analysis Xinming (Simon) Ou 1 S. Raj Rajagopalan 2 Sakthi Sakthivelmurugan 1 1 – Kansas State."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
1 SnIPS Implementation and GUI 3 rd Presentation Tsung-Hsi Wu, M.S.E. Department of Computing and Information Science Kansas State University.

1 SnIPS Implementation and GUI 3 rd Presentation Tsung-Hsi Wu, M.S.E. Department of Computing and Information Science Kansas State University.
GPN 2009 May 29, Kansas City, Missouri An open security defense architecture for open collaborative cyber infrastructures Xinming (Simon) Ou Kansas State.

GPN 2009 May 29, Kansas City, Missouri An open security defense architecture for open collaborative cyber infrastructures Xinming (Simon) Ou Kansas State.
1 SnIPS Implementation and GUI Tsung-Hsi Wu, M.S.E. Department of Computing and Information Science Kansas State University.

1 SnIPS Implementation and GUI Tsung-Hsi Wu, M.S.E. Department of Computing and Information Science Kansas State University.
Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.

Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
1 Validation and Verification of Simulation Models.

1 Validation and Verification of Simulation Models.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
INTRUSION DETECTION SYSTEM

INTRUSION DETECTION SYSTEM
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Presenter: Chi-Hung Lu 1. Problems Distributed applications are hard to validate Distribution of application state across many distinct execution environments.

Presenter: Chi-Hung Lu 1. Problems Distributed applications are hard to validate Distribution of application state across many distinct execution environments.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.

Similar presentations

Ads by Google