1 / 13

Information Fusion

Information Fusion. By Ganesh Godavari. Outline of Talk. Problem Definition Attack Types Correlation Solutions OSSIM Work Status. Problem Definition.

yuri
Download Presentation

Information Fusion

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Information Fusion By Ganesh Godavari

  2. Outline of Talk • Problem Definition • Attack Types • Correlation Solutions • OSSIM • Work Status

  3. Problem Definition • Fusion of Intrusion Detection Data from Various Sensors distributed over a geographic area. Attacks events are interval based (recall Degrading Denial of Service). • Note: Fusion is possible only if data can be correlated at both the sensor and intermediary nodes.

  4. Possible Attack Scenarios Syn Attack • Cause: vulnerability in some TCP/IP stack implementations. • How does it work: The program sends an TCP SYN packet in large number and never completing the TCP handshake. This causes a large backlog and deteriorates the performance of the machine. • Result: Systems performance may slowdown.

  5. Contd.. Ping Flood • Cause: vulnerability in some Operating Systems. • How does it work: An attacker can use a scanner that pings a system to find out more information about the network, or the attacker can use a tool to send a large number of pings in an attempt to "flood" the network and create a denial of service condition. • Result: Systems performance may slowdown.

  6. Contd.. UDP Flood Attack • Cause: Connectionless nature of UDP protocol • How does it work: Attacker sends a UDP packet to a random port on the victim system. On receiving a UDP packet, OS will determine which application is waiting on the destination port. If there is no application that is waiting on the port, an ICMP (destination unreachable) packet is generated of to the source address. • Result: Systems performance may slowdown.

  7. Correlation Techniques • Correlation of attacks • Similarities between the event attributes • E.g. srcIP, dstIP • Cannot detect non obvious attacks (need to check for temporal relationships!!) • Known attack Scenarios • E.g. “gesundheit!” signature of Stacheldraht DoS tool • Preconditions and consequences of individual attack • E.g. “port-scan is performed on a machine to check for venerable ports, before an attack is launched on the ports”

  8. Qualitative Temporal Relationships • Non obvious patterns among events can be represented using Temporal relationships between interval-based events. • Listed in the next side are the twenty-four relationships between intervals and 11 relationships between semi-intervals [1] [2][3]

  9. 24 relations between Events

  10. Open Source Security Information Management • OSSIM project Combines tools like • snort, Spade, Ntop, mrtg … • To provide a global picture of the IDS • Correlation • Sequence of events • Create rules: if (recv event A then event B then event C) do { Action } • Heuristic Algorithm • State variable • “c” – level of compromise, probability that the machine is compromised • “a” – level of attack the system is subjected to

  11. Correlation contd.. • A value is assigned to the C or A variable for a machine on the network according to three rules: • machine 1 attacks machine 2 will increase the A of machine 2 and the C of machine 1. • If Attack is successful then value of C will increase for machines 1 and 2. • If events are internal then C increases for the originating machine.

  12. Current Project Status • Created a test-bed of 3 machines. • Able to parse Snort Alerts. • Need to correlate/fuse the alerts generated during an hour before sending to the intermediary nodes.

  13. References • ALLEN, J. F. 1983. Maintaining Knowledge about Temporal Intervals. Commun. ACM, 26, 11: 832–843, November 1983. • FREKSA, C. 1992. Temporal reasoning based on semi-intervals. Artifi. Intell. 54, 199–227. • PENG NING, SUSHIL JAJODIA and XIAOYANG SEAN WANG. 2001. Abstraction-based intrusion detection in distributed environments. ACM Trans. on Info. and System Security (TISSEC) 4, 407 – 452.

More Related