1 / 28

Automatic Generation and Analysis of NIDS Attacks

Automatic Generation and Analysis of NIDS Attacks. Shai Rubin Somesh Jha Barton P. Miller University of Wisconsin, Madison. Misuse Network Intrusion Detection System (NIDS). Attacker. Network. NIDS. Signature database. GET <URL>/cmd.exe.

cpinegar
Download Presentation

Automatic Generation and Analysis of NIDS Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automatic Generation and Analysis of NIDS Attacks Shai Rubin Somesh Jha Barton P. Miller University of Wisconsin, Madison

  2. Misuse Network Intrusion Detection System (NIDS) Attacker Network NIDS Signature database GET <URL>/cmd.exe Rubin, Jha, Miller

  3. Misuse Network Intrusion Detection System (NIDS) • Misuse-NIDS task: detect known attacks GET <URL>/cmd.exe Attacker Network NIDS Signature database GET <URL>/cmd.exe Rubin, Jha, Miller

  4. Misuse Network Intrusion Detection System (NIDS) • Misuse-NIDS task: detect known attacks • The security a NIDS provides primarily depends on its ability to resists attackers’ attempts to evade it GET <URL>/%63md.exe Attacker Network NIDS Signature database GET <URL>/cmd.exe Rubin, Jha, Miller

  5. Current NIDS Evaluation Many researchers (and attackers) have shown how to evade a NIDS • Ptacek and Newsham, 1998 • Handley and Paxson, 2001 • Marty, 2002 • Mutz, Vigna, and Kemmerer, 2003 • Vigna, Robertson, and Balzarotti, 2004 • Rubin, Jha, Miller, 2004 • And others... Observation: NIDS evaluation is not carried out using a well defined threat model based on formal methods. Rubin, Jha, Miller

  6. Our Goal A formal threat model for NIDS testing Why a formal model? • enables solid reasoning about the system capabilities • facilitates applications beyond testing • successfully used in the past (e.g., protocol verification) Rubin, Jha, Miller

  7. NIDS Task: is it well defined? • NIDS Task: Identify the “Sasser” set (threat) • NIDS Testing: Compare “Sasser” to “NIDS Sasser” (NIDS behavior) TCP streams Sasser NIDS Sasser Rubin, Jha, Miller

  8. NIDS Task: is it well defined? • NIDS Task: Identify the “Sasser” set (threat) • NIDS Testing: Compare “Sasser” to “NIDS Sasser” (NIDS behavior) TCP streams NIDS Sasser Sasser Rubin, Jha, Miller

  9. NIDS Task: is it well defined? • NIDS Task: Identify the “Sasser” set (threat) • NIDS Testing: Compare “Sasser” to “NIDS Sasser” (NIDS behavior) • NIDS task is not well defined unless the threat is well defined • Consequently, NIDS testing is not well defined TCP streams NIDS Sasser Sasser Rubin, Jha, Miller

  10. Contributions • A formal threat model for NIDS evaluation. • Black hat: generating attack variants (test cases) • White hat: determine if a TCP sequence is an attack • Unifies existing techniques for NIDS testing • Practical tool. Used for black and white hat purposes • Improving Snort. Found and proposed fixes for 5 vulnerabilities Rubin, Jha, Miller

  11. The Attacker’s Mind: Transformations buffer> CWD <long buffer> buffer> CWD <long buffer> CWD <long CWD <long buffer> Transformation Fragmentation Transport level Retransmission Out-of-order MKD <long buffer> Substitution Application level CWD /tmp\nCWD <long buffer> Context padding Rubin, Jha, Miller

  12. ytes>\n CWD /tmp\n CWD <4000 ... ytes>\n CWD <4000 ... CWD / tmp\n Composing Transformations FTP Attack: CAN-2002-0126 Snort Behavior CWD <4000 bytes>\n Detected CWD /tmp\n CWD <4000 ... bytes>\n Detected Detected Not Detected Vulnerability: any pattern from the type foo*bar Rubin, Jha, Miller

  13. Transformations: Summary • Transformations are simple • Transformations are semantics preserving (sound) • Transformations are syntactic manipulations • Transformations can be composed Idea: Transformations define the threat Goal: define/find a formal method that enables systematic composition of transformations Rubin, Jha, Miller

  14. Natural Deduction • A set of rules expressing how valid proofs may be constructed. • Rules are simple, sound. • Rules are syntactic transformations. • Rules can be composed to derive theorems. If both P and Q are true, then PQ is true (conjunction) P,Q PQ : Rubin, Jha, Miller

  15. Natural Deduction as a Transformation System • Observation: natural deduction is a suitable mechanism to describe attack transformation: if A is an attack instance, then fragmentation of A is also an attack instance • Rules derive attacks • A set of rules defines an attack derivation model attack : ack att Rubin, Jha, Miller

  16. Threat: Attack Derivation Model Representative Instance rootA + Transformation Rules A closure(RootA ,A) Rubin, Jha, Miller

  17. Main Ideas • Formal model for attack derivation • Black hat tool for attack generation • White hat tool for attack analysis Rubin, Jha, Miller

  18. AGENT: Attack Generation for NIDS Testing Transformation Rules Representative Instance Attack Derivation Model Closure Generator Attack Simulator Attack Instance Eluding Instance No Snort Detect? Yes, check another Rubin, Jha, Miller

  19. Testing Methodology • Rules for: • Transport level (TCP) • Application level (FTP, finger, HTTP) • Total of nine rules • Representative attacks • finger (finger root) • HTTP (perl-in-CGI) • FTP (ftp-cwd) • Testing phases • 7 phases • 2-3 rules each phase Rubin, Jha, Miller

  20. Testing Results • 5 vulnerabilities in less then 2 months • TCP reassembly • Interaction between the TCP reassembly and pattern matching algorithms • HTTP handling • Positives results, show that Snort correctly identify all instances of a given type Rubin, Jha, Miller

  21. Transformation Rules Representative Instance AGENT: Practical Consideration Attack Derivation Model • Generates finite closure: truncate derivation paths • Generates feasible closure: use a small set of rules each time • Gap between theoretical threat model and practical tool: a lot of opportunity for future work Inference Engine Attack Simulator Rubin, Jha, Miller

  22. Main Ideas • Formal model for attack derivation • Black hat tool for attack generation • White hat tool for attack analysis Rubin, Jha, Miller

  23. White Hat Capabilities • Provide a proof that a TCP sequence implements A TCP streams R s Rubin, Jha, Miller

  24. Capabilities Beyond Testing • Provide a proof that a TCP sequence implements A • Backward derivation • Automatic root construction • Found a single root TCP streams R Rubin, Jha, Miller

  25. Capabilities Beyond Testing • Provide a proof that a TCP sequence implements A • Backward derivation • Automatic root construction • Found a single root • Determine that a given TCP implements A • Determine that a given TCP sequence does not implement A TCP streams R s s Rubin, Jha, Miller

  26. Attack Analysis Results • 20 instances: ~600 transformations, ~1300 bytes, ~650 packets • We nullify 10 instances • We let AGENT to determine which instance is a real attack Results: • 7 secs for real attacks • 100 secs for false attack • Forward derivation: ~650! steps TCP streams Rubin, Jha, Miller

  27. The Lessons to Take Home • A well define threat model is necessary for a rigorous NIDS evaluation • A formal threat model can be developed for large and complex security systems like NIDS • A formal threat model provides solid insight into your NIDS • The work is ongoing, you are welcome to join. Rubin, Jha, Miller

  28. Back UP

More Related