280 likes | 455 Views
Enriching intrusion alerts through multi-host causality. Sam King Morley Mao Dominic Lucchetti Peter Chen University of Michigan. Motivation. IDS alerts highlight suspicious activity Network and host level Alerts lack context How did this activity happen?
E N D
Enriching intrusion alerts through multi-host causality Sam King Morley Mao Dominic Lucchetti Peter Chen University of Michigan
Motivation • IDS alerts highlight suspicious activity • Network and host level • Alerts lack context • How did this activity happen? • What were the effects of this activity?
httpd rootkits.com Process bash File Socket wget Detection point Fork event getroot.exe rootproc Read/write event Causality to connect alerts Remote socket
Overview • Causality: BackTracker • Bi-directional distributed BackTracker • Correlating IDS alerts • Conclusions
BackTracker • Help figure out what application was exploited • Show chain of events between exploit and detection point • Track causal operating system events and objects
remote socket httpd remote socket bash wget Process File /tmp/xploit/backdoor Socket Detection point Fork event Read/write event BackTracker Example backdoor
BackTracker • Objects: processes, files • Events: read/write, fork, exec, mmap… • Online component logs events, objects • Offline component generates graphs • Causality effective technique for highlighting actions of attacker
Extending BackTracker • Use send/receive events to connect hosts on separate hosts • identify packets by source/destination IP address and TCP sequence number • Forward tracking
Bi-directional distributed BackTracker (BDB) • Common configuration: firewall • Given a single infected host, track attack • Tracking multi-host attacks • Follow attack “upstream” • Find original source of intrusion • Patch vulnerable server, fix infected laptop • Follow attack “downstream” • Find other compromised hosts
Process File Socket Detection point Fork event Read/write event Prioritize Packets init remote socket rc remote socket httpd wget bash /tmp/xploit/backdoor backdoor
Process File Socket Detection point Fork event Read/write event Highest process, most recent packet init remote socket rc remote socket httpd wget bash /tmp/xploit/backdoor backdoor
socket httpd bash wget /tmp/xploit/backdoor backdoor Guess and check • Follow all packets, examine other host • Search for causally linked “intrusions” Host B Host A httpd bash backdoor spread_worm
Use NIDS to highlight packets smb socket socket smbd bash wget /tmp/xploit/backdoor backdoor
Multi-host attacks • Examined Slapper worm and manual attack on local network • Significant background noise • 12 hosts, all connected, 4 ftpd, 4 httpd, 4 smbd • All hosts both clients and servers • Download source code, compile • Gigabytes of network traffic • Millions of events and objects • 20 minute experiments, break in after 10 • Goal: given a single infected host find source of attack and all infected hosts
Slapper worm Slapper Worm Firewall Host B Host A Host C External Network Host D
Process File Socket Detection point Causal event
Slapper worm Slapper Worm Firewall Host B Host A Host C External Network Host D
Process File Socket Detection point Causal event
Process File Socket Detection point Causal event Tracking Slapper Forward
Slapper worm Slapper Worm Firewall Host B Host A Host C External Network Host D
Multi-host manual attack • Highest process, most recent packet does not always work • Use Snort to highlight suspicious packets • Stealthy attack, difficult to detect • Attack one host at a time • Wait for next target to communicate with current host • Break into various services • Services under heavy legitimate use • Use previously “unknown” attacks • Perform different tasks on each host
Multi-host manual attack External Network Host A Host B Host C Host D Host E Host F Host G Host H Host I Host J Host K Host L
Correlating IDS alerts • Many independent sources of IDS alerts • Host/network • Host/host • Correlate multiple sources, reduce false positives • correlate through syntactic or timing relationships • correlate through manually specified semantic relationships • BDB can correlate IDS alerts through causal relationships
Zero Configuration Snort • Difficult to configure • False positives • Services not used • Failed exploit attempts • New rules developed frequently • Setup system with all default Snort rules • Also enabled several other rules • Use causality to verify Snort alerts • Detect any processes running as root
Zero Configuration Snort Results • Ran honeypot for two days • Without correlating alerts • 39 Snort alerts • Many processes run as root • Zero Configuration Snort • Zero false positives • One true positive
Process File Socket Detection point Causal event
Conclusions • Can use causality to provide context for intrusion alerts • Follow multi-host attacks • Correlate IDS alerts • Causality effective mechanism for adding context to intrusion alerts