1 / 30

Collaborating Against Common Enemies

Collaborating Against Common Enemies Sachin Katti Balachander Krishnamurthy and Dina Katabi AT&T Labs-Research & MIT CSAIL Current Intrusion Detection Uses Rules  Alerts Network 5 Network 1 Network 4 Network 2 Network 3 How about collaborating?

jaden
Download Presentation

Collaborating Against Common Enemies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Collaborating Against Common Enemies Sachin Katti Balachander Krishnamurthy and Dina Katabi AT&T Labs-Research & MIT CSAIL

  2. Current Intrusion Detection Uses Rules  Alerts Network 5 Network 1 Network 4 Network 2 Network 3 How about collaborating?

  3. Potential reasons for collaboration: • Provides global picture of attack • Detecting low rate distributed attackers • Detecting stepping stones But benefit depends on networks/IDSs seeing Correlated Attacks?

  4. Talk Is About Correlated Attacks Define Correlated Attacks: as attacks from the same sources IP on different IDSs/networks

  5. Talk Is About Correlated Attacks Define Correlated Attacks: as attacks from the same source IP on different IDSs/networks Correlated Attacks Correlated IDS

  6. This Talk Logs from 1700 IDSs show:  Collaboration is useful • Realtime  Collaborate with a few IDSs • 40% of alerts are correlated • Correlated attacks within 10min • An IDS sees correlated attacks with 8 IDSs (out of 1700), and the group does not change Collaboration with correlated IDSs increases detection by 75% and as good as collaborating with all.

  7. Dataset Full packet headers, unanonymized src/dest addresses Anonymized dest IP; no packet headers or alert type

  8. Method • Correlation is based on sharing the same source IP • Adding info about attack type and dest port did not matter • Correlated IDSs – IDSs for which more than 10% of their attacks are correlated

  9. Do IDSs see Correlated Attacks? YES, Many • 20% of attacking IPs are common attackers • 40% of the attacks are correlated • On average, 1500 correlated attackers/ day/IDS

  10. Interarrival of Correlated Attacks 1.0 0.8 0.6 75% of correlated attacks happen within 10 minutes of each other CDF 0.4 0.2 0.0 0.1 1 10 100 1000 10000 100000 Interarrival time in mins Correlated attacks within a few minutes  Need realtime collaboration!

  11. Size of Correlation Groups For each IDS compute the # of IDSs with which it is correlated 1.0 0.8 90% of IDS are correlated with less than 8 IDS (out of 1700) 0.6 CDF 0.4 0.2 IDS correlation 0.0 1 2 4 8 16 32 # IDSs in Correlation Group IDS correlate within small groups!  Scalable collaboration

  12. Do Correlation Groups Change? If an IDS is correlated with 4 other IDS and the group changes by one, the percentage change is 25% 0.08 0.07 Avg. Change in Correlation Group 0.06 0.05 0.04 Change 0.03 0.02 0.01 0 10 15 20 25 30 5 No. of days Correlation is persistent!  Establish trust out of band

  13. Why IDS correlate? • Is it proximity in IP space?

  14. Is Proximity in IP Space the Reason? • Compute cross correlation between proximity in IP space and correlated IDS Complete positive correlation 1.0 Cross correlation with IP space distance hovers around 0 0.5 Cross Correlation 0 -0.5 No correlation Distance in IP space -1.0 0 5 10 15 20 25 30 35 40 IDS ID Attack Correlation is independent of proximity in IP space

  15. Why IDS correlate? • Is it proximity in IP space? • Is it because attackers target sites with similar software and services (e.g., Santy worm) ? More than 60% of attacks in a correlation group target particular service (e.g. SMTP groups, IBM Tivoli, IIS servers)

  16. Is Similarity in Software the Reason? • Compute cross correlation between similarity in software & attack correlation Complete positive correlation 1.0 0.5 No correlation Similarity in software is positively correlated Cross Correlation 0 -0.5 Similarity distance -1.0 0 5 10 15 20 25 30 35 40 IDS ID Decreasing similarity Decreasing correlation

  17. So, what does it mean for Collaborative Intrusion Detection?

  18. Issues for IDS collaboration across networks • Is it useful? • How often should IDS exchange information? • How to make it scale? • How does an IDS trust its collaborators to protect the privacy of its information and not lie?

  19. Exploiting Correlation for collaboration  Collaboration is useful • Realtime  Scale by collaborating with IDS in same correlation group  Check trust out-of band • 40% of alerts are correlated • Correlated attacks within 10min • An IDS sees correlated attacks with small correlation groups (8 out of 1700 IDS) • The correlation group does not change

  20. Correlation Based Collaboration (CBC) • Attack Correlation Detector (ACD) for finding correlation groups (e.g., DShield) • Since groups persist for months  ACD computation scale • It is up to each network to decide whether to collaborate or not

  21. Correlation Based Collaboration (CBC) IDS send logs to ACD ACD ACD tells each IDS its correlation group

  22. Evaluation of CBC Blacklisting • Flag an attacking IP address if # alerts cross a threshold • Compare with • Local detection • Collaborating with all IDSs • Random Collaboration - Collaborating with the same sized random subset as the correlation group

  23. Evaluation Method • IDS queries its collaborators when # alerts from an IP exceeds Querying Threshold • IDS blacklists IP if aggregate # alerts exceeds Blacklisting Threshold • Thresholds picked to minimize false positives (for ISP dataset)

  24. Speed! • Compute time taken to blacklist a source in each scheme 100000 10000 1000 Local Detection Time in mins 100 10 0 0 4000 8000 12000 16000 Attacking IP addresses

  25. Speed! • Compute time taken to blacklist a source in each scheme 100000 10000 Random 1000 Local detection and random collaboration are almost identical Local Detection Time in mins 100 10 0 0 4000 8000 12000 16000 Attacking IP addresses

  26. Speed! • Compute time taken to blacklist a source in each scheme 100000 All IDS 10000 Random Local 800 mins 1000 Detection Time in mins 100 150 mins 10 0 0 4000 8000 12000 16000 Attacking IP addresses

  27. Speed! • Compute time taken to blacklist a source in each scheme 100000 All IDS 10000 CBC Random 1000 Local Detection Time in mins 100 CBC speeds up detection for 75% of the studied sources 10 No difference for fast attackers 0 0 4000 8000 12000 16000 Attacking IP addresses CBC performs almost as well as collaborating with all IDS

  28. Significant Reduction in Alert Volume CBC halves the volume of the alert logs a network administrator has to examine!

  29. Low Overhead CBC requires orders of magnitude less querying overhead for the same benefits!

  30. Conclusions  Collaboration is useful • Realtime  Scale by collaborating with IDS in same correlation group  Check trust out-of band • 40% of alerts are correlated • Correlated attacks within 10min • An IDS sees correlated attacks with small correlation groups (8 out of 1700 IDS) • The correlation group does not change CBC exploits the above; is as good as collaborating with all but with 0.3% of the overhead.

More Related