320 likes | 493 Views
Towards Automating Intrusion Alert Analysis. Peng Ning, Yun Cui, Douglas S. Reeves, and Dingbang Xu Cyber Defense Laboratory Department of Computer Science North Carolina State University. Background. Traditional intrusion detection systems (IDS) Focus on low-level attacks or anomalies
E N D
Towards Automating Intrusion Alert Analysis Peng Ning, Yun Cui, Douglas S. Reeves, and Dingbang Xu Cyber Defense Laboratory Department of Computer Science North Carolina State University
Background • Traditional intrusion detection systems (IDS) • Focus on low-level attacks or anomalies • Actual alerts are mixed with false alerts • Intensive intrusions unmanageable amount of alerts • It’s necessary to develop automatic tools to construct attack scenarios and facilitate intrusion analysis.
Related Research • Exploit similarities between alert attributes • Ex.: Valdes and Skinner (2001), Staniford et al. (2000) • Exploit known attack scenarios • Ex.: Cuppens and Ortalo (2000), Dain and Cunningham (2001), Debar and Wespi (2001) • Use pre- and post-conditions of attacks • JIGSAW by Templeton and Levitt (2000) • Cannot deal with missing detections and failed attacks • Our initial work is an extension to JIGSAW • MIRADOR approach by Cuppens and Miege (2002) • Developed independently and in parallel to our work • Our work (2002, 2003) • Others • M2D2 by Morin et al. (2002), Mission-Impact by Porras et al. (2002)
Outline • Construct attack scenarios from intrusion alerts via correlation • Correlation based on prerequisites and consequences of attacks • Analyze intensive alerts • Extract attack strategies from correlated alerts
Correlation Based on Prerequisites and Consequences of Attacks • Goal • Construct high-level attack scenarios from low-level alerts
SadmindBufferOverflow Alert attributes: {VictimIP, VictimPort} Prerequsite: ExistHost(VictimIP)^VulnerableSadmind(VictimIP) Consequence: {GainAccess(VictimIP)} Correlation Based on Prerequisites and Consequences of Attacks (Cont’d) • Basic Idea • Hyper-alert types: Encode our knowledge about each type of attacks • Prerequisites and Consequences • Reason about hyper-alerts based on the knowledge
SadmindBufferOverfow SadmindPing h2 h1 C(h1) = {VulnerableSadmind(152.1.19.5), VulnerableSadmind(152.1.19.9)} P(h2) = {ExistHost(152.1.19.5), VulnerableSadmind(152.1.19.5)} Correlation Based on Prerequisites and Consequences of Attacks (Cont’d) • Reasoning of alerts • An earlier hyper-alert prepares for a later one if the former makes the later easier to be successful • Decompose prerequisites and consequences into pieces of predicates • Match the predicates
Experimental Evaluation • Purposes of experiments • How well can the proposed method construct attack scenarios? • Can alert correlation help differentiate between true and false alerts? • Conjecture: correlated alerts are more possible to be true alerts.
RealSecure Network Sensor Isolated network NetPoke Experimental Evaluation (Cont’d) • DARPA 2000 intrusion detection scenario specific datasets • A novice attacker installs components for and carries out a DDOS attack • LLDOS 1.0 (inside and DMZ) • LLDOS 2.0.2 (inside and DMZ)
Hyper-Alert Correlation Graph Discovered from the Inside Traffic of LLDOS 1.0
Experimental Evaluation (Cont’d) • Two measures • Completeness: How well can we correlate the related alerts? • Soundness: How correctly are the alert correlated?
Experimental Evaluation (Cont’d) False Positive Rate Detection Rate
Additional details can be found in • Peng Ning, Yun Cui, Douglas S. Reeves, "Constructing Attack Scenarios through Correlation of Intrusion Alerts," in ACM CCS 2002, pages 245--254, November 2002.
Analyze Intensive Intrusion Alerts • Limitations of the previous correlation technique • Difficult to cope with very large set of correlated alerts • Our solution • Interactive analysis utilities • Independent • Complementary • Used as building blocks • Can be applied iteratively to a previous analysis results.
Interactive Analysis Utilities • Hyper-alert generating utilities • Aggregation/disaggregation • Clustering analysis • graph decomposition: a special case • Focused analysis • Feature extraction utilities • Frequency analysis • Link analysis • Association analysis
Alert Aggregation/Disaggregation • Aggregation • To simplify the correlation graph, the same type of hyper-alerts can be aggregated together. • An interval constraint (e.g. 10 seconds) is used to control the aggregation.
Aggregation/Disaggregation with Abstraction • Alerts reported by IDSs usually are low-level alerts, and can be abstracted to more general alerts. • Hyper-alerts can be aggregated together and form new hyper-alerts with more abstracted alert type. • The abstraction level to be aggregated • Interval constraint
Alert Aggregation/Disaggregation (cont’d) • Disaggregation • Aggregated hyper-alerts can be disaggregated to show detailed information. Disaggregate
Case Study with DEFCON8 Dataset • Some common attack strategies were easily identified • e.g., Nmap_Scan PmapDump ToolTalk_Overflow • e.g., HTTP-based attacks from 010.020.011.074 to 010.020.001.014, 010.020.001.015, 010.020.001.019… • Observation • There were many BackOrifice and NetBus alerts • i.e., attackers were coordinating multiple machines during their attacks • Makes correlation and attack identification more difficult! • Selected results
Using Adjustable Graph Reduction • Most hyper-alerts of the same type are close to each other in time in the DEFCON8 dataset
Largest Correlation Graph after Maximum Graph Reduction Aggregated from a graph with • 2,940 nodes • 25,321 edges
Using Graph Decomposition • Clustering Constraint: • (A1.srcIP = A2.srcIP) ^ (A1.destIP = A2.destIP) Intuition: sharing the same source and destination IP addresses.
Additional details can be found in • Peng Ning, Yun Cui, Douglas S. Reeves, "Analyzing Intensive Intrusion Alerts Via Correlation," in RAID 2002, pages 74--94, October 2002.
Learning Attack Strategies from Correlated Alerts • It’s desirable, and sometimes necessary, to understand attackers’ strategies • Intrusion response, incident handling, profiling attackers or attacking tools, etc. • Static vulnerability analysis • Example: Attack graphs • Requires specifications of security properties • Limited to combinations of known attacks • Learning attack strategies from alerts • Complement static vulnerability analysis • Allow examination of attack strategies in different granularities
Representation of Attack Strategies • Attack strategy • Intrinsic relationships between steps in a sequence of attacks • Intuition: an attack strategy consists of attack steps and the constraints among these steps • Attack strategy graph • A graph representation that captures the intrinsic relationships between steps in an attack strategy.
T2 T1 Equality Constraint • An equality constraint for hyper-alert types T1 and T2 • Equality relations between attributes in these two types. • Given a type T1 alert h1 and a type T2 alert h2 • h1 prepares for h2 if they satisfy an equality constraint • Can be derived from T1 and T2. SadmindBufferOverfow SadmindPing consequence prerequisite VulSadmind(destIP) VulSadmind(VictimIP) T1.destIP = T2.victimIP
Attack Strategy Graph • Extracted from LLDOS 1.0 alerts (IDS: RealSecure)
Learning Algorithm • Two steps • Aggregate intrusion alerts that belong to the same step of a sequence of attacks into one hyper-alert • Extract the constraints between the attack steps • The result is represented as an attack strategy graph
Additional details can be found in • Peng Ning, Dingbang Xu, "Learning Attack Strategies from Intrusion Alerts," To appear in ACM CCS 2003, October, 2003.
Future Work • Intrusion Alert Analysis • Integrate intrusion alerts with other information sources • Hypothesize and reason about missed attacks