A Stateful Intrusion Detection System for World-wide Web Servers. Vigna G, Robertson W, Kher V, Kemmerer R, Department of Computer Science, UC Santa Barbara. 19th Annual Computer Security Applications Conference, December 08 - 12, 2003, Las Vegas, Nevada.
Stateful IDS for Web Servers – Vigna G et al., 2003

Introduction: Motivation
• Large number of web servers
• Continuous disclosure of vulnerabilities in web servers – popular targets
• 2001-2002: 23% of computer vulnerabilities are web related
Introduction: Intrusion Detection Systems (IDS)
• Analyse input streams for manifestations of attacks
• Stateless:
  • Examines each event in the input stream independently
• Stateful:
  • Considers relationships between events and detects attacks based on event histories
Introduction: IDS
• Network-based:
  • Monitors network traffic and events
  • Does not consider application-level logic
  • Cannot detect attacks that depend on the configuration of the server application
• Application-based:
  • Processes the different stages of a client request
  • IDS tightly coupled to the web server and visible
  • Performance of the web server is impacted
Introduction: IDS
• Anomaly detection:
  • Models of normal behavior
  • Compares log data with the normal models to detect abnormal patterns/activity
  • Detects previously unknown attacks
  • Large number of false positives
Introduction: IDS (Intrusion Detection System)
• Misuse detection:
  • Models of attack descriptions
  • Compares audit data with the modeled attacks for evidence of an attack
  • Detects only attacks that are modeled
  • Focused analysis for attack detection
  • Fewer false positives, so more popular
Introduction: Current IDS limitations
• Simple pattern matching of HTTP requests
• Buffer overflows not detected
• Attacks involving multiple steps cannot be modeled
• Only detect trends in large sets of web-related events
• Focus on a single event stream (network log or server application log)
• Do not maintain histories of web requests
WebSTAT (IDS)
• Based on the STAT framework (State Transition Analysis Technique)
• Complex multi-step attacks can be modeled using the STATL language
• Performs integrated analysis of multiple event streams: network and OS events/logs
• Modular, multithreaded
• Application-independent runtime with components that deal with specific application domains
• More effective detection with fewer false positives
STAT framework
• Models attacks as transitions between security states of a system
• Supported by the STATL modeling language
STATL
• Describes events and attack scenarios with their relevant variables, e.g. the source of an HTTP request
• Events are defined by subclassing specific C++ classes of the STAT framework
• Classes are encapsulated in language extension modules and compiled into DLLs
• Events are then used in scenario descriptions, which again are compiled into DLLs
STATL attack scenario (diagram: State A –[transition]→ State B)
• A state is a system snapshot
• A transition is triggered by an action/event, e.g. opening a TCP connection, execution of a CGI script
• A transition assertion constrains the event, e.g. by specifying the port or parameters
Transitions (diagram: State A → State B)
• Non-consuming: both states remain active
• Consuming: only the destination state is valid
• Unwinding: rollback to the previous state
STATL
• STATcore is the runtime for STATL
• The core implements the concepts of state, transition, instance, etc.
• Obtains events from logs/audits and matches them against actions, transitions and attack scenarios
Diagram: events/logs → event provider (converts them to STAT events) → STATcore, into which the translated STATL extension and the attack scenarios are incorporated → analysis
WebSTAT
• Language extension module that defines web-specific events
• Event provider that parses web server logs and generates the corresponding events
• Modules for network and OS events
• A number of STATL scenarios to detect attacks against web servers
• Response modules to generate alerts
WebSTAT: a web-specific event, defined by subclassing the framework's STAT_Event class

    class Request : public STAT_Event {
    public:
        string request;         // the request line as received
        string userAgent;       // User-Agent header
        string encodedRequest;  // request before decoding
        // ...
    };
WebSTAT
• Counting scenario pattern:
  • Integer parameters: threshold, alert_freq, inactivity_timeout
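The counting pattern as working code, added here as an illustration (this is not WebSTAT's code): a counter per key with the three parameters named on the slide, instantiated as a repeated-failed-access check. The choices that a failed access is any HTTP status of 400 or above, that clients are grouped by /24 subnet, and the log records themselves are assumptions made for this example.

```cpp
// Added example, not WebSTAT's own code: the counting scenario pattern with
// the three integer parameters named on the slide (threshold, alert_freq,
// inactivity_timeout), instantiated as a Repeated Failed Access check.
// Assumptions: a failed access is any HTTP status >= 400, and clients are
// grouped by /24 subnet. Log records are constructed, not from a real server.
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

struct LogEntry {
    std::string clientIp;
    long timestamp;   // seconds since epoch
    int status;       // HTTP status code written by the server
};

struct Alert {
    std::string key;  // which counter fired (here: a /24 subnet)
    int count;        // value of the counter when it fired
    long timestamp;   // time of the event that triggered the alert
};

class CountingScenario {
public:
    CountingScenario(int threshold, int alertFreq, long inactivityTimeout)
        : threshold_(threshold), alertFreq_(alertFreq), inactivityTimeout_(inactivityTimeout) {}

    // Feed one event for `key`; returns true if this event raised an alert.
    bool onEvent(const std::string& key, long timestamp) {
        Counter& c = counters_[key];
        // inactivity_timeout: a quiet period ends the scenario instance, so the
        // counter restarts instead of accumulating forever.
        if (c.count > 0 && timestamp - c.lastSeen > inactivityTimeout_) c = Counter{};
        c.lastSeen = timestamp;
        ++c.count;
        // threshold: first alert when the counter reaches it;
        // alert_freq: afterwards alert again every alert_freq further events
        // rather than on every single one (limits alert flooding).
        bool fire = c.count == threshold_ ||
                    (c.count > threshold_ && (c.count - threshold_) % alertFreq_ == 0);
        if (fire) alerts_.push_back(Alert{key, c.count, timestamp});
        return fire;
    }
    const std::vector<Alert>& alerts() const { return alerts_; }

private:
    struct Counter { int count = 0; long lastSeen = 0; };
    int threshold_;
    int alertFreq_;
    long inactivityTimeout_;
    std::map<std::string, Counter> counters_;
    std::vector<Alert> alerts_;
};

// Key a client by its /24 subnet: "10.0.5.77" -> "10.0.5.0/24" (IPv4 only).
std::string subnetOf(const std::string& ip) {
    std::size_t lastDot = ip.rfind('.');
    return ip.substr(0, lastDot) + ".0/24";
}

// Repeated Failed Access: count client errors per subnet over the log stream.
std::vector<Alert> repeatedFailedAccess(const std::vector<LogEntry>& log, int threshold,
                                        int alertFreq, long inactivityTimeout) {
    CountingScenario scenario(threshold, alertFreq, inactivityTimeout);
    for (const LogEntry& e : log)
        if (e.status >= 400) scenario.onEvent(subnetOf(e.clientIp), e.timestamp);
    return scenario.alerts();
}

// Constructed sample log: a probe from 10.0.5.0/24 with one unrelated 404 in
// between, then a late request after the inactivity timeout has expired.
std::vector<LogEntry> sampleLog() {
    return {{"10.0.5.77", 1000, 404}, {"10.0.5.78", 1001, 403}, {"10.0.5.77", 1002, 404},
            {"192.168.1.9", 1003, 404}, {"10.0.5.79", 1004, 404}, {"10.0.5.77", 1005, 404},
            {"10.0.5.77", 1006, 200}, {"10.0.5.77", 1006, 404}, {"10.0.5.77", 1200, 404}};
}

int main() {
    // threshold 3, alert_freq 2, inactivity_timeout 60 s
    for (const Alert& a : repeatedFailedAccess(sampleLog(), 3, 2, 60))
        std::cout << "alert: " << a.count << " failed requests from " << a.key
                  << " at t=" << a.timestamp << '\n';
}
```

With threshold 3, alert_freq 2 and a 60 s inactivity timeout, the sample fires at the third and fifth failed request from 10.0.5.0/24; the request at t=1200 arrives after the quiet period and starts a fresh count, which is the behaviour the inactivity_timeout parameter exists to produce.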
WebSTAT
• Web Crawler scenario:
  • A file specifies which User-Agents are allowed
• Pattern Matching scenario:
  • Detects attacks embedded in the URL by matching it against a list of regular expressions
• Repeated Failed Access scenario:
  • Checks for multiple client errors; a counter records the number of failed requests originating from a subnet
• Cookie Stealing scenario:
  • Records the initial use of a session cookie by a remote client by mapping the cookie to an IP address
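The transition kinds from the earlier slides (non-consuming versus consuming) and the Cookie Stealing scenario above, as one added example. This is not the STAT framework's or WebSTAT's code: it is a miniature scenario runtime with explicit instances, where a non-consuming transition forks a new instance and leaves the prototype active, and a consuming transition moves an instance to its final state. The Request event mirrors the slide's subclass of STAT_Event; its clientIp and sessionCookie fields and all sample requests are assumptions made here.

```cpp
// Added example, not the STAT framework's or WebSTAT's code: a miniature
// STATL-style scenario with explicit instances and the two transition kinds
// from the slides, instantiated as the Cookie Stealing scenario. The Request
// event mirrors the slide's subclass of STAT_Event; its clientIp and
// sessionCookie fields, and all sample requests, are assumptions made here.
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct STAT_Event {
    virtual ~STAT_Event() = default;
};

struct Request : public STAT_Event {
    std::string clientIp;
    std::string request;
    std::string sessionCookie;   // empty when the request carries no session cookie
    Request(std::string ip, std::string req, std::string cookie)
        : clientIp(std::move(ip)), request(std::move(req)), sessionCookie(std::move(cookie)) {}
};

enum class State { Initial, Bound, Stolen };

// One scenario instance. The prototype instance stays in Initial; every
// instance forked from it tracks a single cookie and the IP that first used it.
struct Instance {
    State state;
    std::string cookie;
    std::string ownerIp;
    explicit Instance(State s = State::Initial, std::string c = "", std::string ip = "")
        : state(s), cookie(std::move(c)), ownerIp(std::move(ip)) {}
};

class CookieStealingScenario {
public:
    void onRequest(const Request& r) {
        if (r.sessionCookie.empty()) return;   // transition assertion: a cookie is present
        std::vector<Instance> forked;
        for (Instance& inst : instances_) {
            switch (inst.state) {
            case State::Initial:
                // Non-consuming transition Initial -> Bound: the prototype remains
                // in Initial (so later cookies are still bound) and a copy advances.
                // Assertion: the cookie is not bound yet, so each cookie forks once.
                if (boundCookies_.insert(r.sessionCookie).second)
                    forked.emplace_back(State::Bound, r.sessionCookie, r.clientIp);
                break;
            case State::Bound:
                // Consuming transition Bound -> Stolen: the same cookie arrives from
                // a different address; Bound is left, Stolen is the final state.
                if (inst.cookie == r.sessionCookie && inst.ownerIp != r.clientIp) {
                    inst.state = State::Stolen;
                    alerts_.push_back("cookie " + inst.cookie + " bound to " + inst.ownerIp +
                                      " reused from " + r.clientIp);
                }
                break;
            case State::Stolen:
                break;   // final state: nothing more to match
            }
        }
        instances_.insert(instances_.end(), forked.begin(), forked.end());
    }
    const std::vector<std::string>& alerts() const { return alerts_; }
    std::size_t instancesIn(State s) const {
        std::size_t n = 0;
        for (const Instance& i : instances_) if (i.state == s) ++n;
        return n;
    }

private:
    std::vector<Instance> instances_{Instance()};   // starts with the prototype
    std::set<std::string> boundCookies_;
    std::vector<std::string> alerts_;
};

// Constructed request stream: sid=abc is first used by 10.0.0.5 and later
// replayed from 203.0.113.9; sid=xyz is used only by its owner.
CookieStealingScenario runSample() {
    CookieStealingScenario s;
    s.onRequest(Request("10.0.0.5", "GET /login", ""));
    s.onRequest(Request("10.0.0.5", "GET /account", "sid=abc"));
    s.onRequest(Request("10.0.0.5", "GET /orders", "sid=abc"));
    s.onRequest(Request("10.0.0.7", "GET /account", "sid=xyz"));
    s.onRequest(Request("203.0.113.9", "GET /account", "sid=abc"));
    return s;
}

int main() {
    CookieStealingScenario s = runSample();
    for (const std::string& a : s.alerts()) std::cout << "alert: " << a << '\n';
}
```

After the sample stream one instance is still in Initial (the prototype), one is Bound (sid=xyz) and one has reached Stolen, which is what makes the check stateful: the alert depends on an earlier event that bound the cookie to its first address, not on anything visible in the offending request alone. A stateless rule could not distinguish the replay from the owner's own traffic.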
WebSTAT
• Buffer Overflow scenario:
  • Presence of binary data in a request, or an extremely long request, indicates an attempt to exploit a buffer overflow
• Network- and application-level buffer overflow detection:
  • Examines the web server logs and the actual client requests
  • If binary data is found at the network level and there is no matching entry in the server log, the attack is successful
• Document Root Escape attack:
  • Illicit access to a file outside the web server's document root
  • Examines the web server log and OS audit records to detect file system access violations
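The checks behind the Buffer Overflow and Document Root Escape scenarios, written out as an added example (not WebSTAT's code). It shows the binary-data and length test on a request line, the correlation of network-level requests with server log entries that flags an attempt the server never logged, and the path normalisation used on both the web-log side (a URL path that climbs above the root) and the OS-audit side (a file opened outside the root). The request-length limit, the record layouts and the matching key (client IP plus timestamp) are assumptions; all sample data is constructed.

```cpp
// Added example, not WebSTAT's own code: the checks behind the Buffer Overflow
// and Document Root Escape scenarios described above. The request-length limit,
// the record layouts and the key used to match network events to server log
// entries (client IP plus timestamp) are assumptions; all data is constructed.
#include <algorithm>
#include <cstddef>
#include <set>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

struct RequestRecord {
    std::string clientIp;
    long timestamp;            // seconds since epoch
    std::string requestLine;   // e.g. "GET /index.html HTTP/1.0"
};

// Buffer Overflow scenario: an HTTP request line should be printable ASCII and
// of moderate length; raw binary bytes or an extreme length mark an attempt.
bool looksLikeOverflowAttempt(const std::string& requestLine, std::size_t maxLength = 1024) {
    if (requestLine.size() > maxLength) return true;
    return std::any_of(requestLine.begin(), requestLine.end(),
                       [](unsigned char c) { return c < 0x20 || c >= 0x7f; });
}

struct OverflowAlert {
    std::string clientIp;
    long timestamp;
    bool likelySuccessful;   // seen on the wire but never logged by the server
};

// Network/application correlation: every attempt seen at the network level is
// reported; one with no matching server log entry is flagged as likely
// successful, since a server that was compromised or crashed never logged it.
std::vector<OverflowAlert> correlateOverflows(const std::vector<RequestRecord>& network,
                                              const std::vector<RequestRecord>& serverLog) {
    std::set<std::pair<std::string, long>> logged;
    for (const RequestRecord& e : serverLog) logged.insert({e.clientIp, e.timestamp});
    std::vector<OverflowAlert> out;
    for (const RequestRecord& r : network) {
        if (!looksLikeOverflowAttempt(r.requestLine)) continue;
        bool inLog = logged.count({r.clientIp, r.timestamp}) > 0;
        out.push_back({r.clientIp, r.timestamp, !inLog});
    }
    return out;
}

// Collapse "." and ".." in an absolute path; `climbedAboveRoot` is set when
// a ".." tried to go above "/". (Percent-decoding is out of scope here.)
std::string normalizeAbsolutePath(const std::string& path, bool& climbedAboveRoot) {
    std::vector<std::string> parts;
    std::string seg;
    std::istringstream in(path);
    climbedAboveRoot = false;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") {
            if (parts.empty()) climbedAboveRoot = true; else parts.pop_back();
            continue;
        }
        parts.push_back(seg);
    }
    std::string out;
    for (const std::string& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Document Root Escape, web-log side: does the requested URL path try to climb
// above the document root?
bool requestEscapesRoot(const std::string& urlPath) {
    bool climbed = false;
    normalizeAbsolutePath("/" + urlPath, climbed);
    return climbed;
}

// Document Root Escape, OS-audit side: is a file the server actually opened
// outside the document root? Compared on a full segment boundary so that
// "/var/www/html2/x" is not mistaken for a child of "/var/www/html".
bool fileOutsideRoot(const std::string& docRoot, const std::string& openedPath) {
    bool ignored = false;
    std::string root = normalizeAbsolutePath(docRoot, ignored);
    std::string file = normalizeAbsolutePath(openedPath, ignored);
    if (root == "/" || file == root) return false;
    return file.compare(0, root.size() + 1, root + "/") != 0;
}

// Constructed network capture and server log: the first attempt was logged by
// the server (it survived), the second never reached the log.
std::vector<OverflowAlert> sampleCorrelation() {
    std::string longLine = "GET /" + std::string(2000, 'A') + " HTTP/1.0";
    std::vector<RequestRecord> network = {{"203.0.113.5", 100, longLine},
                                          {"198.51.100.7", 101, "GET /cgi-bin/x\x90\x90\xeb HTTP/1.0"},
                                          {"192.0.2.4", 102, "GET /index.html HTTP/1.0"}};
    std::vector<RequestRecord> serverLog = {{"203.0.113.5", 100, "GET /AAAA... HTTP/1.0"},
                                            {"192.0.2.4", 102, "GET /index.html HTTP/1.0"}};
    return correlateOverflows(network, serverLog);
}
```

The correlation step is where the two event streams pay off: the attempt from 203.0.113.5 appears in both the capture and the server log and is reported as an unsuccessful attempt, while the one from 198.51.100.7 is missing from the log and is flagged as likely successful. Real server logs escape non-printable bytes, which is why the match is keyed on client address and time rather than on the request text.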
WebSTAT evaluation
• Web server: Pentium IV 1.8 GHz, OS: RedHat 8.0, Apache
• Clients: Pentium IV 1.8 GHz, OS: RedHat 8.0
• Network: Intel EtherExpress 10/100 Ethernet cards, 100BaseT full-duplex, Cisco Catalyst 3500 XL switch
• Measurement: average throughput and response times of the web server with and without WebSTAT on the server
• With WebSTAT: slightly lower throughput, no change in response time
WebSTAT conclusions
• WebSTAT operates on multiple event streams
• Supports more effective detection of web-based attacks with a reduced number of false positives
• IDS can be performed on high-performance servers in real time