Reducing false positives in intrusion detection systems by means of frequent episodes

1. Reducing false positives in intrusion detection systems by means of frequent episodes Lars Olav Gigstad

2. Intrusion Detection • Signatures poorly describe the attack making them trigger on benign traffic as a result. • Processing time restrictions often leads to shortcuts. • Writing correct signatures is a difficult task. • Signatures triggers on rare or suspicious traffic. • Trigger on low-level phenomenas.

3. Research Questions • Can alerts effectively be correlated with frequent episodes? • How effective is false positive reduction?

4. Data Gathering • KDD Cup ’99 • 5 Weeks of traffic data. • 2 attack free weeks. • Honeynet • 3 computers • Apache • FTP • SQL Server • Automated attacks

5. System Overview IDS Alert log Filter Output Accepted Rules Data mining Rules

6. Data Mining • Data preperation: • Parse SNORT alert log • Parse BRO alert log • Data mining: • Phase 1: Frequent episodes. • Phase 2: Remove unwanted episodes. • Phase 3: Attribute rules • Analysis: • Present rules

7. Data Preperation [**] [1:1200:10] ATTACK-RESPONSES Invalid URL [**] [Classification: Attempted Information Leak] [Priority: 2] 03/01-15:28:08.918757 207.200.75.201:80 -> 172.16.117.132:6243 TCP TTL:63 TOS:0x0 ID:7669 IpLen:20 DgmLen:473 DF ***AP*** Seq: 0xC832EB1A Ack: 0xA5904714 Win: 0x7FE0 TcpLen: 20 [Xref => http://www.microsoft.com/technet/security/bulletin/MS00-063.mspx]

8. Data Preperation • Alert attributes • ID, the type of alert. • Source IP. • Destination IP. • Source port. • Destination port. • TTL, time to live. • IP, size of IP header in bytes. • Dgmlen, size of packet in bytes. • Time, time of occurrence.

9. Data Mining • Data preperation: • Parse SNORT alert log • Parse BRO alert log • Data mining: • Phase 1: Frequent Episodes. • Phase 2: Remove unwanted episodes. • Phase 3: Attribute rules • Analysis: • Present rules

10. Frequent Episodes • Events: • Single action • Alarm • System input • Sequence of events

11. Frequent Episodes • Episode: a collection of event. • Episode Types: • Parallell • Serial • Complex A A A C C B B

12. Frequent Episodes Episode: Subepisodes: A B C A B A C B C

13. Attribute Rules • Intra-episode rules • A.SourceIP = B.SourceIP • A.DestinationIP = B.DestinationIP • Inter-episode rules • A.DestinationPort = 80 A B

14. Data Mining • Data preperation: • Parse SNORT alert log • Parse BRO alert log • Data mining: • Phase 1: Frequent Episodes. • Phase 2: Remove unwanted episodes. • Phase 3: Attribute rules • Analysis: • Present rules

15. Data Mining • Data preperation: • Parse SNORT alert log • Parse BRO alert log • Data mining: • Phase 1: Frequent Episodes. • Phase 2: Remove unwanted episodes. • Phase 3: Attribute rules • Analysis: • Present rules

16. Rules Generated IF [1:1013:11] THEN [1:1012:12] conf(0.353) freq(0.006) [1:1288:10] IF [1:1013:11] [1:1012:12] THEN [1:1288:10] conf(1.0) freq(0.006) [1].src = [2].src = [3].src [1].dst = [2].dst = [3].dst [1].src_port = [2].src_port = [3].src_port [1].dst_port = [2].dst_port = [3].dst_port [1].ttl = [2].ttl = [3].ttl [1].dgmlen = [2].dgmlen = [3].dgmlen [1].dst_port = 80 [2].dst_port = 80 [3].dst_port = 80 [1].ttl = 64 [2].ttl = 64 [3].ttl = 64 [1].src = 172.16.115.87 [2].src = 172.16.115.87 [3].src = 172.16.115.87 [1].dst = 209.61.100.129 [2].dst = 209.61.100.129 [3].dst = 209.61.100.129 IF [1:1149:13] THEN [1:1149:13] conf(0.53) freq(0.007) [1].src = [2].src [1].dst = [2].dst [1].dst_port = E[2].dst_port [1].ttl = E[2].ttl [1].dst_port = 80 [2].dst_port = 80 [1].ttl = 64 [2].ttl = 64

17. Results Week 1 Week 4

18. Questions?