440 likes | 463 Views
New Methods in Attack Detection. Shambhu Upadhyaya (PI) Computer Science and Engineering University at Buffalo Kevin Kwiat (Program Manager) Air Force Research Lab, Rome, NY. Overall Outline. Road map Significant accomplishments Publications Specific research projects Results
E N D
New Methods in Attack Detection Shambhu Upadhyaya (PI) Computer Science and Engineering University at Buffalo Kevin Kwiat (Program Manager) Air Force Research Lab, Rome, NY
Overall Outline • Road map • Significant accomplishments • Publications • Specific research projects • Results • Conclusion CEISARE @
Road Map I • Research Projects • Encapsulation of owner’s intent (1998) • Reasoning framework for IDS (1999) • Secure voting protocol work (2000) • IDS simulation (2001) • Encapsulation of program’s intent, Building secure enclaves (2002) • Funding • AFOSR seed grant (1999) • AFOSR grant through AFRL and in part through ACRC (2000 – 2004) • AFOSR summer fellowships (through RDL, II and NRC) • DARPA seedling (2003) CEISARE @
Road Map II • Students supported • Kiran Mantha, MS, 2001 (Deloitte & Touche, NY) • Ramkumar Chinchani, MS, 2002 (PhD student) • Neelesh Arora, MS, 2003 (Thomson Financial, NY) • Ashish Garg (PhD student) • Anusha Iyer (PhD student) • Aarthie Muthukrishnan (MS student) • Madhu Chandrasekharan (MS student) • Others involved • Ben Hardekopf (AFRL) • Alex Eisen (IASP Scholar) • Melissa Thomas (IASP Scholar) CEISARE @
Significant Accomplishments • Research • Several publications, 1MS Thesis (2001), 1 Ph.D. dissertation (2004) • Funding from other agencies such as DARPA, NSA/ARDA • Conference/Workshops • Panel organization (IEEE SRDS 2000), Tutorial in IEEE MILCOM 2002 • Plenary talk at MMM-2003, St. Petersburg, Russia (upcoming) • Academic • Center of Excellence status from NSA (2002), funding from DoD • Kevin Kwiat appointed as Research Associate Professor in CSE Dept. • Media • Research cited in Scientific American, Dec. 2002 • Associated Press coverage of MILCOM 2002 work CEISARE @
Publications • Conferences/Workshops • SCS International SPECTS, 1999 (Upadhyaya & Kwiat) • SCS SSC, 2000 (Mantha, Chinchani, Upadhyaya, Kwiat) • IEEE Aerospace Conf. , 2001 (Hardekopf, Kwiat, Upadhyaya) • IEEE SMC Workshop, 2001 (Upadhyaya, Chinchani, Kwiat) • IEEE SRDS, 2001 (Upadhyaya, Chinchani, Kwiat) • SCS Int. SPECTS, 2001 (Hardekopf, Kwiat, Upadhyaya) • IEEE MILCOM, 2002 (Chinchani, Upadhyaya, Kwiat) • IEEE Int. IA Workshop, 2003 (Chinchani, Upadhyaya, Kwiat) • Book Chapter • Kluwer Academic Press, 2003 • Journals • Several papers in the works CEISARE @
Research Projects • Encapsulation of owner’s intent – Concept development, preliminary simulation, investigation of scalability (Ref: Upadhyaya, Kwiat, SPECTS 1999, Mantha, Chinchani, Upadhyaya, Kwiat, SCSC 2000, IEEE MILCOM 2003) • Reasoning about intrusions (Chinchani, Upadhyaya, Kwiat, IEEE SMC 2001, SRDS 2001) • Building secure enclaves (Chinchani, Upadhyaya, Kwiat, IEEE IAW 2003) • Simulation support for IA experiments (Garg, Upadhyaya, Chinchani, Kwiat, SCSC 2003) • Secure voting protocols (Hardekopf, Kwiat, Upadhyaya, IEEE Aero 2001) CEISARE @
Encapsulation of Owner’s Intent – A New Proactive Intrusion Assessment Paradigm • Very few anomaly detection systems work well • A major factor overlooked is User • Bring the user into the loop • Encapsulation of user’s intent serves as a “certificate” • Can you make more accurate detection decisions? • Working at high level attaches greater significance to semantics to user’s operations • Contributes to user’s affirming the truth in COA CEISARE @
Where Does Our Work Fit In? CEISARE @
Salient Features of our IDS • Handling threats posed by insiders • Rule-based misuse detectors not very successful • Anomaly detectors are more promising, but not practical due to involved data collection, learning and high false alarms • Based on generation of a run-time plan for users • Composing verifiable assertions based on queries of users • Idea is based on sound principles of signature analysis • Does away with audit trail analysis • Detection of intricate and subtle attacks • Lower detection latency CEISARE @
Outline of the Central Topic • Background and related work • Guidelines through lessons learned • An analogy and demonstration of Basic principle • Implicit vs Explicit intent encapsulation • Implementation of a small system • Related problems • Reasoning framework • Who watches the watcher? • Secure voting in distributed systems • Generic simulation platform development • Summary CEISARE @
Background and Related Work • Rule based [Ilgun et al., 95], [Cheng, 02], Wagner & Dean, 01] • Program behavior based [Ko et al., 97] • User behavior based [Spyrou, 96] • RBAC [Ferraiolo & Kuhn, 92] • Real-time detection (NADIR) • Distributed and concurrent schemes (DIDS, GrIDS, EMERALD) CEISARE @
Guidelines • Use the principle of least privilege to achieve better security • Use mandatory access control wherever appropriate • Data used for intrusion detection should be kept simple and small • Intrusion detection capabilities are enhanced if environment specific factors are taken into account CEISARE @
RULES: All 9 dots should be connected with no more than 4 straight lines No tracing back and must be done without taking off your hand Thinking Out of the Box CEISARE @
Address Processor Memory BUS Tags Reset SIG-REG SIG-GEN CU BD Error Signal COMPARATOR Analogy from Control Flow Checking • Generate compile-time signatures & assertions and embed them into instruction stream • Monitor execution and look for discrepancy • Technique is based on sound principles – EDC/ECC CEISARE @
Basic Principle Session Scope Filter Sprint Plan User Plan Generator One-time effort Runtime effort Runtime Watchdog Engine Assertion Generator Runtime Commands Tolerance limits, Counters, Thresholds etc.. Intrusion Signal CEISARE @
User Intent Encapsulation CEISARE @
Intent as a Certificate • Even when IDS is accurate, decision may be wrong • User cannot be held accountable if he contests • Bring the user into loop early on • User (bona fide or intruder) is queried for his intent • Expressed intent becomes a certificate of normal user activity • Issues • Process of encapsulation shouldn’t be intrusive • Capture maximum information with min. effort to the user CEISARE @
Implicit vs. Explicit Intent CEISARE @
Sketch of the Algorithm User logs into the system Chooses the job s/he wishes to perform Check the size of the session scope If too large,warn user YES User wants to change it Launch inter work-space level monitor Create workspaces for the jobs Launch workspace level monitor thread per workspace Launch command level monitor thread per command Report command type Authenticate command Loop Report object accessed Monitor Command CEISARE @
Simulation and Results • A university environment was simulated • Client-server architecture using Sun Ultra Enterprise 450 Model 4400 and Sun Ultra 5’s running Solaris 2.7 • Intrusion scenarios • Legitimate user • Intruder • Two legitimate logins • First login from user, second login from intruder • First login from intruder, second login from user • Two intruders login CEISARE @
Test Cases • User activity collected over two months • Test cases grouped into four categories • 1-user, 1-user with multiple logins, multiple users, multiple users with multiple logins • Two sets of experiments – worst case and average case • Legitimate and intrusive operations • 32 attacks • Obvious ones such as transferring /etc/passwd files, exploiting vulnerabilities such as rdist, perl 5.0.1 • Subtle attacks similar to mimicry attacks CEISARE @
Screenshots of Query Interface CEISARE @
Another Illustration CEISARE @
Runtime Monitoring Setup CEISARE @
Summary of Results CEISARE @
Some Research Questions • What if the user lies to the query? • How do you enhance performance? • Who is watching the watcher? • How do you perform more comprehensive evaluation? CEISARE @
1) What if the User Lies? • A cognate user is expected to specify a focused session-scope • Selection of overly permissive session-scope must be discouraged • Can be done by penalizing a quality of service • Monitoring cost can be drawn from user’s budget CEISARE @
2) Performance Enhancements • Profiling user operations • Take into consideration frequency of operations and temporal characteristics of system usage • Dynamically updating session-scope • In the statistical anomaly detection engine, one could prune rarely used operations from the session-scope • One could allow users to update/refine session-scope (but may disrupt the learning process) CEISARE @
Reasoning Framework • A critical problem with anomaly detection is false positive • Intrusion flagging requires more than set inclusion check • Not a binary decision – Sequences of operations need to be considered • Cost analysis • Cost of operation • Cost of deviation • Cost of monitoring • Actions at higher levels defined in terms of actions at lower levels • Eg.,: (ReadByte, WriteByte) -> (CreateFile,deleteFile,WriteFile) ->(HardDisk) CEISARE @
Tl Th Non-intrusive Intrusive Indeterminate Accumulated Cost, monotone, non-decreasing Cost Analysis Based Reasoning • Reasoning by stochastic modeling of job activity • Two thresholds Tl and Th defined • When cost maps into mid region, situation ambiguous • Cost gradients used to shrink the window • Algorithms developed to trigger threshold movements so that a speedy decision on intrusion can be arrived • (Ref: IEEE SRDS 2001) CEISARE @
3) Who is Protecting the Protector? • Tamper-resistant security monitoring • Available choices • Replication (Chameleon at UIUC) • Layered Hierarchy (AAFID at Purdue) • Both can be easily compromised • Proposed solution • Circulant graph • Overhead is manageable • There is no mutual trust among the watchers • (Ref: IEEE IWIA 2003) CEISARE @
4) Comprehensive Evaluation 140 120 100 80 Intrusion detection models 60 40 20 0 1980 1985 1990 1995 2000 2005 Time Current status of IDS CEISARE @
Our Approach • A generic platform for intrusion modeling and testing of IDS • Desirable features • Test and evaluate any intrusion detection model • Measure performance for improvement • Consider variety of intrusion scenarios • Collect pre-deployment measures • Analogy is drawn from network simulators CEISARE @
What Exists in the Open? • Other approaches • Razak: Network intrusion simulation • Schiavo & Rowe: Intrusion detection tutors • Roberts: Simulation of Malicious Intruders • What is lacking above? • None of the above provide a generic platform for modeling and simulation • Performance of models cannot be evaluated CEISARE @
Our Steps • Study features of a variety of IDS • Consider network simulation and OS simulation • Develop a common language to facilitate various formats conversion (interoperability) • Perform some case studies • (Ref: SCS SCSC 2003) • Even monitoring, Access control subsystems CEISARE @
Work in Progress • Intrusion detection and Proactive recovery (subcontract to Colorado State University) • Dynamic Reasoning based User Intent Driven IDS (DRUID) prototype development (DARPA seedling) • GUI for session scope input • Command monitor • Statistical Engine • Data analysis, training and testing CEISARE @
Prototype Status CEISARE @
Security Enhancement in Distributed Voting – A Related Project • Joint work with UB and AFRL • Guaranteeing owner’s intended result by distributed monitoring and voter isolation • Uniquely combines fault tolerance and security • Doesn’t require trusted third party CEISARE @
Danger of 2-Phase Commit Protocol majority trustworthy • Phase 1: processors distribute their results and vote on them such that each processor determines the majority • Phase 2: processor in the majority commits result to the user User waits for majority result User is sent malicious result - SELF-DESTRUCT CEISARE @
Timed-Buffer Distributed Voting trustworthy • Addresses “last mile” of distributed voting • Buffer until “silence is consent” • Reverses 2-phase commit protocol • – Instead of voting then committing - commits first (to buffer) then votes (period of dissension) • – Prevents disastrous commit phase - unlikely for classical fault tolerance but not information attack untrustworthy Suspect results buffered Integrity restored and buffer released CEISARE @
SECURE DATA IS EXPOSED ACRC Application of TB-DVA SECURE SERVER GATEWAY WIRELESS CLIENT SECURE WIRED LINK SECURE WIRELESS LINK (when translated from IP standards to wireless and vice-a-versa) • Apply fault tolerance techniques to protect, detect, and react to attacks and enable service restoration CEISARE @
Summary • Developed a new intrusion assessment paradigm – Encapsulation of owner’s intent • Brings user into the loop • User’s encapsulated intent serves as a certificate • Feasibility study • Practical implementation study CEISARE @