Towards Vulnerability-Based Intrusion Detection with Event Processing
Amer Farroukh, Mohammad Sadoghi, Hans-Arno Jacobsen
University of Toronto
DEBS'11
Limitation of Regular Expressions
• The Conficker worm infected more than 10 million hosts in 2008.
• Economic loss tallied up to $9.1 billion.
[Figure: an attacker sends several spellings of the same payload (bin/sh, bin//sh, binbin/sh) and the string bin/delete at the UofT network through an IDS whose RE signature is bin/*sh.]
Signature-based IDSes
• Exploit-based (Snort / Cisco / Proventia): regular expressions over packet bytes
  Buffer overflow (one shellcode): content: "|74 07 eb|" && distance: 1 && within: 1 && pcre: "/\xeb.[\x58-\x5b]\x31[\xc9\xd2\xdb]/bin/sh"
• Vulnerability-based: leverage protocol semantics
  Buffer overflow (all exploits): Filename = "login.htm" && len(uri.assignment_sequence.variable["password"]) > 20
• Complex signatures: multiple PDUs (e.g. Conficker)
  Buffer overflow after binding to the server:
  BIND PDU: ver=3.0 && UUID="4b324fc8-1670-01d3-1278-5a47bf6ee188"
  ACK PDU: ver=3.0 && result[UUID] = Accept
  REQ PDU: ver=3.0 && opnum=0x1f && strlen(stub.PathName) > 256 && matchRE(stub.PathName, "/^\x05\x00\x00")
  (The UUID is the SRVSVC interface and opnum 0x1f is NetPathCanonicalize, the MS08-067 call that Conficker exploits; the three predicates span three PDUs of one connection.)
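The contrast on this slide, as an added example written for this page (not code from the paper or its implementation): an exploit-based regex that encodes the bytes of one payload beside the slide's vulnerability-based predicate on the parsed password field. The request lines, the percent-encoded payload bytes, the regex EXPLOIT_RE and the helper names (parse_request_line, classify) are all constructed for illustration.

```python
"""Exploit-based regex versus vulnerability-based predicate on one HTTP request.

Added example, not code from the DEBS'11 paper.  The request lines, the
percent-encoded payload bytes and the regex are constructed for illustration.
"""
import re
from urllib.parse import unquote_to_bytes

# Exploit-based signature: the byte pattern of ONE known payload as it appears
# in the raw request (constructed stand-in for a Snort content/pcre rule): a
# sled of at least four 0x90 bytes followed by the jump bytes eb 1f 5e.
EXPLOIT_RE = re.compile(rb"(?:%90){4,}%EB%1F%5E")

def parse_request_line(line: bytes):
    """Minimal parser for 'METHOD /path?query HTTP/1.x'.

    Only the fields the vulnerability signature needs are extracted (file name
    and percent-decoded query variables); returns None for a malformed line.
    """
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    path, _, query = parts[1].partition(b"?")
    variables = {}
    for pair in query.split(b"&"):
        if pair:
            name, _, value = pair.partition(b"=")
            variables[unquote_to_bytes(name)] = unquote_to_bytes(value)
    return {"method": parts[0], "filename": path.rsplit(b"/", 1)[-1], "vars": variables}

def exploit_signature(line: bytes) -> bool:
    """Fires only on the payload bytes the regex was written for."""
    return EXPLOIT_RE.search(line) is not None

def vuln_signature(line: bytes) -> bool:
    """Slide's signature: Filename = "login.htm" && len(variable["password"]) > 20.

    It encodes the vulnerable condition (an over-long password field), so it
    fires on any exploit of the bug regardless of which bytes fill the field.
    """
    fields = parse_request_line(line)
    if fields is None:
        return False
    return fields["filename"] == b"login.htm" and len(fields["vars"].get(b"password", b"")) > 20

def classify(line: bytes):
    """Returns (exploit-signature hit, vulnerability-signature hit)."""
    return exploit_signature(line), vuln_signature(line)

# Constructed sample requests (not captured traffic).
BENIGN = b"GET /login.htm?user=alice&password=hunter2 HTTP/1.1"
KNOWN_EXPLOIT = (b"GET /login.htm?user=x&password=" + b"%90" * 8
                 + b"%EB%1F%5E" + b"%41" * 24 + b" HTTP/1.1")
# Same overflow with different sled bytes: the regex misses it, the predicate does not.
VARIANT_EXPLOIT = (b"GET /login.htm?user=x&password=" + b"%43" * 8
                   + b"%EB%1F%5E" + b"%41" * 24 + b" HTTP/1.1")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("known", KNOWN_EXPLOIT), ("variant", VARIANT_EXPLOIT)):
        hit_re, hit_vuln = classify(req)
        print(f"{name:8s} exploit-sig={hit_re!s:5s} vuln-sig={hit_vuln}")
```

The vulnerability predicate also fires on a legitimately over-long password, since it encodes the condition that triggers the bug rather than any attacker intent; that is the intended behaviour, and it is only possible because a protocol parser exposes the field, which is what the parser generator in the architecture that follows provides.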
Outline
• Related Work & System Architecture
• Matching Algorithms
  • Access Predicate Pruning (APP)
  • Early Elimination (EE)
• Multiple Protocol Data Units (MPDU) Support
  • Memory Conscious Network (MCN)
• Experimental Evaluations
• Conclusions
Related Work
Vulnerability-based signature matching: evaluate signatures over a stream of data packets
• High-speed matching [RAID'08]: the programmer has to hard-code signatures into the parser.
• Candidate Selection (CS) [SIGCOMM'10]: the only algorithm proposed for an IDS that matches many signatures; re-computes the candidate list for every field parsed.
Event processing (publish/subscribe matching): evaluate subscriptions (signatures) over a stream of events (packets)
• Propagation [SIGMOD'01]: targets specific types of predicates.
• Counting [ACM TODS'94]: predicate matching and signature matching are distinct steps, so arbitrary matchers can be supported.
• BE-Tree [SIGMOD'11] (EPTS Principle Award): two-phase space-cutting to iteratively refine and prune the search space.
Event Processing vs. IDS
[Comparison slide; its table is not recoverable from the transcript.]
System Architecture
[Figure: inputs are the protocol specs (IDL file), the vulnerability signature set, and packets. Pipeline: traffic capture (Libpcap) → protocol identification (port or PIA_Bro) → TCP reassembly (Libnids) → minimal protocol parser, generated by the parser generator (StubPAC) from the IDL file → NetShield core engine fed by the signature compiler → multiple PDU component (MCN). The legend distinguishes leveraged existing systems from the authors' contributions, the matching algorithms in the core engine and the MPDU component.]
Matching Algorithms
Access Predicate Pruning (APP)
[Figure reconstructed from its labels.]
• Pre-computation phase: each signature S_i is compiled into its typed predicates (the predicate type selects the matcher), and one predicate per signature is designated its access predicate. An index maps every predicate P_i to its predicate list (signatures containing P_i) and its access predicate list (signatures whose access predicate is P_i).
• Runtime predicate matching: when P_i matches, every signature S_j in its access predicate list is added to the partial-matches list and gets a counter; signatures in its predicate list that already have a counter are incremented.
• Runtime signature matching: check the counters; S_N is matched when its counter reaches its number of predicates.
Early Elimination (EE)
[Figure reconstructed from its labels.]
• Signature compilation (pre-computation phase): predicate lists and the partial-matches list are kept ordered by increasing signature id (sid).
• Runtime signature matching: a dual scan walks a matched predicate's list and the partial-matches list together in sid order, incrementing a counter only where a signature appears in both, so only signatures already admitted by their access predicate are touched. The final check of the counters decides which S_N is matched.
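One way to implement the APP phases on the two preceding slides, as an added example reconstructed from the slide labels (not the paper's code; EE's dual scan is not modelled). Assumptions not taken from the slides: a predicate is a (field, op, value) triple, parsed fields arrive in the fixed order FIELD_ORDER, and each signature's access predicate is its first predicate in that order, so it is always evaluated before the signature's other predicates. The signature set S1 to S3 and the two parsed PDUs are constructed; S1 is the slide's REQ-PDU predicate set.

```python
"""Access Predicate Pruning (APP) as a counting-based signature matcher.

Added example reconstructed from the slide's labels; it is not the paper's
code.  Assumptions not taken from the slides: a predicate is a
(field, op, value) triple, fields arrive in the fixed parse order FIELD_ORDER,
and each signature's access predicate is its first predicate in that order,
so the access predicate is always evaluated before the signature's others.
"""
import re
from collections import defaultdict

FIELD_ORDER = ["ver", "opnum", "pathname"]            # constructed parse order

OPS = {
    "==":   lambda v, x: v == x,
    "len>": lambda v, n: len(v) > n,                  # strlen(field) > n
    "re":   lambda v, p: re.match(p, v) is not None,  # matchRE(field, /^.../)
}

def predicate_rank(pred):
    """Evaluation order: by parsed field, then deterministically within a field."""
    field, op, value = pred
    return (FIELD_ORDER.index(field), op, repr(value))

def compile_signatures(signatures):
    """Pre-computation phase: predicate index plus one access predicate per signature."""
    index = defaultdict(lambda: {"predicate_list": [], "ap_list": []})
    access = {}
    for sid, preds in signatures.items():
        ap = min(preds, key=predicate_rank)
        access[sid] = ap
        index[ap]["ap_list"].append(sid)
        for p in preds:
            index[p]["predicate_list"].append(sid)
    order = sorted(index, key=predicate_rank)
    return {"index": index, "order": order, "access": access}

def match(compiled, signatures, pdu):
    """Runtime phase over one parsed PDU.

    A signature gets a counter (enters the partial-match list) only when its
    access predicate matches; later predicate hits increment existing counters
    and are simply dropped for signatures that were never admitted.  The final
    scan reports the signatures whose counter equals their predicate count.
    """
    partial = {}                                      # sid -> matched predicates
    for pred in compiled["order"]:
        field, op, value = pred
        if field not in pdu or not OPS[op](pdu[field], value):
            continue
        entry = compiled["index"][pred]
        for sid in entry["ap_list"]:                  # create counter
            partial[sid] = 1
        for sid in entry["predicate_list"]:           # increment existing counters
            if sid in partial and compiled["access"][sid] != pred:
                partial[sid] += 1
    matched = sorted(sid for sid, n in partial.items() if n == len(signatures[sid]))
    return matched, partial

# Constructed signature set: S1 is the slide's REQ-PDU predicate set for the
# Conficker/MS08-067 overflow; S2 and S3 are made-up neighbours sharing predicates.
SIGNATURES = {
    "S1": [("ver", "==", 3.0), ("opnum", "==", 0x1f),
           ("pathname", "len>", 256), ("pathname", "re", r"^\x05\x00\x00")],
    "S2": [("ver", "==", 2.0), ("opnum", "==", 0x1f)],
    "S3": [("ver", "==", 3.0), ("opnum", "==", 0x10), ("pathname", "len>", 100)],
}

# Constructed parsed PDUs (field values only; no real packet bytes).
EXPLOIT_REQ = {"ver": 3.0, "opnum": 0x1f, "pathname": "\x05\x00\x00" + "A" * 300}
BENIGN_REQ = {"ver": 3.0, "opnum": 0x1f, "pathname": "\\\\server\\share"}

COMPILED = compile_signatures(SIGNATURES)

if __name__ == "__main__":
    for name, pdu in (("exploit", EXPLOIT_REQ), ("benign", BENIGN_REQ)):
        matched, partial = match(COMPILED, SIGNATURES, pdu)
        print(name, "matched:", matched, "partial counters:", partial)
```

On the exploit PDU, S2 never enters the partial-matches list even though its opnum predicate matches, because its access predicate (ver == 2.0) failed first; that is the pruning, and it is why the per-predicate cost is bounded by the predicate list plus the access predicate list rather than by a recomputed candidate set as in CS.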
APP and EE Evaluation
[Evaluation plots not recoverable from the transcript.]
Multiple Protocol Data Units (MPDU) Support
Memory Conscious Network (MCN)
MPDU signatures:
  S4 = S2 & S3
  S5 = S1 -> S2
  S6 = S1 & (S2 & S3)
  S7 = (S1 || S2) & S3
[Figure: a matched single-PDU signature S_i is looked up in a hash of signature nodes (S1, S2, S3) that feed join nodes JN1 to JN5. Each join node carries an operator (&, ||, ->) and a 2-bit state (00, 01, 10, 11) recording which of its two inputs has been seen; the S2 & S3 node is shared by S4 and S6. Sample run: S1, S3, S2 arrive in that order, and the figure shows the join-node states after each arrival and the MPDU signatures output.]
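The join network above as an added example reconstructed from the slide's diagram (not the paper's code). Semantics the slide does not spell out are assumed here: '&' needs both inputs, '||' needs either, '->' needs the left input before the right, a node propagates to its parents only on the transition into the fired state, and one network instance holds the state of one connection. The class and function names (JoinNode, MCN, slide_network, run) are constructed; the four MPDU signatures and the sample run S1, S3, S2 are the slide's.

```python
"""Memory Conscious Network (MCN): evaluate multi-PDU signatures built from
single-PDU signature results with shared join nodes holding 2-bit state.

Added example reconstructed from the slide's diagram, not the paper's code.
Assumed semantics (not spelled out on the slide): '&' needs both inputs,
'||' needs either, '->' needs the left input before the right; a node
propagates to its parents only on the transition to the fired state, and one
network instance holds the state of one connection.
"""

class JoinNode:
    """A binary operator over two inputs; the whole state is two bits."""
    def __init__(self, op, left, right):
        self.op, self.left, self.right = op, left, right
        self.state = 0b00            # bit 1 = left input seen, bit 0 = right input seen
        self.parents = []            # (join node, side) pairs that consume this node
        self.outputs = []            # MPDU signature names this node completes

    def fired(self):
        if self.op == "||":
            return self.state != 0b00
        return self.state == 0b11    # '&' and '->' both need both inputs

class MCN:
    def __init__(self):
        self.nodes = {}              # (op, left key, right key) -> JoinNode (node sharing)
        self.leaves = {}             # single-PDU signature name -> [(node, side)]

    def _key(self, expr):
        return expr if isinstance(expr, str) else (expr[1], self._key(expr[0]), self._key(expr[2]))

    def _build(self, expr):
        """expr is a signature name or (left, op, right); returns a node or leaf name."""
        if isinstance(expr, str):
            self.leaves.setdefault(expr, [])
            return expr
        key = self._key(expr)
        if key not in self.nodes:                      # identical subtree -> same node
            node = JoinNode(expr[1], self._build(expr[0]), self._build(expr[2]))
            for child, side in ((node.left, "L"), (node.right, "R")):
                target = self.leaves[child] if isinstance(child, str) else child.parents
                target.append((node, side))
            self.nodes[key] = node
        return self.nodes[key]

    def add_signature(self, name, expr):
        self._build(expr).outputs.append(name)

    def _activate(self, node, side, out):
        if side == "R" and node.op == "->" and not node.state & 0b10:
            return                                     # right input before left: out of order
        was = node.fired()
        node.state |= 0b10 if side == "L" else 0b01
        if node.fired() and not was:
            out.extend(node.outputs)
            for parent, pside in node.parents:
                self._activate(parent, pside, out)

    def on_match(self, sig):
        """Feed one matched single-PDU signature; returns MPDU signatures completed."""
        out = []
        for node, side in self.leaves.get(sig, []):
            self._activate(node, side, out)
        return out

def run(network_factory, matches):
    """Replay a sequence of single-PDU matches on a fresh per-connection network."""
    net = network_factory()
    return [s for m in matches for s in net.on_match(m)]

def slide_network():
    net = MCN()
    net.add_signature("S4", ("S2", "&", "S3"))
    net.add_signature("S5", ("S1", "->", "S2"))
    net.add_signature("S6", ("S1", "&", ("S2", "&", "S3")))   # shares S2 & S3 with S4
    net.add_signature("S7", (("S1", "||", "S2"), "&", "S3"))
    return net

if __name__ == "__main__":
    print("nodes:", len(slide_network().nodes))
    print("run S1, S3, S2 ->", run(slide_network, ["S1", "S3", "S2"]))
```

Four signatures compile to five join nodes because S6 reuses the S2 & S3 node that S4 owns; per connection the network keeps two bits per join node, nothing per signature, which is the memory argument behind the name. Replaying the slide's run, S7 completes when S3 arrives (S1 had already satisfied the || node) and S4, S6 and S5 complete together when S2 arrives.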
MCN Evaluation
[Evaluation plots not recoverable from the transcript.]
Conclusions and Future Work
• Vulnerability-based signature matching
  • Proposed two novel solutions, APP and EE
  • Attack-resilient and faster than CS
  • Access predicate selectivity (future work)
• MPDU support
  • One of the first efforts to match MPDU signatures
  • MCN is memory-efficient and 29 times faster than a sequential scan
  • Balancing network depth against node sharing (future work)
Challenges of Vulnerability Signatures
• Enable high-speed parsing: parse only the relevant fields
• Support arbitrary matchers: RE, strings, length checking, numbers, and ranges
• Reduce state maintenance: avoid state explosion for MPDU matching
APP and EE Complexities
• Time complexity (worst case)
  • APP: for every predicate, O(Predicate List + AP List); final scan O(Partial Matches List)
  • EE: for every predicate, O(Predicate List + Partial Matches AP List); final scan O(Partial Matches List)
• Memory footprint (APP and EE): determined by the size of the Partial Matches List