Language-Based Generation and Evaluation of NIDS Signatures
Shai Rubin, Somesh Jha, Barton P. Miller
University of Wisconsin, Madison
Misuse Network Intrusion Detection System (NIDS)
Problem: A single attack might have many forms:
• Ptacek and Newsham, 1998
• Handley and Paxson, 2001
• Marty, 2002
• Mutz, Vigna, and Kemmerer, 2003
• Vigna, Robertson, and Balzarotti, 2004
• Rubin, Jha, Miller, 2004
• And others...
[Figure: an attacker sends the FTP stream "TYPE A \n LIST \n CWD ..." across the network to a NIDS; the strings "TYPE A \n (.)*CWD <long arg>" and "TYPE A \n CWD <long arg>\n" are shown as signature-database entries.]
Rubin, Jha, Miller
Problem: Accurate Signatures
• Today, we construct signatures in an ad-hoc manner
• Challenges: complex protocols, redundancy
• Questions:
  • Can we systematically construct an accurate signature?
  • Can we systematically evaluate a signature?
  • Can we systematically compare signatures?
[Figure: the attacker's stream "TYPE A \n LIST \n CWD ..." reaches a NIDS whose signature database holds "TYPE A \n (.)*CWD <long arg>".]
Contributions
• Practical: provide signature writers with a methodology and a tool that enable them to systematically construct a signature, evaluate its accuracy, and compare it to other signatures
• Conceptual:
  • a session signature,
  • a semantic model for an attack protocol,
  • a language-based approach to signature construction
A NIDS Signature
• Attack: a set of TCP streams (A)
• Signature: a set of TCP streams (Sig)
• A perfect signature: Sig = A
• Problem: most of the time A is unknown. Difficult to:
  • construct an accurate signature
  • evaluate changes to the signature
  • compare signatures
[Figure: Venn diagram over the set of all TCP streams, showing the sets Sig and A, and the ideal case Sig = A.]
Language-Based Approach
• Attack: the language A_ghost (unknown)
• Signature: the language L_sig
• Goal: compare the two languages
• Problem: containment is difficult to determine, because A_ghost is unknown
• Ideas:
  • Abstraction: over-approximate A_ghost by a language A_inv for which containment is easy to determine
  • Automation: use an automatic tool to compare L_sig and A_inv
[Figure: Venn diagram over TCP streams: A_ghost inside A_inv, with L_sig overlapping both.]
Language-Based Signature Construction
[Figure (built up over several slides): Venn diagram over TCP streams with A_ghost ⊆ A_inv and the signature L_sig. Labelled regions: fn (attack streams in A_ghost that L_sig misses, i.e. false negatives), fp (streams in L_sig outside the attack, i.e. false positives), and, once A_inv is drawn, a third region labelled sp between A_ghost and A_inv.]
Outline
• Goal: develop a methodology to construct and evaluate signatures
• Main idea: use a formal language to approximate A_ghost and automatically compare this language to L_sig
• The languages
• The signature construction process
L_sig: A Syntactic Representation of the Attack
• Our signature is a regular language
• Alphabet: application-level events, for example FTP commands
• A session signature: a string in the language represents the entire attack session, not just the exploit packet
• Each signature is a concatenation of three languages: preparation (L_pre), exploitation (L_exp), and confirmation (L_conf)
ftp-cwd [CAN-2002-0126]
• Preparation: FTP login
• Exploitation: a CWD command with a long argument
[Figure: state machine over the events L (login), Q (logout), C and A, where A is a CWD command such that (length>100 && data matches (.)*/bin/sh(.)*); the login sub-machine precedes the attack sub-machine.]
L_ftp-cwd: ftp-cwd Session Signature
• Non-recursive hierarchical state machine
• Constructed automatically
• Can be analyzed
[Figure: hierarchical state machine over the events A, C, IR, L, Q, with a start state, login, attack and logout sub-machines, an intrusion state, and accept/reject states.]
L_ftp-cwd vs. Snort
[Figure: the same hierarchical state machine, compared with Snort.]
Language-Based Signature Construction
[Figure: Venn diagram over TCP streams of A_ghost, A_inv and the session signature, with the regions fn, fp and sp.]
A_inv: Semantic Representation of the Attack
• Another regular language
• Models semantic properties of the attack, such as:
  • “Requires FTP login”
  • “Requires ASCII FTP mode”
  • “Requires HTTP 1.1”
• Using an FSM we model the semantics of the application-level protocol that the attack uses
FTP Semantic Model
[Figure: the FTP state variables and the FTP transitions of the semantic model.]
Language-Based Signature Construction
[Figure: process diagram. Inputs: the semantic model (A_inv) and the session signature (L_sig). Spin performs the automatic comparison and returns either a string, a witness stream in the FN, FP or SP region, or NULL when no such stream exists. The signature is then refined manually (currently) and the comparison repeated.]
Constructing a Signature for ftp-cwd
[Figure (built up over several slides): the semantic model with state variable login=1 and the candidate signature are fed to Spin. For signature L1 Spin returns a false-positive witness string FP1; refining L1 into L2 yields FP2; refining into L3 yields FP3; refining into L4 makes Spin return NULL.]
• Comparing signatures:
  • It is possible to show that L4 does not miss more attacks than L1 (under certain assumptions)
  • L1, L2, L3, L4: from more false positives to fewer false positives
Constructing a Signature for pro-ftpd
[Figure: semantic model with state variables login=1 and TYPE='A'; Spin returns a false-negative witness string FN1.]
• Two signatures, based on the configuration of the FTP server
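The refinement loop of the last slides (semantic model and signature in, witness string or NULL out), the signature-to-signature comparison on the ftp-cwd slide and the configuration-dependent pro-ftpd case, as an added example that is not the paper's tool, Promela model or signatures. It assumes a constructed alphabet of FTP events, a toy semantic model whose only state variables are the login flag and the transfer type, four hand-written signatures L1 to L4, and a breadth-first search over the product automaton in place of Spin; the server configurations are only illustrative, but the default transfer type of ASCII and the REIN reset behaviour follow RFC 959.

```python
"""Added example (not the paper's own code): a toy FTP semantic model (A_inv),
session signatures (L_sig) over application-level events, and a
product-automaton search standing in for Spin. Event names, state variables,
signatures and server configurations are constructed assumptions."""
from collections import deque

# Constructed alphabet of application-level FTP events (assumption).
EVENTS = ("LOGIN", "REIN", "TYPE_A", "TYPE_I", "LIST", "CWD_SHORT", "CWD_LONG")


class FtpModel:
    """Over-approximation of an FTP server keeping only the state the ftp-cwd
    attack depends on: login flag and transfer type. An intrusion is flagged
    when a long CWD argument reaches a logged-in server (and, if need_ascii,
    only while the transfer type is ASCII). REIN resets the session to its
    defaults (RFC 959); default_type models the server configuration, and
    RFC 959's default is 'A'."""

    def __init__(self, default_type="A", need_ascii=False):
        self.default_type, self.need_ascii = default_type, need_ascii

    def initial(self):
        return (0, self.default_type, False)  # (login, type, intruded)

    def accepts(self, state):
        return state[2]  # the stream is in A_inv once an intrusion happened

    def step(self, state, event):
        login, ftype, intruded = state
        if event == "LOGIN":
            login = 1
        elif event == "REIN":
            login, ftype = 0, self.default_type
        elif event in ("TYPE_A", "TYPE_I") and login:  # TYPE before login: 530
            ftype = event[-1]
        elif event == "CWD_LONG" and login and (ftype == "A" or not self.need_ascii):
            intruded = True  # sticky: nothing clears it
        # LIST, CWD_SHORT and commands before login change no relevant state
        return (login, ftype, intruded)


class Signature:
    """Regular session signature as a DFA over EVENTS. Unlisted transitions
    are self-loops and ACCEPT is absorbing, mimicking a streaming (.)* match."""

    def __init__(self, name, transitions):
        self.name, self.t = name, transitions

    def initial(self):
        return "start"

    def accepts(self, state):
        return state == "ACCEPT"

    def step(self, state, event):
        return state if state == "ACCEPT" else self.t.get((state, event), state)


def witness(a, b):
    """Shortest event sequence accepted by a but not by b, or None if L(a) is
    contained in L(b): breadth-first reachability over the product automaton.
    This is the check the slides delegate to Spin (a string or NULL)."""
    start = (a.initial(), b.initial())
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (sa, sb), path = queue.popleft()
        if a.accepts(sa) and not b.accepts(sb):
            return path
        for e in EVENTS:
            nxt = (a.step(sa, e), b.step(sb, e))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + (e,)))
    return None


def evaluate(sig, model):
    """(false-positive witness, false-negative witness) of sig against model."""
    return witness(sig, model), witness(model, sig)


# Constructed signatures, in the refinement order of the slides (assumption).
L1 = Signature("L1: (.)*CWD<long>", {("start", "CWD_LONG"): "ACCEPT"})
L2 = Signature("L2: login (.)* CWD<long>",
               {("start", "LOGIN"): "in", ("in", "CWD_LONG"): "ACCEPT"})
L3 = Signature("L3: login, no REIN, CWD<long>",
               {("start", "LOGIN"): "in", ("in", "REIN"): "start",
                ("in", "CWD_LONG"): "ACCEPT"})
L4 = Signature("L4: login, TYPE A, CWD<long>",
               {("start", "LOGIN"): "in", ("in", "REIN"): "start",
                ("in", "TYPE_A"): "ascii", ("ascii", "TYPE_I"): "in",
                ("ascii", "REIN"): "start", ("ascii", "CWD_LONG"): "ACCEPT"})

FTP_CWD = FtpModel()                                   # attack needs login only
PROFTPD_ASCII = FtpModel(default_type="A", need_ascii=True)   # hypothetical config
PROFTPD_BINARY = FtpModel(default_type="I", need_ascii=True)  # hypothetical config

if __name__ == "__main__":
    for sig in (L1, L2, L3, L4):
        for label, model in (("ftp-cwd", FTP_CWD), ("pro-ftpd/A", PROFTPD_ASCII),
                             ("pro-ftpd/I", PROFTPD_BINARY)):
            fp, fn = evaluate(sig, model)
            print(f"{sig.name:32} {label:11} FP={fp} FN={fn}")
    print("L2 \\ L3 =", witness(L2, L3), "; L3 \\ L2 =", witness(L3, L2))
```

Running it reproduces the shape of the slides: L1 is refuted by the lone stream CWD_LONG (no login), L2 by LOGIN, REIN, CWD_LONG, and L3 is exact for the login-only model. Against the ASCII-requiring model, L3 produces a false positive (LOGIN, TYPE_I, CWD_LONG) while the Snort-style L4 produces a false negative (LOGIN, CWD_LONG, since ASCII is already the default); only when the server is configured with a binary default is L4 exact, which is the configuration-dependent pair of signatures the pro-ftpd slide describes. The witness function also compares signatures directly: L3 is contained in L2, but not the reverse.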
Lessons to Take Home
• A methodology to construct and evaluate signatures
• Able to detect loopholes in signatures, loopholes that we did not anticipate
• The accuracy of the signature depends on the accuracy of the semantic model
[Figure: Venn diagram over TCP streams of A_ghost, A_inv and the session signature, with the regions fn, fp and sp.]