DERBI: Diagnosis, Explanation and Recovery from Break-Ins
Mabry Tyson, Douglas Moran, Pauline Berry, David Blei
Artificial Intelligence Center, SRI International
333 Ravenswood Avenue, Menlo Park, CA 94025
http://www.ai.sri.com/~derbi
DARPA Information Survivability Program Intrusion Detection PI Meeting
Introduction
• PART 1: Presentation of Evaluation Results
  • Design assumptions:
    • an out-of-the-box system
    • after-the-fact analysis
    • no network monitoring or audit trail data
  • Data source: end-of-day filesystem dumps for Pascal
    • not available: contents of /tmp, /proc, OS tables, ...
• PART 2: Status of DERBI System
• PART 3: Future
Evaluation Procedure
• Scoring is based on *.list files. DERBI was not designed to use those data sources, so there is no automatic mapping
  • Manual mapping, no additional information used
  • Attacks detected but scored as undetected because we could not identify the corresponding session (3)
  • Some false positives similarly unscored (approx. 5)
• Full DERBI system not used
  • to better fit into the scoring protocol
  • to provide linearized textual output
Detection of Buffer Overflow Attacks
• FFB: 2 of 2
• PS: 3 of 4 + failed attack*
• EJECT: 7 of 7; 1 false
• FORMAT: 6 of 7; 1 false
(table: one column per attack ID: 137, 60, 6*, 87, 102, 129, 136, 22, 28, 77, 112, 115, 147, False, 8, 11, 35, 63, 75, 120, False, 54, 104; each column marked Detected, Detected but session not identified, or Undetected; rows give the evidence used: Inconsistent, Normal Access, uudecode, Suspicious login, uudemon.cleanup, /etc/passwd, FileSys Changes, Exploit Script Created, Exploit Script Accessed, and Probability (5% or 50%; blank if 100%); legend: x = major evidence, + = contributing evidence; the per-cell marks are not recoverable from this rendering)
Visibility of Evidence
(timeline chart over two weeks, M Tu W Th F each; attack IDs per row as listed)
• eject: 22 28 77 147 137 112 115
• format: 60 11 35 63 75 120
• ffb: 8 54 104 6 102 136 87 129
• read: 136
• ps create: 6 87
• uudecode: 8 22 28 35 63 120
• uud.clean: 16 115
Legend: exploit detected; normal usage; exploit evidence overwritten; failed exploit detected; false positive
Attack Evidence Rules Used in the Evaluation Test Set: 18% (chart)
Example Evidence Rule: EJECT buffer overflow

  EVIDENCE-TYPE    (exploit (setuid root) buffer-overflow)
  UNIQUE-NAME      eject-1
  EVALUATION-NAME  eject
  PATHS            (follow-links '("/usr/bin/eject"))
  EVIDENCE
    (((not (and (command-version-vulnerable-p DIR FILE)        ;; not a vulnerable command, or
                (window-of-opportunity (TimeAccessed PATH))))   ;; not used in the interval of interest
      0 0)        ;;; assign 0% probability to the command being used and 0% belief that it was
     ((greater-than (TimeAccessed PATH)                         ;;; use is later than
                    (max (TimeModified "/cdrom") (TimeModified "/floppy")))  ;;; the expected effects
      40 100))    ;;; 40% probability of exploit, no change in belief about whether it was exploited
  POSIT
    ((posit ((TIME (TimeAccessed PATH)))
            (compromised-shell "root" TIME *unknown-time*)))
  EXPLANATION      (next slide)
Evidence Rule: EJECT buffer overflow (cont.)

  UNIQUE-NAME      eject-1
  PATHS            (follow-links '("/usr/bin/eject"))
  EXPLANATION
    (explain-evidence
      (PATH                                                  ;;; variable declarations
       (TIME  (print-unix-time (TimeAccessed PATH)))
       (TIME2 (print-unix-time (TimeModified "/cdrom")))
       (TIME3 (print-unix-time (TimeModified "/floppy"))))
      (TimeAccessed PATH)                                    ;;; "as-of" time
      "The command ~S is version vulnerable to a buffer overflow attack and appears to have been used at time ~A which is more recent than two associated files: /cdrom (~A) and /floppy (~A)."
      PATH TIME TIME2 TIME3)
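As an added illustration (not DERBI's own code), the eject-1 rule's EVIDENCE, POSIT and EXPLANATION parts rendered in Python over a constructed filesystem dump. The vulnerable-command table, the window of opportunity and UTC time formatting are assumptions standing in for command-version-vulnerable-p, window-of-opportunity and print-unix-time.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class FileInfo:
    path: str
    atime: int  # last access time (unix seconds) as read from the end-of-day dump
    mtime: int  # last modification time (unix seconds)

# Constructed sample dump of the three files the eject-1 rule consults. The eject
# atime and the /cdrom and /floppy mtimes are the times printed in the slide's
# example output, converted to unix seconds; the other values are hypothetical.
SAMPLE_FS: Dict[str, FileInfo] = {
    "/usr/bin/eject": FileInfo("/usr/bin/eject", atime=901218794, mtime=880000000),
    "/cdrom":         FileInfo("/cdrom",         atime=887316166, mtime=887316166),
    "/floppy":        FileInfo("/floppy",        atime=900945135, mtime=900945135),
}
# Assumed stand-in for command-version-vulnerable-p: a table of vulnerable commands.
VULNERABLE_COMMANDS = {"/usr/bin/eject"}

def fmt_time(t: int) -> str:
    """Stand-in for print-unix-time; UTC so the output is deterministic."""
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%d-%b-%Y %H:%M:%S UTC")

def eject_rule(fs: Dict[str, FileInfo], window: Tuple[int, int]) -> Optional[tuple]:
    """Evaluate the two EVIDENCE clauses in order. Returns (probability, belief,
    posit) for the first clause that matches, or None when neither does."""
    eject = fs["/usr/bin/eject"]
    vulnerable = eject.path in VULNERABLE_COMMANDS
    used_in_window = window[0] <= eject.atime <= window[1]   # window-of-opportunity
    if not (vulnerable and used_in_window):
        return (0, 0, None)                 # 0% probability of use, 0% belief
    expected_effects = max(fs["/cdrom"].mtime, fs["/floppy"].mtime)
    if eject.atime > expected_effects:      # used, but no media directory touched afterwards
        # POSIT: a root shell from the access time onward; end time unknown
        posit = ("compromised-shell", "root", eject.atime, "*unknown-time*")
        return (40, 100, posit)             # 40% probability of exploit, belief unchanged
    return None                             # normal use: no evidence asserted

def explain(fs: Dict[str, FileInfo]) -> str:
    """Fill the rule's EXPLANATION template (args PATH TIME TIME2 TIME3)."""
    e = fs["/usr/bin/eject"]
    return (f'The command "{e.path}" is version vulnerable to a buffer overflow attack '
            f"and appears to have been used at time {fmt_time(e.atime)} which is more "
            f"recent than two associated files: /cdrom ({fmt_time(fs['/cdrom'].mtime)}) "
            f"and /floppy ({fmt_time(fs['/floppy'].mtime)}).")

# Constructed variant: /floppy was modified after eject ran, i.e. the expected
# effect of a genuine eject is present, so the rule should not fire.
NORMAL_FS = {**SAMPLE_FS, "/floppy": replace(SAMPLE_FS["/floppy"], mtime=901220000)}
```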
Example Output for an Attack

+04:53:25 later
====================================
Time: 23-Jul-1998 14:32:39 EDT (901218759)
Exploit: Suspicious-login (Suspicious-login)
Login for user "darleent" from host 194.7.248.153
-------------------------------------------------------------
+00:00:12 later
====================================
Time: 23-Jul-1998 14:32:51 EDT (901218771)
Exploit: DOWNLOADING-EXPLOIT (UUDECODE-1)
"/usr/bin/uudecode" is often used by crackers and rarely by users, and appears to have been used at time 23-Jul-1998 14:32:51 EDT.
-------------------------------------------------------------
+00:00:23 later
====================================
Time: 23-Jul-1998 14:33:14 EDT (901218794)
Exploit: EJECT (EJECT-1)
The command "/usr/bin/eject" is version vulnerable to a buffer overflow attack and appears to have been used at time 23-Jul-1998 14:33:14 EDT which is more recent than two associated files: /cdrom (12-Feb-1998 15:42:46 EST) and /floppy (20-Jul-1998 10:32:15 EDT).
Asserting belief/plausibility = (40 100)
-------------------------------------------------------------
+12:10:32 later
More Indirect Detection
• mscan (#80): spotted probing of telnet
• saint (#53): detected rlogin to root via ++
• warez (#66-1): detected creation of "hidden" directory
• xsnoop (#71): detected root remote logins (and FTP) paired to immediately preceding SU to root by user alie
• HTTP tunnel: not matched to session (scored undetected)
  • detected installation of bogus uudemon.cleanup
  • detected use (via CRON: uucp and later bramy)
Interesting False Detections
• Rlogin from local host to privileged account (root) that has "+ +" in .rhosts
• root SetUID command installed ("top")
• login record inconsistencies
  • root: lastlog date later than last entry in wtmpx
  • start of root login missing (wtmpx truncation?)
  • ~root/.cshrc access does not match root login and is far from SU, but 30 seconds after suspicious remote login
• some related to test setup/shutdown (ignored, based on timing)
DERBI Architecture
• Three major components:
  • Head: analysis, reasoning, and explanation
  • Body: interface between complex queries of Head and simple data from Feet
  • Feet: simple data collection; may run on remote system
    • file system information
    • log files
• Support heterogeneous clusters & low-end systems
Log File Information Relationships
(diagram of sources: utmp, wtmp, utmpx, wtmpx, lastlog, sulog, syslog, messages, authlog, cronlog, crontabs, shell init files, filesystem)
• Partial redundancy of info
• Redundancy is a common result of the evolution & growth of systems
• Use to check for tampering
• Also exposes changes to system clock
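To show the cross-checking that this redundancy allows (an added example, not DERBI code), constructed wtmpx and lastlog records are compared the way the root lastlog inconsistency listed under Interesting False Detections and a system clock change would surface. The record layout is simplified and assumed; only the user, host and time fields are modelled.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Login:
    user: str
    host: str
    time: int   # unix seconds as recorded in wtmpx

# Constructed sample records (not from the evaluation data). wtmpx is the
# append-only login history; lastlog holds one "last login" time per user.
WTMPX: List[Login] = [
    Login("alie", "console", 901200000),
    Login("root", "console", 901203600),
    Login("darleent", "194.7.248.153", 901218759),  # time from the slide's example output
    Login("alie", "console", 901215000),             # earlier than the record before it
]
LASTLOG: Dict[str, int] = {
    "alie": 901215000,
    "darleent": 901218759,
    "root": 901225000,   # later than root's last wtmpx record
}

def check_lastlog_vs_wtmpx(wtmpx: List[Login], lastlog: Dict[str, int]) -> List[str]:
    """Each user's lastlog time should equal that user's latest wtmpx login.
    A later lastlog means wtmpx was truncated or edited (or lastlog was tampered)."""
    latest: Dict[str, int] = {}
    for rec in wtmpx:
        latest[rec.user] = max(latest.get(rec.user, 0), rec.time)
    findings = []
    for user, t in lastlog.items():
        if user not in latest:
            findings.append(f"{user}: lastlog entry but no wtmpx login record")
        elif t > latest[user]:
            findings.append(f"{user}: lastlog {t} later than last wtmpx entry {latest[user]}")
    return findings

def check_clock_order(wtmpx: List[Login]) -> List[int]:
    """wtmpx is written sequentially, so a record earlier than its predecessor
    indicates tampering or a system clock change; returns the offending indexes."""
    return [i for i in range(1, len(wtmpx)) if wtmpx[i].time < wtmpx[i - 1].time]
```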
Checking a Suspect System (diagram)
Future
• Analysis for interrelated systems
  • overlapping file systems, servers, users, other privileges (not just simple client-server)
• Support of multiple OS's and OS families
• Expansion and standardization of attack data
  • vulnerabilities, exploits, tools, camouflage, packages
• Test and distribution: operational clusters; false positive rates
• Explanation
• More sophisticated analysis
• Identification of higher-level goals