
DERBI: Diagnosis, Explanation and Recovery from Break-Ins

Mabry Tyson, Douglas Moran, Pauline Berry, David Blei
Artificial Intelligence Center, SRI International, 333 Ravenswood Avenue, Menlo Park CA 94025
http://www.ai.sri.com/~derbi


Presentation Transcript


  1. DERBI: Diagnosis, Explanation and Recovery from Break-Ins
     Mabry Tyson, Douglas Moran, Pauline Berry, David Blei
     Artificial Intelligence Center, SRI International, 333 Ravenswood Avenue, Menlo Park CA 94025
     http://www.ai.sri.com/~derbi
     DARPA Information Survivability Program Intrusion Detection PI Meeting

  2. Introduction
     • PART 1: Presentation of Evaluation Results
       • Design assumption:
         • an out-of-the-box system
         • after-the-fact analysis
         • no network monitoring or audit trail data
       • Data source: end-of-day filesystem dumps for Pascal
         • not available: contents of /tmp, /proc, OS tables, ...
     • PART 2: Status of DERBI System
     • PART 3: Future

  3. Evaluation Procedure
     Scoring was based on the *.list files. DERBI was not designed to use those data sources, so there was no automatic mapping between its findings and the scored sessions.
     • Manual mapping, no additional information used
     • Attacks detected but scored as undetected because we could not identify the corresponding session (3)
     • Some false positives similarly unscored (approx. 5)
     • Full DERBI system not used
       • to better fit into the scoring protocol
       • to provide linearized textual output

  4. Detection of Buffer Overflow Attacks
     [table; the cell-by-cell layout did not survive extraction, only the headings, scores and legend]
     Scores: FFB 2 of 2; PS 3 of 4 + failed attack*; EJECT 7 of 7, 1 false; FORMAT 6 of 7, 1 false
     Attack ID columns: 137 60 6* 87 102 129 136 22 28 77 112 115 147 False 8 11 35 63 75 120 False 54 104
     Evidence rows: Inconsistent; Normal Access; uudecode; Suspicious login; uudemon.cleanup; /etc/passwd; FileSys Changes; Exploit Script: Created / Accessed; Probability (5%, 50%; blank if 100%)
     Legend: Detected; Detected, but session not identified; Undetected; x = major, + = contributing

  5. Visibility of Evidence
     [chart over two weeks (M Tu W Th F, M Tu W Th F); colour legend: exploit detected, normal usage, exploit evidence overwritten, failed exploit detected, false positive]
     eject: 22 28 77 147 137 112 115
     format: 60 11 35 63 75 120
     ffb: 8 54 104 6 102 136 87 129
     read: 136
     ps create: 6 87
     uudecode: 8 22 28 35 63 120
     uud.clean: 16 115

  6. Attack Evidence Rules Used in the Evaluation Test Set = 18%

  7. Example Evidence Rule: EJECT buffer overflow
     EVIDENCE-TYPE (exploit (setuid root) buffer-overflow)
     UNIQUE-NAME eject-1
     EVALUATION-NAME eject
     PATHS (follow-links '("/usr/bin/eject"))
     EVIDENCE
       ( ((not (and (command-version-vulnerable-p DIR FILE)            ;; not vulnerable command or
                    (window-of-opportunity (TimeAccessed PATH))))      ;; not used in interval of interest
          0 0)                                                         ;;; assign 0% probability to command being used and 0% belief that it was
         ((greater-than (TimeAccessed PATH)                            ;;; use is later than
                        (max (TimeModified "/cdrom") (TimeModified "/floppy")))   ;;; expected effects
          40 100) )                                                    ;;; 40% probability of exploit, no change in belief about whether it was exploited
     POSIT ((posit ((TIME (TimeAccessed PATH)))
                   (compromised-shell "root" TIME *unknown-time*)))
     EXPLANATION (next slide)

  8. Evidence Rule: EJECT buffer overflow (cont)
     UNIQUE-NAME eject-1
     PATHS (follow-links '("/usr/bin/eject"))
     EXPLANATION
       (explain-evidence
         ( PATH                                                ;;; variable declarations
           (TIME  (print-unix-time (TimeAccessed PATH)))
           (TIME2 (print-unix-time (TimeModified "/cdrom")))
           (TIME3 (print-unix-time (TimeModified "/floppy"))) )
         (TimeAccessed PATH)                                   ;;; "as-of" time
         "The command ~S is version vulnerable to a buffer overflow attack and appears to have been used at time ~A which is more recent than two associated files: /cdrom (~A) and /floppy (~A)."
         PATH TIME TIME2 TIME3)

  9. Example Output for an Attack
     +04:53:25 later
     ====================================
     Time: 23-Jul-1998 14:32:39 EDT (901218759)
     Exploit: Suspicious-login (Suspicious-login)
     Login for user "darleent" from host 194.7.248.153
     -------------------------------------------------------------
     +00:00:12 later
     ====================================
     Time: 23-Jul-1998 14:32:51 EDT (901218771)
     Exploit: DOWNLOADING-EXPLOIT (UUDECODE-1)
     "/usr/bin/uudecode" is often used by crackers and rarely by users, and appears to have been used at time 23-Jul-1998 14:32:51 EDT.
     -------------------------------------------------------------
     +00:00:23 later
     ====================================
     Time: 23-Jul-1998 14:33:14 EDT (901218794)
     Exploit: EJECT (EJECT-1)
     The command "/usr/bin/eject" is version vulnerable to a buffer overflow attack and appears to have been used at time 23-Jul-1998 14:33:14 EDT which is more recent than two associated files: /cdrom (12-Feb-1998 15:42:46 EST) and /floppy (20-Jul-1998 10:32:15 EDT).
     Asserting belief/plausibility = (40 100)
     ------------------------------------------------------------
     +12:10:32 later
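The eject-1 rule of slides 7 and 8 and the report format of slide 9, carried through as an added example in Python (not DERBI's own code, which is written in the Lisp-style rule language shown above). It assumes a FileInfo record holding the atime/mtime the Feet would collect, encodes window-of-opportunity as a (start, end) pair of Unix seconds, and prints times in UTC where the slides show local EDT/EST; the file names and timestamps are the constructed sample from slide 9.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class FileInfo:           # constructed stand-in for the atime/mtime DERBI's Feet collect
    path: str
    time_accessed: int    # Unix seconds
    time_modified: int

def print_unix_time(t: int) -> str:
    """Hypothetical print-unix-time; renders in UTC (the slides show local EDT/EST)."""
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%d-%b-%Y %H:%M:%S %Z")

def explain_eject(eject: FileInfo, cdrom: FileInfo, floppy: FileInfo) -> str:
    """The EXPLANATION template of slide 8 with its four arguments filled in."""
    return (f'The command "{eject.path}" is version vulnerable to a buffer overflow attack '
            f"and appears to have been used at time {print_unix_time(eject.time_accessed)} "
            "which is more recent than two associated files: "
            f"/cdrom ({print_unix_time(cdrom.time_modified)}) and "
            f"/floppy ({print_unix_time(floppy.time_modified)}).")

def eject_rule(eject, cdrom, floppy, version_vulnerable, window):
    """Evaluate the two EVIDENCE clauses of eject-1; returns ((probability, belief), explanation).
    window = (start, end) Unix seconds is an assumed encoding of window-of-opportunity."""
    in_window = window[0] <= eject.time_accessed <= window[1]
    if not (version_vulnerable and in_window):      # clause 1: not vulnerable or not used -> 0 0
        return (0, 0), None
    # clause 2: eject ran after the side effects ordinary use leaves on /cdrom and /floppy
    if eject.time_accessed > max(cdrom.time_modified, floppy.time_modified):
        return (40, 100), explain_eject(eject, cdrom, floppy)
    return (0, 0), None   # no clause matched: ordinary use (assumption; the slide shows no third clause)

def report(eject, cdrom, floppy, version_vulnerable, window) -> str:
    """Render the result in the shape of the slide-9 output; empty string when nothing to assert."""
    (prob, belief), why = eject_rule(eject, cdrom, floppy, version_vulnerable, window)
    if why is None:
        return ""
    return (f"Time: {print_unix_time(eject.time_accessed)} ({eject.time_accessed})\n"
            f"Exploit: EJECT (EJECT-1)\n{why}\nAsserting belief/plausibility = ({prob} {belief})")

# Constructed sample: the slide-9 timestamps, converted to Unix seconds.
EJECT = FileInfo("/usr/bin/eject", 901218794, 880000000)
CDROM = FileInfo("/cdrom", 0, 887316166)
FLOPPY = FileInfo("/floppy", 0, 900945135)
WINDOW = (901200000, 901300000)

if __name__ == "__main__":
    print(report(EJECT, CDROM, FLOPPY, True, WINDOW))
```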

  10. More Indirect Detection
     • mscan (#80): spotted probing of telnet
     • saint (#53): detected rlogin to root via ++
     • warez (#66-1): detected creation of "hidden" directory
     • xsnoop (#71): detected root remote logins (and FTP) paired to immediately preceding SU to root by user alie
     • HTTP tunnel: not matched to session (scored undetected)
       • detected installation of bogus uudemon.cleanup
       • detected use (via CRON: uucp and later bramy)

  11. Interesting False Detections
     • Rlogin from local host to privileged account (root) that has "+ +" in .rhosts
     • root SetUID command installed ("top")
     • login record inconsistencies
       • root: lastlog date later than last entry in wtmpx
       • start of root login missing (wtmpx truncation?)
     • ~root/.cshrc access does not match a root login and is far from any SU, but is 30 seconds after a suspicious remote login
     • some related to test setup/shutdown (ignored, based on timing)

  12. DERBI Architecture
     • Three major components:
       • Head: analysis, reasoning, and explanation
       • Body: interface between complex queries of Head and simple data from Feet
       • Feet: simple data collection - may run on remote system
         • file system information
         • log files
     • Support heterogeneous clusters & low-end systems

  13. Log File Information Relationships
     [diagram; nodes: utmp, wtmp, syslog, utmpx, wtmpx, messages, authlog, cronlog, crontabs, Shell Init Files, Filesystem, lastlog, sulog]
     • Partial redundancy of info
     • Redundancy a common result of the evolution & growth of systems
     • Use to check for tampering
     • Also exposes changes to system clock
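The redundancy checks that slide 13 motivates and slide 11 lists (lastlog newer than wtmpx, a login whose start is missing, a ~root/.cshrc access with no nearby root login or SU, and records whose timestamps run backwards), as an added example in Python rather than DERBI's own Feet/Body code. It assumes the log files have already been parsed into a flat Entry record (kind, user, Unix time) kept in file order; the records themselves are a constructed sample.

```python
from dataclasses import dataclass

# Constructed, already-parsed records. DERBI's Feet would extract these from the binary
# wtmpx/lastlog/sulog files; the field layout below is an assumption of this example.
@dataclass
class Entry:
    kind: str     # "login", "logout" or "su" (su to root, as logged in sulog)
    user: str
    time: int     # Unix seconds; list order is file order

def lastlog_vs_wtmpx(user: str, lastlog_time: int, wtmpx: list) -> bool:
    """Slide 11: True when lastlog claims a login newer than every wtmpx login for the user."""
    logins = [e.time for e in wtmpx if e.kind == "login" and e.user == user]
    return lastlog_time > max(logins, default=0)

def missing_login_starts(wtmpx: list) -> list:
    """Logouts with no open login for the same user: wtmpx truncation or a removed record."""
    open_logins, orphans = {}, []
    for e in wtmpx:
        if e.kind == "login":
            open_logins[e.user] = open_logins.get(e.user, 0) + 1
        elif e.kind == "logout":
            if open_logins.get(e.user, 0) == 0:
                orphans.append(e)
            else:
                open_logins[e.user] -= 1
    return orphans

def clock_regressions(wtmpx: list) -> list:
    """Slide 13: a record stamped earlier than the one written before it exposes a clock change."""
    return [(prev, e) for prev, e in zip(wtmpx, wtmpx[1:]) if e.time < prev.time]

def unexplained_root_access(cshrc_atime: int, wtmpx: list, window: int = 60) -> bool:
    """Slide 11: ~root/.cshrc read with no root login or su within `window` seconds before it."""
    return not any(e.user == "root" and e.kind in ("login", "su")
                   and 0 <= cshrc_atime - e.time <= window for e in wtmpx)

# Constructed sample holding one instance of each anomaly.
WTMPX = [
    Entry("login", "darleent", 901218759),
    Entry("logout", "alie", 901218800),    # alie never logged in according to this file
    Entry("su", "root", 901218900),
    Entry("login", "root", 901218950),
    Entry("logout", "root", 901218600),    # stamped 350 s before the record preceding it
]

if __name__ == "__main__":
    print("orphan logouts:", [e.user for e in missing_login_starts(WTMPX)])
    print("clock regressions:", len(clock_regressions(WTMPX)))
```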

  14. Checking a Suspect System
     [diagram; only the DERBI labels survived extraction]

  15. Future
     • Analysis for interrelated systems
       • overlapping file systems, servers, users, other privileges (not just simple client-server)
     • Support of multiple OS's and OS families
     • Expansion and standardization of attack data
       • vulnerabilities, exploits, tools, camouflage, packages
     • Test and distribution: operational clusters; false positive rates
     • Explanation
     • More sophisticated analysis
     • Identification of higher-level goals
