Metadata for Anomaly-Based Security Protocol Attack Deduction. Tysen Leckie, Member, IEEE, and Alec Yasinsac, Senior Member, IEEE. IEEE Transactions on Knowledge and Data Engineering, Vol. 16, No. 9, pp. 1157-1168, 2004.
Outline • Introduction • Normal, Abnormal, and Malicious Behavior • BSEADS Architecture • Observed Profile • Behavioral Analyzers • Parallel Session, Behavioral Analyzers (Failed Sessions, Weak Session, Replay Session) • Detection Methods (Spread, Normality, Pattern) • BSEADS Example • Conclusion • Comment
Introduction • SEADS (Secure Enclave Attack Detection System): the system is based on a simulated networked environment within an encompassing architecture • SEADS concept: to allow intrusion detection in encrypted traffic • Created by the Security and Assurance in Information Technology (SAIT) Laboratory at Florida State University (FSU)
Introduction • 2002, Yasinsac: SEADS concept (to allow intrusion detection in encrypted traffic) • Knowledge-based SEADS (KSEADS): misuse detection • uses patterns of well-known attacks or weak spots of the system to identify intrusions • unable to detect future (not yet catalogued) intrusions • Behavioral-based SEADS (BSEADS): anomaly detection • establishes normal usage patterns using statistical measures on system features, e.g. CPU and I/O
Normal, Abnormal, and Malicious Behavior • Difficult to grasp: the relationship between normal, abnormal, and malicious behavior • “Normally” malicious: if some activity that a user performs as a matter of routine is malicious by definition, then anomaly detection cannot detect that attack. • Human behavior naturally varies • Requires sophisticated models and metrics for representing normal, abnormal, and malicious behavior
Normal, Abnormal, and Malicious Behavior • False negatives • Malicious behavior displaying normal characteristics is undetectable in pure anomaly-based systems. • False positives • Legitimate activity that deviates from normal is mistakenly flagged by a purely anomaly-based system.
BSEADS Architecture • User activity is naturally time variant: hour of day, day of week, season, holiday, nonwork days, etc. • To prevent high false positive rates: recognize the time-variant characteristics of the environment and adapt to change in step with changing user habits • Describe the notion of behavior across multiple time granularities to reduce false positives • Partition time into 6 categories (in BSEADS): early morning, morning, afternoon, evening, night, and entire day
BSEADS Architecture • User Activity Logs: built from attack-free data in a Monitor Activity File • Event Handler (EH): captures dynamically ongoing protocol session activity from the monitor • Profile Handler (PH): maintains each principal’s User Activity Log • B-IDE (Behavioral Intrusion Detection Engine): measures and checks each user’s Behavioral Analyzer (standard deviation and chi-square to analyze abnormal behavior).
User Profile (figure): User Activity is collected either by the synthetic method (used in BSEADS) or by the real method (a live user environment with no intrusion activity). In the Training Phase the User Activity Log (UAL) is created; it represents a user’s entire session activity, and the normal profile statistics hold all relevant statistics per time category. Metadata and the statistical (dynamic) values feed the B-IDE (Behavioral Intrusion Detection Engine), which compares the observed statistics against the profile and reports the attack status.
Behavioral Analyzers (figure): metadata records from the security protocols and user activity flow through the monitor into the Behavioral Analyzers (BA), one per attack class: parallel session, failed session, replay session, and weak encryption session.
Parallel Session (figure): Principal M intercepts messages intended for Principal B (man-in-the-middle). Two or more protocol runs are executed concurrently, so a parallel session exists between A and M.
Behavioral Analyzers — Failed Sessions • Brute force attack: • the attempt proceeds through all possible combinations of legal values sequentially • a trial-and-error technique to decode encrypted data, e.g. passwords or Data Encryption Standard (DES) keys • The Secure Shell Protocol Version 1 (SSH) allows a brute force. • Figure: failed sessions (breaking in, maliciously interfering with the system) are fed to the Failed Session BA (Behavior Analyzer), which recognizes an abnormal failure pattern
Behavioral Analyzers — Weak Session • Weak Session Attack: a weak form of encryption • Protocols allow negotiation to establish cryptographic parameters, e.g. key length • The cipher-suite rollback attack occurs when an active attacker edits the cleartext list of handshake messages, forcing a domestic user to use export-weakened encryption • A variation of the cipher-suite rollback attack is illustrated in the attack on the SSL 2.0 protocol. • Figure: weak-session indicators (limited key space, weak authentication, cipher-suite rollback attack, masquerade attack, brute force attack on the system) are fed to the Weak Session BA (Behavior Analyzer), which recognizes a weak session
Behavioral Analyzers — Replay Session • Replay attack: packets recorded with a protocol analyzer are replayed against the system • Prevention: digital signatures authenticate content; packets carry a time-stamp; protocol verification • Figure: the Replay Session BA (Behavior Analyzer) recognizes a replay session
Detection Methods (figure): the Behavioral Analyzers compare observed statistics using three measures: a measure of spread, a measure of normality (chi-square), and a measure of pattern (pattern recognition).
Detection Methods — Measure of Spread • Figure: sessions A–D plotted across the time categories (early morning, morning, afternoon, evening, night, entire day); a cluster of sessions in one category stands out as an outlier. • Measure of spread: standard deviation • Determination of attacks: attack behavior is usually grouped in high concentrations, so outliers are a sensitive indicator of attack behavior. • A standard deviation greater than 1 indicates a nonuniform spread
Detection Methods — Measure of Normality • Figure: the trained historical User Activity Logs yield the normal profile statistics; the dynamically generated Observed Activity Log yields the observed activity statistics; the two are compared with chi-square to decide malicious or nonmalicious. • Upper Control Limit: the threshold that the chi-square result is compared to. • Using the accumulated normal profile statistics, Upper Control Limit = • If the computed chi-square is larger than the Upper Control Limit, signal the presence of abnormal activity
Detection Methods — Measure of Normality • Figure: individual activity per time category (early morning, morning, afternoon, evening, night, entire day) versus the sum over the entire day; the sum of the individual activity is anomalous although each piece looks like normal activity, so the subtle distinctions between malicious and benign anomalies are hard to find. • Statistical measure: chi-square • Helpful to detect abnormalities in peaks of behavior • Disadvantages: • insensitive to the order of occurrence of events • difficult to determine the right threshold above which an anomaly is intrusive
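An added illustration of the two statistical checks above (this code is not from the paper or the BSEADS implementation): a small Python model of the B-IDE check over one day of session metadata. It partitions sessions into the six time categories (the hour boundaries are an assumption; the slides only name the categories), takes the standard deviation of per-hour session counts as the measure of spread with the slide's rule that a value above 1 means a nonuniform spread, and computes a Pearson chi-square of observed protocol counts against the normal profile statistics, comparing it with an upper control limit passed in by the caller (the slides use 1.50 in their worked example; the formula that derives it is not captured on this page). The session log and profile counts are constructed sample data.

```python
"""Spread and normality checks in the style of the B-IDE (added example)."""
from collections import Counter
from statistics import pstdev

# Hour ranges for the time categories. The slides only name the six categories,
# so these boundaries are an assumption of this example.
TIME_CATEGORIES = {
    "early morning": range(0, 6),
    "morning": range(6, 12),
    "afternoon": range(12, 18),
    "evening": range(18, 22),
    "night": range(22, 24),
    "entire day": range(0, 24),
}

# Rule from the slides: a standard deviation greater than 1 is a nonuniform spread.
SPREAD_THRESHOLD = 1.0

# Normal profile statistics: expected sessions per protocol and category, as a
# trained User Activity Log would hold them. Constructed values, not the paper's.
NORMAL_PROFILE = {
    "morning": {"SSH": 3, "SSL": 2, "IPSec": 1},
    "afternoon": {"SSH": 4, "SSL": 4, "IPSec": 2},
}

# Observed activity log for one day as (hour, protocol) per session. Constructed;
# hour 17 carries a burst of SSH sessions to produce a nonuniform spread.
OBSERVED_LOG = [
    (6, "SSH"), (7, "SSL"), (8, "SSH"), (9, "SSL"), (10, "IPSec"), (11, "SSH"),
    (12, "SSL"), (13, "IPSec"), (14, "SSL"), (15, "SSH"), (16, "SSL"),
] + [(17, "SSH")] * 7


def sessions_in(category, log):
    """Sessions of the log whose hour falls in the given time category."""
    hours = TIME_CATEGORIES[category]
    return [(h, p) for h, p in log if h in hours]


def measure_of_spread(category, log):
    """Population standard deviation of per-hour session counts in the category;
    hours with no sessions count as zero."""
    hours = TIME_CATEGORIES[category]
    per_hour = Counter(h for h, _ in sessions_in(category, log))
    return pstdev([per_hour.get(h, 0) for h in hours])


def measure_of_normality(category, log, profile):
    """Pearson chi-square of observed protocol counts against the normal profile."""
    observed = Counter(p for _, p in sessions_in(category, log))
    expected = profile[category]
    chi2 = 0.0
    for proto in set(observed) | set(expected):
        # A protocol absent from training gets an expected count of 1 so the
        # term stays finite; this floor is an assumption of the example.
        e = expected.get(proto, 0) or 1
        chi2 += (observed.get(proto, 0) - e) ** 2 / e
    return chi2


def analyze_category(category, log, profile, upper_control_limit):
    """One B-IDE style check: spread against the fixed rule, chi-square against
    the upper control limit supplied by the caller."""
    spread = measure_of_spread(category, log)
    chi2 = measure_of_normality(category, log, profile)
    return {
        "category": category,
        "spread": round(spread, 3),
        "nonuniform": spread > SPREAD_THRESHOLD,
        "chi_square": round(chi2, 3),
        "abnormal": chi2 > upper_control_limit,
    }


if __name__ == "__main__":
    for category in ("morning", "afternoon"):
        print(analyze_category(category, OBSERVED_LOG, NORMAL_PROFILE, 1.50))
```

The morning category matches its profile exactly (spread 0, chi-square 0), while the afternoon's burst of SSH sessions at hour 17 gives a spread of about 2.24 and a chi-square of 4.75, so both checks fire. Note the chi-square term is blind to order, as the slide says: shuffling the afternoon sessions among its hours changes the spread but not the chi-square.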
Detection Methods — Measure of Pattern • Figure: pattern prediction approach from past research, E1 -> E2 -> E3 -> (E4 = 90%, E5 = 10%) • Predictive pattern recognition • Assumption: sequences of events are not random but follow a discernible pattern. • If the pattern observed is E1 followed by E2 followed by E3, then the probability of E4 is 90% and of E5 is 10% • Analyzing past data and performing pattern discovery determines these probabilities. • Weakness: unrecognized patterns of behavior are not recognized as anomalous, because they do not match the left-hand side of any rule.
Detection Methods — Measure of Pattern • Fig. Time-bounded pattern match: the pattern abc under “immediately follows” semantics versus “follows” semantics. • Minimum time of occurrence of abc: for t = 1 it is 6, and for t = 11 it is 14 > 10 (the match must complete within 10 time units), so the second occurrence is an anomaly. • The worst-case time of this algorithm is O(n²), n: number of events • Fig. Approximate match approach: the stream of events abcadacacbac is matched against the pattern adab (ε marks skipped events in the alignment) • The longest common subsequence problem is solved by dynamic programming in O(mn) time, m: size of the pattern, n: size of the input • Pattern c, b, a with time constraints: the constraint specifies Tt4 − Tt2 ∈ [0, 5] and Tt4 − Tt3 ∈ [5, 10]
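An added example (not from the paper) of the two pattern measures above in Python: a longest-common-subsequence approximate match of an event stream against a pattern, and a time-bounded match under "follows" semantics that takes each candidate start event, finds the earliest completion of the pattern (the minimum time of occurrence in the figure) and checks learned constraints of the form Tj − Ti ∈ [lo, hi] on the matched timestamps. The timestamps are constructed; the pattern SSH, IPSec, SSL, SSH within 50 time units and the [SSH, SSH] constraint Tt2 − Tt1 ∈ [3, 15] are the ones quoted in the BSEADS example slides later on the page.

```python
"""Pattern measures in the style of the BSEADS pattern recognizer (added example)."""


def lcs_length(pattern, stream):
    """Longest common subsequence length by dynamic programming, O(m*n)
    for m = len(pattern), n = len(stream)."""
    m, n = len(pattern), len(stream)
    table = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            if pattern[i - 1] == stream[j - 1]:
                table[i][j] = table[i - 1][j - 1] + 1
            else:
                table[i][j] = max(table[i - 1][j], table[i][j - 1])
    return table[m][n]


def approximate_match_score(pattern, stream):
    """Fraction of the pattern that can be aligned with the stream as a
    subsequence (1.0 means every pattern event appears, in order)."""
    return lcs_length(pattern, stream) / len(pattern)


def earliest_completion(pattern, events, start):
    """Under "follows" semantics, take the earliest event matching each later
    pattern element after `start` (an index whose event equals pattern[0]).
    Returns the chosen event indices, or None if the pattern is incomplete."""
    chosen = [start]
    k = start + 1
    for want in pattern[1:]:
        while k < len(events) and events[k][1] != want:
            k += 1
        if k == len(events):
            return None
        chosen.append(k)
        k += 1
    return chosen


def time_bound_check(pattern, constraints, events):
    """For every event that can start `pattern`, find its earliest completion and
    test the learned constraints (i, j, lo, hi): lo <= T[j] - T[i] <= hi, where
    i and j index pattern positions and T holds the matched timestamps.
    Events are (timestamp, name) tuples sorted by timestamp."""
    report = []
    for start, (t0, name) in enumerate(events):
        if name != pattern[0]:
            continue
        chosen = earliest_completion(pattern, events, start)
        if chosen is None:
            continue  # pattern not yet complete, nothing to judge
        times = [events[k][0] for k in chosen]
        ok = all(lo <= times[j] - times[i] <= hi for i, j, lo, hi in constraints)
        report.append({"start": t0, "end": times[-1],
                       "span": times[-1] - t0, "abnormal": not ok})
    return report


# Constructed protocol session events (timestamp, protocol). The start at t = 4
# completing at 65 reproduces the figures quoted in the BSEADS example; the
# intermediate timestamps are made up for this example.
PROTOCOL_EVENTS = [(4, "SSH"), (20, "IPSec"), (45, "SSL"), (65, "SSH"),
                   (80, "IPSec"), (90, "SSL"), (100, "SSH")]
PROTOCOL_PATTERN = ["SSH", "IPSec", "SSL", "SSH"]
PROTOCOL_CONSTRAINTS = [(0, 3, 0, 50)]  # whole pattern within 50 time units

# Constructed SSH session times for the failed-session pattern [SSH, SSH] with
# the learned constraint Tt2 - Tt1 in [3, 15].
SSH_EVENTS = [(0, "SSH"), (1, "SSH"), (20, "SSH"), (30, "SSH")]
SSH_PATTERN = ["SSH", "SSH"]
SSH_CONSTRAINTS = [(0, 1, 3, 15)]

if __name__ == "__main__":
    print("adab in abcadacacbac:", lcs_length("adab", "abcadacacbac"))
    for r in time_bound_check(PROTOCOL_PATTERN, PROTOCOL_CONSTRAINTS, PROTOCOL_EVENTS):
        print(r)
    for r in time_bound_check(SSH_PATTERN, SSH_CONSTRAINTS, SSH_EVENTS):
        print(r)
```

The run starting at t = 4 completes at 65, a span of 61 > 50, and is reported abnormal, while the run starting at 65 completes within 35 units and passes; the SSH that arrives 1 unit after another violates the lower bound of [3, 15] just as a 19-unit gap violates the upper bound. The greedy earliest-completion choice is what the slide's minimum-time-of-occurrence figure shows; it is O(n) per start and O(n²) overall, matching the worst case quoted above.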
Detection Methods — BSEADS Example • Development Environment • Windows 2000 platform • Standard Template Library (STL) and Visual C++ • Developing an effective approach to intrusion detection in the encrypted environment
BSEADS Example • Figure: synthetic method (in BSEADS) in a real-time environment. The Monitor Activity File supplies attack-free protocol activity; at hour 0 (12:00 am) the request to transmit sessions starts the Training Phase. The EH (Event Handler) parses events based on each principal and dynamically creates the User Activity Log (UAL) over 4 weeks of training; the Observed Activity Log and its metadata are checked by the Behavior Analyzers (B-IDE): Parallel Session BA, Failed Session BA, Replay Session BA and Weak Session BA, using the chi-square statistic. • At the end of hour six the early morning time category is complete. • The categories are defined as early morning, morning, afternoon, evening, night, and entire day. Once the night category was completed, the system checked the spread and behavior, and performed pattern recognition for the entire accumulated day.
BSEADS Example – Parallel Session Behavior Analyzer • Figure: the same training pipeline (Monitor Activity File → EH → UAL over 4 weeks); the Profile Handler supplies the normal profile statistics for user M, time degradation is applied, and the B-IDE Active Handler compares them with the observed statistics. • Checked the entire afternoon accumulated behavior • Measured the spread of the observed statistics using the standard deviation: result = 1.304 (not uniform over this period) • Checked for abnormal characteristics based on the observed and normal profile statistics: chi-square = 2 > upper control limit (1.50) • Checked the pattern recognition approach: • the historical pattern of SSH, IPSec, SSL, and SSH occurs within 50 time units • observed data at t = 4 is 61: (65 − 4) = 61 > 50, abnormal • The afternoon category was realized.
BSEADS Example – Failed Session Behavior Analyzer • Figure: the same training pipeline; the Time Degradation Calculator modifies the statistics, the Profile Handler supplies the normal profile statistics for user M, and the B-IDE Active Handler compares them with the observed statistics. • Evening category was realized. • Multiple failed sessions between M and B • Spread of observed statistics (standard deviation) = 2.31 (abnormal): the metric values were not occurring uniformly over this period. • To analyze the behavioral characteristics: chi-square result = 9 > upper control limit (1.49) • Historical pattern of [SSH, SSH] calculated to occur with Tt2 − Tt1 ∈ [3, 15]: the event at t1 must begin at least 3 time units before the event at t2, but no earlier than 15 units before.
BSEADS Example – Weak Session Behavior Analyzer (intruder M forced A and B to use weak encryption) • Figure: the same training pipeline with Time Degradation Calculator, Profile Handler and B-IDE Active Handler as above. • Evening category was realized. • Multiple failed sessions between M and B • Spread of observed statistics (standard deviation) = 1.30 (abnormal) • To analyze the behavioral characteristics: chi-square result = 2 > upper control limit (1.50) • Historical pattern of [SSL, SSL, SSH] calculated to occur within 30 time units. • Observed data at t = 7 is 35 (attack)
BSEADS Example – Replay Session Behavior Analyzer (replay session between M and B) • Figure: the same training pipeline with Time Degradation Calculator, Profile Handler and B-IDE Active Handler as above. • Afternoon period • Multiple failed sessions between M and B • Spread of observed statistics (standard deviation) = 1.34 (abnormal): the metric values were not occurring uniformly over this period. • To analyze the behavioral characteristics: chi-square result = 0.5 < upper control limit (1.50) (normal) • No historical pattern of replays • An attack is signaled on the strength of the nonuniform spread alone
Conclusion • Classical intrusion detection techniques are not effective in the encrypted environment. • Employ an anomaly-based attack detection approach based on the characteristics of security protocols • Extend the technology to measure activity spread across different time categories and granularities • By using the knowledge engineering approach, the system • can detect variations in session spread and abnormal deviations • is able to distinguish between normal and abnormal behavior, and between abnormal but legitimate behavior and abnormal but malicious behavior
Comment (figure): two event timelines compared against time-bounded pattern constraints a, b [7, 10]; c, d [15, 18]; g, h [5, 11]; e, f [1, 8]. Timeline 1 has events at times 1, 5, 7, 8, 10, 11, 15, 18 (e g a f b h c d); timeline 2 has events at 1, 7, 8, 9, 10, 11, 16, 18 (e a f g b h c d).
IDS Approaches Two kinds of analysis approaches in IDS: • Misuse detection: uses patterns of well-known attacks or weak spots of the system to identify intrusions • unable to detect any future intrusions • Anomaly detection: establishes normal usage patterns using statistical measures on system features, e.g. CPU and I/O • Experience is relied upon in selecting the system
Metadata Metadata is like a database that contains many tables, and the tables may reference one another, much like the foreign keys of a relational database.
Concept comparison (figure): traditionally, behavior observation of packet headers and payload builds the profiles; in this paper the encrypted environment leaves less payload data available, so the profiles are built from several forms of metadata relating to the session activity of the principals (Metadata1, Metadata2, …). Methods: statistical and pattern recognition. Behavior classes: legitimate, normal, abnormal, and malicious behavior.
User Activity Log (UAL): a static representation of metadata on user session activity. Metadata fields: System Time (milliseconds: integer); GUID (system’s IP address + MD5 hash algorithm).
Time Degradation (figure): the User Activity Log (UAL) is read by the Profile Handler through an executed method call; the Profile Handler holds a structure of normal profile statistics that is consumed by the Behavioral Analyzers (BA).
Chi-square Statistics (figure): the abnormal region lies above the Upper Control Limit =