15-August-2000 AT&T
Network Security and Intrusion Detection
Survey of the Art and Practice
Dr. Michah Lerner, AT&T Labs
Outline
• Model
• Principles
• Assumptions
• Methods
• Products
No silver bullets
Published sources only
Note: this talk describes some attack models.
If you’d like to “try them out”, don’t!
Intrusion Detection Systems, IDS
Identified by Dorothy Denning in 1987, IEEE Software Engineering
• Protect systems and networks from threats, vulnerabilities, and intrusions
Art includes:
• “Bro: A System for Detecting Network Intruders in Real Time” (Vern Paxson)
• JiNao – Protect link-state routing – Felix Wu: rule-based expert system, statistical analysis, protocol analysis, OSPF MIB, distributed programming interface (DPI)
Vendors include:
• Amazon.com lists 171 security products
• Axent (NetProwler, and Tivoli modules), ISS, Network Associates, Cisco
A Story … Jane the Dandelion wine merchant
• Running SSL to protect her eCommerce site
Coalition against Dandelion Wine
• Quietly launches a chosen ciphertext attack against her SSL server (Daniel Bleichenbacher, LNCS 1462, 1998)
• Exploit weakness in SSL V.3.0: generate many authentication requests; SSL reports which ones were incorrectly formatted. The Coalition obtained her master secret!
• They tested about one million chosen ciphertexts – on her server!
• She just thought that SSL was slow!
• IDS would have found incomplete SSL handshakes, and probably foiled the intruder
Assumptions …
• RFC 1636 – encryption essential to security. Open networks violate this assumption. Encryption should protect control information, as well as contents (see section 7.3 of the RFC)
• In an attack from Vi on Vj, assume only one of Vi, Vj is the attacker. DDOS violates this assumption
Assumptions are “sometimes” wrong
• Replay attack can masquerade with encrypted data
• Distributed attacks can leverage multiple attackers
• Encryption can be broken
Concept – Collection & Analysis (CERN, European Laboratory for Particle Physics)
Birth place of “The Web Browser” – http://www.cern.ch
[Diagram: Network → Filter → Analyzer → Suspicious behavior → Database → Reports → Security officer]
Every time something suspicious is detected, the session’s security weight is increased. When the security weight gets higher than a given threshold, detailed monitoring starts. Encryption was, until recently, not allowed by French law.
Not much used for first break-in discovery, but invaluable for security incident analysis and follow-up: it answers typical questions like: When did the first break-in happen? Which other systems may have been attacked? Which other services on the attacked system may have been compromised?
Intrusion – Examples
• Denial of Service
• Hijacking of session or router
• Theft
  – Resources – bandwidth theft or blockage
  – Identity
  – Information
Intrusion at any layer or slice: Difficult and Complex Problem
[Diagram: protocol stack by layer and slice]
• Application: SIP, RTSP, RSVP, RTCP, HTTP, H.323; content (static & dynamic pages), media (MPEG etc.), quality of service, media transport (RTP)
• Transport: TCP, UDP
• Network: IPv4, IPv6
• Link: PPP, AAL3/4, AAL5
• Physical: SONET, ATM, Ethernet, V.34
Mobsters101 – How to Intrude (for discussion purposes only)
Resources
• Exhaust, overload or consume
Control Functions
• Undermine direct control protocols: assert authentication or authorization contrary to policy; block authentication or authorization
• Undermine indirect control: subvert timing or other policing methods
Transport Functions
• Transmit forged content
• Modify, read or block content
“Many attackers use tools like COPS or SATAN, which automate the process of checking for known bugs in remote network systems. These freely available tools, as well as commercial tools such as ISS’s Internet Scanner, are designed to help systems administrators audit their own networks, but are equally useful to an attacker.” [Wallach99]
See http://www.cert.org/advisories
Intrusion – Definition
Intrusion
• Violation of the network policy, even where the policy is not completely stated
Policy
• Allocation, usage and return of resources
• Possibly multiple policies active on a network: varied requirements of business, administration or trust
Resources
• Finite
• Independent
• Layered
• Protocol-driven
Protocols
• Efficient, not perfect
• IP spoofing – packets are not uniquely attributable to the origin
• Costly to stop
Prevention – Policies & Assurances
Violations of policy may define intrusion. Except:
• Seldom have such a precise policy in IP
• The policy could be buggy
• New applications could violate the policy
• Cost is prohibitive for many applications
• Can plug anything into the Internet – not just “safe” applications. IEEE 802.3 (Ethernet) is ubiquitous
An alternative to formal policy is assurances
• General policy, but less rigorous
• Availability – connections, bandwidth, low delay
• Integrity – privacy, reliability, and low error-rate
Detection
Assurances are threatened by:
• Misuse – specific attack behavior. Based on expert knowledge of patterns associated with attack. Patterns of misuse, defined by experts or by machine learning, should not occur. Examples:
  – Mismatched SYN/ACK
  – Same authenticated user from multiple locations?
  – Multiple failed authentications? From different addresses??
  Problem: only recognizes anticipated threats (but can combine several threats that might otherwise be missed)
• Anomalous use – possible attack. Recognize increased risk to network. Compare actual with expected behavior. Load rising atypically?
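Worked example, added here and not part of the talk: the two authentication misuse rules above run over a constructed audit trail, with each hit feeding the per-session security weight of the CERN concept slide; the rule weights and the threshold are assumed values.

```python
from collections import defaultdict

# Constructed audit records, not from the talk: (time, session, user, source address, event)
RECORDS = [
    (1, "s1", "alice", "10.0.0.5", "auth_fail"),
    (2, "s1", "alice", "10.0.0.9", "auth_fail"),   # second failure, different address
    (3, "s1", "alice", "10.0.0.7", "auth_fail"),
    (4, "s1", "alice", "10.0.0.7", "auth_ok"),
    (5, "s2", "bob", "192.0.2.10", "auth_ok"),
    (6, "s2", "bob", "198.51.100.3", "auth_ok"),   # same user, second location
    (7, "s3", "carol", "10.0.0.20", "auth_ok"),
]

# Assumed weights and threshold; the talk gives no numbers.
WEIGHTS = {"multi_fail_multi_addr": 3, "user_multi_location": 2}
THRESHOLD = 3


def score_sessions(records, weights=WEIGHTS, threshold=THRESHOLD):
    """Accumulate a security weight per session from the misuse rules.

    Returns {session: (weight, rules_fired, detailed_monitoring)}; detailed
    monitoring starts once the weight reaches the threshold."""
    weight, fired = defaultdict(int), defaultdict(list)
    fail_addrs = defaultdict(set)   # session -> addresses with failed authentication
    user_addrs = defaultdict(set)   # user -> addresses with successful authentication
    for _, session, user, src, event in records:
        hits = []
        if event == "auth_fail":
            fail_addrs[session].add(src)
            if len(fail_addrs[session]) >= 2:       # repeated failures from different addresses
                hits.append("multi_fail_multi_addr")
        elif event == "auth_ok":
            user_addrs[user].add(src)
            if len(user_addrs[user]) >= 2:          # same authenticated user, several locations
                hits.append("user_multi_location")
        for rule in hits:
            if rule not in fired[session]:          # each rule raises the weight once per session
                fired[session].append(rule)
                weight[session] += weights[rule]
    sessions = sorted({r[1] for r in records})
    return {s: (weight[s], fired[s], weight[s] >= threshold) for s in sessions}


if __name__ == "__main__":
    for session, verdict in score_sessions(RECORDS).items():
        print(session, verdict)
```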
How to Protect the Assurances?
Redundancy
• Makes it harder to corrupt
• Makes it easier to identify corruption
• May make it easier to locate the corruption
Explicit redundancy: add to network or data
• Tags and attributes
• Input/output validation
Implicit redundancy: already in the network
• Anonymous – timing
• Private – network attributes
• Content – privacy and easily evaded
• Per-protocol or general properties: state-machine compliance? Frame format?
Two Keys to Protection
Prevention
Define multiple layers
• Define behavior of each layer, including resources
• Enforce each behavior
• Prohibit actions that may compromise the behavior
Examples
• IP DDOS does not affect ATM integrity
• Replay of short-lifetime HTTP cookies is traceable
• Link-layer marking
• Ingress/egress filtering
• End-to-end coordination
Detection
Identify correct behavior; reinforce or augment
• Redundancy: format (protocol), augmentation (tags), validations
Characterize activities; recognize anomalies
• Unusual transit duration, route, or augmentation
• Item – invalid packet header
• Aggregate – bad path or invalid protocol sequence
• Honeypot traces
Explicit Redundancy – Protection
Content transformation
• SSL
• Cookies
Protocol hardening against adversarial “errors”
• IPSec
• Invalid session properties (i.e. stale keys, invalid context or content) may indicate attack
Packet augmentation
• Security labels
• Properties inherited from ingress
• Requirements incumbent upon egress
• Min/max trust and validation of information flow
Management at Ingress/Egress
• Interaction with authentication and multiple domains
Implicit Redundancy – Detection
Packet
• Well-formed packets (protocol-compliant)
• Well-defined packets (service behavior)
• Source, destination, format
May validate endpoints and actions
Traffic profile
• Acquire by observation of usage
• Statistical model – “distinctive characteristics (packet size, timing) … not on connection contents”
• Resists encryption, and preserves privacy
• Database of representative samples
Does the traffic profile fit the source/destination profiles?
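Added example (not from the talk) of the content-free statistical profile just described: a per-destination profile is built from packet size and inter-arrival timing only, then new flows are checked against it. The baseline samples, the two test flows, the z-score bound and the outlier tolerance are all constructed assumptions.

```python
import statistics

# Constructed baseline for one destination service (assumed values, not measurements):
# (packet size in bytes, inter-arrival gap in seconds) taken from normal sessions.
BASELINE = [(1400, 0.02), (1350, 0.03), (1420, 0.02), (900, 0.05),
            (1380, 0.02), (1410, 0.03), (1200, 0.04), (1390, 0.02)]


def build_profile(samples):
    """Per-feature mean and spread; payload contents are never read."""
    sizes = [s for s, _ in samples]
    gaps = [g for _, g in samples]
    return {"size": (statistics.mean(sizes), statistics.pstdev(sizes)),
            "gap": (statistics.mean(gaps), statistics.pstdev(gaps))}


def outlier_fraction(profile, flow, max_z=3.0):
    """Share of a flow's packets whose size or timing lies beyond max_z spreads."""
    outliers = 0
    for size, gap in flow:
        for key, value in (("size", size), ("gap", gap)):
            mean, sd = profile[key]
            if sd and abs(value - mean) / sd > max_z:
                outliers += 1
                break                      # count each packet at most once
    return outliers / len(flow)


def fits_profile(profile, flow, max_z=3.0, tolerance=0.2):
    """True when at most `tolerance` of the packets are outliers (assumed cutoff)."""
    return outlier_fraction(profile, flow, max_z) <= tolerance


PROFILE = build_profile(BASELINE)
# Constructed flows: an ordinary page fetch, and a burst of tiny packets every millisecond.
NORMAL_FLOW = [(1380, 0.03), (1400, 0.02), (1300, 0.03), (1200, 0.04)]
BURST_FLOW = [(60, 0.001)] * 6

if __name__ == "__main__":
    print("normal fits:", fits_profile(PROFILE, NORMAL_FLOW))
    print("burst fits:", fits_profile(PROFILE, BURST_FLOW))
```

The check works unchanged on encrypted traffic because nothing past the packet length and arrival time is examined.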
General Technique
Collect traffic and audit information
• Protocol analysis
• Various sensors
  – Content-independent sensors may work even on encrypted data
  – State-based sensors evaluate the trustworthiness of the connection path
  – State-free sensors operate without change to firewall or network element
Compute patterns of misuse or abuse
Recognize patterns of a possible attack
• Previously observed or predicted attack patterns
• Uncharacteristic changes in predicted performance
Information to Collect
Audit information
• Management information bases (MIBs) and logs
• After-the-fact analysis of traffic artifacts
Historical information
• Recognition of previously used contents, such as serial numbers, someone else’s password, etc.
• Strength of evidence follows the strength of the content source
Distributed
• Exchange data on suspected intrusions (IETF IDWG)
• Information from IP authentication systems
Information to Compute
Attack signatures
• Hard problem – needs attack models to organize data
• Attacks are often distributed – requires coordination
• ISS publishes about 350 RealSecure signatures at http://www.iss.net, in the categories Backdoors, Denial of Service, Distributed Denial of Service, OS Sensor, Suspicious Activity, Unauthorized Access Attempts
• Only three detect RIP attacks on routing
• None of the published signatures mention streaming, VoIP, MPEG, Quality of Service, or attacks on OSPF
Detailed Taxonomy
Source: IBM RZ 3176 (# 93222) 10/25/99, Computer Science/Mathematics (23 pages). A Revised Taxonomy for Intrusion-Detection Systems, by Hervé Debar, Marc Dacier, Andreas Wespi
Knowledge-based
• Expert systems; signature analysis
• Petri nets; state-transition analysis
Behavior-based
• Statistics; expert systems
• Neural networks; “User Intention” model
Information Collection Tools
Tcpdump, Bro, NetMon, Snort
All can use rules
Protocol Monitoring
Validate appropriate traffic flows:
• Multiple granularities of description
• Recognize change from the behavior: activation/deactivation of connections; correlation/evaluation of connection attributes
How
• Protocol scrubbing [InfoComm 2000]: state machines for correct protocol flow; error states for erroneous traffic
• Pattern recognition
• Simulation/validation of expected behaviors: does the expected response follow, or something else?
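Added example, not from the talk: the state-machine idea above applied to the TCP three-way handshake over a constructed trace. Any packet with no legal transition lands in an error state (which catches the mismatched SYN/ACK from the Detection slide), and handshakes that never complete are counted per client, the TCP-level counterpart of the incomplete SSL handshakes in the Jane story. The transition table and the trace are assumptions.

```python
from collections import Counter

# TCP three-way handshake as (state, sender role, flags) -> next state. Anything not
# listed is an error state: the packet is illegal where the connection currently stands.
HANDSHAKE = {
    ("closed", "client", "S"): "syn_sent",
    ("syn_sent", "server", "SA"): "syn_received",
    ("syn_sent", "server", "R"): "refused",
    ("syn_received", "client", "A"): "established",
    ("established", "client", "A"): "established",
    ("established", "server", "A"): "established",
}

# Constructed packet trace, not a capture: (source, destination, TCP flags)
PACKETS = [
    ("10.0.0.1", "192.0.2.8", "S"), ("192.0.2.8", "10.0.0.1", "SA"),
    ("10.0.0.1", "192.0.2.8", "A"),                                   # completed
    ("10.0.0.2", "192.0.2.8", "S"), ("192.0.2.8", "10.0.0.2", "SA"),  # never completed
    ("192.0.2.8", "10.0.0.3", "SA"),                                  # SYN/ACK with no SYN
    ("10.0.0.4", "192.0.2.8", "S"), ("10.0.0.4", "192.0.2.8", "A"),   # ACK before SYN/ACK
]


def track_handshakes(packets):
    """Run each connection through the automaton. Returns (state, client, errors): the
    current state per connection, the peer that sent the first SYN, and a
    (connection, reason) entry for every packet that had no legal transition."""
    state, client, errors = {}, {}, []
    for src, dst, flags in packets:
        conn = tuple(sorted((src, dst)))
        if conn not in state:
            if flags != "S":                       # e.g. a mismatched SYN/ACK
                errors.append((conn, f"{flags} without prior SYN"))
                continue
            state[conn], client[conn] = "closed", src
        role = "client" if src == client[conn] else "server"
        nxt = HANDSHAKE.get((state[conn], role, flags))
        if nxt is None:
            errors.append((conn, f"{flags} from {role} in state {state[conn]}"))
            state[conn] = "error"
        else:
            state[conn] = nxt
    return state, client, errors


def incomplete_by_client(packets):
    """Handshakes per client that were started but never reached established."""
    state, client, _ = track_handshakes(packets)
    return Counter(client[c] for c, s in state.items() if s in ("syn_sent", "syn_received"))
```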
ASAX and RUSSEL (RUle-baSed Sequence Evaluation Language)
Stateful event detection
Correlation of events across multiple hosts
• Consolidate intrusion evidence from several scattered sources and correlate them intelligently at a central location
Declarative language: RUSSEL rules, automata
[Diagram: Internet, ISP, router and FW-1 in front of the FUNDP university network, with a sniffer feeding ASAX]
Detects:
• SYN-Flood
• IP spoof
• Port Scan
• Host Scan
• etc.
Source: Aziz
RUSSEL – ASAX
[Diagram: rules Rule1(uid) … Rulek(uid), Rulek(x,y) applied to the event stream Evt1, Evt2 … Evtn over time]
Stateful detection
Event stream
Automatic actions
• Disable account
• Log to file
• SNMP traps
• Email Sec-Ad (security administrator)
• Exec any command
• Send event to manager
Interface with C
What if Alert?
• Block offending traffic sources
• Terminate suspicious processes
• Coordinate with multiple domains
  – Intruder Detection and Isolation Protocol (IDIP): Trace, Report, Directive (discovery coordinator)
Products (names changing all the time)
Boundary controllers
• NAI Gauntlet, ARGuE, MPOG, etc.
• Secure Computing Sidewinder
Detectors
• Axent, Cisco
• SRI Emerald expert-system
• NAI CyberCop
• ISS RealSecure
• NFR www.nfr.net
• Event-based traffic analysis, pattern matching, aggregation and adaptation: SUNY, Bro, CIDF, IDIAN, DPF packet filter compiler …
Vendors and Products – Tivoli Compatibility
Source: RZ 3253 (# 93299) 06/26/00; Computer Science, 45 pages. Integration of Host-based Intrusion Detection Systems into the Tivoli Enterprise Console, Christian Gigandet (IBM Research, Zurich Research Laboratory)
Cisco Intrusion Detection System
• NetSonar (Scanner)
• NetRanger (Monitor)
The Cisco Secure IDS includes two components: Sensor (renamed NetSonar) and Director (renamed NetRanger).
Cisco Secure IDS Sensors, which are high-speed network "appliances," analyze the content and context of individual packets to determine if traffic is authorized.
ISS RealSecure
• Network engine resides on PC, monitors network transmissions for “signs of abuse and attack”
• About 350 attack signatures currently published
CyberSafe Centrax
• ID module embedded in router/switch/firewall:
  – Evaluates all incoming and outgoing traffic for intrusions across all ports
  – Switching. Monitors heavily routed or switched networks at the most heavily-trafficked network junctions.
  – Speed. May also address speed issues by embedding ID in higher-performance hardware.
• ID module running on adapter card:
  – Processor provides most of the analysis.
  – Speed. Hardware assist with packet classification provides wire-speed intrusion detection.
  – Security is painful. Shrink-wrap ID engine -- easy to install, easy to manage with relatively low cost.
• ID module as an ASIC:
  – ID as a true design component. Installed on networking backplane, e.g. multi-gigabit switch. Probably only way to handle
  – Switching. Embedded in high-performance network device allows access to all packets at single location.
  – Speed. Wire-speed intrusion detection.
• ID module embedded in host protocol stack:
  – Attached to protocol stack above encryption layer.
  – Encryption. Allows intrusion detection to exist in the presence of encrypted traffic while still providing adequate value.
APIs solve top 4 problems
[Diagram: API layers: Platform Support, Active Response, Management Programming, Data Acquisition, Signature Definition, Attack Recognition, Response]
Summary
Maintain integrity:
• Per layer
• Per slice (protocol)
Validate packets
• Ingress/egress counters
Squelch attack sources that do not comply with reasonable usage
• Test carefully to ensure it is not a new application
• Streaming media is not a UDP attack!
Measure and understand “flow” properties
• Recognize statistically significant variation from these path properties
Backup Slides
A bit more formality: a glimpse at some academic research
General Network Model (circumscribes problem domain)
G = (V, E)
Path = {Vin, {Ej}, {Vj}, … {Ek}, {Vk}, {El}, {Vout}}
Path consists of vertices and edges
Edges E:
• Propagate signal
Vertices V:
• Receive signal
• Compute output
• Emit signal
Network Model
Edges (links)
• Signal propagation
• Impairments due to random noise: redundancy manages noise, fade or analog error; detect and correct by protocols through algebraic redundancy
Vertices (routers/switches)
• Aggregate bits into packet
• Classify and enqueue packet: packet-type and priority (UDP? TCP? ICMP? RSVP?); loss due to load variation and queue size; detect and correct by redundant payload or retransmission
• Dequeue packet: data packet – compute output as f(packet, control); control packet – modify control as f(packet, control)
Vertex Control function f(packet, control)
Data packet:
• Pure IP: f(packet, control) is nearly the identity function (modify TTL, next-hop, etc.)
• Proxy or active protocol: f(packet, control) not identity; augment packets in more complex “custom” ways
Control packets:
• Routing: static or dynamic
• Resource: modify resources, e.g. queues, priorities
• Behavior: modify function, e.g. classifier, marking, etc.
Monitoring Entity Signatures
Entity output descriptions
• Compute usage signatures (local and complete): entity to neighbors; entity to endpoints
Entity input descriptions:
• Receivers compute signature of received data
Comparisons
• Entities exchange signatures (or log centrally)
• Anomaly detected from signature mismatches
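Added example, not from the talk: the signature exchange above simulated along a path Vin, Vj, Vk, Vout of pure-IP vertices. Each sender signs what it emits toward its neighbor and each receiver signs what it gets; because the signature covers only the fields f(packet, control) leaves untouched, the legitimate per-hop TTL change does not trip it, while a payload change injected on one link shows up as a mismatch on exactly that link, which is the "locate the corruption" property from the redundancy slide. SHA-256 as the signature, the packet set and the fault are assumptions.

```python
import hashlib

# Constructed packets (TTL, payload); TTL is the field a pure-IP vertex legitimately changes.
PACKETS = [(64, b"GET /index.html"), (64, b"Host: example.test")]
PATH = ["Vin", "Vj", "Vk", "Vout"]


def usage_signature(packets):
    """Signature over the fields f(packet, control) leaves unchanged (the payload).
    SHA-256 over a window of packets is an assumed choice; the talk leaves it open."""
    digest = hashlib.sha256()
    for _, payload in packets:
        digest.update(payload)
    return digest.hexdigest()


def forward(packets):
    """Pure-IP vertex: f(packet, control) is nearly the identity, here just the TTL decrement."""
    return [(ttl - 1, payload) for ttl, payload in packets if ttl > 1]


def run_path(path, packets, corrupt_link=None):
    """Carry packets along the path; each vertex records its output signature toward the
    next hop and each receiver its input signature. corrupt_link=i injects a constructed
    payload change on the i-th link, standing in for a tampering node or a bad link."""
    sent, received = {}, {}
    current = list(packets)
    for i, link in enumerate(zip(path, path[1:])):
        sent[link] = usage_signature(current)          # sender's view of the link
        if i == corrupt_link:
            ttl, payload = current[0]
            current = [(ttl, b"X" + payload[1:])] + current[1:]
        received[link] = usage_signature(current)      # receiver's view of the link
        current = forward(current)
    return sent, received


def suspect_links(sent, received):
    """Links whose output and input signatures disagree; a mismatch localizes the corruption."""
    return [link for link in sent if sent[link] != received[link]]


if __name__ == "__main__":
    print("clean path:", suspect_links(*run_path(PATH, PACKETS)))
    print("fault on Vj->Vk:", suspect_links(*run_path(PATH, PACKETS, corrupt_link=1)))
```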
JiNao – Protect Link-State Routing
[Diagram: router/OS kernel with a FIB (“Where should I forward this packet?”) fed by the RIBs of the EIGRP, BGP and OSPF routing protocols; JiNao sits between the OSPF originator and the network, with a Prevention Module, an Interception Module, a Protocol Engine (statistical analysis and protocol analysis), a Detection Module, a Decision Module and an Information Abstraction Module feeding an IDS MIB through an SNMPv3 engine to the Security Officer]
Finite state machine with timing analysis verifies validity of OSPF actions, and guards against any intrusion – even one with “valid” security credentials