towards automating intrusion alert analysis

Computer Science

Towards Automating Intrusion Alert Analysis

Peng Ning, Yun Cui, Douglas S. Reeves, and Dingbang Xu

Cyber Defense Laboratory

Department of Computer Science

North Carolina State University

Computer Science 2

Background

• Traditional intrusion detection systems (IDS)– Focus on low-level attacks or anomalies– Actual alerts are mixed with false alerts– Intensive intrusions unmanageable amount of

alerts

• It’s necessary to develop automatic tools to construct attack scenarios and facilitate intrusion analysis.

Computer Science 3

Related Research

• Exploit similarities between alert attributes– Ex.: Valdes and Skinner (2001), Staniford et al. (2000)

• Exploit known attack scenarios– Ex.: Cuppens and Ortalo (2000), Dain and

Cunningham (2001), Debar and Wespi (2001)

• Use pre- and post-conditions of attacks– JIGSAW by Templeton and Levitt (2000)

• Cannot deal with missing detections and failed attacks• Our initial work is an extension to JIGSAW

– MIRADOR approach by Cuppens and Miege (2002)• Developed independently and in parallel to our work

– Our work (2002, 2003)• Others

– M2D2 by Morin et al. (2002), Mission-Impact by Porras et al. (2002)

Computer Science 4

Outline

• Construct attack scenarios from intrusion alerts via correlation– Correlation based on prerequisites and

consequences of attacks

• Analyze intensive alerts

• Extract attack strategies from correlated alerts

Computer Science 5

Correlation Based on Prerequisites and Consequences of Attacks

• Goal– Construct high-level attack scenarios from low-

level alerts

Computer Science 6

Correlation Based on Prerequisites and Consequences of Attacks (Cont’d)• Basic Idea

– Hyper-alert types: Encode our knowledge about each type of attacks

• Prerequisites and Consequences– Reason about hyper-alerts based on the knowledge

Prerequsite: ExistHost(VictimIP)^VulnerableSadmind(VictimIP)

Consequence: {GainAccess(VictimIP)}

Alert attributes: {VictimIP, VictimPort}

SadmindBufferOverflow

Computer Science 7

C(h1) = {VulnerableSadmind(152.1.19.5),

VulnerableSadmind(152.1.19.9)}

h1 h2

P(h2) = {ExistHost(152.1.19.5),

VulnerableSadmind(152.1.19.5)}

SadmindPing SadmindBufferOverfow

Correlation Based on Prerequisites and Consequences of Attacks (Cont’d)• Reasoning of alerts

– An earlier hyper-alert prepares for a later one if the former makes the later easier to be successful

• Decompose prerequisites and consequences into pieces of predicates

• Match the predicates

Computer Science 8

Experimental Evaluation

• Purposes of experiments– How well can the proposed method construct

attack scenarios?– Can alert correlation help differentiate between

true and false alerts?• Conjecture: correlated alerts are more possible to be true

alerts.

Computer Science 9

Experimental Evaluation (Cont’d)

• DARPA 2000 intrusion detection scenario specific datasets– A novice attacker installs components for and carries out a

DDOS attack – LLDOS 1.0 (inside and DMZ)– LLDOS 2.0.2 (inside and DMZ)

•NetPoke

•RealSecure

•Network Sensor•Isolated network

Computer Science 10

Hyper-Alert Correlation Graph Discovered from the Inside Traffic of LLDOS 1.0

Computer Science 11

Experimental Evaluation (Cont’d)

• Two measures– Completeness: How well can we correlate the related

alerts?

– Soundness: How correctly are the alert correlated?€

Rc =#Correctly Correlated Alerts

#Related Alerts

€

Rs =#Correctly Correlated Alerts

#Correlated Alerts

Computer Science 12

Experimental Evaluation (Cont’d)

0%10%20%30%40%50%60%70%80%90%

100%

DataSet1

DataSet2

DataSet3

DataSet4

CompletenessSoundness

Computer Science 13

Experimental Evaluation (Cont’d)

0102030405060708090

100

DataSet 1

DataSet 2

DataSet 3

DataSet 4

Before Correlation

After Correlation

0

10

20

30

40

50

60

70

80

Data Set 1 Data Set 2 Data Set 3 Data Set 4

False Positive Rate

Detection Rate

Computer Science 14

• Additional details can be found in– Peng Ning, Yun Cui, Douglas S. Reeves, "Constructing

Attack Scenarios through Correlation of Intrusion Alerts," in ACM CCS 2002, pages 245--254, November 2002.

Computer Science 15

Analyze Intensive Intrusion Alerts

• Limitations of the previous correlation technique– Difficult to cope with very large set of correlated

alerts

• Our solution– Interactive analysis utilities

• Independent• Complementary • Used as building blocks• Can be applied iteratively to a previous analysis results.

Computer Science 16

Interactive Analysis Utilities

• Hyper-alert generating utilities– Aggregation/disaggregation

– Clustering analysis

• graph decomposition: a special case

– Focused analysis

• Feature extraction utilities– Frequency analysis

– Link analysis

– Association analysis

Computer Science 17

Alert Aggregation/Disaggregation

• Aggregation– To simplify the correlation graph, the same type of hyper-

alerts can be aggregated together.• An interval constraint (e.g. 10 seconds) is used to control the

aggregation.

Computer Science 18

Aggregation/Disaggregation with Abstraction

• Alerts reported by IDSs usually are low-level alerts, and can be abstracted to more general alerts.

• Hyper-alerts can be aggregated together and form new hyper-alerts with more abstracted alert type.– The abstraction level to be aggregated

– Interval constraint

Computer Science 19

Alert Aggregation/Disaggregation (cont’d)

• Disaggregation – Aggregated hyper-alerts can be disaggregated to show

detailed information.

Disaggregate

Computer Science 20

Case Study with DEFCON8 Dataset

• Some common attack strategies were easily identified– e.g., Nmap_Scan PmapDump ToolTalk_Overflow

– e.g., HTTP-based attacks from 010.020.011.074 to 010.020.001.014, 010.020.001.015, 010.020.001.019…

• Observation– There were many BackOrifice and NetBus alerts

– i.e., attackers were coordinating multiple machines during their attacks

– Makes correlation and attack identification more difficult!

• Selected results

Computer Science 21

Using Adjustable Graph Reduction

• Most hyper-alerts of the same type are close to each other in time in the DEFCON8 dataset

0

5000

10000

15000

20000

25000

0 20 40

Interval constraint (seconds)

Count

# nodes

# edges

Computer Science 22

Largest Correlation Graph after Maximum Graph Reduction

Aggregated from a graph with

•2,940 nodes

•25,321 edges

Computer Science 23

Using Graph Decomposition

• Clustering Constraint:• (A1.srcIP = A2.srcIP) ^

(A1.destIP = A2.destIP)

Intuition: sharing the same source and destination IP addresses.

Computer Science 24

• Additional details can be found in– Peng Ning, Yun Cui, Douglas S. Reeves, "Analyzing

Intensive Intrusion Alerts Via Correlation," in RAID 2002, pages 74--94, October 2002.

Computer Science 25

Learning Attack Strategies from Correlated Alerts• It’s desirable, and sometimes necessary, to understand

attackers’ strategies– Intrusion response, incident handling, profiling attackers or

attacking tools, etc.

• Static vulnerability analysis – Example: Attack graphs– Requires specifications of security properties– Limited to combinations of known attacks

• Learning attack strategies from alerts– Complement static vulnerability analysis– Allow examination of attack strategies in different

granularities

Computer Science 26

Representation of Attack Strategies

• Attack strategy– Intrinsic relationships between steps in a sequence of

attacks

– Intuition: an attack strategy consists of attack steps and the constraints among these steps

• Attack strategy graph– A graph representation that captures the intrinsic

relationships between steps in an attack strategy.

Computer Science 27

Equality Constraint

• An equality constraint for hyper-alert types T1 and T2

– Equality relations between attributes in these two types.

– Given a type T1 alert h1 and a type T2 alert h2

• h1 prepares for h2 if they satisfy an equality constraint

– Can be derived from T1 and T2.

T1 T2

SadmindPing SadmindBufferOverfow

T1.destIP = T2.victimIP

•VulSadmind(VictimIP)•VulSadmind(destIP)

consequenceprerequisite

Computer Science 28

Attack Strategy Graph

• Extracted from LLDOS 1.0 alerts (IDS: RealSecure)

QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.

Computer Science 29

Learning Algorithm

• Two steps– Aggregate intrusion alerts that belong to the same

step of a sequence of attacks into one hyper-alert– Extract the constraints between the attack steps

• The result is represented as an attack strategy graph

Computer Science 30

• Additional details can be found in– Peng Ning, Dingbang Xu, "Learning Attack

Strategies from Intrusion Alerts," To appear in ACM CCS 2003, October, 2003.

Computer Science 31

Future Work

• Intrusion Alert Analysis– Integrate intrusion alerts with other information

sources– Hypothesize and reason about missed attacks

Computer Science 32

Thank You!