
Page 1: Intrusion Detection: New Directions Teresa Lunt Xerox Palo Alto Research Center tlunt@parc.xerox.com


Page 2: Detection & Response

[Figure: the detection-and-response cycle. Components shown: several Sensors, the IDS, an Emergency Mode Activator, a Decoy/Sensor, the Fishbowl, the Critical System, and Cleanup.]

1. Sensors perform security monitoring
2. Intrusion detector alerts on possible attack
3. Essential systems increase their degree of protection & robustness
4. Fishbowl created to divert the attacker and observe the attack
5. Human-assisted incident response restores service and secure state

Detect, isolate, reconfigure, repair

Page 3: Data Collection

• What level of data to collect
– OS system calls
– OS command line
– network data (e.g., from router and firewall logs or MIBs)
– within applications
– keystrokes
– all characters transmitted

• Tradeoffs in:
– types of intrusions that can be detected
– complexity and volume of data
– ability to formulate rules that characterize intrusions
– ease of playback
– ease of damage assessment or evidence gathering
– data reliability
– degree of privacy invasion

Page 4: Typical OS Audit Record Fields

• subject – identifies user, session, and location
• action – the action attempted
• object – what the subject acted upon; subfields depend on type of action
• errorcode
• resource-info – CPU, memory, I/O
• timestamp

Page 5: State of the Art

• Host-based vs. network-based
– Do not detect attacks that disrupt or manipulate the infrastructure

• Knowledge-based
– Look for patterns associated with known intrusions
– Detect only what you know to look for
– Most systems look for only a dozen or so intrusion types
– Serious foes will use “surprise” attacks we haven’t seen before

• High number of false alarms
– Much flagged activity is of little concern (e.g., password guessing)
– Extremely large numbers of alarms, which must be investigated manually
– Lack of discrimination between suspicious and normal behaviors

Page 6: State of the Art cont’d

• Line monitors (eavesdrop on a communications line)
– View is restricted to what passes over a given line
– Too much data must be examined and logged
– Considerably weakened if encryption is used

• Can monitor small numbers of machines/entities
– Audit logs do not scale well
– Monitoring individual users and machines
– No ability for cooperating detectors, which could filter events of lesser or only local concern

• Lack of robustness
– Cannot deal with missing, incomplete, untimely, or otherwise faulty data

• Unix-specific

Page 7: Research Challenges

• Detect a wide variety of intrusion types
• Very high certainty
• Real-time detection
• Develop a network-wide view rather than local views
• Analysis must work reliably with incomplete data
• Detect unanticipated attack methods
• Scale to very large heterogeneous systems
• What data to collect for maximal effectiveness; network instrumentation
• Automated response
• Discover or narrow down the source of an attack
• Integrate with network management and fault diagnosis
• Infer intent; forming the big picture
• Cooperative problem solving

Page 8: Methods under Investigation

• Methods to detect highly unusual events or combinations of events
– Statistical methods
– Neural networks
– Machine learning

• Methods to detect activity outside prescribed bounds
– Specification-based detection

[Figure: the two detection styles side by side. Statistical: activity is compared against a Profile of Acceptable behavior and a Discrepancy is flagged. Structural: activity is compared against a Model/Pattern of Illegal behavior and a Match is flagged.]

• New knowledge-based analysis techniques
– Graphical intrusion detection
– State transition models (model-based detection)

• Traceback methods
– Thumbprinting

Page 9: Cooperating Detectors

[Figure: several IDS nodes, each fed by its own Sensors, linked to one another.]

Also needed: Efficient and effective methods for peer-to-peer cooperative problem solving to be applied to the detection problem
– To filter events of only local concern
– To assess a larger “region”

Page 10: Advanced Techniques

• Statistical anomaly detection (SRI, CMU)
– establish a historical behavior profile for each desired entity (e.g., user, group, device, process)
– compare current behavior with the profiles
– detects departures from established norms
– continuously update profiles to “learn” changes in subject behavior
– addresses unanticipated intrusion types

• Early statistical studies:
– SRI study (Javitz et al):
• Showed users could be distinguished from each other based on patterns of use
– Sytek study (Lunt et al):
• Showed behavior characteristics can be found that discriminate between normal user behavior and simulated intrusions
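The profile-and-compare loop described on this slide, as an added Python example that is not from the talk or from the SRI/CMU systems: one entity's profile for one measure is kept as an exponentially weighted mean and variance, each new observation is scored by its distance from the profile, and the profile is then updated so that a slow change in habits is learned rather than alarmed on. The sample CPU-seconds series, the decay factor and the threshold are constructed assumptions.

```python
import math

class Profile:
    """Running behaviour profile of one entity for one measure (here: CPU
    seconds per login session). Old behaviour fades exponentially, so the
    profile "learns" gradual changes instead of alarming on them."""

    def __init__(self, decay=0.9, min_history=5):
        self.decay = decay              # weight kept from the past on each update
        self.min_history = min_history  # observations needed before judging
        self.mean, self.var, self.n = 0.0, 0.0, 0

    def update(self, value):
        if self.n == 0:
            self.mean = value
        else:
            diff = value - self.mean
            self.mean = self.decay * self.mean + (1 - self.decay) * value
            self.var = self.decay * (self.var + (1 - self.decay) * diff * diff)
        self.n += 1

    def departure(self, value):
        """Distance of an observation from the profile, in standard deviations."""
        if self.n < self.min_history:
            return 0.0
        # Floor the spread at 10% of the mean so a very regular subject does
        # not trigger on tiny absolute changes.
        sd = max(math.sqrt(self.var), 0.1 * abs(self.mean), 1e-9)
        return abs(value - self.mean) / sd

def score_sessions(values, threshold=3.0):
    """Flag observations more than `threshold` standard deviations from the
    running profile. Every observation is folded into the profile afterwards
    (the slide's continuous update); a production system would withhold the
    flagged ones so an intruder cannot slowly train the profile."""
    profile, flagged = Profile(), []
    for i, v in enumerate(values):
        if profile.departure(v) > threshold:
            flagged.append(i)
        profile.update(v)
    return flagged, profile

# Constructed sample: CPU seconds per session for one user (not real data).
NORMAL = [1.9, 2.0, 2.1, 2.05, 1.95] * 4          # stable habits
RAMP = [2.0 + 0.01 * k for k in range(1, 101)]     # workload grows slowly to 3.0

def demo():
    flagged, profile = score_sessions(NORMAL + RAMP)
    # One session using 30 CPU seconds, judged against the learned norm of ~3.
    return flagged, profile.mean, profile.departure(30.0)
```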

Page 11: Advanced Techniques cont’d

• Machine learning (LANL)
– Builds a massive tree of statistical “rules” (typically 100,000’s of them)
– Branches are labeled with conditional probabilities
– Prunes the tree to a maximum depth of four to six
– Low-occurrence branches are combined
– Tree is “trained” from a few days of data
– Tree cannot be updated to “learn” as usage patterns change
– Activity is considered abnormal if it does not “match” a branch in the tree, or if it matches a branch whose last node has a low conditional probability

• Meta-Learning (Columbia University)
– Meta-learning integrates a number of separately learned classifiers
– Multi-layered approach:
• machine learning and decision procedures detect intrusions locally
• meta-learning and decision procedures integrate the collective knowledge acquired by the local agents

Page 12: Advanced Techniques cont’d

• Computational immunology
– based on biological analogies (e.g., self vs. non-self discrimination)
– build up a database of observed short sequences of system calls for a program and detect when the observed program behavior exhibits short sequences not in that database (U. of NM)
– allows the detection of tampered or malicious programs or other suspicious events
– this potentially lightweight method is being implemented in small, autonomous agents in a CORBA environment (ORA)
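The short-sequence database on this slide, as an added Python example that is not from the talk or the U. of NM implementation: every length-k window of system-call names seen in normal runs forms the program's "self" set, and a new trace is scored by the fraction of its windows absent from that set. The call traces and the window length k=3 are constructed assumptions.

```python
# Constructed sample traces of system-call names from normal runs of one
# program (illustrative labels, not captured from any real program).
NORMAL_TRACES = [
    ["open", "read", "read", "close", "open", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "read", "read", "close"],
]

def windows(trace, k):
    """All length-k sliding windows of a call trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_database(traces, k=3):
    """The program's 'self': every short sequence seen while it ran normally.
    Training must cover all legitimate code paths, otherwise rare but benign
    behaviour (error handling, signals) will later look like non-self."""
    return {w for trace in traces for w in windows(trace, k)}

def score_trace(trace, db, k=3):
    """Return (mismatched windows, total windows) for a new trace. Windows
    absent from the database are 'non-self'; a tampered program typically
    produces a burst of them, e.g. a binary that never spawned a child
    process suddenly doing so."""
    ws = windows(trace, k)
    misses = sum(1 for w in ws if w not in db)
    return misses, len(ws)

def is_anomalous(trace, db, k=3, max_mismatch=0.1):
    """Flag a trace whose mismatch ratio exceeds max_mismatch (a tunable
    tolerance for the few legitimate sequences training never saw)."""
    misses, total = score_trace(trace, db, k)
    return total > 0 and misses / total > max_mismatch

def demo():
    db = build_database(NORMAL_TRACES, k=3)
    benign = ["open", "read", "read", "read", "read", "close"]
    # Constructed trace of the same program spawning a child process, which
    # it never did in training.
    suspect = ["open", "read", "read", "fork", "execve", "close"]
    return score_trace(benign, db), score_trace(suspect, db), len(db)
```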

Page 13: Advanced Techniques cont’d

• Model-based detection
– Detects suspicious state transitions (UC Santa Barbara)
• specifies penetration scenarios as a sequence of actions
• keeps track of interesting “state changes”
• attempts to identify attacks in progress before damage is done
– Adapt model-based diagnosis, which has been successful in diagnosing faults in microprocessors, to intrusion detection (MIT)

• Graphical detection (UC Davis)
– detects intrusions whose activity spans many machines that could be difficult to detect locally
– specifies intrusion scenarios as graphs of actions covering many machines
– the graphs provide an intuitive visual display
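The state-transition idea on this slide, as an added Python example that is not from the talk or the UC Santa Barbara system: a scenario is an ordered sequence of audit action types, one state machine per (scenario, subject) advances as matching events arrive, a warning is raised while the final step is still outstanding, and an alert when it completes. The scenario, its action names and the event stream are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    steps: tuple    # ordered action types; the final step is the damaging one

@dataclass(frozen=True)
class Event:
    subject: str    # user/session the audit record attributes the action to
    action: str

class ScenarioTracker:
    """One state machine per (scenario, subject). Events that are not the next
    expected step leave the state untouched, so unrelated activity may be
    interleaved. A 'warning' fires when only the final step remains (attack in
    progress, before damage) and an 'alert' when the scenario completes."""

    def __init__(self, scenarios):
        self.scenarios = scenarios
        self.state = {}   # (scenario name, subject) -> index of next expected step

    def observe(self, event):
        findings = []
        for sc in self.scenarios:
            key = (sc.name, event.subject)
            i = self.state.get(key, 0)
            if event.action != sc.steps[i]:
                continue
            i += 1
            if i == len(sc.steps):
                findings.append(("alert", sc.name, event.subject))
                self.state[key] = 0      # completed: start over for this subject
            else:
                self.state[key] = i      # a real deployment also expires stale state
                if i == len(sc.steps) - 1:
                    findings.append(("warning", sc.name, event.subject))
        return findings

# Constructed scenario and audit stream (illustrative, not from the talk).
TAKEOVER = Scenario("account-takeover", (
    "auth_failure", "auth_failure", "auth_success", "privilege_change",
    "sensitive_file_write"))

EVENTS = [Event("alice", "auth_success"), Event("bob", "auth_failure"),
          Event("alice", "file_read"), Event("bob", "auth_failure"),
          Event("bob", "auth_success"), Event("alice", "privilege_change"),
          Event("bob", "privilege_change"), Event("bob", "sensitive_file_write")]

def demo(events=EVENTS):
    tracker = ScenarioTracker([TAKEOVER])
    return [f for e in events for f in tracker.observe(e)]
```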

Page 14: Advanced Techniques cont’d

• Specification-based detection (UC Davis)
– detects departures from security specifications of privileged programs
– allows detection of unanticipated attacks

• Thumbprint technique (UC Davis)
– allows limited traceback
– thumbprint is a statistical digest of an interval of a communications channel
– matching thumbprints can be used to reconstruct the path of an intruder

Page 15: Advanced Techniques cont’d

• Signalling Infrastructure Detection (GTE)
– detect anomalous events in a network and signalling infrastructure typical of telephone service providers
– designed for integration into network operations centers
– uses existing systems/tools for data collection
– uses anomaly detection and specific signalling protocol “sanity checks”

• Detection in high-speed networks (MCNC)
– Integrates anomaly detection techniques with network management for ATM networking (IP over ATM)
– Logical analysis of routing protocol operation to detect anomalous states

Page 16: Advanced Techniques cont’d

• Automated response (Boeing)
– Integrates firewall, intrusion detection, filtering router, and network management technologies
– Local intrusion detectors determine threat presence
– Firewalls communicate intrusion detection information to each other
– Firewalls cooperate to locate the intruder
– Network managers automatically reconfigure the network to thwart the attack
– Firewalls and filtering routers dynamically alter filtering rules to block the intruder
– Dynamic reconfiguration of logging, monitoring, and access control in response to detected suspicious activity
– "Fusion" of intrusion-detection data reported by different detectors
– The monitoring is also adapted as part of the response, to help pinpoint the problem and its source

Page 17: Advanced Techniques cont’d

• Survivable Active Networks (Bellcore)
– Will allow highly configurable network elements to cooperate with networked hosts to detect, isolate, and recover quickly and automatically from damage due to errors or malicious attacks
– "Ablative software" will allow suspect activity to be "peeled off" the system while continuing to operate in a microenvironment

• Planning and procedural reasoning (SRI)
– Suggest and implement incident recovery procedures
– Uses AI-based automated planning technology for both analysis and recovery and repair
– Generates explanations to help the sys admin understand what happened and what to do about it
– Integrate intrusion response tools, to combine the functionality of many tools that specialize in particular areas of incident management, into a security anchor desk (USC-ISI)

Page 18: Open Questions

• Detection performance in realistic settings with single methods and combinations of methods
• Detection performance with faulty and missing data
• False positive and false negative rates
• Time to detection
• Scalability
• Dependence on good intruder models
• Distinction from common failure modes
• What data to collect/observe

Page 19: Common Intrusion Detection Framework

[Figure: reference architecture. Event generators E1, E2, E3 feed event analyzers A1 and A2; an event database D and a system-specific controller C are connected to them through a Standard API. Legend: E = Event Generator, A = Event Analyzer, D = Event Database, C = System-specific Controller.]

Reference Architecture

Standard Interfaces
– an interconnection framework for data collection, analysis, and response components
– extensible architecture
– reuse of core technology
– facilitate tech transfer
– reduce cost

Page 20: Strategic Intrusion Assessment

[Figure: reporting hierarchy, top to bottom: International/Allied Reporting Centers; National Reporting Centers; DoD Reporting Centers; Regional Reporting Centers (CERTs); Organizational Security Centers; Local Intrusion Detectors. Functions listed alongside the higher layers: Correlation, Patterns, Classification, Infer intent, Assess damage, Predict future status, Assess certainty.]

• In a two-week period, AFIWC’s intrusion detectors at 100 AFBs alarmed on 2 million sessions
• After manual review, these were reduced to 12,000 suspicious events
• After further manual review, these were reduced to four actual incidents

• Most alarms are false positives
• Most true positives are trivial incidents
• Of the significant incidents, most are isolated attacks to be dealt with locally

Page 21: Strategic Intrusion Assessment

Correlate & infer intent; suppress false alarms

• Plan recognition
– Hypothesize goals for IW adversaries
– Develop plans for accomplishing each goal (automated planning technology)
– Overlay with observed incident data to discover intent (plan recognition technology)
– Estimate certainty

• Peer-to-peer cooperation among detectors to decide what to report to higher levels. Detectors must be able to:
– discover each other
– negotiate requirements
– collaborate on diagnosis/response

• Improve individual detectors
• Distinguish what is trivial from significant
• Distinguish what is locally relevant

Page 22: Security Detection and Response Center

[Figure: one center with the functions Detection, Assessment, Response, Tracing, and Notification to peers; it receives reported events from lower layers and reports to higher layers. Shading legend: Significant investment; Early speculative investigations; No research.]

Functions:
• Detection: Analyzes and filters events reported from lower layers
– for items of interest to this layer, and
– for reporting to higher layers
• Assessment: to understand coordinated events
– of interest at this layer, and
– for reporting to higher layers
• Tracing (e.g., IDIP, active nets)
• Automated response (e.g., IDIP for connection closing/filtering)
• Event notification

Page 23: DARPA/AFRL Evaluations

• Evaluations intended to drive improvements
• Two rounds: one in 1998 (completed) and one in 1999
– results reported at Dec 1998 DARPA PI meeting
– Data sources for 1998 were TCP dump and Unix audit logs
– 1999 evaluation will include NT and other data sources

• Live evaluation on a network at MIT/LL using simulated data similar to AFB data
– Generated large amounts of realistic background traffic similar to observed/collected AFB traffic
– Created the largest known collection of automated attacks with signatures (audit and sniffing)
– Considered both known and new (never seen before) attacks
– Capable of measuring both detection and false alarm rates

• Projects also performed self-evaluations using extensive training and testing data sets

Page 24: Live Testbed Configuration for 1999 Evaluation

[Figure: network diagram. The “INSIDE” network (172.16 - eyrie.af.mil) sits behind an inside gateway and a Cisco router and contains workstations (Sparc, Ultra, 486 hardware running Linux, SunOS, Solaris and NT), PCs, web servers, a Sniffer, and an Audit Host. The “OUTSIDE” side (Many IP Addresses) is reached through an outside workstation gateway and an outside web gateway. Data collected: AUDIT DATA, SNIFFED DATA, DISK DUMPS.]

Page 25: Best combination of research prototypes

[Figure: plot of ATTACKS DETECTED (%) (0 to 100) against FALSE ALARMS (%) on a logarithmic axis (0.001 to 100), with two curves: KEYWORD BASELINE and BEST COMBINATION.]

• Over two orders of magnitude reduction in false alarms with improved detection accuracy

Keyword baseline similar to COTS and GOTS products

Page 26: Conclusions

• Currently available technology is not adequate for the problem

• Promising methods under investigation show significant improvement over current technology

• There is still a lot more to be done