What About Scanning? Analyzing Scan Data as part of a “Defense in Depth” Solution to the High Bandwidth Intrusion Detection Problem Douglas Cress


Page 1: What About Scanning?

What About Scanning?
Analyzing Scan Data as part of a “Defense in Depth” Solution to the High Bandwidth Intrusion Detection Problem
Douglas Cress

Page 2: What About Scanning?

M.S. Thesis Defense 8/6/03 2

The Way Ahead

Introduction and Motivation
Description of Scanning
Analyzing NIDS Alerts
Experiment Description
Conclusions and Future Work

Page 3: What About Scanning?


High Bandwidth Intrusion Analysis Challenges

Class A networks have 16 million hosts; Class B networks have 65,535 hosts
Both class sizes require bandwidth in the multiple T3 (45 Mb/s ~ 486 GB/day) to OC-3 (155 Mb/s ~ 1.67 TB/day) range
Detecting intrusions at line rate is basically impossible
Most NIDS only sample the data stream at such high bandwidths

Page 4: What About Scanning?


High Bandwidth Intrusion Analysis Challenges

Small number of defenders vs. overwhelming force of attackers
  Global Information Assurance Certification (GIAC) has certified only 643 people since 2000!
Constantly changing vulnerability landscape
  2,572 unique entries in the Common Vulnerabilities and Exposures (CVE) database
Ever increasing rise of non-mission essential software
  P2P, Chat, Warez etc.

Page 5: What About Scanning?


High Bandwidth Intrusion Analysis Challenges

Poor tools
  Visualizations break down because of the massive amount of data
  Meta-data like Cisco NetFlow isn’t sufficient to prove an intrusion
  Even Network Intrusion Detection Systems (NIDS), if poorly configured, can output more false alarms than true alarms

Page 6: What About Scanning?


Hacker Methodology

1. Information gathering – Scanning
2. Initial penetration – Buffer overflow
3. Privilege escalation – Password cracking
4. Various Activities – Data extraction
5. Attack Relay – Violate trust relationships

Page 7: What About Scanning?


High Bandwidth Intrusion Analyst Solutions

Defense in Depth
  Physical devices: routers, firewalls, NIDS etc.
  Organization security policies: fair-use, virus scanning, etc.
  Analysis methods: Real-Time, Trend, Area Of Responsibility (AOR), etc.

Page 8: What About Scanning?


Defense in Depth

Router
Firewall
NIDS
HIDS

Page 9: What About Scanning?


Thesis Synopsis

Reduce wasted analyst time by identifying most likely true-positive NIDS alerts based on related previous scanning

Using UMBC as a testing ground for theories

Novelty and Significance of work

Page 10: What About Scanning?


Background TCP/IP

TCP, UDP, and ICMP are all susceptible to scanning
TCP has the three-way handshake: SYN, SYN-ACK, ACK
UDP provides auto-response for available services
ICMP provides challenge and response functionality

Page 11: What About Scanning?


Types of Scans

Scanning is not illegal (Moulton vs. VC3, 2000)
Half-open scan (aka SYN scan)
Null-host scan
OS scan
Packaged scan and attack tool

Page 12: What About Scanning?


Scan Tools

NMAP (Network Mapper) – Most famous, most options
Nessus – One of many vulnerability scanners
Grim’s Ping – FTP Warez emplacement tool

Page 13: What About Scanning?


Generic NIDS Description

Network appliance designed to examine all passing traffic for embedded intrusions

Produces alarms / alerts for an analyst to review

Anomaly-based vs. Signature-based
Common vendors include ISS’s RealSecure, Cisco’s IDS, Enterasys’s Dragon, and SNORT

Page 14: What About Scanning?


Brief Description of SNORT

Open source – libpcap based
3 parts: packet decoder, detection engine, alert / logging system
SNORT pre-processors: stream4, conversation, and portscan2

Page 15: What About Scanning?


Parsing Logs

UMBC has over 15 million alerts a day
Use Perl to quickly parse logs to mine the most important information
Figure out who is involved in scanning (both source and destination IP)
Look for alerts either from or to IPs related to previously detected scanning

Page 16: What About Scanning?


Predictive Analysis / Attack Forecasting

Data mining techniques are good for trend analysis

Type of scan should indicate skill level of attacker
  SYN-scan perpetrated by worm or script-kiddie
  Null-host scan wielded by skilled attacker

Page 17: What About Scanning?


UMBC’s fitness as a Testing Ground

Class B address space (130.85.0.0/16)

Varied users and missions: students, administrators, researchers
High bandwidth: multiple T3’s

Small intrusion analysis group

Page 18: What About Scanning?


Long-Term / Trend Analysis

Process of examining intrusion events over a long time period to determine both future events and missed past events

Difficult to perform
  Massive amount of data to process and store
  Urgency of the now often crowds out the long-term view

Page 19: What About Scanning?


November 2002 Raw Alerts

Page 20: What About Scanning?


November 2002 Alert Types

Page 21: What About Scanning?


November Top 5 per Day

Page 22: What About Scanning?


Attack vs. Scan Alerts

[Chart: "November 2002 Scans and Attack Alert Comparison"; Count (Millions), 0 to 2, by Date from 11/1/2002 to 11/29/2002; series: Alerts, Scans]

Page 23: What About Scanning?


Analysis Process

Execute scanTop10.pl against SNORT scan alerts

Execute checkAlerts2.pl to find SNORT attack alerts relating to the top ten scanning parties

Execute checkAlerts2_to_excel.pl to format the data for easy spreadsheet viewing

Page 24: What About Scanning?


November 1st Top 10 Source Scanners

[Pie chart: "Nov 1 Top 10 Source Scanners"; labelled shares 55%, 17%, 13%, 4%, 2%, 1%; legend: 130.85.178.42, 130.85.83.146, 130.85.70.176, 130.85.104.155, 130.85.150.220, 130.85.150.213, 130.85.111.213, 130.85.91.240, 130.85.114.88, 130.85.168.49]

Page 25: What About Scanning?


November 1st Top 10 Scan Victims

[Pie chart: "Nov 1 Top 10 Scan Victims"; labelled shares 59%, 18%, 8%, 8%, 2%, 2%, 2%, 1%; legend: 64.231.48.85, 64.231.48.103, 209.91.161.131, 216.104.117.52, 64.231.49.234, 209.91.176.79, 64.231.48.134, 130.85.140.2, 204.183.84.240, 80.141.108.40]

Page 26: What About Scanning?


Nov 1 Scans vs. Month

[Chart: "11/01/02 Correlated Scans To Attacks for November 2002"; Alarm Count, 0 to 3000, by Date from 11/1/02 to 11/30/02; one series per Nov 1 top-10 scanner or victim: 204.183.84.240, 209.91.161.131, 209.91.176.79, 216.104.117.52, 64.231.48.103, 64.231.48.134, 64.231.48.85, 64.231.49.234, 80.141.108.40, MY.NET.104.155, MY.NET.111.213, MY.NET.114.88, MY.NET.140.2, MY.NET.150.213, MY.NET.150.220, MY.NET.168.49, MY.NET.178.42, MY.NET.70.176, MY.NET.83.146, MY.NET.91.240]

Page 27: What About Scanning?


Term Analysis for November

MY.NET.114.88 => ucommons-114-88.pooled.umbc.edu

MY.NET.170.176 => phaser.ucs.umbc.edu

MY.NET.150.213 => libpc11.lib.umbc.edu

MY.NET.150.220 => paladin.lib.umbc.edu

Page 28: What About Scanning?


Term Analysis for November

Analysis focus for hosts involved in scanning and later attacking
  Red Worm alerts
  x86 setuid exploit alarms
  Null scans

Page 29: What About Scanning?


Four types of hosts

ucommons – Dynamically assigned; could be anybody with a laptop
libpc11 – General use lab computer; rotating user set
paladin – Personal use computer; probably hacked
phaser – SA owned machine; embarrassingly hacked?

Page 30: What About Scanning?


Mar 1 Scans vs. Month

[Chart: "Mar 1 Scans to Rest Alerts"; Alert Count, 0 to 80, by Date from 3/1/2003 to 3/31/2003; one series per host: 12.223.210.92, 129.89.177.104, 142.166.101.40, 192.26.92.30, 192.5.6.30, 200.69.241.141, 208.180.107.153, 24.122.34.47, 62.245.82.59, 67.33.105.181, MY.NET.1.200, MY.NET.196.55, MY.NET.202.194, MY.NET.249.194, MY.NET.97.104, MY.NET.97.124, MY.NET.97.148, MY.NET.97.188, MY.NET.97.29, MY.NET.98.43]

Page 31: What About Scanning?


Term Analysis for March

MY.NET.97.29 => ppp-29.dialup.umbc.edu

MY.NET.97.124 => ppp-124.dialup.umbc.edu

MY.NET.97.148 => ppp-148.dialup.umbc.edu

MY.NET.1.200 => Unresolved

Page 32: What About Scanning?


Term Analysis for March

MY.NET.1.200
  Scanned with NMAP
  Windows SMB attacks
  Watch-listed host attempted access
Three dial-up addresses all involved in IIS (Internet Information Server) attacks

Page 33: What About Scanning?


Real-Time Illustration

November 11, 2002: 1.2 million scans, over 74,000 alerts

Boiled down to two hosts worth investigating

Discovered in less than five minutes

Page 34: What About Scanning?


Nov 11th Scan & Attack Alerts

[Chart: "November 11th Scans and Attacks"; Count (Millions), 0 to 1.2, by Date from 11/1/2002 to 11/29/2002; series: Alerts, Scans]

Page 35: What About Scanning?


Nov 11th Scans correlated to Attacks

[Bar chart: "Nov 11 - 11 Correlated Alerts"; Alert Count, 0 to 1400, per IP address: MY.NET.114.25, MY.NET.88.168, MY.NET.70.200, MY.NET.83.146, MY.NET.70.176, MY.NET.150.220, MY.NET.150.213, MY.NET.139.10; series: Correlated Alerts]

Page 36: What About Scanning?


Real-Time Analysis Nov 11th

MY.NET.150.220 => paladin.lib.umbc.edu
  Accessed over 1000 times by Dutch registered host
  IIS overflow attempt
  Possible Red Worm related activity

Page 37: What About Scanning?


Real-Time Analysis Nov 11th

MY.NET.83.146 => aciv-83-146.pooled.umbc.edu
  Probably wireless host
  250 access attempts from different Dutch registered host
  Further scanning against the UMBC host from a third Dutch host

Page 38: What About Scanning?


Tools Created for Analysis

scanTop10.pl – examines SNORT scan logs and calculates the top 10 scanning offenders and victims

checkAlerts2.pl – compares the output of scanTop10.pl to a SNORT attack alert log

fit_checkAlerts2_to_excel.pl – formats the output from checkAlerts2.pl for absorption into a spreadsheet
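The Perl tools listed above and the three-step process on the "Analysis Process" slide are not reproduced on this page; the following is an added Python sketch of the same two-step correlation (top scan parties, then attack alerts from or to them), not the author's code. It assumes Snort's portscan preprocessor log and alert_fast line formats, and the sample lines are constructed, using addresses from the page plus RFC 5737 test addresses.

```python
import re
from collections import Counter
# Constructed sample lines in the style of Snort's portscan preprocessor log
# (scan.log): "<time> <src>:<sport> -> <dst>:<dport> <scan type> <flags>".
SCAN_LOG = """\
Nov 11 00:01:02 192.0.2.10:3012 -> 130.85.150.220:80 SYN ******S*
Nov 11 00:01:02 192.0.2.10:3013 -> 130.85.150.220:21 SYN ******S*
Nov 11 00:01:03 192.0.2.10:3014 -> 130.85.150.220:443 SYN ******S*
Nov 11 00:02:10 192.0.2.77:4001 -> 130.85.83.146:135 SYN ******S*
Nov 11 00:02:11 192.0.2.77:4002 -> 130.85.83.146:139 SYN ******S*
Nov 11 00:05:00 130.85.150.220:1025 -> 192.0.2.200:1 NULL ********
"""
# Constructed sample lines in the style of Snort's alert_fast output.
ALERT_LOG = """\
11/11-00:10:00.000001 [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Priority: 1] {TCP} 192.0.2.10:3200 -> 130.85.150.220:80
11/11-00:12:30.000002 [**] [1:498:4] ATTACK-RESPONSES id check returned root [**] [Priority: 1] {TCP} 130.85.83.146:22 -> 192.0.2.77:4100
11/11-00:13:00.000003 [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 192.0.2.5 -> 130.85.1.200
"""
SCAN_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (\S+?):\d+ -> (\S+?):\d+ ")
# ICMP alerts carry no ports, so the port part is optional on both sides.
ALERT_RE = re.compile(r"\[\*\*\] \[[\d:]+\] (.*?) \[\*\*\].*\{\w+\} (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$")

def top_scanners(scan_log, n=10):
    """scanTop10.pl-style step: scan events per source and per victim, top n of each."""
    sources, victims = Counter(), Counter()
    for line in scan_log.splitlines():
        if m := SCAN_RE.match(line):       # skip lines that are not scan events
            sources[m.group(1)] += 1
            victims[m.group(2)] += 1
    return dict(sources.most_common(n)), dict(victims.most_common(n))

def correlate_alerts(alert_log, parties):
    """checkAlerts2.pl-style step: attack alerts sent from or to a top scanning party."""
    hits = {}
    for line in alert_log.splitlines():
        if not (m := ALERT_RE.search(line)):
            continue
        sig, src, dst = m.groups()
        for party in (src, dst):
            if party in parties:             # alert "either from or to" a scanner/victim
                hits.setdefault(party, []).append((sig, src, dst))
    return hits

def analyze(scan_log, alert_log, n=10):
    """Whole process: heaviest scan parties first, each with its correlated attack alerts."""
    sources, victims = top_scanners(scan_log, n)
    volume = Counter(sources) + Counter(victims)   # scan events per party
    hits = correlate_alerts(alert_log, set(volume))
    return sorted(hits.items(), key=lambda kv: -volume[kv[0]])
```

The ICMP PING alert involving 130.85.1.200 is parsed but dropped, since neither endpoint appears among the scan parties; that is the reduction in analyst workload the method relies on.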

Page 39: What About Scanning?


Conclusions

My novel analysis method would help a small group of intrusion analysts tackle a large network’s NIDS logs

The analysis method is simple to perform and rapid in execution

Page 40: What About Scanning?


Future Work

Integration of my analysis process into a SNORT Post-Processor would help reduce false-positives

SNORT already exports alerts in XML; is it possible to extend this feature to export alerts in RDFS or DAML+OIL, which could then be reasoned over in order to reduce false positives?

Page 41: What About Scanning?


Future Work

Trend analysis is difficult because of the massive amount of data that must be stored.

Usually this data is stored in a compressed format which is then un-compressed during each search

Page 42: What About Scanning?


Future Work

Perhaps storing a meta-rule version of the alerts, which could then be reasoned over to provide a pointer into exactly the compressed file where the important events are located, would speed the information retrieval process

Page 43: What About Scanning?

??? Questions ???


Page 45: What About Scanning?


Special Thanks

Dr. Nicholas for his help and mentoring

Andy Johnston for providing the SNORT logs and some background on UMBC

Paul Cress for his editing help