An empirical approach to modeling uncertainty in Intrusion Analysis Xinming (Simon) Ou 1 S. Raj Rajagopalan 2 Sakthi Sakthivelmurugan 1 1 – Kansas State University, Manhattan, KS 2 – HP Labs, Princeton, NJ

system administrator Network Monitoring Tools Abnormally high traffic TrendMicro server communicating with known BotNet controllers memory dump Seemingly malicious code modules Found open IRC sockets with other TrendMicro servers netflow dump These TrendMicro Servers are certainly compromised! 2 A day in the life of a real SA Key challenge How to deal with uncertainty in intrusion analysis? Key challenge How to deal with uncertainty in intrusion analysis?

An empirical approach In spite of the lack of theory or good tools, sysadmins are coping with attacks. Can we build a system that mimics what they do (for a start): – An empirical approach to Intrusion Analysis using existing reality Our goal: – Help a sysadmin do a better job rather than replace him 3

High-confidence Conclusions with Evidence Targeting subsequent observations Mapping observations to their semantics IDS alerts, netflow dump, syslog, server log … Observations Internal model Reasoning Engine 4

Capture Uncertainty Qualitatively Confidence level Uncertainty Modes LowPossible p ModerateLikely l HighCertain c Arbitrarily precise quantitative measures are not meaningful in practice Roughly matches confidence levels practically used by practitioners 5

High-confidence Conclusions with Evidence Targeting subsequent observations Mapping observations to their semantics IDS alerts, netflow dump, syslog, server log … Observations Internal model Reasoning Engine 6

Observation Correspondence 7 obs(anomalyHighTraffic)int(attackerNetActivity) obs(netflowBlackListFilter(H, BlackListedIP)) obs(memoryDumpMaliciousCode(H)) obs(memoryDumpIRCSocket(H1,H2)) p int(compromised(H)) l l int(exchangeCtlMessage(H1,H2)) l Observations Internal conditions mode what you can see what you want to know

High-confidence Conclusions with Evidence Targeting subsequent observations Mapping observations to their semantics IDS alerts, netflow dump, syslog, server log … Observations Internal model Reasoning Engine 8

Internal Model 9 Logical relation among internal conditions Condition 1Condition 2 Condition 1 infers Condition 2 int(compromised(H1))int(probeOtherMachine(H1,H2)) int(sendExploit(H1,H2)) int(compromised(H2)) int(sendExploit(H1,H2)) int(compromised(H2)) int(compromised(H1)) int(probeOtherMachine(H1,H2)) direction of, inference mode f, b, p l p c

High-confidence Conclusions with Evidence Targeting subsequent observations Mapping observations to their semantics IDS alerts, netflow dump, syslog, server log … Observations Internal model Reasoning Engine 10

Reasoning Methodology 11 Simple reasoning – Observation correspondence and internal model are inference rules – Use inference rules on input observations to derive assertions with various levels of uncertainty Proof strengthening – Derive high-confidence proofs from assertions derived from low-confidence observations

Example 1 Observation Correspondence 12 int(exchangeCtlMsg( , ), l ) obs(memoryDumpIRCSocket( , )) obsMap obs(memoryDumpIRCSocket(H1,H2))int(exchangeCtlMessage(H1,H2)) l

Example 2 Internal Model 13 int(exchangeCtlMsg( , ), ) obs(memoryDumpIRCSocket( , )) int(compromised( ), ) l obsMap Int rule l

Proof Strengthening 14 Observations: f is likely true O1O1 O2O2 f is certainly true proof strengthening O3O3

Proof Strengthening 15 A A A A A A l l c p strengthen

Proof Strengthening 16 int(exchangeCtlMsg( , ), l ) obs(memoryDumpIRCSocket( , )) int(compromised( ), l ) obsMap intR obs(memoryDumpMaliciousCode(’ ’)) int(compromised( ), l ) obsMap int(compromised( ), ) strengthenedPf strengthen( l, l ) = c c

Evaluation Methodology Test if the empirically developed model can derive similar high-confidence trace when applied on different scenarios Keep the model unchanged and apply the tool to different data sets 17

SnIPS (Snort Intrusion Analysis using Proof Strengthening) Architecture 18 Reasoning Engine Snort alerts (convert to tuples) Observation Correspondence User query, e.g. which machines are “certainly” compromised? High-confidence answers with evidence pre-processing Internal Model Snort Rule Repository Done only once

Snort rule class type 19 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access”;uricontent:"/guestbook.pl”; classtype:attempted-recon; sid:1140;) obsMap(obsRuleId_3615, obs(snort(’1:1140’, FromHost, ToHost)), int(probeOtherMachine(FromHost, ToHost)), ? ). Internal predicate mapped from “classtype”

Snort rule documents 20 Impact: Information gathering and system integrity compromise. Possible unauthorized administrative access to the server. Possible execution of arbitrary code of the attackers choosing in some cases. Ease of Attack: Exploits exists obsMap(obsRuleId_3614, obs(snort(’1:1140’, FromHost, ToHost)), int(compromised(ToHost)), p ) Hints from natural-language description of Snort rules obsMap(obsRuleId_3615, obs(snort(’1:1140’, FromHost, ToHost)), int(probeOtherMachine(FromHost, ToHost)), ). l ?

Automatically deriving Observation Correspondence Snort has about 9000 rules. This is just a base-line and needs to be fine-tuned. Would make more sense for the rule writer to define the observation correspondence relation when writing a rule 21 Internal Predicate% of rules Mapped automatically59% Not mapped automatically41%

Data set description Treasure Hunt (UCSB 2002) – 4hrs – Collected during a graduate class experiment – Large variety of system monitoring data: tcpdump, sys log, apache server log etc. Honeypot (Purdue, 2008) – 2hrs/day over 2 months – Collected for spam analysis project – Single host running misconfigured Squid proxy KSU CIS department network 2009 – 3 days – 200 machines including servers and workstations. 22

Some result from Treasure Hunt data set 23 | ?- show_trace(int(compromised(H), c)). int(compromised(’ ’),c) strengthenedPf int(compromised(’ ’), p) intRule_1 int(probeOtherMachine(’ ’,’ ’), p) obsRulePre_1 obs(snort(’122:1’,’ ’,’ ’,_h272)) int(compromised(’ ’),l) intRule_3 int(sendExploit(’ ’,’ ’), l) obsRuleId_3749 obs(snort(’1:1807’,’ ’,’ ’,_h336)) An exploit was sent to A probe was sent from was certainly compromised!

Data Reduction Data setDuration of Network traffic Snort alertspre-processed alerts High- confidence proofs Treasure Hunt4 hours4,849, Honeypot2 hrs/day for 2 months 637, CIS Network3 days1,138,

Related work Y. Zhai et al. “Reasoning about complementary intrusion evidence,” ACSAC 2004 F. Valeur et al., “A Comprehensive Approach to Intrusion Detection Alert Correlation,” 2004 Goldman and Harp, "Model-based Intrusion Assessment in Common Lisp", 2009 C. Thomas and N. Balakrishnan, “Modified Evidence Theory for Performance Enhancement of Intrusion Detection Systems”,

Summary Based on a true-life incident we empirically developed a logical model for handling uncertainty in intrusion analysis Experimental results show – Model simulates human thinking and was able to extract high-confidence intrusion – Model empirically developed from one incident was applicable to completely different data/scenarios – Reduction in search space for analysis 26

Future Work Continue the empirical study and improve the current implementation Establishing a theoretical foundation for the empirically-developed method – Modal logic – Dempster-Shafer Theory – Bayes Theory 27

Thank you Questions? 28

Summarization 29 Compact the information entering reasoning engine Group similar “internal condition” into a single “summarized internal condition”

Comparison of the three data sets 30

Output from CIS 31 int(compromised(' '),c) strengthenedPf int(compromised(' '),l) intRule_1b int(probeOtherMachine(' ',' '),l) sumFact summarized(86) int(compromised(' '),l) intRule_3f int(sendExploit(' ',' '),c) strengthenedPf int(sendExploit(' ',' '),l,) sumFact summarized(109) int(skol(sendExploit(' ',' ')),p) IR_3b int(compromised(' '),p) sumFact summarized(324)