GPN 2009 May 29, Kansas City, Missouri An open security defense architecture for open collaborative cyber infrastructures Xinming (Simon) Ou Kansas State.

GPN 2009, May 29, Kansas City, Missouri

An open security defense architecture for open collaborative cyber infrastructures
Xinming (Simon) Ou, Kansas State University
The Great Plains Network Annual Meeting 2009, Kansas City, Missouri

Challenges to securing cyber infrastructures

Cyber warfare is asymmetric
– Attack only needs to break a few points
– Defense has to be comprehensive
Attackers have an upper hand in automation
– Many automated exploit tools
– Not so many good defense tools
Openness of academic cyber infrastructures
– Unrealistic to have draconian control on access

Multi-step Attacks

(Network diagram: Internet; Firewall 1; demilitarized zone (DMZ) with webServer and webPages; Firewall 2; corporation network with workStation, fileServer and sharedBinary; attack-step labels: buffer overrun, NFS shell, Trojan horse)

Solution

(Diagram: inputs from the system admin (host configuration, network configuration, information about users), from the security expert (Linux security behavior, Windows security behavior, common attack techniques) and from CERT advisories ("Apache bug!") feed a reasoning system, whose output is the set of potential attack paths)

(Diagram: information collection and security scanning and monitoring of the enterprise network feed an automated analyzer, which reports the baseline security status and suggested configuration changes to harden security; the broader security community supplies baseline security knowledge (NVD, OVAL/Nessus repository, CVSS) and high-level security knowledge)

MulVAL

(Diagram: vulnerability information (e.g. NIST NVD), vulnerability definitions (e.g. OVAL, Nessus Scripting Language), network reachability information, user information and interaction rules from security experts go through the MulVAL scanner and analyzer, which answers questions such as "Could root be compromised on any of the machines?")
Ou, Govindavajhala, and Appel. USENIX Security 2005.

Interaction Rules

execCode(Attacker, Host, PrivilegeLevel) :-
    vulExists(Host, Program, remote, privilegeEscalation),
    serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel),
    networkAccess(Attacker, Host, Protocol, Port).

(Diagram: internet, Firewall 1, dmz, webServer)

From MulVAL Scanner and OVAL, NVD:
    vulExists(webServer, httpd, remote, privilegeEscalation).
From MulVAL Scanner:
    serviceRunning(webServer, httpd, tcp, 80, apache).
    networkAccess(attacker, webServer, tcp, 80).
Derived:
    execCode(attacker, webServer, apache).    Oops!
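The rule above is Datalog, and MulVAL evaluates such rules with a Prolog-style logic engine. As an added example (not MulVAL's own code), the following Python program is a small bottom-up Datalog evaluator that applies the same interaction rule to a constructed fact set and then goes one step further than the slide: a second rule lets an attacker who has code execution on one host use that host's network reachability, so the evaluator derives the two-hop path from the DMZ web server to an internal file server, as in the multi-step attack diagram earlier in the talk. The fileServer facts, the nfsd service and the hacl reachability predicate and rule are assumptions made for this illustration, not scanner output.

```python
# Added example: a naive forward-chaining Datalog evaluator for MulVAL-style
# interaction rules. Facts are tuples (predicate, arg1, arg2, ...); in rules,
# a string starting with an uppercase letter is a variable, as in Datalog.

def is_var(term):
    return isinstance(term, str) and term[:1].isupper()

def unify(pattern, fact, env):
    """Match one rule-body atom against one fact, returning an extended binding or None."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if env.get(p, f) != f:      # variable already bound to something else
                return None
            env[p] = f
        elif p != f:                    # constant mismatch
            return None
    return env

def substitute(atom, env):
    return tuple(env.get(t, t) if is_var(t) else t for t in atom)

def solve_body(body, facts, env):
    """Yield every variable binding that satisfies all atoms of a rule body."""
    if not body:
        yield env
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        e = unify(first, fact, env)
        if e is not None:
            yield from solve_body(rest, facts, e)

def fixpoint(rules, facts):
    """Apply all rules repeatedly until no new fact is derived."""
    facts = set(facts)
    while True:
        new = set()
        for head, body in rules:
            for env in solve_body(body, facts, {}):
                derived = substitute(head, env)
                if derived not in facts:
                    new.add(derived)
        if not new:
            return facts
        facts |= new

RULES = [
    # The interaction rule shown on the slide.
    (("execCode", "Attacker", "Host", "Priv"),
     [("vulExists", "Host", "Program", "remote", "privilegeEscalation"),
      ("serviceRunning", "Host", "Program", "Protocol", "Port", "Priv"),
      ("networkAccess", "Attacker", "Host", "Protocol", "Port")]),
    # Assumed multi-step rule: code execution on H1 gives the attacker whatever
    # network access H1 has. hacl(H1, H2, Protocol, Port) is a constructed
    # reachability predicate standing in for the firewall configuration.
    (("networkAccess", "Attacker", "H2", "Protocol", "Port"),
     [("execCode", "Attacker", "H1", "AnyPriv"),
      ("hacl", "H1", "H2", "Protocol", "Port")]),
]

# Constructed facts for the DMZ scenario on the slides (not real scan output).
FACTS = [
    ("vulExists", "webServer", "httpd", "remote", "privilegeEscalation"),
    ("serviceRunning", "webServer", "httpd", "tcp", 80, "apache"),
    ("networkAccess", "attacker", "webServer", "tcp", 80),
    ("vulExists", "fileServer", "nfsd", "remote", "privilegeEscalation"),
    ("serviceRunning", "fileServer", "nfsd", "tcp", 2049, "root"),
    ("hacl", "webServer", "fileServer", "tcp", 2049),   # Firewall 2 lets the DMZ reach NFS
]

def attack_paths(facts=FACTS, rules=RULES):
    """Return, sorted, every execCode fact derivable from the configuration."""
    return sorted(f for f in fixpoint(rules, facts) if f[0] == "execCode")

if __name__ == "__main__":
    for step in attack_paths():
        print(step)
```

Removing the hacl fact (i.e. closing Firewall 2 to NFS from the DMZ) leaves only the web server compromise derivable, which is exactly the kind of "suggested configuration change to harden security" the earlier slide refers to.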

MulVAL Attack-Graph Toolkit

(Diagram: machine configuration, network configuration and security advisories in Datalog representation, together with the interaction rules, feed the MulVAL reasoning engine; its proofs of assertions go to the Graph Builder, which produces the logical attack graph)
Ou, Boyer, and McQueen. ACM CCS 2006. Joint work with Idaho National Laboratory.

Test on a Real Network

Used MulVAL to check the configuration of four Linux servers
– Reported a potential two-stage attack path due to multiple vulnerabilities on a server: three local kernel vulnerabilities and one buffer overflow bug in libpng
– Local users are trusted
– Web browser links libpng

The next challenge: Situation Awareness

(Diagram: a system administrator working from network monitoring tools, a netflow dump and a memory dump)
– Abnormally high traffic
– TrendMicro server communicating with known BotNet controllers
– Seemingly malicious code modules (memory dump)
– Found open IRC sockets with other TrendMicro servers (netflow dump)
These TrendMicro servers are certainly compromised!

High-confidence Conclusions with Evidence

(Diagram: observations (IDS alerts, netflow dump, syslog, server log, ...) are mapped to their semantics and fed to the reasoning engine, which consults the internal model and produces high-confidence conclusions with evidence; the conclusions are in turn used for targeting subsequent observations)

Observation Correspondence

Mapping observations to internal conditions: what you can see (obs) to what you want to know (int). The last column is the mode of the correspondence (p = possible, l = likely, c = certain).

obs(anomalyHighTraffic)                        int(attackerNetActivity)         p
obs(netflowBlackListFilter(H, BlackListedIP))  int(compromised(H))              l
obs(memoryDumpMaliciousCode(H))                int(compromised(H))              l
obs(memoryDumpIRCSocket(H1,H2))                int(exchangeCtlMessage(H1,H2))   l

Internal Model

Logical relation among internal conditions: Condition1 "leads to" Condition2 (i.e. Condition1 may cause Condition2), annotated with two modes m1 and m2.

int(compromised(H1))                                   leads to  int(probeOtherMachine(H1,H2))   p, c
int(compromised(H1))                                   leads to  int(sendExploit(H1,H2))         p, c
int(sendExploit(H1,H2))                                leads to  int(compromised(H2))            l, p
int(compromised(H1)), int(exchangeCtlMessage(H1,H2))   leads to  int(compromised(H2))            p, c

Proof Strengthening

Observations O1, O2: f is likely true.
With a further observation O3 (proof strengthening): f is certainly true.
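The three slides above (observation correspondence, internal model, proof strengthening) together describe a reasoning procedure. As an added example, not code from SnIPS or from the authors, the Python reasoner below encodes that procedure: modes are ordered p < l < c, a conclusion takes the weakest mode among its premises and its rule, and a condition that is "likely" by two proofs resting on disjoint observations is strengthened to "certain". Its trace output follows the nested shape of the show_trace output on the "Some Results" slide. Assumptions made here: the second mode of each "leads to" relation is read as the backward (effect-to-cause) mode, the two Snort-alert correspondences are taken from that trace, and all host names and observations are constructed.

```python
# Added example: a SnIPS-style reasoner with modes and proof strengthening.
from itertools import product, combinations

MODES = {"p": 0, "l": 1, "c": 2}   # possible < likely < certain

def weakest(*modes):
    """A conclusion is only as strong as its weakest premise or rule."""
    return min(modes, key=MODES.get)

def fmt(fact):
    return fact[0] + ("(%s)" % ",".join(fact[1:]) if len(fact) > 1 else "")

class Proof:
    """One derivation of a fact; a proof without children is a raw observation."""
    def __init__(self, fact, mode, rule, children=()):
        self.fact, self.mode, self.rule, self.children = fact, mode, rule, tuple(children)

    def observations(self):
        if not self.children:
            return frozenset([self.fact])
        return frozenset().union(*[c.observations() for c in self.children])

    def trace(self, depth=0):
        """Render the proof tree in the nested style of SnIPS's show_trace."""
        pad = "  " * depth
        if not self.children:
            return pad + "obs(%s)" % fmt(self.fact)
        head = [pad + "int(%s,%s)" % (fmt(self.fact), self.mode), pad + "  " + self.rule]
        return "\n".join(head + [c.trace(depth + 2) for c in self.children])

def snort_map(sid, internal, mode):
    """Observation correspondence for one Snort signature; alerts are (sid, FromHost, ToHost)."""
    return ("obsRule_snort_" + sid, "snort",
            lambda s, src, dst: (internal, src, dst) if s == sid else None, mode)

# Observation correspondence: (name, observed predicate, args -> internal fact, mode).
# Modes follow the slides; the two Snort entries follow the "Some Results" trace.
OBS_MAP = [
    ("obsRule_1", "anomalyHighTraffic", lambda: ("attackerNetActivity",), "p"),
    ("obsRule_2", "netflowBlackListFilter", lambda h, ip: ("compromised", h), "l"),
    ("obsRule_3", "memoryDumpMaliciousCode", lambda h: ("compromised", h), "l"),
    ("obsRule_4", "memoryDumpIRCSocket", lambda a, b: ("exchangeCtlMessage", a, b), "l"),
    snort_map("122:1", "probeOtherMachine", "l"),
    snort_map("1:1807", "sendExploit", "c"),
]

# Internal model: (name, rule mode, premise predicates, premise facts -> conclusion or None).
# Each "leads to" relation is encoded in the direction used for inference; reading the
# second slide mode as the backward (effect -> cause) mode is this example's assumption.
INT_RULES = [
    ("intRule_1", "c", ["probeOtherMachine"], lambda p: ("compromised", p[1])),
    ("intRule_2", "c", ["sendExploit"], lambda e: ("compromised", e[1])),
    ("intRule_3", "l", ["sendExploit"], lambda e: ("compromised", e[2])),
    ("intRule_4", "p", ["compromised", "exchangeCtlMessage"],
     lambda c, x: ("compromised", x[2]) if c[1] == x[1] else None),
]

def accept(proofs, new):
    """Keep a proof unless an equally strong proof of the same fact already rests on a
    subset of its evidence (keeps independent evidence for strengthening; guarantees termination)."""
    for old in proofs.get(new.fact, []):
        if MODES[old.mode] >= MODES[new.mode] and old.observations() <= new.observations():
            return False
    proofs.setdefault(new.fact, []).append(new)
    return True

def reason(observations, obs_map=OBS_MAP, int_rules=INT_RULES):
    """Map observations to internal conditions, apply the internal model to a fixpoint,
    and strengthen any condition that is 'likely' from two independent bodies of evidence."""
    proofs = {}
    for obs in observations:
        for name, pred, fn, mode in obs_map:
            concl = fn(*obs[1:]) if obs[0] == pred else None
            if concl is not None:
                accept(proofs, Proof(concl, mode, name, [Proof(obs, "c", "observed")]))
    changed = True
    while changed:
        changed = False
        for name, mode, preds, fn in int_rules:
            pools = [[p for f in list(proofs) if f[0] == pred for p in proofs[f]] for pred in preds]
            for combo in product(*pools):
                concl = fn(*[p.fact for p in combo])
                if concl is not None:
                    m = weakest(mode, *[p.mode for p in combo])
                    changed |= accept(proofs, Proof(concl, m, name, combo))
        for fact in list(proofs):
            likely = [p for p in proofs[fact] if p.mode == "l"]
            for a, b in combinations(likely, 2):
                if a.observations().isdisjoint(b.observations()):
                    changed |= accept(proofs, Proof(fact, "c", "strengthenedPf", [a, b]))
    return proofs

def certainly(proofs, predicate):
    """The user query from the SnIPS slide: which facts of this predicate are certain?"""
    return sorted(f for f, ps in proofs.items() if f[0] == predicate and any(p.mode == "c" for p in ps))

def show_trace(proofs, fact, mode="c"):
    return "\n".join(p.trace() for p in proofs.get(fact, []) if p.mode == mode)

# Constructed observations; h1..h4 are placeholder host names, not real addresses.
OBSERVATIONS = [
    ("snort", "1:1807", "h1", "h2"),       # alert that the slides map to sendExploit
    ("snort", "122:1", "h2", "h3"),        # portscan alert, mapped to probeOtherMachine
    ("memoryDumpIRCSocket", "h2", "h4"),   # IRC socket between h2 and h4
    ("anomalyHighTraffic",),
]

if __name__ == "__main__":
    proofs = reason(OBSERVATIONS)
    print(certainly(proofs, "compromised"))
    print(show_trace(proofs, ("compromised", "h2")))
```

In the constructed scenario h2 is only "likely" compromised by either alert alone (the exploit alert is certain, but the rule from sendExploit to the target's compromise is only "l"; the probe is itself only "l"), and becomes "certain" through strengthening because the two proofs rest on different observations. h4, reached only through the "p" control-message rule, stays "possible".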

The SnIPS system

(Diagram: Snort alerts are pre-processed into summarized tuples and matched against the observation correspondence; the reasoning engine combines them with the internal model to answer a user query, e.g. "which machines are certainly compromised?", with high-confidence answers and evidence. The observation correspondence is built from the Snort rule repository, and that is done only once.)

Automate Model Building for Snort

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access"; uricontent:"/guestbook.pl"; classtype:attempted-recon; sid:1140;)

obsMap(obsRuleId_3615,
       obs(snort('1:1140', FromHost, ToHost, _Time)),
       int(probeOtherMachine(FromHost, ToHost)),
       ? ).

Internal predicate mapped from "classtype"

Automate Model Building for Snort

Hints from the natural-language description of Snort rules:
"Impact: Information gathering and system integrity compromise. Possible unauthorized administrative access to the server. Possible execution of arbitrary code of the attacker's choosing in some cases. Ease of Attack: Exploits exist."

obsMap(obsRuleId_3614,
       obs(snort('1:1140', FromHost, ToHost, _Time)),
       int(compromised(ToHost)),
       p).

obsMap(obsRuleId_3615,
       obs(snort('1:1140', FromHost, ToHost, _Time)),
       int(probeOtherMachine(FromHost, ToHost)),
       l).

Coverage

Internal predicate                          % of rules
Predicates handled by the internal model    59%
Suspicious                                  41%

Snort has about 9000 rules. This is just a baseline and needs to be fine-tuned. It would make more sense for the rule writer to define the observation correspondence relation when writing a rule.
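As an added example (not the SnIPS tooling), the Python program below automates the model building described on the last three slides: it parses Snort rule lines, derives one obsMap clause per rule from its classtype, adds a second, weaker compromised(ToHost) clause when the rule's documentation contains a phrase hinting at compromise, and reports the handled/suspicious split in the style of the coverage slide. The classtype table, the hint phrases and every rule other than sid 1140 (which is the one on the slide) are constructed assumptions; the obsRuleId numbers are assigned sequentially here rather than taken from SnIPS.

```python
# Added example: Snort rule -> obsMap clause generator with coverage statistics.
import re
from collections import Counter

# Constructed mapping from Snort classtype to internal predicate and mode
# (p = possible, l = likely, c = certain). The slides say the internal predicate
# is mapped from "classtype"; the concrete table is an assumption of this example.
CLASSTYPE_MAP = {
    "attempted-recon":  ("probeOtherMachine(FromHost, ToHost)", "l"),
    "attempted-user":   ("sendExploit(FromHost, ToHost)", "l"),
    "attempted-admin":  ("sendExploit(FromHost, ToHost)", "l"),
    "successful-user":  ("compromised(ToHost)", "l"),
    "successful-admin": ("compromised(ToHost)", "l"),
    "trojan-activity":  ("compromised(FromHost)", "l"),
}

# Phrases in a rule's documentation that hint at a compromise of the target
# (a heuristic stand-in for the "hints from natural-language description" step).
COMPROMISE_HINTS = ("administrative access", "arbitrary code")

RULE_RE = re.compile(r"^\s*(alert|log|pass|drop)\s+(\S+)\s+[^(]*\((?P<options>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(text):
    """Extract gid/sid, msg and classtype from one Snort rule line."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group("options"))}
    return {"gid": opts.get("gid", "1"), "sid": opts["sid"],
            "msg": opts.get("msg", ""), "classtype": opts.get("classtype", "")}

def obs_map_clauses(rule, first_id, description=""):
    """obsMap clauses for one rule: one from classtype, one more if the docs hint at compromise."""
    obs = "obs(snort('%s:%s', FromHost, ToHost, _Time))" % (rule["gid"], rule["sid"])
    mapped = CLASSTYPE_MAP.get(rule["classtype"])
    # Unmapped classtypes fall into the "suspicious" bucket of the coverage slide.
    pred, mode = mapped if mapped else ("suspicious(FromHost, ToHost)", "p")
    clauses = ["obsMap(obsRuleId_%d, %s, int(%s), %s)." % (first_id, obs, pred, mode)]
    text = (description + " " + rule["msg"]).lower()
    if any(hint in text for hint in COMPROMISE_HINTS):
        clauses.append("obsMap(obsRuleId_%d, %s, int(compromised(ToHost)), p)." % (first_id + 1, obs))
    return clauses

def build_model(rule_texts, descriptions=None):
    """Parse rules, emit all obsMap clauses and report what share the internal model handles."""
    descriptions = descriptions or {}
    clauses, counts = [], Counter()
    for text in rule_texts:
        rule = parse_rule(text)
        counts["handled" if rule["classtype"] in CLASSTYPE_MAP else "suspicious"] += 1
        clauses += obs_map_clauses(rule, len(clauses) + 1, descriptions.get(rule["sid"], ""))
    total = sum(counts.values())
    return {"clauses": clauses,
            "coverage": {k: round(counts[k] / total, 2) for k in ("handled", "suspicious")}}

# The rule from the slide, followed by constructed rules (sids 9000001+ are placeholders).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access"; '
    'uricontent:"/guestbook.pl"; classtype:attempted-recon; sid:1140;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXAMPLE overflow attempt"; '
    'content:"|90 90 90 90|"; classtype:attempted-admin; sid:9000001;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC EXAMPLE bot join"; '
    'content:"JOIN"; classtype:trojan-activity; sid:9000002;)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP EXAMPLE large echo"; dsize:>1000; '
    'classtype:misc-activity; sid:9000003;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB EXAMPLE unusual user-agent"; '
    'content:"User-Agent|3A| EXAMPLE"; classtype:policy-violation; sid:9000004;)',
]
# Documentation text quoted on the slide for sid 1140.
GUESTBOOK_DOC = ("Impact: Information gathering and system integrity compromise. Possible unauthorized "
                 "administrative access to the server. Possible execution of arbitrary code of the "
                 "attacker's choosing in some cases. Ease of Attack: Exploits exist.")

if __name__ == "__main__":
    model = build_model(SAMPLE_RULES, {"1140": GUESTBOOK_DOC})
    print("\n".join(model["clauses"]))
    print(model["coverage"])
```

The parser deliberately treats quoted option values as opaque, so a colon or semicolon inside a msg or content string does not split the option list; a rule that carries no sid raises rather than being silently mapped.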

Experiment on Treasure Hunt data

– Data collected during a graduate-level course exercise
– Data set contains multi-stage attacks as in real-world scenarios
– A large variety of monitoring data

Some Results

| ?- show_trace(int(compromised(H), c)).
int(compromised(' '),c)
  strengthenedPf
    int(compromised(' '),l)
      intRule_1
        int(probeOtherMachine(' ',' '),l)
          obsRulePre_1
            obs(snort('122:1',' ',' ',_h272))
    int(compromised(' '),l)
      intRule_3
        int(sendExploit(' ',' '),c)
          obsRuleId_3749
            obs(snort('1:1807',' ',' ',_h336))

An exploit was sent to
A probe was sent from
was certainly compromised!

Summary

Open knowledge sharing and automated knowledge reuse are key to effective cyber defense.
Advantages of logic-based techniques:
– Publishing and incorporation of knowledge/information through well-understood logical semantics
– Efficient and sound analysis by leveraging the reasoning power of well-developed logic-deduction systems

Who We Are

Argus: Cyber Security Research Group at Kansas State University
Contact me: Simon Ou

Thank You! Questions?