Fusing Intrusion Data for Pro-Active Detection and Containment Mallikarjun (Arjun) Shankar, Ph.D. (Joint work with Nageswara Rao and Stephen Batsell)

Oak Ridge National Laboratory

Motivating Overview
Problem: changing cyber-security landscape
– Distributed attacks
– Self-propagating worms cause denial-of-service and serious infrastructure damage
Intrusion characteristics:
– Trigger and impact many parts of the system
– Spread rapidly
Solution focus:
– Detect using multiple sensors
– Fuse intrusion sensors effectively to reduce false alarms
– Meet response time constraints for rapid containment

Background
Most existing intrusion sensors
– Host based: protection boundary violation, user activity, system call anomalies
– Network based: packet signatures, anomalous activity
Detection methodologies
– Data mining and pattern searching
– Probabilistic techniques
– Learning, anomaly detection
Typically, a single point of analysis in the system

Fusion Possibility: Example (Telnet intrusion, ps attack)
Example from DARPA Intrusion Detection Test - Lincoln Labs 1999: a break-in in progress, as seen by two different sensors.
Network Sensor: Snort
  [**] [1:716:5] TELNET access [**]
  [Classification: Not Suspicious Traffic] [Priority: 3]
  03/08-19:09: :23 -> :1664
  TCP TTL:255 TOS:0x0 ID:39157 IpLen:20 DgmLen:55 DF
  ***AP*** Seq: 0x3BCB82CB Ack: 0x38633CDD Win: 0x2238 TcpLen: 20
  [Xref => cve CAN ] [Xref => arachnids 08]
Host Sensor: BSM
  header,805,2,execve(2),, Mon Mar 08 19:09: , msec, path,/usr/bin/ps,attribute,104555,root,sys, ,22927,0,exec_args,4,ps,-z,-u, [.. data snipped..],subject,2066, root,100,2066, 100,2804,2795, , return,success,0,trailer,805

Fusing Multiple Sensors
Problem: How do you combine information from multiple sensors of intrusion? Use data fusion!
D_i: any type of sensor (legacy, signature, anomaly, etc.)
u_i: attack detection signal
(Diagram: sensors D_1 (Net), D_2 (CPU), …, D_n each emit a signal u_1, u_2, …, u_n into a FUSER, whose output u_0 is the overall determination.)

Simple Likelihood Ratio Derivation Cost:

Single node tracking: data fusion (likelihood ratio)
Data fusion: declare an attack when the likelihood ratio of the sensor outputs exceeds a learned constant η:
$$\frac{P(u_1, u_2, \dots, u_N \mid \text{attack})}{P(u_1, u_2, \dots, u_N \mid \text{no attack})} \gtrless \eta$$
η: learned constant

Fusion: Example Computation
Data: three sensors
– P(FalseAlarm1) = 0.1, P(Miss1) = 0.01
– P(FalseAlarm2) = 0.2, P(Miss2) = 0.01
– P(FalseAlarm3) = 0.25, P(Miss3) = 0.01
Overall: P(FalseAlarm) = 6x10^-3, P(Miss) = 2x10^-6
Simplifying assumption: sensors are independent.
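The likelihood-ratio fusion rule and the example computation above, worked through as an added example (not code from the slides): every 2^N sensor-output pattern gets a likelihood ratio that, under the independence assumption, is a product of per-sensor factors, and the fused false-alarm and miss rates follow by summing the patterns on each side of η. The slides do not state the η behind their headline figures, so the thresholds used here (η = 1, which accepts only unanimous alarms, and η = 0.1, which accepts any two of the three) are assumptions for illustration.

```python
import itertools

# Added example. Each sensor i reports u_i in {0, 1} (1 = "attack") and is
# characterised by pfa_i = P(u_i = 1 | no attack) and pm_i = P(u_i = 0 | attack).
# The (pfa, pm) pairs below are the three sensors from the slide.
SENSORS = [(0.10, 0.01), (0.20, 0.01), (0.25, 0.01)]

def pattern_prob(u, sensors, attack):
    """P(u_1..u_N | attack) or P(u_1..u_N | no attack); sensors independent."""
    p = 1.0
    for ui, (pfa, pm) in zip(u, sensors):
        if attack:
            p *= (1.0 - pm) if ui else pm
        else:
            p *= pfa if ui else (1.0 - pfa)
    return p

def likelihood_ratio(u, sensors):
    """The slide's ratio P(u | attack) / P(u | no attack) for one pattern."""
    return pattern_prob(u, sensors, True) / pattern_prob(u, sensors, False)

def fused_decision(u, sensors, eta):
    """u_0: 1 if the fuser declares an attack for pattern u, else 0."""
    return 1 if likelihood_ratio(u, sensors) > eta else 0

def fused_error_rates(sensors, eta):
    """(P(FalseAlarm), P(Miss)) of the fused decision, summed over all patterns."""
    pfa = pmiss = 0.0
    for u in itertools.product((0, 1), repeat=len(sensors)):
        if fused_decision(u, sensors, eta):
            pfa += pattern_prob(u, sensors, False)    # alarm although no attack
        else:
            pmiss += pattern_prob(u, sensors, True)   # silent although attacked
    return pfa, pmiss

if __name__ == "__main__":
    for u in itertools.product((0, 1), repeat=3):
        print(u, f"LR = {likelihood_ratio(u, SENSORS):.4g}")
    for eta in (1.0, 0.1):   # assumed thresholds: unanimous vs. any two of three
        fa, miss = fused_error_rates(SENSORS, eta)
        print(f"eta={eta}: P(FalseAlarm)={fa:.4g}, P(Miss)={miss:.4g}")
```

Raising η trades misses for false alarms: with η = 1 the fused detector only fires when all three sensors agree, so P(FalseAlarm) drops to the product of the individual rates while P(Miss) rises to 1 minus the product of the individual hit rates.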

Requirements for Containment of Autonomous Intrusions: Worms
(Diagram: Susceptible → Infective)
Exploit vulnerability for entry
– Gains system control
– Attacks other vulnerable machines
– May stay dormant and wake up for delayed attack
Propagate at network bandwidth (e.g., using UDP in Slammer)
– Random as well as deterministic destinations
– Target popular hosts for worst impact
Some examples: Code Red (8/2002), Slammer (1/2003), Blaster (8/2003), Bagle (1/2004)

Evaluation of Spreading Behavior
Reaches 1 (all machines infected) if not patched or restrained
Spreading depends on "infection rate"
– Mode of transport (TCP, UDP)
– Targeted spreading
– Rate of restraint and patching
Past examples
– Code Red – doubled every 37 minutes, infected 375,000 hosts
– Slammer – doubled every 8 seconds, infected 90% of vulnerable hosts in the internet in 10 minutes
Rate of increase of infectives is proportional to infectives times susceptibles:
$$\frac{dI}{dt} \propto I(t)\,[1 - I(t)]$$
$$\frac{dI}{dt} = \beta\, I(t)\,(1 - I(t))$$
$$I(t) = \frac{e^{\beta (t-T)}}{1 + e^{\beta (t-T)}}$$
(Plot: I(t) against t, rising to 1.)

Restraining Infections
Assume you can contain an infected machine in θ seconds
Assuming aggressive worms (2*Slammer, high infection rate)
Rate of increase of infectives is proportional to the infectives remaining (not yet contained) times susceptibles:
$$\frac{dI}{dt} \propto [I(t) - I(t-\theta)]\,[1 - I(t)]$$

Spreading Under Restraint
(Plot: spreading curves for Code Red, β = 0.03; Slammer, β = 0.11; and β = 0.2.)

Pro-active Restraint Requirements
Local response needed < 5-7 s
Proactive alerting
– Global patching
– Response needed < 50 s
(Plot: spreading with restraint.)
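The unrestrained and restrained spreading models from the preceding slides, integrated numerically as an added example (not code from the slides). It shows how the containment delay θ changes the outcome: with the delayed model, each infected machine only spreads for θ time units, so the spread dies out when βθ < 1 and still takes off when βθ > 1, which is what ties the local response time to the infection rate. The initial fraction i0, the time step and the β/θ values tried in main are constructed for illustration; β is simply "per time unit".

```python
import math

# Added example. I(t) is the cumulative infected fraction of the population.
#   unrestrained:  dI/dt = beta * I(t) * (1 - I(t))
#   restrained:    dI/dt = beta * (I(t) - I(t - theta)) * (1 - I(t))
# In the restrained model a machine infected at time s stops spreading at s + theta.

def logistic(beta, t, i0):
    """Closed-form solution of the unrestrained model with I(0) = i0."""
    T = math.log((1.0 - i0) / i0) / beta        # time at which I(T) = 1/2
    return 1.0 / (1.0 + math.exp(-beta * (t - T)))

def simulate(beta, theta=None, i0=1e-4, t_end=600.0, dt=0.01):
    """Forward-Euler trajectory [(t, I(t))]; theta=None means no containment.
    Nobody is infected before t = 0, so I(t - theta) = 0 while t < theta."""
    lag = None if theta is None else int(round(theta / dt))
    hist = [i0]
    for k in range(int(t_end / dt)):
        cur = hist[k]
        contained = 0.0 if lag is None or k < lag else hist[k - lag]
        active = cur - contained                  # infectives still spreading
        hist.append(cur + dt * beta * active * (1.0 - cur))
    return [(k * dt, v) for k, v in enumerate(hist)]

def time_to_fraction(traj, frac):
    """First time at which I(t) >= frac, or None if it is never reached."""
    for t, v in traj:
        if v >= frac:
            return t
    return None

def final_fraction(traj):
    return traj[-1][1]

if __name__ == "__main__":
    for beta in (0.03, 0.11, 0.2):            # the slide's Code Red, Slammer, faster
        t_half = time_to_fraction(simulate(beta), 0.5)
        print(f"beta={beta}: half the hosts infected at t={t_half:.1f}")
    beta = 0.22                                 # roughly "2 * Slammer" (assumed)
    for theta in (3.0, 10.0):                   # containment delays, beta*theta < 1 and > 1
        final = final_fraction(simulate(beta, theta))
        print(f"beta*theta={beta*theta:.2f}: final infected fraction={final:.4f}")
```

With βθ < 1 the outbreak stays near the initial fraction (roughly i0/(1 - βθ) in the linear regime), while with βθ > 1 it still saturates to a large fraction of the population, only more slowly than without containment.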

Multi-resolution Response Levels to Detect and Contain Worms
Node detection: data fusion at a single node
LAN detection and containment: information fusion
WAN containment: proactive notification and patching
(Diagram: nodes A and B, each with CPU, Net and App sensors, reporting to a Center.)

Conclusion
Data fusion: a technique applicable to combining diverse sensors
Containing intrusions: fused data and intrusion determinants need to be distributed proactively
Local response times in the order of seconds are needed
Wide-area notifications in the order of tens of seconds are effective
-Thank You-