DARPA Challenges for Anomaly Detection of Program Exploits Anup K. Ghosh, Ph.D. DARPA/ATO JHU Workshop on Intrusion Detection Johns Hopkins University.

Slides:



Advertisements
Similar presentations
Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Advertisements

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Guide to Network Defense and Countermeasures Second Edition
IDS/IPS Definition and Classification
Intrusion Detection Systems and Practices
EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.
seminar on Intrusion detection system
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering
Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.
What is it, how does it work, and why is it important?
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Intrusion Detection Systems Present by Ali Fanian In the Name of Allah.
Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.
Intrusion Detection Adam Ashenfelter Nicholas J. Tyrrell.
Improving Intrusion Detection System Taminee Shinasharkey CS689 11/2/00.
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.
Signature Based and Anomaly Based Network Intrusion Detection
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.
23-aug-05Intrusion detection system1. 23-aug-05Intrusion detection system2 Overview of intrusion detection system What is intrusion? What is intrusion.
A virus is software that spreads from program to program, or from disk to disk, and uses each infected program or disk to make copies of itself. Basically.
DoWitcher: Effective Worm Detection and Containment in the Internet Core S. Ranjan et. al in INFOCOM 2007 Presented by: Sailesh Kumar.
Operating system Security By Murtaza K. Madraswala.
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.
1 COPYRIGHT © 2015 ALCATEL-LUCENT. ALL RIGHTS RESERVED. Cognitive Security: Security Analytics and Autonomics for Virtualized Networks Lalita Jagadeesan.
7.5 Intrusion Detection Systems Network Security / G.Steffen1.
Intrusion Detection System (IDS). What Is Intrusion Detection Intrusion Detection is the process of identifying and responding to malicious activity targeted.
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
DTRAB Combating Against Attacks on Encrypted Protocols through Traffic- Feature Analysis.
IT Security Policy: Case Study March 2008 Copyright , All Rights Reserved.
Cryptography and Network Security Sixth Edition by William Stallings.
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
Intrusion Detection System
CS526: Information Security Chris Clifton November 25, 2003 Intrusion Detection.
I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.
Role Of Network IDS in Network Perimeter Defense.
Approaches to Intrusion Detection statistical anomaly detection – threshold – profile based rule-based detection – anomaly – penetration identification.
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
1. ABSTRACT Information access through Internet provides intruders various ways of attacking a computer system. Establishment of a safe and strong network.
Antivirus Software Technology By Mitchell Zell. Intro  Computers are vulnerable to attack  Most common type of attack is Malware  Short for malicious.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.
Chapter 14.  Upon completion of this chapter, you should be able to:  Identify different types of Intrusion Detection Systems and Prevention Systems.
Intrusion Detection and Prevention Systems By Colton Delman COSC 454 Information Assurance Management.
Some Great Open Source Intrusion Detection Systems (IDSs)
Common System Exploits Tom Chothia Computer Security, Lecture 17.
HIPS. Host-Based Intrusion Prevention Systems  One of the major benefits to HIPS technology is the ability to identify and stop known and unknown attacks,
IDS Intrusion Detection Systems
Operating system Security
Principles of Computer Security
Intrusion Detection Systems
Intrusion Detection system
Introduction to Internet Worm
Intrusion Detection Systems
Presentation transcript:

DARPA Challenges for Anomaly Detection of Program Exploits Anup K. Ghosh, Ph.D. DARPA/ATO JHU Workshop on Intrusion Detection Johns Hopkins University June 13, 2002

DARPA Overview Detecting Code-Driven Threats Prior work in program anomaly detection Applying anomaly detection to Windows processes Challenges to anomaly detection

DARPA Code-Driven Threats

DARPA Background 20 years of intrusion detection research has yielded tools sometimes capable of detecting malicious hackers A viable anti-virus commercial industry has emerged in the same period in the wake of PC viruses

DARPA However… While both approaches are very good at detecting known attacks/viruses… They do not perform well in –detecting novel attacks/malicious code –scaling to Internet-wide attacks –responding in computer time

DARPA A New Threat… Code-driven attacks Malicious hackers spend their time breaking into systems one at a time Code-driven attacks are written once, unleashed everywhere

DARPA How Big is this Problem? Code Red costed an estimated $2.6 billion Worms will continue to exploit vulnerabilities in online software Newly reported vulnerabilities to CERT CC from 1995 to Copyright IEEE, Security and Privacy , supplement to IEEE Computer.

DARPA Why Don’t Existing Defenses Work? Code-driven attacks: –Go through firewalls unimpeded –Go unnoticed by intrusion detection systems –Propagate too fast for anti-virus vendors to disseminate signatures in time –Have complete access to our network and file systems –Execute with our own privileges –Can send sensitive information out over networks –Can spy on our computer and Web usage patterns

DARPA The Future is Ominous --- Nimda was a harbinger Future worms will be: –Architecture independent –Stealthy to its victims using process hiding –Autonomous, so it can independently migrate –Intelligent, so it can learn new exploits on the fly –Polymorphic, to avoid signature detection –Programmable, to learn vulnerabilities and be remotely controllable

DARPA This Problem Requires New Thinking Consider: –Intrusion detection techniques are designed to handle Internet and network-based attacks –Anti-virus software is designed to address malicious code attacks But, neither handle code-driven attacks effectively We need to either learn from the strengths of these approaches, or to develop a new approach entirely

DARPA Prior Work in Program-Based Anomaly Detection

DARPA Intrusion Detection Approaches Misuse Detection scan packets, logs, commands for known malicious patterns. (pattern matching) Upside: known attacks can be detected. Downside: unknown, novel threats not detected. Reactionary. Anomaly Detection Detect intrusions by statistical aberrations from normal usage. Upside: novel or unknown intrusions can be detected. Downside: well-known intrusions may go undetected

DARPA Network-Based vs. Host-Based Intrusion Detection Network-based Scans network packet logs for signatures of intrusive activities. Increasing bandwidth is a challenge. End-to-end encryption could obsolete this approach. Host-based Scans machine audit logs for signatures of intrusive activities. Traditionally monitors users’ behavior. Many sensors/hosts require enterprise management.

DARPA Process-Based Anomaly Detection Premise of process-based approach: “Abnormally behaving programs are a primary indicator of computer misuse.” Approach: –build program behavior profiles for monitored programs and use these to detect intrusions.

DARPA Goals of Process-Based Anomaly Detection Learn Benign Program Behavior Generalize from Observed Behavior Flag Deviations from Learned Behavior

DARPA Cigital’s Three Systems for Anomaly Detection Recurrent Neural Network String Transducer State Tester

DARPA Summary of Cigital System Performance Scope: Detects program misuse --- mainly U2R attacks. Recurrent Neural Network 100% of U2R attacks at a rate of 3 FA/day. String Transducer 100% of U2R attacks at a rate of 3 FA/day. State Tester 100% of U2R attacks at a rate of 9 FA/day.

DARPA Comparison, Strengths, Weaknesses Systems perform comparably --- short training time for string transducer and state tester make them more desirable. Detects program misuse attacks very reliably with few false alarms. Will not detect either programs that are not monitored or attacks that are legitimate uses of programs.

DARPA Performance as a Function of Training Data The horizontal axis represents the percentage of available data used for training. The vertical axis is the percentage of sessions creating false alarms when all possible attacks are detected Table lookup String transducer State tester

DARPA Applying Anomaly Detection to Windows Processes

DARPA Approach for Windows NT Collects system events and identifies anomalous patterns Ported to use Windows NT/2000 base- object audit data Cigital algorithms show high performance with low false positive rates.

DARPA Using strace for NT Data needs to be collected as it is created and streamed to the ID system – NT auditing does not meet these requirements Advantages of using strace for NT Provides additional information such as Thread IDs Can be altered to stream data directly to our system Selectively captures system calls that we need Can be turned On/Off on-the-fly

DARPA Collecting Data in Real-Time Streams of events arrive from multiple processes and multiple threads and need to be sorted accordingly EventsProcess Splitter

DARPA Performing Anomaly Detection Data from each application must be matched with the appropriate model and the state must be updated by the ID algorithm. 42 Algorithm State Model New State State Model

DARPA Performance Against Code Red 11-fold x-validation Includes 2 Code Red attack traces

DARPA Anomaly Detection Challenges

DARPA Training Statistical and machine learning techniques that require baseline behavior profiles require extensive training. –Time consuming –Determines quality of results –Training in one environment may not map well to another environment –Over training is a problem for some classes of machine learning

DARPA False Positives Operators have low thresholds for false positives An acceptable rate might be < 1 per day

DARPA Identification Anomaly detection approaches tell you when something is wrong, not what is wrong, what specific attack is executing, nor where it is coming from.

DARPA Real-Time Response Once an intrusion is detected, systems need to identify, alert, isolate, and respond according to local security policies.

DARPA Summary Much work has been performed in process- based anomaly detection Many challenges remain… Foremost among them, can we leverage process-based anomaly detection to detect future code-driven threats?

DARPA Questions? Anup Ghosh For more info, see: C. Michael & A. Ghosh, “Simple state- based approaches to program-based anomaly detection”, to appear in ACM Transactions on Information and System Security (TISSEC), 2002.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.