Language-Based Generation and Evaluation of NIDS Signatures
Shai Rubin, Somesh Jha, Barton P. Miller (University of Wisconsin, Madison)

Slide 2 (Rubin, Jha, Miller): Misuse Network Intrusion Detection System (NIDS)

[Figure: an attacker sends the stream "TYPE A \n CWD \n" across the network; the NIDS in the path matches traffic against its signature database, which holds the signature "TYPE A \n (.)* CWD". A variant of the same attack reads "TYPE A \n LIST \n CWD ...".]

Problem: A single attack might have many forms:
– Ptacek and Newsham, 1988
– Handley and Paxson, 2001
– Marty, 2002
– Mutz, Vigna, and Kemmerer, 2003
– Vigna, Robertson, and Balzarotti, 2004
– Rubin, Jha, Miller, 2004
– And others...

Slide 3: Problem: Accurate Signatures

[Figure: the same attacker / network / NIDS / signature database diagram, with the signature "TYPE A \n (.)* CWD" and the attack variant "TYPE A \n LIST \n CWD ...".]

Today, we construct signatures in an ad-hoc manner.
Challenges: complex protocols, redundancy.
Questions:
– Can we systematically construct an accurate signature?
– Can we systematically evaluate a signature?
– Can we systematically compare signatures?

Slide 4: Contributions

Practical: provide signature writers a methodology and a tool that enable them to systematically construct a signature, evaluate its accuracy, and compare it to other signatures.
Conceptual:
– a session signature,
– a semantic model for an attack protocol,
– a language-based approach for signature construction.

Slides 5-8: A NIDS Signature

[Figure: Venn diagram over the universe of TCP streams showing the attack set A and the signature set Sig, built up over four slides: first as two overlapping sets, then with Sig = A, then with A unknown.]

Attack: a set of TCP streams.
Signature: a set of TCP streams.
A perfect signature: Sig = A.
Problem: most of the time A is unknown. Difficult to:
– construct an accurate signature
– evaluate changes to the signature
– compare signatures

Slide 9: Language-Based Approach

[Figure: Venn diagram over TCP streams: A_inv contains A_ghost, and L_sig overlaps both.]

Attack: the language A_ghost.
Signature: the language L_sig.
Goal: compare the languages.
Problem: difficult to determine containment with respect to A_ghost.
Ideas:
1. Abstraction: over-approximate A_ghost (giving A_inv), such that it is easy to determine containment.
2. Automation: use an automatic tool to compare L_sig and A_inv.

Slides 10-15: Language-Based Signature Construction

[Figure: Venn diagram over TCP streams with A_inv containing A_ghost and L_sig overlapping them; example strings are marked fp (in L_sig but outside A_inv), fn (in A_inv but outside L_sig) and sp (spurious: in A_inv but not a real attack). The table below is built up one row per slide.]

Conclusion                                                  | Action
L_sig contains a string outside A_inv: a false positive     | Shrink signature
A_inv contains a string outside L_sig: a false negative     | Expand signature
The string found is not a real attack: a spurious sequence  | Refine A_inv
L_sig and A_inv agree (no counterexample)                   | Discussion in the paper

Slide 16: Outline

Goal: develop a methodology to construct and evaluate signatures.
Main idea: use a formal language to approximate A_ghost and automatically compare this language to L_sig.
– The languages
– The signature construction process

Slide 17: L_sig: A Syntactic Representation of the Attack

Our signature is a regular language.
Alphabet: application-level events, for example FTP commands.
A session signature: a string in the language represents the entire attack.
Each signature is a concatenation of three languages: preparation (L_pre), exploitation (L_exp), and confirmation (L_conf).

Slides 18-19: ftp-cwd [CAN ]

Preparation: FTP login.
Exploitation: a CWD command with a long argument.

[Figure: state machine for the session with states login, attack and logout. L (login confirmation) leads to login, Q (connection termination) leads to logout, and from login a C (CWD command) carrying an argument A such that (length > 100 && data matches (.)*/bin/sh(.)*) leads to attack.]

Token | Description
L     | Login confirmation
Q     | Connection termination
C     | CWD command
A     | CWD argument

Slides 20-21: L_ftp-cwd: ftp-cwd Session Signature; L_ftp-cwd vs. Snort

– Non-recursive hierarchical state machine
– Constructed automatically
– Can be analyzed

[Figure: the ftp-cwd state machine with states start, login (1), intrusion (2), attack, logout, accept and reject; transitions are labelled with the tokens A, C, I, L, Q and R. Slide 21 ("L_ftp-cwd vs. Snort") repeats the same figure.]

Slide 22: Language-Based Signature Construction

[Figure and table as on slide 15; the L_sig region of the Venn diagram is now labelled "Session Signature".]

Slide 23: A_inv: Semantic Representation of the Attack

Another regular language.
Models semantic properties:
– "Requires FTP login"
– "Requires ASCII FTP mode"
– "Requires HTTP 1.1"
Using an FSM we model the semantics of the application-level protocol that the attack uses.

Slide 24: FTP Semantic Model

FTP state variables:
Variable | Description       | Values
X1       | User logged in    | {0,1}
X2       | FTP transfer mode | {'A','B',0}

FTP transitions:
Name   | Token | Description                       | Precond. | Postcond.
SLOGIN | L     | Victim indicates successful login | -        | X1=1, X2='A'
BINARY | B     | Attacker issues TYPE B command    | X1=1     | X2='B'
ASCII  | A     | Attacker issues TYPE A command    | X1=1     | X2='A'
VQUIT  | Q1    | Victim terminates connection      | -        | all Xi=0
UQUIT  | Q2    | Attacker terminates connection    | -        | all Xi=0

Slide 25: Language-Based Signature Construction

[Figure: the comparison pipeline. The semantic model and the session signature are fed to Spin, which returns either a string or NULL. A returned string is classified as SP, FN or FP and feeds a refinement step (manual, currently); the comparison itself is automatic. The Venn diagram from slide 15 is repeated, with A_inv labelled "Semantic model".]

Slides 26-33: Constructing a Signature for ftp-cwd

[Figure: Venn diagram over TCP streams; the semantic-model region is labelled login=1, and nested signature regions L1 through L4 are added slide by slide, with the false positives FP1, FP2 and FP3 marked outside login=1. At each step the semantic model and the current signature are fed to Spin, which returns a string (the false positive) or NULL.]

The signature is refined one false positive at a time:

L_pre | L_exp                        | False positive reported by Spin
L1    | (.)* CWD                     | FP1 = "CWD"
L2    | L (.)* CWD                   | FP2 = "L UQUIT CWD"
L3    | L (any event but UQ)* CWD    | FP3 = "L VQUIT CWD"

After a fourth refinement, L4 (its definition is not spelled out on the slides), Spin returns NULL.

The signatures are nested, L1 down to L4, going from more false positives to less false positives.

Comparing signatures: it is possible to show that L4 does not miss more attacks than L1 (under certain assumptions).
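As an added illustration (not the authors' tool), this Python sketch encodes the FTP semantic model of slide 24 and replays the ftp-cwd refinement of slides 26-33: a bounded enumeration of token sequences stands in for the Spin run, and the single-letter token encoding and the definition of L4 are assumptions of this example.

```python
import itertools
import re

# One letter per application-level event (our own encoding of the slide's
# tokens): L=SLOGIN, B=TYPE B, A=TYPE A, U=UQUIT (Q2), V=VQUIT (Q1), C=CWD.
TOKENS = "LBAUVC"

def run_model(seq):
    """FTP semantic model (slide 24): returns the (X1, X2) state at each CWD,
    or None if an event's precondition fails (not a protocol-valid stream)."""
    x1, x2 = 0, 0                      # X1: logged in, X2: transfer mode
    states_at_cwd = []
    for tok in seq:
        if tok == "L":                 # SLOGIN: postcond X1=1, X2='A'
            x1, x2 = 1, "A"
        elif tok in "BA":              # TYPE B / TYPE A: precond X1=1
            if x1 != 1:
                return None
            x2 = tok
        elif tok in "UV":              # either side quits: all Xi = 0
            x1, x2 = 0, 0
        elif tok == "C":
            states_at_cwd.append((x1, x2))
    return states_at_cwd

def in_a_inv(seq):
    """A_inv for ftp-cwd (slide 26): some CWD is issued while login=1."""
    states = run_model(seq)
    return states is not None and any(x1 == 1 for x1, _ in states)

def find_false_positive(sig, depth=4):
    """Bounded exhaustive search standing in for the Spin run: the shortest
    protocol-valid sequence in L_sig but outside A_inv, or None (Spin's NULL)."""
    pat = re.compile(sig)
    for n in range(1, depth + 1):
        for seq in map("".join, itertools.product(TOKENS, repeat=n)):
            if pat.fullmatch(seq) and run_model(seq) is not None \
                    and not in_a_inv(seq):
                return seq
    return None

# Refinement chain of slides 26-33 as regexes over TOKENS. L4 is not spelled
# out on the slides; the definition here is our assumption of the next step.
SIGNATURES = {
    "L1": r".*C",        # any CWD                          -> FP1 "C"
    "L2": r"L.*C",       # login, then CWD                  -> FP2 "LUC"
    "L3": r"L[^U]*C",    # login, no attacker QUIT, CWD     -> FP3 "LVC"
    "L4": r"L[^UV]*C",   # login, no QUIT from either side  -> None
}
```

Each refinement removes exactly the counterexample Spin would report on the slide: a bare CWD, a CWD after the attacker's QUIT, then a CWD after the victim's QUIT.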

Slides 34-35: Constructing a Signature for pro-ftpd

[Figure: Venn diagram over TCP streams with the semantic-model regions login=1 and TYPE='A', and the false negative FN1 marked inside them but outside the signature.]

Session signature (simplified) | False negative / spurious
L TYPEA ST RET RET             | FN1 = L ST RET RET

Two signatures based on the configuration of the FTP server.

Slide 36: Lessons to Take Home

– A methodology to construct and evaluate signatures
– Able to detect loopholes in signatures, loopholes that we did not anticipate
– The accuracy of the signature depends on the accuracy of the semantic model

[Figure: the Venn diagram over TCP streams with the Session Signature, A_ghost and A_inv and the fp, fn and sp strings.]