Saturday, May 17, 2008 Generating signatures for zero-day network attacks Pascal Gamper Daniela Brauckhoff Bernhard Tellenbach.

Presentation transcript:

Slide 1: Generating signatures for zero-day network attacks. Pascal Gamper, Daniela Brauckhoff, Bernhard Tellenbach.

Slide 2: Outline
- Motivation
- Problem Statement
- Automated Signature Generation: Overview
- The NoAH approach
- Attack Detection
- Attack Analysis
- Signature Generation

Slide 3: Motivation: the dynamics of (in)security
[Chart: probability (%) that a 0-day exploit is available. Source: "The Dynamics of (In)Security", Stefan Frei, ETH Zurich, BlackHat.]

Slide 4: Problem Statement
- Defending against 0-day attacks: Intrusion Detection System (IDS)
  - Separates benign and malicious network traffic
  - Host- or network-based signatures
- Most IDS signatures are hand-crafted by professionals
- Zero-day exploits make manual signature generation useless
- Problem: manual signature generation is too slow! Options?

Slide 5: Techniques for automated signature generation: Overview

Slide 6: Building Blocks of an ASG System
[Diagram: at each site (Site 1 ... Site N) an Attack Detector passes raw data to an Analysis Engine, which emits attack vector information. A Correlator and a Signature Generator consume it; the remaining edges are labelled "transformed attack vector information" and "refined attack vector information".]

Slide 7: The NoAH Approach: EU project NoAH (Network of Affined Honeypots)

Slide 8: Goals
- NoAH aims at automated
  - detection of unknown attacks
  - generation of signatures to counter 0-day attacks
- Generate signatures for common IDS
- Install a full-scale infrastructure across Europe
- Target audience: ISPs, NRENs, researchers

Slide 9: Attack Detection

Slide 10: NoAH Architecture: Attack Detector Argos
- Detection technique (Argos): OS-independent memory tainting (x86 emulator)
- Scope of NoAH: remote attacks that do not require a human in the loop
[Diagram: Host OS running emulated hardware (CPU, RAM, NIC) with a Guest OS; bytes arriving from the network via the NIC are tracked in guest RAM (address 0xAAA in the figure) up to the point where the CPU executes them.]

Slide 11: Attack Analysis

Slide 12: Combining Analysis Engines
- Different analysis engines (extractors) analyse attack information from different sources
- Extractors can depend on each other
- The meta-signature describes the entire set of available attack information
- Quality estimation of the meta-signature is based on
  - which extractors succeeded
  - value and amount of the extracted information

Slide 13: Combining host- and network-based analysis
- Extractor #1: host-based information from Argos
  - Identifies the memory content relevant for the attack
  - Identifies the OS and the attacked process
  - Identifies the network traffic bytes involved
- Extractor #2: network-based information from the Protocol State Tracker
  - Protocol field(s) containing the network bytes involved
  - Communication/protocol state history

Slides 14-19: Basic Architecture of the entire ASG System (the same diagram, built up over six slides)
[Diagram: components and their connections:
- Honeypot: Argos with its control socket and the Snitch Perl script; Argos writes Argos.netlog and Argos.csi.x
- Network Protocol State Tracker: writes TrackerOutput.dat and TrackerDump.dat
- Signature Generator: main process, Snitch thread and Extractor thread (Argos Extractor, Tracker Extractor); its output is the Meta-signature
- MySQL Database
- Links between components are labelled Network, Socket IPC and File I/O.]

Slide 20: Network Protocol State Tracker
- Tracks the network connections towards one or more honeypot systems
- Logs protocol states for each packet
- User-defined packet and connection analysis possible
- Highly configurable by relying on various libraries
- State machine configurations currently available for IP, TCP/UDP, FTP

Slide 21: Libraries
- NetBee library
  - Developed by NetGroup at Politecnico di Torino
  - Components for different types of packet processing
  - We integrated its packet decoding functionality into the Tracker
- Netprotofsm
  - Finite state machine library for describing network protocols
  - Our approach is based on work by J. van Gurp and J. Bosch
  - Features: protocol state machines defined by XML files; resource-gentle; flexible timer mechanism (schedule events, define timeouts); custom actions can be implemented

Slide 22: Architecture
[Diagram: the State Tracker captures from the network with the pcap library, decodes packets with the NetBee library (PacketDecoder) and feeds EventData to the protocol State Machine (libnetprotofsm), which is configured by a Protocol Specification File; a LogAction writes the Connection State Log File. A separate Replayer reads that log file (LogReader) and replays it through a ReplayAction.]

Slide 23: Example: attack information extracted
- Extractor #1 (host-based, Argos):
  - Memory dump (Argos I): tainted data which is about to be used in instruction execution: 04 F2 A6 00, plus the position of these bytes in the network packet
  - Via the Snitch Perl script (Argos II): operating system Win2000; attacked service/program WAR-FTPD
- Extractor #2 (Network Protocol State Tracker):
  - Protocol connection state: TCP: connection established; FTP: Login, User identification
  - Packet field decoding: the bytes 04 F2 A6 00 lie in the FTP USER field (packet layout: IP dest/src address, TCP dest/src port, FTP USER payload data)
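To make slides 20-23 concrete, here is an added example (not NoAH or netprotofsm code) of a table-driven protocol state tracker that logs, per packet, the TCP and FTP state of a honeypot connection, so that an extractor can later report "TCP: established, FTP: user identification" for a flagged packet. The Packet fields, the FSM tables and the trace are constructed stand-ins for the XML protocol specifications and real captures the slides mention.

```python
# Added example, not NoAH or netprotofsm code: a table-driven protocol state
# tracker logging the TCP and FTP state of a honeypot connection per packet, so
# an extractor can later report "TCP: established, FTP: USER" for a flagged
# packet. Packet fields and FSM tables are simplified stand-ins for the XML
# protocol specifications the slides mention.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str            # TCP flags as a string: "S", "SA", "A", "PA"
    payload: bytes = b""

# (current state, event) -> next state; unknown events leave the state unchanged
TCP_FSM = {("closed", "S"): "syn_received", ("syn_received", "SA"): "syn_acked",
           ("syn_acked", "A"): "established"}
FTP_FSM = {("start", "USER"): "user_identification",
           ("user_identification", "PASS"): "login"}

class StateTracker:
    def __init__(self, honeypot: str):
        self.honeypot = honeypot
        self.conns = {}   # (client, honeypot) -> {"tcp": state, "ftp": state}
        self.log = []     # one entry per packet, like TrackerOutput.dat

    def _conn_key(self, p: Packet):  # both directions share one entry
        return (p.dst, p.src) if p.src == self.honeypot else (p.src, p.dst)

    def feed(self, p: Packet) -> tuple:
        st = self.conns.setdefault(self._conn_key(p), {"tcp": "closed", "ftp": "start"})
        st["tcp"] = TCP_FSM.get((st["tcp"], p.flags), st["tcp"])
        if st["tcp"] == "established" and p.dst == self.honeypot and p.payload:
            # FTP command = first token of a client line; only parsed once established
            cmd = p.payload.split(b" ", 1)[0].strip().upper().decode("ascii", "replace")
            st["ftp"] = FTP_FSM.get((st["ftp"], cmd), st["ftp"])
        entry = (len(self.log), self._conn_key(p), st["tcp"], st["ftp"])
        self.log.append(entry)
        return entry

def run_constructed_trace() -> list:
    """Constructed trace: handshake, then USER/PASS from the client to the honeypot."""
    hp, cl = "10.0.0.2", "192.0.2.10"
    tr = StateTracker(hp)
    trace = [Packet(cl, hp, "S"), Packet(hp, cl, "SA"), Packet(cl, hp, "A"),
             Packet(hp, cl, "PA", b"220 war-ftpd ready\r\n"),
             Packet(cl, hp, "PA", b"USER anonymous\r\n"),
             Packet(hp, cl, "PA", b"331 password required\r\n"),
             Packet(cl, hp, "PA", b"PASS guest\r\n")]
    return [tr.feed(p) for p in trace]
```

Each log entry pairs a packet index with the connection's state after that packet, which is exactly the lookup Extractor #2 needs when Argos reports the position of the tainted bytes.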

Slide 24: Signature Generation

Slide 25: Signature Generation Flow
1. Generate meta-signature
2. Determine signature quality
4. Save to database
5. Use adapters to create specific signatures
6. Store (correlate and/or distribute) adapted signatures

Slide 26: Snort as Signature Format
- Snort for the proof-of-concept
  - Snort is open source and well-known
  - Simple signature format
- Implications
  - Only a part of the extracted attack information can be used; for example, we cannot include information about the attacked program

Slide 27: Generated signature (WAR-FTPD example)

    alert tcp any any -> any 21 (msg:"(NoAH) RET via FTP protocol, USER command in war-ftpd.exe(win2k)"; flow:established,from_client; content:"USER"; content:!"|0D 0A|"; offset:5; depth:465;)

Slides 28-30: Signature Properties (WAR-FTPD example). The same rule is annotated with three properties: the connection state information (the flow option), the state transition trigger (the USER command) and the vulnerable field(s) (the USER argument, covered by the negated CRLF content with offset and depth).

Slide 31: Conclusion
- Our ASG system generates signatures with almost zero false positives
  - for remote code injection attacks
  - if the full amount of attack information is extracted
- The signature describes the vulnerability of the application
  - Protects server applications from buffer overflows in arbitrary protocols and fields
- Our signatures can compete with other approaches, including manually created reference signatures

Slide 32: Questions?

Slide 33: Evaluation
- Prototype implementation
  - IP, TCP, UDP, FTP protocol state machines
- Exemplary signature generation tests
  - Protocol-context-aware signatures: average total generation time 1.64 s; few false positives
  - LCS signatures (fallback strategy): average total generation time 3.46 s; high rate of false positives, depending on the strings