Towards Vulnerability-Based Intrusion Detection with Event Processing. Amer Farroukh, Mohammad Sadoghi, Hans-Arno Jacobsen, University of Toronto. July 13, 2011, DEBS'11.


Towards Vulnerability-Based Intrusion Detection with Event Processing Amer Farroukh, Mohammad Sadoghi, Hans-Arno Jacobsen University of Toronto July 13, 2011 DEBS'11

Limitation of Regular Expressions
The Conficker worm infected more than 10 million hosts; the economic loss tallied up to $9.1 billion.
(Diagram: an attacker sends the payload variants bin/sh, binbin/sh and bin//sh through an IDS carrying the RE signature bin/*sh toward the UofT network; bin/delete is also shown.)

Signature-based IDSes
- Exploit-based (Snort / Cisco / Proventia): regular expressions
- Vulnerability-based: leverage protocol semantics
- Complex signatures: multiple PDUs (e.g., Conficker)

Examples:
Buffer overflow (all exploits), vulnerability-based: Filename="login.htm" && len(uri.assignment_sequence.variable["password"])>20
Buffer overflow (shellcode), Snort-style exploit signature: content: "|74 07 eb|" && distance: 1 && within: 1 && pcre: "/\xeb.[\x58-\x5b]\x31[\xc9\xd2\xdb]/bin/sh"
Buffer overflow after binding to server (multiple PDUs): BIND PDU: ver=3.0 && UUID="4b324fc d a47bf6ee188"; ACK PDU: ver=3.0 && result[UUID] = Accept; REQ PDU: ver=3.0 && opnum=0x1f && strlen(stub.PathName)>256 && matchRE(stub.PathName, "/^\x05\x00\x00")

Outline
- Related Work & System Architecture
- Matching Algorithms: Access Predicate Pruning (APP), Early Elimination (EE)
- Multiple Protocol Data Units (MPDU) Support: Memory Conscious Network (MCN)
- Experimental Evaluations
- Conclusions

Related Work
Vulnerability-based signature matching: evaluate signatures over a stream of data packets.
- High-speed matching [RAID'08]: the programmer has to hard-code signatures into the parser.
- Candidate Selection (CS) [SIGCOMM'10]: the only algorithm proposed in IDS to match many signatures; re-computes the candidate list for every field parsed.
Event processing (publish/subscribe matching): evaluate subscriptions (signatures) over a stream of events (packets).
- Propagation [SIGMOD'01]: targets a specific type of predicates.
- Counting [ACM TODS'94]: predicate matching and signature matching are distinct, so arbitrary matchers can be supported.
- BE-Tree [SIGMOD'11] (EPTS Principle Award): two-phase space-cutting to iteratively refine and prune the search space.

Event Processing vs. IDS
Metric | Event Processing | IDS
Workload | Dynamic (subscriptions constantly enter and leave the system) | Static (DS torn down and rebuilt when a new signature is added)
Parsing | Messages are parsed before they are passed to the broker | Parsing is crucial to enhancing performance
Matching probability | A large number of subscriptions are matched | Signatures are rarely matched
Memory clean-up | Partial matches may reside in the system for an extended time | Memory per connection must be minimal

System Architecture: Our Contribution
(Diagram.) Leveraged existing systems, on the packet path: Traffic Capture (libpcap) -> TCP Reassembly (libnids) -> Protocol Identification (port or PIA_Bro) -> Protocol Parser (minimal), i.e. the NetShield core engine; the Parser Generator builds the parser from the Protocol Specs (diagram labels: Packets; Stub; PAC IDL File & Signatures).
Our contribution: the Signature Compiler over the vulnerability signature set, individual matchers (e.g., string and RE matchers), the Matching Algorithm (matchers M1..M5 driven by APP and EE), and the Multiple PDU Component (MCN).

Access Predicate Pruning (APP)
(Diagram: each signature is split into an access predicate and its remaining signature predicates.)
Pre-computation phase: signatures are compiled into an access predicate list (Ap1: P1, P2; Ap2: P3, P4, P5; Ap3: P6, P7; ...; ApN: Pi, Pj, Pk); each matcher type (string, number, length, range, RE) keeps its own access predicate list and predicate list. Each signature records how many predicates it needs (S1: 3, S2: 4, S3: 3, ..., SN: 4).
Runtime predicate matching: a parsed field is dispatched to the matcher for the predicate type of Pi.
Runtime signature matching: when an access predicate of Sj matches, Sj is added to the partial-matches list and a counter Cj is created (set to 1); later matched predicates increment counters only for signatures already in that list. Checking the counters (C1=1, C2=3, C3=1, CN=4) against the required counts shows that SN is matched.

Early Elimination (EE)
Signature compilation: signature ids are assigned in increasing order (S1, S2, S4, S5, S9), so the predicate list is sorted by signature id.
Pre-computation phase: the same access predicate list as in APP (Ap1: P1, P2; Ap2: P3, P4, P5; Ap3: P6, P7; ...; ApN: Pi, Pj, Pk) and the per-signature predicate counts (S1: 3, S2: 4, S3: 3, ..., SN: 4).
Runtime signature matching: a matched access predicate of Sj adds Sj to the partial-matches list and creates counter Cj (1). For later predicates a dual scan walks the predicate list and the partial-matches list together, incrementing a counter only if the predicate matched; signatures absent from the partial-matches list are eliminated early. The final counter check (C1=1, C2=3, C3=1, CN=4) shows that SN is matched.
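The counter-based matching sketched on the two slides above, as an added example that is not the paper's or NetShield's code. It reuses the predicate shapes from the signature slide (opnum, path length, path prefix, filename, password length) and assumes that a signature's first predicate is its access predicate and that the parser delivers that field before the signature's other fields.

```python
# Added example (not from the paper or NetShield): counter-based matching with
# Access Predicate Pruning. Assumption: the first predicate of each signature is
# its access predicate, and its field is parsed before the signature's others.
OPS = {"eq": lambda v, c: v == c, "gt": lambda v, c: v > c,
       "prefix": lambda v, c: v.startswith(c)}

# Constructed signatures modelled on the slides: (field, operator, constant).
SIGNATURES = {
    "S1": [("opnum", "eq", 0x1f), ("path_len", "gt", 256),
           ("path", "prefix", "\x05\x00\x00")],
    "S2": [("filename", "eq", "login.htm"), ("password_len", "gt", 20)],
    "S3": [("opnum", "eq", 0x1f), ("path_len", "gt", 64)],
}

def build_lists(signatures):
    """Pre-computation: access predicates and remaining predicates, by field."""
    ap_list, pred_list = {}, {}
    for sid, preds in signatures.items():
        field, op, const = preds[0]
        ap_list.setdefault(field, []).append((op, const, sid))
        for field, op, const in preds[1:]:
            pred_list.setdefault(field, []).append((op, const, sid))
    return ap_list, pred_list

def match(signatures, fields):
    """Runtime: `fields` is the ordered list of (name, value) pairs the parser
    produced. A counter exists only for signatures whose access predicate hit,
    so the other predicates are counted against that partial-match list only."""
    ap_list, pred_list = build_lists(signatures)
    counters = {}                          # partial matches: sid -> hit count
    for name, value in fields:
        for op, const, sid in ap_list.get(name, []):
            if OPS[op](value, const):
                counters[sid] = 1          # access predicate hit: new counter
        for op, const, sid in pred_list.get(name, []):
            if sid in counters and OPS[op](value, const):
                counters[sid] += 1         # pruned when no partial match exists
    # Final scan runs over the partial-match list, not over all signatures.
    return sorted(sid for sid, c in counters.items() if c == len(signatures[sid]))
```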

APP and EE Evaluation
(Evaluation chart; not reproduced in the transcript.)

AP Selectivity
(Chart; not reproduced in the transcript.)

Memory Conscious Network (MCN)
MPDU signatures: S4 = S2 & S3; S5 = S1 -> S2; S6 = S1 & (S2 & S3); S7 = (S1 || S2) & S3.
(Diagram: signature nodes S1, S2, S3 feed join nodes JN1..JN5 (& and ->); five join nodes serve the six operators of the four signatures, the S2 & S3 sub-expression of S4 and S6 being shared. Each join node keeps a two-bit state per connection, stored in a hash keyed by Si. Sample run: S1, S3, S2; the diagram traces the node states through this run and labels the output with S7, S5, S4 and S6.)
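The join network for the four MPDU signatures on this slide, as an added example that is not the paper's MCN implementation. The node names JN1..JN5, the "children before parents" evaluation order, and the choice of one flag per node as the per-connection state are assumptions of this example.

```python
# Added example (not the paper's MCN code): a join network for the slide's MPDU
# signatures, with the shared sub-expression S2 & S3 built once. The state held
# per connection is one flag per signature or join node.
NODES = {                       # node: (operator, left input, right input)
    "JN1": ("&", "S2", "S3"),    # S4 = S2 & S3
    "JN2": ("->", "S1", "S2"),   # S5 = S1 -> S2 (S1 strictly before S2)
    "JN3": ("&", "S1", "JN1"),   # S6 = S1 & (S2 & S3), reuses JN1
    "JN4": ("||", "S1", "S2"),   # (S1 || S2)
    "JN5": ("&", "JN4", "S3"),   # S7 = (S1 || S2) & S3
}
OUTPUTS = {"JN1": "S4", "JN2": "S5", "JN3": "S6", "JN5": "S7"}
ORDER = ["JN1", "JN2", "JN4", "JN3", "JN5"]   # inputs before their join nodes

class Connection:
    """State kept for one TCP connection: which inputs and nodes have fired."""
    def __init__(self):
        self.fired = set()

    def feed(self, sig):
        """A single-PDU signature matched on this connection; returns the MPDU
        signatures that become true as a result, in network order."""
        newly, out = set(), []
        if sig not in self.fired:
            self.fired.add(sig)
            newly.add(sig)
        for node in ORDER:
            if node in self.fired:
                continue                   # already true, nothing to redo
            op, left, right = NODES[node]
            l, r = left in self.fired, right in self.fired
            if op == "&":
                ok = l and r
            elif op == "||":
                ok = l or r
            else:  # "->": the right input must fire after the left one did
                ok = l and right in newly and left not in newly
            if ok:
                self.fired.add(node)
                newly.add(node)
                if node in OUTPUTS:
                    out.append(OUTPUTS[node])
        return out

def run(events):
    """Feed a constructed sequence of single-PDU matches on one connection."""
    conn = Connection()
    return [s for e in events for s in conn.feed(e)]
```

With the slide's sample run S1, S3, S2 all four signatures fire; with S2 followed by S1 the sequence signature S5 does not.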

MCN Evaluation
Algorithm | Sequential | MCN
Signature Nodes | - | -
AND Nodes | 80 | 58
NEXT Nodes | 85 | 68
OR Nodes | 30 | 20
Memory per connection (bytes) | 31 | 24

Conclusions and Future Work
Vulnerability-based signature matching:
- Proposed two novel solutions, APP and EE
- Attack resilient and faster than CS
- Access predicate selectivity (future work)
MPDU support:
- One of the first efforts to match MPDU signatures
- MCN is memory efficient and 29 times faster than a sequential scan
- Balancing network depth and node sharing (future work)


Challenges of Vulnerability Signatures
- Enable high-speed parsing: parse only relevant fields
- Support arbitrary matchers: RE, strings, length checking, numbers, and ranges
- Reduce state maintenance: avoid state explosion for MPDU matching

APP and EE Complexities
Time complexity (worst case):
- APP: for every predicate, O(Predicate List + AP List); final scan, O(Partial Matches List)
- EE: for every predicate, O(Predicate List + Partial Matches AP List); final scan, O(Partial Matches List)
Memory footprint (APP & EE): determined by the size of the Partial Matches List