Intrusion Detection using Sequences of System Calls By S. Hofmeyr & S. Forrest.


Overview
- Focus: privileged processes
- Discriminator: system call sequences
- Building a database: defining "normal"
- Detecting anomalies: how to measure
- Results: promising numbers
- Concerns: remaining doubts
- Extensions of research: Jones, Li & Lin

Inspiration
- Human immune system
- Recognition of self
- Rejection of nonself
- How would we describe "self" for a software system, or a program?

Focus and Motivation
- Focus on privileged processes
  - Exploitation can give a user root access
  - They provide a natural boundary
    - e.g. telnet daemon, login daemon
  - Privileged processes are easier to track
    - Specific, limited function
    - Stable over time
    - Contrast with the diversity of user actions

Where do we look?
- Need to distinguish when:
  - Privileged process runs normally
  - Privileged process exhibits an anomaly
- The discriminator is the observable entity used to distinguish between these two
- Use sequences of system calls as the discriminator, the signature

How much detail?
- Discriminator is sequences of system calls
  - Simple temporal ordering is chosen
  - Ignore parameters
  - Ignore specific timing information
  - Ignore everything else!
- Why? As much as possible, work with simple assumptions
- Is it "enough"?

Is it enough detail?
- Does the discriminator include enough detail for this hypothesis to hold?
  - Answer seems to be yes!
- Extra complication: due to the variability in configuration and use of individual systems, the set of "normal" sequences of system calls will be different on different systems

Design Decisions
- Remember temporal ordering of calls
  - Not the total sequence, but sequences of length k
- What size should k be?
  - Long enough to detect anomalies, as short as possible
  - Empirical observation: length 6 to 10 is sufficient
- So "self" is a database of (unordered) short call sequences

Building the "normal" database
- Synthetic
  - Assurance that the normal database contains no intrusions; reproducible
  - But does not reflect any particular real user activity
- Actual use
  - Necessary to generate from actual use in order to have a unique "self"
  - How long to accumulate? Is it clean?

The normal database
- Database of normal sequences does not contain all legal sequences
  - If it did, anomalies would not be detected
  - Some rare sequences will not be used during database initialization
- Database is stored as a forest to save space

Signature Database Structure (length 3)
- Example trace: fopen fread strcmp fopen fread strcmp
- Length-3 sequences extracted from it: fopen fread strcmp; fread strcmp fopen; strcmp fopen fread
- Stored as a forest, one tree per first call:
  - fopen -> fread -> strcmp
  - fread -> strcmp -> fopen
  - strcmp -> fopen -> fread

Derive Robust Signature Database

Detecting anomalies
- A call sequence not in the database is an anomalous sequence
- Strength of that anomalous sequence is measured by the "Hamming distance" to the closest normal sequence (called d_min)
- Any call trace with an anomalous sequence is an anomalous trace

Detecting anomalies
- Strength of an anomalous trace is the maximum d_min of the trace, normalized by the value of k (length of sequences in the database):
  - Ŝ_A = max{d_min values for the trace} / k
  - Value is between 0 and 1
- By adjusting the threshold value for Ŝ_A, false positives can be reduced
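The detection method from the last few slides (sliding window of length k, normal sequences stored as a forest keyed on the first call, d_min as the Hamming distance to the closest normal sequence, and Ŝ_A = max d_min / k) is worked through below as an added example; it is not code from the paper or the presentation. The traces and call names are constructed, and the forest is a plain nested dict rather than the authors' own structure.

```python
# Constructed sample traces standing in for two normal runs of a privileged
# process (not data from the paper). Only the call names and their order matter.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "read", "close", "close"],
    ["open", "read", "mmap", "open", "read", "read", "close", "close"],
]

def windows(trace, k):
    """Yield every contiguous length-k sequence of the trace (sliding window)."""
    for i in range(len(trace) - k + 1):
        yield tuple(trace[i:i + k])

def build_forest(traces, k):
    """Store the normal length-k sequences as a forest: one tree per first call,
    with common prefixes shared, which is what saves space over a flat list."""
    forest = {}
    for trace in traces:
        for seq in windows(trace, k):
            node = forest
            for call in seq:
                node = node.setdefault(call, {})
    return forest

def contains(forest, seq):
    """True if seq is stored in the forest, i.e. it is a known normal sequence."""
    node = forest
    for call in seq:
        if call not in node:
            return False
        node = node[call]
    return True

def normal_sequences(forest, prefix=()):
    """Enumerate every stored sequence by walking each tree down to its leaves."""
    if not forest:
        yield prefix
        return
    for call, child in forest.items():
        yield from normal_sequences(child, prefix + (call,))

def d_min(forest, seq):
    """Hamming distance from seq to the closest normal sequence (0 if present)."""
    if contains(forest, seq):
        return 0
    return min(sum(a != b for a, b in zip(seq, n)) for n in normal_sequences(forest))

def anomaly_signal(forest, trace, k):
    """Normalized anomaly signal S_A = max d_min over the trace's windows / k."""
    return max((d_min(forest, seq) for seq in windows(trace, k)), default=0) / k
```

With k = 3, substituting one call in a normal trace gives Ŝ_A = 1/3, while inserting one extra call gives 2/3, because the inserted call shifts every window that overlaps it.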

Efficiency
- Complexity of computing d_min
  - O(k(R_A N + 1))
    - k is the sequence length, R_A is the ratio of anomalous to normal sequences, N is the number of sequences in the database
- d_min is calculated after every system call
  - The constant associated with this algorithm is very important
  - Not yet running in real time

Results (synthetic)
- Sanity test: if different programs are not distinguishable, anomalies within one program will certainly not be either
- Easy to distinguish between programs; mismatches on well more than 50% of the instruction sequences (and Ŝ_A >= 0.6)
- All intrusions (both attempted & successful) produced anomalies of varying strengths

Results (real environment)
- The conjecture of unique normal databases
  - Experiments in two configurations (at UNM and MIT) had very different databases for the same program (lpr)
  - Is this typical?

Closing concerns
- False positives vs false negatives
  - If forced to choose, UNM prefers to have false negatives because layering can mitigate
- Saw 1 per 100 print jobs (lpr)
  - Due to system problems
- Is Ŝ_A a good measure?
  - It could help generate false positives
  - A single extra system call might make Ŝ_A = 0.5

Annex Material: Some UVa experiments
S. Li, Y. Lin, and A. Jones

Signature Length Has Little Effect
- Illustrated by two attacks on Apache
- Varied sequence length from 2 to 30
- We chose length 10 to have a margin of error

Effectiveness: Buffer Overflow
- Successfully detected buffer overflow attacks against wu-ftpd
- Works well because attacker code adds new sequences of library calls
- [Table: #Mismatches, %Mismatches and Normalized Anomaly Signal for the Stack Overwrite and Realpath Vulnerability attacks; the cell values did not survive in the transcript]
- High normalized anomaly signals indicate attacks

Effectiveness: Denial of Service
- Simulated DOS attack that uses up all available memory
- As the attack progresses, library calls requesting memory return abnormally and are re-issued
- DOS attack caused the application to invoke a new library call, fsync
- [Table, program vi: #Mismatches, %Mismatches and Normalized Anomaly Signal. Normal Run: 0, 0, 0 (no intrusion detected). DOS Attack: values did not survive in the transcript]
- High normalized anomaly signal indicates attack