Presentation is loading. Please wait.

Presentation is loading. Please wait.

Somesh Jha University of Wisconsin

Published byAgus Lesmono Modified over 6 years ago

Similar presentations

Presentation on theme: "Somesh Jha University of Wisconsin"— Presentation transcript:

1 Somesh Jha University of Wisconsin
Intrusion Detection Somesh Jha University of Wisconsin

2 Intrusion Detection Goal: Discover attempts to maliciously gain access to a system 24 November 2018 J. Giffin and S. Jha

3 Network Intrusion Detection Systems (NIDS)
Inspects packets at certain vantage points For example, behind the routers Look for malicious or anomalous behavior Much more fine-grained than firewalls Example: drop a packet whose payload “matches” a certain string 24 November 2018 J. Giffin and S. Jha

4 Network Intrusion Prevention System (IPS)
NIDS are generally “passive” Raise alerts if something suspicious happens IPS are active Drop suspicious looking packages Route certain packets for further inspection Have to work at line speeds 24 November 2018 J. Giffin and S. Jha

5 Classification of NIDS
Signature-based Also called misuse detection Establish a database of malicious patterns If a sequence of packets “matches” one of the patterns, raise an alarm Positives Good attack libraries Easy to understand the results Negatives Unable to detect new attacks or variants of old attacks Example Snort, Bro, NFR, … 24 November 2018 J. Giffin and S. Jha

6 Classification of NIDS
Anomaly-based Establish a statistical profile of normal traffic If monitored traffic deviates “sufficiently” from the established profile, raise an alarm Positives Can detect new attacks Negatives High false alarm rate Intruder can go under the “radar” Examples Mostly research systems 24 November 2018 J. Giffin and S. Jha

7 Classification of NIDS
Stateless Need to keep no state Example: raise an alarm if you see a packet that contains the pattern “mellissa” Positives Very fast Negatives For some attacks need to keep state 24 November 2018 J. Giffin and S. Jha

8 Classification of NIDS
Stateful Keeps state Sometime need to do reassembly Reassemble packets that belong to the same connection, e.g., packets that belong to the same ssh session Quite hard! (out-of-order delivery) Positives Can detect more attacks Negatives Requires too much memory 24 November 2018 J. Giffin and S. Jha

9 Snort logs, alerts, ... malicious patterns libpcap
Filtered packet stream libpcap 24 November 2018 J. Giffin and S. Jha

10 libpcap Takes the “raw” packet stream
Parses the packets and presents them as a Filtered packet stream Library for packet capture Website for more details 24 November 2018 J. Giffin and S. Jha

11 Malicious Pattern Example
alert tcp any any -> / (content: “/cgi-bin/phf”; msg: “PHF probe!”;) action pass log alert destination address destination port source address source port protocol 24 November 2018 J. Giffin and S. Jha

12 Malicious Patterns Example
content: “/cgi-bin/phf” Matches any packet whose payload contains the string “/cgi-bin/phf” Look at msg: “PHF probe!” Generate this message if a match happens 24 November 2018 J. Giffin and S. Jha

13 More Examples alert tcp any any ->
/ :6010 (msg: “X traffic”;) alert tcp ! /24 any -> / :6010 (msg: “X traffic”;) 24 November 2018 J. Giffin and S. Jha

14 How to generate new patterns?
Buffer overrun found in Internet Message Access Protocol (IMAP) Run exploit in a test network and record all traffic Examine the content of the attack packet 24 November 2018 J. Giffin and S. Jha

15 Notional "IMAP buffer overflow" packet
:27: :1034 -> :143 TCP TTL:64 TOS:0x0 DF ***PA* Seq: 0x5295B44E Ack: 0x1B4F Win: 0x7D78 EB 3B ; 5E ED 31 C9 31 C0 88 6E E 0C ^.v n..n. B0 0B 89 F3 8D 6E E9 8D 6E 0C 89 EA CD n....n..... 31 DB 89 D8 40 CD E8 C0 FF FF FF 2F E 2F /bin/sh 24 November 2018 J. Giffin and S. Jha

16 Alert rule for the new buffer overflow
alert tcp any any -> / (content:"|E8C0 FFFF FF|/bin/sh"; msg:"New IMAP Buffer Overflow detected!";) Can mix hex formatted bytecode and text 24 November 2018 J. Giffin and S. Jha

17 Advantages of Snort Lightweight Malicious patterns easy to develop
Small footprint Focused monitoring: highly tuned Snort for the SMTP server Malicious patterns easy to develop Large user community Consider the IRDP denial-of-service attack Rule for this attack available on the same day the attack was announced 24 November 2018 J. Giffin and S. Jha

18 Disadvantages Does not perform stream reassembly
Attackers can use that to “fool” Snort Break one attack packet into a stream Pattern matching is expensive Matching patterns in payloads is expensive (avoid it!) Rule development methodology is adhoc 24 November 2018 J. Giffin and S. Jha

19 Host-based ID Monitor interaction between a specific program and OS
Raise an alarm if suspicious “system calls” are observed Unlike NIDS monitoring happens at the end hosts Need to model Unusual behavior Normal behavior 24 November 2018 J. Giffin and S. Jha

20 Goal: Discover attempts to maliciously gain access to a system
Misuse Detection Specify patterns of attack or misuse Ensure misuse patterns do not arise at runtime Snort Rigid: cannot adapt to novel attacks Specification-Based Monitoring Specify constraints upon program behavior Ensure execution does not violate specification Our work; Ko, et. al. Specifications can be cumbersome to create Anomaly Detection Learn typical behavior of application Variations indicate potential intrusions IDES High false alarm rate 24 November 2018 J. Giffin and S. Jha

21 Specification-Based Monitoring
Two components: Specification: Indicates constraints upon program behavior Enforcement: How the specification is verified at runtime or from audit data 24 November 2018 J. Giffin and S. Jha

22 Specification Enforcement
Analyst or Administrator Training Sets Static Source Code Analysis Static Binary Code Analysis Specification Enforcement Execution Obeys Static Ruleset Execution Matches Model of Application 24 November 2018 J. Giffin and S. Jha

23 Representative Work by Ko, et al.
Specification: Programmers or administrators specify correct program behavior Enforcement: At runtime, only allow actions that match the specified policy PROGRAM fingerd read(X) :- worldreadable(X); bind(79); write(“/etc/log”); exec(“/usr/ucb/finger”); END 24 November 2018 J. Giffin and S. Jha

24 Specification Enforcement
Analyst or Administrator Training Sets Static Source Code Analysis Static Binary Code Analysis Specification Enforcement Execution Obeys Static Ruleset Execution Matches Model of Application 24 November 2018 J. Giffin and S. Jha

25 Representative Work by Forrest, et al
Specification: Learn correct program behavior with training Record sequences of system calls Enforcement: Only accept behaviors similar to learned patterns Example system: STIDE 24 November 2018 J. Giffin and S. Jha

26 Training Repeatedly run the program, varying the input
For some n, record all sequences of n system calls observed n depends upon the program End result: database of n-tuples of system calls 24 November 2018 J. Giffin and S. Jha

27 cat (print file contents)
geteuid, getuid, getegid, getgid, fstat, open, fstat, lseek, mmap, read, memcntl, write, lseek, munmap, lseek, close, close, exit geteuid, getuid getuid, getegid getegid, getgid getgid, fstat fstat, open / lseek open, fstat lseek, mmap / munmap / close mmap, read read, memcntl memcntl, write write, lseek munmap, lseek close, close / exit 24 November 2018 J. Giffin and S. Jha

28 Enforcement Monitor system calls generated by application
Ensure that the last n calls match a sequence in the database Option: Allow slight deviation from database Training set may have been incomplete 24 November 2018 J. Giffin and S. Jha

29 cat (print file contents)
geteuid, getuid, getegid, getgid, fstat, open, fstat, lseek, mmap, read, memcntl, write, lseek, munmap, lseek, close, close, exit Accepts incorrect system call sequences geteuid, getuid, getegid, getgid, fstat, lseek, close, exit geteuid, getuid getuid, getegid getegid, getgid getgid, fstat fstat, open / lseek open, fstat lseek, mmap / munmap / close mmap, read read, memcntl memcntl, write write, lseek munmap, lseek close, close / exit 24 November 2018 J. Giffin and S. Jha

30 Drawbacks Accepts incorrect call sequences
Due to window-based approach with ambiguity Opportunity for attack sequence to go undetected Only learn behaviors exercised in training set Not all execution paths followed Users must construct valid training sets Users must determine window size 24 November 2018 J. Giffin and S. Jha

31 Drawbacks Specification may overfit the data
If training on real data, training set may contain exploits Learn exploit pattern as normal 24 November 2018 J. Giffin and S. Jha

32 Specification Enforcement
Analyst or Administrator Training Sets Static Source Code Analysis Static Binary Code Analysis Specification Enforcement Execution Obeys Static Ruleset Execution Matches Model of Application 24 November 2018 J. Giffin and S. Jha

33 Our Approach Specification: Static analysis of binary code
function: save %sp, 0x96, %sp cmp %i0, 0 bge L1 mov 15, %o1 call read mov 0, %o0 call line nop b L2 L1: mov %i0, %o0 call close L2: ret restore Specification: Static analysis of binary code Specifications are automatically generated Not reliant upon programmers to produce accurate specifications Analyzes all execution paths Source code may be unavailable 24 November 2018 J. Giffin and S. Jha

34 Our Approach read close line Enforcement: Operate an automaton modeling correct system call sequences Dynamic ruleset More expressive than static ruleset of Ko, et. al. 24 November 2018 J. Giffin and S. Jha

35 Non-Deterministic Finite Automaton (NFA)
read close line Structure States Labeled edges between states Edge labels are input symbols – call names Path to any accepting state defines valid sequence of calls 24 November 2018 J. Giffin and S. Jha

36 Our Approach read close line Enforcement: Operate an automaton modeling correct system call sequences Dynamic ruleset More expressive than static ruleset of Ko, et. al. 24 November 2018 J. Giffin and S. Jha

37 The Binary View (SPARC)
function: save %sp, 0x96, %sp cmp %i0, 0 bge L1 mov 15, %o1 call read mov 0, %o0 call line nop b L2 L1: mov %i0, %o0 call close L2: ret restore function (int a) { if (a < 0) { read(0, 15); line(); } else { read(a, 15); close(a); } 24 November 2018 J. Giffin and S. Jha

38 Control Flow Graph Generation
call read bge CFG ENTRY call close ret call line CFG EXIT function: save %sp, 0x96, %sp cmp %i0, 0 bge L1 mov 15, %o1 call read mov 0, %o0 call line nop b L2 L1: mov %i0, %o0 call close L2: ret restore 24 November 2018 J. Giffin and S. Jha

39 Control Flow Graph Translation
read close line call read bge CFG ENTRY call close ret call line CFG EXIT 24 November 2018 J. Giffin and S. Jha

40 Control Flow Graph Translation
read close line call read bge CFG ENTRY call close ret call line CFG EXIT 24 November 2018 J. Giffin and S. Jha

41 Interprocedural Model Generation
read read close line 24 November 2018 J. Giffin and S. Jha

42 Interprocedural Model Generation
read read line write close line 24 November 2018 J. Giffin and S. Jha

43 Interprocedural Model Generation
B read line read line write close close line 24 November 2018 J. Giffin and S. Jha

44 Interprocedural Model Generation
B read line read line write close close 24 November 2018 J. Giffin and S. Jha

45 Interprocedural Model Generation
B read read line write close close 24 November 2018 J. Giffin and S. Jha

46 Possible Paths B A line read read write close close 24 November 2018
J. Giffin and S. Jha

47 Possible Paths B A line read read write close close 24 November 2018
J. Giffin and S. Jha

48 Impossible Paths B A line read read write close close 24 November 2018
J. Giffin and S. Jha

49 Impossible Paths B A line read read write close close 24 November 2018
J. Giffin and S. Jha

50 Adding Context Sensitivity
B read read Y line X write close close Y X 24 November 2018 J. Giffin and S. Jha

51 PDA State Explosion ε-edge identifiers maintained on a stack Solution:
Stack may grow to be unbounded Solution: Bound the maximum size of the runtime stack A regular language overapproximation of the context-free language of the PDA X 24 November 2018 J. Giffin and S. Jha

52 Data Flow Analysis Argument recovery
function: save %sp, 0x96, %sp cmp %i0, 0 bge L1 mov 15, %o1 call read mov 0, %o0 call line nop b L2 L1: mov %i0, %o0 call close L2: ret restore Argument recovery Statically known arguments constrain remote calls Reduces opportunity given to attackers 24 November 2018 J. Giffin and S. Jha

53 Call Site Renaming Give each monitored call site a unique name
function: save %sp, 0x96, %sp cmp $i0, 0 bge L1 mov 15, %o1 call read mov 0, %o0 call line nop b L2 L1: mov %i0, %o0 call close L2: ret restore Give each monitored call site a unique name Associates arguments with call sites Obfuscation Reduces nondeterminism 24 November 2018 J. Giffin and S. Jha

54 Call Site Renaming Give each monitored call site a unique name
function: save %sp, 0x96, %sp cmp $i0, 0 bge L1 mov 15, %o1 call _638 mov 0, %o0 call line nop b L2 L1: call read mov %i0, %o0 call close L2: ret restore Give each monitored call site a unique name Associates arguments with call sites Obfuscation Reduces nondeterminism 24 November 2018 J. Giffin and S. Jha

55 Call Site Renaming Give each monitored call site a unique name
function: save %sp, 0x96, %sp cmp $i0, 0 bge L1 mov 15, %o1 call _638 mov 0, %o0 call line nop b L2 L1: call _83 mov %i0, %o0 call close L2: ret restore Give each monitored call site a unique name Associates arguments with call sites Obfuscation Reduces nondeterminism 24 November 2018 J. Giffin and S. Jha

56 Call Site Renaming Give each monitored call site a unique name
function: save %sp, 0x96, %sp cmp $i0, 0 bge L1 mov 15, %o1 call _638 mov 0, %o0 call line nop b L2 L1: call _83 mov %i0, %o0 call _1920 L2: ret restore Give each monitored call site a unique name Associates arguments with call sites Obfuscation Reduces nondeterminism 24 November 2018 J. Giffin and S. Jha

57 Call Site Renaming Give each monitored call site a unique name
Associates arguments with call sites Obfuscation Reduces nondeterminism read read close line 24 November 2018 J. Giffin and S. Jha

58 Call Site Renaming Give each monitored call site a unique name
Associates arguments with call sites Obfuscation Reduces nondeterminism _638 _83 _1920 line 24 November 2018 J. Giffin and S. Jha

59 Technical Challenges Integrating other specification sources
Optimal null call insertion C++ vtable analysis 24 November 2018 J. Giffin and S. Jha

Download ppt "Somesh Jha University of Wisconsin"

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Guide to Network Defense and Countermeasures Third Edition

Guide to Network Defense and Countermeasures Third Edition
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:

Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Report on statistical Intrusion Detection systems By Ganesh Godavari.

Report on statistical Intrusion Detection systems By Ganesh Godavari.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
INTRUSION DETECTION SYSTEM

INTRUSION DETECTION SYSTEM
Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.

Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Similar presentations

Ads by Google