Slide 1
Lucent Technologies – Proprietary Use pursuant to company instruction
Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Lloyd Greenwald, Lucent Bell Labs
Slide 2
Machine Learning Algorithms for Surveillance and Event Detection
–Surveillance: network traffic
–Event detection: exploits of unknown vulnerabilities that use sequences of messages
–Machine learning algorithms: learning Markov models that capture recent sequential protocol usage
Slide 3
NIDS Monitors Traffic and Detects Events That Violate Security Policy (figure from the Bro user manual)
Slide 4
Example Attack Sequence: NIDS Evasion Attack (from Handley et al. 01)
–Fake a missing packet so the NIDS has to buffer the out-of-order segments that follow
–Send two interspersed segment sequences for the same connection that overlap in sequence-number space but differ in payload
–Even with identical TTLs there is ambiguity: the NIDS cannot know which of the overlapping data an end system will keep when it re-creates the byte stream
Slide 5
Example Attack: Multi-Step Apache/mod_ssl worm (aka Slapper)
1. Probe/scan the target for the vulnerability by sending an HTTP GET request on TCP port 80 that violates the HTTP/1.1 standard
2. The response identifies the server as Apache
3. Exploit for the SSLv2-enabled OpenSSL 0.9.6d vulnerability is sent to TCP port 443
4. Target sends traffic back to the attacker on UDP port 2002
5. Target begins scanning for other vulnerable hosts
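The five steps above are a sequence, not a single packet, which is what makes them hard for a packet-at-a-time signature to catch. The following is an added example (not code from the presentation) of a per-(attacker, target) state machine that alerts only when all five steps are observed in order; the flow records and the `note` content tags, which stand in for what a protocol parser would label, are constructed for this example.

```python
"""Added example, not code from the presentation: a per-(attacker, target) state
machine that alerts only when all five Slapper steps from the slide are observed
in order. Flow records and the `note` content tags (stand-ins for what a
protocol parser would label) are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    note: str = ""    # assumed parser tag: "http_get_violates_1.1", "server_banner_apache", "sslv2_handshake"


Key = Tuple[str, str]   # (attacker, target), bound when step 1 is seen


# Steps 1-5 from the slide as predicates over a flow and the bound roles.
def step1(f: Flow, a: str, t: str) -> bool:   # malformed HTTP GET on tcp/80
    return f.src == a and f.dst == t and f.proto == "tcp" and f.dport == 80 and f.note == "http_get_violates_1.1"

def step2(f: Flow, a: str, t: str) -> bool:   # response identifies Apache
    return f.src == t and f.dst == a and f.proto == "tcp" and f.note == "server_banner_apache"

def step3(f: Flow, a: str, t: str) -> bool:   # SSLv2 exploit to tcp/443
    return f.src == a and f.dst == t and f.proto == "tcp" and f.dport == 443 and f.note == "sslv2_handshake"

def step4(f: Flow, a: str, t: str) -> bool:   # target calls back on udp/2002
    return f.src == t and f.dst == a and f.proto == "udp" and f.dport == 2002

def step5(f: Flow, a: str, t: str) -> bool:   # target starts scanning others
    return f.src == t and f.dst != a and f.proto == "tcp" and f.dport == 80 and f.note == "http_get_violates_1.1"


STEPS = [step1, step2, step3, step4, step5]


class SlapperCorrelator:
    def __init__(self) -> None:
        self.state: Dict[Key, int] = {}   # key -> index of the next step awaited

    def feed(self, f: Flow) -> Optional[Key]:
        """Advance every partial match this flow fits; return the key of a
        completed sequence, if any. A scanning flow from a freshly infected
        target also opens a new partial match with that target as attacker."""
        completed = None
        for key, idx in list(self.state.items()):
            if STEPS[idx](f, *key):
                if idx + 1 == len(STEPS):
                    del self.state[key]
                    completed = key
                else:
                    self.state[key] = idx + 1
        if step1(f, f.src, f.dst):
            self.state.setdefault((f.src, f.dst), 1)
        return completed


def correlate(flows: List[Flow]):
    """Return (alerts, remaining partial matches) after feeding all flows."""
    c = SlapperCorrelator()
    alerts = [k for k in (c.feed(f) for f in flows) if k]
    return alerts, dict(c.state)


# Constructed traffic: a lone malformed GET from a scanner that goes no further,
# then a full Slapper-like sequence from 10.0.0.5 against 192.0.2.10, whose
# last step is 192.0.2.10 scanning a third host.
SAMPLE = [
    Flow("203.0.113.9", "192.0.2.10", "tcp", 80, "http_get_violates_1.1"),
    Flow("10.0.0.5", "192.0.2.10", "tcp", 80, "http_get_violates_1.1"),
    Flow("192.0.2.10", "10.0.0.5", "tcp", 51234, "server_banner_apache"),
    Flow("10.0.0.5", "192.0.2.10", "tcp", 443, "sslv2_handshake"),
    Flow("192.0.2.10", "10.0.0.5", "udp", 2002),
    Flow("192.0.2.10", "198.51.100.7", "tcp", 80, "http_get_violates_1.1"),
]

if __name__ == "__main__":
    alerts, pending = correlate(SAMPLE)
    print("alerts:", alerts)
    print("pending partial matches:", pending)
```

The lone scanner never gets past step 1, so it stays a partial match rather than an alert; in a real deployment partial matches need a timeout, and the parser tags would come from the NIDS's own protocol analyzers rather than the strings assumed here.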
Slide 6
Technical Approach
–Automatically build sequential models of recent protocol usage
–Analyze the models for common and uncommon sequences
–Proactively exercise the protocol implementation with uncommon sequences sampled from the models
–Reactively detect uncommon sequences
–Build new defense policies for the NIDS
Slide 7
Prior Work: Machine Learning Algorithms for Automated Test Case Generation
–Surveillance: web logs
–Event detection: exercise errors in web applications
–Machine learning algorithms: learning Markov models that capture recent sequential web application usage
(figure: session data collected from Internet users of the web application)
Slide 8
Prior Work: Automated Test Case Generation
Leverage dynamic user information to automatically generate NEW test cases for web applications. (figure: session data)
Key contribution 1) sequential statistical models built using machine learning techniques.
Key contribution 2) flexible test case generation exploiting probabilistic sampling methods.
Slide 9
Web Application Studied
–Front end: JSP
–Back end: MySQL
–10K lines of code, 118 methods, 12 classes
–123 user sessions (sequential application usage extracted from the web log)
Question: Can we build models that can be used to generate new, valid user sessions?
Slide 10
Building Markov Models From Web Logs
Extract user sessions from the web log:
12.3.40.65 GET index.jsp
12.3.40.65 GET login.jsp
12.3.40.65 GET /apps/bookstore/reg.jsp?member_login=hello&member_password=world&member_password2=world
12.3.40.65 GET myinfo.jsp
Control model: possible sequences of URLs that are visited
Data model: possible sets of parameter values (name-value pairs)
Slide 11
Control Models
unigram: probability of a user visiting a given page, independent of the previous page
P(currentPage=X)
  X           P
  default     0.65
  register    0.20
  search      0.05
  bookDetail  0.10

Slide 12
Control Models
bigram: conditional probability of a user visiting a page, given the previous page
P(currentPage=X | lastPage=Y), shown for one fixed Y:
  X           P
  default     0.30
  register    0.45
  search      0.15
  bookDetail  0.10

Slide 13
Control Models
trigram: conditional probability of a user visiting a page, given the previous two pages
P(currentPage=X | lastPage1=Y1, lastPage2=Y2), shown for one fixed (Y1, Y2):
  X           P
  default     0.05
  register    0.30
  search      0.10
  bookDetail  0.55
Slide 14
Reliability vs. Discrimination
unigram → bigram → trigram
–Greater discrimination to the right: more context per prediction
–Greater reliability to the left: more training data per context, since a longer context is seen fewer times and its estimates are sparser
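To make the tradeoff concrete, here is an added example (not code from the presentation) that learns unigram, bigram and trigram control models from a handful of constructed bookstore sessions and counts how many contexts rest on fewer than three observations. The page names follow the slides; the sessions themselves are made up for this example.

```python
"""Added example, not code from the presentation: unigram, bigram and trigram
control models learned from constructed bookstore sessions, with the sparsity
count behind the reliability-vs-discrimination tradeoff. Page names follow the
slides; the sessions themselves are made up for this example."""
from collections import Counter, defaultdict

START, END = "<s>", "</s>"

# Constructed sessions (one list of pages per user session).
SESSIONS = [
    ["default", "register", "search", "bookDetail"],
    ["default", "search", "bookDetail"],
    ["default", "search", "bookDetail", "search", "bookDetail"],
    ["default", "register", "search"],
    ["default", "bookDetail"],
    ["default", "search", "search", "bookDetail"],
]


def ngram_model(sessions, n):
    """{context (tuple of the n-1 previous pages): Counter(next page)}.
    n=1 gives the unigram (empty context), n=2 the bigram, n=3 the trigram.
    Sessions are padded with n-1 START tokens and closed with END."""
    model = defaultdict(Counter)
    for s in sessions:
        seq = [START] * (n - 1) + s + [END]
        for i in range(n - 1, len(seq)):
            model[tuple(seq[i - n + 1:i])][seq[i]] += 1
    return model


def prob(model, context, page):
    """Maximum-likelihood P(page | context); 0 if the context was never seen."""
    c = model.get(tuple(context))
    return c[page] / sum(c.values()) if c else 0.0


def session_prob(model, n, session):
    """Probability of a whole session (including its end) under an n-gram model."""
    seq = [START] * (n - 1) + session + [END]
    p = 1.0
    for i in range(n - 1, len(seq)):
        p *= prob(model, seq[i - n + 1:i], seq[i])
    return p


def sparse_contexts(model, min_count):
    """How many contexts rest on fewer than min_count observations: the price
    paid in reliability for each extra page of context."""
    return sum(1 for c in model.values() if sum(c.values()) < min_count)


if __name__ == "__main__":
    for n in (1, 2, 3):
        m = ngram_model(SESSIONS, n)
        print(f"{n}-gram: {len(m)} contexts, {sparse_contexts(m, 3)} seen < 3 times, "
              f"P(default search bookDetail) = {session_prob(m, n, ['default', 'search', 'bookDetail']):.4f}")
```

With six sessions the trigram already has nine contexts, five of them seen fewer than three times, while the bigram has one such context and the unigram none; the trigram also assigns probability zero to any session containing a two-page history it never saw, which is the discrimination the slide describes and, on sparse data, also its main source of false alarms.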
Slide 15
Data Models
simple: P(values=X | currentPage=Y)
advanced: P(values=X | lastPage+importantParams=Y1, currentPage=Y2)
Example: Books.do?category=3 → BookDetail.do?category=3&itemId=8 (here "category" is the "important parameter" carried over from the last page)
Slide 16
Simple Data Model
Page1: http://decide.cs/bookstore/BookDetail.do?itemId=18
Page2: http://decide.cs/bookstore/AddOrder.do?quantity=99&itemId=36
(the simple model draws Page2's parameters from everything ever seen on AddOrder.do, independent of Page1, so it can generate an order for an item the session never viewed)

Slide 17
Advanced Data Model
Page1: http://decide.cs/bookstore/BookDetail.do?itemId=18
Page2: http://decide.cs/bookstore/AddOrder.do?quantity=1&itemId=18
(conditioning on the important parameter itemId=18 of Page1 keeps the generated order consistent with the page just viewed)
Slide 18
Generating Test Cases by Combining Control and Data Models
Generate arbitrary queries about user sessions and use these queries to build test cases:
–What are the k most likely user sessions?
–What are the k least likely user sessions?
–Generate k user sessions randomly, according to the distribution represented in a web log.
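The following is an added example (not code from the presentation) that ties slides 10 through 18 together: it extracts sessions from constructed web-log lines, learns a bigram control model and both a simple and an advanced data model, answers the "k most likely sessions" query by enumeration, and samples whole sessions (URL plus parameters) from the learned distribution. The log format, page names and the choice of which parameter of each page is "important" are assumptions of this example.

```python
"""Added example, not code from the presentation: simple vs. advanced data
models learned from constructed web-log lines, combined with a bigram control
model to answer two of the slide's queries (k most likely sessions; random
sessions drawn from the learned distribution). The log format, page names and
the choice of 'important parameters' are assumptions of this example."""
import random
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed log: four clients, one "ip METHOD path?query" request per line.
LOG = """\
12.3.40.65 GET /bookstore/Books.do?category=3
12.3.40.65 GET /bookstore/BookDetail.do?category=3&itemId=8
12.3.40.65 GET /bookstore/AddOrder.do?quantity=1&itemId=8
10.1.1.2 GET /bookstore/Books.do?category=5
10.1.1.2 GET /bookstore/BookDetail.do?category=5&itemId=18
10.1.1.2 GET /bookstore/AddOrder.do?quantity=2&itemId=18
172.16.0.9 GET /bookstore/Books.do?category=3
172.16.0.9 GET /bookstore/BookDetail.do?category=3&itemId=36
172.16.0.9 GET /bookstore/AddOrder.do?quantity=1&itemId=36
198.51.100.4 GET /bookstore/Books.do?category=5
198.51.100.4 GET /bookstore/BookDetail.do?category=5&itemId=18
"""
# Which parameter of a page is carried into the next page's context (assumed).
IMPORTANT = {"Books.do": ("category",), "BookDetail.do": ("itemId",)}
START, END = "<s>", "</s>"


def parse_log(text):
    """Group requests by client IP into sessions of (page, {param: value})."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ip, _method, url = line.split()
        u = urlsplit(url)
        sessions[ip].append((u.path.rsplit("/", 1)[-1], dict(parse_qsl(u.query))))
    return list(sessions.values())


def control_model(sessions):
    """Bigram over pages: {lastPage: Counter(currentPage)}."""
    m = defaultdict(Counter)
    for s in sessions:
        pages = [START] + [p for p, _ in s] + [END]
        for a, b in zip(pages, pages[1:]):
            m[a][b] += 1
    return m


def simple_key(prev, cur):      # P(values | currentPage)
    return (cur[0],)


def advanced_key(prev, cur):    # P(values | lastPage + importantParams, currentPage)
    if prev is None:
        return (None, cur[0])
    last_page, last_vals = prev
    carried = tuple((k, last_vals.get(k)) for k in IMPORTANT.get(last_page, ()))
    return ((last_page,) + carried, cur[0])


def data_model(sessions, keyfn):
    """{context key: Counter(frozenset of (name, value) pairs)}."""
    m = defaultdict(Counter)
    for s in sessions:
        prev = None
        for cur in s:
            m[keyfn(prev, cur)][frozenset(cur[1].items())] += 1
            prev = cur
    return m


def draw(counter, rng):
    return rng.choices(list(counter), weights=list(counter.values()))[0]


def sample_session(cm, dm, keyfn, dm_simple, rng):
    """Walk the control model; at each page draw parameters from dm, backing off
    to the simple model when that context was never observed in the log."""
    out, prev, page = [], None, draw(cm[START], rng)
    while page != END:
        cur = (page, {})
        counter = dm.get(keyfn(prev, cur)) or dm_simple[simple_key(prev, cur)]
        cur = (page, dict(draw(counter, rng)))
        out.append(cur)
        prev, page = cur, draw(cm[page], rng)
    return out


def most_likely_sessions(cm, k, max_len=6):
    """Enumerate page sequences (up to max_len pages) under the control model
    and return the k highest-probability ones as (probability, pages)."""
    found = []

    def dfs(page, path, p):
        if page == END:
            found.append((p, path))
            return
        if len(path) >= max_len:
            return
        total = sum(cm[page].values())
        for nxt, c in cm[page].items():
            dfs(nxt, path + ([nxt] if nxt != END else []), p * c / total)

    dfs(START, [], 1.0)
    return sorted(found, key=lambda t: -t[0])[:k]


def generate(n, advanced=True, seed=7):
    """Sample n sessions from the models learned from LOG (seeded for repeatability)."""
    sessions = parse_log(LOG)
    cm, simple = control_model(sessions), data_model(sessions, simple_key)
    dm, keyfn = (data_model(sessions, advanced_key), advanced_key) if advanced else (simple, simple_key)
    rng = random.Random(seed)
    return [sample_session(cm, dm, keyfn, simple, rng) for _ in range(n)]


def order_consistency(sessions):
    """(orders, orders whose itemId matches the BookDetail viewed just before)."""
    orders = ok = 0
    for s in sessions:
        for (pp, pv), (cp, cv) in zip(s, s[1:]):
            if pp == "BookDetail.do" and cp == "AddOrder.do":
                orders += 1
                ok += pv.get("itemId") == cv.get("itemId")
    return orders, ok


if __name__ == "__main__":
    cm = control_model(parse_log(LOG))
    print("most likely:", most_likely_sessions(cm, 2))
    for advanced in (True, False):
        print("advanced" if advanced else "simple", order_consistency(generate(200, advanced)))
```

Under the advanced model every generated AddOrder carries the itemId of the BookDetail page just before it; under the simple model roughly two thirds of the generated orders are for an item the session never viewed, which is slide 16's quantity=99&itemId=36 case reproduced at scale. The "k least likely" query is the same enumeration sorted the other way, subject to the same caveat as any maximum-likelihood model: sequences never seen get probability zero rather than merely "low".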
Slide 19
Can our models be used to generate valid user sessions?
Slide 20
Network Protocol Modeling Challenges
–Using live network data instead of logs
  –Access to reconstructed traffic in both directions
  –Can build models using data from multiple machines (instead of a web log from a single server)
–What are we generating?
  –Sequences of packets
  –Sequences of high-level events that can be turned into packets
–What is a user session?
  –A single connection
  –A cluster of connections sharing a subset of the 5-tuple (srcIP, dstIP, srcPort, dstPort, protocol)
–What are the control and data models?
–Can we generate valid new sequences?
Slide 21
Building a Sequential Model to Discover the NIDS Evasion Attack (from Handley et al. 01)
–Control model: sequence numbers
–Data model: TTLs and payload
How hard is it to discover that this pattern is "uncommon"?
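For the evasion attack of slides 4 and 21, the following added example (not code from the presentation or from Handley et al.) does two things: it applies two reassembly policies to the same constructed overlapping segments to show the end-system ambiguity, and it labels each arriving segment with a sequence-number event, trains a bigram model on constructed normal connections, and scores the evasion pattern against it. The policy and event names are this example's own, and folding the TTL and payload comparison into the event label is a simplification of the slide's separate data model.

```python
"""Added example, not code from the presentation or from Handley et al.: two
reassembly policies applied to the same constructed overlapping TCP segments
(the end-system ambiguity the slide refers to), and a bigram model over
per-segment sequence-number events, trained on constructed normal connections,
that scores the evasion pattern. Policy and event names are this example's own;
TTL and payload differences are folded into the event labels as a simplification
of the slide's separate data model."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    seq: int      # stream offset of the first payload byte
    ttl: int
    data: bytes


def reassemble(segs, policy="first", hops=0):
    """Rebuild the byte stream from offset 0 as seen by an observer `hops` routers
    from the sender (a segment with ttl <= hops expires before arriving).
    'first': an offset keeps the data that arrived first; 'last': later data wins.
    Real TCP stacks differ in exactly this way for overlapping segments."""
    buf = {}
    for s in segs:
        if s.ttl <= hops:
            continue
        for i, b in enumerate(s.data):
            if policy == "last" or s.seq + i not in buf:
                buf[s.seq + i] = b
    out = bytearray()
    while len(out) in buf:
        out.append(buf[len(out)])
    return bytes(out)


def events(segs):
    """Control-model alphabet: label each arriving segment by how its byte range
    relates to what was already stored (first-arrival policy), plus '/ttl' when
    its TTL differs from the connection's first segment."""
    buf, labels, base_ttl = {}, [], segs[0].ttl
    for s in segs:
        expected = 0                      # next in-order offset
        while expected in buf:
            expected += 1
        offs = range(s.seq, s.seq + len(s.data))
        stored = [o for o in offs if o in buf]
        if not stored:
            kind = "new" if s.seq == expected else "ahead"
        else:
            same = all(buf[o] == s.data[o - s.seq] for o in stored)
            kind = ("retrans" if len(stored) == len(offs) else "overlap") + ("_same" if same else "_diff")
        labels.append(kind + ("/ttl" if s.ttl != base_ttl else ""))
        for o in offs:
            buf.setdefault(o, s.data[o - s.seq])
    return labels


START, END = "<s>", "</s>"


def train(event_sequences):
    """Bigram over event labels: {previous event: Counter(next event)}."""
    m = defaultdict(Counter)
    for ev in event_sequences:
        ev = [START] + ev + [END]
        for a, b in zip(ev, ev[1:]):
            m[a][b] += 1
    return m


def uncommon(model, ev, threshold=0.05):
    """Transitions of ev whose probability under the model is below threshold
    (0.0 for transitions, or contexts, never seen in training)."""
    ev = [START] + ev + [END]
    flagged = []
    for a, b in zip(ev, ev[1:]):
        total = sum(model[a].values())
        p = model[a][b] / total if total else 0.0
        if p < threshold:
            flagged.append((a, b, p))
    return flagged


# Constructed connections. Normal: in-order, one reordered, two benign retransmissions.
NORMAL = [
    [Seg(0, 64, b"GET /"), Seg(5, 64, b"index"), Seg(10, 64, b".html")],
    [Seg(0, 64, b"GET /"), Seg(10, 64, b".html"), Seg(5, 64, b"index")],
    [Seg(0, 64, b"GET /"), Seg(5, 64, b"index"), Seg(5, 64, b"index"), Seg(10, 64, b".html")],
    [Seg(0, 64, b"GET /"), Seg(0, 64, b"GET /"), Seg(5, 64, b"index"), Seg(10, 64, b".html")],
]
# Evasion as on slide 4: a later segment arrives first (forcing the NIDS to buffer),
# then the same range is sent twice with different payloads and identical TTLs.
EVASION = [Seg(10, 64, b".html"), Seg(0, 64, b"GET /"), Seg(5, 64, b"index"), Seg(5, 64, b"admin")]
# Variant with a short TTL: the first copy reaches a nearby NIDS but not the end host.
EVASION_TTL = [Seg(0, 64, b"GET /"), Seg(5, 2, b"admin"), Seg(5, 64, b"index"), Seg(10, 64, b".html")]

if __name__ == "__main__":
    print(reassemble(EVASION, "first"), reassemble(EVASION, "last"))
    print(reassemble(EVASION_TTL, "first", hops=1), reassemble(EVASION_TTL, "first", hops=5))
    model = train([events(c) for c in NORMAL])
    print(events(EVASION), uncommon(model, events(EVASION)))
```

The same four segments reassemble to "GET /index.html" under the first-arrival policy and "GET /admin.html" under the last-arrival policy, so a NIDS that picks either one is wrong for some end host; with the short-TTL variant, the observer's position alone decides which stream it sees. On the modeling side, the evasion's "retransmission with different payload" event never occurs in the normal connections, so its transitions get probability zero and are flagged, while the reordered-but-benign connection passes; how many normal connections are needed before every legitimate event pair has been seen is exactly the "what is uncommon" question the slide poses.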
Slide 22
Discussion
–Are Markov models sufficient for this task? Too propositional? Are the data models too sparse? Are the state spaces too large?
–How hard is anomaly detection in this framework? What is a good definition of "uncommon" traffic that does not produce many false positives or false negatives? What about emerging new usage patterns? How to avoid "training attacks" (an attacker shaping the traffic the model learns from)?
–How much protocol knowledge to use in building models? Can signature-matching events be used in the data model?
–Besides generating sequences, what other analyses can we perform? Entropy of models to determine the level of history-dependence in traffic?
Slide 23
Related Work
–Host-based and network-based intrusion detection systems (HIDS/NIDS)
  –Signature-based and anomaly detection – built by manual analysis
  –Packet-based or with context – detect known vulnerabilities and behaviors
–Formal verification of protocols – requires extensive protocol knowledge; does not account for implementation variations
–Scrubbers and normalizers remove TCP/IP ambiguities – do not account for application-layer ambiguities, and must make tradeoffs: removing an ambiguity can change semantics or cost performance
–Fuzzing/fault injection – random generation of inputs for vulnerability detection – generates invalid sequences