Presentation is loading. Please wait.

Presentation is loading. Please wait.

DARPA Challenges for Anomaly Detection of Program Exploits Anup K. Ghosh, Ph.D. DARPA/ATO JHU Workshop on Intrusion Detection Johns Hopkins University.

Published bySophie Curtis Modified over 9 years ago

Similar presentations

Presentation on theme: "DARPA Challenges for Anomaly Detection of Program Exploits Anup K. Ghosh, Ph.D. DARPA/ATO JHU Workshop on Intrusion Detection Johns Hopkins University."— Presentation transcript:

1 DARPA Challenges for Anomaly Detection of Program Exploits Anup K. Ghosh, Ph.D. DARPA/ATO JHU Workshop on Intrusion Detection Johns Hopkins University June 13, 2002

2 DARPA Overview Detecting Code-Driven Threats Prior work in program anomaly detection Applying anomaly detection to Windows processes Challenges to anomaly detection

3 DARPA Code-Driven Threats

4 DARPA Background 20 years of intrusion detection research has yielded tools sometimes capable of detecting malicious hackers A viable anti-virus commercial industry has emerged in the same period in the wake of PC viruses

5 DARPA However… While both approaches are very good at detecting known attacks/viruses… They do not perform well in –detecting novel attacks/malicious code –scaling to Internet-wide attacks –responding in computer time

6 DARPA A New Threat… Code-driven attacks Malicious hackers spend their time breaking into systems one at a time Code-driven attacks are written once, unleashed everywhere

7 DARPA How Big is this Problem? Code Red costed an estimated $2.6 billion Worms will continue to exploit vulnerabilities in online software Newly reported vulnerabilities to CERT CC from 1995 to 2001. Copyright IEEE, Security and Privacy - 2002, supplement to IEEE Computer.

8 DARPA Why Don’t Existing Defenses Work? Code-driven attacks: –Go through firewalls unimpeded –Go unnoticed by intrusion detection systems –Propagate too fast for anti-virus vendors to disseminate signatures in time –Have complete access to our network and file systems –Execute with our own privileges –Can send sensitive information out over networks –Can spy on our computer and Web usage patterns

9 DARPA The Future is Ominous --- Nimda was a harbinger Future worms will be: –Architecture independent –Stealthy to its victims using process hiding –Autonomous, so it can independently migrate –Intelligent, so it can learn new exploits on the fly –Polymorphic, to avoid signature detection –Programmable, to learn vulnerabilities and be remotely controllable

10 DARPA This Problem Requires New Thinking Consider: –Intrusion detection techniques are designed to handle Internet and network-based attacks –Anti-virus software is designed to address malicious code attacks But, neither handle code-driven attacks effectively We need to either learn from the strengths of these approaches, or to develop a new approach entirely

11 DARPA Prior Work in Program-Based Anomaly Detection

12 DARPA Intrusion Detection Approaches Misuse Detection scan packets, logs, commands for known malicious patterns. (pattern matching) Upside: known attacks can be detected. Downside: unknown, novel threats not detected. Reactionary. Anomaly Detection Detect intrusions by statistical aberrations from normal usage. Upside: novel or unknown intrusions can be detected. Downside: well-known intrusions may go undetected

13 DARPA Network-Based vs. Host-Based Intrusion Detection Network-based Scans network packet logs for signatures of intrusive activities. Increasing bandwidth is a challenge. End-to-end encryption could obsolete this approach. Host-based Scans machine audit logs for signatures of intrusive activities. Traditionally monitors users’ behavior. Many sensors/hosts require enterprise management.

14 DARPA Process-Based Anomaly Detection Premise of process-based approach: “Abnormally behaving programs are a primary indicator of computer misuse.” Approach: –build program behavior profiles for monitored programs and use these to detect intrusions.

15 DARPA Goals of Process-Based Anomaly Detection Learn Benign Program Behavior Generalize from Observed Behavior Flag Deviations from Learned Behavior

16 DARPA Cigital’s Three Systems for Anomaly Detection Recurrent Neural Network String Transducer State Tester

17 DARPA Summary of Cigital System Performance Scope: Detects program misuse --- mainly U2R attacks. Recurrent Neural Network 100% of U2R attacks at a rate of 3 FA/day. String Transducer 100% of U2R attacks at a rate of 3 FA/day. State Tester 100% of U2R attacks at a rate of 9 FA/day.

18 DARPA Comparison, Strengths, Weaknesses Systems perform comparably --- short training time for string transducer and state tester make them more desirable. Detects program misuse attacks very reliably with few false alarms. Will not detect either programs that are not monitored or attacks that are legitimate uses of programs.

19 DARPA Performance as a Function of Training Data The horizontal axis represents the percentage of available data used for training. The vertical axis is the percentage of sessions creating false alarms when all possible attacks are detected Table lookup String transducer State tester

20 DARPA Applying Anomaly Detection to Windows Processes

21 DARPA Approach for Windows NT Collects system events and identifies anomalous patterns Ported to use Windows NT/2000 base- object audit data Cigital algorithms show high performance with low false positive rates.

22 DARPA Using strace for NT Data needs to be collected as it is created and streamed to the ID system – NT auditing does not meet these requirements Advantages of using strace for NT Provides additional information such as Thread IDs Can be altered to stream data directly to our system Selectively captures system calls that we need Can be turned On/Off on-the-fly

23 DARPA Collecting Data in Real-Time Streams of events arrive from multiple processes and multiple threads and need to be sorted accordingly. 654321 42 63 51 EventsProcess Splitter

24 DARPA Performing Anomaly Detection Data from each application must be matched with the appropriate model and the state must be updated by the ID algorithm. 42 Algorithm State Model New State State Model

25 DARPA Performance Against Code Red 11-fold x-validation Includes 2 Code Red attack traces

26 DARPA Anomaly Detection Challenges

27 DARPA Training Statistical and machine learning techniques that require baseline behavior profiles require extensive training. –Time consuming –Determines quality of results –Training in one environment may not map well to another environment –Over training is a problem for some classes of machine learning

28 DARPA False Positives Operators have low thresholds for false positives An acceptable rate might be < 1 per day

29 DARPA Identification Anomaly detection approaches tell you when something is wrong, not what is wrong, what specific attack is executing, nor where it is coming from.

30 DARPA Real-Time Response Once an intrusion is detected, systems need to identify, alert, isolate, and respond according to local security policies.

31 DARPA Summary Much work has been performed in process- based anomaly detection Many challenges remain… Foremost among them, can we leverage process-based anomaly detection to detect future code-driven threats?

32 DARPA Questions? Anup Ghosh aghosh@darpa.mil For more info, see: C. Michael & A. Ghosh, “Simple state- based approaches to program-based anomaly detection”, to appear in ACM Transactions on Information and System Security (TISSEC), 2002.

Download ppt "DARPA Challenges for Anomaly Detection of Program Exploits Anup K. Ghosh, Ph.D. DARPA/ATO JHU Workshop on Intrusion Detection Johns Hopkins University."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IDS/IPS Definition and Classification

IDS/IPS Definition and Classification
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.

A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.
seminar on Intrusion detection system

seminar on Intrusion detection system
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering

Similar presentations

Ads by Google