Download presentation
Presentation is loading. Please wait.
Published byHollie Waters Modified over 9 years ago
1
Toward Self-directed Intrusion Detection Paul Barford Assistant Professor Computer Science University of Wisconsin June, 2005
2
wail.cs.wisc.edu2 Motivation - the good Network security analysts have many tasks –Abuse monitoring –Audit and forensic analysis –Firewall/ACL configuration –Vulnerability testing –Policy –Liaison Network management End host management
3
wail.cs.wisc.edu3 Motivation - the bad Adversaries are smart Vulnerabilities and threats are significant –Worms Slammer, Blaster, Sasser, Witty, MyDoom, etc. Persistent and growing background radiation (Pang et al. ‘04) –Scans Billions per day Internet-wide and growing (Yegneswaran et al. ‘03) –Viruses No longer clearly defined (eg. Agobot) –DDos Bot-nets consisting of hundreds of thousands of drones
4
wail.cs.wisc.edu4 Motivation - the ugly (sort of) Network intrusion detection systems (NIDS) –Static signatures - hard to tune and maintain –Lots of alarms –Scalability problems Firewalls and intrusion prevention systems –Limited capability Bulletin boards and commercial services –May not be timely enough Traffic monitors (eg. FlowScan, AutoFocus) –A step in the right direction
5
wail.cs.wisc.edu5 Objective Network situational awareness based on self- directed network intrusion detection –“The degree of consistency between one’s perception of their situation and reality” –“An accurate set of information about one’s environment scaled to a specific level of interest” –Expand notions of traditional abuse monitoring and forensic analysis Adapts to malicious traffic –Front-end for firewalls/IPS
6
wail.cs.wisc.edu6 Mechanisms Data sharing between networks –Eg. DOMINO (Yegneswaran et al., NDSS ‘04) Monitoring unused address space –Eg. iSink (Yegneswaran et al., RAID ‘04) –Eg. BroSA (Yegneswaran et al. ‘05) Automatic generation of resilient signatures –Eg. Nemean (Yegneswaran et al., USENIX Security ‘05)
7
wail.cs.wisc.edu7 DOMINO architecture Hierarchical overlay network –Descending order of security and trust Data sharing –XML-based schema –Summary exchange protocol extends IDMEF –Push or pulling periodically Data/alert fusion and filtering –Subject of on-going research (eg, Barford et al. Allerton, ‘04)
8
wail.cs.wisc.edu8 Unused address monitoring Packets are (nearly) all malicious –There have been some very weird misconfigurations Enables active responses –Key for understanding details Widely available –We monitor four class B’s and one class A –Useful in large and small Easier to share this data
9
wail.cs.wisc.edu9 iSink architecture Passive component: Argus –libpcap-based monitoring tool Active component: based on Click modular router –Library of stateless responders to collect details of intrusions NAT filter: to manage (redundant) traffic –Source/destination filtering
10
wail.cs.wisc.edu10 Activities on ports (port 135) Distribution of exploits varies with network –170 byte requests on Class A –Blaster, RPC-X1 all 3 networks –Welchia LBL –Empty connections UW Networks
11
wail.cs.wisc.edu11 Real-time honeynet reports Bro plug-in for situational summary generation –Periodic reports New events High variance events Low variance events Top profiles –Adaptive NetSA in depth –Identify large events quickly –On-going
12
wail.cs.wisc.edu12 Semantics-aware signatures Objective: automated generation of resilient NIDS signatures –Signatures must be both specific and general Challenge: generate signatures for attack vectors that have never been seen –Multi-step and polymorphic attacks Approach: create a transformation algorithm to synthesize semantics-aware signatures from iSink data –Session and application protocol semantic awareness (Sommer & Paxson, ‘03)
13
wail.cs.wisc.edu13 Nemean architecture Data abstraction –Transport normalizer –Aggregation –Service normalizer Clustering –Group sessions/connections using similarity metric Signature generation –Machine learning to build finite state automata
14
wail.cs.wisc.edu14 Signature example (Welchia) Multistage attack (3 steps) –GET / 200 OK –SEARCH / 411 Length Required –SEARCH /AAAA… Start Get / 200 Search / 411 Search / 411 Get / 200 Search /AAAAA[more] 400 Search /AAAAA[more] 400 Search /AAAAA[more] 400
15
wail.cs.wisc.edu15 Summary Malicious activity in the Internet is a huge problem and is likely to persist for a long time Current network security analysis tools are largely inadequate We advocate network situational awareness through self-directed intrusion detection –Distributed data sharing –Unused address space monitoring –Automated semantics-aware signature generation
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.