Скачать презентацию Intrusion Detection New Directions Teresa Lunt Xerox Palo Скачать презентацию Intrusion Detection New Directions Teresa Lunt Xerox Palo

8b92c8174850c2795e9297100ff85aa1.ppt

  • Количество слайдов: 26

Intrusion Detection: New Directions Teresa Lunt Xerox Palo Alto Research Center tlunt@parc. xerox. com Intrusion Detection: New Directions Teresa Lunt Xerox Palo Alto Research Center [email protected] xerox. com

Detect, isolate, reconfigure, repair Detection & Response 3. Essential systems increase their degree of Detect, isolate, reconfigure, repair Detection & Response 3. Essential systems increase their degree of protection & robustness 2. Intrusion detector alerts on possible attack IDS Emergency Mode Activator Sensor Decoy/ Sensor Cleanup Sensor 1. Sensors perform security monitoring 5. Human-assisted incident response restores service and secure state Fishbowl 4. Fishbowl created Critical System to divert the attacker and observe the attack

Data Collection • What level of data to collect • Tradeoffs in: – – Data Collection • What level of data to collect • Tradeoffs in: – – – – OS system calls OS command line network data (e. g. , from router and firewall logs or MIBs) within applications keystrokes all characters transmitted types of intrusions that can be detected complexity and volume of data ability to formulate rules that characterize intrusions ease of playback ease of damage assessment or evidence gathering data reliability degree of privacy invasion

Typical OS Audit Record Fields • subject • action • object – identifies user, Typical OS Audit Record Fields • subject • action • object – identifies user, session, and location – the action attempted – what the subject acted upon; subfields depend on type of action • • errorcode resource-info – CPU, memory, I/O • timestamp

State of the Art • Host-based vs. network-based – Do not detect attacks that State of the Art • Host-based vs. network-based – Do not detect attacks that disrupt or manipulate the infrastructure • Knowledge-based – Look for patterns associated with known intrusions – Detect only what you know to look for – Most systems look for only a dozen or so intrusion types – Serious foes will use “surprise” attacks we haven’t seen before • High number of false alarms – Much flagged activity is of little concern (e. g. , password guessing) – Extremely large numbers of alarms, which must be investigated manually – Lack of discrimination between suspicious and normal behaviors

State of the Art cont’d • Line monitors (eavesdrop on a communications line) – State of the Art cont’d • Line monitors (eavesdrop on a communications line) – View is restricted to what passes over a given line – Too much data must be examined and logged – Considerably weakened if encryption is used • Can monitor small numbers of machines/entities – Audit logs do not scale well – Monitoring individual users and machines – No ability for cooperating detectors, which could filter events of lesser or only local concern • Lack of robustness – Cannot deal with missing, incomplete, untimely, or otherwise faulty data • Unix-specific

Research Challenges • • • • Detect a wide variety of intrusion types Very Research Challenges • • • • Detect a wide variety of intrusion types Very high certainty Real-time detection Develop a network-wide view rather than local views Analysis must work reliably with incomplete data Detect unanticipated attack methods Scale to very large heterogeneous systems What data to collect for maximal effectiveness; network instrumentation Automated response Discover or narrow down the source of an attack Integrate with network management and fault diagnosis Infer intent; forming the big picture Cooperative problem solving

Methods under Investigation • Methods to detect highly unusual events or combinations of events Methods under Investigation • Methods to detect highly unusual events or combinations of events – Statistical methods – Neural networks – Machine learning • Methods to detect activity outside prescribed bounds • • Traceback methods – Thumbprinting Acceptable Illegal Structural – Graphical intrusion detection – State transition models (model-based detection) Discrepancy Statistical New knowledge-based analysis techniques Model/Pattern Profile – Specification-based detection Match

Cooperating Detectors IDS IDS IDS Sensors Also needed: Efficient and effective methods for peer-to-peer Cooperating Detectors IDS IDS IDS Sensors Also needed: Efficient and effective methods for peer-to-peer cooperative problem solving to be applied to the detection problem –To filter events of only local concern –To assess a larger “region”

Advanced Techniques • Statistical anomaly detection (SRI, CMU) – establish a historical behavior profile Advanced Techniques • Statistical anomaly detection (SRI, CMU) – establish a historical behavior profile for each desired entity (e. g. , user, group, device, process) – compare current behavior with the profiles – detects departures from established norms – continuously update profiles to “learn” changes in subject behavior – addresses unanticipated intrusion types • Early statistical studies: – SRI study (Javitz et al): • Showed users could be distinguished from each other based on patterns of use – Sytek study (Lunt et al): • Showed behavior characteristics can be found that discriminate between normal user behavior and simulated intrusions

Advanced Techniques cont’d • Machine learning (LANL) – – – – Builds a massive Advanced Techniques cont’d • Machine learning (LANL) – – – – Builds a massive tree of statistical “rules” (typically 100, 000’s of them) Branches are labeled with conditional probabilities Prunes the tree to a maximum depth of four to six Low-occurrence branches are combined Tree is “trained” from a few days of data Tree cannot be updated to “learn” as usage patterns change Activity is considered abnormal if it does not “match” a branch in the tree or if it matches a branch with low conditional probability last node • Meta-Learning (Columbia University) – Meta-learning integrates a number of separately learned classifiers – Multi-layered approach: • machine learning and decision procedures detect intrusions locally • meta-learning and decision procedures to integrate the collective knowledge acquired by the local agents

Advanced Techniques cont’d • Computational immunology – based on biological analogies (e. g. , Advanced Techniques cont’d • Computational immunology – based on biological analogies (e. g. , self vs. non-self discrimination) – build up a database of observed short sequences of system calls for a program and detect when the observed program behavior exhibits short sequences not in that database (U. of NM) – allows the detection of tampered or malicious programs or other suspicious events – this potentially lightweight method is being implemented in small, autonomous agents in a CORBA environment (ORA)

Advanced Techniques cont’d • Model-based detection – Detects suspicious state transitions (UC Santa Barbara) Advanced Techniques cont’d • Model-based detection – Detects suspicious state transitions (UC Santa Barbara) • specifies penetration scenarios as a sequence of actions • keeps track of interesting “state changes” • attempts to identify attacks in progress before damage is done – Adapt model-based diagnosis, which has been successful in diagnosing faults in microprocessors, to intrusion detection (MIT) • Graphical detection (UC Davis) – detects intrusions whose activity spans many machines that could be difficult to detect locally – specifies intrusion scenarios as graphs of actions covering many machines – the graphs provide an intuitive visual display

Advanced Techniques cont’d • Specification-based detection (UC Davis) – detects departures from security specifications Advanced Techniques cont’d • Specification-based detection (UC Davis) – detects departures from security specifications of privileged programs – allows detection of unanticipated attacks • Thumbprint technique (UC Davis) – allows limited traceback – thumbprint is a statistical digest of an interval of a communications channel – matching thumbprints can be used to reconstruct the path of an intruder

Advanced Techniques cont’d • Signalling Infrastructure Detection (GTE) – detect anomalous events in a Advanced Techniques cont’d • Signalling Infrastructure Detection (GTE) – detect anomalous events in a network and signalling infrastructure typical of telephone service providers – designed for integration into network operations centers – uses existing systems/tools for data collection – uses anomaly detection and specific signalling protocol “sanity checks” • Detection in high-speed networks (MCNC) – Integrates anomaly detection techniques with network management for ATM networking (IP over ATM) – Logical analysis of routing protocol operation to detect anomalous states

Advanced Techniques cont’d • Automated response (Boeing) – Integrates firewall, intrusion detection, filtering router, Advanced Techniques cont’d • Automated response (Boeing) – Integrates firewall, intrusion detection, filtering router, and network management technologies – Local intrusion detectors determines threat presence – Firewalls communicate intrusion detection information to each other – Firewalls cooperate to locate the intruder – Network managers automatically reconfigure the network to thwart the attack – Firewalls and filtering routers dynamically alter filtering rules to block the intruder – Dynamic reconfiguration of logging, monitoring, and access control in response to detected suspicious activity – "Fusion" of intrusion-detection data reported by different detectors – The monitoring is also adapted as part of the response, to help pinpoint the problem and its source

Advanced Techniques cont’d • Survivable Active Networks (Bellcore) – Will allow highly configurable network Advanced Techniques cont’d • Survivable Active Networks (Bellcore) – Will allow highly configurable network elements to cooperate with networked hosts to detect, isolate, and recover quickly and automatically from damage due to errors or malicious attacks – "Ablative software" will allow suspect activity to be "peeled off" the system while continuing to operate in a microenvironment • Planning and procedural reasoning (SRI) – Suggest and implement incident recovery procedures – Uses AI-based automated planning technology for both analysis and recovery and repair – Generates explanations to help the sys admin understand what happened and what to do about it – Integrate intrusion response tools, to combine the functionality of many tools that specialize in particular areas of incident management, into a security anchor desk (USC-ISI)

Open Questions • Detection performance in realistic settings with single methods and combinations of Open Questions • Detection performance in realistic settings with single methods and combinations of methods • Detection performance with faulty and missing data • False positive and false negative rates • Time to detection • Scalability • Dependence on good intruder models • Distinction from common failure modes • What data to collect/observe

Common Intrusion Detection Framework · E 1 E 2 E 3 A 1 C Common Intrusion Detection Framework · E 1 E 2 E 3 A 1 C A 2 D Reference Architecture E A D C Standard Interfaces – an interconnection framework for data collection, analysis, and response components – extensible architecture – reuse of core technology – facilitate tech transfer – reduce cost Standard API Event Generator Event Analyzer Event Database System-specific Controller

Strategic Intrusion Assessment • In a two-week period, AFIWC’s intrusion detectors at 100 AFBs Strategic Intrusion Assessment • In a two-week period, AFIWC’s intrusion detectors at 100 AFBs alarmed on 2 million sessions • After manual review, these were reduced to 12, 000 suspicious events • After further manual review, these were reduced to four actual incidents National Reporting Centers Regional Reporting Centers (CERTs) Do. D Reporting Centers International/Allied Reporting Centers Organizational Security Centers Local Intrusion Detectors • Most alarms are false positives • Most true positives are trivial incidents • Of the significant incidents, most are isolated attacks to be dealt with locally Correlation Patterns Classification Infer intent Assess damage Predict future status Assess certainty

Strategic Intrusion Assessment Suppress false alarms Correlate & infer intent Plan recognition • Peer-to-peer Strategic Intrusion Assessment Suppress false alarms Correlate & infer intent Plan recognition • Peer-to-peer cooperation among detectors to decide what to report to higher levels. Detectors must be able to: • discover each other • negotiate requirements • collaborate on diagnosis/response • Improve individual detectors • Distinguish what is trivial from significant • Distinguish what is locally relevant – Hypothesize goals for IW adversaries – Develop plans for accomplishing each goal – automated planning technology – Overlay with observed incident data to discover intent – plan recognition technology – Estimate certainty

Security Detection and Response Center Functions: • Detection: Analyzes and filters events reported from Security Detection and Response Center Functions: • Detection: Analyzes and filters events reported from lower layers • for items of interest to this layer, and • for reporting to higher layers • Assessment: to understand coordinated events • of interest at this layer, and • for reporting to higher layers Assessment Tracing Detection Response • Tracing (e. g. , IDIP, active nets) • Automated response (e. g. , IDIP for connection closing/filtering) • Event notification Significant investment Early speculative investigations No research Notification reported events from lower layers to peers

DARPA/AFRL Evaluations • Evaluations intended to drive improvements • Two rounds: one in 1998 DARPA/AFRL Evaluations • Evaluations intended to drive improvements • Two rounds: one in 1998 (completed) and one in 1999 – results reported at Dec 1998 DARPA PI meeting – Data sources for 1998 were TCP dump and Unix audit logs – 1999 evaluation will include NT and other data sources • Live evaluation on a network at MIT/LL using simulated data similar to AFB data – Generated large amounts of realistic background traffic similar to observed/collected AFB traffic – Created the largest known collection of automated attacks with signatures (audit and sniffing) – Considered both known and new (never seen before) attacks – Capable of measuring both detection and false alarm rates • Projects also performed self-evaluations using extensive training and testing data sets

Live Testbed Configuration for 1999 Evaluation “INSIDE” “OUTSIDE” (172. 16 - eyrie. af. mil) Live Testbed Configuration for 1999 Evaluation “INSIDE” “OUTSIDE” (172. 16 - eyrie. af. mil) PC Work Station PC OUTSIDE WS GATEWAY INSIDE GATEWAY Work Station PC (Many IP Addresses) Work Station OUTSIDE WEB GATEWAY Work Station Web Server CISCO ROUTER Ultra 486 Solaris Sparc Linux Sun. OS 486 NT Solaris Audit Host Solaris Sniffer 486 NT Web Server DISK DUMPS AUDIT DATA SNIFFED DATA

Best combination of research prototypes Keyword baseline similar to COTS and GOTS products • Best combination of research prototypes Keyword baseline similar to COTS and GOTS products • Over two orders of magnitude reduction in false alarms with improved detection accuracy

Conclusions • Currently available technology is not adequate for the problem • Promising methods Conclusions • Currently available technology is not adequate for the problem • Promising methods under investigation show significant improvement over current technology • There is still a lot more to be done