a stateful intrusion detection system for world-wide web servers
DESCRIPTION
A Stateful Intrusion Detection System for World-wide Web Servers. Vigna G, Robertson W, Kher V, Kemmerer R, Department of Computer Science, UC Santa Barbara. 19th Annual Computer Security Applications Conference, December 08 - 12, 2003, Las Vegas, Nevada.
TRANSCRIPT
A Stateful Intrusion Detection System for World-wide Web Servers
Vigna G, Robertson W, Kher V, Kemmerer R
Department of Computer Science, UC Santa Barbara
19th Annual Computer Security Applications Conference
December 08 - 12, 2003, Las Vegas, Nevada
Stateful IDS for Web Servers – Vigna G et al., 2003
Introduction
Motivation
- Large number of web servers
- Continuous disclosure of vulnerabilities in web servers, which makes them popular targets
- 2001-2002: 23% of computer vulnerabilities are web related
Introduction
Intrusion Detection Systems (IDS)
- Analyse input streams for manifestations of attack
- Stateless: examines each event in the input stream independently
- Stateful: considers relationships between events and detects attacks based on event histories
Introduction
IDS
- Network-based: monitors network traffic and events
  - Does not consider application-level logic
  - Cannot detect attacks that depend on the configuration of the server application
- Application-based: processes the different stages of a client request
  - IDS tightly coupled to the web server and visible
  - Performance of the web server is impacted
Introduction
IDS
- Anomaly detection: models of normal behavior
  - Compares log data with the normal models to detect abnormal patterns/activity
  - Detects previously unknown attacks
  - Large number of false positives
Introduction
IDS (Intrusion Detection System)
- Misuse detection: models of attack descriptions
  - Compares audit data with the modeled attacks for evidence of attack
  - Detects only attacks that are modeled
  - Focused analysis for attack detection
  - Fewer false positives, so more popular
Introduction
Current IDS - limitations
- Simple pattern matching of HTTP requests
- Buffer overflows not detected
- Attacks involving multiple steps cannot be modeled
- Only detect trends in large sets of web-related events
- Focus on a single event stream (network log or server application log)
- Do not maintain histories of web requests
WebSTAT (IDS)
- Based on the STAT framework (State Transition Analysis Technique)
- Complex multi-step attacks can be modeled using the STATL language
- Performs integrated analysis of multiple event streams: network and OS events/logs
- Modular, multithreaded
- Application-independent runtime with components that deal with specific application domains
- More effective detection with fewer false positives
STAT framework
- Models attacks as transitions between security states of a system
- Supported by the STATL modeling language
STATL
- Describes events and attack scenarios with relevant variables, e.g. the source of an HTTP request
- Events are defined by subclassing specific C++ classes of the STAT framework
- Classes are encapsulated in language extension modules and compiled into DLLs
- Events are then used in scenario descriptions, which again are compiled into DLLs
STATL
[Diagram: an attack scenario as a state-transition graph. State A moves to State B through a transition labeled with an action/event, e.g. opening a TCP connection or execution of a CGI script. A transition carries an assertion, e.g. specifying the port or the parameters. Each state corresponds to a system snapshot.]
Transitions
[Diagram: three kinds of State A to State B transition]
- Non-consuming: both states remain active
- Consuming: only the destination state is valid
- Unwinding: rollback to the previous state
STATL
- STATcore is the runtime for STATL
- The core implements the concepts of state, transition, instance, etc.
- Obtains events from logs/audits and matches them against actions, transitions and attack scenarios
[Diagram: events/logs flow into an event provider, which converts them to STAT events for STATcore; a STATL extension is translated and incorporated into the core; STATcore performs attack scenario analysis.]
WebSTAT
- Language extension module that defines web-specific events
- Event provider that parses web server logs and generates corresponding events
- Modules for network and OS events
- A number of STATL scenarios to detect attacks against web servers
- Response modules to generate alerts
WebSTAT
Web-specific event defined by subclassing the framework's event class (remaining members elided on the slide):

    class Request : public STAT_Event
    {
    public:
        string request;         // the request line as received
        string userAgent;       // User-Agent header of the client
        string encodedRequest;  // request before URL decoding
        …
    };
WebSTAT
Counting scenario pattern:
- Integer parameters: threshold, alert_freq, inactivity_timeout
WebSTAT
- Web Crawler Scenario: a file specifies which User-Agents are allowed
- Pattern Matching Scenario: detects attacks embedded in the URL by pattern matching against a list of regular expressions
- Repeated Failed Access Scenario: checks for multiple client errors. A counter records the number of times a failed request originated from a subnet
- Cookie Stealing Scenario: records the initial use of a session cookie by a remote client by mapping the cookie to an IP address
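An added example, not code from the paper or from WebSTAT, that implements the counting scenario pattern (threshold, alert_freq, inactivity_timeout) as the Repeated Failed Access scenario above, in Python rather than STATL, over constructed Apache log lines. Grouping clients by /24 subnet and treating any 4xx status as a failed access are assumptions; the inactivity timeout plays the role of an unwinding transition back to the start state.

```python
import re
from datetime import datetime

# Apache common log format: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

# Constructed sample log lines (not from the paper's data set): two hosts in
# 10.0.5.0/24 and one in 192.168.1.0/24.
SAMPLE_LOG = """\
10.0.5.12 - - [10/Oct/2003:13:55:36 -0700] "GET /admin HTTP/1.0" 404 210
10.0.5.12 - - [10/Oct/2003:13:55:37 -0700] "GET /secret HTTP/1.0" 403 180
10.0.5.77 - - [10/Oct/2003:13:55:38 -0700] "GET /cgi-bin/x HTTP/1.0" 404 210
10.0.5.12 - - [10/Oct/2003:13:55:39 -0700] "GET /index.html HTTP/1.0" 200 1043
10.0.5.77 - - [10/Oct/2003:13:55:40 -0700] "GET /a HTTP/1.0" 404 210
192.168.1.5 - - [10/Oct/2003:13:55:40 -0700] "GET /b HTTP/1.0" 404 210
10.0.5.77 - - [10/Oct/2003:13:55:41 -0700] "GET /c HTTP/1.0" 404 210
10.0.5.77 - - [10/Oct/2003:13:59:00 -0700] "GET /d HTTP/1.0" 404 210
"""


def repeated_failed_access(lines, threshold=3, alert_freq=2, inactivity_timeout=120):
    """One counting-scenario instance per /24 subnet (the /24 grouping is an assumption).

    A 4xx response advances the subnet's counter; reaching `threshold` raises the first
    alert and every further `alert_freq` failures raise another. `inactivity_timeout`
    seconds without a failure unwinds the instance to its initial state.
    Returns a list of (subnet, failure_count, timestamp) alerts.
    """
    instances = {}  # subnet -> {"count": failures so far, "last": time of last failure}
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: ignore rather than abort the scenario
        ip, ts_str, _request, status = m.groups()
        if not 400 <= int(status) < 500:
            continue  # only client errors count as failed accesses
        ts = datetime.strptime(ts_str, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        subnet = ".".join(ip.split(".")[:3]) + ".0/24"
        inst = instances.get(subnet)
        if inst is None or ts - inst["last"] > inactivity_timeout:
            inst = instances[subnet] = {"count": 0, "last": ts}  # new or unwound instance
        inst["count"] += 1
        inst["last"] = ts
        n = inst["count"]
        if n == threshold or (n > threshold and (n - threshold) % alert_freq == 0):
            alerts.append((subnet, n, ts_str))
    return alerts
```

On the sample, the 10.0.5.0/24 instance alerts at its 3rd and 5th failure and the 13:59:00 entry starts a fresh instance because 199 s have passed; the single 192.168.1.0/24 failure never reaches the threshold.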
WebSTAT
- Buffer Overflow Scenario: the presence of binary data in a request, or an extremely long request, indicates an attempt to exploit a buffer overflow
- Network- and application-level buffer overflow detection: examine the web server logs and the actual client requests
  - If binary data is found at the network level and there is no matching entry in the server log, the attack is considered successful
- Document Root Escape Attack: illicit access to a file outside the web server's root. Examine the web server log and OS audit records to detect file system access violations
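An added example, not the paper's code, of the two-stream buffer overflow check just described: requests seen at the network level are tested for binary data or excessive length, then correlated with what the web server actually logged. Matching log entries by client address within a small time window, and the 2048-byte length limit, are assumptions; the observations are constructed.

```python
# Constructed observations (not the paper's data). Network level: requests seen on the
# wire as (client_ip, epoch_seconds, raw bytes). Application level: entries the web server
# actually wrote, as (client_ip, epoch_seconds, status).
NET_REQUESTS = [
    ("10.0.5.12", 1000, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("10.0.5.77", 1001, b"GET /cgi-bin/vuln?x=" + b"\x90" * 64 + b"\xde\xad HTTP/1.0\r\n\r\n"),
    ("10.0.5.88", 1002, b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n"),
]
SERVER_LOG = [
    ("10.0.5.12", 1000, 200),
    ("10.0.5.88", 1002, 414),  # server survived the long request and logged it
]

MAX_REQUEST_LEN = 2048  # assumed limit for "extremely long"; the paper gives no number


def looks_like_overflow(raw: bytes) -> bool:
    """Network-level test: binary (non-printable, non-whitespace) bytes or an extremely
    long request, the two indicators named in the Buffer Overflow Scenario."""
    if len(raw) > MAX_REQUEST_LEN:
        return True
    return any(not (0x20 <= b < 0x7F or b in b"\t\r\n") for b in raw)


def correlate_overflows(net_requests, server_log, window=2):
    """Cross-stream check. A suspicious network-level request with no server-log entry
    from the same client within `window` seconds is reported as 'successful' (the server
    never got as far as logging it); one that was logged is reported as 'attempted'.
    Matching on client address and time is an assumption made here."""
    verdicts = []
    for ip, ts, raw in net_requests:
        if not looks_like_overflow(raw):
            continue
        logged = any(lip == ip and abs(lts - ts) <= window for lip, lts, _ in server_log)
        verdicts.append((ip, "attempted" if logged else "successful"))
    return verdicts
```

This is only a detector for the network/application discrepancy the paper relies on; a log entry may also be missing for benign reasons (dropped connection, logging lag), which is why the verdict should be confirmed against the OS-level event stream as the paper does for other scenarios.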
WebSTAT
Evaluation:
- Web server: Pentium IV 1.8 GHz, OS: RedHat 8.0, Apache
- Clients: Pentium IV 1.8 GHz, OS: RedHat 8.0
- Network cards: Intel EtherExpress 10/100 Ethernet cards
- 100BaseT full-duplex, Cisco Catalyst 3500 XL switch
Measurement: average throughput and response times of the web server with/without WebSTAT on the server.
- With WebSTAT: slightly lower throughput
- No change in response time
WebSTAT
CONCLUSIONS:
- WebSTAT operates on multiple event streams
- Supports more effective detection of web-based attacks, with a reduced number of false positives
- IDS can be performed on high-performance servers in real time
THANKS !