Advanced Database Systems, mod3-2, 2006 1
Intrusion Detection
Advanced Database Systems, mod3-2, 2006 2
OutlineAttack formalizationIntrusion detectionTrust evaluationDoS
Advanced Database Systems, mod3-2, 2006 3
Against AttacksPrevention
Access control
Detection Anomaly detection:
Misuse detection:
Attack Detection
Categorical command sequences are clustered by similarity. Similarity of two command sequences s1 and s2:
• MCP (Match Count Polynomial Bound)
• LCS (Longest Common Subsequence)
Cluster by sim(), similar to the k-Means algorithm.
K. Sequeira, M. Zaki, ADMIT: Anomaly-based Data Mining for Intrusions, ACM KDD 2002.
Example:
S1 = {vi<1>, ps -eaf, vi<1>, ls -a<1>}
S2 = {vi<1>, ls -a<1>, rm -i<1>, vi<2>}
MCP(S1, S2) = 1, because only one slot is identical in both sequences.
LCS(S1, S2) = 2, because of the common subsequence {vi<1>, ls -a<1>}.

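The two measures from this slide, applied to S1 and S2, plus the normalised sim() that clustering would use and a nearest-profile anomaly check. This is an added example, not ADMIT's code or the lecture's; the profile set, the `is_anomalous` threshold and the unseen sequence are constructed.

```python
# Added example, not from the ADMIT paper or the lecture: the two sequence
# similarity measures named on the slide (MCP and LCS), the normalised sim()
# used for clustering, and a nearest-profile anomaly check. The profile set
# and the threshold below are constructed for illustration.
from typing import Callable, Sequence

def mcp(s1: Sequence[str], s2: Sequence[str]) -> int:
    """Match count: number of positions i where s1[i] == s2[i]."""
    return sum(1 for a, b in zip(s1, s2) if a == b)

def lcs(s1: Sequence[str], s2: Sequence[str]) -> int:
    """Longest common subsequence length (order kept, gaps allowed), via DP."""
    n, m = len(s1), len(s2)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            if s1[i - 1] == s2[j - 1]:
                dp[i][j] = dp[i - 1][j - 1] + 1
            else:
                dp[i][j] = max(dp[i - 1][j], dp[i][j - 1])
    return dp[n][m]

def sim(s1, s2, measure: Callable = lcs) -> float:
    """Normalise a raw match count to [0, 1] by the longer sequence length."""
    longest = max(len(s1), len(s2))
    return measure(s1, s2) / longest if longest else 1.0

def nearest_profile(seq, profiles, measure: Callable = lcs):
    """Return (best similarity, index) of the closest known profile sequence."""
    scores = [sim(seq, p, measure) for p in profiles]
    best = max(range(len(scores)), key=scores.__getitem__)
    return scores[best], best

def is_anomalous(seq, profiles, threshold=0.5, measure: Callable = lcs) -> bool:
    """Anomaly detection: a sequence unlike every known profile is flagged."""
    best, _ = nearest_profile(seq, profiles, measure)
    return best < threshold

# The slide's sequences; each token is a command plus its argument count.
S1 = ["vi<1>", "ps -eaf", "vi<1>", "ls -a<1>"]
S2 = ["vi<1>", "ls -a<1>", "rm -i<1>", "vi<2>"]

if __name__ == "__main__":
    print("MCP(S1, S2) =", mcp(S1, S2), " LCS(S1, S2) =", lcs(S1, S2))
    unseen = ["cat<1>", "grep<2>", "sort<1>"]  # constructed, unlike both profiles
    print("anomalous:", is_anomalous(unseen, [S1, S2]))
```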
IDS - Intrusion Detection Systems
• Clustering-based detection: clustering by the similarity measures
• Correlation of attack scenarios: patterns for known attacks
• Rule-based detection: chaining (precond1 : postcond2) -> (precond2 : postcond3), where ____________________
• Attack graph: Node: states (initial state, goal state); Edge: desirable exploits; process from the goal state back to the initial state
P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISSEC, 2004

Background
• Exploits E(v, s, d) = (Vulnerability, Source, Destination)
• Conditions p(*)
• Alerts A = a0, a1, …, an; A is a sequence of alerts.

Definitions
Given a hyperalert type T = (fact, prerequisite, consequence):
• Prereq(T) = set of all predicates appearing in prerequisite
• Conseq(T) = set of all predicates appearing in consequence
• ExpConseq(T) = set of all predicates implied by Conseq(T)
Alert t1 prepares for alert t2 if _________________________________ and there exist p ∈ Prereq(t2) and c ∈ ExpConseq(t1) such that p = c.
Type T may [indirectly] prepare for type T' if ExpConseq(T) ∩ Prereq(T') ≠ ∅.
P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISSEC, 2004

Type Graphs: Precond --> Postcond
Given ICMP_PING_NMAP (1) -> SCAN_NMAP_TCP (2) and Rsh (3) -> Mstream_Zombie (4):
• Using clusters: node i is connected to node j if Postcond_i and Precond_j are in the same cluster
• Using "prepare for" relationships
P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISSEC, 2004

Audit Data: Precond --> Postcond
Type T alert t "prepares for" type T' alert t': a hypothesis of an attack that the IDS may have missed but that can be found in the audit data.
P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISSEC, 2004
Hyperalert types in the graph: (1) ICMP_PING_NMAP, (2) SCAN_NMAP_TCP, (3) Rsh, (4) Mstream_Zombie, (5) IMAP_Authen_Overflow, (6) FTP_Glob_Expansion

Filtering condition
Filtering condition [template] for T wrt A
P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISSEC, 2004

Definitions
• T may [indirectly] prepare for T'; t may indirectly prepare for t'
• Sequences of hyperalert types are candidates for attacks possibly missed by the IDS.
• Equality constraint for (T1, T2)
• Hyperalert type alert graph TG over T
• Filtering condition [template] for T wrt A
• Hypothetical attack(s) consistent
P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISSEC, 2004

Attack (E, C)
• Exploits E(v, s, d) = (Vulnerability, Source, Destination)
• Conditions p(*)
• Alerts A = a0, a1, …, an; A is a sequence of alerts.
• Relationships: require, imply
  Require: Rr ⊆ C × E
  Imply: Ri ⊆ E × C
  Prepare for: Re = Ri ∘ Rr (an exploit implies a condition that another exploit requires)
• Attack graph G(E ∪ C, Rr ∪ Ri)
• Match function f: A --> E
L. Wang, A. Liu, S. Jajodia, An efficient and unified approach to correlating, hypothesizing, predicting intrusion alerts, ESORICS (European Symposium on Research in Computer Security), 2005.
Example: Sadmind buffer overflow vulnerability, host1 --> host2
• Required: user privilege on host1
• Required: vulnerable Sadmind RPC service on host2
• Implied: arbitrary code execution with root privileges on host2

Alert correlations
Given alerts A = ai, aj, ak, …, ah, where f(ai) = f(aj) = f(ak): if f(ak) Re f(ah), then query graph QG
L. Wang, A. Liu, S. Jajodia, An efficient and unified approach to correlating, hypothesizing, predicting intrusion alerts, ESORICS (European Symposium on Research in Computer Security), 2005.
(figure: timeline with ai, aj, ak, ah in time order)

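The Sadmind scenario of the previous slides as a small attack graph, with Re = Ri ∘ Rr computed by composition and alerts correlated through f; this also realises Ning's "t1 prepares for t2" test (a consequence of t1 equals a prerequisite of t2, and t1 comes first). Added example, not code from Wang, Liu and Jajodia or from Ning and Xu; the rpc_probe exploit, the alert signature names and the timestamps are constructed.

```python
# Added example, not code from Wang-Liu-Jajodia or Ning-Xu: the slide's Sadmind
# scenario as an attack graph G(E ∪ C, Rr ∪ Ri), the prepare-for relation
# Re = Ri ∘ Rr, and alert correlation through a match function f: A -> E.
# The rpc_probe exploit, alert signature names and timestamps are constructed.
from collections import defaultdict
# Require Rr ⊆ C × E: conditions (left) each exploit (right) needs.
Rr = {("user_priv(host1)", "rpc_probe(host1,host2)"),
      ("user_priv(host1)", "sadmind_overflow(host1,host2)"),
      ("vuln_sadmind_rpc(host2)", "sadmind_overflow(host1,host2)")}
# Imply Ri ⊆ E × C: conditions each exploit establishes.
Ri = {("rpc_probe(host1,host2)", "vuln_sadmind_rpc(host2)"),
      ("sadmind_overflow(host1,host2)", "root_exec(host2)")}
E = {e for _, e in Rr} | {e for e, _ in Ri}     # exploit nodes of G
C = {c for c, _ in Rr} | {c for _, c in Ri}     # condition nodes of G

def prepare_for(Ri, Rr):
    """Re = Ri ∘ Rr: e1 prepares for e2 when e1 implies a condition e2 requires
    (Ning's test: ExpConseq(e1) ∩ Prereq(e2) is non-empty)."""
    requires = defaultdict(set)
    for c, e in Rr:
        requires[c].add(e)
    return {(e1, e2) for e1, c in Ri for e2 in requires[c]}

Re = prepare_for(Ri, Rr)
# Match function f: alert signature -> exploit (None = no known exploit).
SIGNATURES = {"SIG_RPC_PROBE": "rpc_probe(host1,host2)",
              "SIG_SADMIND_OVERFLOW": "sadmind_overflow(host1,host2)"}
def f(alert):
    return SIGNATURES.get(alert["sig"])

def correlate(alerts, f=f, Re=Re):
    """Link earlier alert a to later alert b when f(a) Re f(b). Alerts mapping
    to the same exploit (f(ai) = f(aj)) are each linked as candidate predecessors."""
    ordered = sorted(alerts, key=lambda a: a["t"])
    links = []
    for i, a in enumerate(ordered):
        ea = f(a)
        if ea is None:
            continue
        for b in ordered[i + 1:]:
            eb = f(b)
            if eb is not None and (ea, eb) in Re:
                links.append((a["id"], b["id"]))
    return links
# Constructed alert stream: two probes, one unmatched alert, then the overflow.
ALERTS = [{"id": "a1", "t": 1, "sig": "SIG_RPC_PROBE"},
          {"id": "a2", "t": 2, "sig": "SIG_RPC_PROBE"},
          {"id": "a3", "t": 3, "sig": "SIG_UNKNOWN"},
          {"id": "a4", "t": 5, "sig": "SIG_SADMIND_OVERFLOW"}]
```

`correlate(ALERTS)` links both probe alerts to the later overflow alert and leaves the unmatched alert a3 out, which is the unmatched case the later slides return to.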
NETWORK SECURITY
• Security in P2P
• Denial-of-Service (DoS)
• Pong-Cache Poisoning

GUESS Node
• Cache: other nodes available to accept queries; a node sends its queries to one of the nodes in its cache, chosen at random
• Cache management: by exchanging "ping" and "pong" messages
• Pong Cache: the cache that nodes use to store node ids of other nodes
N. Daswani and H. Garcia-Molina, Pong-Cache Poisoning in GUESS, ACM CCS 2004.

In P2P
• Nodes in the network N = {N1, N2, …, Nn}
• G ∪ M = N and G ∩ M = ∅, for the Good and Malicious nodes.
• At some other time, N' = (N − ___) ∪ B.
• P(Ni): Pong Cache: fixed size; changes over time. Entries:
  • Live: entry from G
  • Poisoned: entry from M
  • Dead: entry from G, but the node has temporarily left the system

Example of Ping & Pong
(figure: node N1 with pong cache P(N1) = {N2, N3} and node N2 with pong cache P(N2) = {N4, N5}; a Ping/Pong exchange between N1 and N2)

Pong Cache Poisoning
Malicious nodes may collude to conduct "pong-cache poisoning" attacks, in which they attempt to propagate malicious node ids into as many pong caches as possible.
Why pong cache poisoning matters:
• DoS: a good node may query a malicious node and not receive a response.
• Inauthentic results: a good node may query a malicious node and receive a response that contains incorrect answers to the query.
• Propagated cache poisoning:

GUESS Protocol Policies & Options
• Seeding Policy (SP): a new node Ni is seeded with Random-Friend (RF), Popular-Node (PN), or Trusted-Directory (TD)
• Introduction Protocol (IP): to introduce the newborn node Ni to the pong caches of existing nodes Nj; Nj replaces its pong cache
• Ping Probe and Pong Choice Policy (PPP & PCP): Ni must decide which node Nj to ping; Nj should determine exactly which |S| node ids to respond with.
• Cache Replacement Policy (CRP): Ni receives up to |S| node ids from Nj; Ni should choose Y ⊆ S to keep: Random; MRU, LRU
• ID Smearing Algorithm (IDSA): if Nk ∈ P(Ni), then there may be too many copies of Nk in the network, and we set P'(Ni) = P(Ni) − {Nk}.

Reputation
Why reputation?
• Determining the validity of a resource is a costly operation: downloading a file, or a digest?
• What if we know the trustworthiness of resource providers?
• Each node records a reputation vector of length n. R[i, j]: node i's opinion of node j.
• Voting reputation
S. Marti and H. Garcia-Molina, Limited Reputation Sharing in P2P Systems, ACM Conference on Electronic Commerce, 2004.

Query-Flood DoS Attacks in Gnutella
Neil Daswani and Hector Garcia-Molina, Stanford University, Department of Computer Science

Problem & Approach
Problem:
• Gnutella: multiplicative query broadcast
• Application-layer denial-of-service
Approach:
• Load balancing / provide fairness

How does Gnutella Work?
• Super-nodes
• Messages: Ping / Pong, Query / QueryHit, Push
• Already Seen
• Time To Live
• File transfer: HTTP
(figure: a super-node with its local peers and remote peers)

Gnutella Traffic Model
Local Work = {q1, q2, q3}
Remote Work = {q4, …, q9} ∪ {q10, q11}
(figure: super-node A receives q1, q2, q3 from its local peers, q4–q9 from remote super-node B, and q10, q11 from remote super-node C)

Gnutella Traffic Model: Local vs. Remote Work
• Reservation Ratio (ρ)
• Remote Work: How many? (IAS) Which ones? (DS)
(figure: super-node A with local queries q1–q3, remote queries q4–q9 from B and q10, q11 from C)

Reservation Ratio (ρ)
• Only used in high load situations.
• Max ρC queries from local peers.
• Max (1−ρ)C queries from remote peers.
• If ρ = 1/3 and C = 6, ρC = (1/3)(6) = 2 local queries.
(figure: super-node A with local queries q1, q2, q3 and remote peers B, C)

Incoming Allocation Strategy (IAS)
(1−ρ)C = (4/6)(6) = 4 remote queries
IAS possibilities:
• Fractional: 2 from B, 2 from C
• Weighted: 3 from B, 1 from C
(figure: super-node A with local queries q1, q2; remote queries q4–q9 from B and q10, q11 from C)

Drop Strategy
Which queries to drop?
(figure: super-node A with local queries q1, q2, remote super-nodes B and C forwarding q4–q9 and q10, q11, and further super-nodes D–H behind them)

Drop Strategy
• PreferLowTTL
• Equal
• Proportional
• PreferHighTTL

Preliminaries
Gnutella P2P Network:
• Specified by the Gnutella Development Forum (GDF) as the Gnutella UDP Extension for Scalable Searches (GUESS)
• URL: //groups.yahoo.com/group/the_gdf/files/Proposals/GUESS/guess_01.txt
• GDF file sharing network: 100,000 concurrent users offering 5~10 TB of data at any time
• Implementation: 10 vendors; copies downloaded: 35 million
• Similar P2P protocols: FastTrack, eDonkey
N. Daswani and H. Garcia-Molina, Pong-Cache Poisoning in GUESS, ACM CCS 2004.

Selecting Voters
• Neighbors in the overlay topology: neighbor voting
• Peers from whom one has fetched files and who have proven to be reputable: friend voting
EigenTrust
S. Kamvar, M. Schlosser, and H. Garcia-Molina, The EigenTrust Algorithm for Reputation Management in P2P Networks, WWW Conference, 2003.

Questions
• Which queries to drop?
• Traffic management policies?
• Effect of topology?
• How is "damage" distributed?
=> Need a traffic model & metrics

Gnutella Traffic Model
• Discrete-event
• Only super-nodes explicitly modeled
• Only queries are modeled: q = (origin, ttl)
• Max capacity: C = 6 queries / time unit
(figure: a super-node with its local peers and remote peers)

Gnutella Traffic Model
Local Work = {q1, q2, q3}
Remote Work = {q4, …, q9} ∪ {q10, q11}
Local Work Accepted = {q1}
Remote Work Accepted = IB,A(1) = {q4, q5}, IC,A(1) = {q10, q11}
(figure: super-node A with local queries q1–q3, remote queries q4–q9 from B and q10, q11 from C)

Gnutella Traffic Model
Local Work = {q1, q2, q3}
Remote Work = {q4, …, q9} ∪ {q10, q11}
Local Work Accepted = {q1}
Remote Work Accepted = IB,A(1) = {q4, q5}, IC,A(1) = {q10, q11}
Work Broadcasted = {q1, q4, q5, q10, q11}
(figure: super-node A forwarding q1, q4, q5 and q10, q11 on to B and C)

Good & Malicious Nodes
• Good nodes: ρ = 1/3
• In general, for symmetric networks: ρ = 1 / (D() + 1)
• Malicious nodes: ρm = 1
(figure: nodes A, B, C; y-axis: Total Remote Queries Processed; label "K3; =2")

Damage
• Service guarantee Sj(t), and the service S'j(t) actually delivered under attack
• Damage for node j (at time t): Dj(t) = (Sj(t) − S'j(t)) / Sj(t)
• Cumulative network damage: D(t) = "bad" queries / "total" queries
Example (figure: two networks of super-nodes A, B, C, one with a fourth good node D and one with a malicious node M):
SA(t) = 16, S'A(t) = 8
DA(t) = (16 − 8) / 16 = 0.5

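One time unit of the admission policy from the traffic-model slides (reservation ratio, Fractional and Weighted IAS) together with the damage metric above, checked against the slides' numbers (ρ = 1/3, C = 6; B offers 6 queries, C offers 2; SA = 16, S'A = 8). Added example, not the authors' simulator; peer names and the reading of the two S terms as baseline and under-attack service are assumptions.

```python
# Added example, not the authors' simulator: one time unit of the slide's
# admission policy at a Gnutella super-node with capacity C and reservation
# ratio rho, the Fractional and Weighted incoming-allocation strategies, and
# the damage metric D_j(t) = (S_j(t) - S'_j(t)) / S_j(t). Peer names and the
# interpretation of the two S_j(t) terms (baseline vs. under attack) are assumed.
from fractions import Fraction

def budget(C, rho):
    """Reserve at most rho*C slots for local peers, (1-rho)*C for remote peers."""
    local = int(Fraction(rho) * C)
    return local, C - local

def allocate_remote(remote_budget, offered, strategy="fractional"):
    """offered: {remote peer: queries it forwards this time unit}.
    fractional: an equal share per remote peer; weighted: a share proportional
    to each peer's offered load. A peer never gets more than it offered."""
    total = sum(offered.values())
    admitted = {}
    for peer, n in offered.items():
        if strategy == "fractional":
            share = Fraction(remote_budget, len(offered))
        elif strategy == "weighted":
            share = Fraction(remote_budget * n, total) if total else Fraction(0)
        else:
            raise ValueError(strategy)
        admitted[peer] = min(n, int(share))
    return admitted

def time_unit(C, rho, local_offered, remote_offered, strategy="fractional"):
    """Admit local then remote work for one time unit; total never exceeds C."""
    local_max, remote_max = budget(C, rho)
    local = min(local_offered, local_max)
    remote = allocate_remote(remote_max, remote_offered, strategy)
    assert local + sum(remote.values()) <= C
    return local, remote

def damage(S_j, S_j_attacked):
    """Per-node damage: fraction of the guaranteed service lost under attack."""
    return Fraction(S_j - S_j_attacked, S_j)

if __name__ == "__main__":
    # Slide numbers: rho = 1/3, C = 6 -> 2 local, 4 remote; B offers 6, C offers 2.
    print(time_unit(6, "1/3", 3, {"B": 6, "C": 2}, "fractional"))  # (2, {'B': 2, 'C': 2})
    print(time_unit(6, "1/3", 3, {"B": 6, "C": 2}, "weighted"))    # (2, {'B': 3, 'C': 1})
    print(damage(16, 8))  # 1/2
```

A malicious super-node with ρm = 1 gets `budget(C, 1) == (C, 0)`: it spends its whole capacity on its own queries and admits nothing from remote peers.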
Location-driven optimal aggregation of spatiotemporal alerts for intrusion detection
• Exploits E(v, s, d) = (Vulnerability, Source, Destination): known / unknown
• Conditions p(*)
• Alerts A = a0, a1, …, an; A is a sequence of alerts.
• Matched with known; unmatched due to unknown --> maybe matched with unknown; unmatched due to new --> maybe learn
(figure: alert sources s0, s1, s2, s3 plotted in space and time, indexed with an R-tree)

IDS and Attacks
Attacks that are hard to recognize:
• Unknown variation of known attacks
• Known variation of unknown attacks
• Unknown variation of unknown attacks
(figure: IDS vs. attack variation)

Correlation among categorical sequences
Sequences (planned and known): {A, B, C, D}, {E, F, G}, {H, J, K, M}
(figure: the symbols A, B, C, D, E, F, G, H, J, K, M laid out as one observed sequence)

Song
If you keep on living, someday a bright day will come, too
Even on a cloudy day, doesn't the sun rise when the day breaks?
Being young and green is a fortune in itself
Don't be petty; throw your chest out wide
Tomorrow the sun will rise, tomorrow the sun will rise

Even sleeping curled up in a small room where the rain leaks in
Isn't it a joy as long as your dear one is with you?
As long as there are nights of cozy whispering
Don't be petty; throw your chest out wide
Tomorrow the sun will rise, tomorrow the sun will rise