Advanced Database Systems, mod3-2, 2006: Intrusion Detection (45 pages)

Uploaded by leslie-arlene-poole, posted 29-Dec-2015


Page 1: Advanced Database Systems, mod3-2, 2006 1 Intrusion Detection

Advanced Database Systems, mod3-2, 2006 1

Intrusion Detection

Page 2

Outline
• Attack formalization
• Intrusion detection
• Trust evaluation
• DoS

Page 3

Against Attacks
Prevention: access control
Detection:
• Anomaly detection:
• Misuse detection:

Page 4

Attack detection (command sequences: clustering)
Similarity of two categorical command sequences, s1 and s2: _________
MCP (Match Count Polynomial Bound)
LCS (Longest Common Subsequence)
Cluster by sim(), similar to the k-Means algorithm.

K. Sequeira, M. Zaki, ADMIT: Anomaly-based Data Mining for Intrusions, ACM KDD 2002.

S1 = {vi <1>, ps -eaf, vi <1>, ls -a <1>}
S2 = {vi <1>, ls -a <1>, rm -i <1>, vi <2>}
MCP(S1, S2) = 1, since only one slot is identical in the two sequences.
LCS(S1, S2) = 2, due to the common subsequence {vi <1>, ls -a <1>}.
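The two similarity measures on this slide, computed on its S1 and S2, followed by a similarity-driven clustering pass in the spirit of ADMIT (added example, not the slides' or the ADMIT paper's code; the normalised sim() and the 0.5 threshold are assumptions for illustration):

```python
# Added example: MCP and LCS on command sequences, plus a one-pass clustering
# step. sim() and the threshold below are assumptions, not ADMIT's definitions.

def mcp(s1, s2):
    """Match Count: number of positions i where s1[i] == s2[i]."""
    return sum(1 for a, b in zip(s1, s2) if a == b)

def lcs(s1, s2):
    """Length of the longest common subsequence (order kept, gaps allowed)."""
    n, m = len(s1), len(s2)
    table = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            if s1[i] == s2[j]:
                table[i + 1][j + 1] = table[i][j] + 1
            else:
                table[i + 1][j + 1] = max(table[i][j + 1], table[i + 1][j])
    return table[n][m]

def sim(s1, s2, measure=lcs):
    """Similarity in [0, 1]: common length relative to the longer sequence (assumed)."""
    longest = max(len(s1), len(s2))
    return measure(s1, s2) / longest if longest else 1.0

def cluster(sequences, threshold=0.5, measure=lcs):
    """Leader-style clustering: a sequence joins the first cluster whose
    representative (its first member) is at least `threshold` similar,
    otherwise it starts a new cluster. Returns the list of clusters."""
    clusters = []
    for seq in sequences:
        for c in clusters:
            if sim(c[0], seq, measure) >= threshold:
                c.append(seq)
                break
        else:
            clusters.append([seq])
    return clusters

# Constructed from the slide's example; each token is one whole command.
S1 = ["vi <1>", "ps -eaf", "vi <1>", "ls -a <1>"]
S2 = ["vi <1>", "ls -a <1>", "rm -i <1>", "vi <2>"]
S3 = ["make", "gcc -o a a.c", "./a"]   # constructed, unrelated session

if __name__ == "__main__":
    print("MCP(S1, S2) =", mcp(S1, S2))   # 1
    print("LCS(S1, S2) =", lcs(S1, S2))   # 2
    print(cluster([S1, S2, S3]))           # S1 and S2 together, S3 alone
```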

Page 5

IDS - Intrusion Detection Systems
• Clustering-based detection: clustering by the similarity measures
• Correlation of attack scenarios: patterns for known attacks
• Rule-based detection: chaining (precond1 : postcond2) -> (precond2 : postcond3), where ____________________
• Attack graph: node: states (initial state, goal state); edge: desirable exploits; process from the goal state to the initial state

P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISS, 2004

Page 6

Background
Exploits E(v,s,d): (Vulnerability, Source, Destination)
Conditions p(*)
Alert A = a0, a1, …, an. A is a sequence of alerts.

Page 7

Definitions
Given T(fact, prerequisite, consequence):
Prereq(T) = set of all predicates appearing in prerequisite
Conseq(T) = set of all predicates appearing in consequence
ExpConseq(T) = set of all predicates implied by Conseq(T)

Alert t1 prepares for alert t2 if _________________________________ and there exist p ∈ Prereq(t2) and c ∈ ExpConseq(t1) such that p = c.

Type T may [indirectly] prepare for type T' if ExpConseq(T) ∩ Prereq(T') ≠ ∅.

P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISS, 2004

Page 8

Type Graphs: Precond --> Postcond
Given ICMP_PING_NMAP (1) -> SCAN_NMAP_TCP (2), Rsh (3) -> Mstream_Zombie (4)
Using clusters: node i is connected to node j if Postcond_i and Precond_j are in the same cluster
Using "prepare for" relationships:

P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISS, 2004

Page 9

Audit Data: Precond --> Postcond
Type T alert t "prepares for" type T' alert t': a hypothesis that may be missed by the IDS but found in audit data

P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISS, 2004

(Figure: hyperalert types ICMP_PING_NMAP (1), SCAN_NMAP_TCP (2), Rsh (3), Mstream_Zombie (4), IMAP_Authen_Overflow (5), FTP_Glob_Expansion (6))

Page 10

Filtering condition
Filtering condition [template] for T wrt A

P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISS, 2004

Page 11

Definitions
T may [indirectly] prepare for T'
t may indirectly prepare for t'
Sequences of hyperalert types are candidates of attacks possibly missed by the IDS.
Equality constraint for (T1, T2)
Hyperalert type alert graph TG over T
Filtering condition [template] for T wrt A
Hypothetical attack(s) consistent

P. Ning, D. Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM TISS, 2004

Page 12

Attack (E, C)
Exploits E(v,s,d): (Vulnerability, Source, Destination)
Conditions p(*)
Alert A = a0, a1, …, an. A is a sequence of alerts.
Relationships: require, imply
Require: Rr ⊆ C × E
Imply: Ri ⊆ E × C
Prepare for: Re = Ri ∘ Rr
Attack graph G(E ∪ C, Rr ∪ Ri)
Match function f: A --> E

L. Wang, A. Liu, S. Jajodia, An efficient and unified approach to correlating, hypothesizing, predicting intrusion alerts, European Computer Security, 2005.

(Figure: exploit "Sadmind buffer overflow vulnerability, host1 --> host2"; conditions "user privilege on host1", "vulnerable Sadmind RPC service on host2", "arbitrary code execution with root privileges on host2")

Page 13

Alert correlations
Given alerts A = ai, aj, ak, …, ah, where f(ai) = f(aj) = f(ak). If f(ak) Re f(ah), then query graph QG

L. Wang, A. Liu, S. Jajodia, An efficient and unified approach to correlating, hypothesizing, predicting intrusion alerts, European Computer Security, 2005.

(Figure: timeline of ai, aj, ak, ah)
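The "may prepare for" relation, the type graph and the hypothesis of missed attacks from the Ning and Xu slides, in the same shape as the require/imply attack graph of the Wang, Liu and Jajodia slides (added example, not code from the slides or either paper; the type names are the slides', but their Prereq/Conseq predicates and the implication rule are constructed for illustration):

```python
# Added example. Constructed hyperalert types: name -> (Prereq, Conseq), each a
# set of predicate strings. Names are from the slides; predicates are assumed.
TYPES = {
    "ICMP_PING_NMAP":       ({"ExistHost(dst)"}, {"HostAlive(dst)"}),
    "SCAN_NMAP_TCP":        ({"HostAlive(dst)"}, {"PortOpen(dst,rsh)"}),
    "Rsh":                  ({"PortOpen(dst,rsh)", "TrustRel(src,dst)"}, {"ShellAccess(dst)"}),
    "Mstream_Zombie":       ({"ShellAccess(dst)"}, {"DDoSZombie(dst)"}),
    "IMAP_Authen_Overflow": ({"PortOpen(dst,imap)"}, {"ShellAccess(dst)"}),
    "FTP_Glob_Expansion":   ({"PortOpen(dst,ftp)"}, {"ShellAccess(dst)"}),
}
# Assumed implication rules: a predicate -> the predicates it implies.
IMPLIES = {"ShellAccess(dst)": {"UserAccess(dst)"}}

def prereq(t):
    return TYPES[t][0]

def exp_conseq(t):
    """ExpConseq(T): Conseq(T) closed under the implication rules."""
    out, frontier = set(TYPES[t][1]), list(TYPES[t][1])
    while frontier:
        for q in IMPLIES.get(frontier.pop(), ()):
            if q not in out:
                out.add(q)
                frontier.append(q)
    return out

def may_prepare_for(t1, t2):
    """T1 may prepare for T2 iff some c in ExpConseq(T1) equals some p in Prereq(T2)."""
    return bool(exp_conseq(t1) & prereq(t2))

def type_graph():
    """Edge T1 -> T2 for every pair of types with may_prepare_for(T1, T2)."""
    return {t: [u for u in TYPES if u != t and may_prepare_for(t, u)] for t in TYPES}

def hypothesize_missed(seen_from, seen_to, graph):
    """Every path seen_from -> ... -> seen_to in the type graph; the inner nodes
    of each path are a candidate sequence of attacks the IDS may have missed."""
    found, stack = [], [(seen_from, [])]
    while stack:
        node, path = stack.pop()
        for nxt in graph[node]:
            if nxt == seen_to:
                found.append(path)
            elif nxt != seen_from and nxt not in path:
                stack.append((nxt, path + [nxt]))
    return found

if __name__ == "__main__":
    # Alerts of types 1 and 4 were reported; which types may lie between them?
    print(hypothesize_missed("ICMP_PING_NMAP", "Mstream_Zombie", type_graph()))
```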

Page 14

NETWORK SECURITY
Security in P2P
Denial-of-Service (DoS)
Pong-Cache Poisoning

Page 15

GUESS Node
Cache: other nodes available to accept queries; a node sends queries to one of the nodes in its cache, chosen at random
Cache management: by exchanging "ping" and "pong" messages
• Pong cache: the cache that nodes use to store the node ids of other nodes

N. Daswani and H. Garcia-Molina, Pong-Cache Poisoning in GUESS, ACM CCS 2004.

Page 16

In P2P
Nodes in the network N = {N1, N2, …, Nn}
G ∪ M = N and G ∩ M = ∅, for the Good and Malicious nodes.
At some other time, N' = (N − ___) ∪ B.
P(Ni): Pong cache: fixed size; changes over time
Entries:
• Live: entry from G
• Poisoned: entry from M
• Dead: entry from G, but the node has temporarily left the system

Page 17

Example of Ping & Pong
(Figure: node N1 with pong cache P(N1) holding N2, N3; node N2 with pong cache P(N2) holding N4, N5; a Ping from N1 to N2 is answered by a Pong)

Page 18

Pong Cache Poisoning
Malicious nodes may collude to conduct "pong-cache poisoning" attacks in which they attempt to propagate malicious node ids in as many pong caches as possible.

Why Pong Cache Poisoning?
• DoS: a good node may query a malicious node, and may not receive a response
• Inauthentic results: a good node may query a malicious node, and may receive a response that contains incorrect answers to the query
• Propagated cache poisoning:

Page 19

GUESS Protocol Policies & Options
Seeding Policy (SP): a new node Ni is seeded with: Random-Friend (RF), Popular-Node (PN), Trusted-Directory (TD)
Introduction Protocol (IP): to introduce the newborn node Ni to the pong caches of existing nodes Nj; Nj replaces its pong cache
Ping Probe and Pong Choice Policy (PPP & PCP): Ni must decide which node Nj to ping. Nj should determine exactly which |S| node ids to respond with.
Cache Replacement Policy (CRP): Ni receives up to |S| node ids from Nj. Ni should choose Y ⊆ S: Random; MRU; LRU
ID Smearing Algorithm (IDSA): if Nk ∈ P(Ni), then there may be too many copies of Nk in the network, and we set P'(Ni) = P(Ni) − {Nk}.
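A pong cache with the three CRP options listed on this slide, plus the Live / Poisoned / Dead classification from page 16, so the mix left in P(Ni) can be compared across policies for the same pong stream (added example, not the slides' or the paper's code; the reading of "used" as "received in a pong", the cache size, the node sets and the pong stream are constructed assumptions):

```python
import random

# Added example: pong cache P(Ni) under the slide's CRP options (assumed semantics).
class PongCache:
    """Fixed-size pong cache. An entry counts as 'used' when it is received in a
    pong (assumed reading of MRU/LRU for this example)."""

    def __init__(self, size, policy, seed=0):
        self.size, self.policy = size, policy
        self.rng = random.Random(seed)
        self.entries = {}          # node id -> tick of its most recent receipt
        self.tick = 0

    def merge(self, S):
        """CRP: Ni received node ids S from Nj; keep Y ⊆ S subject to the size."""
        for nid in S:
            self.tick += 1
            if nid not in self.entries and len(self.entries) >= self.size:
                self._evict()
            self.entries[nid] = self.tick

    def _evict(self):
        if self.policy == "LRU":
            victim = min(self.entries, key=self.entries.get)
        elif self.policy == "MRU":
            victim = max(self.entries, key=self.entries.get)
        else:  # Random
            victim = self.rng.choice(sorted(self.entries))
        del self.entries[victim]

def classify(cache, good, malicious, departed):
    """Count Live (from G, present), Poisoned (from M) and Dead (from G, left) entries."""
    counts = {"live": 0, "poisoned": 0, "dead": 0}
    for nid in cache.entries:
        if nid in malicious:
            counts["poisoned"] += 1
        elif nid in good:
            counts["dead" if nid in departed else "live"] += 1
    return counts

def compare_policies(pongs, size, good, malicious, departed):
    """Feed the same pong stream through one cache per CRP and report each mix."""
    result = {}
    for policy in ("Random", "MRU", "LRU"):
        cache = PongCache(size, policy)
        for S in pongs:
            cache.merge(S)
        result[policy] = classify(cache, good, malicious, departed)
    return result

# Constructed scenario: |S| = 2 ids per pong, cache size 3, N5 is malicious,
# N3 is a good node that has temporarily left the system.
GOOD, MALICIOUS, DEPARTED = {"N2", "N3", "N4", "N6"}, {"N5"}, {"N3"}
PONGS = [["N2", "N3"], ["N4", "N5"], ["N5", "N6"]]
```

With this stream LRU ends up holding the poisoned id and MRU the dead one, which is the kind of trade-off the policy choice decides.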

Page 20

Reputation
Why reputation?
Determining the validity of a resource is a costly operation: downloading a file, or a digest?
What if we know the trustworthiness of resource providers?
Each node records a reputation vector of length n. R[i,j]: node i's opinion of node j.
Voting reputation

S. Marti and H. Garcia-Molina, Limited Reputation Sharing in P2P Systems, ACM Conference on Electronic Commerce, 2004.

Page 21

Query-Flood DoS Attacks in Gnutella
Neil Daswani and Hector Garcia-Molina, Stanford University, Department of Computer Science

Page 22

Problem & Approach
Problem: Gnutella's multiplicative query broadcast; application-layer denial-of-service
Approach: load balancing / provide fairness

Page 23

How does Gnutella work?
Super-nodes
Messages: Ping / Pong, Query / QueryHit, Push
Already Seen, Time To Live
File transfer: HTTP
(Figure: local peers, remote peers)

Page 24

Gnutella Traffic Model
Local Work = {q1, q2, q3}
Remote Work = {q4, …, q9} ∪ {q10, q11}
(Figure: node A receives q1, q2, q3 from local peers, q4–q9 from B and q10, q11 from C)

Page 25

Gnutella Traffic Model: Local vs. Remote Work
Local work: Reservation Ratio (ρ)
Remote work: How many? (IAS) Which ones? (DS)
(Figure: as on page 24)

Page 26

Reservation Ratio (ρ)
Only used in high load situations.
Max ρC queries from local peers.
Max (1−ρ)C queries from remote peers.
If ρ = 1/3 and C = 6, ρC = (1/3)(6) = 2 local.
(Figure: node A with local queries q1, q2, q3 and peers B, C)

Page 27

Incoming Allocation Strategy
(1−ρ)C = (4/6)(6) = 4 remote
IAS possibilities:
• Fractional: 2 from B, 2 from C
• Weighted: 3 from B, 1 from C
(Figure: node A with peers B (offering q4–q9) and C (offering q10, q11))

Page 28

Drop Strategy
Which queries to drop?
(Figure: node A with peers B and C, further nodes D, E, F, G, H behind them, and queries q1–q11)

Page 29

Drop Strategy
• PreferLowTTL
• Equal
• Proportional
• PreferHighTTL


Page 31

Preliminaries
Gnutella P2P Network: by the Gnutella Development Forum (GDF) as Gnutella UDP Extension for Scalable Searches (GUESS)
URL: //groups.yahoo.com/group/the_gdf/files/Proposals/GUESS/guess_01.txt
GDF file sharing network: 100,000 concurrent users offering 5~10 TB of data at any time
Implementation: 10 vendors; copies downloaded: 35 million
Similar P2P protocols: FastTrack, eDonkey

N. Daswani and H. Garcia-Molina, Pong-Cache Poisoning in GUESS, ACM CCS 2004.

Page 32

Selecting Voters
Neighbors in the overlay topology: neighbor voting
Peers from whom one has fetched files and who have proven to be reputable: friend voting


Page 33

EigenTrust
S. Kamvar, M. Schlosser, and H. Garcia-Molina, The EigenTrust Algorithm for Reputation Management in P2P Networks, Conf. on WWW, 2003.

Page 34

Questions
• Which queries to drop?
• Traffic management policies?
• Effect of topology?
• How is "damage" distributed?
=> Need a traffic model & metrics

Page 35

Gnutella Traffic Model
Discrete-event
Only super-nodes explicitly modeled
Only queries are modeled: q = (origin, ttl)
Max capacity: C = 6 queries / time unit
(Figure: local peers, remote peers)

Page 36

Gnutella Traffic Model
Local Work = {q1, q2, q3}
Remote Work = {q4, …, q9} ∪ {q10, q11}
Local Work Accepted = {q1}
Remote Work Accepted = IB,A(1) = {q4, q5}, IC,A(1) = {q10, q11}
(Figure: node A with local queries q1–q3, peer B offering q4–q9 and peer C offering q10, q11)

Page 37

Gnutella Traffic Model
Local Work = {q1, q2, q3}
Remote Work = {q4, …, q9} ∪ {q10, q11}
Local Work Accepted = {q1}
Remote Work Accepted = IB,A(1) = {q4, q5}, IC,A(1) = {q10, q11}
Work Broadcasted = {q1, q4, q5, q10, q11}
(Figure: A forwards q1, q4, q5 and q10, q11 to peers B and C)


Page 39

Good & Malicious Nodes
Good nodes: ρ = 1/3
In general, for symmetric networks: ρ = 1 / (D(·) + 1)
Malicious nodes: ρm = 1
(Figure: nodes A, B, C in a K3 topology; y-axis: Total Remote Queries Processed)

Page 40

Damage
Service guarantee: Sj(t), S'j(t)
Damage for node j (at time t): Dj(t) = (Sj(t) − S'j(t)) / Sj(t)
Cumulative network damage: D(t) = "bad" queries / "total" queries
(Figure: network A, B, C, D with labels 5, 6, 5, beside network A, B, C, M with labels 4, 4, 0)
SA(t) = 16, S'A(t) = 8
DA(t) = (16 − 8) / 16 = 0.5
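The traffic-model decisions from pages 24 to 29 (reservation ratio, incoming allocation strategy, drop strategy) and the damage metric from this page, carried through on the slides' numbers, as an added example that is not code from the slides or the Daswani and Garcia-Molina paper; the weighted IAS as "proportional to offered load", the TTL values, and the restriction to the two TTL-based drop strategies are assumptions of this example:

```python
from fractions import Fraction
from collections import namedtuple

# Added example. Constructed query: name, originating peer, remaining TTL.
Query = namedtuple("Query", "name origin ttl")

def reservation(C, rho):
    """Under high load: at most rho*C local and (1-rho)*C remote queries per time unit."""
    local = int(rho * C)
    return local, C - local

def allocate(remote, budget, ias):
    """IAS: split the remote budget over peers. 'fractional' = equal share per
    peer; 'weighted' = share proportional to each peer's offered load (assumed)."""
    peers = list(remote)
    if ias == "fractional":
        shares = {p: budget // len(peers) for p in peers}
    else:
        total = sum(len(qs) for qs in remote.values())
        shares = {p: budget * len(remote[p]) // total for p in peers}
    left = budget - sum(shares.values())          # hand out rounding leftovers
    for p in sorted(peers, key=lambda p: -len(remote[p])):
        if left and shares[p] < len(remote[p]):
            shares[p] += 1; left -= 1
    return shares

def choose(queries, k, ds):
    """DS: which k of an offered list to keep. Only PreferLowTTL and PreferHighTTL
    are modelled here; Equal and Proportional from the slide are not."""
    key = (lambda q: q.ttl) if ds == "PreferLowTTL" else (lambda q: -q.ttl)
    return [q.name for q in sorted(queries, key=key)[:k]]

def accept(local, remote, C, rho, ias, ds):
    """Queries node A admits in one time unit: local share, then per-peer shares."""
    n_local, n_remote = reservation(C, rho)
    taken = {"local": choose(local, n_local, ds)}
    for peer, k in allocate(remote, n_remote, ias).items():
        taken[peer] = choose(remote[peer], k, ds)
    return taken

def damage(s, s_prime):
    """D_j(t) = (S_j(t) - S'_j(t)) / S_j(t): fraction of the guaranteed service lost."""
    return (s - s_prime) / s

# Constructed load matching the slides: 3 local queries, 6 from B, 2 from C.
LOCAL = [Query(f"q{i}", "A", 7) for i in (1, 2, 3)]
REMOTE = {"B": [Query(f"q{i}", "B", i - 3) for i in range(4, 10)],   # ttl 1..6
          "C": [Query("q10", "C", 2), Query("q11", "C", 5)]}

if __name__ == "__main__":
    print(accept(LOCAL, REMOTE, 6, Fraction(1, 3), "weighted", "PreferLowTTL"))
    print(damage(16, 8))   # 0.5, as on the slide
```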

Page 41

Location-driven optimal aggregation of spatiotemporal alerts for intrusion detection
Exploits E(v,s,d): (Vulnerability, Source, Destination), known/unknown
Conditions p(*)
Alert A = a0, a1, …, an. A is a sequence of alerts.
Matched with known
Unmatched due to unknown --> maybe matched with unknown
Unmatched due to new --> maybe learn
(Figure: alerts s0–s3 plotted in space and time, indexed by an R-tree)

Page 42

(Figure legend: A or a; E or e)

Page 43

IDS and Attacks
Attacks hard to recognize:
• Unknown variation of known attacks
• Known variation of unknown attacks
• Unknown variation of unknown attacks
(Figure: IDS, attack, variation)

Page 44

Correlation among categorical sequences
{A, B, C, D}
{E, F, G}
{H, J, K, M}
(Figure: the elements A–M laid out as sequences)
Sequences - Planned and known -

Page 45

Song

If we keep on living, surely a bright day will come someday. Even on a cloudy day, when dawn breaks, doesn't the sun rise? Being young and green is capital enough, so don't be petty; throw your chest out wide. Tomorrow the sun will rise, tomorrow the sun will rise.

Even if you sleep curled up in a small room where the rain leaks in, with your beloved beside you, isn't it a joy? As long as there are nights of cozy whispering, don't be petty; throw your chest out wide. Tomorrow the sun will rise, tomorrow the sun will rise.