Post on 17-Dec-2015
GPN 2009, May 29, Kansas City, Missouri
An open security defense architecture for open collaborative cyber infrastructures
Xinming (Simon) Ou, Kansas State University
The Great Plains Network Annual Meeting 2009, Kansas City, Missouri
Challenges to securing cyber infrastructures
• Cyber warfare is asymmetric
  – Attack only needs to break a few points
  – Defense has to be comprehensive
• Attackers have an upper hand in automation
  – Many automated exploit tools
  – Not so many good defense tools
• Openness of academic cyber infrastructures
  – Unrealistic to have draconian control on access
Multi-step Attacks
[Figure: an attacker on the Internet, behind Firewall 1, reaches the demilitarized zone (DMZ) with its webServer and webPages; Firewall 2 separates the DMZ from the corporation's workStation and fileServer. Attack-step labels: buffer overrun, Trojan horse, sharedBinary, NFS, shell.]
Solution
[Figure: a Reasoning System takes as input the host configuration and network configuration supplied by the system admin, information about users, CERT advisories (e.g. "Apache 1.3.4 bug!") and the knowledge of security experts (Linux security behavior; Windows security behavior; common attack techniques), and outputs potential attack paths.]
[Figure: the proposed defense architecture. Information collection (security scanning and monitoring of the Enterprise Network) feeds an automated analyzer, which reports the baseline security status and suggested configuration changes to harden security. The analyzer draws on baseline security knowledge from public repositories (NVD, OVAL/Nessus, CVSS) and on high-level security knowledge from the broader security community.]
MulVAL
[Figure: MulVAL Scanners on the hosts and a Network Analyzer feed the Analyzer. Inputs: vulnerability information (e.g. NIST NVD), vulnerability definitions (e.g. OVAL, Nessus Scripting Language), network reachability information, user information, and interaction rules from security experts. Example query: "Could root be compromised on any of the machines?" The Analyzer returns answers.]
Ou, Govindavajhala, and Appel. Usenix Security 2005
Interaction Rules
execCode(Attacker, Host, PrivilegeLevel) :-
    vulExists(Host, Program, remote, privilegeEscalation),
    serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel),
    networkAccess(Attacker, Host, Protocol, Port).

[Figure: internet -> Firewall 1 -> dmz webServer]
Input facts (from the MulVAL Scanner, OVAL and the NVD):
    vulExists(webServer, httpd, remote, privilegeEscalation).
    serviceRunning(webServer, httpd, tcp, 80, apache).
    networkAccess(attacker, webServer, tcp, 80).
Derived:
    execCode(attacker, webServer, apache).   Oops!
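The interaction rule above, evaluated by an added Python example (not MulVAL's own code): a minimal Datalog-style forward chainer that derives execCode from the three facts on the slide and records which facts each conclusion rests on. The is_var/unify/derive helpers and the tuple encoding of facts are ours.

```python
def is_var(term):
    """Datalog convention: identifiers starting with an upper-case letter are variables."""
    return isinstance(term, str) and term[:1].isupper()

def unify(pattern, fact, env):
    """Extend the bindings in env so that pattern matches fact; None on mismatch."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env

def derive(facts, rules):
    """Naive forward chaining to a fixpoint; returns {fact: facts it was derived from}."""
    proofs = {f: [] for f in facts}
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            matches = [({}, [])]                      # (bindings, facts used so far)
            for literal in body:                      # join body literals left to right
                matches = [(e, used + [fact]) for env, used in matches
                           for fact in list(proofs)
                           for e in [unify(literal, fact, env)] if e is not None]
            for env, used in matches:
                new = (head[0],) + tuple(env.get(t, t) for t in head[1:])
                if new not in proofs:                 # keep the first proof found
                    proofs[new] = used
                    changed = True
    return proofs

# The interaction rule from the slide, written as (head, [body literals]).
EXEC_CODE_RULE = (
    ("execCode", "Attacker", "Host", "PrivilegeLevel"),
    [("vulExists", "Host", "Program", "remote", "privilegeEscalation"),
     ("serviceRunning", "Host", "Program", "Protocol", "Port", "PrivilegeLevel"),
     ("networkAccess", "Attacker", "Host", "Protocol", "Port")])

# Input facts copied from the slide (in MulVAL they come from the scanner, OVAL and NVD).
FACTS = {("vulExists", "webServer", "httpd", "remote", "privilegeEscalation"),
         ("serviceRunning", "webServer", "httpd", "tcp", 80, "apache"),
         ("networkAccess", "attacker", "webServer", "tcp", 80)}

def exec_code_facts(facts=FACTS):
    """Return {execCode fact: supporting facts} derived from the given inputs."""
    return {f: s for f, s in derive(facts, [EXEC_CODE_RULE]).items() if f[0] == "execCode"}
```

Removing the networkAccess fact (e.g. a firewall rule that blocks port 80) makes the derivation disappear, which is the configuration change such an analysis suggests.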
MulVAL Attack-Graph Toolkit
[Figure: machine configuration, network configuration and security advisories are turned into a Datalog representation; together with the interaction rules they feed the MulVAL reasoning engine, which emits proofs of assertions; a Graph Builder turns the proofs into a logical attack graph.]
Ou, Boyer, and McQueen. ACM CCS 2006
Joint work with Idaho National Laboratory
Test on a Real Network
• Used MulVAL to check the configuration of four Linux servers
  – Reported a potential two-stage attack path due to multiple vulnerabilities on a server:
    • Three local kernel vulnerabilities
    • One buffer overflow bug in libpng
    • Local users are trusted
    • Web browser links libpng
[Figure: a system administrator working with network monitoring tools. Observations: abnormally high traffic; the netflow dump shows a TrendMicro server communicating with known BotNet controllers; a memory dump shows seemingly malicious code modules; open IRC sockets with other TrendMicro servers are found. Conclusion: these TrendMicro servers are certainly compromised!]
The next challenge: Situation Awareness
[Figure: observations (IDS alerts, netflow dump, syslog, server log, ...) are mapped to their semantics and fed to a reasoning engine that holds an internal model; the engine produces high-confidence conclusions with evidence and targets subsequent observations.]
Observation Correspondence
Mapping observations to internal conditions: what you can see -> what you want to know, each with a mode letter (p, l) for how strongly the observation supports the condition.
  obs(anomalyHighTraffic)                        -> int(attackerNetActivity)         p
  obs(netflowBlackListFilter(H, BlackListedIP))  -> int(compromised(H))              l
  obs(memoryDumpMaliciousCode(H))                -> int(compromised(H))              l
  obs(memoryDumpIRCSocket(H1,H2))                -> int(exchangeCtlMessage(H1,H2))   l
Internal Model
Logical relation among internal conditions: Condition1 "leads to" Condition2, i.e. Condition1 may cause Condition2, annotated with a pair of modes (m1, m2).
  int(compromised(H1))                                  -> int(probeOtherMachine(H1,H2))   (p, c)
  int(compromised(H1))                                  -> int(sendExploit(H1,H2))         (p, c)
  int(sendExploit(H1,H2))                               -> int(compromised(H2))            (l, p)
  int(compromised(H1)), int(exchangeCtlMessage(H1,H2))  -> int(compromised(H2))            (p, c)
Proof Strengthening
[Figure: observations O1 and O2 each support "f is likely true"; proof strengthening combines them into "f is certainly true". A further observation O3 is shown alongside.]
The SnIPS system
[Figure: Snort alerts are pre-processed into summarized tuples and, through the observation correspondence, passed to the reasoning engine together with the internal model. A user query, e.g. which machines are "certainly" compromised?, is answered with high-confidence answers and evidence. Building the observation correspondence and the internal model from the Snort rule repository is done only once.]
Automate Model Building for Snort
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access"; uricontent:"/guestbook.pl"; classtype:attempted-recon; sid:1140;)

obsMap(obsRuleId_3615, obs(snort('1:1140', FromHost, ToHost, _Time)),
       int(probeOtherMachine(FromHost, ToHost)), ?).
Internal predicate mapped from "classtype"; the last argument, the mode, is left as ? at this point.
Automate Model Building for Snort
Impact: Information gathering and system integrity compromise. Possible unauthorized administrative access to the server. Possible execution of arbitrary code of the attacker's choosing in some cases.
Ease of Attack: Exploits exist.
Hints from the natural-language description of Snort rules add a second mapping and fill in the mode that was left as ?:
obsMap(obsRuleId_3614, obs(snort('1:1140', FromHost, ToHost, _Time)),
       int(compromised(ToHost)), p).
obsMap(obsRuleId_3615, obs(snort('1:1140', FromHost, ToHost, _Time)),
       int(probeOtherMachine(FromHost, ToHost)), l).
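How the classtype mapping and the description hints of the two slides above can be turned into obsMap facts, as an added Python example that is not SnIPS's own tooling. Only the attempted-recon row of CLASSTYPE_MAP, the rule text and the description sentence come from the slides; the other classtype rows, the HINTS phrases and the obsRuleId numbering scheme are assumptions for illustration.

```python
import re

# classtype -> (internal predicate, mode). Only the attempted-recon row is on
# the slide; the other rows are assumed for illustration.
CLASSTYPE_MAP = {
    "attempted-recon": ("probeOtherMachine(FromHost, ToHost)", "l"),
    "attempted-admin": ("compromised(ToHost)", "p"),
    "trojan-activity": ("compromised(FromHost)", "l"),
}
# Phrases in a rule's natural-language description that hint at a condition (assumed).
HINTS = [("administrative access", "compromised(ToHost)", "p"),
         ("arbitrary code", "compromised(ToHost)", "p")]

def parse_rule(rule):
    """Pull gid (default 1), sid, classtype and msg out of a Snort rule's options.
    Simplification: option values are assumed not to contain ';' or '"'."""
    opts = dict(re.findall(r'(\w+)\s*:\s*"?([^";]*)"?\s*;', rule.split("(", 1)[1]))
    return {"gid": opts.get("gid", "1"), "sid": opts["sid"],
            "classtype": opts.get("classtype"), "msg": opts.get("msg", "")}

def obs_map_entries(rule, description="", first_id=3614):
    """Return obsMap facts (Prolog-style strings) for one Snort rule: hint-derived
    entries first, the classtype-derived entry last, numbered from first_id."""
    r = parse_rule(rule)
    obs = "obs(snort('%s:%s', FromHost, ToHost, _Time))" % (r["gid"], r["sid"])
    targets = []                                    # (predicate, mode), in order
    for needle, pred, mode in HINTS:
        if needle in description.lower() and (pred, mode) not in targets:
            targets.append((pred, mode))
    ct = CLASSTYPE_MAP.get(r["classtype"])
    if ct and ct not in targets:
        targets.append(ct)
    return ["obsMap(obsRuleId_%d, %s, int(%s), %s)." % (first_id + i, obs, pred, mode)
            for i, (pred, mode) in enumerate(targets)]

# The guestbook.pl rule and description text from the slides, as sample input.
GUESTBOOK_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
                  '(msg:"WEB-MISC guestbook.pl access"; uricontent:"/guestbook.pl"; '
                  'classtype:attempted-recon; sid:1140;)')
GUESTBOOK_DESC = ("Impact: Information gathering and system integrity compromise. "
                  "Possible unauthorized administrative access to the server.")
```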
Coverage
Internal predicate                          % of rules
Predicates handled by the internal model    59%
Suspicious                                  41%
• Snort has about 9000 rules.
• This is just a baseline and needs to be fine-tuned.
• It would make more sense for the rule writer to define the observation correspondence relation when writing a rule.
Experiment on Treasure Hunt data
• Data collected during a graduate-level course exercise
• Data set contains multi-stage attacks as in real-world scenarios
• A large variety of monitoring data
Some Results
| ?- show_trace(int(compromised(H), c)).
int(compromised('192.168.10.90'),c) strengthenedPf
    int(compromised('192.168.10.90'),l) intRule_1
        int(probeOtherMachine('192.168.10.90','192.168.70.49'),l) obsRulePre_1
            obs(snort('122:1','192.168.10.90','192.168.70.49',_h272))
    int(compromised('192.168.10.90'),l) intRule_3
        int(sendExploit('128.111.49.46','192.168.10.90'),c) obsRuleId_3749
            obs(snort('1:1807','128.111.49.46','192.168.10.90',_h336))
Callouts on the trace: "A probe was sent from 192.168.10.90"; "An exploit was sent to 192.168.10.90"; "192.168.10.90 was certainly compromised!"
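The reasoning behind that trace (observation correspondence, the internal model and proof strengthening from the earlier slides), as an added Python example rather than SnIPS's own code. The reading of p/l/c as possible/likely/certain, the mode caps attached to intRule_1 and intRule_3, and the two constructed alert tuples are assumptions modelled on the trace.

```python
RANK = {"p": 0, "l": 1, "c": 2}   # possible < likely < certain (our reading of the mode letters)

def weaker(a, b):
    return a if RANK[a] <= RANK[b] else b

# Observation correspondence for the two sids in the trace: sid -> (obsMap rule, fact, mode).
OBS_MAP = {
    "122:1":  ("obsRulePre_1",   lambda s, d: ("probeOtherMachine", s, d), "l"),
    "1:1807": ("obsRuleId_3749", lambda s, d: ("sendExploit", s, d), "c"),
}

# The two internal-model relations the trace exercises, each in the direction whose
# variables are all bound: (rule name, trigger predicate, consequence, mode cap; caps assumed).
INT_RULES = [
    ("intRule_1", "probeOtherMachine", lambda f: ("compromised", f[1]), "c"),
    ("intRule_3", "sendExploit",       lambda f: ("compromised", f[2]), "l"),
]

def reason(alerts):
    """alerts: (sid, src, dst) tuples. Returns {fact: (mode, [(rule, mode, obs ids)])}."""
    derived = []                                    # (fact, mode, rule, observation ids)
    for i, (sid, src, dst) in enumerate(alerts):
        if sid in OBS_MAP:
            rule, build, mode = OBS_MAP[sid]
            derived.append((build(src, dst), mode, rule, frozenset([i])))
    for fact, mode, _, obs in list(derived):        # one internal-model step
        for rule, pred, conseq, cap in INT_RULES:
            if fact[0] == pred:
                derived.append((conseq(fact), weaker(mode, cap), rule, obs))
    proofs = {}
    for fact, mode, rule, obs in derived:
        proofs.setdefault(fact, []).append((rule, mode, obs))
    result = {}
    for fact, plist in proofs.items():
        mode = max((m for _, m, _ in plist), key=RANK.get)
        likely = [o for _, m, o in plist if m == "l"]
        # Proof strengthening: two 'likely' proofs on disjoint observations make it certain.
        if mode == "l" and any(a.isdisjoint(b) for a in likely for b in likely):
            mode, plist = "c", plist + [("strengthenedPf", "c", frozenset().union(*likely))]
        result[fact] = (mode, plist)
    return result

# Constructed alert tuples mirroring the two observations in the trace above.
ALERTS = [("122:1", "192.168.10.90", "192.168.70.49"),
          ("1:1807", "128.111.49.46", "192.168.10.90")]

def certainly_compromised(alerts=ALERTS):
    """Hosts H with int(compromised(H), c), i.e. the answer to the show_trace query."""
    return sorted(f[1] for f, (m, _) in reason(alerts).items()
                  if f[0] == "compromised" and m == "c")
```

With only one of the two alerts the host is merely "likely" compromised; the "certainly" verdict appears only when both independent observations are present.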
Summary
• Open knowledge sharing and automated knowledge reuse are key to effective cyber defense
• Advantages of logic-based techniques
  – Publishing and incorporation of knowledge/information through well-understood logical semantics
  – Efficient and sound analysis by leveraging the reasoning power of well-developed logic-deduction systems
Who We Are
Argus: Cyber Security Research Group at Kansas State University
http://people.cis.ksu.edu/~xou/argus/
Contact me: Simon Ou, xou@ksu.edu