Analyzing and Profiling Attacker Behavior in Multistage Intrusions


Upload: kaycee

Post on 25-Feb-2016


PowerPoint PPT Presentation (transcript)

Analyzing and Profiling Attacker Behavior in Multistage Intrusions

Contents

- Introduction and Background
- Literature Review
- Methodology
- Implementation
- Evaluation
- Contribution
- Conclusion
- References

Introduction

- Advances in technology have brought more sophisticated intrusions, which make network security more challenging.
- Attackers have different intentions, and each attack may be carried out at a different level of skill.
- Understanding attacker behavior is important for understanding the possible risks.
- A government study [7] classifies attackers into 9 groups: amateurs, criminals, insiders, phishers, nations, hackers, terrorists, bot-network operators, and spyware/malware authors.

Introduction (Contd..)

- Amateurs: This group of attackers does not have much knowledge; they attack for fun.
- Criminals: Seek to attack systems for monetary gain. They use spam, phishing, and spyware/malware to commit identity theft and online fraud.
- Phishers: Execute phishing schemes in an attempt to steal identities or information for monetary gain.
- Terrorists: Seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security.

Attacker Groups

- Hackers: Break into networks by gaining unauthorized access, which requires a fair amount of skill or computer knowledge.
- Insiders: An insider's knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data.
- Nations: Use cyber tools as part of their information-gathering and espionage activities.
- Spyware/malware authors: Carry out attacks against users by producing and distributing spyware and malware.
- Bot-network operators: Use a network of remotely controlled systems (a bot-net) to coordinate attacks.

Problems with IDS (Contd..)

- It is very important to profile and predict attacker intentions so that the network can be protected accordingly.
- There is a need for an efficient way to identify the type of attacker.
- An IDS such as Snort [8] helps in detecting single-step intrusions, but not in detecting multistage attacks and attacker behavior, due to:
  - the huge number of alerts
  - the lack of a proper model that can detect multistage attacks
  - the lack of a method that can link multistage attacks to attacker behavior

Objective

Develop a system that can:
- Detect multistage attacks
- Analyze attacker behavior by classifying the activity
- Discover attacker behavior patterns
- Predict and profile the type of attacker based on behavior

Literature Review

- Multilevel alert clustering and intelligent alert clustering models [2] are well-formed techniques for reducing the number of alerts; however, the complexity of these models could degrade the performance of the system.
- Mathew et al. [1] present a technique for understanding multistage attacks using attack-track based visualization of heterogeneous event streams. They use event correlation based on attack tracks to determine the temporal relationships between the heterogeneous events.

Literature Review (Contd..)

- The above approach is useful for understanding the stages in a multistage attack, but not for predicting user behavior.
- A user behavior perception model based on a Markov process [7] was presented for intelligent mobile terminals. The model is based on the Markov process and also introduces ideas from machine learning and context-awareness. User behavior histories were used to discover user preferences, and information gathered from users was used to perceive their behavior.

Methodology

1. Processing the raw data
2. Alert grouping
3. Attacker behavior analysis
4. Preparation of semi-automatic HMM training
5. Training the Hidden Markov Model
6. Profiling and predicting attacker behavior

Collection and Generalization of Alerts

- The raw data was provided by ORNL, in pcap format.
- The generated alerts contain a lot of insignificant information, which needs to be eliminated.
- The essential details in each alert, such as the IP addresses of the source and destination hosts, the alert type, and the classification, are extracted.

Raw Snort alert:

[**] [1:2000537:6] ET SCAN NMAP -sS [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/17-09:30:09.298097 192.168.101.66:33966 -> 192.168.101.53:175
TCP TTL:49 TOS:0x0 ID:27814 IpLen:20 DgmLen:44
S* Seq: 0x3C25204F  Ack: 0x0  Win: 0x800  TcpLen: 24
TCP Options (1) => MSS: 1460

Collection and Generalization of Alerts (Contd..)

A generalized alert, keeping only the alert type, time stamp, source and destination:

(portscan) TCP Portscan, 07/17-10:03:27.114495, 192.168.101.66, 3387, 192.168.101.54, 4497

Fields: Source, Destination, Time stamp, Alert type

Alert Grouping

- Snort [8] generates thousands of alerts each day, many of which might be false alarms. With such a large number of alerts it is not possible to profile and predict attacker behavior.
- On average an alert is generated every 2 milliseconds, so the alerts need to be grouped.
- Alerts generated from the same source, targeted at the same destination, for the same purpose (i.e. with the same alert type), and generated within one second of each other are grouped together.

Grouped alert:

192.168.101.56, 192.168.72.1, 07/17-10:59:06, ET SCAN NMAP, 70, 50

Fields: Source, Destination, Time stamp, Alert type, Count, Behavior code

Attacker Behavior Analysis

- Based on a government study in 2010 [7], the attackers are divided into different groups such as amateurs, criminals, insiders, terrorists, and hackers.
- To predict attacker behavior we use a Hidden Markov Model (HMM) [9], a machine learning algorithm, to analyze these attackers' behavior by defining a set of rules for each type of attacker.
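The generalization and grouping steps above (raw Snort alert to the essential fields, then one record per source/destination/alert-type run) as an added worked example; this is not the presentation's Java code. The four raw alerts are constructed for the example, and the one-second rule is taken to mean "within one second of the previous alert in the same group", which is an assumption about the slide's wording.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not the ORNL dataset): four raw Snort alerts in
# the layout shown on the slides, with made-up addresses, ports and times.
RAW_ALERTS = """
[**] [1:2000537:6] ET SCAN NMAP -sS [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/17-09:30:09.298097 192.168.101.66:33966 -> 192.168.101.53:1755
TCP TTL:49 TOS:0x0 ID:27814 IpLen:20 DgmLen:44

[**] [1:2000537:6] ET SCAN NMAP -sS [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/17-09:30:09.812000 192.168.101.66:33967 -> 192.168.101.53:1756
TCP TTL:49 TOS:0x0 ID:27815 IpLen:20 DgmLen:44

[**] [1:2000537:6] ET SCAN NMAP -sS [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/17-09:30:12.000000 192.168.101.66:33968 -> 192.168.101.53:1757
TCP TTL:49 TOS:0x0 ID:27816 IpLen:20 DgmLen:44

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
07/17-09:30:12.100000 192.168.1.24 -> 192.168.1.1
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (?P<cls>[^\]]+)\]")
ADDR_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$", re.M)


def parse_alerts(text):
    """Generalize raw alerts: keep source, destination, time stamp, alert type
    and classification; drop TTL/TOS/ID/sequence numbers and other packet detail."""
    alerts = []
    for block in text.strip().split("\n\n"):
        header, cls, addr = HEADER_RE.search(block), CLASS_RE.search(block), ADDR_RE.search(block)
        if not (header and addr):
            continue  # not an alert block we understand; skip it
        alerts.append({
            "time": datetime.strptime(addr["ts"], "%m/%d-%H:%M:%S.%f"),
            "src": addr["src"], "dst": addr["dst"],
            "type": header["msg"],
            "classification": cls["cls"] if cls else "",
        })
    return alerts


def group_alerts(alerts, window=timedelta(seconds=1)):
    """Group alerts with the same source, destination and alert type that arrive
    within `window` of the previous alert of that group (assumption, see lead-in)."""
    groups = []
    open_groups = {}  # (src, dst, type) -> index of the group currently being filled
    for al in sorted(alerts, key=lambda a: a["time"]):
        key = (al["src"], al["dst"], al["type"])
        idx = open_groups.get(key)
        if idx is not None and al["time"] - groups[idx]["last"] <= window:
            groups[idx]["count"] += 1
            groups[idx]["last"] = al["time"]
        else:
            groups.append({"src": al["src"], "dst": al["dst"], "time": al["time"],
                           "last": al["time"], "type": al["type"], "count": 1})
            open_groups[key] = len(groups) - 1
    return groups


def format_group(g):
    """Render a group in the comma-separated form of the slide (behavior code not yet assigned)."""
    return "%s, %s, %s, %s, %d" % (g["src"], g["dst"], g["time"].strftime("%m/%d-%H:%M:%S"),
                                   g["type"], g["count"])


if __name__ == "__main__":
    for g in group_alerts(parse_alerts(RAW_ALERTS)):
        print(format_group(g))
```

On the constructed input the first two NMAP alerts are 0.5 s apart and collapse into one record with count 2, the third NMAP alert is more than a second later and starts a new record, and the ICMP PING stays separate because its key differs.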

Hidden Markov Model λ = (A, B, π, N), where N is the number of states:
- π: state (initial) probabilities
- A: transition probabilities
- B: emission or observation probabilities

Attacker Behavior Analysis (Contd..)

We have defined five stages, which are also the hidden states in the HMM:
- Scanning
- Enumeration
- Access attempt
- Malware attempt
- Denial of service

Stages in the multistage attack

- Scanning: The attacker tries to gather information about the target system. Observation: ICMP PING
- Enumeration: The attacker tries to find the vulnerabilities of the target system. Observation: CHAT_MSN
- Access attempt: The attacker tries to gain access to the target system's resources. Observation: SQL version overflow attempt
- Denial of service: The attacker tries to deny service to other users. Observation: NETBIOS SMB-DS Trans Max Param DOS attempt
- Malware attempt: The attacker tries to execute their own code on the target system. Observation: SHELLCODE_x86_NOOP

Preparation of Semi-Automatic HMM Training

Preparation of Semi-Automatic HMM Training (Contd..)

- Maps alerts (observations) into one of the five hidden states.
- For example, an alert of type ICMP PING is usually considered a scanning type, and an alert of type SHELLCODE X86 INC EXC NOOP is considered an exploitation (malware attempt) type.
- As of now we have around 88 rules to train our model. Once the rule set is defined, we map a state name to each alert by applying the rules.

07/14-13:12:54.775367 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.24 -> 192.168.1.1

Fields: Alert type, Attacker, Victim, Time stamp

Preparation of Semi-Automatic HMM Training (Contd..)

- We have classified all the alerts into five sets, the same as the states in our model, depending on the type of alert.
- Once the rule set is defined, the state name is assigned to each alert by applying the rules:

Scanning, 07/14-13:12:54.775367, Misc activity, 192.168.1.24, 192.168.1.1

Fields: State, Time stamp, Classification, Attacker, Victim

Training the Hidden Markov Model

Steps:
1. Initialization: initializes the state, transition, and observation probabilities.
2. Forward algorithm: calculates the observation probabilities based on the observed sequence.
3. Backward algorithm: calculates the state and transition probabilities based on the observation probabilities and the sequence.
4. Re-estimation of probabilities: re-estimates the state, transition, and observation probabilities by iterating the above three steps a number of times.
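The semi-automatic training procedure (rule-based labelling of alerts, then the initialization, forward, backward and re-estimation steps) as one added worked example. This is not the presentation's code and does not use Jahmm; it is a plain-Python Baum-Welch over a handful of constructed rules and a constructed alert sequence, with the rule-labelled states used to seed the initial probabilities (an assumption about how the "semi-automatic" preparation feeds the training).

```python
import math

STATES = ["Scanning", "Enumeration", "Access attempt",
          "Malware attempt", "Denial of service"]

# Constructed rule set: a few keyword -> hidden-state rules in the spirit of the
# ~88 rules mentioned on the slides (the real rule set is not on the page).
RULES = [
    ("ICMP PING", "Scanning"),
    ("SCAN", "Scanning"),
    ("CHAT_MSN", "Enumeration"),
    ("overflow attempt", "Access attempt"),
    ("SHELLCODE", "Malware attempt"),
    ("DOS attempt", "Denial of service"),
]

# Constructed alert-type sequence for one attacker (not ORNL data).
SAMPLE_ALERT_TYPES = [
    "ICMP PING", "ICMP PING", "ET SCAN NMAP -sS", "CHAT_MSN",
    "SQL version overflow attempt", "SHELLCODE_x86_NOOP",
    "ICMP PING", "ET SCAN NMAP -sS", "CHAT_MSN",
    "NETBIOS SMB-DS Trans Max Param DOS attempt",
]


def map_alert_to_state(alert_type):
    """First matching rule wins. None means no rule matched and a person has to
    label the alert; that manual step is what makes the training semi-automatic."""
    for keyword, state in RULES:
        if keyword.lower() in alert_type.lower():
            return state
    return None


def normalize(row):
    total = sum(row)
    return [x / total for x in row]


def initial_estimates(states, obs, n_states, n_symbols):
    """Initialization: count-based pi, A and B from the rule-labelled sequence,
    with add-one smoothing so no probability starts at exactly zero."""
    pi = [1.0] * n_states
    A = [[1.0] * n_states for _ in range(n_states)]
    B = [[1.0] * n_symbols for _ in range(n_states)]
    pi[states[0]] += 1
    for s, o in zip(states, obs):
        B[s][o] += 1
    for s, s_next in zip(states, states[1:]):
        A[s][s_next] += 1
    return normalize(pi), [normalize(r) for r in A], [normalize(r) for r in B]


def forward(A, B, pi, obs):
    """Forward algorithm: alpha[t][j] = P(o_1..o_t, state_t = j)."""
    n = len(pi)
    alpha = [[pi[j] * B[j][obs[0]] for j in range(n)]]
    for t in range(1, len(obs)):
        prev = alpha[-1]
        alpha.append([sum(prev[i] * A[i][j] for i in range(n)) * B[j][obs[t]] for j in range(n)])
    return alpha


def backward(A, B, obs):
    """Backward algorithm: beta[t][i] = P(o_{t+1}..o_T | state_t = i)."""
    n = len(A)
    beta = [[1.0] * n]
    for t in range(len(obs) - 2, -1, -1):
        nxt = beta[0]
        beta.insert(0, [sum(A[i][j] * B[j][obs[t + 1]] * nxt[j] for j in range(n)) for i in range(n)])
    return beta


def log_likelihood(A, B, pi, obs):
    return math.log(sum(forward(A, B, pi, obs)[-1]))


def baum_welch(A, B, pi, obs, iterations=20):
    """Re-estimation: repeat forward, backward and the update formulas."""
    n, m, T = len(pi), len(B[0]), len(obs)
    div = lambda a, b: a / b if b > 0 else 0.0  # guard for states that never occur
    for _ in range(iterations):
        alpha, beta = forward(A, B, pi, obs), backward(A, B, obs)
        P = sum(alpha[-1])
        gamma = [[alpha[t][i] * beta[t][i] / P for i in range(n)] for t in range(T)]
        xi = [[[alpha[t][i] * A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j] / P
                for j in range(n)] for i in range(n)] for t in range(T - 1)]
        pi = gamma[0][:]
        A = [[div(sum(xi[t][i][j] for t in range(T - 1)), sum(gamma[t][i] for t in range(T - 1)))
              for j in range(n)] for i in range(n)]
        B = [[div(sum(gamma[t][j] for t in range(T) if obs[t] == k), sum(gamma[t][j] for t in range(T)))
              for k in range(m)] for j in range(n)]
    return A, B, pi


def train_from_alerts(alert_types, iterations=20):
    """Whole pipeline: rules label the alerts, counts seed the model, Baum-Welch
    refines it. Every alert type must match a rule (otherwise label it by hand first)."""
    symbols = sorted(set(alert_types))
    obs = [symbols.index(a) for a in alert_types]
    states = [STATES.index(map_alert_to_state(a)) for a in alert_types]
    pi, A, B = initial_estimates(states, obs, len(STATES), len(symbols))
    before = log_likelihood(A, B, pi, obs)
    A, B, pi = baum_welch(A, B, pi, obs, iterations)
    return {"A": A, "B": B, "pi": pi, "symbols": symbols,
            "loglik_before": before, "loglik_after": log_likelihood(A, B, pi, obs)}


if __name__ == "__main__":
    model = train_from_alerts(SAMPLE_ALERT_TYPES)
    print("log-likelihood: %.3f -> %.3f" % (model["loglik_before"], model["loglik_after"]))
```

Each re-estimation pass can only raise the likelihood of the training sequence, so comparing the log-likelihood before and after training is a cheap sanity check on an implementation; on sequences of realistic length the forward variables underflow and a scaled variant (as in Stamp's tutorial [9]) is needed.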

Training the Hidden Markov Model (Contd..)

Table 3.1 Behavior Classification

Attacker Groups                                       | Behavior
------------------------------------------------------|------------------------------------------------------------------------------
Amateur                                               | Scanning + Enumeration
Insider, Phisher, Spyware/Malware, Botnet (ISBN)      | Access attempt + Denial of service + Malware attempt
Criminal groups, Terrorists, Hackers, Nations (CTHN)  | Scanning + Enumeration + Access attempt + Malware attempt
Terrorists, Hackers (TH)                              | Scanning + Enumeration + Denial of service
Terrorists, Hackers, Criminal groups (THC)            | Scanning + Enumeration + Access attempt + Denial of service + Malware attempt

Prediction of Attacker Behavior

- As we have trained our system and stored the probabilities in our database, the next step is to match the set of incoming alerts with one of the stored behaviors.
- To find the closest behavior for a set of alerts, we use the Kullback-Leibler distance calculator [6]. The Kullback-Leibler (K-L) distance [6] is a measure of the similarity between two completely determined probability distributions.

Attacker Behavior Analysis

The Kullback-Leibler distance (K-L)

Definition: Let p1(x) and p2(x) be two continuous probability distributions. By definition, the K-L distance D(p1, p2) between p1(x) and p2(x) is:

Basic Properties

- D(p1, p2) is the mean of the quantity log[p1(x)/p2(x)], with p1(x) being the reference distribution.
- The K-L distance is always nonnegative. It is zero only when the two distributions are identical.
- It is common to encounter the symmetric version of the K-L distance between p1 and p2: Ds(p1, p2) = [D(p1, p2) + D(p2, p1)] / 2
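The matching step of "Prediction of Attacker Behavior" and the K-L properties above, as an added worked example (not the presentation's Jahmm-based calculator). It compares the stage distribution of an attacker's alerts against one constructed profile per behavior class of Table 3.1 using the symmetric distance Ds. The profiles are invented for the example; the real system would use the distributions of its stored, trained HMMs. The smoothing constant is an assumption added to handle the zero-probability case, which the slides do not discuss.

```python
import math

STAGES = ["Scanning", "Enumeration", "Access attempt",
          "Malware attempt", "Denial of service"]

# Constructed stage-occupancy profiles for the five behavior classes of
# Table 3.1 (which stages each class spends its time in). These are made up
# for the example; real profiles would come from the stored, trained HMMs.
PROFILES = {
    "Amateur": [0.6, 0.4, 0.0, 0.0, 0.0],
    "ISBN":    [0.0, 0.0, 0.4, 0.3, 0.3],
    "CTHN":    [0.3, 0.2, 0.3, 0.2, 0.0],
    "TH":      [0.4, 0.3, 0.0, 0.0, 0.3],
    "THC":     [0.2, 0.2, 0.2, 0.2, 0.2],
}


def smooth(p, eps):
    """Add eps to every cell and renormalize, so no q(x) is exactly zero."""
    s = [x + eps for x in p]
    total = sum(s)
    return [x / total for x in s]


def kl_distance(p, q, eps=1e-9):
    """Discrete K-L distance D(p, q) = sum_x p(x) log(p(x)/q(x)), with p the
    reference distribution. A zero in q where p is positive would make the
    ratio infinite, so both sides are smoothed (an assumption of this example)."""
    p, q = smooth(p, eps), smooth(q, eps)
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))


def symmetric_kl(p, q):
    """Ds(p1, p2) = [D(p1, p2) + D(p2, p1)] / 2, the symmetric version from the slide."""
    return (kl_distance(p, q) + kl_distance(q, p)) / 2


def stage_distribution(stage_labels):
    """Turn the states assigned to one attacker's alerts into a distribution over stages."""
    counts = [stage_labels.count(s) for s in STAGES]
    total = sum(counts)
    return [c / total for c in counts]


def closest_profile(observed):
    """Return the behavior class with the smallest symmetric K-L distance, plus all scores."""
    scores = {name: symmetric_kl(observed, prof) for name, prof in PROFILES.items()}
    return min(scores, key=scores.get), scores


if __name__ == "__main__":
    # Constructed incoming alert states for one attacker.
    incoming = ["Scanning", "Enumeration", "Access attempt", "Malware attempt",
                "Scanning", "Enumeration", "Access attempt", "Malware attempt"]
    best, scores = closest_profile(stage_distribution(incoming))
    for name, d in sorted(scores.items(), key=lambda kv: kv[1]):
        print("%-8s Ds = %.4f" % (name, d))
    print("closest behavior:", best)
```

Because D(p1, p2) and D(p2, p1) differ (the reference distribution matters), ranking profiles with the one-sided distance can change the answer depending on which side the incoming alerts are placed on; the symmetric Ds removes that dependence, which is why it is the safer choice for profile matching.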

Implementation

Technologies we used:
- Clustering and Generalization: Java
- Attacker Behavior Analysis: Java, C#.net

APIs used:
- Hidden Markov Model: Jahmm [10]
- KL-Distance calculator: Jahmm [10]

Implementation (Contd..)

[Figure 1 Probability Distribution: State Probability, Transition Probability, Observation Probability]

Implementation (Contd..)

[Figure 2 Behavior Description]

Evaluation - Experimentation

[Figure: hosts in the experiment (192.168.0.192, 192.168.0.139, 192.168.0.1, 192.168.179.1, 192.168.133.1, 192.169.10.11, 192.168.0.10, 192.168.0.191) labelled as Attackers, Victims, Serious threats and Amateur type]

Evaluation - Results

[Figure 4 Behavior comparison; y-axis: 1/KL-Distance]

Contribution

- Grouping alerts
- Building an HMM model for each of the attacker groups
- Profiling the 5 HMM models
- Predicting attacker behavior by calculating the KL distance [3]

Conclusion

- In our study we achieved most of the expected results. Overall we had over 300 types of alerts generated through this process, which made our system able to detect most of the known attacks.
- Attacker behavior analysis is a very efficient way of finding the possible behavior of an attacker, which allows us to take action according to the attacker's intentions.

Demo

References

[1] S. Mathew, D. Britt, R. Giomundo, S. Upadhyaya, S. Sudit, Real-time Multistage Attack Awareness Through Enhanced Intrusion Alert Clustering, Situation Management Workshop (SIMA 2005), MILCOM 2005, Atlantic City, NJ, October 2005.
[2] Siraj, Vaughn, Multilevel Alert Clustering for Intrusion Detection Sensor Data, Fuzzy Information Processing Society, USA, 2005.
[3] Kullback-Leibler distance, http://www.aiaccess.net/English/Glossaries/GlosMod/e_gm_kullbak.htm
[4] Yang, Gasior, Katipally, Cui, Alerts Analysis and Visualization in Network-based Intrusion Detection Systems, The Second IEEE International Conference on Information Privacy, Security, Risk and Trust (PASSAT 2010), 2010, USA.
[5] Yang, Katipally, Gasior, Cui, Multistage attack detection system for network administrators, CSIIRW-6, 2010, USA.
[6] Manavoglu, Pavlov, Giles, Probabilistic User Behavior Models, Proceedings of the Third IEEE International Conference on Data Mining (ICDM 03), 2003, USA.
[7] CYBERSPACE: United States Faces Challenges in Addressing Global Cybersecurity and Governance, July 2010.
[8] http://www.snort.org
[9] Mark Stamp, A Revealing Introduction to Hidden Markov Models, 2008.
