Behavior Intrusion Detection: Enhanced (Hakan Evecek, Rodolfo Ortiz)

Posted on 19-Dec-2015


Page 1

Behavior Intrusion Detection: Enhanced
Hakan Evecek
Rodolfo Ortiz

Page 2

GOALS

1. Discuss the characteristics of Behavior Intrusion Detection Systems.
2. Monitor the timing of a sequence of DNS, ICMP and HTTP/HTTPS packets.
3. Provide the results.
4. Analyze the behavior of the protocols with the firewall enabled and disabled.
5. Present an approach to prioritize suspicious packets.
6. Show how to enhance a Behavior IDS.

Page 3

WHAT IS IDS?

IDS is concerned with the detection of hostile actions towards a computer system or network.

There are two types:

Anomaly detection (Behavior IDS)

Signature detection

Page 4

OVERVIEW OF BIDS

A Behavior IDS (BIDS) can be described as an alarm for unusual system behavior. It is based on statistics: a baseline of normal activity is learned during a training period, and traffic that deviates from the baseline is flagged.

Advantages
They do not need to know the details of an attack.
Dynamic: the baseline is updated automatically.

Disadvantages
Many false positives are generated during sensor training.
The training must be extensive so that the baseline is accurate.

Page 5

OVERVIEW OF BIDS

Anomalies to be detected:

Traffic to unused ports
A non-standard service assigned to a standard port (e.g. port 80 used for peer-to-peer file sharing)
Too much UDP/TCP traffic
More bytes coming into an HTTP server than going out of it

Page 6

THE PROJECT

Measure timing for DNS, ICMP and HTTP/HTTPS.
Establish a baseline for different packet sequences.
Label packets outside the baseline for further analysis.

[Figure: test-bed network diagram with the following components: Internet; IDSOuter (FC4), an IDS sensor; Firewall (FC4); DMZ (192.168.0.0/24) with the DNSServer and WebServer; Intranet (10.0.0.0/24) with Intra1 (XP) and Intra2 (Win2003); IDSInner (FC4), an IDS sensor with the BIDS database; switches DLink SW1, DLink SW2 and HP5000 SW.]

Page 7

ICMP

[Figure: ICMP sequence. Intra1 (XP) sends an ICMP Request through the Firewall to the SERVER, which returns an ICMP Reply; IDSInner captures the exchange, with timing points A, B, C and D marked on it.]

Page 8

DNS

[Figure: DNS sequence. Intra1 (XP) sends a DNS Request through the Firewall to the DNSSERVER, which returns a DNS Reply; IDSInner captures the exchange, with timing points A, B, C and D marked on it.]

Page 9

HTTP

[Figure: HTTP sequence between Intra1 (XP) and the WEBSERVER through the Firewall: SYN, SYN ACK, ACK, GET and the response; IDSInner captures the exchange, with timing points A through G marked on it.]

Page 10

HTTPS

[Figure: HTTPS sequence between Intra1 (XP) and the WEBSERVER through the Firewall, captured by IDSInner.]

SYN
SYN ACK
ACK
CLIENT HELLO
SERVER HELLO
CERTIFICATE
SERVER KEY EXCHANGE
CERTIFICATE REQUEST
SERVER HELLO DONE
CERTIFICATE
CLIENT KEY EXCHANGE
CERTIFICATE VERIFY
CHANGE CIPHER SPEC
FINISHED
APPLICATION DATA
APPLICATION DATA

(The CERTIFICATE REQUEST, client CERTIFICATE and CERTIFICATE VERIFY messages mean the web server was configured to require a client certificate. The server's own CHANGE CIPHER SPEC and FINISHED, which precede APPLICATION DATA in a full handshake, are not shown on the slide.)

Page 11

DATA OBTAINED

Units are in seconds.

In a normal distribution, approximately 99.7% of the population will be in the interval defined by μ ± 3σ (three standard deviations around the mean).

μ + 3σ works well for the upper bound, but the lower bound is defined by μ − 1σ: the distribution of reply times is not symmetric, since a delay can be arbitrarily long but cannot be shorter than the minimum round trip.

Using the formula above, we get the confidence interval [μ − σ, μ + 3σ].

Page 12

ICMP

[Figure: ICMP timing (sec) per packet sequence number, y-axis 0.000075 to 0.000235. Blue: firewall enabled; pink: firewall disabled. Packets outside the range (3 times the standard deviation) are circled.]

ICMP                          Firewall enabled   Firewall disabled
Mean                          0.000119           0.000106
Standard Deviation            0.000023           0.000011
% inside the above interval   93.33%             96.67%

Page 13

DNS

[Figure: DNS timing (sec) per packet sequence number, y-axis 0.000285 to 0.000735. Blue: firewall enabled; pink: firewall disabled. Packets outside the range (3 times the standard deviation) are circled.]

DNS                           Firewall enabled   Firewall disabled
Mean                          0.000352           0.000345
Standard Deviation            0.000038           0.000023
% inside the above interval   98.64%             100.00%

Page 14

HTTP vs. HTTPS

[Figure: HTTP and HTTPS timing (sec) per packet sequence number with the firewall enabled, y-axis 0.000000 to 0.020000. Blue: HTTP; pink: HTTPS. Packets outside the range (3 times the standard deviation) are circled.]

Page 15

HTTP vs. HTTPS

[Figure: HTTP and HTTPS timing (sec) per packet sequence number with the firewall disabled, y-axis 0.000000 to 0.009000. Blue: HTTP; pink: HTTPS. Packets outside the range (3 times the standard deviation) are circled.]

Page 16

HTTP vs. HTTPS

                              Firewall enabled       Firewall disabled
                              HTTP       HTTPS       HTTP       HTTPS
Mean                          0.000582   0.004463    0.000561   0.004320
Standard Deviation            0.000064   0.001574    0.000033   0.000708
% inside the above interval   98.48%     98.99%      98.99%     99.49%

Page 17

PROPOSED APPROACH

Using the standard deviation, the intervals are defined, starting from 3 times the standard deviation for the upper bound and 1 time for the lower bound:

Upper bound: μ + 3σ
Lower bound: μ − 1σ

Label the suspicious packets and give them priorities based on their distance from the confidence interval.

Page 18

ICMP

[Figure: ICMP timing (sec) per packet sequence number, firewall enabled, y-axis 0.000000 to 0.000350. Bands above the confidence interval: 3 times the standard deviation (lower priority) and 6 times (higher priority); bands below it: 1 time (lower priority) and 2 times (higher priority).]

Page 19

DNS

[Figure: DNS timing (sec) per packet sequence number, firewall enabled, y-axis 0.000250 to 0.000700. Bands above the confidence interval: 3 times the standard deviation (lower priority) and 6 times (higher priority); bands below it: 1 time (lower priority) and 2 times (higher priority).]

Page 20

HTTP

[Figure: HTTP timing (sec) per packet sequence number, firewall enabled, y-axis 0.000400 to 0.001400. Bands above the confidence interval: 3 times the standard deviation (lower priority) and 6 times (higher priority); bands below it: 1 time (lower priority) and 2 times (higher priority).]

Page 21

HTTPS

[Figure: HTTPS timing (sec) per packet sequence number, firewall enabled, y-axis 0.000000 to 0.025000. Bands above the confidence interval: 3 times the standard deviation (lower priority) and 6 times (higher priority); bands below it: 1 time (lower priority) and 2 times (higher priority).]

Page 22

SUSPICIOUS PACKETS

The suspicious packets are defined as those outside the confidence interval.

They are then prioritized and labeled based on their distance from the mean.

How do we know it is an attack?

Define a behavior for each kind of attack, e.g. worms.
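As an added, worked example of the interval and priority scheme from pages 11 and 17 to 22 (illustrative code written for this transcript, not the authors' tool and not Snort code): it learns μ and σ from a training run, applies the asymmetric interval [μ − σ, μ + 3σ], assigns the two priority tiers (3σ and 6σ above the mean, 1σ and 2σ below it), and reports the share of packets inside the interval, as in the "% inside the above interval" rows. The ICMP-like timings are constructed and are not the measurements from pages 12 to 16.

```python
"""Added example (not from the original slides): timing baseline and priority labels.

Implements the interval described on pages 11 and 17: upper bound mu + 3*sigma,
lower bound mu - 1*sigma, plus the higher-priority tiers from pages 18-21
(above mu + 6*sigma, below mu - 2*sigma). Sample timings are constructed.
"""
from dataclasses import dataclass
from statistics import mean, stdev
from typing import Iterable, List, Optional, Tuple

# Sigma multiples from the slides. The interval is asymmetric: the upper side is
# looser (delays have a long right tail), the lower side tighter.
UPPER_LOW, UPPER_HIGH = 3.0, 6.0
LOWER_LOW, LOWER_HIGH = 1.0, 2.0


@dataclass(frozen=True)
class Baseline:
    mu: float      # mean timing in seconds
    sigma: float   # standard deviation in seconds

    @property
    def lower(self) -> float:
        return self.mu - LOWER_LOW * self.sigma

    @property
    def upper(self) -> float:
        return self.mu + UPPER_LOW * self.sigma


def train_baseline(timings: Iterable[float]) -> Baseline:
    """Learn mu and sigma from a training run (the 'sensor training' of page 4)."""
    data = list(timings)
    if len(data) < 2:
        raise ValueError("need at least two samples to estimate sigma")
    sigma = stdev(data)
    if sigma == 0.0:
        raise ValueError("zero variance: every deviation would be infinite")
    return Baseline(mean(data), sigma)


def label(t: float, b: Baseline) -> Optional[str]:
    """Priority of one timing: None (inside the interval), 'low' or 'high'."""
    z = (t - b.mu) / b.sigma          # signed distance in standard deviations
    if z > UPPER_HIGH or z < -LOWER_HIGH:
        return "high"
    if z > UPPER_LOW or z < -LOWER_LOW:
        return "low"
    return None


def fraction_inside(timings: Iterable[float], b: Baseline) -> float:
    """Share of timings inside [lower, upper] (the '% inside the above interval' rows)."""
    data = list(timings)
    inside = sum(1 for t in data if b.lower <= t <= b.upper)
    return inside / len(data)


def suspicious(timings: Iterable[float], b: Baseline) -> List[Tuple[int, float, str]]:
    """(sequence number, timing, priority) for every packet outside the interval."""
    return [(i, t, p) for i, t in enumerate(timings)
            if (p := label(t, b)) is not None]


# Constructed ICMP-like reply timings in seconds (not the authors' measurements).
TRAIN = [0.000100, 0.000110, 0.000120, 0.000130, 0.000140]
LIVE = [0.000125, 0.000190, 0.000250, 0.000100, 0.000085]

if __name__ == "__main__":
    b = train_baseline(TRAIN)
    print(f"mu={b.mu:.6f}s sigma={b.sigma:.6f}s interval=[{b.lower:.6f}, {b.upper:.6f}]")
    print(f"training samples inside interval: {fraction_inside(TRAIN, b):.0%}")
    for seq, t, prio in suspicious(LIVE, b):
        print(f"packet {seq}: {t:.6f}s -> {prio} priority")
```

Two things to check before using a scheme like this on real traffic. First, the lower bound: under a perfectly normal distribution about 16% of benign samples fall below μ − σ, which is why one of the five constructed training samples is flagged here; the bound is only defensible because reply timings are skewed and bounded below, so measure the false-positive rate on the training set (the fraction_inside value) before trusting it. Second, a training run with zero variance (all identical timestamps, e.g. from a capture with coarse clock resolution) makes every deviation infinite, so the baseline refuses it rather than flag everything.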

Page 23

WORMS BEHAVIOR

Based on "A behavioral approach to worm detection" [20].

A:? -> C:D
C:? -> E:D

Hosts A, C and E are infected. D is the port number; ? is an arbitrary source port.

We need to look for this pattern of information, the behavioral signature, in the database.
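An added example (not the authors' code and not from [20]) of searching stored connection records for the chain on this page: a host that was contacted on port D and afterwards itself connects to another host on port D, so that a server for D has turned into a client for D. Hosts, port numbers and the connection log are constructed; the choice of port 445 is arbitrary.

```python
"""Added example (not from the slides or from reference [20]): find the worm
propagation chain of page 23, A:? -> C:D followed by C:? -> E:D, in a table of
connection records. All hosts, ports and records below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Conn:
    ts: float    # time the connection was seen, seconds
    src: str     # client host (its source port is the '?' of the signature)
    dst: str     # server host
    dport: int   # destination port, the 'D' of the signature


def propagation_chains(conns: List[Conn], min_hops: int = 2) -> Dict[int, List[List[str]]]:
    """Per destination port D, list every chain X1 -> X2 -> ... -> Xn in which each
    host was first contacted on port D and then itself connected to the next host
    on port D. Chains shorter than min_hops hops (default 2, i.e. A -> C -> E) are
    ignored, so ordinary client -> server traffic never matches."""
    infected_by: Dict[Tuple[str, int], str] = {}   # (host, D) -> first host that hit it on D
    chains: Dict[int, List[List[str]]] = {}
    for c in sorted(conns, key=lambda r: r.ts):     # order matters: A->C must precede C->E
        key = (c.src, c.dport)
        if key in infected_by:
            chain = [c.dst, c.src]                  # walk back from the newest victim
            host = c.src
            while (host, c.dport) in infected_by and infected_by[(host, c.dport)] not in chain:
                host = infected_by[(host, c.dport)]   # the 'not in chain' test stops on cycles
                chain.append(host)
            chain.reverse()
            if len(chain) - 1 >= min_hops:
                chains.setdefault(c.dport, []).append(chain)
        infected_by.setdefault((c.dst, c.dport), c.src)
    return chains


def infected_hosts(conns: List[Conn], min_hops: int = 2) -> Dict[int, Set[str]]:
    """Hosts implicated by at least one chain, per port (A, C and E on page 23)."""
    return {port: {h for chain in cs for h in chain}
            for port, cs in propagation_chains(conns, min_hops).items()}


# Constructed connection log: a three-hop chain on port 445 and ordinary web traffic.
RECORDS = [
    Conn(1.0, "10.0.0.5", "10.0.0.7", 445),       # A -> C:D
    Conn(2.0, "10.0.0.7", "10.0.0.9", 445),       # C -> E:D  (C was a server for D, now a client)
    Conn(2.5, "10.0.0.9", "10.0.0.11", 445),      # E -> F:D  (the chain grows)
    Conn(3.0, "10.0.0.20", "192.168.0.10", 80),   # client -> web server
    Conn(3.5, "10.0.0.21", "192.168.0.10", 80),   # another client; the server never turns client
]

if __name__ == "__main__":
    for port, cs in propagation_chains(RECORDS).items():
        for chain in cs:
            print(f"port {port}: {' -> '.join(chain)}")
    print("infected:", infected_hosts(RECORDS))
```

The signature is purely behavioral, so it needs no knowledge of the worm's payload, which is the advantage claimed for a BIDS on page 4. Its weakness is the one the conclusion on page 26 points at: a legitimate host that is both server and client on the same port (an HTTP proxy on 80, a mail relay on 25, a DNS forwarder on 53) produces the same chain, so the match should be combined with the timing interval and with traffic volume before it is treated as an attack.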

Page 24

FUTURE WORK

What to do with the packet? How to know whether it comes from an intruder?
What data do we need to store?
How to collect the data towards an automated process?
How can SNORT create the intervals automatically?
Implement the approach in SNORT's source code.
Analyze other protocols.

Page 25

FUTURE WORK

Analyze other scenarios, such as an Internet server instead of a local server.
Analyze wireless communication.
DNSSEC.
Behavioral signatures for other attacks.

Page 26

CONCLUSION

Timing is important, but other variables, such as performance, also need to be considered before making a decision. This decreases false positives.

The intervals work for the protocols studied; results may differ for other protocols.

The intervals need to be tested against attacks such as DDoS and worms.

The HTTP and HTTPS graphs differ because HTTPS exchanges more information (the handshake) and its timing varies more, as the standard deviations on page 16 show.

Page 27

REFERENCES

Stephen Northcutt, Judy Novak. Network Intrusion Detection. New Riders, 2003.
John McHugh, Alan Christie, Julia Allen. Defending Yourself: The Role of Intrusion Detection Systems. IEEE Software, 2000.
Angela Cearns. Design of an Autonomous Anti-DDoS Network (A2D2). Thesis, 2002.
Rafeeq Ur Rehman. Intrusion Detection with SNORT. Prentice Hall, 2003.

Page 28

QUESTIONS?