collaborative intrusion detection system & … to execute arbitrary commands ... – do away...
TRANSCRIPT
Slide 1/39DCSL: Dependable Computing Systems Lab
Collaborative Intrusion Detection System & Application to VoIP
Saurabh BagchiDependable Computing Systems Lab
School of Electrical and Computer EngineeringPurdue University
Joint work with: Vinita Apte, Bingrui Foo, Yu-Sung Wu, Eugene H. Spafford
http://shay.ecn.purdue.edu/~dcsl
Slide 2/39DCSL: Dependable Computing Systems Lab
Intrusion Detection: What?
• Intrusion Detection System (IDS) detects deviation of allowable system behaviors or subversion of security policy
• IDS market is divided into two groups– Host-based– Network-based
Slide 3/39DCSL: Dependable Computing Systems Lab
Intrusion Detection: A little bit of past and present
• Past:– IDSs came about in 1970s and looked very different– Mainframe computers were pricey beasts and people had to pay good
money for cycles on them– IDS were for checking if anyone was stealing cycles
• Present: – The US Treasury Department estimates cybercrime proceeds in 2004 were
$105 billion, greater than those of illegal drug sales.– 2005 FBI/CSI Computer Crime and Security Survey found nearly nine out of
10 U.S. businesses suffered from a computer virus, spyware or other online attack in 2004 or 2005
– The process of downloading and installing the latest Microsoft patches which may be as small as 70 megabytes (MB) or as large as 260 MB, takes longer then the time it takes for an unpatched computer to be compromised
– IDS and Firewalls are the first line of defense
Slide 4/39DCSL: Dependable Computing Systems Lab
Intrusion Detection: Types
• IDSs are based on two alternative choices– Anomaly based: Specify the normal behavior of users or machines
• Example: System CPU utilization between midnight and 5 am is no more than 50%
– Misuse based: Specify the signatures of attacks• Example: Detect a string like ‘rm –rf /’
• Metrics for evaluating IDSs– False positives, or False alarms– False negatives, or Missed alarms
False alarms are often seen in anomaly based IDSMissed alarms are often seen in misuse based IDS
Slide 5/39DCSL: Dependable Computing Systems Lab
Challenges of current IDS
• Traditional IDS only probes at a point of a system – Limited view of the whole system– The coverage and accuracy of your detection depends solely on the
ingenious pattern description or signature definition corresponding to that specific point
– Loose rules => Better coverage but more false alarms (ex: “/usr/bin/gcc”)
– Strict rules => Better accuracy but more missing alarms (ex: “/usr/bin/gcc wormX.c”)
• Our approach: Collaborative Intrusion Detection Systems (CIDS)– Multiple detectors specialized for different parts of system– Manager infrastructure for combining alarms from multiple detectors
Slide 6/39DCSL: Dependable Computing Systems Lab
CIDS Approach - Motivation
• Single IDS (detector) can have false positives (false alarms) or false negatives (missed alarms)– It only tells you YES or NO. – Usually can’t tell you how much the alarm can be trusted.
• Single IDS (detector) is specialized for certain kinds of attacks– Limited view of the whole attack => less accuracy– An single attack could have multiple symptoms (cascaded attack)
• Combining information from multiple detectors might help detection accuracy
• Future automatic responses mechanism will heavily rely on the quality of the alarms from IDS
• Timing and correlation information might be useful for estimating speed of propagation of attack
Slide 7/39DCSL: Dependable Computing Systems Lab
CIDS Architecture
N/Wlayer
Systemlayer
Applicationlayer
Manager
DxxElementary Detector
Message Queue
Applicationlayer
N/Wlayer
Systemlayer
D1 D2
D3 D4CT
Applicationlayer
N/Wlayer
Systemlayer
D5
D3 D4CT
CT Connection Tracker
Keys
N/Wlayer
Systemlayer
Applicationlayer
Manager
DxxElementary Detector
Message Queue
Applicationlayer
N/Wlayer
Systemlayer
D1 D2
D3 D4CT
Applicationlayer
N/Wlayer
Systemlayer
D1 D2
D3 D4CT
Applicationlayer
N/Wlayer
Systemlayer
D5
D3 D4CT
CT Connection Tracker
Keys
Slide 8/39DCSL: Dependable Computing Systems Lab
CIDS Components• Elementary Detectors (EDs): Specialized detectors
distributed through the system – The EDs may be off-the-shelf and minimal change is required for
integration into CIDS (e.g. Snort, Libsafe)– Different hosts may have different configurations of EDs
• Message Queue (MQ): Communication layer for multiple CIDS components– Secure through a shared secret key and hash digest
• Connection Tracker (CT): Kernel level entity to track which process has active connection on which port (bridge between NIDS and HIDS)
• Manager: Responsible for collating alerts from EDs and generating a combined alert expected to be more accurate
Slide 9/39DCSL: Dependable Computing Systems Lab
Manager Architecture
Manager
Host 1
Rules
Inference Engines
Host 2 Host N
………….
Event Dispatcher
Translation Engine
Combining Engine
Rules
Inference Engines
Combining Engine
Rules
Inference Engines
Combining Engine
Rules
Inference Engines
Combining Engine
Elementary DetectorsElementary Detectors
Global (system wide)
Events
Translates native alert formats into the standard format : Events
Dispatches the event to the appropriate host’s Inference Module
Matches the received events against the Rule Objects to come up with a determination of disruption.
Combine decisions from multiple Inference Engines
Global Inference Module correlates events across the whole system (across hosts)
Slide 10/39DCSL: Dependable Computing Systems Lab
Graph-Based Inference Engine
A
B
C
D
E
2
1
2
4
1
Rule Object #1
S3 A
B
C
D
E
2
1
2
4
1
Rule Object #1
S3
•Rules are represented as graphs•Nodes are events and Edges represent sequencing of events•Edge weights represent assurance values indicating likelihood of sequence
• Assurance Value (AV) for an attack given by sum of edge weights• An event is matched with a rule object if it is fusionable, i.e., belongs to
the same disruption instance• Discounted Assurance Value (DAV) for partial matches
DAV = AV × (Partial path length/Complete path length)Alert Probability = DAV/(maximum AV)
Slide 11/39DCSL: Dependable Computing Systems Lab
• AC,Snort => 2/7=0.286• AC,Libsafe =>[(2+2)*2/3]/7=0.38• AC,Snort,Libsafe=>(2+2)/7=0.57
Graph-Based Inference Engine (cont’d)
Apache Chunk Attack
1000
Snort
1001LibSafe
1002
SIGSEGV
1004
2 2
2 1File
Access
1002
2
2
Slide 12/39DCSL: Dependable Computing Systems Lab
Bayesian Network Based Inference Engine• In a Bayesian Network, the nodes represent random variables modeling
the events and edges the direct influence of one variable on another• Three step process for creating rule object
– Nodes to represent events– Edges to represent conditional probability relations among the events– Creation of table with conditional probability values
OpenSSLAttack
1100
Snort
1101
LibSafe
1002
SIGSEGV
1004
0.90.1TRUETRUE
0.20.8TRUEFALSE
0.70.3FALSETRUE
0.10.9FALSEFALSE
TRUEFALSE
LibSafeSnortOpenSSL
Attack
0.90.1TRUETRUE
0.20.8TRUEFALSE
0.70.3FALSETRUE
0.10.9FALSEFALSE
TRUEFALSE
LibSafeSnortOpenSSL
Attack
0.70.3TRUE
0.30.7FALSE
TRUEFALSE
SnortOpenSSL
Attack
0.70.3TRUE
0.30.7FALSE
TRUEFALSE
SnortOpenSSL
Attack • Bayesian Network toolbox used for solving• Input is fusionable event stream• Output is conditional probability of root (the start node – OpenSSL Attack here)
Slide 13/39DCSL: Dependable Computing Systems Lab
CIDS System: Current Implementation
Web ClientWeb
ServerAppl.Server
Database
1. Create profile2. Browse catalog3. Create shopping cart4. Check out shopping cart
Slide 14/39DCSL: Dependable Computing Systems Lab
CIDS Elementary Detectors
• Application level: Libsafe. Middleware to intercept “unsafe” C function calls and prevent stack overflow attacks.
• Network level: Snort. Sniffs on incoming network packets and matches against rulebase to perform misuse based detection.
• Kernel level: Sysmon. Home-grown new detector.– Intercepts system calls for file accesses and executions.– Takes a set of rules for disallowed accesses or executions
• Can be specified using wildcards or directory tree– Intercepts signals of interest that can flag illegal operations.
• SIG_SEGV to indicate segmentation violation that may be caused by buffer overflow
Slide 15/39DCSL: Dependable Computing Systems Lab
Simulated Attacks• Three classes of attacks, multiple types within each class,
and multiple variants within each type– Buffer overflow: Can be used to overwrite parts of stack and write
and execute malicious code• Apache chunk attack• Open SSL attack
– Flooding: Overwhelm the network with redundant or malicious packets causing a denial of service
• Ping flood• Smurf
– Script based: Exploit poorly written scripts which do not do input validation to execute arbitrary commands
• Used unchecked Perl open() and system() calls
Slide 16/39DCSL: Dependable Computing Systems Lab
Results: Performance – Without Attacks• Measured without and with attacks• 30 web clients running concurrently• (Transactions/second) of workload transaction measured• When multiple EDs present, manager with both Inference Engines is deployed
13.21
12.8812.76
12.66 12.7212.52
12.6112.47
12.88 12.8212.73 12.69
12.00
12.40
12.80
13.20
13.60
No detector Libsafe Sysmon Snort Libsafe +Sysmon
Sysmon +Snort
Snort +LibSafe
LibSafe +Snort +Sysmon
(NF) Snort (NF) Snort+ Libsafe
(NF) Snort+ Sysmon
(NF)Libsafe +Snort +Sysmon
Trans/sec
No Intrusion
• Degradation overall: 3.95% with Snort rules modified, 5.60% without
Slide 17/39DCSL: Dependable Computing Systems Lab
Results: Performance – With Attacks
• OpenSSL Attack performance degradation is 6.33%• Chunk Attack performance improves!!!
– Having Libsafe prevents core dumping
• Highest performance degradation due to Matlab Bayesian Network toolbox
11.19
12.30
13.13
12.30
10.00
11.00
12.00
13.00
14.00
No ED All EDs No ED All EDs
Chunk Attack Chunk Attack Open SSL Attack Open SSL Attack
Tran
s/se
c
Slide 18/39DCSL: Dependable Computing Systems Lab
Results: Accuracy of DetectionSnort Libsafe Sysmon (Signal) Sysmon
(File)CIDS(Alert Prob. > 0.5 ? )
No attacks Yes (1807,1933) No No No No attack
Open SSL Yes (1881,1887) No Yes R1 Yes
Open SSL variant No No Yes R1 Yes
Apache Chunk Yes (1807, 1808, 1809)
Yes Yes R1 Yes
Smurf 1000 Yes (499) No No No Yes
Smurf 500 No No No No No
Ping Flooding Yes (523, 1322) No No No Yes
Script No No No Yes Yes
• Yes: Detected. Figures in parentheses are the rule numbers within Snort. Sysmon(File) is the file access detection part, Sysmon(Signal) is the illegal signal detection part; R1: The attack was not successful in creating a file.
Slide 19/39DCSL: Dependable Computing Systems Lab
CIDS Summary
• CIDS can accommodate best-of-breed detection techniques (existing off-the-shelf detectors can be easily integrated) and provides management and correlation facility
• Two algorithms for correlating alerts– Graph-based– Bayesian network based
• Both false alarms and missing alarms are reduced• Output of the two correlation algorithms are probability
values telling you how possible that attack has happened.• Performance degradation after using CIDS is around 3.95%
under normal operations (without attacks) and 6.33% when being operated under OpenSSL attacks
Slide 20/39DCSL: Dependable Computing Systems Lab
Application of CIDS to a Voice over IP (VoIP) Application
Slide 21/39DCSL: Dependable Computing Systems Lab
VoIP Basics• First launched in Feb 1995 – Vocaltec Inc.• Allows transport of voice traffic over IP networks
– Cost savings due to convergence of networks– Do away with internal EPABX systems
• Protocols– RTP: Data transport– SIP, H.323: Signaling
• Some VoIP predictions:– 12 million VoIP users by end of 2007 [Forrester Research]– 100 million VoIP users by the end of 2011 [ON World Research]
"By 1985, machines [computers] will be capable of doing any work Man can do." – Herbert A. Simon, of Carnegie Mellon University, one of the founders of the field of artificial intelligence (1965)
Slide 22/39DCSL: Dependable Computing Systems Lab
VoIP Call Mechanism
sip:[email protected] sip:[email protected]
INVITE
Client A
INVITE
INVITE
Client B
Proxy Server Proxy Server
OK
OK
OK
RTP Data
SIP Request
SIP Response
Slide 23/39DCSL: Dependable Computing Systems Lab
Distributed IDS for VoIP Application
• Distributed Intrusion Detection System for VoIP networks -SPACEDIVE
• Why build an IDS just for VoIP?– Soft real-time requirements– Attack can take place across a session– Attack across protocols
• Why correlation based detection?– Multiple components in a VoIP system– One attack may span many components– One detector cannot have a complete view of the different stages of attack
• Approach:– Local detector using fast network pattern matching– Remote detector to correlate alerts– Stateful and cross-protocol detection
Slide 24/39DCSL: Dependable Computing Systems Lab
Rule Matching Engine (RMEL)
Protocol Stacks Snort Rules
Sniffing Module
Local Event Trail
Event Parser
Network Event Trail
Sniffing Module
Protocol Stacks Snort Rules
State Repository
Local Event Trail
Event Parser
Rule Matching Engine - (RMER)
Rule Matching Engine (RMEL)
SPACEDIVE Design – Local Level
Slide 25/39DCSL: Dependable Computing Systems Lab
LAN1
LAN1
RMER
LAN2LAN2
RMEH
RMEL RMEL
RMEL RMEL
RMER
SPACEDIVE Design – Remote Level
Slide 26/39DCSL: Dependable Computing Systems Lab
Low Level Rule Language
• Snort rules– Limited capability for remembering state– Events span multiple packets– Events span multiple protocols
• New constructs– var – set the value of a state variable– event – trigger a local event– net_event – trigger a network-level event– seqwin (protocol specific - RTP) – specify maximum tolerance for out-
of-order packets– Connectors: AND/OR/NOT/BEFORE/AFTER
Slide 27/39DCSL: Dependable Computing Systems Lab
Sample Rules
1. alert udp Client_IP any -> Server_IP 5060 (content:”INVITE”; var invite;)
2. alert udp Server_IP any -> Client_IP any (content:”sip:OK”; var ok;)
3. event(ok AFTER invite;) # trigger local event
4. alert rtp my_IP 6000 (seqwin:50; var:dos);
5. event(dos;)6. net_event(dos;) # network event –
# notification # sent to RMER
Slide 28/39DCSL: Dependable Computing Systems Lab
High Level Rule Language• Specified at the RMERs• General format
R =((wherei:whati)conni)response (i= 1,…,N)
• Sample Rule
(C1:RTP_DATA) AFTER (C2:SESSION_TERM) alert
Slide 29/39DCSL: Dependable Computing Systems Lab
Efficient Matching• event ((rv3 OR (rv1 AND rv2)) AND rv4)
AND
OR rv4
AND
rv1 rv2
rv3
TRUE
AND
rv4TRUE
“tree roll-up”
Slide 30/39DCSL: Dependable Computing Systems Lab
Experimental Testbed
Internet
SIP Proxy and Registrarmmpc1.ecn
SIP Proxy and Registrar
msee233dlnx1.ecn
RMER RMER
RMEH
Domain 1 Domain 2
Client AClient B
Client C
S1 S2
Software
Servers: openser
Clients: Xlite
Slide 31/39DCSL: Dependable Computing Systems Lab
Attack Scenarios• Call Hijacking• Man in the Middle Attack• BYE Attack• Compromised SIP Proxy• Billing Fraud• Denial of Service (DoS) Attack
Slide 32/39DCSL: Dependable Computing Systems Lab
Man in the Middle Attack
S2 HS1A B
Invite
Challenge
InviteInvite
Invite with Response to challenge
Challenge
Invite with Response to
challenge
Invite404 Not Found
OK
OKOK
S2 HS1A B
Invite
Challenge
InviteInvite
Invite with Response to challenge
Challenge
Invite with Response to
challenge
Invite404 Not Found
OK
OKOK
Slide 33/39DCSL: Dependable Computing Systems Lab
Rules for Detection
(S1:SIP_OK) AND (S2:SIP_OK) AND (NOT(B:SIP_OK)) alert
RMEH
alert udp S2_IP any -> B_IP any (var:rv3; content:OK;) net_event (rv3;)
B
alert udp S1_IP any -> S2_IP any (var:rv2; content:OK;) net_event (rv2;)
S2
alert udp A_IP any -> S1_IP any (var:rv1; content:OK;) net_event (rv1;)
S1
RuleComponent
Slide 34/39DCSL: Dependable Computing Systems Lab
Timeline for correlated detectionLocal event
detection at S1Local event
detection at S2 Attack detected at RMER
Time (ms)
t = 0 t=3.6 t=5.2
• Detection latency depends upon timeout interval• Timeout interval is a configurable parameter dependent on
– Network delay– Processing capacity
Slide 35/39DCSL: Dependable Computing Systems Lab
Resilience to DoS
• Case 1: Client A without SPACEDIVE
• Case 2: Client A with SPACEDIVEdrop rtp A_IP 6000 (seqwin:50; var:dos);
Client A
M
B64 kbps
Slide 36/39DCSL: Dependable Computing Systems Lab
Resilience to DoS: Results
0
0.25
0.5
0.75
1
0 100 200 300 400 500 600
Data rate of malicious node (kbps)
Qua
lity
(Nor
mal
ized
)
Quality (without SpaceDive)
Quality (with SpaceDive)
Slide 37/39DCSL: Dependable Computing Systems Lab
SPACEDIVE Summary• We designed and built an IDS for VoIP systems• We showed that it could correlate across protocols and
components• It was scalable and could perform fast matching of network
packets
I. Vinita Apte, Yu-Sung Wu, Saurabh Bagchi, Sachin Garg, and Navjot Singh, “SPACEDIVE: A Distributed Intrusion Detection System for Voice-over-IP Environments,” Appeared at the IEEE International Conference on Dependable Systems and Networks (DSN), June 25-28, 2006, Philadelphia, USA.
II. Saurabh Bagchi, Yu-Sung Wu, Sachin Garg, Navjot Singh, and Tim Tsai, “SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments,” In Proceedings of the IEEE Dependable Systems and Networks Conference (DSN), pp. 401-410, June 28-July 1, 2004, Florence, Italy.
III. Yu-Sung Wu, Bingrui Foo, Yongguo Mei, and Saurabh Bagchi, "Collaborative Intrusion Detection System (CIDS): A Framework for Accurate and Efficient IDS," In Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC), pp. 234-244, December 2003.
Slide 38/39DCSL: Dependable Computing Systems Lab
What’s Next?• What do we do once we know with reasonable certainty that an
intrusion is in progress– Send alert to the poor system admin at midnight asking her to hurry into the
lab and do something– Place the order for a new cluster of machines and tell my lab mates that their
data and code is gone – heck! I detected it– Provide automatic containment of the current attack and response to make
the system less vulnerable to future attacks
• We did it for client-server VoIP applications. What about peer-to-peer VoIP applications? Think Skype.– Looser trust relations– Arbitrary joins and leaves of entities
Slide 39/39DCSL: Dependable Computing Systems Lab
Come Join Us at DCSL• We are looking for 2 PhD students who can make it happen• Desirables
– Good programming skills in C and C++– Good network programming skills– Not afraid to do experiments with real systems, real code, and real attacks
• If interested, send mail to: [email protected] explaining why you think there is a fit and attaching a plain text resume
Slide 40/39DCSL: Dependable Computing Systems Lab
Backup Slides
Slide 41/39DCSL: Dependable Computing Systems Lab
Manager Architecture• Manager communicates with other entities through MQ and
has shared secret key with each ED• Manager components are
– Translation engine: Translates native alert formats into CIDS format– Event dispatcher: Dispatches the event to the appropriate host’s
Inference Engine instance– Inference Module: An Inference Module contains multiple Inference
Engines and a Combining Engine. We have an Inference Module for each host and we also have a global Inference Module.
– Inference Engine: Matches the received events against the Rule Objects to come up with a determination of disruption.
• A separate instance of the Local Inference Engine for each host • A Global Inference Engine for correlating the results from the local
engines• Rule Objects store the rules, one for each class of disruption
– Combining Engine: If multiple types of inference engine, this combines the detection decisions from inference engines.
Slide 42/39DCSL: Dependable Computing Systems Lab
Performance of Rule Matching• Rule matching overhead
• Defined 4 categories of rules:– Type 0: Snort rule matched in Snort
– Type 1: Snort rule matched in SPACEDIVE
– Type 2: Use var construct to set the value of a variable. – Type 3: Create local event in the event trail
Slide 43/39DCSL: Dependable Computing Systems Lab
Performance of Rule-Matching: Results
0
10
20
30
40
50
60
Type 0
Type 1
Type 2
Type 3
- 1 va
riable
Type 3
- 2 va
riable
s
Type 3
- 4 va
riable
s
Type 3
- 8 va
riable
s
Rule Type
Tim
e (µ
s)