Intrusion Detection System for Applications using Linux Containers
Amr Abed, Charles Clancy, David Levy
Agenda: Background, Overview, Evaluation, Conclusion
Linux Containers
Anomaly Detection Technique: Sliding Window & BoSC

The three slides animate one pass of the technique: a window slides over the system-call trace one call at a time, the calls inside the window are counted into a Bag of System Calls (BoSC) using the syscall index map, and the resulting BoSC is inserted into (or counted in) the normal-behavior database.

Syscall index map (syscall → index):
  sendto   0
  select   1
  futex    2
  lseek    3
  pwrite   4
  …        …
  other    42

Step 1. Current window (6 calls) over the trace:
  … [futex futex sendto futex sendto pwrite] sendto futex …
  BoSC: [2,0,3,0,1,0,…,0]   (sendto = 2, futex = 3, pwrite = 1)

  Normal-behavior database (BoSC → frequency):
  …                      …
  [2,1,2,0,1,0,…,0]      5
  [2,0,3,0,1,0,…,0]      1

Step 2. The window slides one call forward:
  … futex [futex sendto futex sendto pwrite sendto] futex …
  BoSC: [3,0,2,0,1,0,…,0]   (sendto = 3, futex = 2, pwrite = 1)
  This BoSC is not in the database yet, so it is added with frequency 1:
  …                      …
  [2,1,2,0,1,0,…,0]      5
  [2,0,3,0,1,0,…,0]      1
  [3,0,2,0,1,0,…,0]      1

Step 3. The window slides one call further:
  … futex futex [sendto futex sendto pwrite sendto futex] …
  BoSC: [3,0,2,0,1,0,…,0]   (same bag as in step 2)
  The BoSC already exists, so its frequency is incremented:
  …                      …
  [2,1,2,0,1,0,…,0]      5
  [2,0,3,0,1,0,…,0]      1
  [3,0,2,0,1,0,…,0]      2
Overview
Real-time Intrusion Detection

The architecture slides show the following pipeline:

Monitoring: the container under test is driven by mysqlslap and sqlmap; strace records the system calls of the monitored process into a behavior log, from which the syscall list is taken.

System Call Parsing: the syscall parser reads each system call from the behavior log, looks it up in the syscall index map, and feeds the syscall index into the sliding window; each window position yields a BoSC together with its frequency.

Learning System Behavior: each BoSC goes to the classifier, which stores it in the normal-behavior database.

Anomaly Detection: each BoSC goes to the classifier, which checks it against the normal-behavior database. BoSC matching? → OK; otherwise → STOP.
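The technique described above, as an added Python example (not code from the talk or its authors): it extracts syscall names from strace lines, builds BoSCs over a sliding window with the slides' index map, learns a normal-behavior database, and then counts mismatches per epoch against a detection threshold. The window size of 6, the shortened index map and the strict threshold comparison are assumptions; the sample trace is the one drawn on the slides.

```python
from collections import Counter, deque

# Syscall index map copied from the slides (sendto..pwrite); the slides continue up to
# index 42 ("other"). Kept short here: every unmapped call goes to the last index.
INDEX_MAP = {"sendto": 0, "select": 1, "futex": 2, "lseek": 3, "pwrite": 4}
OTHER_INDEX = len(INDEX_MAP)  # the "other" bucket (index 42 on the slides)

def parse_strace_line(line):
    """Return the syscall name from one strace line, or None for non-call lines."""
    head = line.split("(", 1)[0] if "(" in line else ""
    if not head or "resumed>" in line or head.startswith(("+++", "---")):
        return None
    return head.split()[-1]  # drops an optional "[pid N]" or timestamp prefix

def bosc(window):
    """Bag of System Calls for one window: count per syscall index (arguments ignored)."""
    vec = [0] * (OTHER_INDEX + 1)
    for name in window:
        vec[INDEX_MAP.get(name, OTHER_INDEX)] += 1
    return tuple(vec)

def train(trace, window_size):
    """Learning phase: the normal-behavior database maps each BoSC to its frequency."""
    db, win = Counter(), deque(maxlen=window_size)
    for name in trace:
        win.append(name)
        if len(win) == window_size:
            db[bosc(win)] += 1
    return db

def detect(trace, db, window_size, epoch_size, threshold):
    """Detection phase: per epoch of epoch_size calls, count windows whose BoSC is not in
    db; the epoch is flagged when mismatches exceed threshold (strict '>' is an assumption)."""
    epochs, win, calls, mismatches = [], deque(maxlen=window_size), 0, 0
    for name in trace:
        win.append(name)
        calls += 1
        if len(win) == window_size and bosc(win) not in db:
            mismatches += 1
        if calls == epoch_size:
            epochs.append((mismatches, mismatches > threshold))
            calls = mismatches = 0
    if calls:  # trailing partial epoch
        epochs.append((mismatches, mismatches > threshold))
    return epochs

# Constructed sample: the trace drawn on the slides, with a window of 6 calls.
SLIDE_TRACE = ["futex", "futex", "sendto", "futex", "sendto", "pwrite", "sendto", "futex"]
NORMAL_DB = train(SLIDE_TRACE, 6)  # {(2,0,3,0,1,0): 1, (3,0,2,0,1,0): 2}, as on slide 3
```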
Evaluation
Test Environment (figure): the container under test is driven by mysqlslap and sqlmap
Test Configuration

Test Parameters
• Epoch-size range: 1000, 1500, …, 4000 (total system calls per epoch)
• Detection-threshold range: 10, 20, …, 100 (mismatches per epoch)

System Input
• A trace of 3,804,000 total system calls was used
• Only system call names were used for training (no arguments)
• 875,000 system calls used for training
• 40 distinct system calls found
Individual Attack Types Tested

Reconnaissance (brute-force) attack
• Retrieve all information about the DBMS, e.g. users, roles, schemas, passwords, etc.
• Generated ~42,000 mismatches

DoS attack
• Using wildcards to slow down the database
• Generated 37 mismatches

OS takeover attempt
• Attempt to run the 'cat /etc/passwd' shell command (failed)
• Generated 279 mismatches

File-system access
• Copy /etc/passwd to the local machine
• Generated 182 mismatches
Test Results (figure): epoch size = 1000 system calls per epoch

Test Results (figure): detection threshold = 10 mismatches per epoch
Conclusion

High detection rate is easily achievable at a low detection threshold
• 100% at a detection threshold of 10 mismatches per epoch

High detection speed
• Minimum of 10 system calls (for 100% detection rate)
• Maximum of 1000 system calls (for an epoch size of 1000)

Non-zero FPR measured
• Nature of the running application (not repetitive)
  • State of the database changes from idle to active; the same workload may not generate exactly the same BoSCs
  • Expect better performance for an application that is repetitive by nature (e.g. Hadoop YARN)
• Memory-based learning technique
  • Looks for exactly the same BoSCs
  • Modify the technique to tolerate minor changes for better performance

Strong anomaly signal from anomalous data
• Malicious dataset: average 695 mismatches/epoch
• Normal dataset: average 33 mismatches/epoch

Relatively small overhead
• 5 MB for storing the normal-behavior database