New Methods in Attack Detection

Shambhu Upadhyaya (PI)Computer Science and Engineering

University at Buffalo

Kevin Kwiat (Program Manager)Air Force Research Lab, Rome, NY

CEISARE @2

Overall Outline

Road map

Significant accomplishments

Publications

Specific research projects

Results

Conclusion

CEISARE @3

Road Map I

Research Projects Encapsulation of owner’s intent (1998)

Reasoning framework for IDS (1999)

Secure voting protocol work (2000)

IDS simulation (2001)

Encapsulation of program’s intent, Building secure enclaves (2002)

Funding AFOSR seed grant (1999)

AFOSR grant through AFRL and in part through ACRC (2000 – 2004)

AFOSR summer fellowships (through RDL, II and NRC)

DARPA seedling (2003)

CEISARE @4

Road Map II

Students supported Kiran Mantha, MS, 2001 (Deloitte & Touche, NY)

Ramkumar Chinchani, MS, 2002 (PhD student)

Neelesh Arora, MS, 2003 (Thomson Financial, NY)

Ashish Garg (PhD student)

Anusha Iyer (PhD student)

Aarthie Muthukrishnan (MS student)

Madhu Chandrasekharan (MS student)

Others involved Ben Hardekopf (AFRL)

Alex Eisen (IASP Scholar)

Melissa Thomas (IASP Scholar)

CEISARE @5

Significant Accomplishments Research

Several publications, 1MS Thesis (2001), 1 Ph.D. dissertation (2004)

Funding from other agencies such as DARPA, NSA/ARDA

Conference/Workshops Panel organization (IEEE SRDS 2000), Tutorial in IEEE MILCOM 2002

Plenary talk at MMM-2003, St. Petersburg, Russia (upcoming)

Academic Center of Excellence status from NSA (2002), funding from DoD

Kevin Kwiat appointed as Research Associate Professor in CSE Dept.

Media Research cited in Scientific American, Dec. 2002

Associated Press coverage of MILCOM 2002 work

CEISARE @6

Publications Conferences/Workshops

SCS International SPECTS, 1999 (Upadhyaya & Kwiat)

SCS SSC, 2000 (Mantha, Chinchani, Upadhyaya, Kwiat)

IEEE Aerospace Conf. , 2001 (Hardekopf, Kwiat, Upadhyaya)

IEEE SMC Workshop, 2001 (Upadhyaya, Chinchani, Kwiat)

IEEE SRDS, 2001 (Upadhyaya, Chinchani, Kwiat)

SCS Int. SPECTS, 2001 (Hardekopf, Kwiat, Upadhyaya)

IEEE MILCOM, 2002 (Chinchani, Upadhyaya, Kwiat)

IEEE Int. IA Workshop, 2003 (Chinchani, Upadhyaya, Kwiat)

Book Chapter Kluwer Academic Press, 2003

Journals Several papers in the works

CEISARE @7

Research Projects Encapsulation of owner’s intent – Concept development, preliminary

simulation, investigation of scalability (Ref: Upadhyaya, Kwiat, SPECTS

1999, Mantha, Chinchani, Upadhyaya, Kwiat, SCSC 2000, IEEE MILCOM

2003)

Reasoning about intrusions (Chinchani, Upadhyaya, Kwiat, IEEE SMC

2001, SRDS 2001)

Building secure enclaves (Chinchani, Upadhyaya, Kwiat, IEEE IAW 2003)

Simulation support for IA experiments (Garg, Upadhyaya, Chinchani,

Kwiat, SCSC 2003)

Secure voting protocols (Hardekopf, Kwiat, Upadhyaya, IEEE Aero 2001)

CEISARE @8

Encapsulation of Owner’s Intent – A New Proactive Intrusion Assessment Paradigm

Very few anomaly detection systems work well

A major factor overlooked is User

Bring the user into the loop

Encapsulation of user’s intent serves as a “certificate”

Can you make more accurate detection decisions?

Working at high level attaches greater significance to semantics

to user’s operations

Contributes to user’s affirming the truth in COA

CEISARE @9

Where Does Our Work Fit In?

CEISARE @10

Salient Features of our IDS Handling threats posed by insiders

Rule-based misuse detectors not very successful

Anomaly detectors are more promising, but not practical due to

involved data collection, learning and high false alarms

Based on generation of a run-time plan for users

Composing verifiable assertions based on queries of users

Idea is based on sound principles of signature analysis

Does away with audit trail analysis

Detection of intricate and subtle attacks

Lower detection latency

CEISARE @11

Outline of the Central Topic Background and related work

Guidelines through lessons learned

An analogy and demonstration of Basic principle

Implicit vs Explicit intent encapsulation

Implementation of a small system

Related problems

Reasoning framework

Who watches the watcher?

Secure voting in distributed systems

Generic simulation platform development

Summary

CEISARE @12

Background and Related Work

Rule based [Ilgun et al., 95], [Cheng, 02], Wagner & Dean,

01]

Program behavior based [Ko et al., 97]

User behavior based [Spyrou, 96]

RBAC [Ferraiolo & Kuhn, 92]

Real-time detection (NADIR)

Distributed and concurrent schemes (DIDS, GrIDS,

EMERALD)

CEISARE @13

Guidelines

Use the principle of least privilege to achieve better

security

Use mandatory access control wherever appropriate

Data used for intrusion detection should be kept

simple and small

Intrusion detection capabilities are enhanced if

environment specific factors are taken into account

CEISARE @14

Thinking Out of the Box

RULES:

All 9 dots should be connected with no more than 4 straight lines

No tracing back and must be done without taking off your hand

CEISARE @15

Analogy from Control Flow Checking

Generate compile-time signatures & assertions and embed them into instruction stream

Monitor execution and look for discrepancy Technique is based on sound principles – EDC/ECC

SIG-REG SIG-GEN CU BD

COMPARATOR

AddressProcessorMemory

BUS

Tags Reset

Error Signal

CEISARE @16

Basic Principle

AssertionGenerator

SessionScope

FilterPlan

Generator

SprintPlan

RuntimeWatchdog

Engine

Tolerance limits,Counters,

Thresholds etc..

User

One-time effort

Runtime effort

RuntimeCommands

Intrusion Signal

CEISARE @17

User Intent Encapsulation

CEISARE @18

Intent as a Certificate

Even when IDS is accurate, decision may be wrong

User cannot be held accountable if he contests

Bring the user into loop early on

User (bona fide or intruder) is queried for his intent

Expressed intent becomes a certificate of normal user

activity

Issues

Process of encapsulation shouldn’t be intrusive

Capture maximum information with min. effort to the user

CEISARE @19

Implicit vs. Explicit Intent

CEISARE @20

Sketch of the Algorithm User logs into the system

Chooses the job s/he wishes to performCheck the size of the session scope

If too large,warn userUser wants to change it

Launch inter work-space level monitor

Create workspaces for the jobs

Launch workspace level monitor thread per workspaceLaunch command level monitor thread per command

Authenticate command

Monitor Command

YES

LoopReport command type

Report object accessed

CEISARE @21

Simulation and Results

A university environment was simulated

Client-server architecture using Sun Ultra Enterprise 450 Model

4400 and Sun Ultra 5’s running Solaris 2.7

Intrusion scenarios

Legitimate user

Intruder

Two legitimate logins

First login from user, second login from intruder

First login from intruder, second login from user

Two intruders login

CEISARE @22

Test Cases

User activity collected over two months

Test cases grouped into four categories

1-user, 1-user with multiple logins, multiple users, multiple users

with multiple logins

Two sets of experiments – worst case and average case

Legitimate and intrusive operations

32 attacks

Obvious ones such as transferring /etc/passwd files, exploiting

vulnerabilities such as rdist, perl 5.0.1

Subtle attacks similar to mimicry attacks

CEISARE @23

Screenshots of Query Interface

CEISARE @24

Another Illustration

CEISARE @25

Runtime Monitoring Setup

CEISARE @26

Summary of Results

Summary 1 User, No Multiple Logins 1 User, With Multiple Logins 2 Users, No Multiple Logins 2 Users, With Multiple LoginsUser Detection 87.50% 78.60% 74.90% 91.90%and Latency 33.4 35 36.1 29User False Positives 12.50% 21.40% 25.10% 8.10%

False Negatives 0% 0% 0% 0%User Detection 98% 89% 100% 94.70%and Latency 0 11 0 9.6

Intruder False Positives 0% 0% 0% 0%False Negatives 2% 11% 0% 5.30%

Intruder Detection 99% 100% 98.20% 100%and Latency 0.4 0.7 0.6 0.5User False Positives 0% 0% 0% 0%

False Negatives 1.40% 0% 1.80% 0%Intruder Detection 56% 81.30% 77.40% 91.50%

and Latency 15.9 14.8 17 27Intruder False Positives 0% 0% 0% 0%

False Negatives 44% 18.70% 22.60% 8.50%

CEISARE @27

Some Research Questions

What if the user lies to the query?

How do you enhance performance?

Who is watching the watcher?

How do you perform more comprehensive

evaluation?

CEISARE @28

1) What if the User Lies?

A cognate user is expected to specify a focused

session-scope

Selection of overly permissive session-scope

must be discouraged

Can be done by penalizing a quality of service

Monitoring cost can be drawn from user’s

budget

CEISARE @29

2) Performance Enhancements

Profiling user operations

Take into consideration frequency of operations and

temporal characteristics of system usage

Dynamically updating session-scope

In the statistical anomaly detection engine, one could

prune rarely used operations from the session-scope

One could allow users to update/refine session-scope

(but may disrupt the learning process)

CEISARE @30

Reasoning Framework A critical problem with anomaly detection is false positive

Intrusion flagging requires more than set inclusion check

Not a binary decision – Sequences of operations need to be considered

Cost analysis

Cost of operation

Cost of deviation

Cost of monitoring

Actions at higher levels defined in terms of actions at lower levels

Eg.,: (ReadByte, WriteByte) -> (CreateFile,deleteFile,WriteFile) -

>(HardDisk)

CEISARE @31

Cost Analysis Based Reasoning

Reasoning by stochastic modeling of job activity

Two thresholds Tl and Th defined

When cost maps into mid region, situation ambiguous

Cost gradients used to shrink the window

Algorithms developed to trigger threshold movements so that a speedy decision on intrusion can

be arrived

(Ref: IEEE SRDS 2001)

Tl Th

Non-intrusive Indeterminate Intrusive

Accumulated Cost, monotone, non-decreasing

CEISARE @32

3) Who is Protecting the Protector?

Tamper-resistant security monitoring Available choices

Replication (Chameleon at UIUC) Layered Hierarchy (AAFID at Purdue) Both can be easily compromised

Proposed solution Circulant graph Overhead is manageable There is no mutual trust

among the watchers (Ref: IEEE IWIA 2003)

CEISARE @33

4) Comprehensive Evaluation

0

20

40

60

80

100

120

140

1980 1985 1990 1995 2000 2005

Time

Intr

usi

on

det

ecti

on

mo

del

s

Current status of IDS

CEISARE @34

Our Approach

A generic platform for intrusion modeling and testing of

IDS

Desirable features

Test and evaluate any intrusion detection model

Measure performance for improvement

Consider variety of intrusion scenarios

Collect pre-deployment measures

Analogy is drawn from network simulators

CEISARE @35

What Exists in the Open? Other approaches

Razak: Network intrusion simulation

Schiavo & Rowe: Intrusion detection tutors

Roberts: Simulation of Malicious Intruders

What is lacking above?

None of the above provide a generic platform for

modeling and simulation

Performance of models cannot be evaluated

CEISARE @36

Our Steps

Study features of a variety of IDS

Consider network simulation and OS simulation

Develop a common language to facilitate various formats

conversion (interoperability)

Perform some case studies

(Ref: SCS SCSC 2003)

Even monitoring, Access control subsystems

CEISARE @41

Work in Progress

Intrusion detection and Proactive recovery (subcontract

to Colorado State University)

Dynamic Reasoning based User Intent Driven IDS

(DRUID) prototype development (DARPA seedling)

GUI for session scope input

Command monitor

Statistical Engine

Data analysis, training and testing

CEISARE @42

Prototype Status

CEISARE @43

Security Enhancement in Distributed Voting – A Related Project

Joint work with UB and AFRL

Guaranteeing owner’s intended result by

distributed monitoring and voter isolation

Uniquely combines fault tolerance and security

Doesn’t require trusted third party

CEISARE @44

Danger of 2-Phase Commit Protocol

• Phase 1: processors distribute their results and vote on them such that each processor determines the majority

• Phase 2: processor in the majority commits result to the user

User waits for

majority result

User is sent

malicious result -

majority trustworthy

SELF-DESTRUCT

CEISARE @45

Timed-Buffer Distributed Voting

• Addresses “last mile” of distributed voting

• Buffer until “silence is consent”

• Reverses 2-phase commit protocol

– Instead of voting then committing - commits first (to buffer) then votes (period of dissension)

– Prevents disastrous commit phase - unlikely for classical fault tolerance but not information attack

Suspect results buffered

Integrity restored and buffer released

untrustworthy trustworthy

CEISARE @46

ACRC Application of TB-DVAWIRELESS CLIENT

SECURE WIRELESS LINKSECURE WIRED LINK

GATEWAYSECURE SERVER

SECURE DATA IS EXPOSED

(when translated from IP standards to wireless and vice-a-versa)• Apply fault tolerance techniques to protect, detect, and react to attacks and enable service restoration

CEISARE @47

Summary

Developed a new intrusion assessment

paradigm – Encapsulation of owner’s intent

Brings user into the loop

User’s encapsulated intent serves as a

certificate

Feasibility study

Practical implementation study