company logo fsm based algorithms for ids design: an active discrete event system approach to...

Company

LOGO

FSM based Algorithms for IDS Design:

An Active Discrete Event System Approach to Intrusion Detection System for ARP Attacks

AgendaOutline

•Overview of IDSs

•Address Resolution Protocol (ARP)

•Overview

•Security issues in ARP

•Existing ARP Attack Detection Mechanisms and Motivation

•Active Discrete Event Systems (DES)

•FDD theory of DES for Detecting ARP attacks

•Modeling and Attack Detection

What is IDS?

Intrusion A set of actions aimed to compromise

the security goals, namely

Integrity, confidentiality, or availability, of a computing and networking resource

Intrusion detection The process of identifying and

responding to intrusion activities

IDS: Taxonomy

Location of Deployment Host based

• Monitor Computer Processes• File Integrity Checkers (system files, checksum e.g. hash

value)• Log File Analysis (attack s are encoded in terms of regular

exp.)

• Statistical Approach (session duration, CPU uses, no. of files open)

• System Call Monitoring (any deviation is compared with normal seq.)

Network based Monitor Network Traffic Packet Signatures Anomalous Activity

IDS: Taxonomy

Detection Methodology Signature based

• Detects known attacks whose syntax and behavior is known

• Can not detects new or novel attacks • Generate large number of False Positive

Alarms

Signature based Misuse Detection

Intrusion Patterns

activities

pattern matching

intrusion

Example: if (src_ip == dst_ip) then “land attack”

alert ip any any − > any any (msg : ”BAD TRAFFIC sameSRC/DST”; sameip; reference : cve,CVE−1999−0016; url,www.cert.org/advisories/CA−1997−28.html; classtype : bad − unknown; sid : 527; rev : 3; )

alert ip any any − > any any (msg : ”BAD TRAFFIC sameSRC/DST”; sameip; reference : cve,CVE−1999−0016; url,www.cert.org/advisories/CA−1997−28.html; classtype : bad − unknown; sid : 527; rev : 3; )

IDS: Taxonomy

Detection Methodology Anomaly based

• Can detects both known and unknown attacks

• Create normal (and/or attack) profile from training data set

• Require pure training dataset for profile generation

• Network packets are classified as Normal and Anomalous based on the profile

• Detects patterns that do not confirm expected or normal behavior

• Generate large number of False Positive Alarms

Anomaly Based Detection

activity measures

0102030405060708090

CPU ProcessSize

normal profileabnormal

probable intrusion

IDS: Taxonomy

Detection Methodology Event based

• Detects known attacks for which a signature can not be generated

• These attacks do not change the syntax and sequence of network traffic under normal and compromised situation

• Detection is through monitoring the difference in sequence of events (i.e. network packets) under normal and compromised situations

Agenda What is ARP?

Address Resolution Protocol maps IP address to MAC address

Purpose of ARP

32-bit Internet address

48-bit Ethernet address

ARP RARP

ARP CACHE : IP – MAC Bindings

IP MAC TYPE

10.0.0.2 00:00:00:00:00:02 dynamic

AgendaHow ARP works?

ARP Request is Broadcasted to all the hosts in LAN

10.0.0.1

10.0.0.3

10.0.0.2

00:00:00:00:00:01

00:00:00:00:00:03

00:00:00:00:00:02

Who has IP 10.0.0.2?

ARP Request

ARP Request

AgendaHow ARP works?

10.0.0.1

10.0.0.3

10.0.0.2

00:00:00:00:00:01

00:00:00:00:00:03

00:00:00:00:00:02ARP Reply

I have IP 10.0.0.2My MAC is 00:00:00:00:00:02

Unicast Reply from concerned host

Agenda What is ARP cache?

10.0.0.1

10.0.0.3

10.0.0.2

00:00:00:00:00:01

00:00:00:00:00:03

00:00:00:00:00:02

ARP cache : updated

IP MAC TYPE

10.0.0.2 00:00:00:00:00:02 dynamic

ARP Reply

Agenda ARP Packet

Ethernet : 1 IP : 0X800

OPCODE

1: ARP Request

2: ARP Reply

Size : 28 bytes

AgendaWhy is ARP vulnerable?

ARP is a stateless protocol

Hosts cache all ARP replies sent to them even if they

had not sent an explicit ARP request for it.

No mechanism to authenticate their peer

Agenda ARP Spoofing

Attacker sends forged ARP packets to the victim

10.0.0.1 10.0.0.200:00:00:00:00:01 00:00:00:00:00:02

I have IP 10.0.0.3My MAC is 00:00:00:00:00:02

ARP Reply

IP MAC TYPE

10.0.0.3 00:00:00:00:00:02 dynamic

Attacker

Victim

Agenda Man-in-the-Middle Attack

10.0.0.1

10.0.0.3

10.0.0.2

00:00:00:00:00:03

00:00:00:00:00:02ARP Reply

ARP Reply

Attacker

IP MAC TYPE

10.0.0.3 00:00:00:00:00:01 dynamic

IP MAC TYPE

10.0.0.2 00:00:00:00:00:01 dynamic

00:00:00:00:00:01

EXISTING TOOLS AND TECHNIQUES

Agenda

EXISTING TOOLS AND TECHNIQUES

Static ARP Cache entries—Fixed IP-MAC pairs Huge administrative effort

Does not scale on a large dynamic network

One new/changed host affects all the hosts

Port Security -- Bind switch port to specified MAC address and shut down

pot in case of change in MAC address of a transmitter IP.

If the first packet sent has spoofed IP-MAC pair, then genuine packets

may be dropped.

Agenda EXISTING TOOLS AND TECHNIQUES

ARPWATCH

maintains a database with IP-MAC mappings

any change detected is reported to administrator using syslog/email

ARP Defender

Hardware device running ARPWATCH

ArpGuard

keeps track of a MAC-IP mappings and alerts changes and invalid

mappings

If the first packet sent has spoofed IP-MAC pair, then genuine packets

may be dropped.

Agenda

EXISTING TOOLS AND TECHNIQUES

Signature and Anomaly based IDS High number of false alarms

Modifying ARP using Cryptographic Techniques Secure-ARP - Digital Signature for authentication

Ticket-based ARP – Tickets from Ticket-issuing Agents

Calls for Replacement of entire Network Stack

Additional overhead of cryptographic calculations

Change Standard ARP

Agenda EXISTING TOOLS AND TECHNIQUES

Active Spoof Detection Engine

Send TCP SYN packets to probe IP-MAC pairs

Receive SYN/ACK if port is open or RST if closed

No response => malicious host

Violation of network layering architecture

Active Man in the Middle Attack Detector IDS finds Systems with IP forwarding enabled Spoof the ARP cache of all such systems: Now all traffic forwarded

by such systems reach IDS

Additional network Traffic

Difficulty in poisoning ARP cache of the attacker

Agenda

Motivation: What is Required in an IDS for ARP attacks

Should not modify the standard ARP Should generate minimal extra traffic in the network Should not require patching, installation of extra

software in all the systems Should detect a large set of LAN based attacks Use a state-transition based framework with

“active” component

ARP ATTACK DETECTION

USING ACTIVE DISCRETE EVENT

SYSTEM

Agenda

Assumptions of the LAN

1. Non-compromised hosts will send a response to an ARP

request within a specific interval Treq

2. IDS is running on a trusted machine with fixed IP

3. Port mirroring is enabled at the switch

The IDS has two network interfaces – one is used for data collection in the

LAN through port mirroring and the other is exclusively used for

sending/receiving ARP probes requests/replies.

Agenda

Network Architecture

Port Mirroring is enabled at the switch

E is working as IDS

Attacker

IDS

A C

B

E

D

Switch

Monitor Port

Probe Port

Agenda

Terminology

RQP: Request Packet RSP: Response Packet PRQP: Probe Request PRSP: Probe Response IPS: Source IP IPD: Destination IP MACS: Source MAC IPD: Destination MAC

RQPIPS : Source IP address of the Request Packet (RQP) Similarly for all cases…..

AgendaDES model and Failure Detection

Simplicity of both the model and the associated algorithms.

Most of the dynamic systems can be viewed as DESs at some level of abstraction.

A DES is characterized by a discrete state space and some event driven dynamics.

Process ModelSignal from sensors

Diagnostic results

The diagnosis problem for a DES model is to determine the fault status of the

states within a finite number of observations after the occurrence of a fault

along all possible traces of the system

Agenda

DES Model Requirements (in addition to Sampath et al. [6])

Requires Timing Information

Need to note time of arrival of packets

Size of domains of variables involved in DES modeling for IDS is very large

compared to systems usually handled by model

Model variables are also incorporated –extended automata [sekar et al.]

AgendaActive DES Model

AgendaActive DES Model: Transitions

AgendaActive DES Model: Traces

AgendaActive DES Model: Measurability

AgendaActive DES Model: Measurability

AgendaActive DES Model: Measurability

AgendaActive DES Model: Controllability

Not a possible scenario

AgendaActive DES Model: Failures

An ExampleAn Example

fa ilu re

a b c

a ' b' c' d'

1 2

3

1 ' 2 '

3 '

4 '

5 '

4

AgendaActive DES Model: Fi-Diagnosable

A DES model is Fi-Diagnosable for failure Fi under a measurement

limitation if:

s t

• trace s ends with in a failure state• trace t is a sufficiently long continuation of trace s• “any trace of the system that looks like st must contain a

failure state of same type as fi”

1

s.t. [ s ( ){ ( ) / (| | )}]

: [ ( )], ( )

i i i

i

F F f F

F

n N X t L G s t n D

D u P P st final u X

Where,

( ) { ( ) | the last transition of is

measurable and ends in a state}iF f

i

X s L G s

F

AgendaDiagnoser

Daignoser is represented as a directed graph O = < Z, A >

Z set of detector states called O-states

A set of detector transitions called O-transitions

Each O-state z Z comprises a subset of equivalent model

states representing uncertainty about the actual states

Each O-transition a A is set of equivalent model transitions

representing uncertainty about actual transition that occurs

AgendaFi –Diagnosability Conditions

fa ilu re

a b c

a ' b' c' d'

1 2

3

1 ' 2 '

3 '

4 '

5 '

(a ) A ct iv e D ES M o de l

z1

{ a ,a '}

a1 ={1 ,1 ' } z2

{ b,b'}z3

{ c ,c '}

a2 ={2 ,2 ' }

a3 ={3 ,3 ' }

a4 ={4 ' } z4

{ d'}

a5 ={5 '}

(b) D ia g n o s e r fo r D ES m o de l (a )

4

z5

{ c}a6 ={4 }

a7 ={4 }

Example (Contd..)

Active DiagnosabilityExample (Contd..): Active Diagnosis

a b c

a ' b' c' d'

1 2

3

1 ' 2 ' 4 '

5 '

( c) A ct iv e D ES M o de l: a f t e r t ra ce { 1 ',2 ',3 '} e lim in a te d

(d) D ia g n o s e r fo r D ES m o de l ( c)

z1

{ a ,a '}

a1 ={1 ,1 ' } z2

{ b,b'}z3

{ c ,c '}

a2 ={2 ,2 ' }a4 ={4 ' } z4

{ d'}

a5 ={5 '}

z5

{ c}a6 ={4 }

a7 ={4 }

4

fa ilu re

Agenda

Active DES for Modeling ARP Attacks

LAN

A

B

C

D

Host

Host

Host

Host

IDS

Supervisory Controller

Diagnoser

All Traffic of LAN due to Port Mirroring

Probe RequestControllable Event

Attack Detection

Agenda

Active DES for Modeling ARP Attacks

Attacks Considered: Request Spoofing

= { RQP, RSP, PRQP, PRSP, failure } States with

no primes correspond to normal situation

single prime ( ’ ) correspond to request spoofing

Model Variable set V = { IPS, MACS }

IPS has the domain as D1 = { x.x.x.x | x {1, 2, · · · , 255 } }

MACS has the domain as D2 = { hh−hh−hh−hh−hh−hh | h Hex }

Clock variable y determines if the probe responses have arrived within

Treq time of sending the corresponding request.

Agenda

DES model: Normal Condition

s2 s3 s41, 2, , , ,{ ,

},{ 0}IPS

MACS

s s RQP IPS RQP

MACS RQP y

2, 3, ,{ }, ,

,{ 0}}IPDs s PRQP IPS PRQP

y

3, 4, ,{ , },{ },

,

IPS MACS reqs s PRSP IPS PRSP MACS PRSP y T

1 :uc

2 : c3 :uc

s1

4, 1, , , ,

,

s s

4 :uc5 : c

2,1,

,,{

},

,req

ss

yT

Agenda

DES model: Request Spoofing

s2'

s3' s4’

1', 2 ', , , ,{ ,

},{ 0}IPS

MACS

s s RQP IPS RQP

MACS RQP y

2',

3',

,{},

,

,{0}}

IPD

ssPRQPIPS

PRQP

y

3', 4 ', ,{ , },{ },

,IPS MACS reqs s PRSP IPS PRSP MACS PRSP y T

s5’

4 ', 5 ', ,{ , ! },{ },

,IPS MACS reqs s PRSP IPS PRSP MACS PRSP y T

1' :uc

2 ':c

3' :uc 4' :uc

s1'

5', 1', , , , ,s s

7' : c

s6' s7’6' :uc

3', 6 ', ,{ , ! },{ },

,

IPS MACS reqs s PRSP IPS PRSP MACS PRSP y T

6", 7", ,{ , },{ },

,IPS MACS reqs s PRSP IPS PRSP MACS PRSP y T

7 ', 1', , , ,

,

s s

5' :uc

8' :uc

2 ', 1', , , ,

,

reqs s y T

4 ', 1', , , , ,reqs s y T

6 ', 1', , , , ,reqs s y T

3', 1', , , , ,reqs s y T

9' :uc

11' :uc

10' :uc

12' :uc

Agenda

Normal/Attack certain O-state

Normal certain O-state : An O state which contains only model

states corresponding to normal situation (N-O node)

Attack Certain O-state : An O-state which contains only model

states corresponding to attacks (Fi-certain O-node)

Normal/Attack certain O-states denote that the current model

state estimate comprises only normal/attack states, thereby,

making a decision (Fi-uncertain O-node)

Agenda

Daignoser for ARP Spoofing Attacks

1 11: , 'a

57

:'

a

z1:s1,s1' z2:

s2,s2'2 22 : , 'a

z3:s3,s3'

3 33: , 'a

z5:s6'

z4:s4,s4'

5 74 : , 'a 10

5 :'

a

4 126 : , 'a

49 : 'a z7:s5'

z6:s1'

Two Indeterminate cycles:

z1-z2 : Avoided by sending PRQP

z1-z2-z3-z4: May not be avoided, depends on response for PRQP1. IP address of the IP-MAC pair being verified is not up2. IP address of the IP-MAC pair being verified is that of attacker

Two Indeterminate cycles:

z1-z2 : Avoided by sending PRQP

z1-z2-z3-z4: May not be avoided, depends on response for PRQP1. IP address of the IP-MAC pair being verified is not up2. IP address of the IP-MAC pair being verified is that of attacker

Agenda

DES model: Request Spoofing

s2'

s3' s4’

1', 2 ', , , ,{ ,

},{ 0}IPS

MACS

s s RQP IPS RQP

MACS RQP y

2',

3',

,{},

,

,{0}}

IPD

ssPRQPIPS

PRQP

y

3', 4 ', ,{ , },{ },

,IPS MACS reqs s PRSP IPS PRSP MACS PRSP y T

s5’

4 ', 5 ', ,{ , ! },{ },

,IPS MACS reqs s PRSP IPS PRSP MACS PRSP y T

1' :uc

2 ':c

3' :uc 4' :uc

s1'

5', 1', , , , ,s s

7' : c

s6' s7’6' :uc

3', 6 ', ,{ , ! },{ },

,

IPS MACS reqs s PRSP IPS PRSP MACS PRSP y T

6", 7", ,{ , },{ },

,IPS MACS reqs s PRSP IPS PRSP MACS PRSP y T

7 ', 1', , , ,

,

s s

5' :uc

8' :uc

2 ', 1', , , ,

,

reqs s y T

4 ', 1', , , , ,reqs s y T

6 ', 1', , , , ,reqs s y T

3', 1', , , , ,reqs s y T

9' :uc

11' :uc

10' :uc

12' :uc

Conclusions

Active DES based IDS for detecting ARP spoofing.

Analyze spoofing attack scenarios which can be detected and which cannot be.

Traces required to be eliminated (i.e., events which are to be enabled and which are not to enabled) bythe controller for attack detection were also identified.

Agenda

References

1. Brian J. d’Auriol, Kishore Surapaneni, and Brian J. Dauriol, “A state transition model case study

for intrusion detection systems,” in International Conference on Security and Management, 2004,

pp. 186–192.

2. G. Vigna and R. A. Kemmerer, “NetSTAT: A network-based intrusion detection approach,” in

Proceedings of the 14th Annual Computer Security Applications Conference, 1998, pp. 25–35.

3. Kenneth L. Ingham, Anil Somayaji, John Burge, and Stephanie Forrest, “Learning DFA

representations of HTTP for protecting web applications,” Computer Networks, vol. 51, pp. 1239–

1255, 2007.

4. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni, “A fast automaton-based method for detecting

anomalous program behaviors,” in Proceedings of the Symposium on Security and Privacy,,

2001, pp. 144–155.

5. V. Ramachandran and S. Nandi, “Detecting ARP spoo£ng: An active technique,” ICISS05:1st

International Conference on Information Systems Security, LNCS, vol. 3803, pp. 239–250, 2005.

6. M. Sampath, S. Lafortune, and D. Teneketzis, “Active diagnosis of discrete-event systems,” IEEE

Transactions on Automatic Control, vol. 43, pp. 908–929, 1998.

THANK YOU