Transcript
Page 1: Intrusion Detection Systems - uni- · PDF fileNetwork and system security ! Vulnerability analysis ! ... On Benchmarking Intrusion Detection Systems in ... Network-based intrusion

Intrusion Detection Systems

Aleksandar Milenkoski Chair of Software Engineering University of Würzburg

http://se.informatik.uni-wuerzburg.de/

Background information

§  Affiliation history
  §  Sep. 2011 - Sep. 2014: Marie Curie Research Fellow at the Karlsruhe Institute of Technology, Karlsruhe, Germany
  §  March 2013 - May 2013: Visiting Researcher at University of Rennes 1, Rennes, France
  §  since Sep. 2014: Doctoral Researcher at University of Würzburg, Würzburg, Germany

§  Research interests
  §  Network and system security
  §  Vulnerability analysis
  §  Intrusion detection
  §  Evaluation of intrusion detection systems

2/41 Intrusion Detection Systems

Background information (2)

§  Relevant publications
  §  Aleksandar Milenkoski, Marco Vieira, Samuel Kounev, Alberto Avritzer, and Bryan D. Payne. Evaluating Computer Intrusion Detection Systems: A Survey of Common Practices. ACM Computing Surveys, 48(1):12:1-12:41, September 2015, ACM, New York, NY, USA. 5-year Impact Factor (2014): 5.949.
  §  Aleksandar Milenkoski, Bryan D. Payne, Nuno Antunes, Marco Vieira, Samuel Kounev, Alberto Avritzer, and Matthias Luft. Evaluation of Intrusion Detection Systems in Virtualized Environments Using Attack Injection. In The 18th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID 2015), Kyoto, Japan, November 2015. Springer. Acceptance Rate: 23%.
  §  Aleksandar Milenkoski, Bryan D. Payne, Nuno Antunes, Marco Vieira, and Samuel Kounev. Experience Report: An Analysis of Hypercall Handler Vulnerabilities. In Proceedings of The 25th IEEE International Symposium on Software Reliability Engineering (ISSRE 2014) - Research Track, Naples, Italy, November 2014. IEEE Computer Society, Washington DC, USA. Acceptance Rate: 25%, Best Paper Award Nomination.
  §  Aleksandar Milenkoski, Samuel Kounev, Alberto Avritzer, Nuno Antunes, and Marco Vieira. On Benchmarking Intrusion Detection Systems in Virtualized Environments. Technical Report SPEC-RG-2013-002 v.1.0, SPEC Research Group - IDS Benchmarking Working Group, Standard Performance Evaluation Corporation (SPEC), 7001 Heritage Village Plaza Suite 225, Gainesville, VA 20155, USA, June 2013.

http://se.informatik.uni-wuerzburg.de/staff/aleksandar_milenkoski/

Outline

§  Basics
  §  What is an intrusion detection system (IDS)?
  §  Types of intrusion detection systems (IDSes)
§  Snort: The de-facto standard open-source IDS
§  Advanced topics
  §  IDSes in virtualized environments
  §  Evaluation of IDSes
  §  Evaluation of IDSes in virtualized environments

BASICS

Basics

§  The NIST (National Institute of Standards and Technology) definition

Def.: Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.

Def.: An IDS is software, or a hardware appliance, that automates the intrusion detection process.

Basics: Basic IDS architecture

[Figure: data flow] Input -> Sensors -> Analysis Engine -> Output

Basics: IDS types

Property                  IDS type
Monitored platform        Host-based | Network-based | Hybrid
Attack detection method   Misuse-based | Anomaly-based | Hybrid
Deployment architecture   Distributed | Non-distributed

Non-exhaustive systematization

Basics: Monitored platform

§  Host-based
  §  Monitors the activities on the system (i.e., the host) where it is deployed to detect local attacks, i.e., attacks executed by users of the targeted system itself
  §  Example: OSSEC, http://ossec.github.io/
§  Network-based
  §  Monitors network traffic to detect remote attacks, i.e., attacks carried out over a network connection
  §  Example: Snort, https://www.snort.org/
§  Hybrid

Basics: Attack detection method

§  Misuse-based
  §  Evaluates system and/or network activities against a set of signatures of known attacks
§  Anomaly-based
  §  Uses a baseline profile of regular network and/or system activities as a reference to distinguish between regular and anomalous activities
§  Hybrid

Basics: Attack detection method (2)

§  Misuse-based versus anomaly-based IDSes
  §  Def.: Zero-day attacks: attacks that exploit vulnerabilities that have not been publicly disclosed before the execution of the attacks
  §  What is effective against them: a misuse- or an anomaly-based IDS? (A misuse-based IDS can only match signatures of attacks that are already known.)
  §  Example: Adam always reads his e-mails on Sundays around 5 pm. This Saturday, at 11 am, he accessed his inbox.
  §  Def.: False alert: an alert generated by an IDS when there is no attack/intrusion.
  §  What may generate a false alert here: a misuse- or an anomaly-based IDS? (Adam's access deviates from his baseline profile but is not malicious.)

Basics: Deployment architecture

§  Non-distributed
  §  Non-compound IDS that can be deployed only at a single location
§  Distributed
  §  Compound IDS that consists of multiple intrusion detection subsystems that can be deployed at different locations and communicate to exchange intrusion detection-relevant data

Basics: Deployment architecture (2)

§  Def.: Coordinated attacks: carefully orchestrated attacks that target multiple victims at specific moments in time towards achieving a given malicious goal
§  Example: An attacker using a single IP address (1.1.1.1) first breaks into a mail server of CityBank deployed in Europe and then uses stolen (valid) credentials to access a mail server of CityBank in the US.
§  What is effective: a non-distributed or a distributed IDS?

[Figure: distributed IDS] IDS Europe reports "Alert [1.1.1.1]" to the central analysis; IDS US reports "Login event [1.1.1.1]"; the central analysis correlates the two and answers "Deny access to 1.1.1.1".
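The correlation the figure sketches, as an added example (it is not part of the slides and not any real IDS's code): a small central analysis that receives events from the site sensors and denies a login from a source address that a sensor has recently alerted on, which a single non-distributed IDS in the US could not do because it only sees a login with valid credentials. The event stream, the site names and the one-hour correlation window are constructed.

```python
"""Central analysis for the distributed IDS sketched on the slide (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since the start of the (constructed) trace
    site: str      # sensor that reported the event
    kind: str      # "alert" (the site IDS fired) or "login" (successful login)
    src_ip: str


class CentralAnalysis:
    def __init__(self, window=3600.0):
        self.window = window                 # correlation window in seconds (assumption)
        self.alerts = defaultdict(list)      # src_ip -> [(ts, site), ...]
        self.blocked = set()

    def _expire(self, now):
        """Forget alerts older than the correlation window."""
        for ip in list(self.alerts):
            fresh = [(t, s) for t, s in self.alerts[ip] if now - t <= self.window]
            if fresh:
                self.alerts[ip] = fresh
            else:
                del self.alerts[ip]

    def handle(self, ev):
        """Return the action for this event ("deny ...") or None to allow it."""
        self._expire(ev.ts)
        if ev.kind == "alert":
            self.alerts[ev.src_ip].append((ev.ts, ev.site))
            return None
        # Any other event kind is an access that may have to be denied.
        if ev.src_ip in self.blocked:
            return f"deny {ev.src_ip} at {ev.site} (already blocked)"
        if ev.src_ip in self.alerts:
            sites = sorted({s for _, s in self.alerts[ev.src_ip]})
            self.blocked.add(ev.src_ip)
            return f"deny {ev.src_ip} at {ev.site} (alerted at {', '.join(sites)})"
        return None


def run(events, window=3600.0):
    """Feed the events to one central analysis in time order; return the action per event."""
    ca = CentralAnalysis(window)
    return [ca.handle(e) for e in sorted(events, key=lambda e: e.ts)]


# Constructed event stream following the slide's story.
EVENTS = [
    Event(0.0, "Europe", "alert", "1.1.1.1"),      # break-in to the European mail server
    Event(5.0, "Europe", "alert", "2.2.2.2"),      # an unrelated alert
    Event(120.0, "US", "login", "203.0.113.5"),    # ordinary user, allowed
    Event(900.0, "US", "login", "1.1.1.1"),        # stolen credentials reused in the US
    Event(8000.0, "US", "login", "2.2.2.2"),       # alert expired: no longer correlated
    Event(8010.0, "US", "login", "1.1.1.1"),       # stays blocked
]

if __name__ == "__main__":
    for ev, action in zip(sorted(EVENTS, key=lambda e: e.ts), run(EVENTS)):
        print(f"t={ev.ts:7.1f} {ev.site:6s} {ev.kind:5s} {ev.src_ip:12s} -> {action or 'allow'}")
```

The window matters: without expiry every address ever alerted on stays suspicious forever, with a too short window the second step of a slow coordinated attack is missed; the block list is kept separately so that an address, once denied, does not become clean again simply because its alert aged out.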

SNORT: The de-facto standard IDS

Introduction to Snort

§  What is Snort?
  §  Snort is a packet analysis tool
    §  Network-based intrusion detection system
    §  Sniffer
    §  Forensic data analysis tool
§  Advantages of Snort
  §  Portable (Linux, Windows, Mac OS X, Solaris, BSD, IRIX, Tru64, HP-UX, ...)
  §  Fast
  §  Configurable (many reporting/logging options)
  §  Free (GPL/open-source software)

https://www.snort.org/

Attack detection

§  Snort is a misuse-based IDS
  §  Detects "signatures" of attacks using rules
§  Known attacks have "signatures": sequences of bytes that characterize a malicious packet almost for sure
  §  Example: Code Red worm, 2001
    §  Exploited a buffer overflow vulnerability in the Index Server ISAPI extension (.ida) of IIS 4.0 and 5.0
    §  Signature: the request line of the worm's HTTP GET (excerpt); the long run of N characters fills the overflowed buffer, the %u-encoded words carry the payload:

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801

Architecture of Snort

[Figure: data flow] Packet stream -> Sniffing -> Packet Decoder -> Preprocessor -> Detection engine -> Output stage -> Alerts/Logs

Architecture of Snort (2)

§  Packet decoder
  §  determines which underlying protocols are used in the packet (such as Ethernet, IP, TCP, etc.)
  §  looks for errors or anomalies in the fields of the packet headers
§  Preprocessor
  §  allows users and programmers to drop modular plugins into Snort (e.g., SMTP, POP, FTP preprocessors)
§  Detection engine
  §  evaluates packets against rules
§  Output stage
  §  generates output (alerts, logs)

Detection engine: Rules

A rule consists of a rule header and rule options:

Rule header:   alert tcp 1.1.1.1 any -> 2.2.2.2 any
Rule options:  (flags: SF; msg: "SYN-FIN Scan";)

§  Examples
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: "SYN-FIN Scan";)
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan";)
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: "FIN Scan";)
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN scan";)

The last rule alerts on TCP traffic from outside the 10.1.1.x subnet to the 10.1.1.x subnet with the SYN and FIN flags set. The header gives the action, the protocol, the source address and port, the direction, and the destination address and port (a leading "!" negates an address); the options give the TCP flags to match (1 and 2 denote the two reserved bits that the Queso fingerprinting scan sets together with SYN) and the alert message.
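An added example, not Snort's own code, showing how a detection engine applies rules like the ones above: a minimal evaluator for the rule subset used here (a header with negatable CIDR addresses, the flags option with Snort's default exact-match semantics, and a content option as a plain substring match on the payload, which is how a Code Red style signature like the one a few slides back is expressed). The sample packets, including the HTTP request carrying the Code Red request line, are constructed, and the Code Red rule is a simplified stand-in, not the official Snort rule.

```python
"""Minimal evaluator for the Snort rule subset shown on the slides (added example).

Rules have the form
    alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN scan";)
and are evaluated against constructed packet records. Supported options: `flags`
with Snort's default exact-match semantics and `content` as a plain substring match
on the payload (the real option also accepts hex bytes and modifiers).
"""
import ipaddress
import re
from dataclasses import dataclass, field

# TCP flag letters as Snort writes them; '1' and '2' are the two reserved bits
# (CWR, ECE) that the Queso fingerprinting scan sets together with SYN.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0           # raw TCP flag byte
    payload: bytes = b""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def parse_rule(text):
    """Split a rule into its header fields and an option dict (quotes stripped)."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for item in opts.split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            options[key.strip()] = value.strip().strip('"')
    return Rule(action, proto, src, sport, dst, dport, options)


def addr_matches(spec, addr):
    """'any', a host/CIDR, or a '!'-negated host/CIDR."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negate


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def flags_match(spec, flags):
    """Default Snort semantics: the set flag bits must equal the listed ones exactly."""
    want = 0
    for ch in spec:
        want |= FLAG_BITS[ch]
    return flags == want


def rule_matches(rule, pkt):
    if rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    if "flags" in rule.options and not flags_match(rule.options["flags"], pkt.flags):
        return False
    if "content" in rule.options and rule.options["content"].encode() not in pkt.payload:
        return False
    return True


def evaluate(rules, packets):
    """For each packet, the msg of every rule that fires (the alerts it raises)."""
    return [[r.options.get("msg", "") for r in rules if rule_matches(r, p)] for p in packets]


RULES = [parse_rule(r) for r in [
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN scan";)',
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: S12; msg: "Queso scan";)',
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: F; msg: "FIN scan";)',
    # Simplified stand-in for a Code Red content rule (not the official Snort rule).
    'alert tcp any any -> 10.1.1.0/24 80 (content: "/default.ida?NNNN"; msg: "Code Red .ida request";)',
]]

S, F, A, P, R1, R2 = (FLAG_BITS[c] for c in "SFAP12")

# Constructed sample traffic.
PACKETS = [
    Packet("tcp", "192.0.2.7", 40000, "10.1.1.5", 22, flags=S | F),        # SYN-FIN scan
    Packet("tcp", "192.0.2.7", 40001, "10.1.1.5", 22, flags=S | R1 | R2),  # Queso scan
    Packet("tcp", "10.1.1.9", 40002, "10.1.1.5", 22, flags=S | F),         # internal source, excluded by '!'
    Packet("tcp", "192.0.2.7", 40003, "10.1.1.5", 22, flags=S | A),        # ordinary handshake
    Packet("tcp", "198.51.100.3", 40004, "10.1.1.80", 80, flags=P | A,
           payload=b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt, alerts in zip(PACKETS, evaluate(RULES, PACKETS)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {alerts or '-'}")
```

Two details carry over to real deployments: the exact-match default of `flags` means a SYN-FIN rule does not fire on a packet that also has ACK set (Snort's `+` and `*` modifiers relax this), and a content signature anchored on a fixed substring is trivially evaded by changing the padding, which is why the signature on the earlier slide is only "almost for sure" and why rules are written against the invariant part of an attack.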

Output stage

§  "Interesting" packets are sent to log files ...
§  ... and also to various add-ons
  §  SnortSnarf (HTML output): http://sourceforge.net/projects/snortsnarf/
  §  SnortPlot (plots of attacks): http://www.unix.gr/cgi-bin/cat.cgi?firesoft/snortplot.pl
  §  Swatch (e-mail alerts): http://wiki.ipfire.org/en/addons/swatch/start

Usability is important

Snort as a distributed IDS

§  Snort "as is" is a non-distributed IDS
§  However, third-party tools can be used
  §  Demarc [now offline]: NIDS management console

Advanced topics

§  IDSes in virtualized environments
§  Evaluation of IDSes
§  Evaluation of IDSes in virtualized environments

Introduction

§  Virtualized environment
  §  Hypervisor (Xen, KVM, VMware, ...)
  §  Virtual machines (VMs)
§  The hypervisor "observes" all VM activities (system and network activities)

[Figure] Two guest VMs run on top of the hypervisor; the NIC and the network traffic of the VMs are reached through the hypervisor.

Architecture

[Figure: IDS placement in virtualized environments; examples: VMFence, Xenini, OSSEC, Wizard, Snort, ...]

Benefits and drawbacks

§  Benefits
  §  Isolation from malicious VM users
  §  Transparency
§  Drawbacks
  §  Some host-based IDSes require modifications of the hypervisor: difficult deployment in closed-source hypervisors (vendor support is a must)
  §  If no hypervisor modification: host-based IDSes have access to low-level hypervisor data (e.g., memory dumps) that cannot be easily interpreted by an attack analysis engine

Virtual machine introspection

§  If no hypervisor modification: host-based IDSes have access to low-level hypervisor data (e.g., memory dumps) that cannot be easily interpreted by an attack analysis engine
§  Solution: an interpreter that reconstructs guest-level semantics (processes, files, connections) from the raw data

[Figure] Memory dump -> Interpreter -> Analysis

LibVMI: http://libvmi.com/

Advanced topics

§  IDSes in virtualized environments
§  Evaluation of IDSes
§  Evaluation of IDSes in virtualized environments

Introduction

§  IDS evaluation answers two major questions:
  §  How well does this IDS perform?
  §  Is this IDS better than that one?
§  Evaluation criteria: attack detection accuracy, performance overhead, ...
§  Benefits of evaluating IDSes
  §  Enables the comparison of different IDSes
  §  Enables the improvement of the configuration of deployed IDSes, and hence a reduced risk of security breaches

Core components

§  Workloads
§  Metrics
§  Measurement methodology

Workloads

Categorization criteria   Workload type
Content                   Pure benign | Pure malicious | Mixed
Form                      Executable | Trace

Sources of executable malicious workloads (exploits):
§  Metasploit: http://metasploit.com
§  Exploit Database: http://www.exploit-db.com/
§  PacketStorm: http://packetstormsecurity.com/
§  SecurityFocus: http://www.securityfocus.com/

Workloads: Honeypots

Workloads: Trace form

Repository   Content     Activities   Labelled   Realistic   Anonymized   Metadata
CAIDA        Mixed       Netw.        No         Yes         Yes          Yes
DEFCON       Malicious   Netw.        No         No          No           No
DARPA        Mixed       Netw./Host   Yes        No          No           Yes
ITA          Benign      Netw.        No         Yes         Yes          No
LBNL         Benign      Netw.        No         Yes         Yes          Yes
MAWILab      Mixed       Netw.        Yes        Yes         Yes          Yes

The DARPA datasets: http://www.ll.mit.edu/ideval/data/

"Ground truth" (the labelling of the traces) is important

Metrics

Metric                 Formula
False negative rate    β = P(¬A | I)
True positive rate     1-β = P(A | I)
False positive rate    α = P(A | ¬I)
True negative rate     1-α = P(¬A | ¬I)

A: an IDS generates an alert; I: an attack is performed; ¬: negation; P: probability

These metrics originate from signal detection theory: J. Hancock and P. Wintz, Signal Detection Theory. New York: McGraw-Hill, 1966.

Metrics (2)

§  ROC (Receiver Operating Characteristic) curve
  §  Plots the true positive rate (1-β) against the corresponding false positive rate (α) for each IDS operating point
§  Def.: IDS operating point: an IDS configuration yielding (α, 1-β)

Common goal: identification of an optimal operating point

[Figure: intrusion detection capability (C_ID), from 0 to 1, plotted against the false positive rate (α), from 0.5·10^-3 to 3·10^-3]
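An added example (not from the slides) that computes the metrics of the previous slide and the ROC points of this one from labelled IDS output: every analysed event is a (score, is_attack) pair, as an anomaly-based IDS with a threshold th and a labelled workload would yield, and each value of th is one operating point (α, 1-β). The scores are constructed, and the cost-weighted choice of th is one possible way, not the slides' way, of picking an "optimal" operating point.

```python
"""α, β and ROC operating points from labelled IDS output (added example).

    β = P(no alert | attack)      false negative rate
    α = P(alert | no attack)      false positive rate
An alert is raised for every event whose score is >= th; sweeping th over the
observed scores traces the ROC curve.
"""


def confusion(scored, th):
    """TP, FN, FP, TN counts for the operating point th."""
    tp = fn = fp = tn = 0
    for score, is_attack in scored:
        alert = score >= th
        if is_attack:
            tp += alert
            fn += not alert
        else:
            fp += alert
            tn += not alert
    return tp, fn, fp, tn


def rates(scored, th):
    """ROC point (alpha, 1 - beta) of the operating point th."""
    tp, fn, fp, tn = confusion(scored, th)
    alpha = fp / (fp + tn) if fp + tn else 0.0      # P(A | not I)
    tpr = tp / (tp + fn) if tp + fn else 0.0        # P(A | I) = 1 - beta
    return alpha, tpr


def roc_curve(scored):
    """ROC points from the strictest threshold (no alerts at all) to the loosest."""
    points = [(0.0, 0.0)]
    for th in sorted({s for s, _ in scored}, reverse=True):
        points.append(rates(scored, th))
    return points


def best_threshold(scored, cost_fn=1.0, cost_fp=1.0):
    """Threshold minimising cost_fn * FN + cost_fp * FP (lowest th wins ties)."""
    best = None
    for th in sorted({s for s, _ in scored}):
        tp, fn, fp, tn = confusion(scored, th)
        cost = cost_fn * fn + cost_fp * fp
        if best is None or cost < best[0]:
            best = (cost, th)
    return best[1]


# Constructed scores: 18 benign events clustered low, 5 attacks of varying visibility.
BENIGN_SCORES = [0.05] * 10 + [0.1] * 5 + [0.2, 0.3, 0.35]
ATTACK_SCORES = [1.0, 1.0, 0.32, 0.21, 0.25]
SCORED = [(s, False) for s in BENIGN_SCORES] + [(s, True) for s in ATTACK_SCORES]

if __name__ == "__main__":
    for th in (0.1, 0.2, 0.3, 0.4, 0.5):
        a, tpr = rates(SCORED, th)
        print(f"th={th:.1f}  alpha={a:.3f}  1-beta={tpr:.2f}")
    print("ROC points:", roc_curve(SCORED))
    print("equal costs ->", best_threshold(SCORED))
    print("false positives 5x costlier ->", best_threshold(SCORED, cost_fp=5.0))
```

With equal error costs the best operating point here is th = 0.21 (every attack caught, two false alerts); weighting a false alert five times higher moves it to th = 1.0, where only the two loud attacks are detected. The "optimal" operating point is therefore not a property of the IDS alone but of the cost model, and the base rate matters too: with many more benign events than attacks, even a small α produces far more false alerts than true ones, which is why the slides' ROC curves extend only to α on the order of 10^-3.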

Measurement methodology

§  Attack detection accuracy is not the only relevant IDS property
  §  Is accuracy of any relevance if attacks are detected too late?

Attack-detection-related properties: attack detection accuracy, attack coverage, resistance to evasion techniques, attack detection and reporting speed
Resource-consumption-related properties: CPU consumption, memory consumption, network consumption
Others: performance overhead, workload processing capacity

IDS Evaluation: Historical overview (1995 - 2014)

§  1996: Puketza et al. develop an approach and a framework for evaluating IDSes in a systematic manner
§  1998: Debar et al. develop a workbench for evaluating IDSes
§  1998 - 1999: Researchers from Lincoln Laboratory at MIT generate trace files for evaluating IDSes (i.e., the DARPA datasets) and evaluate multiple IDSes
§  2000 - 2014: Small-scale IDS evaluation studies are carried out by researchers designing novel IDSes and occasionally appear in trade magazine articles
§  2011: Dumitras et al. present the WINE datasets and a platform for evaluating IT security systems

Advanced topics

§  IDSes in virtualized environments
§  Evaluation of IDSes
§  Evaluation of IDSes in virtualized environments

IDSes in virtualized environments

§  IDSes that detect virtualization-specific attacks
  §  Attacks targeting hypervisors
§  Hypercalls
  §  The hypervisor's counterpart of system calls: the interface through which a VM requests services from the hypervisor
  §  A critical attack surface of hypervisors [Rutkowska, J., Wojtczuk, R. @ BlackHat USA 2008]
§  Hypercall IDSes
  §  Examples: Collabra, Xenini, CC Detector, OSSEC, ...
  §  Components in the hypervisor, anomaly-based

An open issue

§  How do we extensively evaluate the accuracy of hypercall IDSes?
  §  There are no workloads: no traces, and attack scripts targeting hypercall (hypervisor) weaknesses are extremely rare
§  An approach for generating IDS evaluation workloads
  §  Injection of malicious hypercall activities (e.g., attacks, covert channel operations) during regular operation of VMs
  §  Live testing of hypercall IDSes

Attack injection

§  hInjector
  §  Publicly available at https://github.com/hinj/hInj

[Figure: hInjector architecture. Components shown: the monitored VM (MVM) with the Injector, its Configuration and its Logs in user space and an LKM in kernel space; the hypervisor with Filter, Hypercall handler, shared_info, vCPU and Memory; the hardware; and the IDS (in the SVM), which monitors the hypervisor. The numbered steps 1 to 6 of the figure are not legible in the transcript.]

Attack injection (2)

§  Design criteria for realistic and practically feasible IDS evaluation
  §  Injection of realistic attacks [35 PoCs; new attacks can be easily configured]
  §  Injection during regular system operation
  §  Non-disruptive attack injection
  §  Low performance overhead

IDS evaluation experiments

§  IDS under test: Xenini [Maiero et al. 2011]
  §  Works on sequences of hypercalls of length n [n = 10]
  §  Calculates anomaly scores between 0 and 1 and fires an alert if a given threshold th is exceeded
§  Scenarios
  §  [Scenario #1] Evaluate the attack detection accuracy of Xenini for th in [0.1; 0.5]
  §  [Scenario #2] Evaluate Xenini's ability to detect IDS-evasive attacks: "mimicry" and "smoke screen" attacks

IDS evaluation experiments (2)

§  The SPEC_sc2013 environment

Clients (workload drivers): SPECweb 2005, SPECimap, SPECjAppServer2004, SPECbatch

Servers (hypervisor: Xen 4.4.1; every VM runs Linux 3.17.2 x86_64):
§  Web server VM [front-end]: Apache 2.4.7
§  Mail server VM [front-end]: IMAP mail server Dovecot 2.2.9
§  Application server VM [front-end]: J2EE application server GlassFish 4.0
§  Batch server VM [front-end]: SPECbatch server
§  Network file server VM [back-end]: sshfs 2.5
§  Database server VM [back-end]: PostgreSQL 9.3.5

IDS evaluation experiments (3)

§  [Scenario #1]
  §  IDS training
  §  Attack injection and calculation of metric values

Targeted vulnerability   Detected (th = 0.5)
CVE-2012-3495            yes
CVE-2012-5525            no
CVE-2012-5513            yes
CVE-2012-5510            yes
CVE-2013-4494            no
CVE-2013-1964            no

[Figure: ROC curve of Xenini, true positive rate (0 to 1) against false positive rate (0 to 4·10^-6), for th in [0.1; 0.5]; the operating point th = 0.5 is marked and individual points carry the labels [0.3×10^-2], [0.23×10^-2], [0.078×10^-2], [0.079×10^-2]]

IDS evaluation experiments (4)

[Figure: hypercall sequences of the evasive attacks]

"Mimicry" version of CVE-2013-1964: the attack is embedded in hypercall sequences that look like benign activity, e.g.
  iret iret iret iret event_channel_op stack_switch get_debug_reg event_channel_op vcpu_op grant_table_op
  iret iret iret iret event_channel_op stack_switch get_debug_reg event_channel_op vcpu_op grant_table_op
  ...

"Smoke screen" version of CVE-2013-1964: 0.5 seconds [~13647 hypercall sequences] of benign hypercall activity ... followed by the attack's grant_table_op grant_table_op ... calls

IDS evaluation experiments (5)

§  [Scenario #2]
  §  IDS training until time ts = 5285 sec.
  §  Attack injection and calculation of metric values

Anomaly scores:

Targeted vulnerability   Unmodified   "Mimicry"   "Smoke screen"
CVE-2012-3495            1.0          0.17        0.25
CVE-2012-5513            0.32         0.107       0.28
CVE-2012-5510            1.0          0.14        0.31
CVE-2013-4494            0.21         0.14        0.14
CVE-2013-1964            0.25         0.14        0.14
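An added example, not Xenini's code, that reproduces the shape of Scenario #2 on a toy scale: a sequence-based hypercall IDS of the kind the experiments evaluate (the STIDE-style scoring, the fraction of n-grams never seen in training, is an assumption; Xenini's exact algorithm differs), a mimicry transformation that rebuilds the attack as a subsequence of benign activity, and a smoke screen that wraps the raw attack in a flood of benign hypercalls. The benign pattern is the one on the mimicry slide; the attack burst standing in for the real exploit, the timing and the 0.5 s scoring interval are constructed.

```python
"""Sequence-based hypercall anomaly detection and the two evasions (added example).

The detector learns the set of hypercall n-grams (n = 10, as in the experiments)
during benign training and scores each time interval by the share of n-grams it has
never seen: 0 = all known, 1 = all unknown. Hypercall names are Xen's.
"""

N = 10            # sequence length used by Xenini on the slides
INTERVAL = 0.5    # scoring interval in seconds (an assumption)


def ngrams(seq, n=N):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


class SequenceIDS:
    def __init__(self, n=N, threshold=0.5):
        self.n, self.th, self.known = n, threshold, set()

    def train(self, benign_trace):
        self.known.update(ngrams(benign_trace, self.n))

    def score(self, calls):
        """Anomaly score of one interval: share of n-grams absent from training."""
        grams = ngrams(calls, self.n)
        if not grams:
            return 0.0
        return sum(g not in self.known for g in grams) / len(grams)

    def score_intervals(self, events, interval=INTERVAL):
        """events: time-ordered (t, hypercall) pairs; n-grams never span intervals."""
        buckets = {}
        for t, call in events:
            buckets.setdefault(int(t // interval), []).append(call)
        return {k: self.score(v) for k, v in sorted(buckets.items())}

    def alert(self, events):
        return max(self.score_intervals(events).values()) > self.th


# Constructed benign activity: the pattern shown on the mimicry slide, repeated by an
# idle paravirtualised guest once per second (one hypercall every 100 ms).
BENIGN_PATTERN = ["iret", "iret", "iret", "iret", "event_channel_op", "stack_switch",
                  "get_debug_reg", "event_channel_op", "vcpu_op", "grant_table_op"]
BENIGN_TRACE = BENIGN_PATTERN * 200

# Constructed stand-in for an attack: a burst of grant_table_op calls
# (the hypercall sequences of the real exploits are not reproduced here).
ATTACK = ["grant_table_op"] * 12


def benign_background(seconds):
    return [((10 * k + j) / 10, call) for k in range(seconds)
            for j, call in enumerate(BENIGN_PATTERN)]


def inject(background, calls, start=1.61, spacing=0.0001):
    """Issue `calls` as a burst at `start`, merged in time order with the background."""
    burst = [(start + i * spacing, c) for i, c in enumerate(calls)]
    return sorted(background + burst, key=lambda e: e[0])


def mimicry(attack, benign_trace):
    """Shortest prefix of benign_trace containing `attack` as a subsequence; the
    attacker issues the extra hypercalls as harmless padding. None if impossible."""
    need = 0
    for i, call in enumerate(benign_trace):
        if call == attack[need]:
            need += 1
            if need == len(attack):
                return benign_trace[:i + 1]
    return None


def smoke_screen(attack, repeats):
    """Raw attack wrapped in `repeats` copies of benign activity on each side."""
    return BENIGN_PATTERN * repeats + attack + BENIGN_PATTERN * repeats


def max_score(ids, variant):
    """Highest per-interval score when `variant` is injected into 3 s of background."""
    return max(ids.score_intervals(inject(benign_background(3), variant)).values())


def run_experiment():
    ids = SequenceIDS()
    ids.train(BENIGN_TRACE)
    return {
        "unmodified": max_score(ids, ATTACK),
        "mimicry": max_score(ids, mimicry(ATTACK, BENIGN_TRACE)),
        "smoke screen": max_score(ids, smoke_screen(ATTACK, 30)),
    }


if __name__ == "__main__":
    for name, s in run_experiment().items():
        print(f"{name:13s} anomaly score {s:.3f}  alert={s > 0.5}")
```

The unmodified burst scores 1.0 because every 10-gram in its interval contains a run of grant_table_op calls that never occurs in training; the mimicry version scores only about 0.04 (the few unknown n-grams come from the seams where the injected sequence interrupts the guest's own pattern), and the smoke screen about 0.04 as well, because 20 unknown n-grams are diluted among 600 known ones. Both evasions stay under th = 0.5, matching the direction of the table above. The detector's two blind spots are visible in the code: it looks only at hypercall names, not arguments, so a mimicry attack that can tolerate padding is invisible, and it normalises by the number of n-grams in an interval, so an attacker who controls the volume of activity controls the score.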

THANK YOU!