01/04/2007 ecs236 winter 2007 1

ecs236 Winter 2007:

Intrusion DetectionIntrusion Detection#2: Explanation-based Anomaly Detection

Dr. S. Felix Wu

Computer Science Department

University of California, Davishttp://www.cs.ucdavis.edu/~wu/

sfelixwu@gmail.com

01/04/2007 ecs236 winter 2007 2

Intrusion DetectionIntrusion Detection

IntrusionDetection

Model

Input eventsequence Results

Pattern matching

01/04/2007 ecs236 winter 2007 3

decay

update

clean

compute thedeviation

alarm generation

threshold control

timer control

raw events long term profile

0 5 10 15 20 25 300

01/04/2007 ecs236 winter 2007 4

What is an anomaly?What is an anomaly?

01/04/2007 ecs236 winter 2007 5

What is an anomaly?What is an anomaly? The observation of a target system is

inconsistent, somewhat, with the expected conceptual model of the same system

01/04/2007 ecs236 winter 2007 6

What is an anomaly?What is an anomaly? The observation of a target system is

inconsistent, somewhat, with the expected conceptual model of the same system

And, this conceptual model can be ANYTHING.– Statistical, logical, or something else

01/04/2007 ecs236 winter 2007 7

decay

update

clean

compute thedeviation

alarm generation

threshold control

timer control

raw events long term profile

0 5 10 15 20 25 300

01/04/2007 ecs236 winter 2007 8

decay

update

clean

cognitivelyidentify thedeviation

alarm identification

InformationVisualizationToolkit

raw events cognitive profile

01/04/2007 ecs236 winter 2007 9

Challenge of ANDChallenge of AND We know that the detected anomalies can

be either true-positive or false-positive. We try all our best to resolve the puzzle by

examining all information available to us. But, the “ground truth” of these anomalies

is very hard to obtain– even with human intelligence – Practically this might or might not be OK…

01/04/2007 ecs236 winter 2007 10

What is an anomaly?What is an anomaly?

Events

Expected Behavior Model

Anomaly Detection

01/04/2007 ecs236 winter 2007 11

The ChallengeThe Challenge

Events

Expected Behavior Model

Anomaly Detection

Knowledge about the Target

False Positives & Negatives

01/04/2007 ecs236 winter 2007 12

Problems with ANDProblems with AND We are not sure about whatever we want to

detect… We are not sure either when something is

caught… We are still in the dark… at least in many

cases…

01/04/2007 ecs236 winter 2007 13

What is an anomaly?What is an anomaly?

Events

Expected Behavior Model

Anomaly Detection

Knowledge about the Target

01/04/2007 ecs236 winter 2007 14

Model vs. ObservationModel vs. Observationthe Model Anomaly Detection

Conflicts Anomalies

It could be an attack, but it might well be misunderstanding!!

01/04/2007 ecs236 winter 2007 15

Anomaly ExplanationAnomaly Explanation

the Model Anomaly Detection

Anomaly Analysis and Explanation

EBL

Explaining both the attack and the normal behavior

01/04/2007 ecs236 winter 2007 16

ExplanationExplanation

Model(Simulation or Emulation) Real World Model

Conflicts Anomalies

Events: raw, logical, stochastic

01/04/2007 ecs236 winter 2007 17

EXPANDEXPAND

Good events go into the Model

01/04/2007 ecs236 winter 2007 18

EXPANDEXPAND

Good events go into the Model Malicious events also go into the Model as

signatures (but with an analysis process)

We want to put as much as ground truth into our model!– And, that means discovering their relationship

as well.

01/04/2007 ecs236 winter 2007 19

the Modelmodel-based

event analysis

observed system events

SBL-basedAnomalyDetection

analysisreports

ExampleSelection

Explanation Based

Learning

modelupdate

01/04/2007 ecs236 winter 2007 20

AND AND EXPAND EXPAND

Anomaly Detection– Detect– Analysis and Explanation– Application

01/04/2007 ecs236 winter 2007 21

Routing Protocol FrameworkRouting Protocol FrameworkInformation ModelInformation Model

FIB

RIB

NPDU Header (Network Protocol Data Unit)

(Dest, NextHop, Routing Metrics)

Forwarding Algorithm

OSPF

RIBRIB

RIPv2 BGP4

FIB

ForwardingDecision

Application Layer

Network Layer

RoutingInformationBase

ForwardingInformationBase

01/04/2007 ecs236 winter 2007 22

Operation Model Operation Model Routing Information ExchangeRouting Information Exchange

Hey, Here is the routing information I got so far

Hmm, some of them are obsolete, Here is my update

01/04/2007 ecs236 winter 2007 23

Operation Model Operation Model Route Generation and SelectionRoute Generation and Selection

Which algorithm should I use??Distributed Dijikstra’s algorithm or

Distributed Bellman-Ford algorithm?

Routing Information Base

Forwarding Information Base

application Layer

network Layer

01/04/2007 ecs236 winter 2007 24

RoutingRouting

I want to knowthe shortest pathor simply “a path”

Routers exchange local information!

SRC

DST

01/04/2007 ecs236 winter 2007 25

Link State

A

B

C

You

YourNeighbor

A B

A B

A B

Flooding

01/04/2007 ecs236 winter 2007 26

01/04/2007 ecs236 winter 2007 27

Link State

A

B

C

You

YourNeighbor

A B

A B

A B

Flooding

You tell the whole world about your relationship with your neighbor

01/04/2007 ecs236 winter 2007 28

Routing InformationRouting Information

Link State:– I let the whole world knows about my

relationship with my neighbors.– (Felix, Neighbor-X) is up!

Distance Vector:– I let all my neighbors knows about my

relationship with the rest of the world.– (Felix can get to Remote-Y) in 5 hops.

01/04/2007 ecs236 winter 2007 29

Link-StateLink-State

01/04/2007 ecs236 winter 2007 30

LSALSA and an and an LSA instanceLSA instance An LSA is associated with a particular link of

network, which is identified by its LS type, LS ID, Advertising Router ID.

An LSA instance gives the state of a particular LSA at a particular time, which can be differentiated by LS sequence number, LS age, LS checksum.

0x80000000 0x80000001 0x7FFFFFFF

01/04/2007 ecs236 winter 2007 31

LSA Format

Type (Hello, Link, Networ, Summary)Type (Hello, Link, Networ, Summary) Advertizing Router ID (Originator)Advertizing Router ID (Originator) Advertized Link or Network.Advertized Link or Network. Sequence Number Sequence Number

smallest:smallest: 0x 800000010x 80000001 largest: largest: 0x7FFFFFFF0x7FFFFFFF

Age (0, 60 minutes)Age (0, 60 minutes)

01/04/2007 ecs236 winter 2007 32

RIB - OSPFRIB - OSPFLSA-ID ADV Seq# Checksum AgeA=B A 0x850012a7 0x452b 20:13A=B B 0x84230b41 0x3729 13:12A=D A 0x9012000e 0x2567 01:22…

01/04/2007 ecs236 winter 2007 33

OSPF LSA Flooding, IOSPF LSA Flooding, I

Router

If I have notreceived thisLSA (Link StateAdvertisement).

ACK

01/04/2007 ecs236 winter 2007 34

OSPF LSA Flooding, II

Router

If I havereceived thisLSA (Link StateAdvertisement).

ACK

01/04/2007 ecs236 winter 2007 35

OSPF LSA Flooding, III

Router

If I have somethingbetter/fresher/newer..

my newer copy

Sequence NumberComparison.

01/04/2007 ecs236 winter 2007 36

How to decide How to decide “freshness”??“freshness”??

01/04/2007 ecs236 winter 2007 37

Sequence #Sequence #

ATMSeq#

01/04/2007 ecs236 winter 2007 38

Sequence #: old vs. new LSAs

ATM

0x80000001

Next: 0x80000002Only accept LSAs withnewer/larger Seq#.

01/04/2007 ecs236 winter 2007 39

Sequence # Self-Stabilization

ATM

(1). 0x90001112

(2). router crashes.

(3). 0x80000001.

(4). 0x90001112 an old copy still exists!

(5). 0x90001113

01/04/2007 ecs236 winter 2007 40

Sequence #: Counter Flushing

ATM

(1) 0x7FFFFFFF MaxSeq#

(2) 0x7FFFFFF with MaxAge to purge this entry.(3) 0x80000001.

01/04/2007 ecs236 winter 2007 41

Fresher LSA?Fresher LSA?Seq#A ? Seq#B

ChS:A ? ChS:B

AgeA-AgeB

=

=

>

><

< A

A

A

B

B

B

15 -15

otherwise

A, B are treated the same.

Three parameters forLSA:- Sequence Number- Checksum- Age

01/04/2007 ecs236 winter 2007 42

Malicious Intermediate Routers

up

up dm

dm

Flooding

EVIL!All the linkscan be attacked.

01/04/2007 ecs236 winter 2007 43

How to Attack OSPF?How to Attack OSPF?

Think… Try it!!

– What is the objective?– How to accomplish your goal?

01/04/2007 ecs236 winter 2007 44

ProblemProblem Prevent/Detect compromised intermediate

router(s) from tampering “Link State Advertisements (LSAs)” originated from some other routers.

This Link is UP!

down

01/04/2007 ecs236 winter 2007 45

Defense??Defense??

Crypto-based Non-crypto-based

01/04/2007 ecs236 winter 2007 46

LSA Digital Signature

PKSPKS

This Link is UP!

private key

This Link is UP!

public key

01/04/2007 ecs236 winter 2007 47

Advantages for PKS

One compromised router will not be able to One compromised router will not be able to affect others about affect others about other linksother links..

With only key-MD5, one compromised With only key-MD5, one compromised router can disable all the crypto.router can disable all the crypto.

01/04/2007 ecs236 winter 2007 48

Public Key is Expensive

At least, in software.At least, in software. Experiments on Pentium/133, Linux 2.027:Experiments on Pentium/133, Linux 2.027:

HMAC MD5:HMAC MD5: 78.3778.37 usecusec RSA/MD5 (verify):RSA/MD5 (verify): 88.0088.00

msecmsec RSA/MD5 (sign):RSA/MD5 (sign): 166.00 166.00 msecmsec

RSA Hardware available, where MD5 is RSA Hardware available, where MD5 is inherently hard to parallelize.inherently hard to parallelize.

01/04/2007 ecs236 winter 2007 49

Prevention

LSA Originator Digital SignatureLSA Originator Digital Signature (Perlman, (Perlman, Murphy/Badger, Smith/JJ)Murphy/Badger, Smith/JJ)

Debatable Concerns: (OSPF wk-group)Debatable Concerns: (OSPF wk-group) RSARSA is is too expensivetoo expensive (about 1,000 times worse (about 1,000 times worse

in signature verification with 512 bit keys)in signature verification with 512 bit keys) PKI CertificatePKI Certificate is expensive. is expensive. There are There are otherother routing infrastructure attacksrouting infrastructure attacks

that can that can not be preventednot be prevented by by LSA Digital LSA Digital SignaturesSignatures. (Cost/Market concern). (Cost/Market concern)

Political and Technical.Political and Technical.

01/04/2007 ecs236 winter 2007 50

Can we do it without Can we do it without PKI?PKI?

Preventing compromised intermediate routers???

01/04/2007 ecs236 winter 2007 51

Can we detect the Can we detect the problem?problem?

Authenticated LSAs but the authentication information is kept until a session is over.

This Link is UP!

MAC-Seq#

session

K tuples of [MAC(i), Seq#(i)], RtrID

RSA/MD5

01/04/2007 ecs236 winter 2007 52

Prevention versus Prevention versus DetectionDetection

Prevention: pay a fixed price anyway, even no bad guy exists.

Detection/Isolation: “hopefully” pay less when no bad guy exists. pay more when trying to isolate the bad guys.

Self-Stabilization Time: – (Detection + Isolation)

01/04/2007 ecs236 winter 2007 53

Let’s look at the attack Let’s look at the attack again!!again!!

Why do we need to ADD something to handle OSPF attacks?

01/04/2007 ecs236 winter 2007 54

Sequence #: old vs. new LSAs

ATM

0x80000001

Next: 0x80000002Only accept LSAs withnewer/larger Seq#.

01/04/2007 ecs236 winter 2007 55

Attack

ATMSeq#

(1) 0x90001112

- 0x90001111- 0x90001112 (later)- 0x90001113

01/04/2007 ecs236 winter 2007 56

Attack and Fight-Back

ATMSeq#

(1) 0x90001112

(2) 0x90001113(3) 0x90001114 fight-back

01/04/2007 ecs236 winter 2007 57

Seq++ Attack and Fight-Back

ATM(1) 0x90001112

(2) 0x90001113(3) 0x90001114 fight-back

1

3

01/04/2007 ecs236 winter 2007 58

Victim

Attacker

ATM

down

Seq#

Current Seq# 9123abe0

Attacking Seq# 9123abe1

Originator??

Responding Seq# 9123abe2

01/04/2007 ecs236 winter 2007 59

Attacker

Attacker

Victim

ATM

down

Seq#

Current Seq# 9123abe0

Attacking Seq# 9123abe1

Originator??

Responding Seq# 9123abe2

Partition

01/04/2007 ecs236 winter 2007 60

OSPF Security StrengthOSPF Security Strength

In most cases, if something goes wrong, the advertizing router will detect it and try to correct it.

The bad guy has to persistently inject bad LSAs.

Self-Stabilization Protocols: can not handle continuous faults but force the attacker to perform only persistent attacks.

01/04/2007 ecs236 winter 2007 61

A Principle/Heuristic A Principle/Heuristic Rule of Rule of

Intrusion DetectionIntrusion Detection Hit-and-Run Attacks: Hard to Detect/Isolate

– Inject one (or very few) bad packet causing permanent or long term damage.

Persistent Attacks: – The bad guy has to continuously inject attack

packets.

01/04/2007 ecs236 winter 2007 62

Network Network Protocol/System DesignProtocol/System Design If we can force the attackers to only launch

“persistent attacks,” we have a better chance to detect and isolate the attack sources.

OSPF Flooding, for example, does a fairly good job. (still need some formal/theoretical research work here…)

01/04/2007 ecs236 winter 2007 63

Attacks on OSPF/RFCAttacks on OSPF/RFC

Persistent Attacks Hit-and Run

known Digital SignaturePreventable Attacks

One “sort-of” Hit-and-Run attack in OSPFv2 RFCis the “External-Forwarding-Link LSA Attack,” and it cannot be prevented by Digital Signature.

?

01/04/2007 ecs236 winter 2007 64

Attacks on Attacks on OSPF/ImplementationOSPF/ImplementationPersistent Attacks Hit-and Run

known Digital SignaturePreventable Attacks

MaxSeq# attack ( ) was a Persistent Attack in OSPF/RFC,but, with implementation bugs, it becomes a Hit-and-Runattack ( ).

01/04/2007 ecs236 winter 2007 65

Results for OSPF:Results for OSPF:

According to the RFC, all the known Digital-Signature-preventable attacks can be efficiently detectable. (There are no known Hit-and-Run OSPF attacks that can be prevented by PKS digital-signature.)

According to the OSPF Implementations, one such Hit-and-Run attack does exist.

01/04/2007 ecs236 winter 2007 66

Max-Sequence Number Max-Sequence Number AttackAttack

Block LSA updates for one hour by injecting one bad LSA. (You can hit it once and come back in an hour.)

Implementation Bug! (Two Packages) MaxSeq# LSA Purging has not been

implemented correctly!!

01/04/2007 ecs236 winter 2007 67

Sequence #: Counter Flushing

ATM

(1) 0x7FFFFFFF MaxSeq#

(2) 0x7FFFFFF with MaxAge to purge this entry.(3) 0x80000001.

01/04/2007 ecs236 winter 2007 68

Sequence #: Counter Flushing

ATM

(1) 0x7FFFFFFF MaxSeq#

(2) 0x7FFFFFF with MaxAge to purge this entry.(3) 0x80000001.

01/04/2007 ecs236 winter 2007 69

MaxSq# Attack

ATMSeq#

(1) 0x90001112

(2) 0x7FFFFFFF MaxSeq#

(3) 0x80000001 fight-back

(4). 0x7FFFFFFF

01/04/2007 ecs236 winter 2007 70

Properties of MaxSeq# Properties of MaxSeq# AttacksAttacks

Hit-and-Run for an Hour. The bad guy can “control” the topology database for an hour.

The Victim continuously argues with its (very likely, honest) neighbors about which LSA is fresher. (0x7FFFFFFF versus 0x80000001).

To eliminate the problem before one hour, “All” routers must be shut down “simultaneously.”

Or, have an active process to pump the purging packets into the network.

01/04/2007 ecs236 winter 2007 71

Max-Sequence Number Max-Sequence Number AttackAttack

Block LSA updates for one hour by injecting one bad LSA. (You can hit it once and come back in an hour.)

Implementation Bug! (Two independently developed OSPF packages.)

MaxSeq# LSA Purging has not been implemented correctly!!

Announced in May, 1997.

01/04/2007 ecs236 winter 2007 72

Detection Detection Isolation Isolation

Detection Understand Isolation

01/04/2007 ecs236 winter 2007 73

Partitioned by Bad Partitioned by Bad Router(s)Router(s)

Area FOO Area BAREVE

EVE can cheat FOO about BAR’s topology without beingdetected by BAR.(EVE can intercept the tampered BAR’s LSAs from FOO to BAR.)

01/04/2007 ecs236 winter 2007 74

But….But….

Any packets from FOO to BAR will pass EVE anyway. (I.e., EVE already has the access to all the packet streams between FOO and BAR.)

It is not necessary for EVE to attack the routing information exchange protocols.

01/04/2007 ecs236 winter 2007 75

Is the network partitioned?

YES.YES. The bad guy doesn’t need to attack RIB!The bad guy doesn’t need to attack RIB!

NO.NO. With OSPF, the bad LSAs should flowed back With OSPF, the bad LSAs should flowed back

to the originator.to the originator. The originator will fight back to correct the The originator will fight back to correct the

problem. (Self Stabilization)problem. (Self Stabilization) The bad guy has to persistently attack.The bad guy has to persistently attack.