ecs236 winter 2007: intrusion detection #2: explanation-based anomaly detection
DESCRIPTION
ecs236 Winter 2007: Intrusion Detection #2: Explanation-based Anomaly Detection. Dr. S. Felix Wu Computer Science Department University of California, Davis http://www.cs.ucdavis.edu/~wu/ [email protected]. Intrusion Detection. Model. Input event sequence. Results. Intrusion Detection. - PowerPoint PPT PresentationTRANSCRIPT
01/04/2007 ecs236 winter 2007 1
ecs236 Winter 2007:
Intrusion DetectionIntrusion Detection#2: Explanation-based Anomaly Detection
Dr. S. Felix Wu
Computer Science Department
University of California, Davishttp://www.cs.ucdavis.edu/~wu/
01/04/2007 ecs236 winter 2007 2
Intrusion DetectionIntrusion Detection
IntrusionDetection
Model
Input eventsequence Results
Pattern matching
01/04/2007 ecs236 winter 2007 3
decay
update
clean
compute thedeviation
alarm generation
threshold control
timer control
raw events long term profile
0 5 10 15 20 25 300
01/04/2007 ecs236 winter 2007 4
What is an anomaly?What is an anomaly?
01/04/2007 ecs236 winter 2007 5
What is an anomaly?What is an anomaly? The observation of a target system is
inconsistent, somewhat, with the expected conceptual model of the same system
01/04/2007 ecs236 winter 2007 6
What is an anomaly?What is an anomaly? The observation of a target system is
inconsistent, somewhat, with the expected conceptual model of the same system
And, this conceptual model can be ANYTHING.– Statistical, logical, or something else
01/04/2007 ecs236 winter 2007 7
decay
update
clean
compute thedeviation
alarm generation
threshold control
timer control
raw events long term profile
0 5 10 15 20 25 300
01/04/2007 ecs236 winter 2007 8
decay
update
clean
cognitivelyidentify thedeviation
alarm identification
InformationVisualizationToolkit
raw events cognitive profile
01/04/2007 ecs236 winter 2007 9
Challenge of ANDChallenge of AND We know that the detected anomalies can
be either true-positive or false-positive. We try all our best to resolve the puzzle by
examining all information available to us. But, the “ground truth” of these anomalies
is very hard to obtain– even with human intelligence – Practically this might or might not be OK…
01/04/2007 ecs236 winter 2007 10
What is an anomaly?What is an anomaly?
Events
Expected Behavior Model
Anomaly Detection
01/04/2007 ecs236 winter 2007 11
The ChallengeThe Challenge
Events
Expected Behavior Model
Anomaly Detection
Knowledge about the Target
False Positives & Negatives
01/04/2007 ecs236 winter 2007 12
Problems with ANDProblems with AND We are not sure about whatever we want to
detect… We are not sure either when something is
caught… We are still in the dark… at least in many
cases…
01/04/2007 ecs236 winter 2007 13
What is an anomaly?What is an anomaly?
Events
Expected Behavior Model
Anomaly Detection
Knowledge about the Target
01/04/2007 ecs236 winter 2007 14
Model vs. ObservationModel vs. Observationthe Model Anomaly Detection
Conflicts Anomalies
It could be an attack, but it might well be misunderstanding!!
01/04/2007 ecs236 winter 2007 15
Anomaly ExplanationAnomaly Explanation
the Model Anomaly Detection
Anomaly Analysis and Explanation
EBL
Explaining both the attack and the normal behavior
01/04/2007 ecs236 winter 2007 16
ExplanationExplanation
Model(Simulation or Emulation) Real World Model
Conflicts Anomalies
Events: raw, logical, stochastic
01/04/2007 ecs236 winter 2007 17
EXPANDEXPAND
Good events go into the Model
01/04/2007 ecs236 winter 2007 18
EXPANDEXPAND
Good events go into the Model Malicious events also go into the Model as
signatures (but with an analysis process)
We want to put as much as ground truth into our model!– And, that means discovering their relationship
as well.
01/04/2007 ecs236 winter 2007 19
the Modelmodel-based
event analysis
observed system events
SBL-basedAnomalyDetection
analysisreports
ExampleSelection
Explanation Based
Learning
modelupdate
01/04/2007 ecs236 winter 2007 20
AND AND EXPAND EXPAND
Anomaly Detection– Detect– Analysis and Explanation– Application
01/04/2007 ecs236 winter 2007 21
Routing Protocol FrameworkRouting Protocol FrameworkInformation ModelInformation Model
FIB
RIB
NPDU Header (Network Protocol Data Unit)
(Dest, NextHop, Routing Metrics)
Forwarding Algorithm
OSPF
RIBRIB
RIPv2 BGP4
FIB
ForwardingDecision
Application Layer
Network Layer
RoutingInformationBase
ForwardingInformationBase
01/04/2007 ecs236 winter 2007 22
Operation Model Operation Model Routing Information ExchangeRouting Information Exchange
Hey, Here is the routing information I got so far
Hmm, some of them are obsolete, Here is my update
01/04/2007 ecs236 winter 2007 23
Operation Model Operation Model Route Generation and SelectionRoute Generation and Selection
Which algorithm should I use??Distributed Dijikstra’s algorithm or
Distributed Bellman-Ford algorithm?
Routing Information Base
Forwarding Information Base
application Layer
network Layer
01/04/2007 ecs236 winter 2007 24
RoutingRouting
I want to knowthe shortest pathor simply “a path”
Routers exchange local information!
SRC
DST
01/04/2007 ecs236 winter 2007 25
Link State
A
B
C
You
YourNeighbor
A B
A B
A B
Flooding
01/04/2007 ecs236 winter 2007 26
01/04/2007 ecs236 winter 2007 27
Link State
A
B
C
You
YourNeighbor
A B
A B
A B
Flooding
You tell the whole world about your relationship with your neighbor
01/04/2007 ecs236 winter 2007 28
Routing InformationRouting Information
Link State:– I let the whole world knows about my
relationship with my neighbors.– (Felix, Neighbor-X) is up!
Distance Vector:– I let all my neighbors knows about my
relationship with the rest of the world.– (Felix can get to Remote-Y) in 5 hops.
01/04/2007 ecs236 winter 2007 29
Link-StateLink-State
01/04/2007 ecs236 winter 2007 30
LSALSA and an and an LSA instanceLSA instance An LSA is associated with a particular link of
network, which is identified by its LS type, LS ID, Advertising Router ID.
An LSA instance gives the state of a particular LSA at a particular time, which can be differentiated by LS sequence number, LS age, LS checksum.
0x80000000 0x80000001 0x7FFFFFFF
01/04/2007 ecs236 winter 2007 31
LSA Format
Type (Hello, Link, Networ, Summary)Type (Hello, Link, Networ, Summary) Advertizing Router ID (Originator)Advertizing Router ID (Originator) Advertized Link or Network.Advertized Link or Network. Sequence Number Sequence Number
smallest:smallest: 0x 800000010x 80000001 largest: largest: 0x7FFFFFFF0x7FFFFFFF
Age (0, 60 minutes)Age (0, 60 minutes)
01/04/2007 ecs236 winter 2007 32
RIB - OSPFRIB - OSPFLSA-ID ADV Seq# Checksum AgeA=B A 0x850012a7 0x452b 20:13A=B B 0x84230b41 0x3729 13:12A=D A 0x9012000e 0x2567 01:22…
01/04/2007 ecs236 winter 2007 33
OSPF LSA Flooding, IOSPF LSA Flooding, I
Router
If I have notreceived thisLSA (Link StateAdvertisement).
ACK
01/04/2007 ecs236 winter 2007 34
OSPF LSA Flooding, II
Router
If I havereceived thisLSA (Link StateAdvertisement).
ACK
01/04/2007 ecs236 winter 2007 35
OSPF LSA Flooding, III
Router
If I have somethingbetter/fresher/newer..
my newer copy
Sequence NumberComparison.
01/04/2007 ecs236 winter 2007 36
How to decide How to decide “freshness”??“freshness”??
01/04/2007 ecs236 winter 2007 37
Sequence #Sequence #
ATMSeq#
01/04/2007 ecs236 winter 2007 38
Sequence #: old vs. new LSAs
ATM
0x80000001
Next: 0x80000002Only accept LSAs withnewer/larger Seq#.
01/04/2007 ecs236 winter 2007 39
Sequence # Self-Stabilization
ATM
(1). 0x90001112
(2). router crashes.
(3). 0x80000001.
(4). 0x90001112 an old copy still exists!
(5). 0x90001113
01/04/2007 ecs236 winter 2007 40
Sequence #: Counter Flushing
ATM
(1) 0x7FFFFFFF MaxSeq#
(2) 0x7FFFFFF with MaxAge to purge this entry.(3) 0x80000001.
01/04/2007 ecs236 winter 2007 41
Fresher LSA?Fresher LSA?Seq#A ? Seq#B
ChS:A ? ChS:B
AgeA-AgeB
=
=
>
><
< A
A
A
B
B
B
15 -15
otherwise
A, B are treated the same.
Three parameters forLSA:- Sequence Number- Checksum- Age
01/04/2007 ecs236 winter 2007 42
Malicious Intermediate Routers
up
up dm
dm
Flooding
EVIL!All the linkscan be attacked.
01/04/2007 ecs236 winter 2007 43
How to Attack OSPF?How to Attack OSPF?
Think… Try it!!
– What is the objective?– How to accomplish your goal?
01/04/2007 ecs236 winter 2007 44
ProblemProblem Prevent/Detect compromised intermediate
router(s) from tampering “Link State Advertisements (LSAs)” originated from some other routers.
This Link is UP!
down
01/04/2007 ecs236 winter 2007 45
Defense??Defense??
Crypto-based Non-crypto-based
01/04/2007 ecs236 winter 2007 46
LSA Digital Signature
PKSPKS
This Link is UP!
private key
This Link is UP!
public key
01/04/2007 ecs236 winter 2007 47
Advantages for PKS
One compromised router will not be able to One compromised router will not be able to affect others about affect others about other linksother links..
With only key-MD5, one compromised With only key-MD5, one compromised router can disable all the crypto.router can disable all the crypto.
01/04/2007 ecs236 winter 2007 48
Public Key is Expensive
At least, in software.At least, in software. Experiments on Pentium/133, Linux 2.027:Experiments on Pentium/133, Linux 2.027:
HMAC MD5:HMAC MD5: 78.3778.37 usecusec RSA/MD5 (verify):RSA/MD5 (verify): 88.0088.00
msecmsec RSA/MD5 (sign):RSA/MD5 (sign): 166.00 166.00 msecmsec
RSA Hardware available, where MD5 is RSA Hardware available, where MD5 is inherently hard to parallelize.inherently hard to parallelize.
01/04/2007 ecs236 winter 2007 49
Prevention
LSA Originator Digital SignatureLSA Originator Digital Signature (Perlman, (Perlman, Murphy/Badger, Smith/JJ)Murphy/Badger, Smith/JJ)
Debatable Concerns: (OSPF wk-group)Debatable Concerns: (OSPF wk-group) RSARSA is is too expensivetoo expensive (about 1,000 times worse (about 1,000 times worse
in signature verification with 512 bit keys)in signature verification with 512 bit keys) PKI CertificatePKI Certificate is expensive. is expensive. There are There are otherother routing infrastructure attacksrouting infrastructure attacks
that can that can not be preventednot be prevented by by LSA Digital LSA Digital SignaturesSignatures. (Cost/Market concern). (Cost/Market concern)
Political and Technical.Political and Technical.
01/04/2007 ecs236 winter 2007 50
Can we do it without Can we do it without PKI?PKI?
Preventing compromised intermediate routers???
01/04/2007 ecs236 winter 2007 51
Can we detect the Can we detect the problem?problem?
Authenticated LSAs but the authentication information is kept until a session is over.
This Link is UP!
MAC-Seq#
session
K tuples of [MAC(i), Seq#(i)], RtrID
RSA/MD5
01/04/2007 ecs236 winter 2007 52
Prevention versus Prevention versus DetectionDetection
Prevention: pay a fixed price anyway, even no bad guy exists.
Detection/Isolation: “hopefully” pay less when no bad guy exists. pay more when trying to isolate the bad guys.
Self-Stabilization Time: – (Detection + Isolation)
01/04/2007 ecs236 winter 2007 53
Let’s look at the attack Let’s look at the attack again!!again!!
Why do we need to ADD something to handle OSPF attacks?
01/04/2007 ecs236 winter 2007 54
Sequence #: old vs. new LSAs
ATM
0x80000001
Next: 0x80000002Only accept LSAs withnewer/larger Seq#.
01/04/2007 ecs236 winter 2007 55
Attack
ATMSeq#
(1) 0x90001112
- 0x90001111- 0x90001112 (later)- 0x90001113
01/04/2007 ecs236 winter 2007 56
Attack and Fight-Back
ATMSeq#
(1) 0x90001112
(2) 0x90001113(3) 0x90001114 fight-back
01/04/2007 ecs236 winter 2007 57
Seq++ Attack and Fight-Back
ATM(1) 0x90001112
(2) 0x90001113(3) 0x90001114 fight-back
1
3
01/04/2007 ecs236 winter 2007 58
Victim
Attacker
ATM
down
Seq#
Current Seq# 9123abe0
Attacking Seq# 9123abe1
Originator??
Responding Seq# 9123abe2
01/04/2007 ecs236 winter 2007 59
Attacker
Attacker
Victim
ATM
down
Seq#
Current Seq# 9123abe0
Attacking Seq# 9123abe1
Originator??
Responding Seq# 9123abe2
Partition
01/04/2007 ecs236 winter 2007 60
OSPF Security StrengthOSPF Security Strength
In most cases, if something goes wrong, the advertizing router will detect it and try to correct it.
The bad guy has to persistently inject bad LSAs.
Self-Stabilization Protocols: can not handle continuous faults but force the attacker to perform only persistent attacks.
01/04/2007 ecs236 winter 2007 61
A Principle/Heuristic A Principle/Heuristic Rule of Rule of
Intrusion DetectionIntrusion Detection Hit-and-Run Attacks: Hard to Detect/Isolate
– Inject one (or very few) bad packet causing permanent or long term damage.
Persistent Attacks: – The bad guy has to continuously inject attack
packets.
01/04/2007 ecs236 winter 2007 62
Network Network Protocol/System DesignProtocol/System Design If we can force the attackers to only launch
“persistent attacks,” we have a better chance to detect and isolate the attack sources.
OSPF Flooding, for example, does a fairly good job. (still need some formal/theoretical research work here…)
01/04/2007 ecs236 winter 2007 63
Attacks on OSPF/RFCAttacks on OSPF/RFC
Persistent Attacks Hit-and Run
known Digital SignaturePreventable Attacks
One “sort-of” Hit-and-Run attack in OSPFv2 RFCis the “External-Forwarding-Link LSA Attack,” and it cannot be prevented by Digital Signature.
?
01/04/2007 ecs236 winter 2007 64
Attacks on Attacks on OSPF/ImplementationOSPF/ImplementationPersistent Attacks Hit-and Run
known Digital SignaturePreventable Attacks
MaxSeq# attack ( ) was a Persistent Attack in OSPF/RFC,but, with implementation bugs, it becomes a Hit-and-Runattack ( ).
01/04/2007 ecs236 winter 2007 65
Results for OSPF:Results for OSPF:
According to the RFC, all the known Digital-Signature-preventable attacks can be efficiently detectable. (There are no known Hit-and-Run OSPF attacks that can be prevented by PKS digital-signature.)
According to the OSPF Implementations, one such Hit-and-Run attack does exist.
01/04/2007 ecs236 winter 2007 66
Max-Sequence Number Max-Sequence Number AttackAttack
Block LSA updates for one hour by injecting one bad LSA. (You can hit it once and come back in an hour.)
Implementation Bug! (Two Packages) MaxSeq# LSA Purging has not been
implemented correctly!!
01/04/2007 ecs236 winter 2007 67
Sequence #: Counter Flushing
ATM
(1) 0x7FFFFFFF MaxSeq#
(2) 0x7FFFFFF with MaxAge to purge this entry.(3) 0x80000001.
01/04/2007 ecs236 winter 2007 68
Sequence #: Counter Flushing
ATM
(1) 0x7FFFFFFF MaxSeq#
(2) 0x7FFFFFF with MaxAge to purge this entry.(3) 0x80000001.
01/04/2007 ecs236 winter 2007 69
MaxSq# Attack
ATMSeq#
(1) 0x90001112
(2) 0x7FFFFFFF MaxSeq#
(3) 0x80000001 fight-back
(4). 0x7FFFFFFF
01/04/2007 ecs236 winter 2007 70
Properties of MaxSeq# Properties of MaxSeq# AttacksAttacks
Hit-and-Run for an Hour. The bad guy can “control” the topology database for an hour.
The Victim continuously argues with its (very likely, honest) neighbors about which LSA is fresher. (0x7FFFFFFF versus 0x80000001).
To eliminate the problem before one hour, “All” routers must be shut down “simultaneously.”
Or, have an active process to pump the purging packets into the network.
01/04/2007 ecs236 winter 2007 71
Max-Sequence Number Max-Sequence Number AttackAttack
Block LSA updates for one hour by injecting one bad LSA. (You can hit it once and come back in an hour.)
Implementation Bug! (Two independently developed OSPF packages.)
MaxSeq# LSA Purging has not been implemented correctly!!
Announced in May, 1997.
01/04/2007 ecs236 winter 2007 72
Detection Detection Isolation Isolation
Detection Understand Isolation
01/04/2007 ecs236 winter 2007 73
Partitioned by Bad Partitioned by Bad Router(s)Router(s)
Area FOO Area BAREVE
EVE can cheat FOO about BAR’s topology without beingdetected by BAR.(EVE can intercept the tampered BAR’s LSAs from FOO to BAR.)
01/04/2007 ecs236 winter 2007 74
But….But….
Any packets from FOO to BAR will pass EVE anyway. (I.e., EVE already has the access to all the packet streams between FOO and BAR.)
It is not necessary for EVE to attack the routing information exchange protocols.
01/04/2007 ecs236 winter 2007 75
Is the network partitioned?
YES.YES. The bad guy doesn’t need to attack RIB!The bad guy doesn’t need to attack RIB!
NO.NO. With OSPF, the bad LSAs should flowed back With OSPF, the bad LSAs should flowed back
to the originator.to the originator. The originator will fight back to correct the The originator will fight back to correct the
problem. (Self Stabilization)problem. (Self Stabilization) The bad guy has to persistently attack.The bad guy has to persistently attack.