GPN 2009 May 29, Kansas City, Missouri An open security defense architecture for open collaborative cyber infrastructures Xinming (Simon) Ou Kansas State University The Great Plains Network Annual Meeting 2009 Kansas City, Missouri



Challenges to securing cyber infrastructures

• Cyber warfare is asymmetric
  – An attack only needs to break a few points
  – Defense has to be comprehensive
• Attackers have the upper hand in automation
  – Many automated exploit tools
  – Not so many good defense tools
• Openness of academic cyber infrastructures
  – Unrealistic to impose draconian control on access


Multi-step Attacks (figure)

Topology: Internet → Firewall 1 → Demilitarized zone (DMZ: webServer serving webPages) → Firewall 2 → Corporation (workStation, fileServer exporting sharedBinary over NFS).

Attack path shown: a buffer overrun in the webServer is exploited from the Internet; from the webServer, NFS access to the fileServer is used to plant a Trojan horse in sharedBinary; when the workStation executes it, the attacker obtains a shell inside the corporate network.


Solution (figure)

Inputs to the Reasoning System:
  – System admin: host configuration, network configuration, information about users
  – Security expert: Linux security behavior, Windows security behavior, common attack techniques
  – CERT advisory: e.g. "Apache 1.3.4 bug!"
Output: potential attack paths


(figure) The Enterprise Network is subject to security scanning and monitoring; the collected information feeds an automated analyzer, which reports the baseline security status and suggests configuration changes to harden security. The analyzer draws on the broader security community: the NVD, an OVAL/Nessus repository and CVSS supply baseline security knowledge, complemented by high-level security knowledge.


MulVAL (figure)

Inputs:
  – Vulnerability information (e.g. NIST NVD)
  – Vulnerability definitions (e.g. OVAL, Nessus Scripting Language), consumed by a MulVAL Scanner on each host
  – Network reachability information, consumed by the Network Analyzer
  – User information
  – Interaction rules from security experts
The Analyzer answers questions such as "Could root be compromised on any of the machines?"

Ou, Govindavajhala, and Appel. Usenix Security 2005


Interaction Rules

execCode(Attacker, Host, PrivilegeLevel) :-
    vulExists(Host, Program, remote, privilegeEscalation),
    serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel),
    networkAccess(Attacker, Host, Protocol, Port).

Example (internet → Firewall 1 → dmz: webServer):

  vulExists(webServer, httpd, remote, privilegeEscalation).   (from MulVAL Scanner & OVAL, NVD)
  serviceRunning(webServer, httpd, tcp, 80, apache).          (from MulVAL Scanner)
  networkAccess(attacker, webServer, tcp, 80).

  Derived:
  execCode(attacker, webServer, apache).                      Oops!

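MulVAL evaluates rules like the one above with a Datalog engine (XSB). As an added illustration that is not MulVAL's code, the following Python sketch is a minimal forward-chaining evaluator run over the slide's rule and facts. The second rule (multiHop_access: code execution on one host grants the attacker that host's network access), the hacl facts and the fileServer service and vulnerability are constructed for this example and stand in for MulVAL's real reachability rules, which differ; the justification recorded for each derived fact is the kind of proof a logical attack graph is built from.

```python
"""Forward-chaining evaluator for MulVAL-style Datalog interaction rules.

Atoms are tuples (predicate, arg1, ...).  Capitalised terms are variables,
lower-case terms are constants, as in Datalog."""

def is_var(term):
    return isinstance(term, str) and term[:1].isupper()

def unify(pattern, fact, env):
    """Return env extended so that pattern matches fact, or None."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env

def substitute(atom, env):
    return (atom[0],) + tuple(env.get(t, t) for t in atom[1:])

def derive(facts, rules):
    """Least fixpoint of the rules over the facts.  Each derived fact is recorded
    with the rule and the body facts that justify it; that justification tree
    is what a logical attack graph is built from."""
    facts = set(facts)
    proofs = {}
    changed = True
    while changed:
        changed = False
        for name, head, body in rules:
            bindings = [({}, ())]
            for atom in body:                     # join each body atom against the facts
                bindings = [(env2, just + (fact,))
                            for env, just in bindings
                            for fact in facts
                            for env2 in [unify(atom, fact, env)] if env2 is not None]
            for env, just in bindings:
                new = substitute(head, env)
                if new not in facts:
                    facts.add(new)
                    proofs[new] = (name, just)
                    changed = True
    return facts, proofs

# The interaction rule from the slide, plus a simplified multi-hop rule that is
# an assumption of this example (MulVAL's real reachability rules differ):
# code execution on H1 gives the attacker whatever network access H1 has.
RULES = [
    ("execCode_remote",
     ("execCode", "Attacker", "Host", "Priv"),
     [("vulExists", "Host", "Program", "remote", "privilegeEscalation"),
      ("serviceRunning", "Host", "Program", "Proto", "Port", "Priv"),
      ("networkAccess", "Attacker", "Host", "Proto", "Port")]),
    ("multiHop_access",
     ("networkAccess", "Attacker", "H2", "Proto", "Port"),
     [("execCode", "Attacker", "H1", "AnyPriv"),
      ("hacl", "H1", "H2", "Proto", "Port")]),
]

# Constructed input modelled on the slide's DMZ example.  The hacl fact and the
# fileServer facts are invented for illustration and describe no real software.
FACTS = [
    ("vulExists", "webServer", "httpd", "remote", "privilegeEscalation"),
    ("serviceRunning", "webServer", "httpd", "tcp", "80", "apache"),
    ("networkAccess", "attacker", "webServer", "tcp", "80"),
    ("hacl", "webServer", "fileServer", "tcp", "2049"),   # Firewall 2 lets the DMZ reach NFS
    ("vulExists", "fileServer", "nfsd", "remote", "privilegeEscalation"),
    ("serviceRunning", "fileServer", "nfsd", "tcp", "2049", "root"),
]

def hosts_with_root(facts):
    """The slide's question: on which hosts could root be compromised?"""
    return sorted(f[2] for f in facts if f[0] == "execCode" and f[3] == "root")

def explain(fact, proofs, depth=0):
    """Render the justification tree of a derived fact as indented lines."""
    lines = ["  " * depth + "%s(%s)" % (fact[0], ", ".join(fact[1:]))]
    if fact in proofs:
        name, body = proofs[fact]
        lines[-1] += "   <- " + name
        for b in body:
            lines += explain(b, proofs, depth + 1)
    return lines

if __name__ == "__main__":
    all_facts, proofs = derive(FACTS, RULES)
    print("root compromisable on:", hosts_with_root(all_facts))
    print("\n".join(explain(("execCode", "attacker", "fileServer", "root"), proofs)))
```

Running it derives execCode(attacker, webServer, apache) exactly as on the slide, then, through the constructed multi-hop rule, network access to the fileServer's NFS port and root on the fileServer; explain() prints the two-stage justification that a Graph Builder would render as an attack graph.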

MulVAL Attack-Graph Toolkit (figure)

Machine configuration, network configuration and security advisories are encoded in a Datalog representation; together with the interaction rules they feed the MulVAL reasoning engine, which produces proofs of assertions; a Graph Builder turns those proofs into a logical attack graph.

Ou, Boyer, and McQueen. ACM CCS 2006
Joint work with Idaho National Laboratory


Test on a Real Network

• Used MulVAL to check the configuration of four Linux servers
  – Reported a potential two-stage attack path due to multiple vulnerabilities on a server:
    • Three local kernel vulnerabilities
    • One buffer overflow bug in libpng
  – Local users are trusted
  – The web browser links libpng
  – Hence the two stages: the libpng bug, reachable through the browser, yields a local user's privilege, and a local kernel vulnerability then yields root


The next challenge: Situation Awareness (figure)

How a system administrator pieced an incident together:
  – Network monitoring tools: abnormally high traffic
  – netflow dump: a TrendMicro server communicating with known BotNet controllers
  – memory dump: seemingly malicious code modules, and open IRC sockets to other TrendMicro servers
  – Conclusion: these TrendMicro servers are certainly compromised!


(figure) Observations (IDS alerts, netflow dump, syslog, server log …) are mapped to their semantics in an internal model; a reasoning engine over that model produces high-confidence conclusions with evidence and targets subsequent observations.


Observation Correspondence

Mapping observations to internal conditions: what you can see → what you want to know, with a mode (p = possible, l = likely, c = certain).

  obs(anomalyHighTraffic)                        → int(attackerNetActivity)         p
  obs(netflowBlackListFilter(H, BlackListedIP))  → int(compromised(H))              l
  obs(memoryDumpMaliciousCode(H))                → int(compromised(H))              l
  obs(memoryDumpIRCSocket(H1,H2))                → int(exchangeCtlMessage(H1,H2))   l



Internal Model

Logical relation among internal conditions: Condition1 "leads to" Condition2, i.e. Condition1 may cause Condition2. Each relation carries two modes, m1 and m2 (p = possible, l = likely, c = certain).

                                                                                   m1  m2
  int(compromised(H1))                                  → int(probeOtherMachine(H1,H2))   p   c
  int(compromised(H1))                                  → int(sendExploit(H1,H2))         p   c
  int(sendExploit(H1,H2))                               → int(compromised(H2))            l   p
  int(compromised(H1)), int(exchangeCtlMessage(H1,H2))  → int(compromised(H2))            p   c


Proof Strengthening (figure)

Observations O1, O2, O3: from O1 alone, f is likely true; from O2 alone, f is likely true; proof strengthening combines the independent proofs to conclude that f is certainly true.


The SnIPS system (figure)

Snort alerts are pre-processed into summarized tuples and passed, through the Observation Correspondence, to the Reasoning Engine, which also uses the Internal Model. A user query, e.g. "which machines are 'certainly' compromised?", returns high-confidence answers with evidence. The Observation Correspondence is built from the Snort Rule Repository; this is done only once.


Automate Model Building for Snort

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access"; uricontent:"/guestbook.pl"; classtype:attempted-recon; sid:1140;)

obsMap(obsRuleId_3615, obs(snort('1:1140', FromHost, ToHost, _Time)),
       int(probeOtherMachine(FromHost, ToHost)), ?).

The internal predicate is mapped from the rule's "classtype"; the mode (?) is not yet determined.


Automate Model Building for Snort (continued)

Hints from the natural-language description of Snort rules:

  Impact: Information gathering and system integrity compromise. Possible unauthorized administrative access to the server. Possible execution of arbitrary code of the attacker's choosing in some cases.
  Ease of Attack: Exploits exist.

obsMap(obsRuleId_3614, obs(snort('1:1140', FromHost, ToHost, _Time)),
       int(compromised(ToHost)), p).

obsMap(obsRuleId_3615, obs(snort('1:1140', FromHost, ToHost, _Time)),
       int(probeOtherMachine(FromHost, ToHost)), l).        (mode ? resolved to l)


Coverage

  Internal predicate                          % of rules
  Handled by the internal model               59%
  Suspicious                                  41%

• Snort has about 9000 rules.
• This is just a baseline and needs to be fine-tuned.
• It would make more sense for the rule writer to define the observation correspondence relation when writing a rule.


Experiment on Treasure Hunt data

• Data collected during a graduate-level course exercise
• The data set contains multi-stage attacks, as in real-world scenarios
• A large variety of monitoring data


Some Results

| ?- show_trace(int(compromised(H), c)).
int(compromised('192.168.10.90'),c)                                  strengthenedPf
  int(compromised('192.168.10.90'),l)                                intRule_1
    int(probeOtherMachine('192.168.10.90','192.168.70.49'),l)       obsRulePre_1
      obs(snort('122:1','192.168.10.90','192.168.70.49',_h272))
  int(compromised('192.168.10.90'),l)                                intRule_3
    int(sendExploit('128.111.49.46','192.168.10.90'),c)              obsRuleId_3749
      obs(snort('1:1807','128.111.49.46','192.168.10.90',_h336))

Reading the trace bottom-up: a probe was sent from 192.168.10.90 (Snort 122:1), and an exploit was sent to 192.168.10.90 (Snort 1:1807). Each alone makes "192.168.10.90 is compromised" only likely; the two independent proofs are strengthened to the conclusion that 192.168.10.90 was certainly compromised!

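As an added example that is not SnIPS code, the Python sketch below carries the pipeline of the preceding slides end to end: it builds observation-correspondence entries from Snort rule text via classtype (the "Automate Model Building for Snort" slides), runs the single-antecedent relations of the Internal Model over summarized alert tuples, and strengthens proofs as in the trace above. The classtype-to-predicate table, the rule names intRule_1 to intRule_3, reading m1 as the forward and m2 as the abductive mode, carrying the weaker mode along an inference, treating two likely proofs with independent evidence as certain, the sid 1807 rule text and the alert tuples are all assumptions or constructed input for this example.

```python
"""SnIPS-style reasoning over Snort alerts: observation correspondence built
from Snort rules, the slide's internal model with modes, proof strengthening.
Modes: p (possible) < l (likely) < c (certain).  Carrying the weaker mode along
an inference, and treating two proofs with independent evidence that are both
at least likely as certain, are this example's simplified assumptions."""
import re
from itertools import combinations

MODES = {"p": 0, "l": 1, "c": 2}

def weaker(m1, m2):
    return m1 if MODES[m1] <= MODES[m2] else m2

# classtype -> (internal predicate over (FromHost, ToHost), mode).  Assumed for
# this example; only attempted-recon -> probeOtherMachine comes from the slide.
CLASSTYPE_MAP = {
    "attempted-recon": ("probeOtherMachine", "l"),
    "attempted-admin": ("sendExploit", "c"),
}
SNORT_RULE_RE = re.compile(r"alert\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s*\((?P<opts>.*)\)")

def obs_map_entry(rule_text):
    """Parse one Snort text rule into ('1:<sid>', predicate, mode), or None."""
    m = SNORT_RULE_RE.search(rule_text)
    if not m:
        return None
    opts = dict(kv.strip().split(":", 1) for kv in m.group("opts").split(";") if ":" in kv)
    pred, mode = CLASSTYPE_MAP.get(opts.get("classtype", "").strip(), ("suspicious", "p"))
    return "1:" + opts["sid"].strip(), pred, mode

def build_obs_map(rule_texts, preprocessor_entries):
    """sid -> (predicate, mode).  Preprocessor alerts (gid other than 1) have
    no rule text and are supplied by hand."""
    obs_map = dict(preprocessor_entries)
    for entry in filter(None, map(obs_map_entry, rule_texts)):
        obs_map[entry[0]] = entry[1:]
    return obs_map

# The slide's single-antecedent relations, one entry per usable direction:
# (rule name, triggering predicate, fact derived from (src, dst), mode).
# Abductive entries (consequent seen -> antecedent) use the slide's m2, the
# forward entry its m1; that reading of m1/m2 and the numbering are assumed.
INTERNAL_MODEL = [
    ("intRule_1", "probeOtherMachine", lambda src, dst: ("compromised", src), "c"),
    ("intRule_2", "sendExploit", lambda src, dst: ("compromised", src), "c"),
    ("intRule_3", "sendExploit", lambda src, dst: ("compromised", dst), "l"),
]

def reason(alerts, obs_map):
    """alerts: summarized tuples (sid, from_host, to_host, time).  Returns
    {fact: [proof, ...]}, proof = (fact, mode, rule, evidence, sub-proofs),
    evidence being the frozenset of alert indices the proof rests on."""
    proofs = {}
    def add(proof):
        plist = proofs.setdefault(proof[0], [])
        if proof in plist:
            return False
        plist.append(proof)
        return True
    for i, (sid, src, dst, _time) in enumerate(alerts):       # observation correspondence
        if sid in obs_map:
            pred, mode = obs_map[sid]
            add(((pred, src, dst), mode, "obsRule(%s)" % sid, frozenset([i]), ()))
    changed = True                                             # internal model, to a fixpoint
    while changed:
        changed = False
        for fact, plist in list(proofs.items()):
            for proof in list(plist):
                for name, trigger, derive_fn, rule_mode in INTERNAL_MODEL:
                    if fact[0] == trigger:
                        changed |= add((derive_fn(*fact[1:]), weaker(proof[1], rule_mode),
                                        name, proof[3], (proof,)))
    for fact, plist in proofs.items():                         # proof strengthening
        likely = [p for p in plist if MODES[p[1]] >= MODES["l"]]
        for a, b in combinations(likely, 2):
            if not (a[3] & b[3]):                              # independent evidence
                add((fact, "c", "strengthenedPf", a[3] | b[3], (a, b)))
    return proofs

def certainly_compromised(proofs):
    return sorted(f[1] for f, ps in proofs.items()
                  if f[0] == "compromised" and any(p[1] == "c" for p in ps))

def show_trace(fact, proofs, mode="c"):
    """Indented derivation lines, after the slide's show_trace output."""
    def walk(proof, depth):
        f, m, rule, _ev, subs = proof
        out = ["  " * depth + "int(%s(%s),%s)  %s" % (f[0], ",".join(f[1:]), m, rule)]
        for sub in subs:
            out += walk(sub, depth + 1)
        return out
    return [line for p in proofs.get(fact, []) if p[1] == mode for line in walk(p, 0)]

# Constructed input: sid 1140 is the slide's rule; the sid 1807 text is made up
# here and is not Snort's.  Gid 122 is Snort's portscan preprocessor, mapped by
# hand like the slide's obsRulePre_1.  Alert tuples follow the slide's trace.
SNORT_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl '
    'access"; uricontent:"/guestbook.pl"; classtype:attempted-recon; sid:1140;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC constructed '
    'exploit attempt"; classtype:attempted-admin; sid:1807;)',
]
PREPROCESSOR_ENTRIES = {"122:1": ("probeOtherMachine", "l")}
ALERTS = [("122:1", "192.168.10.90", "192.168.70.49", "t1"),
          ("1:1807", "128.111.49.46", "192.168.10.90", "t2")]

def analyze(alerts=ALERTS):
    return reason(alerts, build_obs_map(SNORT_RULES, PREPROCESSOR_ENTRIES))
```

Calling show_trace(("compromised", "192.168.10.90"), analyze()) reproduces the shape of the slide's trace: one likely proof from the probe (intRule_1), one from the exploit (intRule_3), strengthened to certain. With only the probe alert, the host stays merely likely compromised, which is the point of requiring independent evidence. Under these assumptions the external host 128.111.49.46 is also reported as certain, because the slide's model says a host that sends exploits is itself attacker-controlled.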

Summary

• Open knowledge sharing and automated knowledge reuse are key to effective cyber defense
• Advantages of logic-based techniques
  – Publishing and incorporation of knowledge/information through well-understood logical semantics
  – Efficient and sound analysis by leveraging the reasoning power of well-developed logic-deduction systems


Who We Are

Argus: Cyber Security Research Group at Kansas State University
http://people.cis.ksu.edu/~xou/argus/
Contact me: Simon [email protected]

Thank You!
Questions?