Post on 21-Dec-2015
PEDS II - 10072002 1
An Overview of Intrusion Detection & Countermeasure Systems – Research Directions, Part II
Fernando C. Colon Osorio
Computer Science Department
Worcester, MA 01609
PEDS II - 10072002 2
Outline
• Previous Talk – what did we cover last?
  – Definitions
  – A Model of an Intrusion
  – Basic Approaches
  – Critical research problems
• PEDS – Part II
  – S.A.F.E. Architecture
  – S.A.F.E. approach to critical research problems
  – Other related topics
• Conclusions
PEDS II - 10072002 3
Intrusion Detection System – Definition
Formal Definition [10], [11]
“Intrusion Detection (ID) is the problem of identifying individuals who are using, or attempting to use, a computer system without authorization (i.e., crackers) and those who have legitimate access to the system but are abusing their privileges (i.e., the insider threat).”
PEDS II - 10072002 4
Intrusion Timeline (figure). Left to right: System is Secure/Dependable; 1st Intrusion Attempt; 2nd Intrusion Attempt; …; Nth Intrusion Attempt (Success); Intrusion Detected by IDS and/or IDCS; Intrusion Countermeasures Launched; System is Secure/Dependable; Mth Intrusion Attempt (Success). Intervals marked: MTBASI (attempts 1 … N), MTTID, MTTCI, MTBSI. Annotation on this slide: “Attacks Begin” (the 1st intrusion attempt).
PEDS II - 10072002 5
Intrusion Timeline (figure, same as slide 4). Annotation on this slide: “Attack Is Successful” (the Nth intrusion attempt).
PEDS II - 10072002 6
Intrusion Timeline (figure, same as slide 4). Annotation on this slide: “Diagnosis Region” (the interval following detection).
PEDS II - 10072002 7
Intrusion Timeline (figure, same as slide 4). Annotation on this slide: “Repair / Re-Integration Region”.
PEDS II - 10072002 8
Intrusion Timeline (figure, same as slide 4). Annotation on this slide: “System Operational”.
PEDS II - 10072002 9
Anomaly vs. Misuse IDS systems
In past years, multiple Intrusion Detection systems have been proposed and implemented. All of the proposed systems are based on one or the other of two basic approaches:
• anomaly detection
• misuse detection.
Note: Kumar [13] presents a fairly complete categorization of the most important systems proposed or built thus far.
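The two approaches above, worked through in added example code that is not from the slides or from any system they describe: a rule-set misuse detector and a per-subject activity-profile anomaly detector, both run over a small constructed audit trail. The subjects, commands, byte counts and rule names are all constructed for the example.

```python
# Added example (not from the slides): misuse detection and anomaly detection
# side by side, run over a small constructed audit trail.
import re
import statistics
from collections import defaultdict

# Constructed audit records: (subject, command line, bytes transferred).
AUDIT_TRAIL = [
    ("alice", "ls -la /home/alice", 120),
    ("alice", "cat report.txt", 2048),
    ("alice", "scp report.txt backup:/srv", 2100),
    ("alice", "ls /tmp", 90),
    ("alice", "cat notes.txt", 1800),
    ("bob", "cat /etc/shadow", 1500),                   # matches a misuse rule
    ("alice", "tar czf all.tgz /home/alice", 950000),   # far outside alice's profile
]

# Misuse detection: a rule set of known-bad patterns (the "Rule Set" box in
# Denning's model).  Rule names are constructed for this example.
MISUSE_RULES = {
    "read-password-database": re.compile(r"\bcat\s+/etc/(passwd|shadow)\b"),
    "audit-log-tampering": re.compile(r"\brm\b.*\s/var/log/"),
}


def misuse_detect(trail):
    """Return (record index, subject, rule name) for every record matching a rule."""
    hits = []
    for i, (subject, command, _) in enumerate(trail):
        for name, pattern in MISUSE_RULES.items():
            if pattern.search(command):
                hits.append((i, subject, name))
    return hits


def anomaly_detect(trail, min_records=3, threshold=3.0):
    """Anomaly detection against a per-subject activity profile.

    The profile (mean and population std-dev of bytes transferred) is built
    only from the records already seen for that subject, so each record is
    judged against past behaviour and then folded into the profile.  A record
    is an anomaly when it lies more than `threshold` std-devs from the mean.
    """
    history = defaultdict(list)
    anomalies = []
    for i, (subject, _, nbytes) in enumerate(trail):
        past = history[subject]
        if len(past) >= min_records:
            mu = statistics.mean(past)
            sigma = statistics.pstdev(past)
            # A flat profile (sigma == 0) flags any departure from the mean.
            if sigma > 0:
                z = abs(nbytes - mu) / sigma
            else:
                z = float("inf") if nbytes != mu else 0.0
            if z > threshold:
                anomalies.append((i, subject, round(z, 1)))
        past.append(nbytes)  # update profile with the record just judged
    return anomalies


if __name__ == "__main__":
    print("misuse  :", misuse_detect(AUDIT_TRAIL))
    print("anomaly :", anomaly_detect(AUDIT_TRAIL))
```

Bob's read of the password database is caught only by the rule set (he has too little history for a profile), while alice's bulk archive is caught only by her profile (no rule describes it); the two approaches cover different parts of the timeline.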
PEDS II - 10072002 10
Intrusion Timeline (figure, same as slide 4), annotated with two regions of the timeline: the Realm of Misuse Detection Techniques and the Realm of Anomalous Detection Techniques.
PEDS II - 10072002 11
Figure 1 – Generic Intrusion Detection Model [Denning] (figure). Components: Environment, Clock, Event Generator, Activity Profile, Rule Set. The Event Generator consumes Audit Trails / Network Packets / Application Trails and emits the event stream S = { s1, s2, …, sn }. Flows: Generate New Profile Dynamically; Generate Anomaly Records; Update Profile; Assert New Rules; Modify Existing Rules.
PEDS II - 10072002 12
Problems with Current Approaches
• Amongst the most important considerations and limitations present in the design of all such systems are the following problems.
• Problem # 1: Feature selection and pattern categorization.
  – Simply stated, in Denning’s Model (Figure 1) it is assumed that the event generator can effectively select, a priori, the set of features or measures to monitor that will render an optimal set for Intrusion Detection.
• Problem # 2: the problem of adaptation.
  – Systems have been built and deployed that deal very effectively with threats or intrusions previously reported or categorized.
  – When previously unseen threats appear, the systems perform poorly.
    • In the 1999 DARPA Off-Line Intrusion Detection Evaluation [14], it was reported that the systems under test failed to detect an attack in 17.2 %
PEDS II - 10072002 13
Problems, contn..
• Problem # 3: Fault Tolerance
  – Resistance to subversion: systems do fail due to accidental or malicious activities.
    • The system being designed must be able to recover from the traditional forms of failures such as crashes, software failures, and so forth.
    • The system must be able to protect itself from deliberate attempts to compromise it.
• Problem # 4: Performance
  – The system must impose minimal overhead on the system it is protecting while running.
  – The system must be capable of sustaining its performance characteristics under increasing loads and changes in the pattern of usage.
PEDS II - 10072002 14
Problems, contn..
• Problem # 5: Intrusion Detection System Evaluation & Characterization
  – Workloads
  – Definition of “Goodness” – i.e., how reliable in detecting intrusions is the system?
    • MTBIS
    • MTTR after an intrusion?
    • Others?
PEDS II - 10072002 15
Secure Architecture & Fail-safe Engine (S.A.F.E.)
The S.A.F.E. Intrusion Detection & Countermeasure system was conceived with the specific goal of attacking the above problems, and some others.
S.A.F.E. is a distributed, rather than a network- or host-based, system.
• Its structure is similar to the structure proposed in AAFID [see Balasubramaniyan and Garcia-Fernandez, 1998] in the sense that it depends on a set of autonomous objects (agents in AAFID nomenclature) that can reside anywhere in a network.
• However, S.A.F.E. differs significantly from AAFID, or other distributed Intrusion Detection systems (see the EMERALD system), in that all control is distributed, and implemented using a system-wide distributed component called the Trust Manager (TTM).
PEDS II - 10072002 16
Secure Architecture & Fail-safe Engine (S.A.F.E.)
S.A.F.E. Intrusion Detection & Countermeasure system architecture:
– Real time
– Distributed
  • Most existing IDS are either host or network based: single point of failure, lack of scalability, poor performance.
  • S.A.F.E. architecturally/logically partitions the functions of an IDS into a set of objects that reside anywhere in the system or the network.
– Hierarchical
  • A set of reliable services is provided reliably and securely to the upper layers of the architecture.
– Fault-Resilient
  • Internal failures
  • External attacks
PEDS II - 10072002 17
Secure Architecture & Fail-safe Engine (S.A.F.E.)
S.A.F.E. Architectural Components:
• Probes := data collection objects. Probes are started/stopped by the Event Generator Object (EGO).
• EGO := independent running entity that provides some of the basic S.A.F.E. services.
  – Starts/stops probes
  – Filters data from probes. It provides data collection and a data abstraction layer (for a common architecture)
  – Implements lower-level intrusion detection functions
  – Provides a Class of Event Service
• Secure Host Manager (SHM) := independent running entity that provides two basic services:
  – Intrusion detection for the host
  – Implements “learning” functions
  – In addition, the SHM:
    » Provides the Trust Manager with a “Last Gasp” message – “I am Potentially Compromised” – before launching its countermeasure functions.
    » Stops processing further requests from the Trust Manager – takes itself off-line.
    » Launches countermeasures.
    » Starts/stops all EGO objects.
PEDS II - 10072002 18
Secure Architecture & Fail-safe Engine (S.A.F.E.)
S.A.F.E. System Wide Services:
• TTM := the trust manager. The TTM is an independent entity serving three major functions:
  – It “knows” which logical “nodes” can be trusted.
    • This is accomplished through the concept of a trust relationship matrix.
    • The nodes’ trust measure tij is added, modified, and changed using a distributed software algorithm.
    • The algorithm is based on the solution to the “Byzantine Generals’ Problem”.
  – It delivers the “Last Gasp Message” to other nodes in the system.
  – It prevents partition of the trust system.
• Atomicity Manager (ATOM) := independent entity providing atomic secure operations across the system.
  – An independent running entity that provides some of the basic S.A.F.E. services.
PEDS II - 10072002 19
Secure Architecture & Fail-safe Engine (S.A.F.E.)
(figure) Several hosts, each with Probes (P) feeding an Event Generator Object (EGO), a Secure Host Manager (SHM) on each host, and Trust Manager (TTM) components distributed across the hosts.
PEDS II - 10072002 20
S.A.F.E. SHM Intrusion Detection & Learning Engine
(figure) Input pairs ( class(x), x ) from the Lower Level Intrusion Detection (EGO) feed k base classifiers C1(x), C2(x), …, Ck(x); their outputs are weighted, wi * Ci(x), and combined into a True/False decision (Intrusion Correctly Identified); a feedback function G(wi) adjusts each weight.
PEDS II - 10072002 21
Intrusion Detection Models
Figure 3 – Model of An Intrusion/Attack (figure). Nodes a, b, c, d, e, f, g, h with trust relations Tab, Tae, Tea, Tce, Tec, Teb, Tbd, Tdg, Teg, Tef, Thg, Tfh. Node a is the Source of Attack; Node h is the Node Under Attack.
PEDS II - 10072002 22
A network Model
• A trust function Tij(t), for i ≠ j, exists between two nodes; it is not necessarily symmetrical.
• The trust function Tij(t) changes over time.
• In addition, the lack of trust between two nodes will be denoted as a trust relationship of zero value, Tij(t) = 0.
• In the above example, Node a is the source of the intruder attack, while Node h is the target of the attack. Note that the paths for the intruder are
  – Path 1: a → e → g → h
  – Path 2: a → b → e → g → h
  – Path 3: a → d → g → h
• This topological constraint amongst nodes in a network has a significant advantage over other approaches: it allows the designer of the IDC System to create multiple logical layers of defense against intruders, in effect creating time to detect potential intrusions and thwart them.
• Example
  – Let’s say that nodes b and e suspect an intrusion by using traditional audit methods. Then nodes b and e can invoke a state change on their trust relationships with other nodes in such a way that (Equation 1):
    Taj(t) = 0 for all j ≠ a and t > t of intrusion; and
    Tej(t) = 0 for all j ≠ e and t > t of intrusion.
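The trust function, Equation 1 and the SHM “Last Gasp” message from the S.A.F.E. components slide, worked through in added example code that is not S.A.F.E.'s own implementation. It builds T_ij(t) over the node graph of Figure 3 (the initial trust values, and that every relation starts out mutual, are assumptions; the slides only say the relations exist), has the suspecting nodes b and e apply Equation 1, and enumerates which attacker paths from a to h remain open. Two further modelling assumptions: a hop i → j is accepted only while j still trusts i, and a node that receives a last gasp stops trusting the sender.

```python
# Added example (not S.A.F.E. code): a time-varying trust matrix T_ij(t) over
# the node graph of Figure 3, Equation 1 applied by nodes that suspect an
# intrusion, the SHM "Last Gasp" message, and a check of which attacker paths
# remain open.  Initial trust values are an assumption.

# Trust relations read off Figure 3; a pair (x, y) stands for T_xy.
FIGURE3_RELATIONS = [
    ("a", "b"), ("a", "e"), ("e", "a"), ("c", "e"), ("e", "c"), ("e", "b"),
    ("b", "d"), ("d", "g"), ("e", "g"), ("e", "f"), ("h", "g"), ("f", "h"),
]


class TrustManager:
    """Toy stand-in for the TTM: holds T_ij(t), logs events, answers reachability."""

    def __init__(self, relations, initial=1.0):
        self.nodes = sorted({n for pair in relations for n in pair})
        self.trust = {}
        for i, j in relations:
            # Assumption: every listed relation starts out mutual and fully trusted.
            self.trust[(i, j)] = initial
            self.trust[(j, i)] = initial
        self.offline = set()
        self.log = []  # (time, message) delivered through the trust manager

    def T(self, i, j):
        """T_ij: how much node i trusts node j (0 when no relation exists)."""
        return self.trust.get((i, j), 0.0)

    def isolate(self, node, t):
        """Equation 1 for `node`: T_node,j(t) = 0 for all j != node, t > t_intrusion."""
        for j in self.nodes:
            if j != node:
                self.trust[(node, j)] = 0.0
        self.log.append((t, f"{node}: trust in all other nodes set to 0"))

    def last_gasp(self, node, t):
        """SHM on `node` reports "I am potentially compromised" and goes off-line.

        The TTM delivers the message to every other node.  Assumption: a node
        that receives the last gasp stops trusting the sender (T_i,node = 0).
        """
        self.log.append((t, f"{node}: I am potentially compromised"))
        self.offline.add(node)
        self.isolate(node, t)
        recipients = [i for i in self.nodes if i != node]
        for i in recipients:
            self.trust[(i, node)] = 0.0
        return recipients

    def attack_paths(self, source, target):
        """All simple paths source -> target along which every hop i -> j is
        accepted, i.e. j is on-line and still trusts i (T_ji > 0)."""
        paths = []

        def walk(node, path):
            if node == target:
                paths.append(list(path))
                return
            for j in self.nodes:
                if j in path or j in self.offline or self.T(j, node) <= 0:
                    continue
                path.append(j)
                walk(j, path)
                path.pop()

        walk(source, [source])
        return paths


if __name__ == "__main__":
    ttm = TrustManager(FIGURE3_RELATIONS)
    print(len(ttm.attack_paths("a", "h")), "paths before any reaction")
    ttm.isolate("b", t=1)  # b and e suspect an intrusion and apply Equation 1
    ttm.isolate("e", t=1)
    print(len(ttm.attack_paths("a", "h")), "paths after b and e apply Equation 1")
```

With every relation trusted there are seven simple paths from a to h; once b and e apply Equation 1 the attacker at a can no longer enter the network at all, and a last gasp from e alone still leaves exactly one path (through b and d), which is the "layers of defense" buying detection time.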
PEDS II - 10072002 23
Problems & Well Known Solutions Present in the IDCS field
• Problem # 1: Feature selection and pattern categorization.
  – Simply stated, in Denning’s Model (Figure 1) it is assumed that the event generator can effectively select, a priori, the set of features or measures to monitor that will render an optimal set for Intrusion Detection.
PEDS II - 10072002 24
Figure 1 – Generic Intrusion Detection Model [Denning] (figure repeated from slide 11).
PEDS II - 10072002 25
Learning, Feature Selection, Inductive Learning, Learning with a teacher, KDD systems
Given a training set characterized by training samples,
  T = { (x1, y1), (x2, y2), …, (xn, yn) }
for some unknown function ƒ(x) = y,
where each xi is an attribute vector of the form
  Xi = { xi1, xi2, …, xik },
and each yi is a class label belonging to the set
  Y = { y1, y2, …, ym },
find the mapping (function) ƒ* such that ƒ*(x) approximates ƒ(x).
PEDS II - 10072002 26
Learning, Feature Selection, Inductive Learning, Learning with a teacher, KDD systems, contn…
Three important and critical questions:
Q1: Does an ƒ*(x) exist? I.e., is there a pattern? Is there knowledge to be mined? Is there learning to be developed?
Q2: What is the correct set of features xik providing the “best” inference rules?
Q3: If ƒ*(x) exists, then what is the computational complexity of the algorithms trying to find ƒ*(x)?
In this context, we are interested in algorithms that can find ƒ*(x) in finite time. Or: what is the computational quality, Qc(s), of the algorithm?
In this context, given two algorithms that find ƒ*(x), A1 and A2, then
  Qc(A1) > Qc(A2) if the computational running time of A1 << that of A2.
PEDS II - 10072002 27
Problems & Well Known Solutions Present in the IDCS field
• Problem # 2: the problem of adaptation.
  – Systems have been built and deployed that deal very effectively with threats or intrusions previously reported or categorized.
  – When previously unseen threats appear, the systems perform poorly.
    • In the 1999 DARPA Off-Line Intrusion Detection Evaluation [14], it was reported that the systems under test failed to detect an attack in 17.2 %
PEDS II - 10072002 28
Figure 1 – Generic Intrusion Detection Model [Denning] (figure repeated from slide 11).
PEDS II - 10072002 29
Figure 2 – A simplified Intrusion Detection Engine (figure). Environment and Clock feed a Decision Engine backed by the Memory of the IDS (Rule Set / Activity Profile). The decision function is fg( , S, M, P(n), T, G ) over the event stream S = { s1, s2, …, sn }; its outputs are Create New Rules/Profiles and Modify Existing Rules/Profiles.
PEDS II - 10072002 30
Meta - Learning
Loose Definition [Chan ’93]:
“Learning from learned knowledge”
References:
[Chan ’93] := P. Chan and S. Stolfo, “Experiments on multistrategy learning by meta-learning”, Proc. Second International Workshop on Multistrategy Learning, pp. 150-165, 1993.
PEDS II - 10072002 31
Meta – Learning, contn…
Let the training set be instances of correct classifications and predictions, such that the training set is of the form:
  T = { class(x), C1(x), C2(x), …, Ck(x) | x ∈ E }
PEDS II - 10072002 32
S.A.F.E. SHM Intrusion Detection & Learning Engine
(figure repeated from slide 20) Input pairs ( class(x), x ) feed k base classifiers C1(x), C2(x), …, Ck(x); their outputs are weighted, wi * Ci(x), and combined into a True/False decision (Intrusion Correctly Identified); a feedback function G(wi) adjusts each weight.
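The meta-learning training set T and the SHM engine figure above, worked through in added example code that is not S.A.F.E. code: three constructed base classifiers over constructed feature vectors, an arbiter that sums wi * Ci(x) against a threshold to give the True/False decision, and a feedback function G(wi) that recomputes each weight from true/false feedback. The slides do not specify G; the Laplace-smoothed precision used here, the classifiers, the features and the training set are all assumptions.

```python
# Added example (not S.A.F.E. code): a meta-learner in the shape of the SHM
# Intrusion Detection & Learning Engine figure.  Base classifiers, features
# and training data are constructed; G(w_i) is an assumed update rule.

# Constructed feature vector x = (failed_logins, new_process_count, bytes_out_kb).
def c1_failed_logins(x):
    return x[0] >= 5


def c2_process_burst(x):
    return x[1] >= 20


def c3_exfil_volume(x):
    return x[2] >= 5000


BASE_CLASSIFIERS = [c1_failed_logins, c2_process_burst, c3_exfil_volume]

# T = { class(x), C1(x), ..., Ck(x) | x in E }: constructed labelled events.
# C2 fires on legitimate build jobs, so the arbiter should learn to trust it less.
TRAINING = [
    ((6, 3, 40), True),     # brute force: only C1 fires
    ((1, 25, 60), False),   # build job: C2 false-positives
    ((0, 2, 9000), True),   # exfiltration: only C3 fires
    ((7, 1, 30), True),
    ((1, 30, 50), False),
    ((0, 1, 7000), True),
    ((0, 22, 80), False),
    ((5, 2, 20), True),
]


class MetaLearner:
    """Arbiter: score(x) = sum_i w_i * C_i(x); intrusion iff score >= threshold."""

    def __init__(self, classifiers, threshold=0.5):
        self.classifiers = classifiers
        self.tp = [0] * len(classifiers)   # correct alarms per classifier
        self.fp = [0] * len(classifiers)   # false alarms per classifier
        self.threshold = threshold

    def meta_record(self, x, label):
        """One element of T: (class(x), C1(x), ..., Ck(x))."""
        return (label, tuple(c(x) for c in self.classifiers))

    def weights(self):
        """G(w_i): Laplace-smoothed precision of each classifier so far (assumed rule)."""
        return [(tp + 1) / (tp + fp + 2) for tp, fp in zip(self.tp, self.fp)]

    def feedback(self, x, label):
        """Fold the true/false feedback for one event into the counts behind G."""
        _, votes = self.meta_record(x, label)
        for i, fired in enumerate(votes):
            if fired:
                if label:
                    self.tp[i] += 1
                else:
                    self.fp[i] += 1

    def fit(self, training):
        for x, label in training:
            self.feedback(x, label)
        return self.weights()

    def score(self, x):
        return sum(w for w, c in zip(self.weights(), self.classifiers) if c(x))

    def predict(self, x):
        return self.score(x) >= self.threshold

    def accuracy(self, labelled):
        correct = sum(self.predict(x) == label for x, label in labelled)
        return correct / len(labelled)


if __name__ == "__main__":
    ml = MetaLearner(BASE_CLASSIFIERS)
    print("before feedback:", ml.weights(), ml.accuracy(TRAINING))
    print("after feedback :", ml.fit(TRAINING), ml.accuracy(TRAINING))
    print("build job      :", ml.predict((0, 40, 100)))
```

Before any feedback every classifier carries the same weight and the noisy process-burst detector alone pushes the score over the threshold; after feedback its weight drops to 0.2, so a lone C2 vote no longer raises an alarm while a lone vote from either trusted classifier still does.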
PEDS II - 10072002 33
Problems, contn..
• Problem # 3: Fault Tolerance
  – Resistance to subversion: systems do fail due to accidental or malicious activities.
    • The Trust Manager (TTM)
• Problem # 4: Performance
  – Distributed architecture
  – Light weight processes
  – Simple objects
PEDS II - 10072002 34
Problems, contn..
• Problem # 5: Intrusion Detection Systems Evaluation & Characterization
  – Workloads – testing, e.g., the 1999 DARPA evaluation uses 10 workloads or traces to compare systems
    • Results are empirical
    • Not representative of all environments
    • Very little data available
  – Definition of “Goodness” (Modeling)
    • How reliable in detecting intrusions is the system? and
    • How intrusion resilient is the underlying system being protected?
PEDS II - 10072002 35
Intrusion Timeline (figure, same as slide 4), with “Attacks Begin” marked and an additional interval, MTTR.
PEDS II - 10072002 36
Problem # 5: Intrusion Detection Systems Evaluation & Characterization, contn..
• Definition of “Goodness” – i.e., how reliable is the system with respect to intrusions?
  • MTBFi – mean time between failures/intrusions (defn: in this context a failure is a successful intrusion) – a measure of the underlying system being protected.
  • MTTID – mean time to intrusion detection
  • MTTCI – mean time to countermeasure issuance
  • MTTR – mean time to contain & repair a successful intrusion
  • Of course – Availability, or A(t) = P({ system is operational and intrusion free at time t1 if it was intrusion free at time t0 })
Other metrics:
  • MTBASI – mean time between 1st attack and successful intrusion
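The metrics listed above computed from a constructed incident record, as an added example that is not from the slides. Times are hours from the start of an observation window. Where the slides leave the reference point open the choice is an assumption: MTTCI and MTTR are measured from detection, and availability is taken as the fraction of the window spent operational and intrusion free, a steady-state simplification of A(t).

```python
# Added example (not from the slides): the intrusion-timeline metrics computed
# from a constructed incident record.  Times are hours from the start of an
# observation window.
from statistics import mean

# Constructed record of three intrusion episodes.  For each episode: when the
# first attack attempt was seen, when an attempt succeeded, when the IDS/IDCS
# detected it, when countermeasures were issued and when repair completed.
INCIDENTS = [
    {"attack_begin": 10.0, "success": 14.0, "detected": 15.0, "countermeasure": 15.5, "repaired": 20.0},
    {"attack_begin": 100.0, "success": 101.0, "detected": 105.0, "countermeasure": 106.0, "repaired": 112.0},
    {"attack_begin": 300.0, "success": 306.0, "detected": 306.5, "countermeasure": 307.0, "repaired": 309.0},
]
WINDOW_HOURS = 400.0
ORDER = ("attack_begin", "success", "detected", "countermeasure", "repaired")


def validate(incidents):
    """Each episode's timestamps must be non-decreasing in ORDER; a record that
    claims detection before the intrusion succeeded is a logging error."""
    for n, inc in enumerate(incidents):
        times = [inc[k] for k in ORDER]
        if any(later < earlier for earlier, later in zip(times, times[1:])):
            raise ValueError(f"incident {n}: events out of order {times}")
    return True


def mtbasi(incidents):
    """Mean time between first attack attempt and successful intrusion."""
    return mean(i["success"] - i["attack_begin"] for i in incidents)


def mttid(incidents):
    """Mean time to intrusion detection, measured from the successful intrusion."""
    return mean(i["detected"] - i["success"] for i in incidents)


def mttci(incidents):
    """Mean time to countermeasure issuance; assumption: measured from detection."""
    return mean(i["countermeasure"] - i["detected"] for i in incidents)


def mttr(incidents):
    """Mean time to contain & repair; assumption: measured from detection."""
    return mean(i["repaired"] - i["detected"] for i in incidents)


def mtbfi(incidents):
    """Mean time between successful intrusions (a failure = a successful intrusion).
    Needs at least two episodes, otherwise there is no interval to average."""
    successes = sorted(i["success"] for i in incidents)
    if len(successes) < 2:
        return None
    return mean(b - a for a, b in zip(successes, successes[1:]))


def availability(incidents, window):
    """Fraction of the window in which the system was operational and intrusion
    free: a steady-state simplification of A(t) in which the system counts as
    compromised from a successful intrusion until repair completes."""
    compromised = sum(i["repaired"] - i["success"] for i in incidents)
    return (window - compromised) / window


if __name__ == "__main__":
    validate(INCIDENTS)
    for name, fn in [("MTBASI", mtbasi), ("MTTID", mttid), ("MTTCI", mttci),
                     ("MTTR", mttr), ("MTBFi", mtbfi)]:
        print(f"{name:7s} {fn(INCIDENTS):8.3f} h")
    print(f"A       {availability(INCIDENTS, WINDOW_HOURS):8.3f}")
```

The validation step matters in practice: detection and countermeasure timestamps usually come from a different log than the forensic reconstruction of when the intrusion succeeded, and an out-of-order record silently produces negative MTTID.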
PEDS II - 10072002 37
Problem # 5: Intrusion Detection Systems Evaluation & Characterization, contn..
• Definition of “Goodness” – i.e., how reliable is the system with respect to intrusions?
  • MTBFi – mean time between failures/intrusions (defn: in this context a failure is a successful intrusion)
    – A measure of the quality of the software system (O/S, applications, and so forth)
  • Further assume that MTBFi reflects the reliability of the software; then
    – techniques such as Component Based Reliability Estimation (CBRE), see Krishnamurthy and Mathur;
    – software test coverage and reliability techniques, see Malaiya and Karcich, where software testing & coverage is used as
      » predictors of software reliability,
      » to estimate the remaining defects or number of residual faults, and
      » mean time between failures or bugs,
    are all applicable.
• Challenge – to define an accurate model!!!
PEDS II - 10072002 38
Other related Topics – Honeypots & Honeynets
Honeypot:
• A honeypot is a fake or false system to lure the hacker into. It provides another obstacle for the hacker.
• Honeypot systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system.
• Honeypot traps tempt intruders into areas which appear attractive, worth investigating and easy to access, taking them away from the really sensitive areas of your systems. They do not replace other traditional Internet security systems but act as an additional safeguard with alarms.
• A honeypot is a resource which pretends to be a real target. A honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about an attack and the attacker.
PEDS II - 10072002 39
Honeypots
Honeypots will help you:
• notice when you are penetrated
• learn how attacks are formed
• identify who is attacking you
PEDS II - 10072002 40
Honeypot Examples
• Honeypot Project
  – http://www.landfield.com/isn/mail-archive/2000/Nov/0124.html
• Deception Tool Kit Project
  – http://www.all.net/dtk/index.html
• Specter
  – http://www.specter.com/default50.htm
PEDS II - 10072002 41
“Specter” – Basic Idea
• Virtual Machine (VM) environment
  – Early traps
  – Early detection
PEDS II - 10072002 43
Honeypots Limitations
• Hard to maintain
• Human resource intensive – specialized knowledge:
  – Operating systems
  – Network security
  – Current deficiencies (holes) in both O/S and applications
PEDS II - 10072002 44
Honeynet
Honeynet / Honeypots
Honeynet (Defn)
• A network system
• All systems are standard production systems
• All usage is ~ production