New Methods in Attack Detection
Shambhu Upadhyaya (PI)
Computer Science and Engineering
University at Buffalo
Kevin Kwiat (Program Manager)
Air Force Research Lab, Rome, NY
Overall Outline
 Road map
 Significant accomplishments
 Publications
 Specific research projects
 Results
 Conclusion
CEISARE @
2
Road Map I
 Research Projects

Encapsulation of owner’s intent (1998)

Reasoning framework for IDS (1999)

Secure voting protocol work (2000)

IDS simulation (2001)

Encapsulation of program’s intent, Building secure enclaves (2002)
 Funding

AFOSR seed grant (1999)

AFOSR grant through AFRL and in part through ACRC (2000 – 2004)

AFOSR summer fellowships (through RDL, II and NRC)

DARPA seedling (2003)
CEISARE @
3
Road Map II


Students supported

Kiran Mantha, MS, 2001 (Deloitte & Touche, NY)

Ramkumar Chinchani, MS, 2002 (PhD student)

Neelesh Arora, MS, 2003 (Thomson Financial, NY)

Ashish Garg (PhD student)

Anusha Iyer (PhD student)

Aarthie Muthukrishnan (MS student)

Madhu Chandrasekharan (MS student)
Others involved

Ben Hardekopf (AFRL)

Alex Eisen (IASP Scholar)

Melissa Thomas (IASP Scholar)
CEISARE @
4
Significant Accomplishments




Research

Several publications, 1MS Thesis (2001), 1 Ph.D. dissertation (2004)

Funding from other agencies such as DARPA, NSA/ARDA
Conference/Workshops

Panel organization (IEEE SRDS 2000), Tutorial in IEEE MILCOM 2002

Plenary talk at MMM-2003, St. Petersburg, Russia (upcoming)
Academic

Center of Excellence status from NSA (2002), funding from DoD

Kevin Kwiat appointed as Research Associate Professor in CSE Dept.
Media

Research cited in Scientific American, Dec. 2002

Associated Press coverage of MILCOM 2002 work
CEISARE @
5
Publications


Conferences/Workshops

SCS International SPECTS, 1999 (Upadhyaya & Kwiat)

SCS SSC, 2000 (Mantha, Chinchani, Upadhyaya, Kwiat)

IEEE Aerospace Conf. , 2001 (Hardekopf, Kwiat, Upadhyaya)

IEEE SMC Workshop, 2001 (Upadhyaya, Chinchani, Kwiat)

IEEE SRDS, 2001 (Upadhyaya, Chinchani, Kwiat)

SCS Int. SPECTS, 2001 (Hardekopf, Kwiat, Upadhyaya)

IEEE MILCOM, 2002 (Chinchani, Upadhyaya, Kwiat)

IEEE Int. IA Workshop, 2003 (Chinchani, Upadhyaya, Kwiat)
Book Chapter


Kluwer Academic Press, 2003
Journals

Several papers in the works
CEISARE @
6
Research Projects

Encapsulation of owner’s intent – Concept development, preliminary
simulation, investigation of scalability (Ref: Upadhyaya, Kwiat, SPECTS
1999, Mantha, Chinchani, Upadhyaya, Kwiat, SCSC 2000, IEEE MILCOM
2003)

Reasoning about intrusions (Chinchani, Upadhyaya, Kwiat, IEEE SMC
2001, SRDS 2001)

Building secure enclaves (Chinchani, Upadhyaya, Kwiat, IEEE IAW 2003)

Simulation support for IA experiments (Garg, Upadhyaya, Chinchani,
Kwiat, SCSC 2003)

Secure voting protocols (Hardekopf, Kwiat, Upadhyaya, IEEE Aero 2001)
CEISARE @
7
Encapsulation of Owner’s Intent – A New
Proactive Intrusion Assessment Paradigm

Very few anomaly detection systems work well

A major factor overlooked is User

Bring the user into the loop

Encapsulation of user’s intent serves as a “certificate”

Can you make more accurate detection decisions?

Working at high level attaches greater significance to semantics
to user’s operations

Contributes to user’s affirming the truth in COA
CEISARE @
8
Where Does Our Work Fit In?
CEISARE @
9
Salient Features of our IDS

Handling threats posed by insiders

Rule-based misuse detectors not very successful

Anomaly detectors are more promising, but not practical due to
involved data collection, learning and high false alarms

Based on generation of a run-time plan for users

Composing verifiable assertions based on queries of users

Idea is based on sound principles of signature analysis

Does away with audit trail analysis

Detection of intricate and subtle attacks

Lower detection latency
CEISARE @
10
Outline of the Central Topic

Background and related work

Guidelines through lessons learned

An analogy and demonstration of Basic principle

Implicit vs Explicit intent encapsulation

Implementation of a small system

Related problems


Reasoning framework

Who watches the watcher?

Secure voting in distributed systems

Generic simulation platform development
Summary
CEISARE @
11
Background and Related Work
 Rule based [Ilgun et al., 95], [Cheng, 02], Wagner &
Dean, 01]
 Program behavior based [Ko et al., 97]
 User behavior based [Spyrou, 96]
 RBAC [Ferraiolo & Kuhn, 92]
 Real-time detection (NADIR)
 Distributed and concurrent schemes (DIDS, GrIDS,
EMERALD)
CEISARE @
12
Guidelines
 Use the principle of least privilege to achieve better
security
 Use mandatory access control wherever appropriate
 Data used for intrusion detection should be kept
simple and small
 Intrusion detection capabilities are enhanced if
environment specific factors are taken into account
CEISARE @
13
Thinking Out of the Box
RULES:

All 9 dots should be connected with no more than 4
straight lines

No tracing back and must be done without taking off your
hand
CEISARE @
14
Analogy from Control Flow Checking



Generate compile-time signatures & assertions and embed them
into instruction stream
Monitor execution and look for discrepancy
Technique is based on sound principles – EDC/ECC
Address
Processor
Memory
BUS
Tags Reset
SIG-REG
SIG-GEN
COMPARATOR
CEISARE @
CU
BD
Error Signal
15
Basic Principle
User
Session
Scope
Filter
Plan
Generator
Sprint
Plan
One-time effort
Runtime effort
Runtime
Commands
Assertion
Generator
Runtime
Watchdog
Engine
Tolerance limits,
Counters,
Thresholds etc..
Intrusion Signal
CEISARE @
16
User Intent Encapsulation
CEISARE @
17
Intent as a Certificate

Even when IDS is accurate, decision may be wrong

User cannot be held accountable if he contests

Bring the user into loop early on

User (bona fide or intruder) is queried for his intent

Expressed intent becomes a certificate of normal user
activity

Issues

Process of encapsulation shouldn’t be intrusive

Capture maximum information with min. effort to the user
CEISARE @
18
Implicit vs. Explicit Intent
CEISARE @
19
Sketch of the Algorithm
User logs into the system
Chooses the job s/he wishes to perform
Check the size of the session scope
If too large,warn user
YES
User wants to change it
Launch inter work-space level monitor
Create workspaces for the jobs
Launch workspace level monitor thread per workspace
Launch command level monitor thread per command
Report command type
Authenticate command
Loop
Report object accessed
Monitor Command
CEISARE @
20
Simulation and Results

A university environment was simulated

Client-server architecture using Sun Ultra Enterprise 450 Model
4400 and Sun Ultra 5’s running Solaris 2.7

Intrusion scenarios

Legitimate user

Intruder

Two legitimate logins

First login from user, second login from intruder

First login from intruder, second login from user

Two intruders login
CEISARE @
21
Test Cases

User activity collected over two months

Test cases grouped into four categories

1-user, 1-user with multiple logins, multiple users, multiple users
with multiple logins


Two sets of experiments – worst case and average case

Legitimate and intrusive operations
32 attacks

Obvious ones such as transferring /etc/passwd files, exploiting
vulnerabilities such as rdist, perl 5.0.1

Subtle attacks similar to mimicry attacks
CEISARE @
22
Screenshots of Query Interface
CEISARE @
23
Another Illustration
CEISARE @
24
Runtime Monitoring Setup
CEISARE @
25
Summary of Results
Summary
1 User, No Multiple Logins 1 User, With Multiple Logins 2 Users, No Multiple Logins 2 Users, With Multiple Logins
User
Detection
87.50%
78.60%
74.90%
91.90%
and
Latency
33.4
35
36.1
29
User False Positives
12.50%
21.40%
25.10%
8.10%
False Negatives
0%
0%
0%
0%
User
Detection
98%
89%
100%
94.70%
and
Latency
0
11
0
9.6
Intruder False Positives
0%
0%
0%
0%
False Negatives
2%
11%
0%
5.30%
Intruder
Detection
99%
100%
98.20%
100%
and
Latency
0.4
0.7
0.6
0.5
User False Positives
0%
0%
0%
0%
False Negatives
1.40%
0%
1.80%
0%
Intruder
Detection
56%
81.30%
77.40%
91.50%
and
Latency
15.9
14.8
17
27
Intruder False Positives
0%
0%
0%
0%
False Negatives
44%
18.70%
22.60%
8.50%
CEISARE @
26
Some Research Questions
 What if the user lies to the query?
 How do you enhance performance?
 Who is watching the watcher?
 How do you perform more comprehensive
evaluation?
CEISARE @
27
1) What if the User Lies?
 A cognate user is expected to specify a focused
session-scope
 Selection of overly permissive session-scope
must be discouraged
 Can be done by penalizing a quality of service
 Monitoring cost can be drawn from user’s
budget
CEISARE @
28
2) Performance Enhancements
 Profiling user operations
 Take into consideration frequency of operations and
temporal characteristics of system usage
 Dynamically updating session-scope
 In the statistical anomaly detection engine, one could
prune rarely used operations from the session-scope
 One could allow users to update/refine session-scope
(but may disrupt the learning process)
CEISARE @
29
Reasoning Framework

A critical problem with anomaly detection is false positive

Intrusion flagging requires more than set inclusion check

Not a binary decision – Sequences of operations need to be considered

Cost analysis


Cost of operation

Cost of deviation

Cost of monitoring
Actions at higher levels defined in terms of actions at lower levels

Eg.,: (ReadByte, WriteByte) -> (CreateFile,deleteFile,WriteFile)
->(HardDisk)
CEISARE @
30
Cost Analysis Based Reasoning
Tl
Non-intrusive
Th
Indeterminate
Intrusive
Accumulated Cost, monotone,
non-decreasing

Reasoning by stochastic modeling of job activity

Two thresholds Tl and Th defined

When cost maps into mid region, situation ambiguous

Cost gradients used to shrink the window

Algorithms developed to trigger threshold movements so that a speedy decision on
intrusion can be arrived

(Ref: IEEE SRDS 2001)
CEISARE @
31
3) Who is Protecting the
Protector?
 Tamper-resistant security monitoring
 Available choices
 Replication (Chameleon at UIUC) 
 Layered Hierarchy (AAFID at Purdue)
 Both can be easily compromised
 Proposed solution
 Circulant graph
 Overhead is manageable
 There is no mutual trust
among the watchers
 (Ref: IEEE IWIA 2003)
CEISARE @
32
4) Comprehensive Evaluation
Intrusion detection models
140
120
100
80
60
40
20
0
1980
1985
1990
1995
2000
2005
Time
Current status of IDS
CEISARE @
33
Our Approach
 A generic platform for intrusion modeling and testing of
IDS
 Desirable features
 Test and evaluate any intrusion detection model
 Measure performance for improvement
 Consider variety of intrusion scenarios
 Collect pre-deployment measures
 Analogy is drawn from network simulators
CEISARE @
34
What Exists in the Open?
 Other approaches
 Razak: Network intrusion simulation
 Schiavo & Rowe: Intrusion detection tutors
 Roberts: Simulation of Malicious Intruders
 What is lacking above?
 None of the above provide a generic platform for
modeling and simulation
 Performance of models cannot be evaluated
CEISARE @
35
Our Steps
 Study features of a variety of IDS
 Consider network simulation and OS simulation
 Develop a common language to facilitate various formats
conversion (interoperability)
 Perform some case studies
 (Ref: SCS SCSC 2003)
 Even monitoring, Access control subsystems
CEISARE @
36
Work in Progress
 Intrusion detection and Proactive recovery (subcontract
to Colorado State University)
 Dynamic Reasoning based User Intent Driven IDS
(DRUID) prototype development (DARPA seedling)
 GUI for session scope input
 Command monitor
 Statistical Engine
 Data analysis, training and testing
CEISARE @
41
Prototype Status
CEISARE @
42
Security Enhancement in Distributed
Voting – A Related Project
 Joint work with UB and AFRL
 Guaranteeing owner’s intended result by
distributed monitoring and voter isolation
 Uniquely combines fault tolerance and security
 Doesn’t require trusted third party
CEISARE @
43
Danger of
2-Phase Commit Protocol
majority trustworthy
• Phase 1: processors distribute
their results and vote on them
such that each processor
determines the majority
User waits for
majority result
• Phase 2: processor in the
majority commits result to the
user
User is sent
malicious result -
SELF-DESTRUCT
CEISARE @
44
Timed-Buffer Distributed Voting
trustworthy
untrustworthy
• Addresses “last mile” of distributed
voting
• Buffer until “silence is consent”
• Reverses 2-phase commit protocol
Suspect results buffered
– Instead of voting then
committing - commits first (to
buffer) then votes (period of
dissension)
– Prevents disastrous commit
phase - unlikely for classical
fault tolerance but not
information attack
Integrity restored and
buffer released
CEISARE @
45
ACRC Application of TB-DVA
SECURE SERVER
GATEWAY
SECURE WIRED LINK
WIRELESS CLIENT
SECURE WIRELESS LINK
SECURE DATA IS
EXPOSED
(when translated from IP standards to wireless and vice-a-versa)
• Apply fault tolerance techniques to protect, detect,
and react to attacks and enable service restoration
CEISARE @
46
Summary
 Developed a new intrusion assessment
paradigm – Encapsulation of owner’s intent
 Brings user into the loop
 User’s encapsulated intent serves as a
certificate
 Feasibility study
 Practical implementation study
CEISARE @
47