Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

A Tamper-resistant Computer Systems Anomaly Detection in Monitoring Framework for

advertisement 
Febrraury 14, 2003
Upadhyaya – Brock Univ. 2003
Buffalo, New York, 14260
University at Buffalo
Computer Science & Eng.
S. Upadhyaya
1
A
A Tamper-resistant
Tamper-resistant
Monitoring
Monitoring Framework
Framework for
for
Anomaly
Anomaly Detection
Detection in
in
Computer
Computer Systems
Systems
February 14, 2003
Upadhyaya – Brock Univ 2003
ƒ General Background
ƒ A New Intrusion Detection Strategy
ƒ Tamper-resistant Monitoring
ƒ Some Experimental Results
ƒ Center of Excellence in IA at Buffalo
ƒ Research and Educational Activities
Outline
Outline
2
Upadhyaya – Brock Univ 2003
A Host
ƒ A computer system
A Service
ƒ A user space program that performs some
useful task
A Vulnerability
ƒ A flaw in a program with security
implications
ƒ An Attacker targets vulnerabilities in
programs to gain elevated privileges
An intrusion detection system (IDS) attempts
to detect and prevent attacks
February 14, 2003
ƒ
ƒ
ƒ
ƒ
Basic
Basic
Terminologies
Terminologies
3
Upadhyaya – Brock Univ 2003
Hacking in 2000 brought down Yahoo,
Amazon, CNN.com etc.
ƒ Cost millions of $ in lost revenues
NIMDA virus a week after the Sept. 11
attack
ƒ Struck leading financial services firms
ƒ Went nationwide, lasted for 5 days,
attacked 86,000 computers
ƒ Forced firms offline, denied customer
access
Sources estimate the impact of cyber
attacks in $13 billion in 2001
Insider Threats
February 14, 2003
ƒ
ƒ
ƒ
ƒ
Cyberspace
Cyberspace Threats
Threats
and
and Vulnerabilities
Vulnerabilities
4
?
?
ƒ
ƒ
ƒ
ƒ
ƒ
Has access to system
Works leisurely
Future access guaranteed
Works in familiar
environment
Knows what is important
Insider
Insider
Upadhyaya – Brock Univ 2003
Needs access to system
Works quickly to avoid
detection
Installs trapdoors for
further access
Works in unfamiliar
environment
February 14, 2003
ƒ
ƒ
ƒ
ƒ
ƒ Outsider
Outsider
External
External Vs.
Vs.
Internal
Internal
?
5
Goal was to find ways to defeat distributed DOS
Upadhyaya – Brock Univ 2003
Cyber security a national level effort, 2002
National strategy was unveiled in Sept.
2002
ƒ
ƒ
Information Security Summit at White
House, Feb. 2000
telecom & financial systems as critical points
Need to be made secure and dependable
Targeting Cyberterrorism
ƒ October 1997, President’s Commission on CIP
ƒ Identifies nation’s electrical, transportation,
February 14, 2003
ƒ
ƒ
ƒ
ƒ
Measures
Measures Taken
Taken by
by the
the
U.S.
U.S. Government
Government
6
Upadhyaya – Brock Univ 2003
Computer crime is certain to continue
Institute controls to preserve
ƒ Confidentiality, Integrity, Availability
Encryption is the most powerful tool
Strongly based on Information Theory
Heavily researched topic - RSA Scheme,
Elliptic Curve
It doesn’t solve all the security problems
Need to develop counter-measures that
would complement existing schemes
February 14, 2003
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
Cryptographic
Cryptographic
Techniques
Techniques
7
Upadhyaya – Brock Univ 2003
8
In its general sense -ƒ Acquires information about its environment
to analyze system behavior
ƒ Aims to discover security breaches,
attempted breaches, open vulnerabilities
that could lead to potential breaches
Types of information –
ƒ Long term info. – a knowledge base of
attacks (static)
ƒ Configuration info. – a model of the current
state (static)
ƒ Audit info. – describing the events happening
(dynamic)
February 14, 2003
ƒ
ƒ
What
What is
is IDS?
IDS?
February 14, 2003
System
DATA
Database,
Storage
Analyzer
Upadhyaya – Brock Univ 2003
Model of
System
9
Visual Presentation
IDS
IDS Architecture
Architecture
Upadhyaya – Brock Univ 2003
10
Intrusion Detection –
ƒ Pioneered by D. Denning at SRI International
ƒ Misuse detection and anomaly detection
Misuse Detection –
ƒ Called knowledge-based detectors
ƒ Uses a defined set of rules crafted to catch a
specific malicious event
Anomaly Detection –
ƒ Called behavior-based detectors
ƒ Raises an alarm for strange system behavior
ƒ Need a baseline for monitoring
February 14, 2003
ƒ
ƒ
ƒ
Approaches
Approaches to
to
Intrusion
Intrusion Detection
Detection
February 14, 2003
Upadhyaya – Brock Univ 2003
Paul Innella, CISSP’s timeline:
Evolution
Evolution of
of IDS
IDS
11
February 14, 2003
ƒ
ƒ
Upadhyaya – Brock Univ 2003
12
concentrate on sampling at low level
ƒ instrumentation is easy, but volumes
of data
ƒ Huge computation
ƒ Semantics of user activities becomes
diffuse
Intrusion detection requires synthesis of
this data
Mostly after-the-fact
ƒ Existing Intrusion detection techniques
Limitations
Limitations of
of
Current
Current Approaches
Approaches
Upadhyaya – Brock Univ 2003
13
Summary of work cited in national media by Associated Press
(http://www.msnbc.com/news/861865.asp?0si=-&cp1=1)
Monitoring user activity at high level – user
command level
Supported by a query of user intent
ƒ Data to be monitored is small
Starting with a session scope
ƒ With explicit query, we can
define a smaller and
personalized bracket of
privileges or jobs for each
user (Ou)
February 14, 2003
ƒ
ƒ
ƒ
ƒ
A
A New
New Approach
Approach
Indeterminate
Th
Accumulated Cost, monotone,
non-decreasing
Intrusive
Upadhyaya – Brock Univ 2003
ƒ Window of uncertainty needs to be resolved quickly
Non-intrusive
Tl
14
Underlying principle
ƒ Legitimate user’s computational habits rarely change
abruptly leading to reasonably stable profile of
activity for users
Intrusion flagging is non-binary and reasoning about
intrusions is essential to make informed decision
ƒ Cost analysis and reasoning
February 14, 2003
ƒ
ƒ
Reasoning
Reasoning About
About
Intrusions
Intrusions
Task 2
Task 1
February 14, 2003
User
Monitor
2
User
Monitor
1
Task n
Task 2
Upadhyaya – Brock Univ 2003
Task 1
User
Monitor
2
User level
Profiler
User level
Profiler
User
Monitor
1
Files
Task n
User
Monitor
n
Host N
Master Monitor
User
Monitor
n
File Server
Recovery Module
Master Monitor
Host 1
Local Area Network
Files
Network level
Profiler
Secure File
Monitor
To Other Networks
Gateway, Router
Bridge
Distributed
Distributed Intrusion
Intrusion
Detection
Detection
15
February 14, 2003
Upadhyaya – Brock Univ 2003
16
Summary
1 User, No Multiple Logins 1 User, With Multiple Logins 2 Users, No Multiple Logins 2 Users, With Multiple Logins
User
Detection
87.50%
78.60%
74.90%
91.90%
and
Latency
33.4
35
36.1
29
User False Positives
12.50%
21.40%
25.10%
8.10%
False Negatives
0%
0%
0%
0%
User
Detection
98%
89%
100%
94.70%
and
Latency
0
11
0
9.6
Intruder False Positives
0%
0%
0%
0%
False Negatives
2%
11%
0%
5.30%
Intruder
Detection
99%
100%
98.20%
100%
and
Latency
0.4
0.7
0.6
0.5
User False Positives
0%
0%
0%
0%
False Negatives
1.40%
0%
1.80%
0%
Intruder
Detection
56%
81.30%
77.40%
91.50%
and
Latency
15.9
14.8
17
27
Intruder False Positives
0%
0%
0%
0%
False Negatives
44%
18.70%
22.60%
8.50%
Summary
Summary of
of
Experiments
Experiments
Upadhyaya – Brock Univ 2003
ƒ
Attacker’s perspective
must be watched and there are no open ends
Who watches the watcher?
Protecting user space components
ƒ To have secure enclaves, every component of IDS
February 14, 2003
ƒ
ƒ
Tamper-resistant
Tamper-resistant
Monitoring
Monitoring
17
Upadhyaya – Brock Univ 2003
An attacker is successful, if:
He compromises the service running on the
host
He disables or compromises the IDS, if one
is deployed
Note:
ƒ Bypassing an IDS by taking advantage of
its limited coverage is a known weakness
and it is not a part of the attack model
February 14, 2003
ƒ
ƒ
ƒ
ƒ
The
The Attack
Attack Model
Model
18
Upadhyaya – Brock Univ 2003
Failure due to faults and failure due to attacks are
not one and the same
Each software component can potentially fail due to
attacks; we just don't know how yet!
Security of a system is only as strong as the
weakest link
Hence, even if a service is monitored by a separate
detection mechanism, is the entire setup really
secure?
An IDS is a program and it too can be compromised
So, implement it inside the kernel for tamperresistance
Kernel implementations affect the whole system
February 14, 2003
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
Criteria
Criteria for
for Analysis
Analysis
19
Upadhyaya – Brock Univ 2003
An attacker has little knowledge about how
the entire system works and the attacks are
by trial and error
Factors that determine the overall security
are:
ƒ For each component, individual
probability of failure
ƒ For a n component system, the total
probability of failure
ƒ An attack can proceed in stages, perstage probability of failure
ƒ Search space for a successful attack
February 14, 2003
ƒ
ƒ
Probabilistic
Probabilistic Analysis
Analysis
20
February 14, 2003
ƒ
Upadhyaya – Brock Univ 2003
of the system and its vulnerabilities
Factors that determine the overall
security are
ƒ A successful attack strategy
ƒ An attacker has complete knowledge
Deterministic
Deterministic
Analysis
Analysis
21
Upadhyaya – Brock Univ 2003
delta- overhead due to isolated execution
theta - overhead due to monitoring
ƒ
ƒ
February 14, 2003
If a detection mechanism is deployed, then
how much overhead will it incur?
ƒ
Performance
Performance
Analysis
Analysis
22
February 14, 2003
ƒ
Upadhyaya – Brock Univ 2003
and another is a directed edge
No mutual trust among processes
ƒ Each process is a node
ƒ Interaction between one process
ƒ Reduces to a graph problem
Problem
Problem
Transformation
Transformation
23
Upadhyaya – Brock Univ 2003
Chameleon project at UIUC
Can be easily compromised
February 14, 2003
ƒ
ƒ
Simple
Simple
Replication
Replication
24
Upadhyaya – Brock Univ 2003
An example is the AAFID project at Purdue
Can be easily compromised
February 14, 2003
ƒ
ƒ
Layered
Layered Hierarchy
Hierarchy
25
Upadhyaya – Brock Univ 2003
Very difficult to subvert
Provides an infinite hierarchy of monitoring
using finite no. of monitors
ƒ
ƒ
February 14, 2003
New proposed architecture
ƒ
Circulant
Circulant DiGraph
DiGraph
26
February 14, 2003
Upadhyaya – Brock Univ 2003
Comparison
Comparison
27
February 14, 2003
ƒ
Upadhyaya – Brock Univ 2003
monitor
Multiple outgoing edges from a node
are threads
ƒ Requires a sense-decide-act loop
ƒ Uses FreeBSD's kqueue subsystem
ƒ Each node in the graph is a process
Implementation
Implementation
28
February 14, 2003
Upadhyaya – Brock Univ 2003
Results
Results
29
February 14, 2003
ƒ
ƒ
ƒ
ƒ
Upadhyaya – Brock Univ 2003
30
kqueue subsystem to support more
events
The long term goal is to devise a way to
provide a generic tamper-resistant
wrapper
Extend it to network level monitoring
Our website:
ƒ http://www.cse.buffalo.edu/caeiae/
Other projects – security in mobile
networks, biometrics authentication etc.
ƒ The short term goal is to supplement the
Future
Future Work
Work
February 14, 2003
Upadhyaya – Brock Univ 2003
CEISARE
CEISARE Webpage
Webpage
31
Upadhyaya – Brock Univ 2003
32
Purdue –
ƒ Eugene Spafford, Director of CERIAS
ƒ One of the four witness to testify before the
House Science committee on infosec in 2001
ƒ Leads the center with about 5 faculty and
numerous students and projects
ƒ Developed an IDS Using Autonomous Agents
UC Davis –
ƒ Karl Levitt and Matt Bishop direct the security
lab
ƒ Developed GrIDS (Graph based IDS)
CMU – Home of CERT/CC
Cornell
ƒ Language-based security led by F. Schneider
February 14, 2003
ƒ
ƒ
ƒ
ƒ
Major
Major Players
Players --Academia
Academia
Upadhyaya – Brock Univ 2003
33
IBM Watson, IBM Zurich -ƒ Global Security Analysis Laboratory
ƒ Marc Dacier at Zurich leads the IDS projects
Microsoft
ƒ Recently started the Trustworthy Computing
initiative
Cisco
ƒ Does research and development
ƒ Builds intrusion detection appliances –
sensors and software
February 14, 2003
ƒ
ƒ
ƒ
Major
Major Players
Players --Industries
Industries
Upadhyaya – Brock Univ 2003
34
SRI International -ƒ Developer of EMERALD through funds from
ITO, DARPA
Air Force Research Lab -ƒ Defensive Information Warfare Branch
Naval Research Lab -ƒ Center for High Assurance Computer Systems
ƒ Multi-level security
National Institute of Standards and Technology -ƒ Computer Security Resource Center
National Security Agency -ƒ Research and education
February 14, 2003
ƒ
ƒ
ƒ
ƒ
ƒ
Major
Major Players
Players ––
Labs/Government
Labs/Government
Upadhyaya – Brock Univ 2003
35
SANS (System Administration, Networking and
Security) Institute
ƒ http://www.sans.org/aboutsans.php
CERT/CC
ƒ http://www.cert.org/
CERIAS (Center for Education and Research in
Information Assurance and Security)
ƒ http://www.cerias.purdue.edu/
NIST (National Institute of Standards and Tech.)
ƒ http://csrc.nist.gov/index.html
February 14, 2003
ƒ
ƒ
ƒ
ƒ
Popular
Popular Websites
Websites
Related documents
ACTS2011.xls - association of clinical and translational statisticians
ACTS2011.xls - association of clinical and translational statisticians
A Tamper-resistant Monitoring Framework for Anomaly Detection in Computer Systems
A Tamper-resistant Monitoring Framework for Anomaly Detection in Computer Systems
Speaking of Writing - the Hornell City School District!
Speaking of Writing - the Hornell City School District!
Download
advertisement