Toward Self-directed Intrusion
Detection
June, 2005
Paul Barford
Assistant Professor
Computer Science
University of Wisconsin
Motivation - the good
• Network security analysts have many tasks
– Abuse monitoring
– Audit and forensic analysis
– Firewall/ACL configuration
– Vulnerability testing
– Policy
– Liaison
• Network management
• End host management
wail.cs.wisc.edu
2
Motivation - the bad
• Adversaries are smart
• Vulnerabilities and threats are significant
– Worms
• Slammer, Blaster, Sasser, Witty, MyDoom, etc.
• Persistent and growing background radiation (Pang et al. ‘04)
– Scans
• Billions per day Internet-wide and growing (Yegneswaran et al. ‘03)
– Viruses
• No longer clearly defined (e.g. Agobot)
– DDoS
• Bot-nets consisting of hundreds of thousands of drones
Motivation - the ugly (sort of)
• Network intrusion detection systems (NIDS)
– Static signatures - hard to tune and maintain
– Lots of alarms
– Scalability problems
• Firewalls and intrusion prevention systems
– Limited capability
• Bulletin boards and commercial services
– May not be timely enough
• Traffic monitors (e.g. FlowScan, AutoFocus)
– A step in the right direction
Objective
• Network situational awareness based on self-directed network intrusion detection
– “The degree of consistency between one’s perception
of their situation and reality”
– “An accurate set of information about one’s
environment scaled to a specific level of interest”
– Expand notions of traditional abuse monitoring and
forensic analysis
• Adapts to malicious traffic
– Front-end for firewalls/IPS
Mechanisms
• Data sharing between networks
– E.g. DOMINO (Yegneswaran et al., NDSS ‘04)
• Monitoring unused address space
– E.g. iSink (Yegneswaran et al., RAID ‘04)
– E.g. BroSA (Yegneswaran et al. ‘05)
• Automatic generation of resilient signatures
– E.g. Nemean (Yegneswaran et al., USENIX Security ‘05)
DOMINO architecture
• Hierarchical overlay network
– Descending order of security and trust
• Data sharing
– XML-based schema
– Summary exchange protocol extends IDMEF
– Pushed, or pulled periodically
• Data/alert fusion and filtering
– Subject of on-going research (e.g. Barford et al., Allerton ‘04)
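To make the data-sharing and fusion steps concrete, here is an added example (not DOMINO's own code, schema or exchange protocol): each node serializes a per-port summary of what it observed into a small, constructed XML document, and a fusion routine merges the summaries from several peers and keeps only the ports corroborated by at least `min_nodes` of them. The element and attribute names, the sample node names and the counts are all assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed per-node observations: port -> (distinct sources, connections).
# Made-up numbers standing in for what each node's monitor would report.
NODE_OBSERVATIONS = {
    "node-a": {135: (50, 400), 445: (30, 200), 1433: (2, 5)},
    "node-b": {135: (60, 500), 22: (5, 20)},
    "node-c": {135: (40, 300), 445: (10, 80)},
}


def make_summary(node, port_counts):
    """Serialize one node's per-port summary (hypothetical schema, not IDMEF)."""
    root = ET.Element("summary", node=node)
    for port, (sources, conns) in sorted(port_counts.items()):
        ET.SubElement(root, "port", number=str(port),
                      sources=str(sources), connections=str(conns))
    return ET.tostring(root, encoding="unicode")


def parse_summary(xml_text):
    """Inverse of make_summary: returns (node name, {port: (sources, connections)})."""
    root = ET.fromstring(xml_text)
    counts = {}
    for p in root.findall("port"):
        counts[int(p.get("number"))] = (int(p.get("sources")), int(p.get("connections")))
    return root.get("node"), counts


def fuse_summaries(xml_summaries, min_nodes=2):
    """Merge peer summaries per port and drop ports reported by fewer than
    min_nodes peers: a single node's view is weak evidence, agreement
    between independent networks is the point of sharing."""
    per_port = defaultdict(lambda: {"nodes": set(), "sources": 0, "connections": 0})
    for text in xml_summaries:
        node, counts = parse_summary(text)
        for port, (sources, conns) in counts.items():
            entry = per_port[port]
            entry["nodes"].add(node)
            entry["sources"] += sources
            entry["connections"] += conns
    fused = {}
    for port, entry in per_port.items():
        if len(entry["nodes"]) >= min_nodes:
            fused[port] = {"nodes": len(entry["nodes"]),
                           "sources": entry["sources"],
                           "connections": entry["connections"]}
    return fused


def exchange_and_fuse(observations=NODE_OBSERVATIONS, min_nodes=2):
    """Simulate every node publishing a summary and a parent fusing them."""
    published = [make_summary(node, counts) for node, counts in observations.items()]
    return fuse_summaries(published, min_nodes)


if __name__ == "__main__":
    for port, stats in sorted(exchange_and_fuse().items(),
                              key=lambda kv: -kv[1]["connections"]):
        print(port, stats)
```

Since summaries arrive from lower, less-trusted tiers of the hierarchy, a deployment would parse them with a hardened XML parser and validate against the schema before fusing, rather than trusting the document structure as this illustration does.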
Unused address monitoring
• Packets are (nearly) all malicious
– There have been some very weird misconfigurations
• Enables active responses
– Key for understanding details
• Widely available
– We monitor four class B’s and one class A
– Useful at both large and small scales
• Easier to share this data
iSink architecture
• Passive component: Argus
– libpcap-based monitoring tool
• Active component: based on Click modular router
– Library of stateless responders to collect details of intrusions
• NAT filter: to manage (redundant) traffic
– Source/destination filtering
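The following added example (not iSink's own code) shows why a source/destination filter sits in front of the active responders: a single scanner sweeping an unused block would otherwise trigger a responder exchange for every address it touches. The filter below admits only the first few distinct destinations per (source, port) to the responders, keeps admitting later packets of an already-admitted pair so that exchange can complete, and counts everything else passively, the way the Argus side still sees it. The packet records, the admission limit and the class name are constructed for this illustration.

```python
from collections import Counter, defaultdict

# Constructed darknet packet records (src, dst, dst_port), not iSink data:
# 10.0.0.1 sweeps 20 unused addresses on tcp/135, 10.0.0.2 probes two of
# them, 10.0.0.3 touches tcp/445 once.
RECORDS = (
    [("10.0.0.1", "192.0.2.%d" % i, 135) for i in range(1, 21)]
    + [("10.0.0.1", "192.0.2.1", 135)]   # follow-up packet of an admitted pair
    + [("10.0.0.2", "192.0.2.5", 135), ("10.0.0.2", "192.0.2.6", 135)]
    + [("10.0.0.3", "192.0.2.7", 445)]
)


class SourceDestFilter:
    """Hypothetical per-(source, port) admission filter in the spirit of the
    NAT filter: the first max_dests distinct destinations a source touches
    on a port go to the active responders; later packets of an admitted
    (source, destination) pair stay admitted; all other packets are
    counted passively only."""

    def __init__(self, max_dests=3):
        self.max_dests = max_dests
        self.admitted = defaultdict(set)   # (src, port) -> admitted destinations
        self.to_responder = Counter()      # port -> packets handed to responders
        self.passive_only = Counter()      # port -> packets logged but not answered

    def admit(self, src, dst, dport):
        dests = self.admitted[(src, dport)]
        if dst in dests or len(dests) < self.max_dests:
            dests.add(dst)
            self.to_responder[dport] += 1
            return True
        self.passive_only[dport] += 1
        return False


def run_filter(records, max_dests=3):
    """Passive per-port summary (distinct sources) plus responder load."""
    flt = SourceDestFilter(max_dests)
    sources = defaultdict(set)
    for src, dst, dport in records:
        sources[dport].add(src)          # the passive monitor sees every packet
        flt.admit(src, dst, dport)       # only admitted packets reach responders
    return {
        port: {
            "sources": len(sources[port]),
            "to_responder": flt.to_responder[port],
            "passive_only": flt.passive_only[port],
        }
        for port in sources
    }


if __name__ == "__main__":
    for port, stats in sorted(run_filter(RECORDS).items()):
        print(port, stats)
```

With the limit at three destinations, the 21 packets from the sweeping source produce only four responder exchanges on port 135 while the passive side still records every source, which is the trade-off the redundancy filter is there to make.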
Activities on ports (port 135)
[figure: port 135 activity on the monitored networks (UW networks, LBL, Class A)]
• Distribution of exploits varies with network
– 170 byte requests on Class A
– Blaster, RPC-X1 on all 3 networks
– Welchia on LBL
– Empty connections
Real-time honeynet reports
• Bro plug-in for situational summary generation
– Periodic reports
• New events
• High variance events
• Low variance events
• Top profiles
– Adaptive
• NetSA in depth
– Identify large events quickly
– On-going
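The report categories above (new events, high and low variance events, top profiles) are easy to compute once per-period event counts exist. The added example below (not the Bro plug-in or BroSA code) takes a short history of constructed per-period counts and builds one periodic summary: events never seen in earlier periods are "new", the coefficient of variation of each event's count over the history separates high-variance from low-variance events, and the largest counts in the current period are the top profiles. The event names, counts and the 0.5 variance threshold are assumptions for this illustration.

```python
import statistics

# Constructed per-period event counts (profile -> connections), oldest first.
# Made-up sample standing in for what the honeynet monitor would tally.
PERIODS = [
    {"tcp/135 scan": 120, "tcp/445 scan": 80, "tcp/80 GET /": 10},
    {"tcp/135 scan": 130, "tcp/445 scan": 20, "tcp/80 GET /": 12},
    {"tcp/135 scan": 125, "tcp/445 scan": 200, "tcp/80 GET /": 11,
     "udp/1434 slammer": 900},
]


def situational_summary(periods, top_n=2, cv_threshold=0.5):
    """Summarize the latest period against the earlier ones.

    new            : events absent from every earlier period
    high_variance  : events whose count fluctuates (coefficient of variation
                     = population stddev / mean over all periods >= threshold)
    low_variance   : the steady background, worth suppressing in alerts
    top_profiles   : the top_n events by count in the current period
    """
    current, history = periods[-1], periods[:-1]
    seen_before = set().union(*history) if history else set()
    new = sorted(e for e in current if e not in seen_before)

    high, low = [], []
    for event in sorted(current):
        series = [p.get(event, 0) for p in periods]   # absent == 0 in that period
        mean = statistics.mean(series)
        cv = statistics.pstdev(series) / mean if mean else 0.0
        (high if cv >= cv_threshold else low).append(event)

    ranked = sorted(current.items(), key=lambda kv: (-kv[1], kv[0]))
    top = [event for event, _ in ranked[:top_n]]
    return {"new": new, "high_variance": high, "low_variance": low,
            "top_profiles": top}


if __name__ == "__main__":
    for key, value in situational_summary(PERIODS).items():
        print(key, value)
```

On the sample, the steady tcp/135 and tcp/80 activity lands in the low-variance bucket, the swinging tcp/445 counts and the newly appeared udp/1434 event are flagged as high variance, and the new event also tops the profile list; this is the split that lets an analyst look at the large, changing events first.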
Semantics-aware signatures
• Objective: automated generation of resilient NIDS signatures
– Signatures must be both specific and general
• Challenge: generate signatures for attack vectors that have never been seen
– Multi-step and polymorphic attacks
• Approach: create a transformation algorithm to synthesize semantics-aware signatures from iSink data
– Session and application protocol semantic awareness (Sommer & Paxson, ‘03)
Nemean architecture
• Data abstraction
– Transport normalizer
– Aggregation
– Service normalizer
• Clustering
– Group sessions/connections using similarity metric
• Signature generation
– Machine learning to build finite state automata
Signature example (Welchia)
• Multistage attack (3 steps)
– GET / → 200 OK
– SEARCH / → 411 Length Required
– SEARCH /AAAA… → 400 (repeated)
• Signature automaton [figure]: Start → GET / → 200 → SEARCH / → 411 → SEARCH /AAAAA[more] → 400, with the SEARCH /AAAAA[more] → 400 step repeating
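The Nemean pipeline sketched above (service normalization, then learning a finite state automaton) and the Welchia signature can be illustrated in one added example, which is not Nemean's code or its algorithm. It normalizes each HTTP exchange of a session to a (method, path class, status) token, abstracting long paths to `/[more]` so the polymorphic padding does not become part of the signature, and then learns a small automaton from several constructed sessions: a transition that repeats the token that led into the current state is folded into a self-loop, which is how "any number of SEARCH /AAAA… → 400 steps" gets expressed. The sessions, the 32-byte path threshold and the function names are assumptions for this illustration.

```python
# Constructed Welchia-like sessions as an unused-address monitor might record
# them: lists of (request line, response status). Made-up samples, not iSink data.
SESSIONS = [
    [("GET /", 200), ("SEARCH /", 411),
     ("SEARCH /" + "A" * 60, 400), ("SEARCH /" + "A" * 80, 400)],
    [("GET /", 200), ("SEARCH /", 411), ("SEARCH /" + "A" * 120, 400)],
    [("GET /", 200), ("SEARCH /", 411),
     ("SEARCH /" + "A" * 90, 400), ("SEARCH /" + "A" * 90, 400),
     ("SEARCH /" + "A" * 90, 400)],
]


def normalize(request, status, long_path=32):
    """Service normalizer: reduce an exchange to (METHOD, path class, status).
    Paths longer than long_path bytes collapse to their first byte + "[more]"
    so polymorphic padding does not leak into the signature."""
    method, _, path = request.partition(" ")
    if len(path) > long_path:
        path = path[0] + "[more]"
    return (method.upper(), path, status)


def build_signature(sessions, long_path=32):
    """Learn a deterministic automaton over normalized tokens.

    States are integers, 0 is the start state. A token seen again at the
    state it led into becomes a self-loop (the repeated SEARCH step);
    states where some training session ended are accepting."""
    trans = {0: {}}        # state -> {token: next state}
    incoming = {0: None}   # state -> token of the transition that created it
    accept = set()
    for session in sessions:
        state = 0
        for request, status in session:
            tok = normalize(request, status, long_path)
            if tok in trans[state]:
                state = trans[state][tok]
            elif incoming[state] == tok:
                trans[state][tok] = state          # fold repetition into a loop
            else:
                new = len(trans)
                trans[new] = {}
                incoming[new] = tok
                trans[state][tok] = new
                state = new
        accept.add(state)
    return {"trans": trans, "accept": accept, "long_path": long_path}


def matches(signature, session):
    """Run a session through the automaton; True only if it reaches an accepting state."""
    state = 0
    for request, status in session:
        tok = normalize(request, status, signature["long_path"])
        nxt = signature["trans"][state].get(tok)
        if nxt is None:
            return False
        state = nxt
    return state in signature["accept"]


def signature_edges(signature):
    """Readable list of (state, token, next state) edges, for inspection."""
    return sorted((s, tok, d) for s, edges in signature["trans"].items()
                  for tok, d in edges.items())


if __name__ == "__main__":
    sig = build_signature(SESSIONS)
    for edge in signature_edges(sig):
        print(edge)
```

Because the padding length is normalized away and the repeated step is a loop, the learned automaton has four states and accepts a session with any number of SEARCH /AAAA… → 400 steps, including lengths and repeat counts not in the training data, while a plain GET / → 200 session stops in a non-accepting state; that is the "specific and general" property the slides ask of a signature.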
Summary
• Malicious activity in the Internet is a huge problem and is likely to persist for a long time
• Current network security analysis tools are largely inadequate
• We advocate network situational awareness through self-directed intrusion detection
– Distributed data sharing
– Unused address space monitoring
– Automated semantics-aware signature generation