TRANSCRIPT
15 December 1998 DARPA Information Survivability Program Intrusion Detection PI Meeting
DERBI: Diagnosis, Explanation and Recovery from Break-Ins
Mabry Tyson, Douglas Moran, Pauline Berry
David Blei
Artificial Intelligence Center, SRI International
333 Ravenswood Avenue, Menlo Park CA 94025
http://www.ai.sri.com/~derbi
Introduction
• PART 1: Presentation of Evaluation Results
– Design assumption:
• an out-of-the-box system
• after-the-fact analysis
• no network monitoring or audit trail data
– Data source: end-of-day filesystem dumps for Pascal
• not available: contents of /tmp, /proc, OS tables, ...
• PART 2: Status of DERBI System
• PART 3: Future
Evaluation Procedure
Scoring was based on *.list files. DERBI was not designed to use those data sources, so there was no automatic mapping.
• Manual mapping, no additional information used
• Attacks detected but scored as undetected because we could not identify corresponding session (3)
• Some false positives similarly unscored (approx. 5)
• Full DERBI system not used
– to better fit into scoring protocol
– to provide linearized textual output
Detection of Buffer Overflow Attacks
[Chart: per-attack detection matrix, one column per attack ID; figure not recoverable from text. Legend: x = major evidence, + = contributing evidence; columns marked Detected / Undetected / False; some attacks detected but the session could not be identified; probability shown as 5% or 50%, blank if 100%.]
Evidence rows: Inconsistent uudemon.cleanup; FileSys Changes; /etc/passwd; Normal Access; uudecode; Suspicious login; Exploit Script: Created / Accessed.
Summary: EJECT: 7 of 7, 1 false; FORMAT: 6 of 7, 1 false; FFB: 2 of 2; PS: 3 of 4 + failed attack*.
Visibility of Evidence
[Chart: timeline of evidence visibility over two work weeks (M Tu W Th F), one row per attack type (uud.clean, eject, format, ffb, uudecode, read/create, ps); cells marked as exploit detected, failed exploit detected, false positive, or normal usage; figure not recoverable from text.]
Note: exploit evidence overwritten.
Attack Evidence Rules Used in the Evaluation Test Set (= 18%)
[Bar chart: Total vs. Used rules per category, y-axis 0 to 16; categories: Buffer Overflow, Symlink/Race, Replaced File, Attack Scripts, Working Files, Server to Root, Denial of Service, Misc; figure not recoverable from text.]
Example Evidence Rule: EJECT buffer overflow
EVIDENCE-TYPE (exploit (setuid root) buffer-overflow)
UNIQUE-NAME eject-1
EVALUATION-NAME eject
PATHS (follow-links '("/usr/bin/eject"))
EVIDENCE
( ((not (and (command-version-vulnerable-p DIR FILE)            ;;; not a vulnerable version of the command, or
             (window-of-opportunity (TimeAccessed PATH))))      ;;; not used in the interval of interest
   0 0)                                                         ;;; 0% probability that the command was used, 0% belief that it was exploited
  ((greater-than (TimeAccessed PATH)                            ;;; use is later than
                 (max (TimeModified "/cdrom") (TimeModified "/floppy")))  ;;; the expected effects
   40 100))                                                     ;;; 40% probability of exploit, no change in belief about whether it was exploited
POSIT
((posit ((TIME (TimeAccessed PATH))) (compromised-shell "root" TIME *unknown-time*)))
EXPLANATION (next slide)
Evidence Rule: EJECT buffer overflow (cont)
UNIQUE-NAME eject-1
PATHS (follow-links '("/usr/bin/eject"))
EXPLANATION
(explain-evidence
  ( PATH                                                 ;;; variable declarations
    (TIME (print-unix-time (TimeAccessed PATH)))
    (TIME2 (print-unix-time (TimeModified "/cdrom")))
    (TIME3 (print-unix-time (TimeModified "/floppy"))) )
  (TimeAccessed PATH)                                    ;;; "as-of" time
  "The command ~S is version vulnerable to a buffer overflow attack
   and appears to have been used at time ~A
   which is more recent than two associated files:
   /cdrom (~A) and /floppy (~A)."
  PATH TIME TIME2 TIME3)
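Added example, not DERBI's own code: a small Python model of how the eject-1 rule above is evaluated against filesystem metadata from a dump. The clause order, the (belief, plausibility) pairs, the posit and the explanation text follow the two slides; the FileMeta record, the window-of-opportunity bounds, the fall-through when neither clause matches and all timestamps are constructed assumptions.

```python
import time
from dataclasses import dataclass

@dataclass
class FileMeta:
    atime: int                        # last access, Unix seconds (from the filesystem dump)
    mtime: int                        # last modification, Unix seconds
    vulnerable_version: bool = False  # stands in for command-version-vulnerable-p

# Constructed metadata for one suspect host (not data from the evaluation dumps).
FS = {
    "/usr/bin/eject": FileMeta(atime=901218794, mtime=850000000, vulnerable_version=True),
    "/cdrom":         FileMeta(atime=0, mtime=887236966),
    "/floppy":        FileMeta(atime=0, mtime=900970335),
}
WINDOW = (901000000, 901300000)       # window-of-opportunity: interval of interest (constructed)

def fmt(t):
    """print-unix-time stand-in; formats in UTC rather than the local zone shown on the slides."""
    return time.strftime("%d-%b-%Y %H:%M:%S UTC", time.gmtime(t))

def eject_rule(fs, window):
    """Evaluate the eject-1 clauses in order; the first clause whose condition holds
    yields the slide's (belief, plausibility) pair. Returns (pair, explanation, posit)."""
    path = "/usr/bin/eject"
    cmd = fs[path]
    used = cmd.atime
    # Clause 1: not a vulnerable version, or not used in the interval of interest -> (0 0)
    if not (cmd.vulnerable_version and window[0] <= used <= window[1]):
        return (0, 0), "no evidence of eject exploit", None
    # Clause 2: access time later than the expected side effects on /cdrom and /floppy -> (40 100)
    cdrom, floppy = fs["/cdrom"].mtime, fs["/floppy"].mtime
    if used > max(cdrom, floppy):
        explanation = (f"The command {path!r} is version vulnerable to a buffer overflow attack "
                       f"and appears to have been used at time {fmt(used)} which is more recent "
                       f"than two associated files: /cdrom ({fmt(cdrom)}) and /floppy ({fmt(floppy)}).")
        # POSIT: a root shell was obtained at TIME; the end of the compromise is *unknown-time* (None)
        posit = ("compromised-shell", "root", used, None)
        return (40, 100), explanation, posit
    # Neither clause matched; the slide shows no default clause, so this is treated as no evidence (assumption)
    return (0, 0), "eject used, but before its expected side effects", None

if __name__ == "__main__":
    pair, text, posit = eject_rule(FS, WINDOW)
    print(f"Asserting belief/plausibility = {pair}\n{text}\n{posit}")
```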
Example Output for an Attack
+04:53:25 later
====================================
Time: 23-Jul-1998 14:32:39 EDT (901218759)
Exploit: Suspicious-login (Suspicious-login)
Login for user "darleent" from host 194.7.248.153
-------------------------------------------------------------
+00:00:12 later
====================================
Time: 23-Jul-1998 14:32:51 EDT (901218771)
Exploit: DOWNLOADING-EXPLOIT (UUDECODE-1)
"/usr/bin/uudecode" is often used by crackers and
rarely by users, and appears to have been used at
time 23-Jul-1998 14:32:51 EDT.
-------------------------------------------------------------
+00:00:23 later
====================================
Time: 23-Jul-1998 14:33:14 EDT (901218794)
Exploit: EJECT (EJECT-1)
The command "/usr/bin/eject" is version
vulnerable to a buffer overflow attack and appears
to have been used at time
23-Jul-1998 14:33:14 EDT
which is more recent than two associated files:
/cdrom (12-Feb-1998 15:42:46 EST)
and
/floppy (20-Jul-1998 10:32:15 EDT).
Asserting belief/plausibility = (40 100)
------------------------------------------------------------
+12:10:32 later
More Indirect Detection
• mscan (#80): spotted probing of telnet
• saint (#53): detected rlogin to root via ++
• warez (#66-1): detected creation of "hidden" directory
• xsnoop (#71): detected root remote logins (and FTP) paired to immediately preceding SU to root by user alie
• HTTP tunnel: not matched to session (scored undetected)
– detected installation of bogus uudemon.cleanup
– detected use (via CRON: uucp and later bramy)
Interesting False Detections
• Rlogin from local host to privileged account (root) that has “+ +” in .rhosts
• root SetUID command installed (“top”)
• login record inconsistencies
– root: lastlog date later than last entry in wtmpx
– start of root login missing (wtmpx truncation?)
– ~root/.cshrc access does not match root login and far from SU, but 30 seconds after suspicious remote login
– some related to test setup/shutdown (ignored, based on timing).
DERBI Architecture
• Three major components:
– Head: analysis, reasoning, and explanation
– Body: interface between complex queries of Head and simple data from Feet
– Feet: simple data collection - may run on remote system
• file system information
• log files
• Support heterogeneous clusters & low-end systems
Log File Information Relationships
[Diagram of related information sources: utmp, utmpx, wtmp, wtmpx, lastlog, syslog, messages, authlog, sulog, file system, shell init files, cronlog, crontabs; figure not recoverable from text.]
• Partial redundancy of info
• Redundancy a common result of the evolution & growth of systems
• Use to check for tampering
• Also exposes changes to system clock
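Added example, not DERBI's own code: the cross-checks this slide motivates (and the false detections reported earlier, such as a lastlog date later than the last wtmpx entry and a missing start of a root login) written as a consistency pass over constructed wtmpx-style and lastlog-style records. The record shapes and the finding labels are my assumptions; the data is made up.

```python
from collections import defaultdict

# Constructed records (not data from the evaluation), modelled on wtmpx login/logout
# events as (user, kind, unix_time) and lastlog as user -> time of last login.
WTMPX = [
    ("alie",     "login",  901218000),
    ("alie",     "logout", 901218600),
    ("root",     "logout", 901218900),   # no preceding root login: start of session missing
    ("darleent", "login",  901218759),   # earlier than the previous record: clock change or insertion
    ("darleent", "logout", 901219000),
]
LASTLOG = {"alie": 901218000, "root": 901262000, "darleent": 901218759}

def check_logs(wtmpx, lastlog):
    """Return a list of (finding, user, time) where two redundant sources disagree.
    Findings: 'clock-or-order' (wtmpx time goes backwards), 'login-start-missing'
    (logout with no open login, e.g. truncation), 'lastlog-after-wtmpx' (lastlog newer
    than any login for that user in wtmpx, e.g. tampering or truncation)."""
    findings = []
    prev_time = None
    open_sessions = defaultdict(int)
    last_login = {}
    for user, kind, t in wtmpx:
        if prev_time is not None and t < prev_time:
            findings.append(("clock-or-order", user, t))
        prev_time = t
        if kind == "login":
            open_sessions[user] += 1
            last_login[user] = max(last_login.get(user, 0), t)
        elif kind == "logout":
            if open_sessions[user] == 0:
                findings.append(("login-start-missing", user, t))
            else:
                open_sessions[user] -= 1
    for user, t in lastlog.items():
        if t > last_login.get(user, -1):
            findings.append(("lastlog-after-wtmpx", user, t))
    return findings

if __name__ == "__main__":
    for finding in check_logs(WTMPX, LASTLOG):
        print("%-22s %-10s %d" % finding)
```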
Checking a Suspect System
[Diagram: DERBI components deployed across several Ultra hosts; figure not recoverable from text.]
Future
• Analysis for interrelated systems
– overlapping file systems, servers, users, other privileges (not just simple client-server)
• Support of multiple OSs and OS families
• Expansion and standardization of attack data
– vulnerabilities, exploits, tools, camouflage, packages
• Test and distribution: operational clusters; false positive rates
• Explanation
• More sophisticated analysis
• Identification of higher-level goals