
Page 1: DERBI: Diagnosis, Explanation and Recovery from Break-Ins

15 December 1998, DARPA Information Survivability Program, Intrusion Detection PI Meeting

Mabry Tyson, Douglas Moran, Pauline Berry, David Blei
Artificial Intelligence Center, SRI International
333 Ravenswood Avenue, Menlo Park CA 94025
http://www.ai.sri.com/~derbi

Page 2: Introduction

• PART 1: Presentation of Evaluation Results

– Design assumption:

• an out-of-the-box system

• after-the-fact analysis

• no network monitoring or audit trail data

– Data source: end-of-day filesystem dumps for Pascal

• not available: contents of /tmp, /proc, OS tables, ...

• PART 2: Status of DERBI System

• PART 3: Future

Page 3: Evaluation Procedure

Scoring was based on the *.list files. DERBI was not designed to use those data sources, so there was no automatic mapping from its findings to scored sessions.

• Manual mapping, no additional information used

• Attacks detected but scored as undetected because we could not identify corresponding session (3)

• Some false positives similarly unscored (approx. 5)

• Full DERBI system not used

– to better fit into scoring protocol

– to provide linearized textual output

Page 4: Detection of Buffer Overflow Attacks

[Table lost in extraction. One row per attack ID; columns grouped as Detected, Undetected and False, with x = major evidence and + = contributing evidence. Evidence rows: FileSys Changes, uudemon.cleanup, /etc/passwd, Normal Access, uudecode, Suspicious login, Exploit Script (Created / Accessed). Annotations: "Detected, but session not identified", "Inconsistent", and a Probability column showing 5% or 50% (blank if 100%).]

EJECT: 7 of 7; 1 false. FORMAT: 6 of 7; 1 false. FFB: 2 of 2. PS: 3 of 4 + failed attack*.

Page 5: Visibility of Evidence

[Chart lost in extraction. Legend: exploit detected, failed exploit detected, false positive, normal usage. Time axis: two work weeks (M Tu W Th F). Rows: uud.clean, eject, format, ffb, uudecode, ps (read / create), each marked with attack IDs. Annotation: "exploit evidence overwritten".]

Page 6: Attack Evidence Rules Used in the Evaluation Test Set

[Bar chart lost in extraction. Y axis 0 to 16. Categories: Buffer Overflow, Symlink/Race, Replaced File, Attack Scripts, Working Files, Server to Root, Denial of Service, Misc. Two bars per category: Total and Used. Annotation: Used = 18%.]

Page 7: Example Evidence Rule: EJECT buffer overflow

EVIDENCE-TYPE (exploit (setuid root) buffer-overflow)
UNIQUE-NAME eject-1
EVALUATION-NAME eject
PATHS (follow-links '("/usr/bin/eject"))
EVIDENCE
  ( ((not (and (command-version-vulnerable-p DIR FILE)            ;; not vulnerable command or
               (window-of-opportunity (TimeAccessed PATH))))     ;; not used in interval of interest
     0 0)                                                         ;;; assign 0% probability to command being used and 0% belief that it was
    ((greater-than (TimeAccessed PATH)                            ;;; use is later than
                   (max (TimeModified "/cdrom") (TimeModified "/floppy")))  ;;; expected effects
     40 100))                                                     ;;; 40% probability of exploit, no change in belief about whether it was exploited
POSIT
  ((posit ((TIME (TimeAccessed PATH))) (compromised-shell "root" TIME *unknown-time*)))
EXPLANATION (next slide)

Page 8: Evidence Rule: EJECT buffer overflow (cont)

UNIQUE-NAME eject-1
PATHS (follow-links '("/usr/bin/eject"))
EXPLANATION
  (explain-evidence
    ( PATH                                                   ;;; variable declarations
      (TIME (print-unix-time (TimeAccessed PATH)))
      (TIME2 (print-unix-time (TimeModified "/cdrom")))
      (TIME3 (print-unix-time (TimeModified "/floppy"))) )
    (TimeAccessed PATH)                                      ;;; "as-of" time
    "The command ~S is version vulnerable to a buffer overflow attack
     and appears to have been used at time ~A
     which is more recent than two associated files:
     /cdrom (~A) and /floppy (~A)."
    PATH TIME TIME2 TIME3)
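A worked evaluation of the eject-1 rule from the two slides above, written as an added Python example rather than DERBI's own Lisp: it replaces command-version-vulnerable-p with a lookup table, takes the window of opportunity as an explicit interval, and prints times in UTC instead of local time. The three timestamps are the ones shown in the slides' example output; everything else is constructed.

```python
from datetime import datetime, timezone

# Constructed filesystem metadata (Unix seconds). The three commented timestamps are
# the ones printed in the slides' example output; the eject mtime is made up.
FS = {
    "/usr/bin/eject": {"atime": 901218794, "mtime": 850000000},  # 23-Jul-1998 14:33:14 EDT
    "/cdrom":         {"atime": 887316166, "mtime": 887316166},  # 12-Feb-1998 15:42:46 EST
    "/floppy":        {"atime": 900945135, "mtime": 900945135},  # 20-Jul-1998 10:32:15 EDT
}
# Assumption: DERBI's command-version-vulnerable-p is replaced by a set of paths.
VULNERABLE_VERSIONS = {"/usr/bin/eject"}

def time_accessed(path):
    return FS[path]["atime"]

def time_modified(path):
    return FS[path]["mtime"]

def print_unix_time(t):
    """Render a Unix time the way the explanations do; UTC here for determinism."""
    return datetime.fromtimestamp(t, timezone.utc).strftime("%d-%b-%Y %H:%M:%S UTC")

def eject_rule(path, window):
    """Evaluate eject-1. Returns (belief, plausibility, explanation, posit).

    window is the (start, end) interval of interest, i.e. window-of-opportunity."""
    start, end = window
    used = time_accessed(path)
    # Clause 1: not a vulnerable version, or not used in the interval -> (0 0).
    if not (path in VULNERABLE_VERSIONS and start <= used <= end):
        return 0, 0, None, None
    # Clause 2: use is later than the expected side effects of a legitimate eject.
    if used > max(time_modified("/cdrom"), time_modified("/floppy")):
        expl = ('The command "%s" is version vulnerable to a buffer overflow attack '
                'and appears to have been used at time %s which is more recent than '
                'two associated files: /cdrom (%s) and /floppy (%s).'
                % (path, print_unix_time(used),
                   print_unix_time(time_modified("/cdrom")),
                   print_unix_time(time_modified("/floppy"))))
        # POSIT: a root shell was compromised at TIME; end time unknown.
        posit = ("compromised-shell", "root", used, "*unknown-time*")
        return 40, 100, expl, posit
    # No clause fired; the slide does not say what happens here. Assumption:
    # report total ignorance (belief 0, plausibility 100) and no explanation.
    return 0, 100, None, None

if __name__ == "__main__":
    print(eject_rule("/usr/bin/eject", (901200000, 901300000))[2])
```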

Page 9: Example Output for an Attack

+04:53:25 later
====================================
Time: 23-Jul-1998 14:32:39 EDT (901218759)
Exploit: Suspicious-login (Suspicious-login)
Login for user "darleent" from host 194.7.248.153
-------------------------------------------------------------
+00:00:12 later
====================================
Time: 23-Jul-1998 14:32:51 EDT (901218771)
Exploit: DOWNLOADING-EXPLOIT (UUDECODE-1)
"/usr/bin/uudecode" is often used by crackers and
rarely by users, and appears to have been used at
time 23-Jul-1998 14:32:51 EDT.
-------------------------------------------------------------
+00:00:23 later
====================================
Time: 23-Jul-1998 14:33:14 EDT (901218794)
Exploit: EJECT (EJECT-1)
The command "/usr/bin/eject" is version
vulnerable to a buffer overflow attack and appears
to have been used at time
23-Jul-1998 14:33:14 EDT
which is more recent than two associated files:
/cdrom (12-Feb-1998 15:42:46 EST)
and
/floppy (20-Jul-1998 10:32:15 EDT).
Asserting belief/plausibility = (40 100)
------------------------------------------------------------
+12:10:32 later

Page 10: More Indirect Detection

• mscan (#80): spotted probing of telnet

• saint (#53): detected rlogin to root via ++

• warez (#66-1): detected creation of "hidden" directory

• xsnoop (#71): detected root remote logins (and FTP) paired to immediately preceding SU to root by user alie

• HTTP tunnel: not matched to session (scored undetected)

– detected installation of bogus uudemon.cleanup

– detected use (via CRON: uucp and later bramy)

Page 11: Interesting False Detections

• Rlogin from local host to privileged account (root) that has “+ +” in .rhosts

• root SetUID command installed (“top”)

• login record inconsistencies

– root: lastlog date later than last entry in wtmpx

– start of root login missing (wtmpx truncation?)

– ~root/.cshrc access does not match root login and far from SU, but 30 seconds after suspicious remote login

– some related to test setup/shutdown (ignored, based on timing).

Page 12: DERBI Architecture

• Three major components:

– Head: analysis, reasoning, and explanation

– Body: interface between complex queries of Head and simple data from Feet

– Feet: simple data collection - may run on remote system

• file system information

• log files

• Support heterogeneous clusters & low-end systems

Page 13: Log File Information Relationships

[Diagram lost in extraction: relationships among utmp, utmpx, wtmp, wtmpx, lastlog, syslog, messages, authlog, sulog, the file system, shell init files, cronlog and crontabs.]

• Partial redundancy of info

• Redundancy a common result of the evolution & growth of systems

• Use to check for tampering

• Also exposes changes to system clock
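An added example, not DERBI's Feet or Body code, of using that redundancy as a tamper check: it walks constructed wtmpx-style and lastlog-style records (simplified tuples, not the binary utmpx layout) and flags the login-record inconsistencies listed under Interesting False Detections (lastlog later than the last wtmpx entry, a session whose start is missing) together with a clock that went backwards.

```python
from collections import defaultdict

# Constructed wtmpx-style records (time, user, kind, line/host), oldest first as
# the file would be appended. Simplified tuples, not the binary utmpx structure.
WTMPX = [
    (901100000, "root",     "login",  "console"),
    (901100500, "root",     "logout", "console"),
    (901200000, "alie",     "login",  "console"),
    (901200600, "alie",     "logout", "console"),
    (901218759, "darleent", "login",  "194.7.248.153"),
    (901218700, "bramy",    "logout", "pts/3"),   # no login for it, and earlier than the record before
    (901219000, "darleent", "logout", "194.7.248.153"),
]
# Constructed lastlog-style entries: user -> time of most recent login.
LASTLOG = {"root": 901250000, "alie": 901200000, "darleent": 901218759}

def check_logs(wtmpx, lastlog):
    """Cross-check partially redundant login records; return a list of findings.

    Each finding is a tuple whose first element names the inconsistency."""
    findings = []
    open_sessions = defaultdict(int)   # user -> logins without a logout yet
    last_login = {}                    # user -> time of the newest login seen
    prev_time = None
    for t, user, kind, line in wtmpx:
        # Records are appended in time order, so an earlier timestamp means the
        # clock was set back or the file was edited.
        if prev_time is not None and t < prev_time:
            findings.append(("clock-went-backwards", user, t, prev_time))
        prev_time = t
        if kind == "login":
            open_sessions[user] += 1
            last_login[user] = t
        elif open_sessions[user] == 0:
            # A logout with no matching login: truncation or deletion of the start.
            findings.append(("login-start-missing", user, t, line))
        else:
            open_sessions[user] -= 1
    # lastlog is written at every login, so it must agree with the newest wtmpx login.
    for user, t in lastlog.items():
        if user not in last_login:
            findings.append(("lastlog-without-wtmpx-login", user, t))
        elif t != last_login[user]:
            kind = "lastlog-later-than-wtmpx" if t > last_login[user] else "lastlog-earlier-than-wtmpx"
            findings.append((kind, user, t, last_login[user]))
    return findings

if __name__ == "__main__":
    for finding in check_logs(WTMPX, LASTLOG):
        print(finding)
```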

Page 14: Checking a Suspect System

[Diagram lost in extraction: a cluster of Ultra hosts with DERBI components, checking a suspect system.]

Page 15: Future

• Analysis for interrelated systems

– overlapping file systems, servers, users, other privileges (not just simple client-server)

• Support of multiple OS’s and OS families

• Expansion and standardization of attack data

– vulnerabilities, exploits, tools, camouflage, packages

• Test and distribution: operational clusters; false positive rates

• Explanation

• More sophisticated analysis

• Identification of higher-level goals