Enriching intrusion alerts through multi-host causality

Post on 09-Feb-2016


DESCRIPTION

Enriching intrusion alerts through multi-host causality. Sam King, Morley Mao, Dominic Lucchetti, Peter Chen (University of Michigan). Motivation: IDS alerts highlight suspicious activity at the network and host level, but alerts lack context: how did this activity happen? PowerPoint PPT presentation.

TRANSCRIPT

Enriching intrusion alerts through multi-host causality

Sam King, Morley Mao, Dominic Lucchetti, Peter Chen

University of Michigan

Motivation

• IDS alerts highlight suspicious activity
  – Network and host level
• Alerts lack context
  – How did this activity happen?
  – What were the effects of this activity?

Causality to connect alerts

[Diagram: causal graph connecting a network alert to host activity. Legend: process, file, socket, remote socket; detection point, fork event, read/write event. Nodes: remote socket, httpd, bash, wget, rootkits.com, getroot.exe, rootproc.]

Overview

• Causality: BackTracker
• Bi-directional distributed BackTracker
• Correlating IDS alerts
• Conclusions


BackTracker

• Help figure out what application was exploited

• Show chain of events between exploit and detection point

• Track causal operating system events and objects

BackTracker Example

[Diagram: BackTracker causal graph for one host. Legend: process, file, socket; detection point, fork event, read/write event. Nodes: remote socket, httpd, bash, wget, remote socket, /tmp/xploit/backdoor, backdoor.]

BackTracker

• Objects: processes, files
• Events: read/write, fork, exec, mmap, …
• Online component logs events and objects
• Offline component generates graphs
• Causality is an effective technique for highlighting the actions of an attacker

Extending BackTracker

• Use send/receive events to connect events on separate hosts
  – Identify packets by source/destination IP address and TCP sequence number
• Forward tracking

Bi-directional distributed BackTracker (BDB)

• Common configuration: firewall
• Given a single infected host, track the attack
• Tracking multi-host attacks
  – Follow the attack “upstream”
    • Find the original source of the intrusion
    • Patch the vulnerable server, fix the infected laptop
  – Follow the attack “downstream”
    • Find other compromised hosts

Prioritize Packets

[Diagram: the BackTracker example graph extended up to init. Legend: process, file, socket; detection point, fork event, read/write event. Nodes: remote socket, init, rc, httpd, bash, wget, remote socket, /tmp/xploit/backdoor, backdoor.]

Highest process, most recent packet

[Diagram: the same graph as on the previous slide, used to illustrate which received packet to follow first.]
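Slides 9 through 12 describe two mechanisms: matching a packet's send event on one host with its receive event on another by (source IP, destination IP, TCP sequence number), and choosing which inbound packet to follow upstream by "highest process, most recent packet". The Python below is an added example, not the authors' BackTracker/BDB code; the two-host event log, IP addresses, timestamps and process names are constructed to mirror the example graph, and the time-ordered reverse walk is an assumed simplification of BackTracker's dependency rule.

```python
# Constructed two-host event log, not real BackTracker output. Each entry is
# (time, kind, src, dst): src causally affects dst. Packets are named by the
# (src IP, dst IP, TCP seq) key the slides use to match sends with receives.
EVENTS = {
    "B": [
        (1, "fork", "init", "rc"), (2, "fork", "rc", "httpd"),
        (3, "recv", ("10.0.0.1", "10.0.0.2", 1000), "httpd"),  # benign request
        (5, "recv", ("10.0.0.1", "10.0.0.2", 2000), "httpd"),  # exploit request
        (6, "fork", "httpd", "bash"), (7, "fork", "bash", "wget"),
        (8, "recv", ("10.0.0.9", "10.0.0.2", 3000), "wget"),   # tool download
        (9, "write", "wget", "/tmp/xploit/backdoor"),
        (10, "exec", "/tmp/xploit/backdoor", "backdoor"),      # detection point
    ],
    "A": [
        (1, "fork", "init", "httpd"), (4, "fork", "httpd", "bash"),
        (5, "send", "bash", ("10.0.0.1", "10.0.0.2", 2000)),
    ],
}

def backtrack(host, sink):
    """Reverse walk from sink that honours time: an event is followed only if it
    happened no later than the event it could have influenced."""
    reach, work = {}, [(sink, float("inf"))]
    while work:
        obj, limit = work.pop()
        for t, _kind, src, dst in EVENTS[host]:
            if dst == obj and t <= limit and reach.get(src, -1) < t:
                reach[src] = t          # revisit only when a later limit opens more
                work.append((src, t))
    return reach                        # {object: latest time it could have mattered}

def process_depth(host):
    """Fork distance from init; the slides' "highest" process is nearest init."""
    depth = {"init": 0}
    for _t, kind, src, dst in sorted(EVENTS[host], key=lambda e: e[0]):
        if kind == "fork" and src in depth:
            depth[dst] = depth[src] + 1
    return depth

def choose_packet(host, sink):
    """Highest process, most recent packet: rank inbound packets upstream of sink."""
    reach, depth = backtrack(host, sink), process_depth(host)
    cands = [(depth.get(dst, float("inf")), -t, src)
             for t, kind, src, dst in EVENTS[host] if kind == "recv" and src in reach]
    return min(cands)[2] if cands else None

def upstream_sender(packet):
    """Cross-host link: the process (and host) whose send carries the same key."""
    return next(((host, src) for host, evs in EVENTS.items()
                 for _t, kind, src, dst in evs if kind == "send" and dst == packet), None)
```

With this log the heuristic prefers the packets httpd received over the one wget fetched, picks the later of the two, and resolves it through the shared packet key to bash on host A.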

Guess and check

• Follow all packets, examine the other host
• Search for causally linked “intrusions”

[Diagram: causal graphs of Host A and Host B side by side. Nodes: spread_worm, backdoor, bash, httpd, backdoor, /tmp/xploit/backdoor, bash, wget, socket, httpd.]

Use NIDS to highlight packets

[Diagram: causal graph with the NIDS-flagged packet highlighted. Nodes: backdoor, /tmp/xploit/backdoor, bash, wget, socket, smbd, smb socket.]

Multi-host attacks

• Examined Slapper worm and manual attack on local network
• Significant background noise
  – 12 hosts, all connected, 4 ftpd, 4 httpd, 4 smbd
• All hosts both clients and servers
  – Download source code, compile
  – Gigabytes of network traffic
  – Millions of events and objects
• 20 minute experiments, break in after 10
• Goal: given a single infected host, find source of attack and all infected hosts

Slapper Worm

[Network diagram: Host A, Host B, Host C, Host D, a firewall, the external network and the Slapper worm.]

[Diagram: causal graph for one host. Legend: process, file, socket; detection point, causal event.]

Slapper Worm

[Network diagram: same hosts, firewall, external network and Slapper worm as above.]

[Diagram: causal graph. Legend: process, file, socket; detection point, causal event.]

Tracking Slapper Forward

[Diagram: causal graph. Legend: process, file, socket; detection point, causal event.]

Slapper Worm

[Network diagram: same hosts, firewall, external network and Slapper worm as above.]

Multi-host manual attack

• Highest process, most recent packet does not always work
• Use Snort to highlight suspicious packets
• Stealthy attack, difficult to detect
  – Attack one host at a time
    • Wait for next target to communicate with current host
  – Break into various services
  – Services under heavy legitimate use
  – Use previously “unknown” attacks
  – Perform different tasks on each host

Multi-host manual attack

[Network diagram: the external network and Host A through Host L.]

Correlating IDS alerts

• Many independent sources of IDS alerts
  – Host/network
  – Host/host
• Correlate multiple sources, reduce false positives
  – Correlate through syntactic or timing relationships
  – Correlate through manually specified semantic relationships
• BDB can correlate IDS alerts through causal relationships

Zero Configuration Snort

• Difficult to configure
  – False positives
    • Services not used
    • Failed exploit attempts
    • New rules developed frequently
• Set up system with all default Snort rules
  – Also enabled several other rules
• Use causality to verify Snort alerts
  – Detect any processes running as root
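The verification step on this slide (keep a Snort alert only if causality connects its packet to a process running as root, and ignore root processes no alert leads to) as an added Python example. This is not the authors' code; the Snort alerts, host events and root-process list are constructed, and the single-pass forward tracking over time-ordered events is an assumed simplification of BDB's forward tracker.

```python
# Constructed inputs, not the authors' honeypot data. Each Snort alert names
# the packet it fired on; host events are (time, kind, src, dst) with src
# causally affecting dst; ROOT_PROCS is what the host monitor reports as root.
SNORT_ALERTS = [("10.0.0.5", "10.0.0.2", 41),    # scanner probe
                ("10.0.0.7", "10.0.0.2", 99),    # exploit request
                ("10.0.0.8", "10.0.0.2", 123)]   # failed attempt on ftpd
HOST_EVENTS = [
    (1, "recv", ("10.0.0.5", "10.0.0.2", 41), "smbd"),
    (2, "recv", ("10.0.0.7", "10.0.0.2", 99), "httpd"),
    (3, "fork", "httpd", "sh"), (4, "exec", "sh", "getroot"),
    (5, "fork", "getroot", "rootproc"),
    (6, "recv", ("10.0.0.8", "10.0.0.2", 123), "ftpd"),
    (7, "fork", "init", "cron"),                 # legitimate root activity
]
ROOT_PROCS = {"init", "cron", "rootproc"}

def forward_track(start):
    """Objects causally downstream of start: one pass over time-ordered events,
    tainting dst whenever src was already tainted no later than the event."""
    tainted = {start: float("-inf")}     # object -> time it became tainted
    for t, _kind, src, dst in sorted(HOST_EVENTS, key=lambda e: e[0]):
        if src in tainted and tainted[src] <= t and dst not in tainted:
            tainted[dst] = t
    return tainted

def root_processes_downstream(packet):
    """Root processes that the alerted packet could have led to."""
    return sorted(p for p in forward_track(packet) if p in ROOT_PROCS)

def verified_alerts():
    """Keep only Snort alerts whose packet is causally linked to a root process;
    the other alerts and the unlinked root processes (init, cron) are noise."""
    out = {}
    for pkt in SNORT_ALERTS:
        roots = root_processes_downstream(pkt)
        if roots:
            out[pkt] = roots
    return out
```

Without correlation this log yields three Snort alerts and three root processes; with it, one alert remains, tied to the one root process it explains.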

Zero Configuration Snort Results

• Ran honeypot for two days
• Without correlating alerts
  – 39 Snort alerts
  – Many processes run as root
• Zero Configuration Snort
  – Zero false positives
  – One true positive

[Diagram: causal graph. Legend: process, file, socket; detection point, causal event.]

Conclusions

• Can use causality to provide context for intrusion alerts
  – Follow multi-host attacks
  – Correlate IDS alerts
• Causality is an effective mechanism for adding context to intrusion alerts


Questions
