Page 1: Enriching intrusion alerts through multi-host causality

Enriching intrusion alerts through multi-host causality

Sam King, Morley Mao, Dominic Lucchetti, Peter Chen

University of Michigan

Page 2 (slide 2)

Motivation

• IDS alerts highlight suspicious activity
  – Network and host level

• Alerts lack context
  – How did this activity happen?
  – What were the effects of this activity?

Page 3 (slide 4)

Causality to connect alerts

[Figure: causality graph connecting alerts. Legend: Process, File, Socket; Detection point, Fork event, Read/write event. Nodes: remote socket, httpd, bash, wget, rootkits.com, getroot.exe, rootproc]

Page 4 (slide 5)

Overview

• Causality: BackTracker
• Bi-directional distributed BackTracker
• Correlating IDS alerts
• Conclusions

Page 5 (slide 6)

BackTracker

• Help figure out what application was exploited

• Show chain of events between exploit and detection point

• Track causal operating system events and objects

Page 6 (slide 7)

BackTracker Example

[Figure: BackTracker example graph. Legend: Process, File, Socket; Detection point, Fork event, Read/write event. Nodes: remote socket, httpd, bash, wget, /tmp/xploit/backdoor, backdoor, remote socket]

Page 7 (slide 8)

BackTracker

• Objects: processes, files
• Events: read/write, fork, exec, mmap…

• Online component logs events, objects
• Offline component generates graphs

• Causality effective technique for highlighting actions of attacker

Page 8 (slide 9)

Extending BackTracker

• Use send/receive events to connect processes on separate hosts
  – Identify packets by source/destination IP address and TCP sequence number

• Forward tracking

Page 9 (slide 10)

Bi-directional distributed BackTracker (BDB)

• Common configuration: firewall
• Given a single infected host, track attack

• Tracking multi-host attacks
  – Follow attack “upstream”
    • Find original source of intrusion
    • Patch vulnerable server, fix infected laptop
  – Follow attack “downstream”
    • Find other compromised hosts

Page 10 (slide 11)

Prioritize Packets

[Figure: causality graph used to prioritize packets. Legend: Process, File, Socket; Detection point, Fork event, Read/write event. Nodes: init, rc, httpd, bash, wget, /tmp/xploit/backdoor, backdoor, and two remote sockets]

Page 11 (slide 12)

Highest process, most recent packet

[Figure: same causality graph, highlighting the packet received by the highest process most recently. Legend: Process, File, Socket; Detection point, Fork event, Read/write event. Nodes: init, rc, httpd, bash, wget, /tmp/xploit/backdoor, backdoor, and two remote sockets]

Page 12 (slide 13)

Guess and check

• Follow all packets, examine other host
• Search for causally linked “intrusions”

[Figure: two linked causality graphs. Host A: socket, httpd, bash, wget, /tmp/xploit/backdoor, backdoor. Host B: httpd, bash, backdoor, spread_worm]
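The tracking procedure described on the BDB slides above, in working form: per-host OS events are merged into one graph, a send on one host and the matching receive on another meet at a packet node identified by (source IP, destination IP, TCP sequence number), backward tracking finds the upstream source, forward tracking finds downstream victims, and the "highest process, most recent packet" ordering decides which candidate packet to check first in the guess-and-check loop. This is an added example, not the authors' BackTracker or BDB code. The hosts, processes, packets, timestamps and the event tuple layout are constructed assumptions, and the traversal uses BackTracker's dependency rule reduced to a single timestamp per event: an event can affect an object only if it happened no later than the time at which that object was reached.

```python
"""Multi-host causality tracking in the style of BDB (added example, not the
authors' tool).  All hosts, processes, packets and times are constructed."""
from collections import defaultdict, deque

A, B = "10.0.0.1", "10.0.0.2"   # internal hosts (constructed)
EXT = "198.51.100.7"            # external attacker address (constructed)


# Node constructors.  A packet node carries no host, so the sender's 'send'
# edge and the receiver's 'recv' edge meet at the same node.
def proc(host, pid, name):
    return ("proc", host, pid, name)


def fobj(host, path):
    return ("file", host, path)


def pkt(src_ip, dst_ip, seq):
    return ("pkt", src_ip, dst_ip, seq)


# Event log: (time, kind, src, dst); information flows src -> dst.
EVENTS = [
    (1, "fork", proc(A, 1, "init"), proc(A, 50, "httpd")),
    (10, "recv", pkt(EXT, A, 500), proc(A, 50, "httpd")),          # exploit arrives
    (11, "fork", proc(A, 50, "httpd"), proc(A, 51, "bash")),
    (12, "fork", proc(A, 51, "bash"), proc(A, 52, "wget")),
    (13, "write", proc(A, 52, "wget"), fobj(A, "/tmp/xploit/backdoor")),
    (14, "fork", proc(A, 51, "bash"), proc(A, 53, "backdoor")),
    (15, "read", fobj(A, "/tmp/xploit/backdoor"), proc(A, 53, "backdoor")),  # exec
    (20, "send", proc(A, 53, "backdoor"), pkt(A, B, 900)),          # A reaches B
    (1, "fork", proc(B, 1, "init"), proc(B, 40, "httpd")),
    (5, "recv", pkt("192.0.2.9", B, 300), proc(B, 40, "httpd")),   # legitimate noise
    (21, "recv", pkt(A, B, 900), proc(B, 40, "httpd")),
    (22, "fork", proc(B, 40, "httpd"), proc(B, 41, "bash")),
    (23, "fork", proc(B, 41, "bash"), proc(B, 42, "spread_worm")),
    (30, "send", proc(B, 42, "spread_worm"), pkt(B, "10.0.0.3", 1200)),
]


def backtrack(events, start, start_time):
    """Objects that could have affected `start` before `start_time`.
    Returns {node: latest time at which the node could still matter}."""
    preds = defaultdict(list)
    for t, _, src, dst in events:
        preds[dst].append((t, src))
    reached, queue = {start: start_time}, deque([start])
    while queue:
        node = queue.popleft()
        for t, src in preds[node]:
            if t <= reached[node] and reached.get(src, -1) < t:
                reached[src] = t
                queue.append(src)
    return reached


def forward_track(events, start, start_time):
    """Objects `start` could have affected after `start_time` (downstream)."""
    succs = defaultdict(list)
    for t, _, src, dst in events:
        succs[src].append((t, dst))
    reached, queue = {start: start_time}, deque([start])
    while queue:
        node = queue.popleft()
        for t, dst in succs[node]:
            if t >= reached[node] and reached.get(dst, float("inf")) > t:
                reached[dst] = t
                queue.append(dst)
    return reached


def prioritize_packets(events, reached, host):
    """'Highest process, most recent packet': order the packets received on
    `host` inside the backtracked graph so that the one delivered to the
    process nearest the root of the fork tree, and latest in time, is first."""
    parent = {dst: src for _, k, src, dst in events if k == "fork"}

    def depth(p):
        d = 0
        while p in parent:
            p, d = parent[p], d + 1
        return d

    cands = [(depth(dst), -t, src) for t, k, src, dst in events
             if k == "recv" and dst[1] == host and dst in reached
             and src in reached and t <= reached[dst]]
    return [p for _, _, p in sorted(cands)]


def hosts_in(reached):
    """Hosts that appear in a tracked graph, i.e. the set of involved machines."""
    return {n[1] for n in reached if n[0] == "proc"}


if __name__ == "__main__":
    up = backtrack(EVENTS, proc(B, 42, "spread_worm"), 30)   # detection point on B
    print("hosts upstream of the detection point:", sorted(hosts_in(up)))
    print("packets to check first on B:", prioritize_packets(EVENTS, up, B))
    down = forward_track(EVENTS, pkt(EXT, A, 500), 10)
    print("downstream of the first exploit packet:", sorted(hosts_in(down)))
```

Running it from the detection point on host B reaches host A's backdoor, the dropped file and the external packet that started the chain, while the legitimate packet to B's httpd also stays in the backtracked set; that residual ambiguity is why the slides need the prioritization rule and the guess-and-check pass instead of trusting every upstream packet.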

Page 13 (slide 14)

Use NIDS to highlight packets

[Figure: causality graph with NIDS-highlighted packet. Nodes: smb socket, smbd, socket, bash, wget, /tmp/xploit/backdoor, backdoor]

Page 14 (slide 15)

Multi-host attacks

• Examined Slapper worm and manual attack on local network
• Significant background noise
  – 12 hosts, all connected, 4 ftpd, 4 httpd, 4 smbd
• All hosts both clients and servers
  – Download source code, compile
  – Gigabytes of network traffic
  – Millions of events and objects
• 20 minute experiments, break in after 10
• Goal: given a single infected host find source of attack and all infected hosts

Page 15 (slide 16)

Slapper Worm

[Figure: network diagram. Hosts A, B, C, D behind a Firewall; External Network; Slapper worm entering from outside]

Page 16 (slide 17)

[Figure: Slapper causality graph. Legend: Process, File, Socket; Detection point, Causal event]

Page 17 (slide 18)

Slapper Worm

[Figure: network diagram. Hosts A, B, C, D behind a Firewall; External Network; Slapper worm entering from outside]

Page 18 (slide 19)

[Figure: Slapper causality graph. Legend: Process, File, Socket; Detection point, Causal event]

Page 19 (slide 20)

Tracking Slapper Forward

[Figure: forward-tracking causality graph for Slapper. Legend: Process, File, Socket; Detection point, Causal event]

Page 20 (slide 21)

Slapper Worm

[Figure: network diagram. Hosts A, B, C, D behind a Firewall; External Network; Slapper worm entering from outside]

Page 21 (slide 22)

Multi-host manual attack

• Highest process, most recent packet does not always work

• Use Snort to highlight suspicious packets

• Stealthy attack, difficult to detect
  – Attack one host at a time
    • Wait for next target to communicate with current host
  – Break into various services
  – Services under heavy legitimate use
  – Use previously “unknown” attacks
  – Perform different tasks on each host

Page 22 (slide 23)

Multi-host manual attack

[Figure: network diagram of the manual attack. External Network; Hosts A through L]

Page 23 (slide 24)

Correlating IDS alerts

• Many independent sources of IDS alerts
  – Host/network
  – Host/host

• Correlate multiple sources, reduce false positives
  – Correlate through syntactic or timing relationships
  – Correlate through manually specified semantic relationships

• BDB can correlate IDS alerts through causal relationships

Page 24 (slide 25)

Zero Configuration Snort

• Difficult to configure
  – False positives
    • Services not used
    • Failed exploit attempts
    • New rules developed frequently

• Setup system with all default Snort rules
  – Also enabled several other rules

• Use causality to verify Snort alerts
  – Detect any processes running as root
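The zero-configuration idea on this slide in working form: Snort runs with default rules and produces many alerts, the host monitor independently flags every process running as root, and an alert is kept only when its packet is causally upstream of a root process, so the two noisy detectors filter each other. This is an added example, not the authors' tool. The alerts, signature labels, addresses and process table are constructed, and causality is reduced to the fork chain: a packet counts as upstream of a process if the process or one of its ancestors received it, and for an ancestor only if it arrived before that ancestor forked the next link in the chain.

```python
"""Zero-configuration Snort correlation (added example, not the authors'
tool).  Alerts, addresses and the process table are constructed data."""

HOST = "10.0.0.2"   # monitored honeypot (constructed)

# Constructed Snort alerts: (alert_id, signature label, src_ip, dst_ip, tcp_seq).
SNORT_ALERTS = [
    (1, "web long URI", "192.0.2.9", HOST, 300),          # fired on normal use
    (2, "web CGI exploit", "198.51.100.7", HOST, 500),
    (3, "ICMP ping sweep", "192.0.2.9", HOST, 0),
    (4, "SSH brute force", "203.0.113.5", HOST, 7000),
]

# Constructed host-monitor process table.  'recv' lists packets the process
# received as ((src_ip, dst_ip, seq), time); 'started' is the fork time.
PROCS = {
    1: {"name": "init", "ppid": 0, "uid": 0, "started": 0, "recv": []},
    80: {"name": "sshd", "ppid": 1, "uid": 0, "started": 1,
         "recv": [(("203.0.113.5", HOST, 7001), 3)]},     # admin login, no alert
    100: {"name": "httpd", "ppid": 1, "uid": 33, "started": 1,
          "recv": [(("198.51.100.7", HOST, 500), 10),     # exploit packet
                   (("192.0.2.9", HOST, 300), 25)]},      # after the fork below
    101: {"name": "bash", "ppid": 100, "uid": 33, "started": 20, "recv": []},
    102: {"name": "getroot", "ppid": 101, "uid": 33, "started": 30, "recv": []},
    103: {"name": "rootproc", "ppid": 102, "uid": 0, "started": 40, "recv": []},
}


def upstream_packets(procs, pid):
    """Packets that could have influenced `pid` along its fork chain.  A
    packet an ancestor received after forking the next child is excluded."""
    limit, found = float("inf"), []
    while pid in procs:
        p = procs[pid]
        found += [packet for packet, t in p["recv"] if t <= limit]
        limit, pid = p["started"], p["ppid"]
    return found


def root_processes(procs):
    """The host-side detection rule from the slide: any process running as root."""
    return [pid for pid, p in procs.items() if p["uid"] == 0]


def correlate(alerts, procs):
    """Split alerts into (confirmed, noise).  Confirmed entries are
    (alert, [root pids the alert packet is causally upstream of])."""
    suspect = {}
    for pid in root_processes(procs):
        for packet in upstream_packets(procs, pid):
            suspect.setdefault(packet, []).append(pid)
    confirmed, noise = [], []
    for alert in alerts:
        packet = alert[2:]                       # (src_ip, dst_ip, seq)
        if packet in suspect:
            confirmed.append((alert, suspect[packet]))
        else:
            noise.append(alert)
    return confirmed, noise


if __name__ == "__main__":
    confirmed, noise = correlate(SNORT_ALERTS, PROCS)
    for alert, pids in confirmed:
        print("true positive:", alert, "-> root processes", pids)
    print("unconfirmed alerts:", [a[0] for a in noise])
```

Only the CGI alert survives: the long-URI packet reached httpd after it had already forked the shell, the ping never reached a process, and the brute-force alert matches no packet any process received. The root processes init and sshd trigger nothing on their own because no alert packet is upstream of them, which is the mutual filtering the slide relies on.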

Page 25 (slide 26)

Zero Configuration Snort Results

• Ran honeypot for two days

• Without correlating alerts
  – 39 Snort alerts
  – Many processes run as root

• Zero Configuration Snort
  – Zero false positives
  – One true positive

Page 26 (slide 27)

[Figure: causality graph for the honeypot true positive. Legend: Process, File, Socket; Detection point, Causal event]

Page 27 (slide 28)

Conclusions

• Can use causality to provide context for intrusion alerts
  – Follow multi-host attacks
  – Correlate IDS alerts

• Causality effective mechanism for adding context to intrusion alerts

Page 28 (slide 29)

Questions
