Enriching intrusion alerts through multi-host causality
Sam King, Morley Mao, Dominic Lucchetti, Peter Chen
University of Michigan
Presentation transcript
Motivation
• IDS alerts highlight suspicious activity
  – Network and host level
• Alerts lack context
  – How did this activity happen?
  – What were the effects of this activity?
Causality to connect alerts
[Figure: causality graph connecting alerts. Legend: process, file, socket, remote socket, detection point, fork event, read/write event. Nodes: httpd, bash, wget, rootkits.com, getroot.exe, rootproc.]
Overview
• Causality: BackTracker
• Bi-directional distributed BackTracker
• Correlating IDS alerts
• Conclusions
BackTracker
• Help figure out what application was exploited
• Show chain of events between exploit and detection point
• Track causal operating system events and objects
BackTracker Example
[Figure: backward causality graph. Legend: process, file, socket, detection point, fork event, read/write event. Nodes: remote socket, httpd, bash, wget, remote socket, /tmp/xploit/backdoor, backdoor.]
BackTracker
• Objects: processes, files
• Events: read/write, fork, exec, mmap…
• Online component logs events, objects
• Offline component generates graphs
• Causality effective technique for highlighting actions of attacker
Extending BackTracker
• Use send/receive events to connect events on separate hosts
  – Identify packets by source/destination IP address and TCP sequence number
• Forward tracking
Bi-directional distributed BackTracker (BDB)
• Common configuration: firewall
• Given a single infected host, track attack
• Tracking multi-host attacks
  – Follow attack “upstream”
    • Find original source of intrusion
    • Patch vulnerable server, fix infected laptop
  – Follow attack “downstream”
    • Find other compromised hosts
Prioritize Packets
[Figure: backward causality graph with two remote sockets. Legend: process, file, socket, detection point, fork event, read/write event. Nodes: init, rc, httpd, remote socket, bash, wget, remote socket, /tmp/xploit/backdoor, backdoor.]

Highest process, most recent packet
[Figure: the same backward causality graph as on the previous slide.]
Guess and check
• Follow all packets, examine other host
• Search for causally linked “intrusions”
[Figure: causality graphs on Host A and Host B. Nodes: spread_worm, backdoor, bash, httpd, backdoor, /tmp/xploit/backdoor, bash, wget, socket, httpd.]
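The slides on extending BackTracker, BDB, packet prioritization and guess-and-check describe one procedure: log per-host events, join the hosts' graphs by matching send and receive events on (source IP, destination IP, TCP sequence number), track backward from a detection point, pick the next packet to follow by the "highest process, most recent packet" rule, hop to the sending host, and finally track forward from the entry point to list the other infected hosts. The following is an added example written for this page, not the authors' code. The object naming (`<host>:<type>:<name>`), every IP address, sequence number and event in the log are constructed, and the time-bounded searches and the tie-breaking in `prioritize_packet` are my reading of the slides rather than the published implementation.

```python
"""Multi-host causality tracking in the spirit of BackTracker and BDB.

Added example, not the authors' code.  Object names ("<host>:<type>:<name>"),
IP addresses, TCP sequence numbers and the whole event log are constructed;
the search rules below are one reading of the slides.
"""
from collections import defaultdict, deque

# Each event is (host, time, kind, src, dst, packet_id); information flows
# src -> dst.  packet_id = (src_ip, dst_ip, tcp_seq) matches a send on one
# host with the receive of the same packet on another host.
EVENTS = [
    # Host A: process tree, exploit packet from outside, backdoor, spread to B.
    ("A", 0, "fork", "A:proc:init", "A:proc:rc", None),
    ("A", 0, "fork", "A:proc:rc", "A:proc:httpd", None),
    ("A", 1, "recv", "A:sock:ext", "A:proc:httpd", ("10.0.0.9", "10.0.0.1", 1001)),
    ("A", 2, "fork", "A:proc:httpd", "A:proc:bash", None),
    ("A", 3, "write", "A:proc:bash", "A:file:/tmp/xploit/backdoor", None),
    ("A", 4, "exec", "A:file:/tmp/xploit/backdoor", "A:proc:backdoor", None),
    ("A", 5, "send", "A:proc:backdoor", "A:sock:toB", ("10.0.0.1", "10.0.0.2", 2002)),
    # Host B: an earlier legitimate request to httpd, the packet from A,
    # a wget download, and unrelated smbd activity (background noise).
    ("B", 0, "fork", "B:proc:init", "B:proc:rc", None),
    ("B", 0, "fork", "B:proc:rc", "B:proc:httpd", None),
    ("B", 3, "recv", "B:sock:fromC1", "B:proc:httpd", ("10.0.0.3", "10.0.0.2", 3000)),
    ("B", 5, "recv", "B:sock:fromC2", "B:proc:smbd", ("10.0.0.3", "10.0.0.2", 3003)),
    ("B", 6, "write", "B:proc:smbd", "B:file:/srv/share/report.doc", None),
    ("B", 6, "recv", "B:sock:fromA", "B:proc:httpd", ("10.0.0.1", "10.0.0.2", 2002)),
    ("B", 7, "fork", "B:proc:httpd", "B:proc:bash", None),
    ("B", 8, "fork", "B:proc:bash", "B:proc:wget", None),
    ("B", 9, "recv", "B:sock:fromD", "B:proc:wget", ("10.0.0.4", "10.0.0.2", 4004)),
    ("B", 10, "write", "B:proc:wget", "B:file:/tmp/xploit/backdoor", None),
    ("B", 11, "exec", "B:file:/tmp/xploit/backdoor", "B:proc:backdoor", None),
]


def host_of(obj):
    return obj.split(":", 1)[0]


class CausalityGraph:
    def __init__(self, events):
        self.out = defaultdict(list)  # obj -> [(time, successor)]
        self.inc = defaultdict(list)  # obj -> [(time, predecessor)]
        self.parent = {}              # child process -> parent process
        self.sends = {}               # packet_id -> (process, socket, time)
        self.recvs = []               # (packet_id, socket, process, time)
        for _host, t, kind, src, dst, pkt in events:
            self._edge(src, dst, t)
            if kind == "fork":
                self.parent[dst] = src
            elif kind == "send":
                self.sends[pkt] = (src, dst, t)
            elif kind == "recv":
                self.recvs.append((pkt, src, dst, t))
        # Cross-host link: sending socket -> receiving socket for matched ids.
        for pkt, sock_in, _proc, _t in self.recvs:
            if pkt in self.sends:
                _sender, sock_out, t_sent = self.sends[pkt]
                self._edge(sock_out, sock_in, t_sent)

    def _edge(self, src, dst, t):
        self.out[src].append((t, dst))
        self.inc[dst].append((t, src))

    def backward(self, detection, t0=float("inf")):
        """BackTracker: objects that could have influenced `detection`.
        Returns obj -> latest time at which an event on it still matters."""
        bound, queue = {detection: t0}, deque([detection])
        while queue:
            obj = queue.popleft()
            for t, prev in self.inc[obj]:
                if t <= bound[obj] and bound.get(prev, -1) < t:
                    bound[prev] = t
                    queue.append(prev)
        return bound

    def forward(self, origin, t0=0):
        """BDB downstream: objects `origin` could have influenced after t0."""
        bound, queue = {origin: t0}, deque([origin])
        while queue:
            obj = queue.popleft()
            for t, nxt in self.out[obj]:
                if t >= bound[obj] and bound.get(nxt, float("inf")) > t:
                    bound[nxt] = t
                    queue.append(nxt)
        return bound

    def depth(self, proc):
        """Fork hops from the root of the process tree (init = 0)."""
        d = 0
        while proc in self.parent:
            proc, d = self.parent[proc], d + 1
        return d

    def prioritize_packet(self, detection):
        """Highest process, most recent packet: among received packets in the
        backward set on the detection host, prefer the receiving process
        nearest init, then the latest arrival."""
        bound, host = self.backward(detection), host_of(detection)
        cands = [(self.depth(p), -t, pkt) for pkt, s, p, t in self.recvs
                 if s in bound and host_of(p) == host]
        return min(cands)[2] if cands else None

    def follow_upstream(self, detection):
        """Guess and check: hop to the host that sent the prioritized packet
        until the packet has no logged sender (it came from outside)."""
        trail = [detection]
        while True:
            pkt = self.prioritize_packet(trail[-1])
            if pkt is None or pkt not in self.sends:
                return pkt, trail
            trail.append(self.sends[pkt][0])


def track(events=EVENTS, detection="B:proc:backdoor"):
    """Upstream to the entry packet, then downstream to all infected hosts."""
    g = CausalityGraph(events)
    entry, trail = g.follow_upstream(detection)
    if entry is None:
        return {"entry_packet": None, "trail": trail, "infected_hosts": [], "infected_objects": []}
    sock, t = next((s, t) for pkt, s, _p, t in g.recvs if pkt == entry)
    downstream = g.forward(sock, t)
    return {"entry_packet": entry, "trail": trail,
            "infected_hosts": sorted({host_of(o) for o in downstream}),
            "infected_objects": sorted(downstream)}
```

Calling `track()` on the constructed log starts at the backdoor on host B, chooses the packet that httpd (two forks below init) received most recently rather than the later wget download, hops to host A, finds that A's exploit packet has no sender in the log, and then tracks forward from that packet to report hosts A and B as infected while leaving smbd and its share file out of the graph.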
Use NIDS to highlight packets
[Figure: causality graph. Nodes: backdoor, /tmp/xploit/backdoor, bash, wget, socket, smbd, smb socket.]
Multi-host attacks
• Examined Slapper worm and manual attack on local network
• Significant background noise
  – 12 hosts, all connected, 4 ftpd, 4 httpd, 4 smbd
• All hosts both clients and servers
  – Download source code, compile
  – Gigabytes of network traffic
  – Millions of events and objects
• 20 minute experiments, break in after 10
• Goal: given a single infected host, find source of attack and all infected hosts
Slapper Worm
[Figure: Host A, Host B, Host C and Host D on the local network behind a firewall; the Slapper worm arrives from the external network. Causality graph legend: process, file, socket, detection point, causal event.]

Tracking Slapper Forward
[Figure: causality graph tracked forward across the same four hosts. Legend: process, file, socket, detection point, causal event.]
Multi-host manual attack
• Highest process, most recent packet does not always work
• Use Snort to highlight suspicious packets
• Stealthy attack, difficult to detect– Attack one host at a time
• Wait for next target to communicate with current host
– Break into various services– Services under heavy legitimate use– Use previously “unknown” attacks– Perform different tasks on each host
[Figure: multi-host manual attack across Host A through Host L on the local network, with the external network.]
Correlating IDS alerts
• Many independent sources of IDS alerts
  – Host/network
  – Host/host
• Correlate multiple sources, reduce false positives
  – Correlate through syntactic or timing relationships
  – Correlate through manually specified semantic relationships
• BDB can correlate IDS alerts through causal relationships
Zero Configuration Snort
• Difficult to configure
  – False positives
    • Services not used
    • Failed exploit attempts
    • New rules developed frequently
• Setup system with all default Snort rules
  – Also enabled several other rules
• Use causality to verify Snort alerts
  – Detect any processes running as root
Zero Configuration Snort Results
• Ran honeypot for two days
• Without correlating alerts
  – 39 Snort alerts
  – Many processes run as root
• Zero Configuration Snort
  – Zero false positives
  – One true positive
[Figure: causality graph. Legend: process, file, socket, detection point, causal event.]
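The two "Zero Configuration Snort" slides combine a noisy network alert source with a noisy host detection point (any process running as root) and keep only alerts the host causality graph links together. The following is an added example written for this page, not the authors' code: the alert lines only follow the shape of Snort's fast-alert output and are constructed, as are the rule ids, addresses, uids and the host event log; the `HostGraph` model and the "root process downstream of the alerted packet" test are my own formulation of the slides' check.

```python
"""Verifying NIDS alerts with host causality ("zero configuration Snort").

Added example, not the authors' code.  The alert lines only follow the
shape of Snort's fast-alert output; the rule ids, addresses, uids and the
whole host log are constructed for illustration.
"""
import re
from collections import defaultdict, deque

ALERTS = [  # constructed lines in Snort fast-alert shape, not real Snort output
    "11/03-10:00:01.000000  [**] [1:9000001:1] CONSTRUCTED web exploit attempt [**] "
    "[Priority: 1] {TCP} 10.0.0.9:4444 -> 10.0.0.1:80",
    "11/03-10:00:05.000000  [**] [1:9000002:1] CONSTRUCTED ftp exploit attempt [**] "
    "[Priority: 1] {TCP} 10.0.0.9:4445 -> 10.0.0.1:21",
    "11/03-10:00:09.000000  [**] [1:9000003:1] CONSTRUCTED probe of unused port [**] "
    "[Priority: 2] {TCP} 10.0.0.9:4446 -> 10.0.0.1:6000",
]
ALERT_RE = re.compile(r"\{(\w+)\} (\S+?):(\d+) -> (\S+?):(\d+)$")

# Constructed host log: (time, kind, src, dst, extra).  Information flows
# src -> dst.  For "recv", extra is the packet's 4-tuple as the host saw it;
# for "fork"/"exec", extra is the uid of the new process image.
HOST_LOG = [
    (0, "fork", "proc:init", "proc:httpd", 33),
    (0, "fork", "proc:init", "proc:ftpd", 33),
    (1, "recv", "sock:1", "proc:httpd", ("10.0.0.9", 4444, "10.0.0.1", 80)),
    (2, "fork", "proc:httpd", "proc:bash", 33),
    (3, "write", "proc:bash", "file:/tmp/xploit/getroot", None),
    (4, "exec", "file:/tmp/xploit/getroot", "proc:getroot", 0),  # now running as root
    (5, "recv", "sock:2", "proc:ftpd", ("10.0.0.9", 4445, "10.0.0.1", 21)),
    (6, "write", "proc:ftpd", "file:/var/log/xferlog", None),   # failed attempt, only logged
    (7, "fork", "proc:init", "proc:cron", 0),  # root, but not linked to any alert
]


def parse_alert(line):
    """Return (src_ip, src_port, dst_ip, dst_port) from a fast-alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    _proto, sip, sport, dip, dport = m.groups()
    return (sip, int(sport), dip, int(dport))


class HostGraph:
    def __init__(self, log):
        self.out = defaultdict(list)  # obj -> [(time, successor)]
        self.uid = {}                 # process -> uid
        self.recv = {}                # packet 4-tuple -> (process, time)
        for t, kind, src, dst, extra in log:
            self.out[src].append((t, dst))
            if kind == "recv":
                self.recv[extra] = (dst, t)
            elif kind in ("fork", "exec"):
                self.uid[dst] = extra

    def forward(self, start, t0):
        """Objects reachable from `start` through events at or after t0."""
        bound, queue = {start: t0}, deque([start])
        while queue:
            obj = queue.popleft()
            for t, nxt in self.out[obj]:
                if t >= bound[obj] and bound.get(nxt, float("inf")) > t:
                    bound[nxt] = t
                    queue.append(nxt)
        return bound

    def root_processes_caused_by(self, pkt):
        """Root (uid 0) processes causally downstream of the alerted packet;
        an empty list means the alert had no visible effect on the host."""
        if pkt not in self.recv:
            return []
        proc, t = self.recv[pkt]
        return sorted(o for o in self.forward(proc, t) if self.uid.get(o) == 0)


def verify_alerts(lines, graph):
    """Keep an alert only when causality links it to a root process."""
    verdicts = []
    for line in lines:
        roots = graph.root_processes_caused_by(parse_alert(line))
        verdicts.append(("true positive" if roots else "false positive", roots))
    return verdicts


def all_root_processes(graph):
    """What a host-only 'runs as root' detector would flag, for comparison."""
    return sorted(p for p, uid in graph.uid.items() if uid == 0)
```

On the constructed data `verify_alerts(ALERTS, HostGraph(HOST_LOG))` keeps only the web alert, because its packet leads through httpd and bash to a process that ends up with uid 0; the ftp alert reaches nothing but a log write and the probe of an unused port never matches a receive event at all, while `all_root_processes` shows that the host-side signal alone would also flag cron.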
Conclusions
• Can use causality to provide context for intrusion alerts
  – Follow multi-host attacks
  – Correlate IDS alerts
• Causality effective mechanism for adding context to intrusion alerts

Questions