Information Fusion
By
Ganesh Godavari
Outline of Talk
• Problem Definition – Attack Types
• Correlation Solutions
• OSSIM
• Work Status
Problem Definition
• Fusion of intrusion detection data from various sensors distributed over a geographic area. Attack events are interval based (recall Degrading Denial of Service).
• Note: Fusion is possible only if data can be correlated at both the sensor and intermediary nodes.
Possible Attack Scenarios
Syn Attack
• Cause: vulnerability in some TCP/IP stack implementations.
• How does it work: The program sends TCP SYN packets in large numbers and never completes the TCP handshake. This causes a large backlog of half-open connections and deteriorates the performance of the machine.
• Result: System performance may slow down.
Contd..
Ping Flood
• Cause: vulnerability in some operating systems.
• How does it work: An attacker can use a scanner that pings a system to find out more information about the network, or the attacker can use a tool to send a large number of pings in an attempt to "flood" the network and create a denial of service condition.
• Result: System performance may slow down.
Contd..
UDP Flood Attack
• Cause: connectionless nature of the UDP protocol.
• How does it work: The attacker sends a UDP packet to a random port on the victim system. On receiving a UDP packet, the OS determines which application is waiting on the destination port. If no application is waiting on that port, an ICMP (destination unreachable) packet is generated and sent to the source address.
• Result: System performance may slow down.
Correlation Techniques
• Correlation of attacks
  – Similarities between the event attributes
    • E.g. srcIP, dstIP
    • Cannot detect non-obvious attacks (need to check for temporal relationships!!)
  – Known attack scenarios
    • E.g. “gesundheit!” signature of the Stacheldraht DoS tool
  – Preconditions and consequences of individual attacks
    • E.g. “a port-scan is performed on a machine to check for vulnerable ports, before an attack is launched on the ports”
Qualitative Temporal Relationships
• Non-obvious patterns among events can be represented using temporal relationships between interval-based events.
• Listed on the next slide are the twenty-four relationships between intervals and 11 relationships between semi-intervals [1][2][3].
24 relations between Events

| Relation | Inverse Relation | Meaning |
|---|---|---|
| e1 equal e2 | equal | e1.begin_time == e2.begin_time and e1.end_time == e2.end_time |
| e1 before e2 | after | e1.end_time < e2.begin_time |
| e1 meets e2 | inv-meets | e1.end_time == e2.begin_time |
| e1 overlaps e2 | inv-overlaps | e1.begin_time < e2.begin_time and e1.end_time < e2.end_time and e1.end_time > e2.begin_time |
| e1 during e2 | inv-during | e1.begin_time > e2.begin_time and e1.end_time < e2.end_time |
| e1 starts e2 | inv-starts | e1.begin_time == e2.begin_time and e1.end_time < e2.end_time |
| e1 finishes e2 | inv-finishes | e1.begin_time > e2.begin_time and e1.end_time == e2.end_time |
| e1 older (than) e2 | younger (than) | e1.begin_time < e2.begin_time |
| e1 head-to-head e2 | head-to-head | e1.begin_time == e2.begin_time |
| e1 survives e2 | survived-by | e1.end_time < e2.end_time |
| e1 tail-to-tail e2 | tail-to-tail | e1.end_time > e2.end_time |
| e1 precedes e2 | succeeds | e1.end_time <= e2.begin_time |
| e1 contemporary e2 | contemporary | e1.begin_time < e2.end_time and e2.begin_time < e1.end_time |
| e1 born-before-death e2 | die-after-birth | e1.begin_time < e2.end_time |
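The table above becomes usable for fusion once each relation is a predicate over two interval events. The following is an added example, not code from the talk or from OSSIM: it transcribes the forward relations from the table, then uses the precedes relation to find the "port-scan before attack" scenario from the Correlation Techniques slide. The Event type and the sample events are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Interval-based IDS event; field names follow the slide's e.begin_time / e.end_time."""
    name: str
    src: str
    dst: str
    begin_time: float
    end_time: float


# Forward relations transcribed from the slide's table (an inverse holds when the arguments swap).
RELATIONS = {
    "equal": lambda a, b: a.begin_time == b.begin_time and a.end_time == b.end_time,
    "before": lambda a, b: a.end_time < b.begin_time,
    "meets": lambda a, b: a.end_time == b.begin_time,
    "overlaps": lambda a, b: a.begin_time < b.begin_time < a.end_time < b.end_time,
    "during": lambda a, b: a.begin_time > b.begin_time and a.end_time < b.end_time,
    "starts": lambda a, b: a.begin_time == b.begin_time and a.end_time < b.end_time,
    "finishes": lambda a, b: a.begin_time > b.begin_time and a.end_time == b.end_time,
    "older": lambda a, b: a.begin_time < b.begin_time,
    "head-to-head": lambda a, b: a.begin_time == b.begin_time,
    "precedes": lambda a, b: a.end_time <= b.begin_time,
    "contemporary": lambda a, b: a.begin_time < b.end_time and b.begin_time < a.end_time,
    "born-before-death": lambda a, b: a.begin_time < b.end_time,
}


def relations_between(e1, e2):
    """Every relation from the table that holds for the ordered pair (e1, e2)."""
    return {name for name, holds in RELATIONS.items() if holds(e1, e2)}


def find_scan_then_attack(events):
    """Precondition/consequence correlation from the slides: a port-scan of a host by some
    source precedes (scan end <= attack begin) a later attack on that host from the same source."""
    hits = []
    for scan in (e for e in events if e.name == "portscan"):
        for attack in (e for e in events if e.name != "portscan"):
            same_pair = scan.src == attack.src and scan.dst == attack.dst
            if same_pair and "precedes" in relations_between(scan, attack):
                hits.append((scan.name, attack.name))
    return hits


# Constructed sample events (not from the talk); times are seconds since some epoch.
SCAN = Event("portscan", "10.0.0.5", "10.0.0.20", 100, 160)
EXPLOIT = Event("exploit", "10.0.0.5", "10.0.0.20", 160, 190)
FLOOD = Event("ping_flood", "10.0.0.7", "10.0.0.20", 120, 200)

if __name__ == "__main__":
    print(sorted(relations_between(SCAN, EXPLOIT)))  # born-before-death, meets, older, precedes
    print(find_scan_then_attack([SCAN, EXPLOIT, FLOOD]))  # [('portscan', 'exploit')]
```

The flood from a different source overlaps the scan but does not satisfy the same-source precondition, so attribute similarity and temporal order are both needed, as the slides argue.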
Open Source Security Information Management
• The OSSIM project combines tools like
  – snort, Spade, Ntop, mrtg …
  – to provide a global picture of the IDS
• Correlation – sequence of events
  • Create rules: if (recv event A then event B then event C) do { Action }
  – Heuristic algorithm
    • State variables
      – “c” – level of compromise, probability that the machine is compromised
      – “a” – level of attack the system is subjected to
Correlation contd..
• A value is assigned to the C or A variable for a machine on the network according to three rules:
  – Machine 1 attacks machine 2: this increases the A of machine 2 and the C of machine 1.
  – If the attack is successful, then the value of C increases for machines 1 and 2.
  – If events are internal, then C increases for the originating machine.
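The sequence rule and the three C/A update rules from the last two slides fit in a small per-host state machine. This is an added example written for this page, not OSSIM's own code: event names, the "isolate" action and the sample alert stream are constructed, and the unit increment per rule is an assumption (OSSIM's real weighting is not described here).

```python
from collections import defaultdict


class OssimStyleCorrelator:
    """Per-host C (compromise) and A (attack level) counters plus an ordered
    'if (recv A then B then C) do { Action }' rule, as described on the slides."""

    def __init__(self, sequence_rule, action):
        self.c = defaultdict(int)          # "c": level of compromise per host
        self.a = defaultdict(int)          # "a": level of attack the host is subjected to
        self.rule = tuple(sequence_rule)   # event names expected in this order on one victim host
        self.action = action               # callable invoked when the sequence completes
        self.progress = defaultdict(int)   # victim host -> number of rule steps matched so far
        self.fired = []                    # actions taken, for the test and the reader

    def observe(self, name, src, dst, successful=False, internal=False):
        if internal:
            # Rule 3: internal events raise C of the originating machine only.
            self.c[src] += 1
        else:
            # Rule 1: src attacking dst raises A of dst and C of src.
            self.a[dst] += 1
            self.c[src] += 1
            if successful:
                # Rule 2: a successful attack raises C of both machines.
                self.c[src] += 1
                self.c[dst] += 1
        # Sequence rule, tracked per victim host so unrelated hosts do not complete each other's chain.
        step = self.progress[dst]
        if step < len(self.rule) and name == self.rule[step]:
            self.progress[dst] = step + 1
            if self.progress[dst] == len(self.rule):
                self.fired.append(self.action(dst))
                self.progress[dst] = 0
        else:
            # Out-of-order event: restart, letting this event count as the first step if it is one.
            self.progress[dst] = 1 if name == self.rule[0] else 0
        return self.c[dst], self.a[dst]


# Constructed sample alert stream (not from the talk): name, src, dst, successful, internal.
SAMPLE_EVENTS = [
    ("portscan", "10.0.0.5", "10.0.0.20", False, False),
    ("exploit_attempt", "10.0.0.5", "10.0.0.20", True, False),
    ("new_admin_account", "10.0.0.20", "10.0.0.20", False, True),
]


def run(events):
    corr = OssimStyleCorrelator(("portscan", "exploit_attempt", "new_admin_account"),
                                action=lambda host: ("isolate", host))
    for ev in events:
        corr.observe(*ev)
    return corr
```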
Current Project Status
• Created a test-bed of 3 machines.
• Able to parse Snort Alerts.
• Need to correlate/fuse the alerts generated during an hour before sending to the intermediary nodes.
References
• [1] ALLEN, J. F. 1983. Maintaining Knowledge about Temporal Intervals. Commun. ACM 26, 11 (November 1983), 832–843.
• [2] FREKSA, C. 1992. Temporal reasoning based on semi-intervals. Artif. Intell. 54, 199–227.
• [3] NING, P., JAJODIA, S., and WANG, X. S. 2001. Abstraction-based intrusion detection in distributed environments. ACM Trans. Inf. Syst. Secur. (TISSEC) 4, 407–452.