Information Fusion

By

Ganesh Godavari

Outline of Talk

• Problem Definition– Attack Types

• Correlation Solutions

• OSSIM

• Work Status

Problem Definition

• Fusion of Intrusion Detection Data from Various Sensors distributed over a geographic area. Attacks events are interval based (recall Degrading Denial of Service).

• Note: Fusion is possible only if data can be correlated at both the sensor and intermediary nodes.

Possible Attack Scenarios

Syn Attack• Cause: vulnerability in some TCP/IP stack

implementations.• How does it work: The program sends an TCP

SYN packet in large number and never completing the TCP handshake. This causes a large backlog and deteriorates the performance of the machine.

• Result: Systems performance may slowdown.

Contd..

Ping Flood• Cause: vulnerability in some Operating Systems.• How does it work: An attacker can use a

scanner that pings a system to find out more information about the network, or the attacker can use a tool to send a large number of pings in an attempt to "flood" the network and create a denial of service condition.

• Result: Systems performance may slowdown.

Contd..

UDP Flood Attack• Cause: Connectionless nature of UDP protocol • How does it work: Attacker sends a UDP packet

to a random port on the victim system. On receiving a UDP packet, OS will determine which application is waiting on the destination port. If there is no application that is waiting on the port, an ICMP (destination unreachable) packet is generated of to the source address.

• Result: Systems performance may slowdown.

Correlation Techniques• Correlation of attacks

– Similarities between the event attributes• E.g. srcIP, dstIP• Cannot detect non obvious attacks (need to check

for temporal relationships!!)– Known attack Scenarios

• E.g. “gesundheit!” signature of Stacheldraht DoS tool– Preconditions and consequences of individual attack

• E.g. “port-scan is performed on a machine to check for venerable ports, before an attack is launched on the ports”

Qualitative Temporal Relationships

• Non obvious patterns among events can be represented using Temporal relationships between interval-based events.

• Listed in the next side are the twenty-four relationships between intervals and 11 relationships between semi-intervals [1] [2][3]

24 relations between EventsRelation

Inverse Relation

Meaning

e1 equal e2

equal e1.begin_time == e2.begin_time and

e1.end_time == e2.end_time

e1 before e2 after e1.end_time < e2.begin_time

e1 meets e2 inv-meets e1.end_time == e2.begin_time

e1 overlaps e2 inv-overlaps e1.begin_time < e2.begin_time and e1.end_time < e2.end_time and e1.end_time > e2.begin_time

e1 during e2 inv-during e1.begin_time > e2.begin_time and e1.end_time < e2.end_time

e1 starts e2

inv-starts

e1.begin_time == e2.begin_time and e1.end_time < e2.end_time

e1 finishes e2 inv-finishes e1.begin_time > e2.begin_time and e1.end_time == e2.end_time

e1 older (than) e2 younger (than) e1.begin_time < e2.begin_time

e1 head-to-head e2 head-to-head e1.begin_time == e2.begin_time

e1 survives e2 survived-by e1.end_time < e2.end_time

e1 tail-to-tail e2 tail-to-tail e1.end_time > e2.end_time

e1 precedes e2 succeeds e1.end_time <= e2.begin_time

e1 contemporary e2 contemporary e1.begin_time < e2.end_time and e2.begin_time < e1.end_time

e1 born-before-death e2 die-after-birth e1.begin_time < e2.end_time

Open Source Security Information Management

• OSSIM project Combines tools like– snort, Spade, Ntop, mrtg …– To provide a global picture of the IDS

• Correlation – Sequence of events

• Create rules: if (recv event A then event B then event C) do { Action }

– Heuristic Algorithm• State variable

– “c” – level of compromise, probability that the machine is compromised

– “a” – level of attack the system is subjected to

Correlation contd..

• A value is assigned to the C or A variable for a machine on the network according to three rules: – machine 1 attacks machine 2 will increase the

A of machine 2 and the C of machine 1. – If Attack is successful then value of C will

increase for machines 1 and 2. – If events are internal then C increases for the

originating machine.

Current Project Status

• Created a test-bed of 3 machines.

• Able to parse Snort Alerts.

• Need to correlate/fuse the alerts generated during an hour before sending to the intermediary nodes.

References• ALLEN, J. F. 1983. Maintaining Knowledge about Temporal Intervals. Commun.

ACM, 26, 11: 832–843, November 1983.• FREKSA, C. 1992. Temporal reasoning based on semi-intervals. Artifi. Intell. 54,

199–227.• PENG NING, SUSHIL JAJODIA and XIAOYANG SEAN WANG. 2001. Abstraction-

based intrusion detection in distributed environments. ACM Trans. on Info. and System Security (TISSEC) 4, 407 – 452.