reducing false positives in intrusion detection systems by means of frequent episodes lars olav...
TRANSCRIPT
Reducing false positives in intrusion detection systems by means of frequent episodes
Lars Olav Gigstad
Intrusion Detection
• Signatures poorly describe the attack making them trigger on benign traffic as a result.
• Processing time restrictions often leads to shortcuts.
• Writing correct signatures is a difficult task.
• Signatures triggers on rare or suspicious traffic.
• Trigger on low-level phenomenas.
Research Questions
• Can alerts effectively be correlated with frequent episodes?
• How effective is false positive reduction?
Data Gathering
• KDD Cup ’99– 5 Weeks of traffic data.– 2 attack free weeks.
• Honeynet– 3 computers
• Apache• FTP• SQL Server
– Automated attacks
System Overview
IDSAlert log
Data mining
Filter Output
Rules
Accepted Rules
Data Mining• Data preperation:
– Parse SNORT alert log– Parse BRO alert log
• Data mining:– Phase 1: Frequent episodes.– Phase 2: Remove unwanted episodes.– Phase 3: Attribute rules
• Analysis:– Present rules
Data Preperation
[**] [1:1200:10] ATTACK-RESPONSES Invalid URL [**][Classification: Attempted Information Leak] [Priority: 2] 03/01-15:28:08.918757 207.200.75.201:80 -> 172.16.117.132:6243TCP TTL:63 TOS:0x0 ID:7669 IpLen:20 DgmLen:473 DF***AP*** Seq: 0xC832EB1A Ack: 0xA5904714 Win: 0x7FE0 TcpLen: 20[Xref => http://www.microsoft.com/technet/security/bulletin/MS00-063.mspx]
Data Preperation
• Alert attributes– ID, the type of alert.– Source IP.– Destination IP.– Source port.– Destination port.– TTL, time to live.– IP, size of IP header in bytes.– Dgmlen, size of packet in bytes.– Time, time of occurrence.
Data Mining• Data preperation:
– Parse SNORT alert log– Parse BRO alert log
• Data mining:– Phase 1: Frequent Episodes.– Phase 2: Remove unwanted episodes.– Phase 3: Attribute rules
• Analysis:– Present rules
Frequent Episodes
• Events: – Single action – Alarm– System input
• Sequence of events
Frequent Episodes
• Episode: a collection of event.
• Episode Types:– Parallell– Serial– Complex
A CA
B
A
C
B
Frequent Episodes
Episode:
Subepisodes:
A B C
A B
A C
B C
Attribute Rules
• Intra-episode rules– A.SourceIP = B.SourceIP– A.DestinationIP = B.DestinationIP
• Inter-episode rules– A.DestinationPort = 80
A B
Data Mining• Data preperation:
– Parse SNORT alert log– Parse BRO alert log
• Data mining:– Phase 1: Frequent Episodes.– Phase 2: Remove unwanted episodes.– Phase 3: Attribute rules
• Analysis:– Present rules
Data Mining• Data preperation:
– Parse SNORT alert log– Parse BRO alert log
• Data mining:– Phase 1: Frequent Episodes.– Phase 2: Remove unwanted episodes.– Phase 3: Attribute rules
• Analysis:– Present rules
Rules GeneratedIF [1:1013:11]THEN [1:1012:12] conf(0.353) freq(0.006) [1:1288:10]
IF [1:1013:11] [1:1012:12]THEN [1:1288:10] conf(1.0) freq(0.006)
[1].src = [2].src = [3].src[1].dst = [2].dst = [3].dst[1].src_port = [2].src_port = [3].src_port[1].dst_port = [2].dst_port = [3].dst_port[1].ttl = [2].ttl = [3].ttl[1].dgmlen = [2].dgmlen = [3].dgmlen
[1].dst_port = 80[2].dst_port = 80[3].dst_port = 80[1].ttl = 64[2].ttl = 64[3].ttl = 64[1].src = 172.16.115.87[2].src = 172.16.115.87[3].src = 172.16.115.87[1].dst = 209.61.100.129[2].dst = 209.61.100.129[3].dst = 209.61.100.129
IF [1:1149:13]THEN [1:1149:13] conf(0.53) freq(0.007)
[1].src = [2].src[1].dst = [2].dst[1].dst_port = E[2].dst_port[1].ttl = E[2].ttl
[1].dst_port = 80[2].dst_port = 80[1].ttl = 64[2].ttl = 64
Results
Week 1 Week 4
Questions?