reducing ids false positives by clustering related alerts
DESCRIPTION
Reducing IDS False Positives by Clustering Related Alerts. Mark Heckman Promia, Inc. Davis, California. New Research. Begun in early Spring 2003 Goal: to detect multistage attacks and reduce false positives To be part of the Promia IASM security information management and analysis system - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/1.jpg)
Reducing IDS False Positives by Clustering Related Alerts
Mark HeckmanPromia, Inc.
Davis, California
![Page 2: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/2.jpg)
Promia, Inc. 2
New Research
• Begun in early Spring 2003• Goal: to detect multistage attacks
and reduce false positives• To be part of the Promia IASM
security information management and analysis system
• To be deployed in Fall 2003-Spring 2004
![Page 3: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/3.jpg)
Promia, Inc. 3
Intrusion Detection Systems
• What an IDS does:– monitors a protected system – detects “suspicious activity” – reports what it detects
• Examples: Cisco IDS (formerly NetRanger), ISS RealSecure, Snort
![Page 4: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/4.jpg)
Promia, Inc. 4
What is Suspicious Activity?
• Activity that has been previously correlated with known attacks (a.k.a. signatures)
• Sometimes, simply unusual activity (anomalies)
![Page 5: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/5.jpg)
Promia, Inc. 5
Problems with IDSs
• Lots of benign activity looks suspicious (a.k.a. false positives)
• Some real attacks don’t ( a.k.a. false negatives)
![Page 6: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/6.jpg)
Promia, Inc. 6
Why are False Positives Bad?
• Suck up security resources• Distract/confuse human analysts • Real attacks are less likely to be
detected and stopped• Ratio of false positives to true
positives may be thousandsto one
![Page 7: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/7.jpg)
Promia, Inc. 7
Why not Eliminate False Positives?
• IDSs can only detect suspicious activity• To eliminate false positives means
losing some true positives• Need human analyst to determine
what is a real attack, what is a successful attack, etc.– Humans use other tools, domain knowledge, etc.– Cannot yet automate what human analysts do
![Page 8: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/8.jpg)
Promia, Inc. 8
The Security Analyst’s Nightmare• Protecting critical computing
resources• Have Intrusion Detection Systems• But, a flood of IDS alerts
– Some alerts are true; most are false• You have limited resources• The security of the free world
depends on you. What do you do?
![Page 9: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/9.jpg)
Promia, Inc. 9
Today’s Topic
• Solutions to the false positive problem
• Focus on clustering related alerts• A simple model for determining
relatedness• Implementation using
requires/provides capabilities
![Page 10: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/10.jpg)
Promia, Inc. 10
Some Real-world Solutions
• Throw the IDS away• Put tape over the blinking red light
on the console and ignore the alerts
• Massively staff and keep up as well as you can, hoping that, as traffic grows lighter overnight, you can catch up before the next morning
![Page 11: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/11.jpg)
Promia, Inc. 11
A Better Solution
• Identify most common false alerts• Turn them off (configure IDS)• Reduce analyst’s workload
• But, may be blind to real attack!
![Page 12: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/12.jpg)
Promia, Inc. 12
The “Best” Practical Solution
• Prioritize alerts• Focus on the “most interesting”
– Dangerous (vulnerable or critical resource)
– Unusual (anomalous)– Organized (related in a pattern of
directed, intelligent activity)
![Page 13: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/13.jpg)
Promia, Inc. 13
Prioritizing Based on Vulnerability
• E.g., if you have Apache web server, ignore IIS attacks– Or ignore if old attack and you are
patched
• But, need database of versions, vulnerabilities
• May miss warnings and precursors
![Page 14: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/14.jpg)
Promia, Inc. 14
Prioritizing Based on Anomalousness• Real attacks are likely to be unusual
when compared to normal activity• But, unusual not necessarily bad
– E.g., host-based user monitors, Bro project
• Normal not necessarily good– E.g., Nimda
• Usually, no semantics– E.g., Therminator project (?)
![Page 15: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/15.jpg)
Promia, Inc. 15
Prioritizing Based on Organization
• Organized alerts more likely to be real– Organized means related in a pattern of
directed, intelligent activity – a model
• E.g., Attacks usually occur in steps– Ping sweep, port scan, exploit
• But, will miss “magic bullet” attacks• Will flag benign, directed activity
![Page 16: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/16.jpg)
Promia, Inc. 16
PROMIA
Ideally, Combine all Three Methods
• Each compensates for weaknesses of others
• E.g., Vulnerabilities and Organization give semantics that Anomalousness lacks
• Next stage in IDS development?
![Page 17: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/17.jpg)
Promia, Inc. 17
• Simple pattern: Match alerts by source and destination– Almost no semantics
• Intermediate pattern: Group alerts that are known to represent specific attacks (meta-signatures)– Will miss complex or new attacks
How to Identify Organized Alerts (1)
![Page 18: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/18.jpg)
Promia, Inc. 18
• Advanced Intermediate pattern: Use a model of attack stages, assign alerts to stages– Attack semantics– Basic predictive capability
How to Identify Organized Alerts (2)
![Page 19: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/19.jpg)
Promia, Inc. 19
How to Identify Organized Alerts (3)
• Advanced pattern: Use a model of attacker capabilities
• Each alert indicates new capabilities gained by attacker
• One attack step provides new capabilities that are required by another attack step
![Page 20: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/20.jpg)
Promia, Inc. 20
Capability Model of Attacks• Per Templeton and Levitt, 2000• Model of attacks based on abstract
concepts• A concept requires certain
capabilities, – specific information or a specific situation
that must hold for the concept to hold• A concept may, in turn, provide
capabilities to another concept
![Page 21: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/21.jpg)
Promia, Inc. 21
Concept Structure
Provides
Concept
Where
RequiresDoS SeqNum Probing Spoofed Packet Send
RSH Connection
Spoofing
Remote Execution
![Page 22: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/22.jpg)
Promia, Inc. 22
Model Pros and Cons
• It is hierarchical and abstract• Does not require a priori
knowledge of particular scenario so can describe many, previously unseen, scenarios
• But, must invent concepts – is the model ever complete?
• May not have sensors for some concepts
![Page 23: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/23.jpg)
Promia, Inc. 23
Applying Capability Model to IDSs• Want to use IDSs as sensors to
capability model• IDS alerts indicate capabilities• Concepts whose capabilities can’t be
determined through IDS alerts can’t be used (or can be used only partly)
• Some alerts might not correspond to any concepts if model is incomplete
![Page 24: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/24.jpg)
Promia, Inc. 24
A Brilliant Insight
• Signature-based IDSs constitute an implicit attack model
• Each alert description contains some idea of the requires and provides
• Each alert is a concept• Complete set of alerts (concepts) is
a “complete” model of attacks
![Page 25: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/25.jpg)
Promia, Inc. 25
Example Alert Description
• Alert: IP options-Strict Source Route
• Description: “Setting this option can allow a remote host to pose as a local host on your network. Services that rely on IP addresses as authentication may be compromised as a result.”
![Page 26: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/26.jpg)
Promia, Inc. 26
Possible Concept for this Alert
• Concept: IP options-Strict Source Route
• Requires:– Attacker knows target exists– Network path between attacker and
target– Attacker knows route to target
• Provides:– Identity Masquerade
![Page 27: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/27.jpg)
Promia, Inc. 27
OK, Maybe not so Brilliant an Insight
• An alert usually only a partial concept– E.g., example doesn’t include other
capabilities necessary for spoof to work
• Describes suspicious activity, but not certain if provides are ever true– E.g., “can allow a remote host”, or “may
be compromised”
• Hard to infer the capabilities
![Page 28: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/28.jpg)
Promia, Inc. 28
So, It’s not Perfect; Deal with it
• Even a partial concept is acceptable – use whatever capabilities are suggested– Other alerts may fill in missing capabilities
• Assume the worst case, that all the “cans” and “maybes” happen– If don’t happen, then won’t be any follow-
on alerts– May have other sensors that can tell
![Page 29: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/29.jpg)
Promia, Inc. 29
But, what about the Capabilities?
• Recipe:– Look at the hundreds of alerts over
and over again– Induce a model
• Signature writers didn’t have abstract model in mind, but it is there
![Page 30: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/30.jpg)
Promia, Inc. 30
Basis for an IDS Capability Model
• Objects– Devices, services, etc.
• Attributes (and Attack Types)– Existence (recon), Version (recon),
Function (DoS), etc.
• (Object,Attribute) -> Capability– E.g., DeviceExists, DeviceVersion,
DeviceDoS, ServiceDoS, etc.
![Page 31: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/31.jpg)
Promia, Inc. 31
Promia IDS Capability Model
• First done for Cisco IDS (network-based) - Currently, 20-25 capabilities
• Coming soon: RealSecure and Snort– RealSecure has some host-based alerts
and so will require new capabilities
• Will add OS logs, firewalls, and other sensors
![Page 32: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/32.jpg)
Promia, Inc. 32
An Early Prototype
![Page 33: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/33.jpg)
Promia, Inc. 33
A Cluster of Related Alerts
![Page 34: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/34.jpg)
Promia, Inc. 34
Hypothesized Concepts
![Page 35: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/35.jpg)
Promia, Inc. 35
Problem with Managing Alerts
• In a busy installation, may have thousands of alerts every hour
• A real attack, however, may manifest itself over many hours or days
• But, r/p system has limited memory and other resources, so can’t keep all the alerts around for potential clustering
![Page 36: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/36.jpg)
Promia, Inc. 36
Solutions to Managing Alerts Problem• Aggregate identical or similar alerts
– Keep counts; throw away the duplicates• Use anomaly values to determine
how long to keep an alert around– Real attacks more likely to be unusual
• Run r/p clustering batch on archived data– E.g., slice based on target IP
![Page 37: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/37.jpg)
Promia, Inc. 37
Lessons Learned So Far
• Using IDS alerts as concepts, it is hard to come up with good, complete set of capabilities
• Hard to consistently apply capabilities to alerts/concepts– Need standard key/guide
• But, better than starting from scratch
![Page 38: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/38.jpg)
Promia, Inc. 38
Things I Didn’t Talk About, but Someone Else is Working on Them
• A formal model of how to link alerts using requires/provides capabilities– Cuppens and Miege, 2002
• How to make analytical use of the alert clusters– Peng Ning, et. al., 2001
![Page 39: Reducing IDS False Positives by Clustering Related Alerts](https://reader035.vdocuments.us/reader035/viewer/2022070413/56814d19550346895dba51ed/html5/thumbnails/39.jpg)
Promia, Inc. 39
Contact Info
Mark HeckmanPromia, Inc.1490 Drew Ave., Ste. 180Davis, CA 95616
530-756-2598 (temporary)[email protected]