ALGEBRA FOR CAPABILITY BASED ATTACK CORRELATION, WISTP 2008

Upload: adrian-lucas

Post on 13-Dec-2015


TRANSCRIPT

Page 1: ALGEBRA FOR CAPABILITY BASED ATTACK CORRELATION (WISTP 2008)

Page 2:

OUTLINE

Introduction
Capability Model
Algebraic structures of the Capability model
Alert correlation using the Capability model
Conclusion

Page 3:

INTRODUCTION

Increasing security concern: more sensitive data is stored than before

Increasing use of sophisticated attack tools and their automation (CERT's Overview of Attack Trends, 04-18-02)

IDS: the most used security and surveillance monitoring tool for the network infrastructure

Page 4:

INTRODUCTION

Attack correlation techniques, by reasoning type and mode of knowledge acquisition

Manual knowledge acquisition:
Rules-based: Prolog tools, SEC, ASAX
Attack scenarios-based: LAMBDA (MIRADOR project), AdeLe, JIGSAW, Hyper-alerts
Uncertainty: Fuzzy logic techniques, Possibilistic models, Dempster-Shafer theory
Temporal: Chronicles
Neural networks-based: Feed-forward networks (BP-based algorithms), Self-Organizing Maps
Bayesian-belief: CIDS, EMERALD e-Bayes
Others: STAT, M2D2, IMPACT, M-Correlator (EMERALD)

Automatic knowledge acquisition:
Clustering techniques; Data mining (association rules, etc.); Log Weaver; SPICE

Source: Pouget, Fabien, and Marc Dacier. Alert correlation: Review of the state of the art. Technical Report EURECOM+1271, Institute Eurecom, France, Dec 2003.

Page 5:

DRAWBACKS

State-based approaches cannot handle missing alerts

Intermediate redundant steps

Attack variants

Page 6:

EXAMPLE

Attack correlation using system state:
Establish connection → Buffer overflow → Password file modified

Capability-based:
Can access a host → Have credential to use a service → Have root privilege

Zhou et al., Modeling Network Intrusion Detection Alerts for Correlation, ACM Transactions on Information and System Security, Vol. 10, No. 1, Article 4, February 2007.

Page 7:

RELATED WORK

Logical connections among alerts in an intrusion incident? The Requires/Provides model (JIGSAW, Templeton and Levitt, 2000)

A systematic model to precisely define the logical relationship? The Capability model (Jingmin Zhou et al., Feb 2007)

To make a mature capability model we need to know the basic characteristics of a capability in the context of attack correlation; this needs identification of its algebraic properties

Page 8:

CAPABILITY MODEL

Alerts yield capabilities; the attacker accumulates a capability set

A capability is a 6-tuple: source, destination, credential, action, service & property, time

"From the source to the destination, (the attacker) can perform the action with the credential (on the property) of the service within a time interval"

Page 9:

Attributes (value hierarchy, with examples)

Service: ..., File Management, Database Management
Property (of File Management): ..., Path, Permission
Interval: ..., From, Between
Action: ..., Read, Block (block, delay, spoof, pause, abort, unblock)
Credential: ..., Updaters, Administrator (root, navneet)

Page 10:

ACTION TYPE

Action type: action values
Read: read, list, know
Write: create, modify, append, delete
Communicate: send, recv, connect, encrypt, decrypt
Exec: invoke, exec
Block: block (not permitted to run), delay (slow down), spoof (can replace), pause (can be stopped at any time), abort (forcefully terminate), unblock

Page 11:

DIRECT & INDIRECT CAPABILITY

Figure: Intruder and External User on the INTERNET; Router and Firewall in front of a DMZ (Web Server, Mail Server, DNS Server) and the LAN

Page 12:

Direct and Indirect Capability (figure branches: Success, Failure)

Direct capability (on success):
• Know file exists
• Can open file

Indirect capability:
• Can use credit card
• Can send fake mail
• Can masquerade as benign user, etc.

Page 13:

WHY TIME NOTION

Attacker A can read any file on machine M from his machine H using credential labUser
Capability: { source-H, destination-M, labUser, read, (file(all), content) }, with an unbounded validation period

User U has opened his email account between 10 AM and 11 AM
Capability: { source-H, destination-M, labUser, read, (file(email), content) }, with a bounded validation period, i.e. [10AM-11AM]
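The bounded and unbounded validation periods above, as an added Python example (illustration for this transcript, not code from the slides). It parses the interval notation the later slides use for the time attribute, "at:<iso>", "From:<iso>" and "Between:<iso>[+1H]", into a window and checks whether one capability's window lies inside another's, which is the time condition for two capabilities being comparable. The H/M/D duration units, the treatment of naive stamps as UTC and the sample stamps are assumptions made here.

```python
# Added illustration of the slides' interval attribute; not the authors' code.
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

UNBOUNDED = None  # stands in for "no end": an unbounded validation period

_DUR = re.compile(r"\[\+(\d+)([HMD])\]$")            # "[+1H]" style duration suffix
_UNIT = {"H": "hours", "M": "minutes", "D": "days"}   # ASSUMPTION: H/M/D suffixes only

def parse_interval(text: str) -> Tuple[datetime, Optional[datetime]]:
    """Return (start, end); end is UNBOUNDED for an open-ended validation period."""
    kind, _, rest = text.partition(":")            # "Between:1997-07-16T19:20:30+01:00[+1H]"
    kind = kind.lower()
    m = _DUR.search(rest)
    stamp = datetime.fromisoformat(rest[:m.start()] if m else rest)
    if stamp.tzinfo is None:                       # ASSUMPTION: naive stamps are UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    if kind == "at":                               # instantaneous: zero-length window
        return stamp, stamp
    if kind == "from":                             # open-ended from the stamp onward
        return stamp, UNBOUNDED
    if kind == "between":
        if not m:
            raise ValueError("Between needs a duration, e.g. Between:<iso>[+1H]")
        return stamp, stamp + timedelta(**{_UNIT[m.group(2)]: int(m.group(1))})
    raise ValueError(f"unknown interval kind {kind!r}")

def within(inner: str, outer: str) -> bool:
    """True when the window of `inner` lies inside the window of `outer`; this is
    the time-interval condition for two capabilities to be comparable."""
    s1, e1 = parse_interval(inner)
    s2, e2 = parse_interval(outer)
    if s1 < s2:
        return False
    if e2 is UNBOUNDED:
        return True
    return e1 is not UNBOUNDED and e1 <= e2

if __name__ == "__main__":
    # Constructed stamps written in the slides' own notation.
    print(parse_interval("Between:1997-07-16T19:20:30+01:00[+1H]"))
    print(within("at:1997-07-16T19:50:00+01:00",
                 "Between:1997-07-16T19:20:30+01:00[+1H]"))
```

A capability with an unbounded period ("From:") never fits inside a bounded one, while a bounded capability fits inside an unbounded one that started no later; the comparison is done on timezone-aware datetimes, so stamps with different UTC offsets compare correctly.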

Page 14:

Algebraic structures

Relations: Overlapped, Mutually Exclusive, Independent
Operations: Join, Split, Reduce, Subtract
Inference: Comparable Inference, Resultant Inference, Compromise Inference, External Inference

Page 15:

OPERATIONS

Page 16:

JOIN

(IP:10.20.5.2, IP:10.20.1.1, root, send, IIS, ftp, Time)
(IP:10.20.5.2, IP:10.20.1.1, root, receive, IIS, ftp, Time)
join → (IP:10.20.5.2, IP:10.20.1.1, root, communicate, IIS, ftp, Time)

Page 17:

JOIN

Page 18:

SPLIT

(IP:10.20.5.2, IP:10.20.1.1, root, read and write, /etc/password, content, Tmp)
split → (IP:10.20.5.2, IP:10.20.1.1, root, read, /etc/password, content, Tmp)
        (IP:10.20.5.2, IP:10.20.1.1, root, write, /etc/password, content, Tmp)

Page 19:

REDUCE

Reduce (figure: C2, C1)

Example:
Cap1 = (SLab, Dlab, W, /home/Bob/xyz, content, root, Between:1997-07-16T19:20:30+01:00[+1H])
Cap2 = (SLab, Dlab, W, /home/Bob/xyz, content, Bob, Between:1997-07-16T19:20:30+01:00[+1H])

Page 20:

SUBTRACT

Page 21:

Algebra (algebraic structures, recap)

Relations: Overlapped, Mutually Exclusive, Independent
Operations: Join, Split, Reduce, Subtract
Inference: Comparable Inference, Resultant Inference, Compromise Inference, External Inference

Page 22:

CAPABILITY RELATION

Containment, Overlapped vs Independent, Mutually Exclusive

Figure: C1 inside C2 (containment); C1 and C2 partly overlapping (overlapped); C1 and C2 disjoint (independent)

Page 23:

Algebra (algebraic structures, recap)

Relations: Overlapped, Mutually Exclusive, Independent
Operations: Join, Split, Reduce, Subtract
Inference: Comparable Inference, Resultant Inference, Compromise Inference, External Inference

Page 24:

COMPARABLE

Two capabilities are comparable if they have
the same value of source, destination and action,
the same type of service and property,
and lie within the same time interval.

Example:
C1 = (pushpa, dblab, read, /etc/passwd, content, user1, at:1997-07-16T19:20:30+01:00)
C2 = (pushpa, dblab, read, All files, content, user1, at:1997-07-16T19:20:30+01:00)

Page 25:

COMPARABLE INFERENCE

One capability can be logically inferred from another capability.

C1 = (src, dst, read, /etc/passwd, content, user1, t1)
C2 = (src, dst, read, All files, content, user1, t2)
C1 can be logically inferred from C2 if t1 and t2 belong to the same time window.

C3 = (src, dst, know, All accounts, name, user1, t1)
C4 = (src, dst, read, /etc/passwd, content, user1, t2)
C3 can be logically inferred from C4 if t1 and t2 belong to the same time window.

Page 26:

EXTERNAL INFERENCE

If C1 and C2 are two capabilities such that
c2.dest = c1.source, and
C2 gives the capability to run an arbitrary program (on c2.dest),
then C1 is externally inferred from C2: the attacker can exercise C1 from c2.source.

Page 27:

CAPABILITY MODEL BASED CORRELATION

Page 28:

CORRELATING ALERT USING MODIFIED CAPABILITY MODEL

H-alert
M-attack
Correlation algorithm

Page 29:

H-ALERT

IDS alert → H-alert with fields Require (capset), Provide (capset) and Raw (• Time • Direction ...)
H-alerts i1, ... collected in an haset → M-attack, Timestamp [2007-12-06T18:13:30+05:30]

Page 30:

CORRELATION ALGORITHM
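The algebra of the preceding slides (join, split and reduce from pages 16 to 19; comparable and external inference from pages 24 to 26) and the requires/provides correlation of H-alerts into M-attacks sketched on pages 28 to 30, carried through in one added Python example. This is illustration code written for this transcript, not the authors' implementation, and the slides give no algorithm listing to reproduce. Assumptions made here: the field names of the tuple, the wildcard "*" standing for "All files", the rule that the root credential dominates every other credential, the single semantic rule in RULES (the read /etc/passwd to know All accounts inference of page 25), the choice that join collapses actions of one type to the type name, and the constructed three-alert incident in the demo.

```python
# Added illustration of the capability algebra on these slides, not the authors' code.
# Assumptions: field names, the "*" wildcard, "root" dominating every credential,
# the single semantic rule in RULES, and the constructed alerts in the demo.
import math
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

# Action-type table from the ACTION TYPE slide; type names double as coarse actions.
ACTION_TYPE = {**dict.fromkeys(["read", "list", "know"], "Read"),
               **dict.fromkeys(["create", "modify", "append", "delete"], "Write"),
               **dict.fromkeys(["send", "recv", "connect", "encrypt", "decrypt"], "Communicate"),
               **dict.fromkeys(["invoke", "exec"], "Exec"),
               **dict.fromkeys(["block", "delay", "spoof", "pause", "abort", "unblock"], "Block")}
for _t in set(ACTION_TYPE.values()):
    ACTION_TYPE[_t.lower()] = _t            # "communicate", "write", ... as actions
ANY = "*"                                   # wildcard service/property ("All files")

@dataclass(frozen=True)
class Cap:
    """Capability tuple: source, destination, action set, service & property, credential, interval."""
    src: str; dst: str; actions: FrozenSet[str]; service: str; prop: str; cred: str
    start: float = -math.inf; end: float = math.inf   # default: unbounded validation period

def cap(src, dst, action, service, prop, cred, start=-math.inf, end=math.inf) -> Cap:
    """Build a Cap; "read and write" becomes the action set {read, write}."""
    return Cap(src, dst, frozenset(action.split(" and ")), service, prop, cred, start, end)

def _cred_dominates(a: str, b: str) -> bool:
    return a == b or a == "root"            # ASSUMPTION: root subsumes every credential

def contains(c1: Cap, c2: Cap) -> bool:
    """Containment relation: c1 grants everything c2 grants, within c1's window."""
    return (c1.src == c2.src and c1.dst == c2.dst and c2.actions <= c1.actions
            and c1.service in (ANY, c2.service) and c1.prop in (ANY, c2.prop)
            and _cred_dominates(c1.cred, c2.cred)
            and c1.start <= c2.start and c2.end <= c1.end)

def join(c1: Cap, c2: Cap) -> Cap:
    """Join: identical non-action attributes -> union of actions; a union that lies
    in one action type collapses to that type (send + recv -> communicate)."""
    rest = lambda c: (c.src, c.dst, c.service, c.prop, c.cred, c.start, c.end)
    if rest(c1) != rest(c2):
        raise ValueError("join needs identical non-action attributes")
    acts = c1.actions | c2.actions
    types = {ACTION_TYPE[a] for a in acts}
    return replace(c1, actions=frozenset({types.pop().lower()}) if len(types) == 1 else acts)

def split(c: Cap) -> List[Cap]:
    """Split: one capability per action value (read and write -> read, write)."""
    return [replace(c, actions=frozenset({a})) for a in sorted(c.actions)]

def reduce_caps(caps: List[Cap]) -> List[Cap]:
    """Reduce: drop each capability that another member of the set already contains."""
    return [c for i, c in enumerate(caps)
            if not any(j != i and contains(o, c) for j, o in enumerate(caps))]

# Semantic rule for comparable inference: holding the left triple implies the right one.
RULES = [(("read", "/etc/passwd", "content"), ("know", "All accounts", "name"))]

def infers(held: Cap, wanted: Cap) -> bool:
    """Comparable inference: wanted follows from held by containment, or by a RULE
    between the same endpoints and credential inside held's time window."""
    if contains(held, wanted):
        return True
    for (a, s, p), (a2, s2, p2) in RULES:
        if (a in held.actions and (held.service, held.prop) == (s, p)
                and wanted.actions == {a2} and (wanted.service, wanted.prop) == (s2, p2)
                and (held.src, held.dst) == (wanted.src, wanted.dst)
                and _cred_dominates(held.cred, wanted.cred)
                and held.start <= wanted.start and wanted.end <= held.end):
            return True
    return False

def external(c2: Cap, c1: Cap) -> Optional[Cap]:
    """External inference: c2.dst == c1.src and c2 lets the attacker run arbitrary
    programs there, so c1 becomes exercisable from c2.src (windows intersected)."""
    if c2.dst == c1.src and c2.actions & {"exec", "invoke"}:
        return replace(c1, src=c2.src, start=max(c1.start, c2.start), end=min(c1.end, c2.end))
    return None

@dataclass(frozen=True)
class HAlert:
    id: str; time: float; requires: Tuple[Cap, ...]; provides: Tuple[Cap, ...]

def correlate(alerts: List[HAlert]) -> List[Tuple[str, List[str], bool]]:
    """Requires/provides correlation: for each H-alert in time order, find the earlier
    alerts whose provided capabilities infer what it requires. Returns (alert id,
    preparing alert ids, all requirements met); an unmet alert heads a new M-attack."""
    pool: List[Tuple[str, Cap]] = []        # attacker's capability set, tagged by alert id
    out = []
    for h in sorted(alerts, key=lambda a: a.time):
        met = [[aid for aid, have in pool if infers(have, need)] for need in h.requires]
        out.append((h.id, sorted({aid for ids in met for aid in ids}), all(met)))
        pool.extend((h.id, c) for c in h.provides)
    return out

if __name__ == "__main__":                  # constructed three-step incident
    a1 = HAlert("a1", 1.0, (), (cap("A", "H", "exec", "shell", ANY, "labUser"),))
    a2 = HAlert("a2", 2.0, (cap("A", "H", "exec", "shell", ANY, "labUser"),),
                (cap("H", "M", "read", "/etc/passwd", "content", "labUser"),))
    a3 = HAlert("a3", 3.0, (cap("H", "M", "know", "All accounts", "name", "labUser"),), ())
    print(correlate([a3, a1, a2]))
```

Because correlation is decided on what the attacker can do rather than on which alert preceded which, an alert whose prerequisite capability was provided by an unseen step simply heads a new M-attack instead of breaking the chain, which is the point made against state-based correlation on page 5. Reduce keeps the pool small (the root capability of the page 19 example absorbs Bob's), and splitting compound actions means matching a requirement needs only the direct containment test, at the cost of more comparisons, as page 32 notes.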

Page 32:

PROS

Join
Benefit: minimizes the number of comparisons
Pitfall: costly, because it is recursive

Split
Benefit: only direct inference is needed while correlating
Pitfall: redundancy; unnecessary splits increase the number of comparisons

Page 33:

ALTERNATE WAYS

Way 1: only join
Way 2: only split
Way 3: both join and split

Page 34:

CONCLUSION

Defined a modified capability model and the logical associations between capabilities.

Added a semantic notion to avoid false correlation.

Identified and defined relations between capabilities and derived inference rules, along with their semantics, that have been used in correlation.

Page 35:

FUTURE WORK

Develop a language for the whole framework

Optimize the other algorithms to achieve better performance

Optimize the algorithm of the join operation and use it in the alternate correlation algorithms given above; this would help make the whole system real-time with a low false rate

Model the defence capability of the security administrator

Page 36:

THANK YOU

Page 37:

QUESTION?
