application-integrated data collection for security monitoring...used webload from radview software...
TRANSCRIPT
![Page 1: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/1.jpg)
Application-IntegratedData Collectionfor Security Monitoring
Magnus Almgren and Ulf LindqvistSystem Design Lab, SRI International
The work described here was funded by DARPA under contract number F30602-99-C-0149 and F30602-98-C-0059. The views herein are those of the authors and do not necessarily reflect the views of the supporting agency.
![Page 2: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/2.jpg)
2
IntroductionHow many network IDSs can detect this?
How many network IDSs can detect this?
![Page 3: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/3.jpg)
3
Outline Part OneTraditional NIDS and HIDSHost-located data collectionApplication-integrated moduleProof-of-concept implementationImplementation architecture and data flow
Part Two
![Page 4: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/4.jpg)
4
Traditional Network IDSProblem areas:
Encrypted trafficEvasion tricksNetwork speedSession/transaction reconstruction and statefulnessTimely preemption difficult
Advantages:Passive, non-invasiveHiddenCan monitor multiple hosts from one location
![Page 5: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/5.jpg)
5
Traditional Host IDSData sources
Audit data – useful, but limited insight into application dataApplication/system log files – limited content, disk space management
Usually, data produced after the factBlind to most network-level attacks
![Page 6: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/6.jpg)
6
Host-located Real-time Event Data Collection on Multiple Levels
Application-integrated IDSApplication
OS IDS analyzing audit trail (system calls)
Network Network IDS (located on network or host)
Security violations manifest themselves differently on different levelsThe data sources are complementary
![Page 7: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/7.jpg)
7
Application-integrated ModuleAdvantages
Unencrypted informationIndependent of network speedDetailed information availableTrue session and transaction decoding and reconstructionOpportunity for preemptive capability
DisadvantagesTailored for a specific applicationInvasive: Could impact application performance and stability
Complements data collection on other levels
![Page 8: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/8.jpg)
8
Proof-of-concept: One type of application
Web serverWeb is a popular, ubiquitous serviceAllowed through most firewallsExisting EMERALD analysis engine for HTTP Many Web servers allow custom extensions
Apache Web serverApache ~60% of market according to NetcraftOpen-source, well-documented module interface
![Page 9: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/9.jpg)
9
Host
Web server
Implementation Architecture and Data Flow
1. The Web server receives a request
2. Module produces transaction data
3. Message is sent to eXpert-HTTP
4. eXpert-HTTP performs analysiseXpert-HTTP
Datacollectionmodule
EMERALDlibraries
Transaction recordsas EMERALD messages
Alerts
![Page 10: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/10.jpg)
10
Outline Part TwoInside the Apache ServerPerformance evaluationEvasion techniquesProblems with this approachFuture workRelated approachesConclusions
![Page 11: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/11.jpg)
11
Inside the Apache ServerApache uses a request loop Hooks are available in all phases of the loopOur module is hooked to the logging phase
Currently no feedback from analysis unitPassive data collection
[Stein 1999]
![Page 12: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/12.jpg)
12
Performance Experiment SetupGoal: Measure impact on user experienceUsed WebLoad from RadView Software
Set up to request a single URL repeatedlyMeasured transaction round-trip timeEach run was 60 minutes with 10 virtual clients on a single physical host
Static page: text and one imageDynamic page: CGI program
![Page 13: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/13.jpg)
13
Performance Results: Static Page50 KB text + 12 KB JPEG
0.0590.057std dev1.5%1.5211.499average2.1%1.5171.486medianImpactW/ IDSNo IDSRound-trip (s)
![Page 14: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/14.jpg)
14
Performance Results: Dynamic PageExecution of a CGI program
0.0480.034std dev3.6%1.2381.195average3.1%1.2291.192medianImpactW/ IDSNo IDSRound-trip (s)
![Page 15: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/15.jpg)
15
Evasion TechniquesUsing lower protocol levels [Ptacek and Newsham]
Crafting ambiguous HTTP request
1. GET /cgi-bin/phf
2. GET /%00cgi-bin/phf
3. GET / HTTP 1.1Host: victimContent-Length: 3
123GET /cgi-bin/phf
The evasion techniques work because Web servers and NIDS decode them differently
Tab
![Page 16: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/16.jpg)
16
Problems1) Invasive
Because the module must run within the server application, it could impact stabilityTesting is difficult
Server applications typically do not run from batch inputForced to use scripts rather than data files
2) Application-specificA module must be written specifically for every application you want to monitorEvery application has its own interface (or none) for customized moduleBut: For many services, only a few major brands
![Page 17: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/17.jpg)
17
Future WorkOther Web server brands
iPlanet – prototype ready
Other servicesFTPSMTP (sendmail)Remote access (telnet, rlogin)Databases
Great potential for improved analysis
In many cases, knows how the request was serviced (e g document or CGI program)Could detect evasion attemptsKnows the exact local filename request refers toCheck expected control flow of program
![Page 18: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/18.jpg)
18
Preemption: Two-tiered approachProblem:
Complete analysis in module ⇒ performance hitAnalysis on separate host ⇒ excludes preemption
Solution: Two-tier analysisModule contains simple (fast) analysis engine: hash of suspicious source/CGI programeXpert-HTTP performs complete (slower) analysis and keeps a global stateeXpert updates the module’s (simple) knowledgeThree options for server module: serve request, deny request, or wait for further analysis
![Page 19: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/19.jpg)
19
Per-request GranularitySingle requests can be stopped or delayed (awaiting analysis)Select requests for analysis depending on the type (static, dynamic, directory)Compare with a packet-filtering firewall
IP address/port granularityCan only block, not delay
![Page 20: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/20.jpg)
20
Related Approachesmod_id by Burak Dayioglu (www.dayioglu.net)
Performs simple CGI name matching inside module (development discontinued)
TripWire for Web pagesLimited to stopping altered content from being served (MD5 checksums)
Interfacing Trusted Applications with Intrusion Detection Systems Marc Welz and Andrew Hutchison, RAID 2001
![Page 21: Application-Integrated Data Collection for Security Monitoring...Used WebLoad from RadView Software Set up to request a single URL repeatedly Measured transaction round-trip time Each](https://reader036.vdocuments.net/reader036/viewer/2022071117/60020625a4a8e6136777da47/html5/thumbnails/21.jpg)
21
ConclusionsApplication-integrated data collection for IDS complements data from other levels and locationsAddresses the three most severe problems NIDS are currently facing:
EncryptionEvasionNetwork speed
Prototype integrated with Apache and with EMERALD infrastructure and analysis engine