network traffic analysis optimization for signature-based intrusion detection systems dmitry s....
TRANSCRIPT
NETWORK TRAFFIC ANALYSIS OPTIMIZATION FOR SIGNATURE-BASED INTRUSION DETECTION SYSTEMS
Dmitry S. Kazachkin
student, Computational systems lab at CMC MSU
Dennis Y. Gamayunov
scientific advisor, PhD, Computational systems lab at CMC MSU
INTRODUCTION
High-performance traffic analysis at gigabit channels
Optimization of a given signature set matching
Packet – the unit of analysis
Operations number minimization for a single packet
SIGNATURE FORMAL DEFINITION (1)
Packet – pair {H, P}
Header (H) – {H1,H2,...,Hn}, Hi belongs to finite space
Payload (P) – text line of unrestricted length
State vector (C) – {С1,С2,...,Сk}, Ci belongs to finite space
SIGNATURE FORMAL DEFINITION (2)
Header condition – logical predicate; Hi – arguments
Payload condition – set of functions: CondPi(P,C) — logical predicate; payload and
state vector are arguments Effectsi = {Effecti,j(P,C)} — represents side effect
on variable Сi, performed on CondPi(P,C) success
Reaction – element of event classes finite set
SIGNATURE FORMAL DEFINITION (3)
Signature – triplet <SH,SP,R>, where SH – set of header conditions SP – ordered set of payload conditions R – reaction.
RES(<SH,SP,R>,H,P,C): {R}, if all the header conditions return ‘true’ and
all the payload conditions successfully evaluate consecutive.
, else
SNORT SIGNATURESSTRUCTURE
Action – action performed on rule activation (usually, ‘alert’)
Header – context-independent conditions on packet header
Options – context-dependent conditions on packet payload
Info – rule info and message, generated at rule activation
alert tcp any:80 -> any:any (content:”qwerty”; msg:”Panic”)
action header options info
SNORT SIGNATURES FORMALIZATION (1)
Header H1 — protocol type (TCP / UDP / ICMP / other IP)
H2 and H3 — IP and port of packet source
H4 — packet direction (from server/to server)
H5 and H6 — IP and port of packet destination
Payload – packet payload byte string
State vector – C = {C1}, C1 – position of text marker
alert tcp any:80 -> any:any (content:”qwerty”; msg:”Panic”)
action header options info
SNORT SIGNATURES FORMALIZATION (2)
CondHk(H) – logical expression, operating {Hi} only
<CondPk(P,C), Effectk(P,C)> – pair of functions representing pattern matching performed after marker
Reaction – finite set of identifiers, which represent action and info sections
alert tcp any:80 -> any:any (content:”qwerty”; msg:”Panic”)
action header options info
R-LANG LANGUAGEFORMAL SIDE
Automaton - (K, PS, T, PT, s0, I, g q) S – states set; PS – state predicates set; T – transitions set; PT – transition conditions set;
s0 – initial state; I – automaton exemplars set; g – global environment; q – global timer queue
automaton exemplar – series of slices NK x L x Q x E NK – current state; L – local environment; Q – local timer queue; E – local events queue
R-LANG LANGUAGEDECLARATIVE SIDE
Scenario Events subscription Variables declaration – scenario fields Functions declaration – scenario methods States declaration
One is marked as initial Transitions declaration
Transition type – consuming/nonconsuming/unwinding
Condition – logical function Body – code block
SIGNATURE CONVERSIONTO R-LANG (1)
S.T. Eckmann, "Translating Snort rules to STATL scenarios“
Typified events on every packet SrcIP, SrcPort, Direction, DstIP, DstPort Payload
Scenario field variable Current
Header conditions – logical expressions on {Hi}
Payload conditions – boolean function calls, with side-effect on Current
Reactions – alert sending code blocks
SIGNATURE CONVERSIONTO R-LANG (2)scenario sc(<event corresponding to packet type> ev)
{
<Secondary variables definition>
initial state st0;
consuming transition st0->st0
event <event corresponding to packet type> (
<Header condition 1> && … && <Header condition N>
) {
<Restoring state vector>
if(<Payload condition 1>)
…
if(<Payload condition M>)
<Reaction>;
}
};
HEADER-BASED OPTIMIZATION (1) Conditions alternative — a set of pairs <SPi,Ri>, where
SPi – ordered set of payload conditions
Ri — reaction
Alternative-containing signature – a pair <SH, SA>, where SH — set header conditions SA — condition alternative.
Set of signatures with the same header are converted to alternative-containing signature this way:
Alternative-containing signature evaluation result is defined as:
HEADER-BASED OPTIMIZATION (2) R-lang transition body of the alternative-containing
signature model: <Restoring state vector>
if(<Series of payload conditions 1>) <Reaction 1>;
<Restoring state vector>
if(<Series of payload conditions 2>) <Reaction 2>;
…
<Restoring state vector>
if(<Series of payload conditions N>) <Reaction N>;
We get the same RES set with less operation by grouping signatures with the same header conditions set.
519 different header condition sets for Snort base of 6372 signatures grants a good performance speed-up
HEADER-BASED OPTIMIZATION (3)
Tree-style order provides even more economy.
consuming transition st0->st0
event <event corresponding to packet type>(true){
if(<Header condition 1>) {
if(<Header condition 2>)
<predicate alternative for header granted by 1,2>
if(<Header condition 3>)
if(<Header condition 4>)
<predicate alternative for header granted by 1,3,4>
}
}
Snort analysis engine use that header optimization only, that does not allow achieving further speed-up on a fixed signature set.
PREDICATE TREE Fact: Condition chains contained in conditions
alternative can have the same beginnings.
Predicate tree ST – tree: the edges are marked with a payload condition the nodes are marked with a reaction set, possibly empty the leafs are marked with non-empty reaction sets
A B
A C DC
A
{R1}
{R2}
{R3}
A B
C DC
{R1}
{R2}
{R3}
PREDICATE TREE EVALUATION Predicate tree evaluation
recursive traversal of tree from root node conditions control sub-trees evaluation reaction performing if current node is marked context restoration after sub-tree evaluation
RES(ST, P,C) – {all the reaction achieved}
Statement: Let predicate tree ST is converted from condition alternative SA. Then
RES(ST,P,C)=RES(SA,P,C).
ADDITIONAL OPTIMIZATIONS
Synonymic bunch – set of leafs: the same {R} the same edges parent
PCRE union Aho-Corasick algorithm
{R}
{R}
{R}
A2
An … {R}
B
A1
STATIC RESULT ANALYSIS
Tree profit = edges number in the tree - total number of payload conditions
Relational tree profit = tree profit / total number of payload conditions
For 2 signature groups (Samba): ~2000 signatures tree profit > 11000 relational tree profit > 80%
Overall relational tree profit ~62%. 40 pairs of identical signatures
DYNAMIC RESULT ANALYSIS N seconds of flood with legal packets, a bad packet after
them
Test 1 – legal traffic is ignored by most rules FTP “HELP” command
Test 2 – legal traffic is checked by lots of rules specially constructed HTTP request
Seconds of alert delay
Before Optimization After optimization
Test 1, 5 seconds 123 10
Test 1, 20 seconds 391 24
Test 2, 5 seconds 103 37
Test 2, 20 seconds 203 133
CONCLUSION
Proposed methods provides significant speed-up of packet analysis at experimental IDS.
Though speed-up is significant, it is still not enough. There is a need for other optimizations, e.g. parallel signature matching.
REFERENCES
1. Snort IDS, http://www.snort.org
2. S.T. Eckmann, "Translating Snort rules to STATL scenarios" presented at the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), Davis, CA, October 2001, LNCS 2212, pp. 69-84.
3. M. Norton, "Optimizing Pattern Matching for Intrusion Detection," white paper, Sourcefire Inc., 2004 [Online] Avaliable: http:// docs.idsresearch.org/OptimizingPatternMatching/ForIDS.pdf.
4. D.U. Gamayunov, “Network objects behavior analysis for detecting computer attacks” PhD thesis, Faculty of Computational Math and Cybernetics, Moscow State University, Moscow, 2007.
5. S.T. Eckmann, G. Vigna, and R. A. Kemmerer. “STATL: An Attack Language for State-based Intrusion Detection” Dept. of Computer Science, University of California, Santa Barbara, 2000.
6. G. Vigna, R. Kemmerer, "NetSTAT: A Network-based Intrusion Detection Approach." Proceedings of the 14th Annual Computer Security Application Conference, Scottsdale, Arizona, December 1998.
7. M. Roesch. "Writing Snort Rules: How To write Snort rules and keep your sanity" [Online] Avaliable: http://www.snort.org.
Thank you for attention