Towards Automating Intrusion Alert Analysis
Computer Science
Towards Automating Intrusion Alert Analysis
Peng Ning, Yun Cui, Douglas S. Reeves, and Dingbang Xu
Cyber Defense Laboratory
Department of Computer Science
North Carolina State University
Background
• Traditional intrusion detection systems (IDS)
 – Focus on low-level attacks or anomalies
 – Actual alerts are mixed with false alerts
 – Intensive intrusions produce an unmanageable amount of alerts
• It’s necessary to develop automatic tools to construct attack scenarios and facilitate intrusion analysis.
Related Research
• Exploit similarities between alert attributes
 – Ex.: Valdes and Skinner (2001), Staniford et al. (2000)
• Exploit known attack scenarios
 – Ex.: Cuppens and Ortalo (2000), Dain and Cunningham (2001), Debar and Wespi (2001)
• Use pre- and post-conditions of attacks
 – JIGSAW by Templeton and Levitt (2000)
   • Cannot deal with missing detections and failed attacks
   • Our initial work is an extension to JIGSAW
 – MIRADOR approach by Cuppens and Miege (2002)
   • Developed independently and in parallel to our work
 – Our work (2002, 2003)
• Others
 – M2D2 by Morin et al. (2002), Mission-Impact by Porras et al. (2002)
Outline
• Construct attack scenarios from intrusion alerts via correlation
 – Correlation based on prerequisites and consequences of attacks
• Analyze intensive alerts
• Extract attack strategies from correlated alerts
Correlation Based on Prerequisites and Consequences of Attacks
• Goal
 – Construct high-level attack scenarios from low-level alerts
Correlation Based on Prerequisites and Consequences of Attacks (Cont’d)
• Basic Idea
 – Hyper-alert types: encode our knowledge about each type of attack
   • Prerequisites and consequences
 – Reason about hyper-alerts based on that knowledge
Example hyper-alert type: SadmindBufferOverflow
 Prerequisite: ExistHost(VictimIP) ^ VulnerableSadmind(VictimIP)
 Consequence: {GainAccess(VictimIP)}
 Alert attributes: {VictimIP, VictimPort}
Correlation Based on Prerequisites and Consequences of Attacks (Cont’d)
• Reasoning about alerts
 – An earlier hyper-alert prepares for a later one if the former makes the latter easier to succeed
   • Decompose prerequisites and consequences into individual predicates
   • Match the predicates
Example: h1 (SadmindPing) prepares for h2 (SadmindBufferOverflow)
 C(h1) = {VulnerableSadmind(152.1.19.5), VulnerableSadmind(152.1.19.9)}
 P(h2) = {ExistHost(152.1.19.5), VulnerableSadmind(152.1.19.5)}
 The predicate VulnerableSadmind(152.1.19.5) occurs in both C(h1) and P(h2), so h1 → h2.
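As an added illustration (not code from the paper or its tool), the following Python sketch encodes the two hyper-alert types above, grounds their prerequisite and consequence predicates from alert attributes, and applies the predicate-matching rule to decide which hyper-alert prepares for which; the time spans, the VictimPort values and the alert h3 are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HyperAlertType:
    """Knowledge about one attack type: attribute names plus prerequisite and
    consequence predicate templates (predicate, attribute-name tuple) over them."""
    name: str
    attributes: tuple
    prerequisite: tuple   # conjunction of templates
    consequence: tuple

@dataclass
class HyperAlert:
    """Instance of a type: one or more raw-alert attribute tuples and a time span."""
    hid: str
    htype: HyperAlertType
    tuples: list
    begin: float
    end: float

# Types taken from the slides' example.
SADMIND_PING = HyperAlertType("SadmindPing", ("destIP",),
    prerequisite=(("ExistHost", ("destIP",)),), consequence=(("VulnerableSadmind", ("destIP",)),))
SADMIND_BOF = HyperAlertType("SadmindBufferOverflow", ("VictimIP", "VictimPort"),
    prerequisite=(("ExistHost", ("VictimIP",)), ("VulnerableSadmind", ("VictimIP",))),
    consequence=(("GainAccess", ("VictimIP",)),))

def instantiate(templates, tuples):
    """Ground every predicate template with every attribute tuple (P(h) and C(h) on the slide)."""
    return {(pred,) + tuple(t[a] for a in args) for pred, args in templates for t in tuples}

def prerequisites(h): return instantiate(h.htype.prerequisite, h.tuples)
def consequences(h): return instantiate(h.htype.consequence, h.tuples)

def prepares_for(h1, h2):
    """h1 prepares for h2 if h1 ends before h2 begins and a consequence predicate of h1
    matches a prerequisite predicate of h2."""
    return h1.end < h2.begin and bool(consequences(h1) & prerequisites(h2))

def correlate(alerts):
    """Hyper-alert correlation graph as a list of (earlier, later) 'prepares for' edges."""
    return [(a.hid, b.hid) for a in alerts for b in alerts if a is not b and prepares_for(a, b)]

# Constructed sample: h1 aggregates two SadmindPing alerts (C(h1) on the slide); h2 is the
# overflow against 152.1.19.5; h3 and the port numbers are made up (a host never pinged).
H1 = HyperAlert("h1", SADMIND_PING, [{"destIP": "152.1.19.5"}, {"destIP": "152.1.19.9"}], 10.0, 12.0)
H2 = HyperAlert("h2", SADMIND_BOF, [{"VictimIP": "152.1.19.5", "VictimPort": 32773}], 30.0, 30.0)
H3 = HyperAlert("h3", SADMIND_BOF, [{"VictimIP": "152.1.19.7", "VictimPort": 32773}], 31.0, 31.0)
```

`correlate([H1, H2, H3])` yields the single edge h1 → h2 from the slide; h3 is left uncorrelated because no earlier alert establishes VulnerableSadmind(152.1.19.7).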
Experimental Evaluation
• Purposes of experiments
 – How well can the proposed method construct attack scenarios?
 – Can alert correlation help differentiate between true and false alerts?
   • Conjecture: correlated alerts are more likely to be true alerts.
Experimental Evaluation (Cont’d)
• DARPA 2000 intrusion detection scenario specific datasets
 – A novice attacker installs components for and carries out a DDOS attack
 – LLDOS 1.0 (inside and DMZ)
 – LLDOS 2.0.2 (inside and DMZ)
[Experimental setup figure: NetPoke, RealSecure Network Sensor, isolated network]
Hyper-Alert Correlation Graph Discovered from the Inside Traffic of LLDOS 1.0
Experimental Evaluation (Cont’d)
• Two measures
 – Completeness: How well can we correlate the related alerts?
   Rc = #Correctly Correlated Alerts / #Related Alerts
 – Soundness: How correctly are the alerts correlated?
   Rs = #Correctly Correlated Alerts / #Correlated Alerts
Experimental Evaluation (Cont’d)
[Chart: Completeness and Soundness (0% to 100%) for DataSet1 through DataSet4]
Experimental Evaluation (Cont’d)
[Charts: Detection Rate (0 to 100) and False Positive Rate (0 to 80) for Data Set 1 through Data Set 4, before correlation vs. after correlation]
• Additional details can be found in
 – Peng Ning, Yun Cui, Douglas S. Reeves, "Constructing Attack Scenarios through Correlation of Intrusion Alerts," in ACM CCS 2002, pages 245--254, November 2002.
Analyze Intensive Intrusion Alerts
• Limitations of the previous correlation technique
 – Difficult to cope with very large sets of correlated alerts
• Our solution
 – Interactive analysis utilities
   • Independent
   • Complementary
   • Used as building blocks
   • Can be applied iteratively to previous analysis results
Interactive Analysis Utilities
• Hyper-alert generating utilities
 – Aggregation/disaggregation
 – Clustering analysis
   • Graph decomposition: a special case
 – Focused analysis
• Feature extraction utilities
 – Frequency analysis
 – Link analysis
 – Association analysis
Alert Aggregation/Disaggregation
• Aggregation
 – To simplify the correlation graph, hyper-alerts of the same type can be aggregated together.
   • An interval constraint (e.g. 10 seconds) is used to control the aggregation.
Aggregation/Disaggregation with Abstraction
• Alerts reported by IDSs are usually low-level alerts, and can be abstracted to more general alerts.
• Hyper-alerts can be aggregated together to form new hyper-alerts with a more abstract alert type. Parameters:
 – The abstraction level at which to aggregate
 – Interval constraint
Alert Aggregation/Disaggregation (cont’d)
• Disaggregation
 – Aggregated hyper-alerts can be disaggregated to show detailed information.
Case Study with DEFCON8 Dataset
• Some common attack strategies were easily identified
 – e.g., Nmap_Scan → PmapDump → ToolTalk_Overflow
 – e.g., HTTP-based attacks from 010.020.011.074 to 010.020.001.014, 010.020.001.015, 010.020.001.019…
• Observation
 – There were many BackOrifice and NetBus alerts
 – i.e., attackers were coordinating multiple machines during their attacks
 – Makes correlation and attack identification more difficult!
• Selected results
Using Adjustable Graph Reduction
• Most hyper-alerts of the same type are close to each other in time in the DEFCON8 dataset
[Chart: Count of # nodes and # edges (0 to 25,000) vs. interval constraint (0 to 40 seconds)]
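The adjustable graph reduction shown here, together with the interval-constrained aggregation and abstraction of the earlier Aggregation/Disaggregation slides, as an added Python example (not the paper's tool): it merges same-type nodes whose consecutive timestamps fall within the interval constraint, collapses the edges between them, and reports node and edge counts for several interval values. The sample graph, the abstraction mapping of Nmap_Scan and PmapDump to Scan, and the reading of the interval constraint as the maximum gap between consecutive alerts are assumptions.

```python
from collections import defaultdict

# Constructed sample correlation graph (not from the paper's datasets): each node is a
# hyper-alert (type, timestamp in seconds) and each edge is a "prepares for" relation.
NODES = {
    "a1": ("Nmap_Scan", 0.0), "a2": ("Nmap_Scan", 3.0), "a3": ("Nmap_Scan", 8.0),
    "b1": ("PmapDump", 20.0), "b2": ("PmapDump", 21.0),
    "c1": ("ToolTalk_Overflow", 40.0), "c2": ("ToolTalk_Overflow", 90.0),
}
EDGES = {("a1", "b1"), ("a2", "b1"), ("a3", "b2"), ("b1", "c1"), ("b2", "c1"), ("b2", "c2")}
# Constructed abstraction hierarchy: low-level alert types mapped to a more general type.
ABSTRACT = {"Nmap_Scan": "Scan", "PmapDump": "Scan"}

def aggregate(nodes, edges, interval, abstraction=None):
    """Merge hyper-alerts of the same (optionally abstracted) type when each one is at most
    `interval` seconds after the previous one of that type (assumed reading of the interval
    constraint). Returns ({aggregated id: [member ids]}, edges between aggregated ids)."""
    abstraction = abstraction or {}
    by_type = defaultdict(list)
    for nid, (atype, ts) in nodes.items():
        by_type[abstraction.get(atype, atype)].append((ts, nid))
    groups, owner = {}, {}
    for atype, members in by_type.items():
        members.sort()
        group_id, last_ts, k = None, None, 0
        for ts, nid in members:
            if group_id is None or ts - last_ts > interval:   # gap too large: new hyper-alert
                group_id, k = f"{atype}#{k}", k + 1
                groups[group_id] = []
            groups[group_id].append(nid)
            owner[nid] = group_id
            last_ts = ts
    # Edges between members become edges between aggregated nodes; edges inside a group vanish.
    new_edges = {(owner[u], owner[v]) for u, v in edges if owner[u] != owner[v]}
    return groups, new_edges

def reduction_curve(nodes, edges, intervals, abstraction=None):
    """(#nodes, #edges) per interval constraint: the adjustable graph reduction curve."""
    curve = {}
    for interval in intervals:
        groups, new_edges = aggregate(nodes, edges, interval, abstraction)
        curve[interval] = (len(groups), len(new_edges))
    return curve

def disaggregate(groups, group_id):
    """Expand an aggregated hyper-alert back into its member alert ids."""
    return list(groups[group_id])
```

On this sample, `reduction_curve(NODES, EDGES, [0, 5, 60])` shrinks the graph from 7 nodes and 6 edges to 3 nodes and 2 edges; adding the abstraction at 60 seconds collapses it further to Scan → ToolTalk_Overflow.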
Largest Correlation Graph after Maximum Graph Reduction
Aggregated from a graph with
 • 2,940 nodes
 • 25,321 edges
Using Graph Decomposition
• Clustering constraint: (A1.srcIP = A2.srcIP) ^ (A1.destIP = A2.destIP)
 – Intuition: cluster alerts sharing the same source and destination IP addresses.
• Additional details can be found in
 – Peng Ning, Yun Cui, Douglas S. Reeves, "Analyzing Intensive Intrusion Alerts Via Correlation," in RAID 2002, pages 74--94, October 2002.
Learning Attack Strategies from Correlated Alerts
• It’s desirable, and sometimes necessary, to understand attackers’ strategies
 – Intrusion response, incident handling, profiling attackers or attacking tools, etc.
• Static vulnerability analysis
 – Example: attack graphs
 – Requires specifications of security properties
 – Limited to combinations of known attacks
• Learning attack strategies from alerts
 – Complements static vulnerability analysis
 – Allows examination of attack strategies at different granularities
Representation of Attack Strategies
• Attack strategy
 – Intrinsic relationships between steps in a sequence of attacks
 – Intuition: an attack strategy consists of attack steps and the constraints among these steps
• Attack strategy graph
 – A graph representation that captures the intrinsic relationships between steps in an attack strategy.
Equality Constraint
• An equality constraint for hyper-alert types T1 and T2
 – Equality relations between attributes in these two types.
 – Given a type T1 alert h1 and a type T2 alert h2
   • h1 prepares for h2 if they satisfy an equality constraint
 – Can be derived from T1 and T2.
Example: T1 = SadmindPing, T2 = SadmindBufferOverflow
 T1 consequence: VulSadmind(destIP); T2 prerequisite: VulSadmind(VictimIP)
 Derived equality constraint: T1.destIP = T2.victimIP
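Added Python example (not the authors' code) that derives equality constraints from a pair of hyper-alert types exactly as this slide describes, and then uses them on an alert sequence to extract an attack strategy graph in the two-step manner of the Learning Algorithm slide; the Rsh type, the alert timestamps and the attribute values are constructed.

```python
from collections import defaultdict
# Hyper-alert types as plain dicts: (predicate, attribute names) entries; prerequisites are a
# conjunction. The two Sadmind types follow the slide; Rsh is a constructed third step.
TYPES = {
    "SadmindPing": {"prerequisite": [("ExistHost", ("destIP",))],
                    "consequence": [("VulSadmind", ("destIP",))]},
    "SadmindBufferOverflow": {"prerequisite": [("ExistHost", ("VictimIP",)), ("VulSadmind", ("VictimIP",))],
                              "consequence": [("GainAccess", ("VictimIP",))]},
    "Rsh": {"prerequisite": [("GainAccess", ("destIP",))],
            "consequence": [("SystemCompromised", ("destIP",))]},
}

def equality_constraints(t1, t2):
    """Derive, from the two types alone, the equality constraints under which a T1 alert prepares
    for a T2 alert: each consequence predicate of T1 that also occurs as a prerequisite of T2
    yields one constraint pairing the attributes position by position."""
    constraints = set()
    for pred, args1 in TYPES[t1]["consequence"]:
        for pred2, args2 in TYPES[t2]["prerequisite"]:
            if pred == pred2 and len(args1) == len(args2):
                constraints.add(frozenset(zip(args1, args2)))
    return constraints

def satisfies(h1, h2, constraint):
    # The concrete alerts must agree on every attribute pair in the constraint.
    return all(h1["attrs"][a1] == h2["attrs"][a2] for a1, a2 in constraint)

def prepares_for(h1, h2):
    """h1 prepares for h2 if it is earlier and satisfies some derived equality constraint."""
    return h1["ts"] < h2["ts"] and any(
        satisfies(h1, h2, c) for c in equality_constraints(h1["type"], h2["type"]))
def attack_strategy_graph(alerts):
    """Nodes are attack steps (hyper-alert types); edge (T1, T2) is labelled with the equality
    constraints actually satisfied by some prepares-for pair of alerts of those types."""
    graph = defaultdict(set)
    for h1 in alerts:
        for h2 in alerts:
            if h1["ts"] < h2["ts"]:
                for c in equality_constraints(h1["type"], h2["type"]):
                    if satisfies(h1, h2, c):
                        graph[(h1["type"], h2["type"])].add(c)
    return dict(graph)

# Constructed alert sequence: ping -> overflow -> rsh against 152.1.19.5, plus a ping of another host.
ALERTS = [
    {"type": "SadmindPing", "ts": 0, "attrs": {"destIP": "152.1.19.9"}},
    {"type": "SadmindPing", "ts": 1, "attrs": {"destIP": "152.1.19.5"}},
    {"type": "SadmindBufferOverflow", "ts": 2, "attrs": {"VictimIP": "152.1.19.5", "VictimPort": 32773}},
    {"type": "Rsh", "ts": 3, "attrs": {"destIP": "152.1.19.5"}},
]
```

`attack_strategy_graph(ALERTS)` returns two edges, SadmindPing → SadmindBufferOverflow labelled destIP = VictimIP and SadmindBufferOverflow → Rsh labelled VictimIP = destIP; the ping of 152.1.19.9 violates the constraint and contributes nothing.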
Attack Strategy Graph
• Extracted from LLDOS 1.0 alerts (IDS: RealSecure)
Learning Algorithm
• Two steps
 – Aggregate intrusion alerts that belong to the same step of a sequence of attacks into one hyper-alert
 – Extract the constraints between the attack steps
• The result is represented as an attack strategy graph
• Additional details can be found in
 – Peng Ning, Dingbang Xu, "Learning Attack Strategies from Intrusion Alerts," to appear in ACM CCS 2003, October 2003.
Future Work
• Intrusion alert analysis
 – Integrate intrusion alerts with other information sources
 – Hypothesize and reason about missed attacks
Thank You!