CDIS: Towards a Computer Immune System for Detecting Network Intrusions
Captain Paul Williams, USAF Information Assurance Architect
HQ Air Intelligence Agency
Recent Advances in Intrusion Detection, UC Davis, Davis CA, 10-12 Oct 2001
Sponsor
Mr. John Feldman, Defensive Information Warfare Branch (AFRL/IFGB), Information Directorate, Air Force Research Laboratory, 525 Brooks Rd., Rome, NY 13441-4505, (315) 330-2664, [email protected]
Capt Paul Williams, Prof Gregg Gunsch, Capt Kevin Anchor, Prof Gary Lamont, 1Lt John Bebo
Paper based primarily on the Masters Thesis of Capt Williams
Introduction
- Problem Discussion
- What is CDIS?
  - Scope
  - Why a Non-Deterministic Search
  - Why a Computational Immune System
- System Design
  - Antibody Features
  - CDIS Lifecycle
- Experiments
  - Data Sets
  - Test Process
  - Results/Analysis
- Questions
Problem
- Most IDS are signature-based
- Signature-based ID is reactive
  - Operation depends upon existing signatures
  - Signatures typically created in attack post-mortem
- Both signature creation and distribution are manual processes
  - SMS pushing updates to Norton…
Problem
- Signature success depends on generality
- New attacks are often variations of old ones
  - Different enough that existing signatures cannot catch them
Problem
- alert TCP any any -> any 20432 (msg:"IDS254 - DDoS shaft client to handler"; flags: PA; )
- What if hacker has access to signatures?
  - Snort is open source
  - Easy to avoid one signature, how about all of them? Snort has > 1100
What is CDIS? Computer Defense Immune System
- Motivating Goal: Need to augment signature-based IDS
  - Proactive ID: detect unknown or novel attacks
- Scope: Network-based intrusion detection
  - IP only (TCP, UDP, ICMP)
  - Single-packet
  - Uses packet header information
  - Packet content or payload ignored
- Scope: Current research relies upon existing framework
  - Not concerned with "plumbing" (while acknowledging that good plumbing is vital)
- Approach uses non-deterministic search
  - Problem domain is enormous
  - CDIS search space contains 10^84 possible events
- Search built around a computational immune system
Research investigated feasibility of evolutionary search techniques in ID
What is CDIS?
[Diagram: the Computer Defense Immune System (CDIS) draws on concepts from biological immunology, multiple agents, data storage, enterprise information systems, virus protection, network-based ID and host-based ID, built around an interactive evolutionary searcher; hierarchical distributed structure; targets overt attacks and low-and-slow covert attacks.]
What is CDIS?
- Computational Immune System (CIS)
  - Abstract model of human immune system
  - Concepts of self and non-self
  - Evolutionary Searcher
- Evolutionary Computation
  - Population-based
  - Rely upon random variation and selection
  - Based upon mechanics of natural selection and survival of fittest
- CDIS is similar to other work using CIS
  - Different search space
  - Different matching functions
- Limitations
  - Cannot detect some attacks
  - Cannot currently categorize or identify detected attacks
Burglar alarm: not perfect, only provides indication that something is wrong
System Design
- Warthog and Ferret prototypes
  - Implement the CDIS architecture
  - Examine TCP / ICMP / UDP packets
  - Warthog was used for testing
  - Ferret is still in development
  - Provide a GUI and test-bed
System Design
System Design
- Antibodies
  - General signatures or detectors
  - Up to 28 features from packet header
  - Protocol chosen randomly
  - Features used chosen randomly
  - Range for each feature randomly defined
- Points and ranges represented by binary strings
  - Easy to manipulate with genetic algorithm
- Detect non-self
- Search space
CDIS Antibody Lifecycle
The CDIS Antibody Lifecycle is adapted from the antibody lifecycle defined by Hofmeyr and Forrest at the University of New Mexico and Harmer at the Air Force Institute of Technology.
CDIS Antibody Lifecycle
- Antibody Creation
  - Antibodies randomly created
- Negative Selection
  - Ensures antibodies do not detect self
CDIS Antibody Lifecycle
- Affinity Maturation
  - Makes the antibodies more general
  - Genetic Algorithm search for optimal antibody ranges
  - Hypervolume made as large as possible
- Optional process
  - As implemented, very computationally expensive
  - Insignificant gains on Lincoln Labs data sets
  - Easier to add more antibodies
CDIS Antibody Lifecycle
- Detection
  - Uses an imperfect matching algorithm
- ID domain uses points and ranges in hypervolume
  - Ranges allow multiple points to match signature
- AntiVirus domain uses sliding window, binary string comparator
CDIS Antibody Lifecycle
- Costimulation
  - Self not defined perfectly and drifts over time
  - Will cause false alarms
  - Attempt to reduce these false alarms
  - Multiple antibodies must detect a packet as non-self
[Diagram: (1) individual computers examine network data packets and perform internal costimulation; (2, 3, 4 … n) detected packets undergo system-wide costimulation; system results: lower false positive rate balanced against higher false negative rate.]
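The lifecycle on the preceding slides, as an added example that is not the thesis's Warthog or Ferret code: antibodies are random ranges over a few packet-header features, negative selection censors any antibody that matches a constructed self set, and costimulation requires several antibodies to agree before a packet is called non-self. The feature set, the self traffic and the test packets are assumptions of the example; affinity maturation (optional on the page) is left out.

```python
import random

# Added toy of the CDIS antibody lifecycle, not the Warthog/Ferret code. Assumed:
# three header features instead of up to 28, constructed self and test packets,
# and no affinity maturation (the page calls it optional).
FEATURES = {"src_port": 65535, "dst_port": 65535, "ttl": 255}

def packet(proto, src_port=0, dst_port=0, ttl=64):
    return {"proto": proto, "src_port": src_port, "dst_port": dst_port, "ttl": ttl}

def random_antibody(rng):
    """Creation: random protocol, random feature subset, random range per feature."""
    ranges = {}
    for f in rng.sample(sorted(FEATURES), k=rng.randint(1, len(FEATURES))):
        lo = rng.randint(0, FEATURES[f])
        ranges[f] = (lo, rng.randint(lo, FEATURES[f]))
    return {"proto": rng.choice(("TCP", "UDP", "ICMP")), "ranges": ranges}

def matches(ab, p):
    """Imperfect matching: the packet lies inside the antibody's hypervolume."""
    return ab["proto"] == p["proto"] and all(
        lo <= p[f] <= hi for f, (lo, hi) in ab["ranges"].items())

def negative_selection(candidates, self_set):
    """Discard every antibody that matches any self packet."""
    return [ab for ab in candidates if not any(matches(ab, p) for p in self_set)]

def build_antibodies(self_set, n, rng):
    """Generate-and-censor until n antibodies survive negative selection."""
    kept = []
    while len(kept) < n:
        kept += negative_selection([random_antibody(rng) for _ in range(64)], self_set)
    return kept[:n]

def costimulated_detect(antibodies, p, threshold=2):
    """Costimulation: non-self only when at least `threshold` antibodies match."""
    return sum(matches(ab, p) for ab in antibodies) >= threshold

# Constructed self: client HTTP/HTTPS traffic from ephemeral ports. Constructed test
# set: self-like packets plus the shaft client->handler packet (TCP, destination
# port 20432) named in the Snort rule quoted earlier, and an odd ICMP packet.
SELF = [packet("TCP", 32768 + 37 * i, 80 if i % 2 else 443) for i in range(200)]
TEST = SELF[:20] + [packet("TCP", 1042, 20432, 128), packet("ICMP", ttl=255)]

def run(n_antibodies=512, threshold=2, seed=7):
    """Return the test packets the toy flags as non-self."""
    antibodies = build_antibodies(SELF, n_antibodies, random.Random(seed))
    return [p for p in TEST if costimulated_detect(antibodies, p, threshold)]
```

Because every surviving antibody was censored against the self set, no self packet can ever be flagged; which attack packets are caught depends on the random draw, which is the error-rate trade-off the experiments measure.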
Experiments
- Goals
  - Determine self and non-self
  - Detect unknown attacks
  - Determine error rates
  - Examine impact of affinity maturation
  - Examine impact of costimulation
- Testing
  - Used Warthog prototype
  - Two data sets
  - Multiple runs for each data set
[Chart: Negative Selection Time vs. Size of Self. x-axis: Size of Self (packets): 1K, 10K, 100K, 1M; y-axis: Negative Selection Time (sec), 0 to 120. Plotted values: 5.92, 8.77, 11.43 and 51.74 sec.]
[Chart: Error Rate vs. Detection Threshold. x-axis: Detection Threshold, 0.85 to 0.93; y-axis: Error Rate, 0 to 1.2. Series: False Negative Rate, False Positive Rate.]
Experiments – Test Sets
- Datasets
  - Used attack-free Lincoln Labs data
  - 2643 attack packets generated
- Small Scale Tests (initial testing)
  - 10K self packets
  - 20K test packets (includes 2643 attack packets)
- Larger Scale Tests (more realistic)
  - 1.3 million self packets
  - 1.1 million test packets (includes same 2643 attack packets)
Much more testing is necessary!
Experiments
- Small Scale Tests (initial testing)
  - Full CDIS antibody life cycle
  - Sets of 32, 64, 128, 256, 512, 1024, and 2048 antibodies used
- Larger Scale Tests (more realistic)
  - No affinity maturation
  - Sets of 32, 64, 128, 256, and 512 antibodies
Experimental Results
- CDIS discriminated self from non-self
- CDIS detected unknown attacks
  - Low false-positive and false-negative error rates, in general
  - Number of antibodies affects error rates
  - Limited testing shows 512 antibodies worked well
- Affinity maturation worked
  - Reduced false negative rate significantly
  - Only slightly increased false positive rate
  - Very expensive to perform due to database implementation
  - Better results were achieved by adding more antibodies
- Costimulation worked well to reduce false-positive rate without significantly raising false-negative rate
Small Scale Test Results (False Positives)
[Chart: False Positives Before Affinity Maturation. x-axis: Number of Antibodies (32, 64, 128, 256, 512, 1024, 2048); y-axis: Error Rate, 0 to 0.08. Series: False Positives Before Costimulation, False Positives After Costimulation.]
[Chart: False Positives After Affinity Maturation. x-axis: Number of Antibodies (32 to 2048); y-axis: Error Rate, 0 to 0.2. Series: False Positives Before Costimulation, False Positives After Costimulation.]
Small Scale Test Results (False Negatives)
[Chart: False Negatives Before Affinity Maturation. x-axis: Number of Antibodies (32, 64, 128, 256, 512, 1024, 2048); y-axis: Error Rate, 0 to 0.6. Series: False Negatives Before Costimulation, False Negatives After Costimulation.]
[Chart: False Negatives After Affinity Maturation. x-axis: Number of Antibodies (32 to 2048); y-axis: Error Rate, 0 to 0.25. Series: False Negatives Before Costimulation, False Negatives After Costimulation.]
Large Scale Test Results
[Chart: Phase Two Test, False Negatives (No Affinity Maturation Tested). x-axis: Number of Antibodies (32, 64, 128, 256, 512); y-axis: Error Rate, 0 to 0.001. Series: False Negatives Before Costimulation, False Negatives After Costimulation.]
[Chart: Phase Two Test, False Positives (No Affinity Maturation Tested). x-axis: Number of Antibodies (32, 64, 128, 256, 512); y-axis: Error Rate, 0 to 0.001. Series: False Positives Before Costimulation, False Positives After Costimulation.]
Questions?
This briefing is provided for information only. The opinions expressed within are those of the author and do not necessarily reflect the views of the USAF or US Government.
Backup Material
Related Work (1)
- University of Memphis (Dasgupta)
  - "A New Approach for Intrusion Detection"
    - Very similar to CDIS
    - GA-based detectors
    - Different matching algorithm
  - Multi-agent system for network intrusion detection
    - Agents monitor network
    - Look for changes such as malfunctions, faults, abnormalities, misuse, deviations, intrusions
    - Agents recognize each other's activities
    - Agents take actions according to the security policies
Related Work (2)
- University of Memphis (Dasgupta)
  - Intelligent Decision Support System for Intrusion Detection and Response
    - GA-based classifier-based decision support tool
    - Monitors various system-level or network features
    - Initial rules set using domain knowledge
    - Monitored features matched against rules
    - New rules evolve during operation (learning)
    - Rules can be used for response actions
Related Work (3)
- University of New Mexico (Forrest and Hofmeyr)
  - Theory
  - Host-based IDS
    - Defines self as sequences of system calls made by privileged programs
    - Detects abnormal, or non-self, system calls
  - Network-based IDS (LISYS)
    - Uses three features for defining self: source IP address, destination IP address, TCP port
    - Only TCP SYN packets examined
Related Work (4)
- University College London (Kim and Bentley)
  - Describe salient features for a CIS-based IDS
  - Negative Selection
    - Investigating role of negative selection as defined by Forrest
    - "Severe scaling problem" in handling network traffic
  - Clonal Selection
    - Library of antibodies
    - Detect abnormal traffic or known patterns of intrusions
    - Clonal selection lets antibodies evolve (mutation)
Features Used
Original Antibody Lifecycle
[Diagram: state machine of the original antibody lifecycle. A randomly created antibody (a binary string such as 1011101010010001) undergoes negative selection: if it matches self it dies; if it doesn't match self it becomes mature and naive. A mature antibody that matches event(s) becomes activated; one that doesn't match an event during its lifetime dies. An activated antibody that receives costimulation becomes a memory antibody; with no costimulation it dies. Affinity maturation is shown as a further stage.]
Antibody Generation Time
[Chart: Negative Selection Time vs. Size of Self. x-axis: Size of Self (packets): 1K, 10K, 100K, 1M; y-axis: Negative Selection Time (sec), 0 to 120. Plotted values: 5.92, 8.77, 11.43 and 51.74 sec.]
Scan Time
[Chart: Scan Time vs. Size of Self. x-axis: Database Size (packets): 1.2K, 10.2K, 120K, 1.2M; y-axis: Scan Time (sec), log scale 1 to 100. Plotted values: 6.95, 8.29, 12.30 and 49.17 sec.]