Lecture #8: Correlation. Matthijs Koot / SNE-IDS college 07-08

Transcription

1 Lecture #8: Correlation Faculteit van Natuurwetenschappen, Wiskunde en Informatica Universiteit van Amsterdam / SNE-IDS college 07-08

2 Outline

3 Common problems with point-solution IDSs. Common problems with point-solution IDSs: Too many false positives The rare true positive will be overlooked Too many alerts for a single intrusion Causes brain damage to the (human) IDS operator No high-level views What is the blackhat trying to do? Can we predict his next step? (probabilistically) Does the attack impact critical business systems?

4 Correlation. Correlation provides (partial) solution: Algorithms & External info Correlation Intrusion alerts (uncorrelated) = Alert (unknown) Intrusion alerts (correlated) = Alert cor. attack 1 = Alert cor. attack 2 = False positive

5 Outline

6 . : IDSs (alerts) Host IDS (misuse/anomaly) Network IDS (misuse/anomaly) Application IDS (misuse/anomaly) Logs (log entries) Host: syslog, NT Eventlog Network: firewalls, routers, switches Application: Apache/IIS log, Oracle/MS-SQL log, SAP Other (context knowledge) Configuration Mgmt DB (CMDB) Network/service health monitors (Nagios, Solarwinds, etc) Vulnerability assessment systems

7 Outline

8 . : Signals Events Alerts Network traffic OS activity Application data Hardware sensors

9 Log policy and alert policy. Log policy and alert policy: Signals Log policy Alert policy Network traffic Events Alerts OS activity Application data Hardware sensors

10 Event correlation and alert correlation. Event correlation and alert correlation: Log policy Alert policy Signals Events Alerts Network traffic OS activity Application data Hardware sensors Event correlation

11 Definitions. Definition Intrusion event correlation refers to the interpretation, combination, and analysis of neutral events from all available sources, about target system activity for the purposes of intrusion detection and response. Definition Intrusion alert correlation refers to the interpretation, combination, and analysis of intrusion alerts, together with information external to the intrusion detection system, with the purpose of intrusion alert refinement and intrusion scenario building. Source: Extending with Alert Correlation and Intrusion Tolerance", Dan Gorton, 2003

12 Example correlation table. Today s focus is alert correlation. But here is an example event correlation table: Source: Log Correlation for - A Proof of Concept", Abad et al., 2003 (paper)

13 Outline

14 Log policy. Log policy: what should (not) be logged? Candidate-loggables (signals): Application/data-level activity OS-level activity Network-level activity Hardware-level activity What signals are (not) relevant to recognizing malicious activity? (non-trivial!) Examine known attacks for (potential) log trails Deploy honeynet, get attacked, and learn Log everything, always (this might allow better recognition of 0-day attacks) Logging guidelines (NIST , NSA, vendors) Trade-off: logging detail vs. cost in performance/storage

15 Alert policy. Alert policy: what events (don t) yield an alert? Context Situation-specific understanding of threat and intrusion CTO: attacks on technology CIO/CISO: attacks on information Compliancy officer: attack compromizing compliancy to law and regulations (e.g. attacks against audit trails (Sox), leakage of customer or patient data) CEO/CFO: attacks on high-value assets and business goals What combination of events indicate an intrusion? Examine known attack strategies for (potential) traces Deploy honeynet, get attacked, and learn Share/maintain expert rules in a common, public knowledgebase for security logs/events/alerts (CAPEC?)

16 Outline

17 Goals. Goals of alert correlation: Reduce the total number of alerts Elimination Fusion Aggregation Synthesis Improve diagnostics Type of activity Relevance Verification Track activity Information leaked to attacker Information leaked from attacker

18 process. Source: and Correlation", Krügel, Valeur and Vigna, 2005 (book)

19 process. Source: and Correlation", Krügel, Valeur and Vigna, 2005 (book)

20 Outline

21 . : Normalize syntax and semantics Semantics: CVE, Bugtraq, intrusion alert ontology Syntax: CIDF yielded IETF-IDWG, which yielded IDMEF/IDXP IDMEF = Message Exchange Format

22 (2). Example IDMEF: <IDMEF-Message version="0.3"> <Alert ident="12345" impact="unknown"> <Analyzer analyzerid="snort:1.8.6: "> <Node><name>brp-snort</name></Node> </Analyzer> <CreateTime ntpstamp="0xc12b141a.0xa5baa000"/> <Source><Node> <Address category="ipv4-addr"> <address> </address></address> </Node></Source> <Target><Node> <Address category="ipv4-addr"> <address> </address></address> </Node></Target> <Classification origin="vendor-specific"> <name>icmp PING NMAP</name></Classification> </Alert> </IDMEF-Message> Adapted from: A Comprehensive Approach to Intrusion Alert Correlation", Valeur et al., 2004 (paper)

23 (3). IDXP is the transport model for IDMEF: IDXP = Exchange Protocol BEEP = Blocks Extensible Exchange Protocol (RFC 3080) IDXP carries IDMEF messages and is implemented as a BEEP profile

24 Outline

25 Alert reduction (1): fusion. Alert reduction (1): fusion recognize and remove redundancy in alerts from different sensors

26 Alert reduction (2): verification. Alert reduction (2): verification recognize and remove irrelevant and failed attacks Passive Verify target s (in)vulnerability in CMDB (e.g. ignore OS/2-Warp attacks on MINIX machines) Wait for post-intrusion activity Wait for post-intrusion INactivity (missing heartbeats?) Active (perturbing) Connect to target, check for rogue processes Connect to target, check (config) files against known-good hashes (e.g. Tripwire)

27 Outline

28 Intention recognition and alert clustering. Two possible approaches to correlation: Alert clustering Don t know what s happening, but these alerts appear to be related." Rather like anomaly-detection (statistics and probabilism). Intention recognition Aha! Alerts seem to match <attack-pattern>." Rather like misuse-detection (predefined patterns).

29 Alert thread reconstruction. Alert thread reconstruction (alert clustering) Cluster alerts into threads based on spatial and temporal proximity Incoming alerts are added to their best-matching thread; one thread represents one attack (session) Which attributes should be compared? How? Exact match (a 1.srcIP = a 2.srcIP) Domain-specific non-exact (proximity, subnet) What weight is assigned to each attribute? Similarity matrices/expectations (require human knowledge, prone to human error).

30 Alert thread reconstruction (2). One view on correlativity between two alerts h i and h j : p p Cor(h i, h j ) = w ij Cor(x i, y j )/ w ij (1) i,j=1 i,j=1 Here, two alerts h i and h j have p attributes with values x 1..x p resp. y 1..y p. The weight w ij is empirically fine-tuned. Cor(x i, y j ) is evaluated using similarity matrices. Source: Automatic attack plan recognition from intrusion alerts", Li et al., 2007

31 Predefined attack scenarios. Predefined attack scenarios (intention recognition): Specification of attack scenarios: Attack Scenario Language (Krügel) Chronicles formalism (Débar) LAMBA (Cuppens)

32 Prerequisite-consequence analysis. Prerequisite-consequence analysis (intention recognition): Alert conditionality through hyper-alerts: (fact, prerequisite, consequence) Fact specifies an alert (attributes) Prerequisite specifies a necessary condition for an attack to be successful (predicate) Consequence specifies possible result (predicate) If chronologics allow it, this may fulfill another prerequisite This yields a (may-)prepare-for relation

33 Prerequisite-consequence analysis (2). Example hyper-alert correlation graph: Source: Constructing Attack Scenario s through Correlation of Intrusion Alerts", Ning et al., 2002

34 Discussed: + policy Reasons for doing event/alert correlation Normalization, reduction, correlation (ad 2005) Not discussed (but should have): Bayes, Granger-Causality, EWMA control charts, visualization

35 Feedback! Questions Questions regarding this lecture? Lab assignments: NONE. (focus on your project proposal) These slides will be uploaded here: