Delay Injection for. Service Dependency Detection

Transcription

1 Delay Injection for Service Dependency Detection Richard A. Kemmerer Computer Security Group Department of Computer Science University of California, Santa Barbara ARO/MURI Meeting - October 28, 2013

2 Correlation Engine COAs Data Data Data Data Real World Enterprise Network Mission Cyber-Assets Simulation/Live Security Exercises Analysis to get up-to-date view of cyber-assets Analyze and Characterize Attackers Analysis to determine dependencies between assets and missions Predict Future Actions Mission Model Cyber-Assets Model Create semantically-rich view of cyber-mission status Sensor Alerts Data Impact Analysis 2

3 Motivation Thrust I: Obtaining an up-to-date view of the available cyber-assets Need to know and model assets on your network network services (beyond IP address and ports) Thrust II: Obtaining understanding of the dependencies between missions and assets Find dependencies and redundancies between services Find relationships (mappings) between missions and assets Find assets and activities critical for network (or particular mission) 3

4 Quick Recap and Updates Determine relationships between services one service relies on another one (direct dependency) two services needed together (indirect dependency) B DNS Web A LDAP A B Mail C C 4

5 Quick Recap and Updates Extract activities and their related assets activity is a set of services that cooperate to achieve a higher-level goal building blocks for missions of course, this could be done manually we proposed an automated approach (not all activities are obvious) We proposed an approach based on passive observation of network traffic conducted experiments in the CS network at 5

6 Extracting Dependencies Basic idea of our passive activity extraction approach Find multiple services that are all correlated intuition is that multiple services that work together do this for a purpose; the network is leveraged to achieve a certain goal Problems correlation does not imply causation false positives direction of dependency cannot be determined 6

7 Extracting Dependencies Basic Idea Perform active discovery actively perturb traffic for service A, monitor how service B reacts when B depends on service A, we expect to see the effect of the perturbation introduce delays into requests (flows) to service A active watermarking, but for flows, not for packets when B does not depend on A, there should be no effect How to introduce perturbations 7

8 Introducing Delays Service A Service B Idle period Busy period 8

9 Introducing Delays In the real world, idle and busy periods not as easily detectable unrelated requests unexpected delays caching effects Need (many) more than one observation period (window) Need to perform statistical tests Developed Rippler an application-independent active approach to dependency detection 9

10 Rippler Statistical Tests Unknown distribution of service requests D(μ, σ) In case service has dependency, ρ delayed requests result in Idle period D 1 (μ (1-ρ), σ 1 ) Busy period D 2 (μ (1+ρ), σ 2 ) Hypothesis: Two services are independent, hence μ idle = μ busy 10

11 Rippler Statistical Tests To show the dependency of two services A and B, we want to reject the hypothesis that the two services are independent Null hypothesis (H 0 ) states that B is independent of A, so H 0 μ idle = μ busy Our approach is to statistically show that μ idle μ busy ; therefore, B is dependent on A We use 3 different statistical tests Two independent samples means t-test Two dependent samples means Paired t-test Two dependent samples means Signed Rank Test (Paired Wilcoxon) If any of the tests reject the null hypothesis we conclude that B is dependent on A 11

12 Statistical Tests Independent samples t-test The probability that the distributions from which two samples are drawn have the same means 12

13 Statistical Tests We can do better: Paired samples t-test Less sensitive to noise 13

14 Statistical Tests Even better Paired Wilcoxon test Takes advantage of the fact the idle time window and the busy time window samples are pairwise related For all three tests, we can show that increasing the number of sample intervals will eventually allow us to make a decision (even when the fraction of delayed requests is very small) 14

15 Environmental Effects on the Accuracy of the Statistical Tests In real networks there are a number of factors that may affect the accuracy of the statistical tests Low number of requests to the server Low percentage of the requests to the server affected by the delayer Noise and Jitter Cached services Overloaded services Popular services These can all be addressed by increasing the sample size 15

16 Simulations Demonstrate the desirable properties of the system (more data yields precise results) 16

17 Simulations Demonstrate the desirable properties of the system (more data yields precise results) 17

18 Real World Experiment Installed a delay mechanism at the CS Department Perturbed connections from CS lab machines to 54 services 4 months worth of data (133 GB of NetFlow data) 12.5 billion connections to interesting services 500ms delay introduced Detected 38 dependencies among the 54 services 18

19 Compared Against Three Previous Passive Dependency Systems Systems were Sherlock, Orion, and NSDMiner Ran on same NetFlow dataset Manually labeled 156 dependencies detected (superset from all 4 systems) 68 were true dependencies 70 were false dependencies Unable to determine correctness of 18 dependencies 19

20 Compared Against Three Previous Passive Dependency Systems 20

21 Conclusions Active discovery of dependencies Refined and tuned traffic flow watermarking scheme Multiple statistical tests to identify even small perturbations Simulations and experimental evaluation Can achieve arbitrarily low false positives if provided with large enough data set Compared favorably against previous passive dependency schemes Rippler is the first application-independent active dependencydetection system 21

22 Future Work Leveraging dependencies for sophisticated what-if analysis Work on methods to stimulate service activities and trigger missions 22

23 Questions? 23