Enhancing Byte-Level Network Intrusion Detection Signatures with Context

Similar documents
The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware

Operational Experiences With High-Volume Network Intrusion Detection

The Bro Cluster The Bro Cluster

Exploiting Multi-Core Processors For Parallelizing Network Intrusion Prevention

The Bro Network Intrusion Detection System

Seeking Visibility Into Network Activity for Security Analysis

Dynamic Protocol Analysis for Network Intrusion Detection Systems

Byte Level NIDS Improvement

UMSSIA INTRUSION DETECTION

CSE 565 Computer Security Fall 2018

Intrusion Detection and Malware Analysis

A Graphical User Interface Framework for Detecting Intrusions using Bro IDS

Intrusion Detection Systems

Broker. Matthias Vallentin UC Berkeley International Computer Science Institute (ICSI) BroCon '16

Network Security. Chapter 0. Attacks and Attack Detection

Overview Intrusion Detection Systems and Practices

Policy Scripts to Detect Network Intrusions

Lecture Notes on Critique of 1998 and 1999 DARPA IDS Evaluations

High-Performance Packet Recording for Network Intrusion Detection

CE Advanced Network Security

How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffic

Malicious Activity and Risky Behavior in Residential Networks

Detecting Network Intruders in Real Time

ARAKIS An Early Warning and Attack Identification System

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Introduction Challenges with using ML Guidelines for using ML Conclusions

CPSC 641: WAN Measurement. Carey Williamson Department of Computer Science University of Calgary

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Master Course Computer Networks IN2097

Activating Intrusion Prevention Service

Network Security Today: Finding Complex Attacks at 100Gb/s

Developing the Sensor Capability in Cyber Security

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

The Reconnaissance Phase

Network Intrusion Detection Systems. Beyond packet filtering

Distributed Cooperative Security Monitoring

SVILUPPO DI UNA TECNICA DI RICONOSCIMENTO STATISTICO DI APPLICAZIONI SU RETE IP

The Need for Collaboration between ISPs and P2P

The Need for Collaboration between ISPs and P2P

icast / TRUST Collaboration Year 2 - Kickoff Meeting

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

T U M. Building a Time Machine for Efficient Recording and Retrieval of High-Volume Network Traffic

Master Course Computer Networks IN2097

New Directions in Traffic Measurement and Accounting. Need for traffic measurement. Relation to stream databases. Internet backbone monitoring

CS Review. Prof. Clarkson Spring 2017

Robust TCP Stream Reassembly In the Presence of Adversaries

Authors: Mark Handley, Vern Paxson, Christian Kreibich

HILTI: An Abstract Execution Environment for Deep, Stateful Network Traffic Analysis

Beyond a sensor. Towards the Globalization of SURFids. FIRST 20 th Annual Conference Vancouver, Canada

Intrusion Detection Systems

Configuring attack detection and prevention 1

Intrusion Detection System

Enhancing the Accuracy of Network-based Intrusion Detection with Host-based Context

Intrusion Detection Systems

AMP-Based Flow Collection. Greg Virgin - RedJack

PROTECTING INFORMATION ASSETS NETWORK SECURITY

On Optimizing Traffic Distribution for Clusters of Network Intrusion Detection and Prevention Systems

Basic Concepts in Intrusion Detection

Intrusion Detection and Malware Analysis

intelop Stealth IPS false Positive

On Optimizing Load Balancing of Intrusion Detection and Prevention Systems. Anh Le, Ehab Al-Shaer, and Raouf Boutaba

Flowzilla: A Methodology for Detecting Data Transfer Anomalies in Research Networks. Anna Giannakou, Daniel Gunter, Sean Peisert

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

ANOMALY DETECTION IN COMMUNICTION NETWORKS

CNIT 50: Network Security Monitoring. 6 Command Line Packet Analysis Tools

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 11

Extensible Network Configuration and Communication Framework

Snort: The World s Most Widely Deployed IPS Technology

Practical Comprehensive Bounds on Surreptitious Communication Over DNS

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

On the Difficulty of Scalably Detecting Network Attacks

Network Intrusion Detection: Capabilities & Limitations

Network Control, Con t

CS 161 Computer Security

Efficient Signature Matching with Multiple Alphabet Compression Tables

Securing Mediated Trace Access Using Black-box Permutation Analysis

Enhancing Network Intrusion Detection With Integrated Sampling and Filtering

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

NIDS: Snort. Group 8. Niccolò Bisagno, Francesco Fiorenza, Giulio Carlo Gialanella, Riccardo Isoli

Agenda. Review: DNS Security Intrusion Detection and Prevention Systems 1/21

Flow-based Worm Detection using Correlated Honeypot Logs

Configuring attack detection and prevention 1

Quadratic Route Factor Estimation Technique for Routing Attack Detection in Wireless Adhoc Networks

Covert channel detection using flow-data

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Quadratic Route Factor Estimation Technique for Routing Attack Detection in Wireless Adhoc Networks

Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes

Polygraph: Automatically Generating Signatures for Polymorphic Worms

Shield -- A First Line Worm Defense. Helen J. Wang, Chuanxiong Guo, Dan Simon, and Alf Zugenmaier Feb 25, Motivation

Lab 4: Network Packet Capture and Analysis using Wireshark

CINBAD. CERN/HP ProCurve Joint Project on Networking. Post-C5 meeting, 12 June 2009 (hepix, 26 May 2009)

Reliably Determining the Outcome of Computer Network Attacks

2. INTRUDER DETECTION SYSTEMS

Network Traffic Exploration Application. Presented By Grant Vandenberghe. (613)

A Two-Layered Anomaly Detection Technique based on Multi-modal Flow Behavior Models

Network Anomaly Detection Using Autonomous System Flow Aggregates

Traffic Classification Using Visual Motifs: An Empirical Evaluation

Certified Snort Professional VS-1148

Intrusion Detection Systems. Evan Misshula

Transcription:

Enhancing Byte-Level Network Intrusion Detection Signatures with Context Robin Sommer sommer@in.tum.de Technische Universität München Germany Vern Paxson vern@icir.org International Computer Science Institute Lawrence Berkeley National Laboratory Berkeley, CA, USA

Overview Approaches to Network Intrusion Detection. Contextual Signatures. Example applications. Evaluation. Summary.

Approaches to Network Intrusion Detection Detect attacks by observing network traffic. Anomaly detection Derive some normal behaviour. Watch for deviations. Specification-based detection. Define legitimate traffic. Watch for violations. Misuse detection Build a library of attack characteristics. Try to detect them in the traffic.

Misuse-Detection by Signature Matching Signature: Characteristic sequence of bytes. Used by most operationally deployed NIDs (e.g. Snort). Advantages Easy to comprehend, accumulate and share. For some attacks, very tight Precise detection. Disadvantages For many attacks, not tight False positives. But if too tight, miss even tiny variations False negatives. No notion of relevance: Was the attack successful? Problem: Just looking at bytes ignores (available) context.

Contextual Signatures (1) Goals Reduce false-positives. Prioritize alerts by importance. Idea: Enhance pattern matching by incorporating context Start with (extended) traditional signatures. Do not generate an alert for every match but analyze further. Context on different levels: Low-level: Syntactic context, connection state. High-level: Knowledge about network state.

Contextual Signatures (2) Open-Source NIDS Bro as platform Deployed for example at UCB, LBNL and TUM. Supports different detection approaches. Abstracts network traffic into events. Provides full scripting language to evaluate events. Until now: signature matching possible but cumbersome. Contextual Signatures for Bro Build new signature engine as a starting point. On a match, raise an event rather than an alert. Utilize already existing rich contextual state.

Example Applications Exploit Scanning Aggregation of alerts reduces alert volume. Vulnerability Profiles Knowing a system s specifics helps to prioritize alerts. Attacks with multiple steps Recognizing sequence of steps increases accuracy. Request/Reply Signatures Server s response may indicate result of attacks.

IIS Exploit Attempt Alert if server does not respond as expected. signature cmdexe-success { ip-proto == tcp dst-port == 80 http /.*cmd\.exe/ requires-signature-opposite! http-error tcp-state established event "WEB-IIS cmd.exe success" } signature http-error { ip-proto == tcp src-port == 80 payload /.*HTTP\/1\.. *4[0-9][0-9]/ tcp-state established event "HTTP error reply" }

Features of the Signature Engine Pattern matching uses full regular expressions Expressive power. High performance Parallel matching in time linear in size of input. But: Size of DFA may grow expontentially Build incrementally. Interfaces to Bro s already existing functionality Connection state management (time-outs, bi-directionality). Protocol analyzers (TCP, HTTP, FTP,...... ). Scripting language (events, call-backs, identifiers). Leverage Snort s library by means of a converter.

Evaluation of the Signature Engine Evaluation by comparing against Snort Convert ca. 1100 Snort signatures into Bro s language. Run both systems on traces from different enviroments 30-minutes full trace from U Saarbrücken (ca. 10GB). 2-hours HTTP client-traffic from LBL (ca. 670MB). Compare alerts and run-time. This does not evaluate the contextual signatures, but is a necessary first step to make sure the engine is usable. Overall results Systems mostly agree on alerts and show comparable run-time. More interesting: It is surprisingly difficult to compare two NIDSs.

Difficulties: Who s correct? If they disagree, who is correct? What is correct? Different internal semantics State management: Time-out based vs. memory-bounded. TCP stream reassembly: Real stream vs. virtual packets. Level of detail: Fine-grained vs. coarse-grained. How to configure the systems to compare the results?

Difficulties: Who s more efficient? Run-time depends on algorithms. Bro analyzes much more carefully than Snort. Run-time depends on traffic Small patch speeds up Snort by a factor of 2.6 for Web traffic. Snort s serial matching can be twice as fast as the parallel (!). Run-time depends on hardware Moving from P3 to P4, Bro gets faster while Snort gets slower. Bro vs. Snort: From 2 times slower to 3 times faster.

Summary Most deployed NIDSs use basic pattern matching. Contextual signatures consider more than bytes. Integration into Bro allows powerful applications. Leveraging Snort signatures provides a base set. It is hard to compare NIDs fairly. Future work: using contextual signatures operationally.

Enhancing Byte-Level Network Intrusion Detection Signatures with Context Robin Sommer sommer@in.tum.de Technische Universität München Germany Vern Paxson vern@icir.org International Computer Science Institute Lawrence Berkeley National Laboratory Berkeley, CA, USA

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback