SLIDE 1

D1 - 21/11/05

France Telecom Research & Development

ACI DADDi meeting of 18 November 2005

Hervé Debar (France Télécom R&D), based on the work of Elvis Tombini

SLIDE 2

Distribution of this document is subject to France Telecom’s authorization D2 - 21/11/05


Overview of WebAnalyser

  • 664 signatures that recognize
    – Attacks (~50%)
    – Attack hints (e.g. evasive actions, Perl code, …)
    – Attack contexts (e.g. method, status code)
    – Combinations of signatures (a.k.a. Prolog rules)
  • Diagnosis based on a severity value S
    – Non-negative integer
    – Function of the severity value of each matching signature
    – 0 means no known abnormal element found in the log entry
  • 4 classes of output:
    – C0: S = 0, normal
    – C1: S in [1,4], abnormal encodings and unsuccessful attacks
    – C2: S in [5,8], possibly successful, no automated interpretation possible
    – C3: S ≥ 9, definitely successful attacks
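The classification above as an added worked example (Python written for this page, not WebAnalyser's own code, which is not reproduced here). It parses Common Log Format lines, fires a hypothetical six-entry signature table covering the three kinds listed (attack, hint, context), applies two combination rules in place of the Prolog rules, and maps the resulting severity to C0..C3 with the thresholds from the slide. The aggregation (sum of signature severities plus rule bonuses) is an assumption, since the slides give no formula; the signature names, patterns and log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Apache/NCSA Common Log Format: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Split one CLF line into its fields; None if the line does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

@dataclass(frozen=True)
class Signature:
    name: str
    kind: str            # "attack", "hint" or "context"
    field: str           # log field the pattern is applied to
    pattern: re.Pattern
    severity: int        # contribution to S when the signature fires

# Hypothetical signature table. WebAnalyser has 664; these six only illustrate the three kinds.
SIGNATURES: List[Signature] = [
    Signature("path-traversal", "attack", "uri", re.compile(r"\.\./|%2e%2e", re.I), 3),
    Signature("cmd-exec", "attack", "uri", re.compile(r"/bin/sh|cmd\.exe", re.I), 3),
    Signature("hint-overlong-utf8", "hint", "uri", re.compile(r"%c0%af|%c1%9c", re.I), 1),
    Signature("hint-perl-code", "hint", "uri", re.compile(r"perl(?:\s|\+|%20)+-e", re.I), 1),
    Signature("ctx-2xx", "context", "status", re.compile(r"^2\d\d$"), 0),
    Signature("ctx-5xx", "context", "status", re.compile(r"^5\d\d$"), 0),
]

def match_signatures(entry: Dict[str, str]) -> List[Signature]:
    return [s for s in SIGNATURES if s.pattern.search(entry.get(s.field) or "")]

def _has(fired: List[Signature], kind: Optional[str] = None, name: Optional[str] = None) -> bool:
    return any((kind is None or s.kind == kind) and (name is None or s.name == name) for s in fired)

# Combination rules (the slide's "Prolog rules"): each maps the set of fired signatures to an
# extra severity. Context signatures carry 0 on their own and only count through a rule.
RULES: List[Callable[[List[Signature]], int]] = [
    # attack payload answered with 2xx: treat as definitely successful
    lambda fired: 6 if _has(fired, kind="attack") and _has(fired, name="ctx-2xx") else 0,
    # attack payload followed by a 5xx: the server choked on it, outcome unknown
    lambda fired: 3 if _has(fired, kind="attack") and _has(fired, name="ctx-5xx") else 0,
]

def severity(fired: List[Signature]) -> int:
    # Assumed aggregation: sum of signature severities plus rule bonuses (the slides give no formula).
    return sum(s.severity for s in fired) + sum(rule(fired) for rule in RULES)

def classify(s: int) -> str:
    if s == 0:
        return "C0"   # normal
    if s <= 4:
        return "C1"   # abnormal encodings, unsuccessful attacks
    if s <= 8:
        return "C2"   # possibly successful, needs manual interpretation
    return "C3"       # definitely successful

def diagnose(line: str) -> Dict[str, object]:
    entry = parse_clf(line)
    if entry is None:
        return {"class": "unparsed", "severity": -1, "signatures": []}
    fired = match_signatures(entry)
    s = severity(fired)
    return {"class": classify(s), "severity": s, "signatures": [f.name for f in fired]}

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Nov/2005:10:00:01 +0100] "GET /forum/index.php?id=1 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [18/Nov/2005:10:00:02 +0100] "GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312',
    '192.0.2.12 - - [18/Nov/2005:10:00:03 +0100] "GET /cgi-bin/run.cgi?c=/bin/sh+-c+perl+-e+1 HTTP/1.1" 500 0',
    '192.0.2.13 - - [18/Nov/2005:10:00:04 +0100] "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.1" 200 1840',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        d = diagnose(line)
        print(d["class"], d["severity"], d["signatures"])
```

Run as a script it prints one class per sample line: C0 for the forum request, C1 for the encoded cmd.exe request that got a 404, C2 for the shell payload that produced a 500, and C3 for the traversal that was answered with a 200. The second and fourth lines carry attacks of the same weight; only the context signature and the rule built on it separate "unsuccessful" from "definitely successful", which is the point of keeping contexts in the signature base.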
SLIDE 3


Back to basic definitions

Figure (Venn diagram): anomaly detection models known normal behaviour and labels each event Normal or Unknown; misuse detection models known attacks and labels each event Attack or Unknown. Against the ground truth (really safe events vs. really intrusive events), each of the two detectors has its own false positives and false negatives.

SLIDE 4


Flat combination (NIDES88-92)

Figure: the anomaly detector's results (Safe / Unknown) and the misuse detector's results (Unknown / Intrusive) drawn over the same population of intrusive events and normal activity. Combining the two verdicts flat, as NIDES did, raises a conflict: what to do when one detector says Safe and the other Intrusive. The anomaly side's false negatives (intrusive events declared safe) and the misuse side's false positives (normal activity matching a signature) both remain visible.

SLIDE 5


Distribution of web server logs

Diagnosis                                     France Télécom 2001   Supélec 2003
Normal traffic                                89.13%                79.14%
Abnormal artifacts and unsuccessful attacks   10.87%                20.82%
Definite attempts, mostly unsuccessful        -                     0.03%
Possibly successful attacks                   -                     0.01%

SLIDE 6


Reshaping volumes

Figure: the same two result sets (Safe / Unknown from anomaly detection, Unknown / Intrusive from misuse detection) over intrusive events and normal activity, redrawn with the volumes reshaped to match the distribution of real web logs: the Safe region covers most of the normal activity, and only the misuse detector's false positives remain, the anomaly detector's false negatives being removed by the assumption below.

Our assumption: anomaly detection is correct on safe, i.e. an event it labels Safe really is safe (no false negatives in that class).

SLIDE 7


Cascading instead of combining

Figure: the anomaly detector runs first and its Safe verdict is final; only the events it leaves Unknown reach the misuse detector, which splits them into Intrusive and Unknown. The misuse detector's false positives and false negatives are therefore confined to the anomaly detector's Unknown region, and the conflict of the flat combination disappears.

SLIDE 8


Resize and recognize unknown

Figure: the cascade with the Unknown region resized. What the anomaly detector does not recognize is handed to the misuse detector, which either recognizes it as Intrusive or leaves it in a residual Unknown set; the remaining false positives and false negatives sit in that residual set rather than among the events declared Safe.

SLIDE 9


Cascade architecture

Figure (flow chart):
  Event → Normalizer → Anomaly detection → "Normal event?"
    YES → normal event (safe)
    NO  → Misuse detection → "Identified misuse?"
            YES → Counter measure
            NO  → Unknown anomaly → Diagnostic feedback

Three-state diagnosis: normal event, identified misuse, unknown anomaly.

SLIDE 10


Simple anomaly detection system: resource tree

Resource tree of the example site; each resource carries the set of parameter names seen with it:

  /
  ├── index.php                {}
  ├── forum/
  │   ├── index.php            {id} (also requested without parameters)
  │   └── submit.php           {id, subject, content}
  └── news/index.php

Requests that built it:
  http://myserver/
  http://myserver/forum/index.php
  http://myserver/forum/index.php?id=1
  http://myserver/forum/submit.php?id=1&subject=security+failure&content=such

SLIDE 11


Characteristics of resources

  • Eliminated fields
    – IP address
    – Size
  • Fields used for characterizing resources
    – Existence of auth data (not the data itself): protected resource
    – Timestamp (week-end, week-day)
    – Method (GET, POST, HEAD, anything else)
    – Existence of parameters (dynamic resource)
    – Protocol (1.x or 0.9)
    – Response (status code)
  • Additional computed variables (volume information)
    – Average number of requests per day
    – Proportion of this request among the others per day
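The resource tree, the characterization fields above and the three-state cascade, together as one added example (Python written for this page, not Elvis Tombini's system). Log entries arrive already normalized, as dicts. A resource is a path plus the names of its parameters, the profile tuple holds exactly the fields listed above (IP address and size dropped), and the model of normal behaviour is an assumed simplification standing in for the clustering of the following slides: the set of profiles seen in a training log with a 2xx/3xx status, plus 404s, which the later slides choose to keep in the model. The misuse stage is four hypothetical regular expressions. Every entry is constructed.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, FrozenSet, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# A normalized log entry: the fields an event normalizer extracts from one CLF line.
Entry = Dict[str, str]

def entry(method: str, uri: str, status: str, time: str = "18/Nov/2005:10:00:00 +0100",
          user: str = "-", proto: str = "HTTP/1.1") -> Entry:
    return {"method": method, "uri": uri, "status": status, "time": time, "user": user, "proto": proto}

def resource_of(e: Entry) -> Tuple[str, FrozenSet[str]]:
    """A resource is the request path plus the *names* of its parameters; values are dropped."""
    parts = urlsplit(e["uri"])
    return parts.path.lower(), frozenset(parse_qs(parts.query, keep_blank_values=True))

def build_resource_tree(entries: List[Entry]) -> Dict:
    """Nested dict of path segments; the "" key at a node holds the parameter sets seen for it."""
    tree: Dict = {}
    for e in entries:
        path, params = resource_of(e)
        node = tree
        for seg in filter(None, path.split("/")):
            node = node.setdefault(seg, {})
        node.setdefault("", set()).add(params)
    return tree

def characterize(e: Entry) -> Tuple:
    """The characterization fields of the slide; IP address and size are deliberately left out."""
    path, params = resource_of(e)
    ts = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    return (
        path,
        e["user"] != "-",                                   # auth data present, not the data itself
        ts.weekday() >= 5,                                  # week-end vs week-day
        e["method"] if e["method"] in ("GET", "POST", "HEAD") else "OTHER",
        bool(params),                                       # dynamic resource
        "1.x" if e["proto"].startswith("HTTP/1.") else "0.9",
        e["status"],
    )

def volume_profile(entries: List[Entry]) -> Dict[str, Tuple[float, float]]:
    """Per path: mean requests per day and share of all requests (the computed volume variables)."""
    days = {e["time"][:11] for e in entries}               # dd/Mon/yyyy prefix of the timestamp
    counts = Counter(resource_of(e)[0] for e in entries)
    return {p: (n / len(days), n / len(entries)) for p, n in counts.items()}

def train_model(training: List[Entry]) -> Set[Tuple]:
    """Assumed stand-in for the clustering: a profile is normal if the training log shows it
    with a 2xx/3xx status (groups 2 and 6) or a 404 (group 3, kept in the model)."""
    return {characterize(e) for e in training if e["status"][0] in "23" or e["status"] == "404"}

# Minimal misuse stage: a handful of hypothetical attack patterns stands in for the signature base.
ATTACK_SIGNATURES = [re.compile(p, re.I) for p in (r"\.\./", r"/bin/sh", r"cmd\.exe", r"%c0%af")]

def cascade(e: Entry, model: Set[Tuple]) -> str:
    """Three-state diagnosis of the cascade architecture."""
    if characterize(e) in model:
        return "Safe"        # known normal: misuse detection never sees the event
    if any(s.search(e["uri"]) for s in ATTACK_SIGNATURES):
        return "Intrusive"   # identified misuse: counter measure
    return "Unknown"         # unknown anomaly: diagnostic feedback

# Constructed training log (one ordinary week-day on the example site), not a real capture.
TRAINING = [
    entry("GET", "/", "200"),
    entry("GET", "/index.php", "200"),
    entry("GET", "/forum/index.php", "200"),
    entry("GET", "/forum/index.php?id=1", "200"),
    entry("GET", "/forum/submit.php?id=1&subject=security+failure&content=such", "200"),
    entry("GET", "/news/index.php", "200"),
    entry("GET", "/favicon.ico", "404"),      # recurrent automated error, group 3
]

# Constructed test events.
TESTS = {
    "same resource, other value": entry("GET", "/forum/index.php?id=7", "200"),
    "known resource on a Saturday": entry("GET", "/forum/index.php?id=1", "200",
                                          time="19/Nov/2005:03:12:00 +0100"),
    "encoded traversal to cmd.exe": entry("GET", "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir",
                                          "404", proto="HTTP/1.0"),
    "traversal inside a known parameter": entry("GET", "/forum/index.php?id=../../../../etc/passwd", "200"),
}

if __name__ == "__main__":
    model = train_model(TRAINING)
    for label, e in TESTS.items():
        print(f"{cascade(e, model):9s} {label}")
```

The first three test events behave as the cascade intends: a new parameter value on a known resource is Safe, the same request on a Saturday falls outside the week-day profile and ends as Unknown (feedback, not an alert), and the encoded cmd.exe request is handed to the misuse stage and recognized. The fourth shows the cost of the assumption that anomaly detection is correct on safe: because this profile keeps only parameter names, a traversal in the value of a known parameter on a known resource is declared Safe and the misuse stage never sees it. A model that is allowed to short-circuit the signature base in this way has to be built on fields that an attacker cannot satisfy while carrying a payload.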
SLIDE 12


Clustering

Group   Nb of resources   Percentage   Nb of requests   Percentage
1             215            0.99%          1051           0.12%
2           12751           58.82%        714115          82.46%
3            2216           10.22%         74981           8.66%
4            4483           20.68%         10014           1.16%
5            1628            7.51%          1965           0.23%
6             386            1.78%         63911           7.38%

SLIDE 13


Group interpretation

  • Group 2: successful GET requests (200, 300)
    – Normal activity of the web server
  • Group 6: redirected GET requests (300)
    – Small in number of resources, large in number of requests
    – Also representative of normal activity
  • Group 3: unsuccessful GET and HEAD
  • Group 4: similar to 3, but concentrated on week-days
  • Group 5: similar to 3, but concentrated on week-ends
  • Group 1: large variance on all variables
SLIDE 14


Group profiles summary

Profile                 Name                 Groups
Method + status code    Successful GET       2, 6
                        Failed GET           3, 4, 5
                        Trash can …          1
Requests by day         All days             2, 3, 6
                        Separation WD/WE     1, 4, 5
Volume                  Large                2
                        Average              3, 6
                        Small                1, 4, 5

SLIDE 15


Model of normal behaviour

  • Groups 2 + 6: normal
    – 90% of the activity, on well defined resources
  • Groups 4 + 5: not normal
    – 28% of the resources for only 2% of the requests
    – But no particular issue either
  • Group 3
    – Close to 2 and 6, but with 404 responses
    – Interpretation: recurrent errors of automated processes
    – Can also be demonstrative of failed worm attempts
    – Chosen to integrate into the normal model for the moment
  • Group 1
    – Too much statistical variation to be assigned to the model
SLIDE 16


Model evaluation

  • It is possible to construct a simple behaviour model
  • It misses a few failed attempts: the malicious resources that fall in group 3, which is part of the model

Group   In model   Number of resources   Malicious resources
1         No               216                   23
2         Yes            12751                    -
3         Yes             2219                   24
4         No              4483                  111
5         No              1628                  386
6         Yes              386                    -

SLIDE 17


Example results

Misuse detection alone (2.2 M events):
  Unknown:    C0 = 1.75 M events
  Intrusive:  C1 = 450 k, C2 = 786, C3 = 368

Anomaly detection then misuse detection (cascade, same 2.2 M events):
  Safe:       2.1 M events
  Unknown:    C0 = 100 k events
  Intrusive:  C1 = 20 k, C2 = 236, C3 = 368

C3 is identical in both runs, while C1 drops from 450 k to 20 k and C2 from 786 to 236: the cascade removes false positives without losing any of the definite attacks.

SLIDE 18


Manual analysis of the combination results

  • Safe events (2.1 M)
    – No attack found
  • Intrusive events (20 k)
    – C1: false positives remain
    – C2: most false positives eliminated
    – C3: real attacks
  • Unknown events (100 k)
    – No attack found

Note: false positive = no operator action required