building a provenance based intrusion detection system
play

Building a provenance-based intrusion detection system Thomas - PowerPoint PPT Presentation

Nov 04, 2023 •217 likes •783 views

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

  1. Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1

  2. Talk loosely based on following publications ● Han et al. “UNICORN: Revisiting Host-Based Intrusion Detection in the Age of Data Provenance” , NDSS 2020 ● Pasquier et al. “Runtime Analysis of Whole-System Provenance” , ACM CCS 2018 ● Han et al. “Provenance-based Intrusion Detection: Opportunities and Challenges” , USENIX TaPP 2018 ● Han et al. “FRAPpuccino: Fault-detection through Runtime Analysis of Provenance” , USENIX HotCloud 2017 ● Pasquier et al. “Practical Whole-System Provenance Capture” , ACM SoCC 2017 2

  3. Motivation: System call based intrusion detection System Calls 3

  4. Motivation: System call based intrusion detection System Calls Identify abnormal patterns 4

  5. Motivation: System call based intrusion detection System Calls Identify abnormal patterns Hidden among benign actions 5

  6. Motivation: System call based intrusion detection System Calls Identify abnormal patterns Hidden among benign actions Masquerading as benign action 6

  7. Motivation: System call based intrusion detection System Calls [...] Identify abnormal patterns Hidden among benign actions Masquerading as benign action [...] Over a long period of time 7

  8. What is provenance? 8

  9. What is provenance? - From the French “provenir” meaning “coming from” - Formal set of documents describing the origin of an art piece - Sequence of - Formal ownership - Custody - Places of storage - Used for authentication 9

  10. What is data-provenance? - Represent interactions between objects of different types - Data-items ( entities ) - Processing ( activities ) - Individuals and Organisations ( agents ) - Represented as a directed acyclic graph (think information flows) - Edges represent interactions between objects as dependencies - It is a representation of history - Immutable (unless it’s 1984) - No dependency to the future 10

  11. Example provenance (simplified) P1 11

  12. Example provenance (simplified) create P1 S1 12

  13. Example provenance (simplified) create P1 S1 read F1 P2 13

  14. Example provenance (simplified) create P1 S1 read send send F1 P2 S2 Pckt 14

  15. Example provenance (simplified) create P1 S1 read send send F1 P2 S2 Pckt rcv rcv P3 S3 Pckt 15

  16. Example provenance (simplified) create P1 S1 read send send F1 P2 S2 Pckt write rcv rcv F2 P3 S3 Pckt 16

  17. Example provenance (simplified) create P1 S1 Linux kernel compilation: ~2M graph elements read send send F1 P2 S2 Pckt write rcv rcv F2 P3 S3 Pckt 17

  18. How is this useful? 18

  19. Provenance-based intrusion detection ▪ Intuition : provenance graph exposes causality relationships between events 19

  20. Provenance-based intrusion detection ▪ Intuition : provenance graph exposes causality relationships between events 20

  21. Provenance-based intrusion detection Related events are connected even across long period of time ▪ 21

  22. How do we get the data? 22

  23. Capture methods Examples 1. Balakrishnan et al. " OPUS: A Lightweight System for Observational Provenance in User Space " Workshop on the Theory and Practice of Provenance . 2013 2. Muniswamy-Reddy et al. " Provenance-aware storage systems" USENIX ATC. 2006. 3. Pasquier et al. " Practical whole-system provenance capture " SoCC. 2017 4. Gehani et al. " SPADE: support for provenance auditing in distributed environments " Middleware Conference. 2012 23

  24. Capture methods Examples 1. Balakrishnan et al. " OPUS: A Lightweight System for Observational Provenance in User Space " Workshop on the Theory and Practice of Provenance . 2013 2. Muniswamy-Reddy et al. " Provenance-aware storage systems" USENIX ATC. 2006. 3. Pasquier et al. " Practical whole-system provenance capture " SoCC. 2017 4. Gehani et al. " SPADE: support for provenance auditing in distributed environments " Middleware Conference. 2012 24

  25. Interposition is unsafe ▪ Watson " Exploiting Concurrency Vulnerabilities in System Call Wrappers " WOOT. 2007 Time-of-audit-to-time-of-use attack ▪ – Race condition Syntactic Race ▪ – different copy of parameters Semantic Race ▪ – Kernel state may change 25

  26. Capture methods Examples 1. Based on Linux reference monitor 2. Best accuracy 3. Stronger formal guarantees 4. Formally specified semantic 5. Best performance Pasquier et al. “Runtime Analysis of Whole-System Provenance” , CCS 2018 26

  27. How to perform detection? 27

  28. Assumptions (and limitations) Runtime detection - We target environment with minimal human intervention - - relatively consistent behaviour - e.g. web servers, CI pipelines etc... Build a model of system behaviour (unsupervised training) - - in a controlled environment - from a representative workload (this is hard!) Detect deviation from the model - Several approaches being explored… - 28

  29. Example: UNICORN ▪ Han et al. “UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats” , NDSS 2020 29

  30. Example: UNICORN Graph streamed in, converted to histogram, labelled using (modified) 1) struct2vec 30

  31. Example: UNICORN 2) At regular interval, histogram converted to a fixed size vector using similarity preserving graph sketching 31

  32. Example: UNICORN 3) Feature vectors are clustered 32

  33. Example: UNICORN 4) Cluster forms “ meta-state ”, transitions are modelled In deployment, anomaly detected via clustering and “meta-state” model 33

  34. Relatively simple Labelled directed acyclic graph ▪ – node/edge types – security context (when available) Modification and combination of existing algorithms ▪ – struct2vec – similarity preserving hashing – clustering Right combination + domain knowledge ▪ 34

  35. How to evaluate? 35

  36. Comparison state of the art Manzoor et al. " Fast memory-efficient anomaly detection in streaming heterogeneous graphs " ACM KDD, 2016. R -> neighborhood size for struct2vec algorithm 36

  37. Evaluation with DARPA datasets 37

  38. Evaluation with DARPA datasets SUCH GOOD RESULTS ARE NOT NORMAL 38

  39. Building our own dataset ▪ Attack designed to look similar to background activity 39

  40. Building our own dataset ▪ Attack designed to look similar to background activity ▪ Is that enough? 40

  41. Runtime performance 41

  42. Runtime performance 42

  43. Runtime performance Memory usage: ~500MB CPU usage 15% on 1 core 43

  44. Some insights from this work 44

  45. We can build practical provenance-based IDSs We can detect intrusion out of graph structure with little metadata ▪ – Vertex type (thread, file, socket etc…) – Edge type (read, write, connect etc…) Processing speed ▪ – Current prototype – Data generation speed < processing speed! 45

  46. Proper evaluation is hard! - Dataset are hard to generate - What is a good quality dataset? - Hard to compare across papers, a lot is not available - Experiments (i.e. attacks) - Capture Mechanisms - Analysis pipelines - Leads to unsatisfactory evaluation - I may be able to compare to similar techniques (may reuse dataset) - … very hard for unrelated one (i.e. ingest different data type) - Adversarial ML? 46

  47. Identifying threats: explainability is a problem There is a problem within the last batch of X graph elements ▪ – 2,000 in previous figures Good luck finding out what went wrong ▪ Provenance forensic is an active field of research ▪ – Promising work out of the DARPA programme … but could we do better during detection? ▪ 47

  48. Thank you! Questions? tfjmp.org camflow.org 48

  49. CamFlow capture mechanism - Leverage existing kernel features whenever possible - Avoid alteration of existing code - We therefore build upon: - Linux Security Module - to capture system events - NetFilter - to capture network events - RelayFS - to transfer provenance to user space - SecurityFS - to provide a userspace interface for settings 49

  50. Extent of modification Modifications to the Linux Kernel code System Headers C File Total LoC PASS (v2.6.27) 18 69 87 5100 pub. 2006 LPM (v2.6.32) 13 61 74 2294 pub. 2015 CamFlow (v5.4.15) 3 0 3 4220 circa 2020 50

  51. Capture overhead Micro-benchmark Macro-benchmark Sys Call Whole Selective Prog. Whole Selective stat 100% 28% unpack 2% <1% open/close 80% 18% build 2% 0% fork 6% 2% postmark 11% 6% exec 3% <1% Selective : cost of allocating/freeing provenance “blob” + recording or not decision Whole : Selective + cost of recording provenance information 51

  52. IDS performance (more) 52

  53. IDS performance (more) 53

  54. IDS performance (more) CPU over long time period? 15% CPU time across cores 54

  55. Add a few slides on advanced persistent threats 55

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org

Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org

Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org 12/11/2020 1 Talk loosely based on following publications Han et al. SIGL: Securing Software Installations Through Deep Graph Learning ,

635 views • 41 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc Nguyen, Phillip Rieger, Markus Miettinen, Ahmad-Reza Sadeghi Typical IoT Devices 2 IoT The S stands for Security 3 Mirai: Largest Disruptive

508 views • 33 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Kargus: A Highly scalable Software based Intrusion Detection System M. Asim Jamshed * ,

Kargus: A Highly scalable Software based Intrusion Detection System M. Asim Jamshed * ,

Kargus: A Highly scalable Software based Intrusion Detection System M. Asim Jamshed * , Jihyung Lee , Sangwoo Moon , InsuYun * , Deokjin Kim , Sungryoul Lee , Yung Yi , KyoungSoo Park * * Networked &amp; Distributed

776 views • 41 slides
A NEW HOD BASED INTRUSION DETECTION SYSTEM FOR WIRELESS SENSOR NETWORK IK2206: Internet Security

A NEW HOD BASED INTRUSION DETECTION SYSTEM FOR WIRELESS SENSOR NETWORK IK2206: Internet Security

A NEW HOD BASED INTRUSION DETECTION SYSTEM FOR WIRELESS SENSOR NETWORK IK2206: Internet Security and Privacy Sumanta Saha Md. Safiqul Islam Md. Sakhawat Hossen W IRELESS A D H OC N ETWORK Wireless ad hoc networks are autonomous nodes that

372 views • 15 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
BT-IDS: An anomaly-based Intrusion Detection System for Bluetooth Devices Shalaka Satam, Pratik

BT-IDS: An anomaly-based Intrusion Detection System for Bluetooth Devices Shalaka Satam, Pratik

BT-IDS: An anomaly-based Intrusion Detection System for Bluetooth Devices Shalaka Satam, Pratik Satam and Salim Hariri Cloud and Autonomic Computing Center Semi Annual IAB Meeting Tucson, Arizona Project Team Members n UA Faculty p Salim

269 views • 11 slides
Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar Supervisor: Prof. Slobodan Petrovic FINSE 10th of may 2017 Contents Introduction Snort: a misuse-based intrusion detection Problem

247 views • 14 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to signature-based PCA detection Human intervention By Jeff Terrell Not adaptive; can't learn For COMP 290 - IDS - Spring 2005 Can be

360 views • 7 slides
Anomaly Based Intrusion Detection in Distributed Applications without global clock Eric Totel,

Anomaly Based Intrusion Detection in Distributed Applications without global clock Eric Totel,

Anomaly Based Intrusion Detection in Distributed Applications without global clock Eric Totel, Mouna Hkimi, Michel Hurfin, Mourad Leslous, Yvan Labiche SEC2-2016 5 July 2016 Outline of the Presentation Position of the problem Building

374 views • 26 slides
Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior that characterizes intruders While avoiding improper detection of legitimate access At a reasonable cost Lecture 11 Page 1 CS 236 Online

426 views • 13 slides
21 st May 2020 Topics to cover Interpretation of Policy Decision making and the tilted

21 st May 2020 Topics to cover Interpretation of Policy Decision making and the tilted

Tom Cosgrove QC and Robin Green 21 st May 2020 Topics to cover Interpretation of Policy Decision making and the tilted balance Green Belt Heritage Interpretation of Policy Policy Interpretation Two aspects: (i) Approach to

1.1k views • 67 slides
Lecture 12: Kuhn and Revolutions 1 From lecture 11: 1. Pre-paradigm science... 2. Normal

Lecture 12: Kuhn and Revolutions 1 From lecture 11: 1. Pre-paradigm science... 2. Normal

HPSC 1001/1901/2101/2901 WHAT IS THIS THING CALLED SCIENCE? Semester 2, 2020 Lecture 12: Kuhn and Revolutions 1 From lecture 11: 1. Pre-paradigm science... 2. Normal science... 3. Accumulation of Anomalies... 4. Crisis... then 5.

536 views • 14 slides
Plan for this class Welcome to 4003-380 Logistics Introduction to CS Theory Syllabus

Plan for this class Welcome to 4003-380 Logistics Introduction to CS Theory Syllabus

Plan for this class Welcome to 4003-380 Logistics Introduction to CS Theory Syllabus &amp; Ground Rules Student Info Forms / Attendance Joe Geigel What is this Course About ------ break --------- Discrete Math Review

107 views • 7 slides
Parent Delegate &amp; Alternate Meeting October 26, 2016 Perceptions &amp; Expectations: How

Parent Delegate &amp; Alternate Meeting October 26, 2016 Perceptions &amp; Expectations: How

Parent Delegate &amp; Alternate Meeting October 26, 2016 Perceptions &amp; Expectations: How They Impact the Equitable Learning Environment. Whats In a Name? 1. Does your name have a special meaning or significance to you? What is

292 views • 14 slides
Discussion on Parallel Session Land and Property Rights Amelia U. Santos-Paulino UNCTAD Think

Discussion on Parallel Session Land and Property Rights Amelia U. Santos-Paulino UNCTAD Think

Discussion on Parallel Session Land and Property Rights Amelia U. Santos-Paulino UNCTAD Think Development Think WIDER Conference 14 September 2018, Helsinki 1 Some background Land and property rights Around 70% of land in developing

399 views • 11 slides
SOCI 224: Social Structure of Modern of Ghana Session 2 The Political Institution in

SOCI 224: Social Structure of Modern of Ghana Session 2 The Political Institution in

SOCI 224: Social Structure of Modern of Ghana Session 2 The Political Institution in Transition Lecturers: Dr. Fidelia Ohemeng &amp; Dr. Mark K. M. Obeng Department of Sociology Contact Information: fohemeng@ug.edu.gh College of Education

947 views • 19 slides
Mathematical Practice and Human Cognition Remarks on Quinns Science of Mathematics Bernd

Mathematical Practice and Human Cognition Remarks on Quinns Science of Mathematics Bernd

Mathematical Practice and Human Cognition Remarks on Quinns Science of Mathematics Bernd Buldt Department of Philosophy Indiana U - Purdue U Fort Wayne (IPFW) Fort Wayne, IN, USA e-mail: buldtb@ipfw.edu CL 16 Hamburg 2016

536 views • 25 slides
Custom Functions for Specifying Nonlinear Terms to gnm Heather Turner, David Firth and Andy

Custom Functions for Specifying Nonlinear Terms to gnm Heather Turner, David Firth and Andy

Custom Functions for Specifying Nonlinear Terms to gnm Heather Turner, David Firth and Andy Batchelor Department of Statistics University of Warwick, UK H. Turner, D. Firth and A. Batchelor () Custom nonlin Functions UseR August 2008

365 views • 19 slides

More recommend