Designing a Web of Highly-Configurable Intrusion Detection Sensors (PowerPoint presentation)

Giovanni Vigna, Richard A. Kemmerer, and Per Blix, RAID 2001


1. Designing a Web of Highly-Configurable Intrusion Detection Sensors
Giovanni Vigna, Richard A. Kemmerer, and Per Blix
RAID 2001
Reliable Software Group, University of California Santa Barbara
http://www.cs.ucsb.edu/~rsg

2. Intrusion Detection
• Intrusion detection is traditionally based on analysis of low-level events: network packets, system calls, audit records
• Intrusion detection has evolved in several ways
  – New analysis techniques
  – Multiple event sources, possibly introducing distribution
  – Abstraction: fusion/correlation of high-level events, e.g., alerts
• Monitor and surveillance functionality is always/still based on sensors

3. Intrusion Detection Sensor Limitations
• Sensors are developed in an ad hoc fashion to match specific environments/domains/event sources
• Sensors are hard to configure
• Sensors are hard to control
• Sensors are hard to extend
• Configuration/control/extension is mostly executed statically
• Configuration is mostly done manually
• Identifying a “meaningful” sensor configuration can be difficult
• The number of sensors that can be easily managed is small

4. A Web of Sensors
• A set of heterogeneous sensors that provide intrusion detection functionality within a protected network
  – STAT Framework
  – STATL and the STAT core
• Sensors are controlled, coordinated, and configured by means of a distributed infrastructure
  – MetaSTAT
• Explicit modeling of component dependencies and of the current sensor configuration supports automated “meaningful” reconfigurations

5. The STAT Framework
A framework supporting the development of intrusion detection infrastructures in heterogeneous environments
• Based on the State Transition Analysis Technique
• Defines a “core” language, STATL, that defines domain-independent abstractions
• Provides a “core” module that implements STATL semantics
• Supports development of core extension modules (Language Extensions, Event Providers, Attack Scenarios, Response Modules)
• Provides a communication and control infrastructure

6. State Transition Analysis Technique
• STAT models penetrations as a sequence of state transitions
• Represents only the key activities that lead from an initial safe state to a final compromised state
  – Signature Actions
  – State Assertions

7. State Transition Diagrams
[Figure: a state transition diagram running from an initial state to a compromised state. Labels recoverable from the slide: “Attacker has limited privileges”, “Attacker illicitly gains more privileges”, “signature actions” (on the transitions), “state assertions” (on the states), “initial state”, “compromised state”.]

8. STATL
• A STATL specification is the description of a complete attack scenario (a signature) in terms of states and transitions
• Domain-independent language
  – Extensions for
    • IP networks
    • Solaris BSM
    • WinNT event logging facility
    • Apache event logs
    • Syslog facility
    • IDMEF Alerts
• Parameterized descriptions
  – Generic attacks customizable by installation or policy

9. The STAT Core Module
• Implements STATL basic abstractions
  – Scenario
  – State
  – Transitions (consuming, non-consuming, unwinding)
  – Signature actions
  – Assertions
  – Global environment
  – Local environment
  – Code fragments
  – Events
  – Timers
  – Synthetic events
• Defines general semantics
  – Event matching
  – Scenario processing
  – Unwinding
• Can be dynamically extended to build a STAT-based sensor
  – Scenario plugins
  – Language extensions
  – Event providers
  – Response modules

10. The Framework At Work
• Define a Language Extension, i.e., the events, types, and predicates to be used in a specific domain
• Compile the extension into a Language Extension Module
• Develop an Event Provider that transforms external data into events as defined by one or more Language Extensions
• Compile the Event Provider into a dynamically linkable module
• Develop STATL scenarios that use the events defined in one or more Language Extensions
• Translate/compile the scenario into a Scenario Plugin
• If necessary, develop response libraries to be used with the scenario
• Link everything together (shake well) and run your sensor
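The pieces named on slides 6, 9 and 10 (a language extension defining event types, an event provider turning raw data into events, a scenario made of states and transitions with signature actions and state assertions, consuming and non-consuming transitions, local and global environments, and a response module) carried through as one small working engine. This is an added illustration written for this page, not the STAT core or the STATL compiler of the paper: the class and function names (Event, provide_events, Transition, Scenario, run_sensor), the log-line format and the sample log lines are all constructed assumptions.

```python
"""Toy state-transition scenario engine in the spirit of STAT/STATL (added example, not STAT code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


# "Language Extension": the event type for a constructed login/privilege domain.
@dataclass(frozen=True)
class Event:
    kind: str   # one of: login_fail, login_ok, su_root  (constructed event kinds)
    host: str
    user: str
    ts: int


# "Event Provider": turns raw external data (here, a constructed log format) into Events.
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) (?P<kind>\w+) user=(?P<user>\S+)$")

def provide_events(lines: List[str]) -> List[Event]:
    """Parse log lines; lines that do not match the format are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["kind"], m["host"], m["user"], int(m["ts"])))
    return events


# "Scenario Plugin": states, transitions, signature actions, assertions, response.
@dataclass
class Transition:
    src: str
    dst: str
    action: Callable[[Event, dict, dict], bool]   # signature action over (event, local env, global env)
    consuming: bool = True                        # consuming: move this instance; non-consuming: fork a new one
    update: Optional[Callable[[Event, dict, dict], None]] = None  # code fragment run when the transition fires


@dataclass
class Instance:
    state: str
    env: Dict = field(default_factory=dict)       # local environment of one scenario instance


class Scenario:
    def __init__(self, initial, final, transitions, assertions, response, global_env):
        self.final, self.transitions, self.response = final, transitions, response
        self.assertions = assertions              # state -> predicate(local env) that must hold on entry
        self.globals = global_env                 # global environment shared by all instances
        self.instances = [Instance(initial)]      # prototype instance that never leaves the initial state

    def process(self, ev: Event) -> List[str]:
        forked = []
        for inst in self.instances:
            for t in self.transitions:
                if t.src != inst.state or not t.action(ev, inst.env, self.globals):
                    continue
                env = dict(inst.env)
                if t.update:
                    t.update(ev, env, self.globals)
                if not self.assertions.get(t.dst, lambda e: True)(env):
                    continue                      # state assertion violated: the transition does not fire
                if t.consuming:
                    inst.state, inst.env = t.dst, env
                else:
                    forked.append(Instance(t.dst, env))
                break                             # simplification: one transition per instance per event
        self.instances.extend(forked)
        alerts = [self.response(i.env) for i in self.instances if i.state == self.final]
        self.instances = [i for i in self.instances if i.state != self.final]
        return alerts


def same_subject(ev, env, g):
    return ev.host == env["host"] and ev.user == env["user"]

def start_tracking(ev, env, g):   # fork a new instance only for a (host, user) not yet tracked
    return ev.kind == "login_fail" and (ev.host, ev.user) not in g["tracked"]

def bind_subject(ev, env, g):
    env.update(host=ev.host, user=ev.user, fails=1)
    g["tracked"].add((ev.host, ev.user))

def build_scenario() -> Scenario:
    """Scenario: repeated failed logins, then a successful login, then su to root -> compromised."""
    return Scenario(
        initial="s0", final="compromised",
        transitions=[
            Transition("s0", "s1", start_tracking, consuming=False, update=bind_subject),
            Transition("s1", "s1", lambda e, env, g: e.kind == "login_fail" and same_subject(e, env, g),
                       update=lambda e, env, g: env.__setitem__("fails", env["fails"] + 1)),
            Transition("s1", "s2", lambda e, env, g: e.kind == "login_ok" and same_subject(e, env, g)),
            Transition("s2", "compromised", lambda e, env, g: e.kind == "su_root" and same_subject(e, env, g)),
        ],
        assertions={"s2": lambda env: env["fails"] >= 3},   # state assertion: enough failures before success
        response=lambda env: f"ALERT {env['host']}: {env['user']} reached root after {env['fails']} failed logins",
        global_env={"tracked": set()},
    )


SAMPLE_LOG = [  # constructed sample input
    "100 host1 login_fail user=alice", "105 host1 login_fail user=alice", "110 host1 login_fail user=alice",
    "115 host2 login_fail user=bob", "120 host1 login_ok user=alice", "125 host2 login_ok user=bob",
    "130 host1 su_root user=alice", "135 host2 su_root user=bob",
]

def run_sensor(lines: List[str]):
    """Link everything together and run: returns (alerts, states of surviving instances)."""
    sc = build_scenario()
    alerts = []
    for ev in provide_events(lines):
        alerts.extend(sc.process(ev))
    return alerts, [i.state for i in sc.instances]

if __name__ == "__main__":
    for alert in run_sensor(SAMPLE_LOG)[0]:
        print(alert)
```

On the sample log, alice's three failures, successful login and su produce one alert, while bob's single failure leaves his instance parked in s1 because the s2 assertion rejects the login_ok transition. Unwinding transitions, timers and synthetic events from slide 9 are deliberately left out to keep the engine short.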

11. Creating a Sensor
[Figure: “Creating a Sensor” diagram with an off-line process on the left and the run-time architecture on the right. Off-line process: STATL attack scenarios and an application-specific language extension (a “sensor language”) go through compilation steps into Scenario Plugins and a Language Extension Module. Run-time architecture: the STAT Core Module, the Language Extension Module, the Event Provider and the Scenario Plugins together form the Intrusion Detection System sensor.]
