Designing a Web of Highly-Configurable Intrusion Detection Sensors (PowerPoint presentation)

SLIDE 1

Designing a Web of Highly-Configurable Intrusion Detection Sensors

Giovanni Vigna, Richard A. Kemmerer, and Per Blix
RAID 2001

Reliable Software Group, University of California, Santa Barbara

http://www.cs.ucsb.edu/~rsg

SLIDE 2

STAT

Intrusion Detection

  • Intrusion detection is traditionally based on the analysis of low-level events: network packets, system calls, audit records
  • Intrusion detection has evolved in several ways
    – New analysis techniques
    – Multiple event sources, possibly introducing distribution
    – Abstraction: fusion/correlation of high-level events, e.g., alerts
  • Monitoring and surveillance functionality is always/still based on sensors

SLIDE 3

Intrusion Detection Sensor Limitations

  • Sensors are developed in an ad hoc fashion to match specific environments/domains/event sources
  • Sensors are hard to configure
  • Sensors are hard to control
  • Sensors are hard to extend
  • Configuration/control/extension is mostly performed statically
  • Configuration is mostly done manually
  • Identifying a “meaningful” sensor configuration can be difficult
  • The number of sensors that can be easily managed is small

SLIDE 4

A Web of Sensors

  • A set of heterogeneous sensors that provide intrusion detection functionality within a protected network
    – STAT Framework
    – STATL and the STAT core
  • Sensors controlled, coordinated, and configured by means of a distributed infrastructure
    – MetaSTAT
  • Explicit modeling of component dependencies and of the current sensor configuration supports automated “meaningful” reconfigurations

SLIDE 5

The STAT Framework

Framework supporting the development of intrusion detection infrastructures in heterogeneous environments

  • Based on the State Transition Analysis Technique
  • Defines a “core” language, STATL, that provides domain-independent abstractions
  • Provides a “core” module that implements the STATL semantics
  • Supports the development of core extension modules (Language Extensions, Event Providers, Attack Scenarios, Response Modules)
  • Provides a communication and control infrastructure

SLIDE 6

State Transition Analysis Technique

  • STAT models penetrations as sequences of state transitions
  • Represents only the key activities that lead from an initial safe state to a final compromised state
    – Signature actions
    – State assertions

SLIDE 7

State Transition Diagrams

[Diagram: a chain of states from the initial state to the compromised state, connected by signature actions, with state assertions attached to the states. The example runs from “Attacker has limited privileges” to “Attacker illicitly gains more privileges”.]

SLIDE 8

STATL

  • A STATL specification is the description of a complete attack scenario (a signature) in terms of states and transitions
  • Domain-independent language
    – Extensions for
      • IP networks
      • Solaris BSM
      • WinNT event logging facility
      • Apache event logs
      • Syslog facility
      • IDMEF alerts
  • Parameterized descriptions
    – Generic attacks customizable by installation or policy

SLIDE 9

The STAT Core Module

  • Implements the STATL basic abstractions
    – Scenario
      • State
      • Transitions (consuming, non-consuming, unwinding)
      • Signature actions
      • Assertions
      • Global environment
      • Local environment
      • Code fragments
    – Events
    – Timers
    – Synthetic events
  • Defines the general semantics
    – Event matching
    – Scenario processing
    – Unwinding
  • Can be dynamically extended to build a STAT-based sensor
    – Scenario plugins
    – Language extensions
    – Event providers
    – Response modules

SLIDE 10

The Framework At Work

  • Define a Language Extension, i.e., the events, types, and predicates to be used in a specific domain
  • Compile the extension into a Language Extension Module
  • Develop an Event Provider that transforms external data into events as defined by one or more Language Extensions
  • Compile the Event Provider into a dynamically linkable module
  • Develop STATL scenarios that use the events defined in one or more Language Extensions
  • Translate/compile each scenario into a Scenario Plugin
  • If necessary, develop response libraries to be used with the scenario
  • Link everything together (shake well) and run your sensor

SLIDE 11

Creating a Sensor

[Diagram. Off-line process: the STATL core language and an application-specific language extension are compiled into a language extension module; attack scenarios are compiled into scenario plugins; the event provider is compiled as well. Run-time architecture: the STAT core module, the language extension module, the scenario plugins and the event provider together form the intrusion detection sensor.]

SLIDE 12

OK, You Can Develop Your Own IDS, But...

  • What if one wants to change the configuration of a sensor at run time, without having to stop the whole thing?
  • How can one be sure that all the pieces (extensions, providers, scenarios) fit together?
  • What if one wants to control a multitude of sensors deployed throughout the network?
  • What if one wants to aggregate/fuse/correlate the alerts produced by the deployed sensors?

SLIDE 13

MetaSTAT

  • A communication and control infrastructure for STAT-based sensors
  • The CommSTAT communication infrastructure allows for the exchange of alerts and control commands over secure connections
  • The MetaSTAT Controller dispatches commands to the sensors
  • The STAT Proxy mediates communication
    – Performs local module management (installation/configuration)
    – Relays commands to sensors (loading/activation)

SLIDE 14

MetaSTAT

  • The MetaSTAT Configurator manages sensors
    – Database of available modules and corresponding dependencies
    – Database of current sensor configurations
    – Allows the manager to submit reconfiguration requests
    – Checks for meaningfulness of reconfigurations
  • The MetaSTAT Collector component aggregates sensor alerts in a centralized database to support analysis and correlation

SLIDE 15

A Web Of Sensors

[Diagram: MetaSTAT, backed by the Module Database, the Sensor Database and the Alert Database, connected to each Sensor through its Proxy.]

SLIDE 16

Sensor Configuration

[Diagram: a Host running a STAT Sensor. The Core holds scenario prototypes and their instances; an Event Provider feeds it; the loaded modules are an Event Provider library, a Language Extension library, a Scenario plugin and a Response library. The sensor talks over CommSTAT to the local Proxy, which connects to MetaSTAT.]

SLIDE 17

Module Database

  • Models and stores information about
    – The available modules (Language Extensions, Event Providers, Attack Scenarios, and Responses)
    – A number of external components (e.g., a specific auditing facility)
  • Models and stores the dependencies between modules and components
    – Activation dependencies: module A needs module B in order to be loaded and activated
    – Functional dependencies: module A needs module B in order to produce meaningful results, or any results at all

SLIDE 18

Module Management

  • Each module may be
    – Installed
    – Loaded
    – Activated
  • A STAT sensor configuration is uniquely defined by a set of installed/activated modules and available external components
  • A configuration is valid if all the activation dependencies are satisfied
  • A configuration is meaningful if it is valid and all the functional dependencies are also satisfied

SLIDE 19

Module Database Schema

[Entity-relationship diagram of the Module Database. Tables (field grouping recovered from the field names): Module Index (module id, type, name, version, description, OS platform); Binary (module id, bin); Plugin State (module id, state name); Plugin Parameter (module id, parameter); Response Function (module id, function name, filepath); Module Input (module id, input type, input id); Module Output (module id, output type, output id); Activation Dependency (module id, dep module id); Functional Dependency (module id, external component id); Dependency Information. Relationships on module id are 1:1, 1:N and N:1.]

SLIDE 20

Sensor Database

  • Models and stores information about the current configuration of a Web of Sensors
    – Installed modules (at each STAT Proxy site)
    – Loaded/activated modules (in each STAT Sensor)
    – Available external components (at each host)

SLIDE 21

Sensor Database

[Entity-relationship diagram of the Sensor Database. Tables (field grouping recovered from the field names): Sensor Index (sensor id, sensor address, sensor port); External Component (sensor id, external component id); Installation Index (sensor id, module id, module type); Activated Module (sensor id, module id); Activation Information (keyed by <sensor id, module id>); Activated Plugin (sensor id, plugin id, scenario prototype id, state name); plugin parameters (prototype id, parameter, filepath); Activated Response Function (sensor id, module id, function name). Sensor Index has 1:N relationships on sensor id, with N:1 links back to it.]

SLIDE 22

MetaSTAT Configurator

  • The Intrusion Detection Administrator (IDA) requests a high-level reconfiguration
  • The MetaSTAT Configurator determines the required sensor configuration by examining the Module Database
  • The MetaSTAT Configurator determines which modules are already available using the Sensor Database
  • The MetaSTAT Configurator determines the steps that are necessary to complete the reconfiguration
  • The MetaSTAT Controller sends the appropriate control messages
  • STAT Proxies perform the installation
  • STAT Sensors reconfigure accordingly

SLIDE 23

Example

  • The Intrusion Detection Administrator (IDA) wants to deploy FTP monitoring scenarios
  • The Module Database is searched for suitable modules
  • A subset is selected
  • The Module Database is examined for possible activation dependencies
  • The Module Database is searched for possible functional dependencies
  • Results trigger a new series of queries

SLIDE 24

Dependency Graph

[Dependency graph for the FTP example. Nodes: language extensions ftp, tcpip, syslog and win-app-event; event providers netproc, syslog1, syslog2 and winevent; scenarios wu-ftp-bovf, ftp-protocol-verify and ftpd-quote-abuse; events FTP PROTOCOL and SYSLOG; external components STREAM network-driver, syslogd and NTlogging. Edges are labelled A (activation dependency), I and O (event input/output) and E (external component).]

SLIDE 25

Example

  • The Configurator determines the complete set of dependencies
  • The Configurator compares the required modules with the installed/activated modules as stored in the Sensor Database
  • The Configurator compiles a deployment plan
  • The plan is passed to the Controller
  • The Controller ships messages to the Proxies
  • The Proxies perform installations and forward loading/activation messages to the sensors
  • Detection begins...
  • Possible custom responses are shipped/installed/activated
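The validity and meaningfulness checks from the Module Management slide, and the dependency closure plus deployment plan of the Configurator example above, as one added Python example. It is not MetaSTAT's own code or schema: the module table is a simplified reading of the dependency-graph slide in which the module names are kept but the activation dependencies, the event types exchanged (`TCP`, `FTP`, `SYSLOG`, `WINEVENT`) and the external components required are assumed for the example.

```python
"""Module database, the valid/meaningful configuration checks and a deployment
planner for a reconfiguration request. Added example, not MetaSTAT's own code:
the module table is a simplified, constructed reading of the FTP dependency graph
on the slides (module names kept; dependencies and event types assumed)."""

def spec(kind, act=(), needs=(), gives=(), ext=()):
    """act: activation dependencies; needs/gives: event types consumed/produced
    (functional dependencies between modules); ext: external components required."""
    return dict(kind=kind, act=list(act), needs=list(needs), gives=list(gives), ext=list(ext))

MODULES = {
    "tcpip":               spec("lang ext"),
    "ftp":                 spec("lang ext", act=["tcpip"]),
    "syslog":              spec("lang ext"),
    "win-app-event":       spec("lang ext"),
    "netproc":             spec("event provider", act=["tcpip"], gives=["TCP"], ext=["network-driver"]),
    "syslog1":             spec("event provider", act=["syslog"], gives=["SYSLOG"], ext=["syslogd"]),
    "winevent":            spec("event provider", act=["win-app-event"], gives=["WINEVENT"], ext=["NTlogging"]),
    "syslog2":             spec("event provider", act=["syslog", "win-app-event"], needs=["WINEVENT"], gives=["SYSLOG"]),
    "ftp-protocol-verify": spec("scenario", act=["ftp"], needs=["TCP"], gives=["FTP"]),
    "wu-ftp-bovf":         spec("scenario", act=["ftp"], needs=["FTP"]),
    "ftpd-quote-abuse":    spec("scenario", act=["syslog"], needs=["SYSLOG"]),
}

class Unsatisfiable(Exception):
    """No meaningful configuration on this host can satisfy the request."""

def is_valid(activated):
    """Every activation dependency of an activated module is itself activated."""
    return all(d in activated for m in activated for d in MODULES[m]["act"])

def is_meaningful(activated, external):
    """Valid, and all functional dependencies hold: every consumed event type has an
    activated producer and every required external component exists on the host."""
    produced = {t for m in activated for t in MODULES[m]["gives"]}
    return (is_valid(activated)
            and all(t in produced for m in activated for t in MODULES[m]["needs"])
            and all(c in external for m in activated for c in MODULES[m]["ext"]))

def resolve(request, installed, activated, external):
    """Closure of modules that must be active for `request`, dependencies first.
    Producers are chosen preferring already active, then installed, then any usable one."""
    order = []
    def usable(m):   # an external component is the one thing a plan cannot ship
        return all(c in external for c in MODULES[m]["ext"])
    def visit(m, stack):
        if m in order:
            return
        if m in stack:
            raise Unsatisfiable(f"dependency cycle through {m}")
        if not usable(m):
            raise Unsatisfiable(f"{m}: external component missing on host")
        for d in MODULES[m]["act"]:
            visit(d, stack + [m])
        for t in MODULES[m]["needs"]:
            producers = sorted((p for p in MODULES if t in MODULES[p]["gives"]),
                               key=lambda p: (p not in activated, p not in installed, p))
            for p in producers:
                saved = list(order)
                try:
                    visit(p, stack + [m])
                    break
                except Unsatisfiable:
                    order[:] = saved       # back out this candidate's partial closure
            else:
                raise Unsatisfiable(f"{m}: no usable producer of {t} events")
        order.append(m)
    for m in request:
        visit(m, [])
    return order

def deployment_plan(request, installed, activated, external):
    """Steps for the Controller: proxies install missing modules, then sensors
    load and activate them in dependency order."""
    order = resolve(request, installed, activated, external)
    plan = [("install", m) for m in order if m not in installed]
    for m in order:
        if m not in activated:
            plan += [("load", m), ("activate", m)]
    assert is_meaningful(set(activated) | set(order), external)
    return plan

if __name__ == "__main__":   # the IDA asks for FTP monitoring on a host that already sniffs TCP
    host = dict(installed={"tcpip", "netproc"}, activated={"tcpip", "netproc"},
                external={"network-driver", "syslogd"})
    for step in deployment_plan(["wu-ftp-bovf"], **host):
        print(*step)
```

With the host in `__main__` (the TCP/IP extension and the `netproc` provider already active, a network driver and syslogd present), the plan installs `ftp`, `ftp-protocol-verify` and `wu-ftp-bovf` and then loads and activates them in that order, since in this table `wu-ftp-bovf` consumes the FTP events that `ftp-protocol-verify` produces. Requesting `ftpd-quote-abuse` on a host with only `NTlogging` makes the planner back out of `syslog1` and fall through to `syslog2` fed by `winevent`; with neither syslogd nor NTlogging it raises `Unsatisfiable` rather than shipping a configuration that would be valid but not meaningful.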

SLIDE 26

Advantages of the Approach

  • High customizability
  • Dynamic re-configurability
  • Support for automated reconfiguration allows management of a high number of sensors
  • Separation of analysis mechanisms from domain-dependent elements and response functionality
  • Modules can be reused across sensors

SLIDE 27

Advantages of the Approach

  • Multiple Language Extensions and Event Providers can be used within the same sensor
  • Responses can be associated with intermediate steps in attack scenarios
  • Support for alert collection and distribution
  • Third-party tools can be easily integrated through STAT Proxies

SLIDE 28

Future Work

  • A Web of Sensors is usually associated with a single administrative domain
  • Different Webs may require some sort of wide-area integration
  • Use of the Siena content-based message delivery system to distribute alerts and control commands in wide-area networks
  • Ultimate goal: Internet-scale coordination and control of intrusion detection capability
  • Going beyond: re-configuring active attack scenario instances (load balancing, tracking mobile code, etc.)

SLIDE 29

People Involved

  • Richard Kemmerer
  • Giovanni Vigna
  • Per Blix
  • Jacob Copenhaver
  • Steve Eckmann
  • Chris Kruegel
  • Siva Sankaridurg
  • Fredrik Valeur
  • Jingyu Zhou