SLIDE 1

Jean-Philippe POUZOL / Mireille DUCASSÉ RAID'01 Symposium

From Declarative Signatures to Misuse IDS

4th International Symposium on Recent Advances in Intrusion Detection (RAID'01) October 10-12, 2001 - Davis, CA, USA

Jean-Philippe POUZOL Mireille DUCASSÉ

IRISA / INSA de Rennes (France)

SLIDE 2

Outline of this talk

  • Rule-based languages
    – Specifying multi-event signatures is complex
    – Not well suited to maintain a signature database
  • Declarative specifications
    – Sutekh: a declarative signature language
    – An example of specification
  • Automatic rule generation

SLIDE 3

Misuse IDS

Diagram: Events → Misuse IDS (Signatures) → Alerts

Event sources:
  • Sun BSM
  • Tcpdump logs
  • Web server logs
SLIDE 4

IDS in distributed environments

  • No global time in distributed environments: sequences must be detected in the probes
  • Data reduction is more efficient if performed as soon as possible

IDS = local probes + alert correlation

⇒ Mono-event signatures in probes are insufficient

SLIDE 5

Rule-based IDS and pattern matching

  • Rule-based IDS perform pattern matching. Kumar distinguished 4 classes of patterns [Kumar, PhD, 95]:
    a) Existence
    b) Sequence (interval, duration)
    c) Regular expression
    d) Other (e.g. negation)
  • Kumar also proposed a model of rule-based IDS based on Colored Petri Nets with variables
    – All the above patterns can be recognized within this model
  • Signatures in this model can be translated into other rule-based IDS languages

SLIDE 6

Rule Based IDS

Diagram: Events → Rule Based IDS (Signatures = rules) → Alerts

Rule-based IDS:
  • P-BEST (Emerald) [Lindqvist et al., Secur & Priv 99]
  • ASAX [Habra et al., ESORICS 92]
  • STAT [Vigna et al., DISCEX 00]

Event sources:
  • Sun BSM
  • Tcpdump logs
  • Web server logs
SLIDE 7

Specification vs. Matching

Pattern specification language | Algorithm to search patterns
Regular expressions            | Finite state automata
Algebraic languages            | Push-down automata

SLIDE 8

Rules are not well suited for specification

Rule construction is complex and error-prone
  – Non-trivial graph construction if rule coding is performed "by hand"
    e.g. searching for a conjunction of events with a system which does not provide this construct
  – Transitions can easily be forgotten, or set between the wrong states

Signatures are scattered in many rules

SLIDE 9

Rules are not well suited for specification

Rule readability is low, debugging is difficult
  – One needs to "simulate" the evolution of the transition system to extract the underlying pattern

Signatures are scattered in many rules

SLIDE 10

Rules are not well suited for specification

Signature evolution can be "expensive"
  – Adding a feature to the pattern can require substantial changes across the whole transition system

Signatures are scattered in many rules

SLIDE 11

Example: encoding negation in rules

  • Signature in STAT [Eckmann, ACM Wrkshp on ID, 00]

Diagram: STAT state/transition graph with states 1 to 5 and transitions login, read_rhost, create_file, logout, logout_2, delete_1, delete_2, delete_3, another_one

Several transitions for a single idea: 3 transitions for delete / 2 transitions for logout

SLIDE 12

Building and maintaining rule-based signature databases is too tedious and error-prone. This cannot be done by hand.

SLIDE 13

Declarative Signatures

Diagram: Events → Rule Based IDS (Rules) → Alerts

Declarative layer: Declarative Signatures → Signature Compiler → Rules

SLIDE 14

Declarative Languages for IDS

Languages for attack databases
  • ADeLe [Michel et al., Intl Conf on Inform Sec 01]
  • LAMBDA [Cuppens et al., RAID'00]
  – More expressive signature languages
  – No implementation has been proposed

Signature languages
  • MuSigs [Lin et al., IEEE Comp Sec Fund Wrkshp 98]
  • Logweaver [Roger et al., IEEE Comp Sec Fund Wrkshp 01]
  – Dedicated and optimized algorithms

Our contribution
  • Expressive language ⇒ Sutekh
  • Implementation ⇒ Compiling Sutekh into rules
SLIDE 15

Example of Attack

Target
  • admintool (Solaris)
  • Front-end for package installation
  • suid-root in several Solaris distributions
  • A package contains 2 files: pkgmap / pkginfo

Exploit
  • CERT (CA-1996-16)
  • Build a "fake" package with an overflow string
  • Install the fake package with admintool ⇒ gain root access
  • Source code available on the Internet
SLIDE 16

Example of Signature in Sutekh (1/2)

Basic blocks: Filters (a conjunction of constraints on an event)

  • System calls for file creation
    createFile(Regexp, File, UserId) = [ … ].
      Path name must match Regexp
      Path name is unified with File
      Real user ID is unified with UserId
  • System calls for program execution
    execProg(ProgName, UserId) = [ … ].
      Path name is unified with ProgName
      Real user ID is unified with UserId

SLIDE 17

Example of Signature in Sutekh (2/2)

admintool() =
  ( ( createFile("*/pkginfo", File1, User)
      and
      createFile("*/pkgmap", File2, User) )
    such_that same_dir(File1, File2) )
  then
  execProg("/usr/bin/admintool", User)
  trigger admintool_alert(User)

SLIDE 18

Declarative semantics of Sutekh

  • People do not need to know the operational layer
  • People need to know the exact meaning of Sutekh expressions

S1 = Ea then Eb
S2 = Eb then Ec
S  = S1 then S2

Trace: . . . <Ea> . . . <Eb> . . . <Ec> . . .
Is this an instance of S?

Diagram: S1 spans [α1, α2] and S2 spans [α3, α4], with α1 ≤ α2 < α3 ≤ α4

Sutekh formal semantics: the last event of S1 must precede the first event of S2 strictly, so the single <Eb> of the trace cannot be both the end of S1 and the start of S2. No!
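The admintool() signature of the previous slides, run as a detector over a constructed event stream. This is an added example, not the Sutekh implementation or the authors' code: the audit records are hypothetical BSM-like entries reduced to the fields the two filters read (system call, path, real uid, sequence number), and the filter bodies the slide elides are replaced by a shell-style match on the path. It shows the three operators at work: `and` accepts the pkginfo and pkgmap creations in either order, `such_that same_dir` drops pairs from different directories, and `then` (the strict ordering of this slide's semantics) fires only when the conjunction is complete strictly before the admintool exec of the same user, so a user who ran admintool before building the package raises nothing.

```python
import fnmatch
import os

# Constructed BSM-like audit records (hypothetical), reduced to the fields the
# two filters read: system call, path name, real uid, and a sequence number t.
EVENTS = [
    {"t": 1, "call": "exec",   "path": "/usr/bin/admintool", "uid": 1003},  # before any package
    {"t": 2, "call": "create", "path": "/tmp/evil/pkginfo",  "uid": 1001},
    {"t": 3, "call": "create", "path": "/home/bob/pkgmap",   "uid": 1002},  # lone pkgmap
    {"t": 4, "call": "create", "path": "/tmp/evil/pkgmap",   "uid": 1001},
    {"t": 5, "call": "create", "path": "/tmp/x/pkginfo",     "uid": 1003},
    {"t": 6, "call": "create", "path": "/tmp/x/pkgmap",      "uid": 1003},
    {"t": 7, "call": "exec",   "path": "/usr/bin/admintool", "uid": 1002},  # no package pair
    {"t": 8, "call": "exec",   "path": "/usr/bin/admintool", "uid": 1001},  # alert
]


def create_file(regexp, ev):
    """Filter createFile(Regexp, File, UserId). The slide elides the body; here a
    creation event matches if its path fits the shell-style pattern.
    Returns the bindings of File and UserId, or None."""
    if ev["call"] != "create" or not fnmatch.fnmatch(ev["path"], regexp):
        return None
    return {"File": ev["path"], "UserId": ev["uid"]}


def exec_prog(prog, ev):
    """Filter execProg(ProgName, UserId)."""
    if ev["call"] != "exec" or ev["path"] != prog:
        return None
    return {"ProgName": ev["path"], "UserId": ev["uid"]}


def same_dir(f1, f2):
    return os.path.dirname(f1) == os.path.dirname(f2)


def detect_admintool(events):
    """Run the admintool() signature over a time-ordered event list and return
    one alert per instance: the admintool_alert(User) of the slide, with the
    two files and the exec time attached for the analyst."""
    infos, maps = [], []   # partial instances of each createFile filter: (t, File, User)
    pairs = []             # completed 'and ... such_that same_dir': (t_done, File1, File2, User)
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        b = create_file("*/pkginfo", ev)
        if b:
            infos.append((ev["t"], b["File"], b["UserId"]))
            # 'and' is unordered: the pkgmap may already have been seen
            for t2, f2, u in maps:
                if u == b["UserId"] and same_dir(b["File"], f2):
                    pairs.append((max(ev["t"], t2), b["File"], f2, u))
        b = create_file("*/pkgmap", ev)
        if b:
            maps.append((ev["t"], b["File"], b["UserId"]))
            for t1, f1, u in infos:
                if u == b["UserId"] and same_dir(f1, b["File"]):
                    pairs.append((max(t1, ev["t"]), f1, b["File"], u))
        b = exec_prog("/usr/bin/admintool", ev)
        if b:
            # 'then': the conjunction must be complete strictly before the exec,
            # and User unifies across both operands
            for t_done, f1, f2, u in pairs:
                if u == b["UserId"] and t_done < ev["t"]:
                    alerts.append({"user": u, "pkginfo": f1, "pkgmap": f2, "t": ev["t"]})
    return alerts


if __name__ == "__main__":
    for a in detect_admintool(EVENTS):
        print("admintool_alert", a)
```

Only uid 1001 triggers: uid 1002 never created a pkginfo, and uid 1003 ran admintool at t=1, before its package pair was complete at t=6, so the `then` constraint is not met. The partial-instance lists grow without bound here; a real probe would expire them, which is exactly the kind of operational detail the declarative layer is meant to hide from the signature writer.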

SLIDE 19

From declarative signatures to rules

  • We re-use existing rule-based research
    – Much research has been done in the AI context
    – Efficient algorithms exist (e.g. RETE)
    – Several IDS rely on this paradigm
  • We prefer compiling to embedding
    – To ensure independence of the specification language and the implementation
    – To adapt the compilation strategy from one specification language to another

Keep as much independence as possible from source and target languages

SLIDE 20

Compiling Sutekh into rules

  • Four-step algorithm
    – Build a state/transition diagram corresponding to the temporal constraints on events
    – Statically analyze the evolution of variable bindings along the paths of the diagram
    – Use this analysis to optimize the placement of constraint verifications
    – Generate code for the target rule-based language

SLIDE 21

Compiling Sutekh into rules

([ f1 = A, f2 != B ] then [ f1 = A, f3 = B ]) such_that (pred(A)).

Diagram: states 1 → 2 → 3
  transition 1 → 2 : [ f1 = A, f2 != B ], pred(A)
  transition 2 → 3 : [ f1 = A, f3 = B ], pred(A)

Variable binding: state 1 {} / state 2 {A} / state 3 {A, B}

B is still unbound on transition 1 → 2, so f2 != B cannot be evaluated there.

SLIDE 22

Compiling Sutekh into rules

([ f1 = A, f2 != B ] then [ f1 = A, f3 = B ]) such_that (pred(A)).

Diagram: states 1 → 2 → 3
  transition 1 → 2 : [ f1 = A, f2 = X ], pred(A)
  transition 2 → 3 : [ f1 = A, f3 = B ], B != X

Variable binding: state 1 {} / state 2 {A, X} / state 3 {A, X, B}
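Steps 2 and 3 of the four-step algorithm (the binding analysis and the constraint placement of the last two slides), written out as an added example in Python. It is not the authors' compiler: it stops at an in-memory transition list instead of emitting code for a target rule language (step 4), and it only handles a `then` chain. Assumptions: filters are lists of (field, op, term) triples, capitalised terms are Sutekh variables, `pred` is a hypothetical predicate ("A is odd"), and the event stream is constructed. The compiler records which variables are bound after each transition, rewrites a `!=` against a not-yet-bound variable into a binding of a fresh variable plus a deferred inequality, and attaches every constraint to the earliest transition where all its variables are bound. A small runtime then drives the result over events; calling `match_filter` with the original, un-rewritten first filter shows why the naive placement fails.

```python
import itertools


def is_var(term):
    # Convention assumed here: capitalised names are Sutekh variables.
    return isinstance(term, str) and term[:1].isupper()


# The signature of the slide:
#   ([ f1 = A, f2 != B ] then [ f1 = A, f3 = B ]) such_that (pred(A)).
SIGNATURE = {
    "filters": [
        [("f1", "=", "A"), ("f2", "!=", "B")],
        [("f1", "=", "A"), ("f3", "=", "B")],
    ],
    "constraints": [("pred", ("A",))],
}

# Hypothetical predicate semantics; 'neq' is the deferred inequality that the
# compiler generates for a '!=' against an unbound variable.
PREDICATES = {"pred": lambda a: a % 2 == 1, "neq": lambda b, x: b != x}


def compile_signature(sig):
    """Binding analysis + constraint placement over a chain of 'then' filters.
    Returns one transition per filter: the (possibly rewritten) filter, the
    checks attached to it, and the variables bound once it has fired."""
    fresh, bound = itertools.count(1), set()
    pending, transitions = list(sig["constraints"]), []
    for flt in sig["filters"]:
        rewritten = []
        for field, op, term in flt:
            if op == "!=" and is_var(term) and term not in bound:
                # 'f2 != B' with B unbound: bind the value to a fresh X now and
                # check 'B != X' later, once B is bound.
                x = f"X{next(fresh)}"
                rewritten.append((field, "=", x))
                pending.append(("neq", (term, x)))
            else:
                rewritten.append((field, op, term))
        bound |= {t for _, op, t in rewritten if op == "=" and is_var(t)}
        # earliest placement: every constraint whose variables are now all bound
        placed = [c for c in pending if set(c[1]) <= bound]
        pending = [c for c in pending if c not in placed]
        transitions.append({"filter": rewritten, "checks": placed, "bound": frozenset(bound)})
    if pending:
        raise ValueError(f"constraints over never-bound variables: {pending}")
    return transitions


def match_filter(flt, env, event):
    """Unify one event with a filter under environment env; return the extended
    environment or None. A '!=' against a still-unbound variable cannot be
    decided and fails: that is the naive placement of the previous slide."""
    env = dict(env)
    for field, op, term in flt:
        if field not in event:
            return None
        value = event[field]
        if is_var(term):
            if term not in env:
                if op != "=":
                    return None
                env[term] = value
                continue
            expected = env[term]
        else:
            expected = term
        if (value == expected) != (op == "="):
            return None
    return env


def run(transitions, events):
    """Drive the compiled transition system over an event stream. Partial
    instances are (index of next transition, env); a fresh instance is tried at
    every event, and an advanced instance only sees later events, which is the
    strict ordering that 'then' requires."""
    instances, matches = [], []
    for ev in events:
        advanced = []
        for idx, env in [(0, {})] + instances:
            tr = transitions[idx]
            env2 = match_filter(tr["filter"], env, ev)
            if env2 is None or not all(PREDICATES[n](*[env2[v] for v in args])
                                       for n, args in tr["checks"]):
                continue
            (matches if idx + 1 == len(transitions) else advanced).append(
                env2 if idx + 1 == len(transitions) else (idx + 1, env2))
        instances += advanced
    return matches


# Constructed event stream (not from the page).
EVENTS = [
    {"f1": 7, "f2": "k"},   # binds A=7, X1="k"; pred(7) holds
    {"f1": 7, "f3": "k"},   # B="k" equals X1: rejected by B != X1
    {"f1": 7, "f3": "m"},   # B="m": full match
    {"f1": 8, "f2": "z"},   # pred(8) fails: pruned on transition 1, never kept
    {"f1": 8, "f3": "q"},   # nothing to continue
]

if __name__ == "__main__":
    for i, tr in enumerate(compile_signature(SIGNATURE), 1):
        print(f"transition {i}: {tr['filter']} checks={tr['checks']} bound={sorted(tr['bound'])}")
    print(run(compile_signature(SIGNATURE), EVENTS))
```

Placing pred(A) on the first transition is the optimisation the slide refers to: an event with an A that fails the predicate never creates a partial instance, so the rule engine carries less state. Deferring B != X is what makes the negation expressible at all without the extra transitions of the STAT example.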

SLIDE 23

Conclusion

  • In the current trend of declarative specification
    – Sutekh is as expressive as the fragments of LAMBDA or ADeLe dedicated to signatures
    – We add a precise semantics to the language
    – We propose a first approach to implement the specification
  • Further work
    – Specification of repetitive (counting) patterns by adding inductive signatures
