SLIDE 1

Massively distributed intrusion detection: goals, challenges and possible solutions. SEC2 2015, Lille

Michaël Hauspie CRIStAL, CNRS UMR 9189 – Équipe 2XS

Michaël Hauspie, SEC2 2015, 30 June 2015, 1 / 31

SLIDE 2

Plan

1. Context
2. Collaborative IDS
3. DISCUS
   ▶ General presentation
   ▶ Syntax overview
   ▶ Table mechanism
   ▶ Example
4. Conclusion



SLIDE 4

Intrusion detection is hard in a cloud context

Cloud specific issues
• Complex and dynamic network architectures
• Sensitive data

Attacks can avoid standard security solutions
• by leading the attack from inside the network [1]
• by splitting the attack across several hosts and network routes [4]


SLIDE 5

Bandwidth and computing power are cheap to rent: Cloud As A Weapon [1]

• D. Bryan and M. Anderson. Cloud computing, a weapon of mass destruction, DEFCON 2010
• Thunderclap: less than a few dollars to put a host down
• Instead of infecting hosts to build a botnet, just rent them!


SLIDE 6

Usual security solutions tend to be located at the edge of the network

Firewalls
• usually located at the connection between the data center and the ISP
• filter network packets based on security rules

Intrusion Detection Systems (IDS)
• monitor the network (NIDS) or the operating system (HIDS)
• passive systems: their goal is to raise alerts
• pattern matching or behaviour analysis


SLIDE 7

Attacks can come from outside


SLIDE 8

Attacks can be performed from inside


SLIDE 9

Attacks can stay inside




SLIDE 12

One solution may be distributed, collaborative IDS

Push IDS inside the infrastructure
• More probes means more information
• More information means better detection (or at least, may lead to it)

Why not almost everywhere?
• Firewalls
• Switches
• Network cards/links
• Hypervisors



SLIDE 14

DISCUS is our proposal to deploy IDS everywhere [3]

Main ideas
• Put IDS probes as close to the monitored targets as possible
• Probes can be software or hardware
  ▶ Embedded: cheap, but not very powerful, and hard to program
  ▶ FPGA: very good power/cost ratio, but hard to create
  ▶ Kernel or userspace software (Snort, standalone software, kernel module): can achieve high performance but needs powerful hardware (high cost)


SLIDE 15

Let’s put probes everywhere



SLIDE 17

Creating software for the probes is not that easy

Issues
• Heterogeneous targets → lots of expertise
• Collaboration is hard
• Deployment is hard

Use of a Domain Specific Language (DSL)
• Focus on detection logic, not implementation details
• Use compile tools to handle heterogeneity and deployment



SLIDE 19

DSL focus on specific logic

Not as expressive as general purpose languages
▶ Limits development errors
▶ Ensures strong properties on the generated software
▶ Allows better automatic optimisation

SLIDE 20

Event syntax

    on my_event_name(args_list) [where condition]
        [...] action_list [...] ;

Actions
• Raise another event (now or later)
• Raise an alert
• Manipulate tables (insert, update, remove entries)


SLIDE 21

Filtering HTTP packets

    on tcp_packet(..., int16 dst_port, ...) where dst_port == 80
        raise http_packet(...) ;


SLIDE 22

Tables: a structure to share data
• Distributed database of contextual data
• Table entries are aggregates of primitive types
• Provide a way to collaborate


SLIDE 23

Declaration of a table

    table tcp_connection {
        ipaddr src, dst ;
        int16 p_src, p_dst ;
        enum tcp_connection_state state ;
        time last_pkt ;
        (...)
    } ;

Removing entries and purging tables

    remove entry from tcp_connection when entry.state == TCP_CLOSED ;

    on purge tcp_connection
        select entry where entry.last_pkt + 3600 < now ;



SLIDE 26

Using tables in events: updating the last packet timestamp

    on tcp_packet(ipaddr src, ipaddr dst, ...)
        for first entry in tcp_connection
            with entry.src == src and entry.dst == dst and (...)
            update entry.last_pkt = now
        ifnone
            insert into tcp_connection {
                src = src ; dst = dst ; state = TCP_INIT ; last_pkt = now ; (...)
            } ;



SLIDE 28

Use case: detecting SYN Flood attacks

A basic DoS attack: SYN Flood [2]
• Opening a lot of TCP connections
• Initiating the handshake but never finishing it
• Memory congestion on the target (half-open connections fill its backlog)

Detection
• Count the number of partially opened TCP connections per client
• Alert when the number reaches a fixed threshold (50)


SLIDE 29

Table

    table dos_attempt {
        ipaddr src ;
        int16 count ;
        time last_attempt ;
    } ;

    remove entry from dos_attempt when entry.count > 50 ;

    on purge dos_attempt
        select entry where entry.last_attempt + 3600 < now ;



SLIDE 31

Finding partially opened TCP connections

    on tcp_packet(ipaddr src, ..., int9 flags, ...) where flags == tcp_flags.SYN
        raise check_dos_attempt(src, dst, src_port, dst_port) in 50 ms ;

    on check_dos_attempt(ipaddr src, ..., int16 dst_port)
        for first entry in tcp_connection
            with entry.src == src and (...) and entry.state != OPENED
            raise dos_attempt(src) ;



SLIDE 33

Dealing with DoS attempts

    on dos_attempt(ipaddr src)
        for first entry in dos_attempt with entry.src == src
            update entry.count += 1
            update entry.last_attempt = now
            raise check_threshold(src)
        ifnone
            insert into dos_attempt { (...) } ;

    on check_threshold(ipaddr src)
        for first entry in dos_attempt with entry.src == src and entry.count >= 50
            alert("Some message") ;

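The detection logic of the preceding slides (the tcp_connection table with its update / ifnone insert, and the SYN-flood chain tcp_packet → check_dos_attempt → dos_attempt → check_threshold with its remove-when and purge rules) written out in Python as an added example. This is not DISCUS code and not from the slides or the DISCUS project; it runs over a constructed packet trace of one client that completes its handshakes and one source that sends 60 bare SYNs. The Packet record, the 4-tuple key, the timer queue standing in for `raise ... in 50 ms`, the assumption that the probe sees the client side of the handshake, and the moment at which `remove entry ... when entry.count > 50` is evaluated are all this example's own choices.

```python
"""Added worked example, not DISCUS code: the SYN-flood detector of the slides
(tcp_packet -> deferred check_dos_attempt -> dos_attempt -> check_threshold, with
the tcp_connection and dos_attempt tables) in Python, run over a constructed trace."""
import heapq
from collections import namedtuple

Packet = namedtuple("Packet", "t src dst sport dport flags")  # t in seconds (assumed layout)

CHECK_DELAY = 0.050  # "raise check_dos_attempt(...) in 50 ms"
THRESHOLD = 50       # "alert when the number reaches a fixed threshold (50)"
PURGE_AGE = 3600     # "on purge ... where entry.last_attempt + 3600 < now"


class SynFloodDetector:
    def __init__(self):
        self.tcp_connection_tbl = {}  # (src, dst, sport, dport) -> {"state", "last_pkt"}
        self.dos_attempt_tbl = {}     # src -> {"count", "last_attempt"}
        self.timers = []              # heap of (fire_at, seq, event, args): deferred raises
        self.seq = 0
        self.alerts = []              # (time, src, count) for every alert() call

    def raise_later(self, now, delay, event, *args):
        self.seq += 1  # unique tie-breaker so the heap never compares bound methods
        heapq.heappush(self.timers, (now + delay, self.seq, event, args))

    def fire_due(self, now):
        while self.timers and self.timers[0][0] <= now:
            fire_at, _, event, args = heapq.heappop(self.timers)
            event(fire_at, *args)

    def purge(self, now):
        """The 'on purge' rules: drop entries idle for more than PURGE_AGE seconds."""
        for tbl, field in ((self.tcp_connection_tbl, "last_pkt"),
                           (self.dos_attempt_tbl, "last_attempt")):
            for key in [k for k, e in tbl.items() if e[field] + PURGE_AGE < now]:
                del tbl[key]

    def on_tcp_packet(self, pkt):
        """'on tcp_packet(...)': upsert the connection entry; a bare SYN also schedules the
        half-open check 50 ms later.  Assumes the probe sees the client side of the flow."""
        self.fire_due(pkt.t)
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        entry = self.tcp_connection_tbl.get(key)
        if entry is None:  # 'ifnone insert into tcp_connection { state = TCP_INIT ... }'
            entry = self.tcp_connection_tbl[key] = {"state": "TCP_INIT", "last_pkt": pkt.t}
        entry["last_pkt"] = pkt.t  # 'update entry.last_pkt = now'
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.raise_later(pkt.t, CHECK_DELAY, self.on_check_dos_attempt, *key)
        elif "ACK" in pkt.flags:
            entry["state"] = "OPENED"  # the client's ACK is the third step of the handshake

    def on_check_dos_attempt(self, now, src, dst, sport, dport):
        """50 ms after the SYN the handshake should be complete; if not, count it."""
        entry = self.tcp_connection_tbl.get((src, dst, sport, dport))
        if entry is not None and entry["state"] != "OPENED":
            self.on_dos_attempt(now, src)

    def on_dos_attempt(self, now, src):
        entry = self.dos_attempt_tbl.setdefault(src, {"count": 0, "last_attempt": now})
        entry["count"] += 1
        entry["last_attempt"] = now
        # 'remove entry from dos_attempt when entry.count > 50', applied as soon as the update
        # makes it true (assumed evaluation order): an alerted source restarts from zero at 51.
        if entry["count"] > THRESHOLD:
            del self.dos_attempt_tbl[src]
            return
        self.on_check_threshold(now, src)

    def on_check_threshold(self, now, src):
        entry = self.dos_attempt_tbl.get(src)
        if entry is not None and entry["count"] >= THRESHOLD:
            self.alerts.append((now, src, entry["count"]))  # the slides' alert("...")

    def finish(self, now):
        """End of trace: fire the checks still pending, then run the purge rules."""
        self.fire_due(now)
        self.purge(now)
        return self.alerts


def constructed_trace():
    """Constructed input: a client completing five handshakes to port 80, and a source
    that sends 60 SYNs to the same server within 60 ms and never ACKs."""
    pkts = []
    for i in range(5):
        pkts.append(Packet(1.0 * i, "10.0.0.5", "10.0.0.80", 40000 + i, 80, {"SYN"}))
        pkts.append(Packet(1.0 * i + 0.010, "10.0.0.5", "10.0.0.80", 40000 + i, 80, {"ACK"}))
    for k in range(60):
        pkts.append(Packet(2.0 + 0.001 * k, "198.51.100.7", "10.0.0.80", 50000 + k, 80, {"SYN"}))
    return sorted(pkts, key=lambda p: p.t)


def run(trace, end_time):
    det = SynFloodDetector()
    for pkt in trace:
        det.on_tcp_packet(pkt)
    det.finish(end_time)
    return det
```

run(constructed_trace(), 10.0).alerts yields a single alert for 198.51.100.7 at count 50 and nothing for 10.0.0.5; with end_time 4000.0 the purge rules empty both tables. Two properties of the slides' rules are visible in the result: a retransmitted SYN schedules a second check and can be counted twice, and the remove-when rule restarts the counter after an alert, so under the evaluation order assumed here a sustained flood raises one alert per 51 half-open SYNs rather than one per source.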

SLIDE 34

DISCUS development process



SLIDE 36

What's done
• Compiler, optimizer
• Targets: embedded micro-controller, Linux user space (libpcap), Snort scripts
• Automatic Snort to DISCUS translation: 98% of Snort rules can be converted to DISCUS scripts
  ▶ the remaining 2% involve C code (Snort modules)
• Simple data handling/sharing



SLIDE 38

Next steps

Enhanced data handling/sharing
• Efficient
• Secure
• Adapted to heterogeneous targets

More targets!
• FPGA!
  ▶ High performance, quite low cost
  ▶ Integrates the IDS in switches
• Network card firmware


SLIDE 39

Next steps

Dynamic reconfiguration
• Redefine security rules
• Without stopping monitoring

More domains
• Industrial Control System security
  ▶ No more standard IP networks
  ▶ Real-time guarantees?
• Securing IoT
  ▶ Tiny IDS in every Thing

SLIDE 40

Questions?

Michaël Hauspie – michael.hauspie@univ-lille1.fr

[1] D. N. M. Bryan and M. Anderson. Cloud Computing, a Weapon of Mass Destruction? DEFCON, 2010. URL: https://www.defcon.org/html/links/dc-archives/dc-18-archive.html
[2] Ramana Rao Kompella. "On Scalable Attack Detection in the Network". 2004.
[3] D. Riquet, G. Grimaud and M. Hauspie. "DISCUS: A massively distributed IDS architecture using a DSL-based configuration". In: Proceedings of the 2014 International Conference on Information Science, Electronics and Electrical Engineering (ISEEE 2014). Sapporo City, Hokkaido, Japan, 2014.
[4] D. Riquet, G. Grimaud and M. Hauspie. "Large-scale coordinated attacks: Impact on the cloud security". In: Proceedings of The Second International Workshop on Mobile Commerce, Cloud Computing, Network and Communication Security 2012 (MCNCS 2012). Palermo, Italy, June 2012.
