Transcript document

Network Security and Intrusion Detection
Survey of the Art and Practice
Dr. Michah Lerner
AT&T Labs
15-August-2000
AT&T
Outline
• Model
• Principles
• Assumptions
• Methods
• Products
• No silver bullets
• Published sources only
Note: this talk describes some attack models.
If you’d like to “try them out”, don’t!
Intrusion Detection Systems, IDS
• Identified by Dorothy Denning in 1987, IEEE Transactions on Software Engineering
  • Protect systems and networks from threats, vulnerabilities, and intrusions
• Art includes:
  • “Bro: A System for Detecting Network Intruders in Real Time” (Vern Paxson)
  • JiNao – protect link-state routing – Felix Wu
    – Rule-based expert system, statistical analysis, protocol analysis, OSPF MIB, distributed programming interface (DPI)
• Vendors include:
  • Amazon.com lists 171 security products
  • Axent (NetProwler, and Tivoli modules), ISS, Network Associates, Cisco
A Story …
• Jane the Dandelion wine merchant
  • Running SSL to protect her eCommerce site
• Coalition against Dandelion Wine
  • Quietly launches a chosen-ciphertext attack against her SSL server (Daniel Bleichenbacher, LNCS 1462, 1998)
  • Exploits a weakness in SSL v3.0
    – Generate many authentication requests
    – SSL reports which ones were incorrectly formatted
• The Coalition obtained her master secret!
  • They tested about one million chosen ciphertexts – on her server!
  • She just thought that SSL was slow!
  • IDS would have found the incomplete SSL handshakes, and probably foiled the intruder
Assumptions
• Assumptions …
  • RFC 1636 – encryption essential to security
    – Open networks violate this assumption
    – Encryption should protect control information, as well as contents
    – See section 7.3 of the RFC
  • In an attack from Vi → net → Vj, assume only one of Vi, Vj is the attacker
    – DDoS violates this assumption
• Assumptions are “sometimes” wrong
  • Replay attack can masquerade with encrypted data
  • Distributed attacks can leverage multiple attackers
  • Encryption can be broken
Concept – Collection & Analysis
CERN European Laboratory for Particle Physics
Birthplace of “The Web Browser” – http://www.cern.ch
• Every time something suspicious is detected, the session’s security weight is increased
• When the security weight gets higher than a given threshold, detailed monitoring starts
• Encryption was, until recently, not allowed by French law
• Not much used for first break-in discovery, but invaluable for security incident analysis and follow-up: it answers typical questions like:
  – When did the first break-in happen?
  – Which other systems may have been attacked?
  – Which other services on the attacked system may have been compromised?
[Diagram: components – Network, Analyzer, Filter, Database, Reports, Suspicious behavior, Security officer]
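The CERN scheme above (a per-session security weight that, once it passes a threshold, triggers detailed monitoring) and the Dandelion-wine story (an IDS noticing a client that keeps leaving SSL handshakes incomplete) are the same mechanism seen twice. The following is an added example, not CERN's or the speaker's code; event names, weights, the threshold and the addresses in the constructed event stream are assumptions.

```python
"""Session security-weight accumulator.

Added example, not CERN's or AT&T's code. Every suspicious observation adds a
weight to the session (here keyed by client address) it belongs to, and once
the cumulative weight exceeds a threshold the session is placed under detailed
monitoring. The constructed event stream includes the incomplete-SSL-handshake
symptom from the story, so the client that keeps aborting handshakes is
escalated after a dozen attempts rather than after a million.
Event names, weights, threshold and addresses are assumptions.
"""
from collections import defaultdict

# Weight per suspicious event type (assumed values).
EVENT_WEIGHTS = {
    "auth_failure": 3,
    "ssl_handshake_incomplete": 2,
    "unknown_service_probe": 5,
}
THRESHOLD = 20  # assumed: detailed monitoring starts above this weight


class SessionMonitor:
    def __init__(self, weights=EVENT_WEIGHTS, threshold=THRESHOLD):
        self.weights = weights
        self.threshold = threshold
        self.weight = defaultdict(int)  # session -> cumulative security weight
        self.escalated_at = {}          # session -> time the threshold was first exceeded

    def observe(self, timestamp, session, event):
        """Record one suspicious event; return True if the session is now under
        detailed monitoring (whether escalated by this event or earlier)."""
        w = self.weights.get(event, 0)  # unknown event types carry no weight
        self.weight[session] += w
        if self.weight[session] > self.threshold and session not in self.escalated_at:
            self.escalated_at[session] = timestamp
        return session in self.escalated_at

    def first_break_in(self):
        """'When did the first break-in happen?': earliest escalation time, or None."""
        return min(self.escalated_at.values()) if self.escalated_at else None


# Constructed event stream: (time, client address, event type).
# 10.0.0.5 aborts twelve SSL handshakes in a row; 10.0.0.9 merely mistypes a password twice.
SAMPLE_EVENTS = sorted(
    [(100 + i, "10.0.0.5", "ssl_handshake_incomplete") for i in range(12)]
    + [(101, "10.0.0.9", "auth_failure"), (150, "10.0.0.9", "auth_failure")]
)


def run(events=SAMPLE_EVENTS, threshold=THRESHOLD):
    """Feed the events through the monitor and return it for inspection."""
    mon = SessionMonitor(threshold=threshold)
    for t, session, event in events:
        mon.observe(t, session, event)
    return mon


if __name__ == "__main__":
    m = run()
    for s, w in sorted(m.weight.items()):
        print(f"{s}: weight={w} escalated_at={m.escalated_at.get(s)}")
    print("first break-in:", m.first_break_in())
```

With the constructed stream, 10.0.0.5 crosses the threshold at its eleventh incomplete handshake (time 110) while two stray password failures from 10.0.0.9 never do; the first-crossing time is what answers the “when did it start?” question on the slide.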
Intrusion – Examples
• Denial of Service
• Hijacking of session or router
• Theft
  • Resources – bandwidth theft or blockage
  • Identity
  • Information
Intrusion at any layer or slice
Difficult and Complex Problem
[Diagram: layers – Application, Transport, Network, Link, Physical; application slices – static & dynamic page, quality of service, media transport, content, media (MPEG etc.); protocols shown – HTTP, H.323, SIP, RTSP, RSVP, RTCP, RTP, TCP, UDP, IPv4, IPv6, PPP, SONET, AAL3/4, AAL5, ATM, Ethernet, V.34]
Mobsters101 – How to Intrude¹
• Resources
  • Exhaust, overload or consume
• Control Functions
  • Undermine direct control protocols
    – Assert authentication or authorization contrary to policy
    – Block authentication or authorization
    – Subvert timing or other policing methods
  • Undermine indirect control
• Transport Functions
  • Transmit forged content
  • Modify, read or block content
• “Many attackers use tools like COPS or SATAN, which automate the process of checking for known bugs in remote network systems. These freely available tools, as well as commercial tools such as ISS’s Internet Scanner, are designed to help systems administrators audit their own networks, but are equally useful to an attacker.” [Wallach99]
• See http://www.cert.org/advisories
¹ For discussion purposes only
Intrusion – Definition
• Intrusion
  • Violation of the network policy, even where the policy is not completely stated
• Policy
  • Allocation, usage and return of resources
  • Possibly multiple policies active on a network
    – Varied requirements of business, administration or trust
• Resources
  • Finite
  • Independent
  • Layered
  • Protocol-driven
• Protocols
  • Efficient, not perfect
  • IP spoofing – packets are not uniquely attributable to their origin
  • Costly to stop
Prevention – Policies & Assurances
• Violations of policy may define intrusion
• Except:
  • Seldom have such a precise policy in IP
  • The policy could be buggy
  • New applications could violate the policy
  • Cost is prohibitive for many applications
  • Can plug anything into the Internet – not just “safe” applications. IEEE 802.3 (Ethernet) is ubiquitous
• An alternative to formal policy is assurances
  • General policy, but less rigorous
    – Availability – connections, bandwidth, low delay
    – Integrity – privacy, reliability, and low error-rate
Detection
• Assurances are threatened by:
  • Misuse – specific attack behavior
    – Based on expert knowledge of patterns associated with attack
    – Patterns of misuse defined by experts, or by machine learning – should not occur
    – Examples:
      – Mismatched SYN/ACK
      – Same authenticated user from multiple locations?
      – Multiple failed authentications? From different addresses??
    – Problem: only recognizes anticipated threats (but can combine several threats that might otherwise be missed)
  • Anomalous use – possible attack
    – Recognize increased risk to network
    – Compare actual with expected behavior
    – Load rising atypically?
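Two of the misuse patterns listed on the slide (“same authenticated user from multiple locations” and “multiple failed authentications from different addresses”) written as rules over authentication log lines. This is an added example, not the speaker's code; the log format, window sizes, thresholds and the constructed log lines are assumptions.

```python
"""Two misuse rules from the Detection slide, run over constructed authentication log lines.

Added example, not the speaker's code. Rule 1: the same authenticated user
appears from more than one address within a short window. Rule 2: repeated
failed authentications for one user arrive from several different addresses.
Log format, window sizes and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Assumed log format: "<epoch seconds> OK|FAIL user=<name> from=<address>"
LINE_RE = re.compile(r"^(?P<t>\d+) (?P<result>OK|FAIL) user=(?P<user>\S+) from=(?P<ip>\S+)$")

# Constructed log lines (documentation-range addresses).
SAMPLE_LOG = """\
1000 OK user=alice from=192.0.2.10
1100 OK user=alice from=198.51.100.7
1200 FAIL user=bob from=203.0.113.1
1210 FAIL user=bob from=203.0.113.2
1220 FAIL user=bob from=203.0.113.1
1230 FAIL user=bob from=203.0.113.3
1240 FAIL user=bob from=203.0.113.4
1300 OK user=bob from=192.0.2.20
2000 OK user=alice from=192.0.2.10
this line is malformed and must be skipped
"""


def parse(log):
    """Return (time, result, user, address) for each well-formed line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are ignored rather than crashing the detector
            events.append((int(m["t"]), m["result"], m["user"], m["ip"]))
    return events


def same_user_multiple_locations(events, window=300):
    """Alert when one user is successfully authenticated from >1 address within `window` seconds."""
    alerts = []
    recent = defaultdict(list)  # user -> [(time, address)] of recent successes
    for t, result, user, ip in events:
        if result != "OK":
            continue
        recent[user] = [(tt, ii) for tt, ii in recent[user] if t - tt <= window]
        others = {ii for _, ii in recent[user] if ii != ip}
        if others:
            alerts.append((t, user, sorted(others | {ip})))
        recent[user].append((t, ip))
    return alerts


def failed_auth_from_many_addresses(events, min_failures=5, min_addresses=3, window=600):
    """Alert once per user when >= min_failures failures arrive from >= min_addresses
    distinct addresses within `window` seconds."""
    alerts = []
    fails = defaultdict(list)  # user -> [(time, address)] of recent failures
    fired = set()
    for t, result, user, ip in events:
        if result != "FAIL":
            continue
        fails[user] = [(tt, ii) for tt, ii in fails[user] if t - tt <= window] + [(t, ip)]
        addrs = {ii for _, ii in fails[user]}
        if len(fails[user]) >= min_failures and len(addrs) >= min_addresses and user not in fired:
            fired.add(user)
            alerts.append((t, user, len(fails[user]), len(addrs)))
    return alerts


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(same_user_multiple_locations(ev))
    print(failed_auth_from_many_addresses(ev))
```

Both rules illustrate the slide's caveat: they fire only on the patterns someone anticipated and wrote down, and the window and count parameters decide whether a travelling user or a forgetful one is reported.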
How to Protect the Assurances?
• Redundancy
  • Makes it harder to corrupt
  • Makes it easier to identify corruption
  • May make it easier to locate the corruption
• Explicit redundancy: add to network or data
  • Tags and attributes
  • Input/output validation
• Implicit redundancy: already in the network
  • Anonymous – timing
  • Private – network attributes
  • Content – privacy and easily evaded
  • Per-protocol or general properties
    – State-machine compliance?
    – Frame format?
Two Keys to Protection
Prevention
• Define multiple layers
  • Define behavior of each layer, including resources
  • Enforce each behavior
  • Prohibit actions that may compromise the behavior
• Examples
  • IP DDoS does not affect ATM integrity
  • Replay of short-lifetime HTTP cookies is traceable
  • Link-layer marking
  • Ingress/egress filtering
  • End-to-end coordination
Detection
• Identify correct behavior
• Reinforce or augment
  • Redundancy
    – Format (protocol)
    – Augmentation (tags)
    – Validations
• Characterize activities
• Recognize anomalies
  • Unusual transit duration, route, or augmentation
  • Item – invalid packet header
  • Aggregate – bad path or invalid protocol sequence
  • Honeypot traces
Explicit Redundancy – Protection
• Content transformation
  • SSL
  • Cookies
• Protocol hardening against adversarial “errors”
  • IPSec
  • Invalid session properties (e.g. stale keys, invalid context or content) may indicate attack
• Packet augmentation
  • Security labels
  • Properties inherited from ingress
  • Requirements incumbent upon egress
  • Min/max trust and validation of information flow¹
• Management at Ingress/Egress
  • Interaction with authentication and multiple domains
Implicit Redundancy – Detection
• Packet
  • Well-formed packets (protocol-compliant)
  • Well-defined packets (service behavior)
  • Source, destination, format
    – May validate endpoints and actions
• Traffic profile
  • Acquire by observation of usage
  • Statistical model – “distinctive characteristics (packet size, timing) … not on connection contents”
    – Resists encryption, and preserves privacy
    – Database of representative samples
  • Does the traffic profile fit the source/destination profiles?
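The traffic-profile idea above, as an added example (not the speaker's code): a statistical profile of packet size and inter-arrival timing is learned per source/destination pair from observed packets, and later packets are scored against it without looking at payload, so the check behaves the same on encrypted traffic. The packet samples, addresses and the z-score threshold are constructed assumptions.

```python
"""Content-independent traffic profiling: packet size and inter-arrival timing only.

Added example, not the speaker's code. A profile is learned per (source,
destination) pair from observed packets, then new packets are scored against
it: a packet is out of profile if its size, or the gap since the previous
packet of the same pair, is more than `z` standard deviations from the learned
mean. Payloads are never inspected. Sample packets are constructed; addresses
and thresholds are assumptions.
"""
import statistics
from collections import defaultdict

# Constructed baseline observation: (time_s, src, dst, size_bytes) for one bulk transfer.
BASELINE = [
    (0.00, "10.0.0.1", "10.0.0.2", 1400), (0.02, "10.0.0.1", "10.0.0.2", 1420),
    (0.05, "10.0.0.1", "10.0.0.2", 1380), (0.07, "10.0.0.1", "10.0.0.2", 1410),
    (0.10, "10.0.0.1", "10.0.0.2", 1390), (0.12, "10.0.0.1", "10.0.0.2", 1400),
    (0.15, "10.0.0.1", "10.0.0.2", 1415), (0.17, "10.0.0.1", "10.0.0.2", 1385),
]
# Later samples for the same pair: one that looks like the baseline and one that does not.
NORMAL = [(1.00, "10.0.0.1", "10.0.0.2", 1405), (1.02, "10.0.0.1", "10.0.0.2", 1395),
          (1.05, "10.0.0.1", "10.0.0.2", 1410)]
ANOMALOUS = [(2.000 + 0.001 * i, "10.0.0.1", "10.0.0.2", 64) for i in range(4)]


def _sizes_and_gaps(packets):
    """Split a time-ordered packet list into size and inter-arrival sequences."""
    sizes = [p[3] for p in packets]
    times = [p[0] for p in packets]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return sizes, gaps


def learn(packets):
    """Build {(src, dst): profile} with mean/std of size and inter-arrival gap."""
    by_pair = defaultdict(list)
    for p in sorted(packets):
        by_pair[(p[1], p[2])].append(p)
    profiles = {}
    for pair, plist in by_pair.items():
        sizes, gaps = _sizes_and_gaps(plist)
        profiles[pair] = {
            "size_mean": statistics.mean(sizes),
            "size_std": statistics.stdev(sizes) if len(sizes) > 1 else 0.0,
            "gap_mean": statistics.mean(gaps) if gaps else 0.0,
            "gap_std": statistics.stdev(gaps) if len(gaps) > 1 else 0.0,
        }
    return profiles


def _z(value, mean, std):
    return abs(value - mean) / max(std, 1e-9)  # a zero-variance profile tolerates no deviation


def fit(profile, packets, z=3.0):
    """Fraction of packets (0.0..1.0) whose size or inter-arrival gap falls outside the profile."""
    sizes, gaps = _sizes_and_gaps(sorted(packets))
    out = 0
    for i, size in enumerate(sizes):
        bad = _z(size, profile["size_mean"], profile["size_std"]) > z
        if i > 0:  # the first packet of a sample has no gap to score
            bad = bad or _z(gaps[i - 1], profile["gap_mean"], profile["gap_std"]) > z
        out += bad
    return out / len(sizes) if sizes else 0.0


if __name__ == "__main__":
    prof = learn(BASELINE)[("10.0.0.1", "10.0.0.2")]
    print("normal sample out-of-profile fraction:", fit(prof, NORMAL))
    print("anomalous sample out-of-profile fraction:", fit(prof, ANOMALOUS))
```

The learned profile is the “database of representative samples” on the slide; the returned fraction is what a detector would compare against a per-pair threshold before raising the “does the traffic fit?” question to an operator.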
General Technique
• Collect traffic and audit information
  • Protocol analysis
  • Various sensors
    – Content-independent sensors may work even on encrypted data
    – State-based sensors evaluate the trustworthiness of the connection path
    – State-free sensors operate without change to firewall or network element
• Compute patterns of misuse or abuse
• Recognize patterns of a possible attack
  • Previously observed or predicted attack patterns
  • Uncharacteristic changes in predicted performance
Information to Collect
• Audit information
  • Management information bases (MIBs) and logs
  • After-the-fact analysis of traffic artifacts
• Historical information
  • Recognition of previously used contents, such as serial numbers, someone else’s password, etc.
  • Strength of evidence follows the strength of the content source
• Distributed
  • Exchange data on suspected intrusions (IETF IDWG)
  • Information from IP authentication systems
Information to Compute
• Attack signatures
  • Hard problem – needs attack models to organize data
  • Attacks are often distributed – requires coordination
  • ISS publishes about 350 RealSecure signatures at http://www.iss.net
    – Backdoors
    – Denial of Service
    – Distributed Denial of Service
    – OS Sensor
    – Suspicious Activity
    – Unauthorized Access Attempts
  • Only three detect RIP attacks on routing
  • None of the published signatures mention streaming, VoIP, MPEG, Quality of Service, or attacks on OSPF
Detailed Taxonomy
Knowledge-based
• Expert systems; Signature analysis
• Petri nets; State-transition analysis
Behavior-based
• Statistics; Expert systems
• Neural networks; “User Intention” model
Source: IBM RZ 3176 (# 93222), 10/25/99, Computer Science/Mathematics (23 pages). “A Revised Taxonomy for Intrusion-Detection Systems” by Hervé Debar, Marc Dacier, Andreas Wespi
Information Collection Tools
• Tcpdump
• Bro
• NetMon
• Snort
All can use rules
Protocol Monitoring
• Validate appropriate traffic flows:
  • Multiple granularities of description
  • Recognize change from the behavior
    – Activation/deactivation of connections
    – Correlation/evaluation of connection attributes
• How
  • Protocol scrubbing [INFOCOM 2000]
  • State machines for correct protocol flow
    – Error states for erroneous traffic
  • Pattern recognition
  • Simulation/validation of expected behaviors
    – Does the expected response follow, or something else?
ASAX and RUSSEL
(RUle-baSed Sequence Evaluation Language)
• Stateful event detection
• Correlation of events across multiple hosts
  • consolidate intrusion evidence from several scattered sources and correlate them intelligently at a central location.
[Diagram: Internet – ISP – Router – FW-1 – FUNDP Univ. network, with a Sniffer feeding ASAX; ASAX runs RUSSEL rules (declarative language, automata) detecting e.g. SYN-Flood, IP spoof, Port Scan, Host Scan, etc.]
Source: Aziz Mounji, [email protected]
RUSSEL – ASAX
[Diagram: event stream Evt1, Evt2 … Evtn over time feeds rules Rule1(uid) … Rulek(x,y) (stateful detection, interface with C); automatic actions – disable account, log to file, SNMP traps, email security administrator, exec any command, send event to manager]
What if Alert?
• Block offending traffic sources
• Terminate suspicious processes
• Coordinate with multiple domains
  • Intruder Detection and Isolation Protocol (IDIP)
    – Trace
    – Report
    – Directive
    (discovery coordinator)
Products
(Names changing all the time)
• Boundary controllers
  • NAI Gauntlet, ARGuE, MPOG, etc.
  • Secure Computing Sidewinder
• Detectors
  • Axent, Cisco
  • SRI Emerald expert-system
  • NAI CyberCop
  • ISS RealSecure
  • NFR www.nfr.net
    – Event-based traffic analysis, pattern matching, aggregation and adaptation
  • SUNY, Bro, CIDF, IDIAN, DPF packet filter compiler …
Vendors and Products – Tivoli Compatibility
Source: RZ 3253 (# 93299), 06/26/00, Computer Science (45 pages). “Integration of Host-based Intrusion Detection Systems into the Tivoli Enterprise Console”, Christian Gigandet (IBM Research, Zurich Research Laboratory)
Cisco Intrusion Detection System
• NetSonar (Scanner)
• NetRanger (Monitor)
The Cisco Secure IDS includes two components: Sensor (renamed NetSonar) and Director (renamed NetRanger). Cisco Secure IDS Sensors, which are high-speed network "appliances," analyze the content and context of individual packets to determine if traffic is authorized.
ISS
• RealSecure
  • Network engine resides on a PC, monitors network transmissions for “signs of abuse and attack”
  • About 350 attack signatures currently published
[Diagram labels: Attack Recognition, Platform Support, Active Response, Response, Signature Definition, Management Programming, Data Acquisition]
APIs solve top 4 problems
• ID module embedded in router/switch/firewall:
  – Processor provides most of the analysis.
  – Speed. Hardware assist with packet classification provides wire-speed intrusion detection.
  – Security is painful. Shrink-wrap ID engine – easy to install, easy to manage with relatively low cost.
• ID module as an ASIC:
  – Evaluates all incoming and outgoing traffic for intrusions across all ports
  – Switching. Monitors heavily routed or switched networks at the most heavily-trafficked network junctions.
  – Speed. May also address speed issues by embedding ID in higher-performance hardware.
• ID module running on adapter card:
  – ID as a true design component. Installed on networking backplane, e.g. multi-gigabit switch. Probably only way to handle
  – Switching. Embedded in high-performance network device allows access to all packets at single location.
  – Speed. Wire-speed intrusion detection.
• ID module embedded in host protocol stack:
  – Attached to protocol stack above encryption layer.
  – Encryption. Allows intrusion detection to exist in the presence of encrypted traffic while still providing adequate value.
CyberSafe Centrax
Summary
• Maintain integrity:
  • Per layer
  • Per slice (protocol)
• Validate packets
  • Ingress/egress counters
• Squelch attack sources that do not comply with reasonable usage
  • Test carefully to ensure it is not a new application
  • Streaming media is not a UDP attack!
• Measure and understand “flow” properties
  • Recognize statistically significant variation from these path properties
Backup Slides
A bit more formality
A glimpse at some academic research
General Network Model
(circumscribes problem domain)
• G = (V, E)
• Path = {Vin, {Ej}, {Vj}, … {Ek}, {Vk}, {El}, {Vout}}
• Path consists of vertices and edges
• Edges E:
  • Propagate signal
• Vertices V:
  • Receive signal
  • Compute output
  • Emit signal
Network Model
• Edges (links)
  • Signal propagation
  • Impairments due to random noise
    – Redundancy manages noise, fade or analog error
    – Detect and correct by protocols through algebraic redundancy
• Vertices (routers/switches)
  • Aggregate bits into packet
  • Classify and enqueue packet
    – Packet type and priority (UDP? TCP? ICMP? RSVP?)
    – Loss due to load variation and queue size
    – Detect and correct by redundant payload or retransmission
  • Dequeue packet
    – Data packet: compute output as f(packet, control)
    – Control packet: modify control as f(packet, control)
Vertex Control Function
f(packet, control)
• Data packet:
  • Pure IP: f(packet, control) is nearly the identity function
    – modify TTL, next hop, etc.
  • Proxy or active protocol: f(packet, control) is not the identity
    – Augment packets in more complex “custom” ways
• Control packets:
  • Routing: static or dynamic
  • Resource: modify resources, e.g. queues, priorities
  • Behavior: modify function, e.g. classifier, marking, etc.
Monitoring Entity Signatures
• Entity output descriptions
  • Compute usage signatures (local and complete)
    – Entity to neighbors
    – Entity to endpoints
• Entity input descriptions:
  • Receivers compute signature of received data
• Comparisons
  • Entities exchange signatures (or log centrally)
  • Anomaly detected from signature mismatches
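The entity-signature comparison on this slide, worked through on the G = (V, E) path model of the preceding slides. This is an added example, not the speaker's code: every vertex keeps a running digest of what it emitted to each neighbour and what it received from each, the source and destination also keep an endpoint-to-endpoint digest, and comparing the two kinds of signature tells a link fault apart from a vertex that altered what it forwarded. The three-node path, the packets and the corruption function are constructed.

```python
"""Entity output/input signatures for locating where a packet stream was altered.

Added example, not the speaker's code. Each vertex keeps a running SHA-256
over the bytes it emitted to each neighbour (and, at the source, to the
endpoint) and over the bytes it received from each neighbour (and, at the
destination, from the source). Comparing a sender's output signature with the
receiver's input signature per hop localises corruption on a link; an
end-to-end mismatch with all per-hop signatures intact means some vertex
changed the data it forwarded. Topology, packets and fault models are
constructed for this example.
"""
import hashlib


class Entity:
    def __init__(self, name, transform=None):
        self.name = name
        self.transform = transform or (lambda payload: payload)  # f(packet): identity for a pure forwarder
        self._sent = {}      # peer -> running hash of bytes emitted to that peer
        self._received = {}  # peer -> running hash of bytes received from that peer

    @staticmethod
    def _update(table, peer, payload):
        h = table.setdefault(peer, hashlib.sha256())
        h.update(len(payload).to_bytes(4, "big") + payload)  # length prefix keeps packet boundaries

    def note_sent(self, peer, payload):
        self._update(self._sent, peer, payload)

    def note_received(self, peer, payload):
        self._update(self._received, peer, payload)

    def sig_sent(self, peer):
        return self._sent[peer].hexdigest() if peer in self._sent else None

    def sig_received(self, peer):
        return self._received[peer].hexdigest() if peer in self._received else None


def deliver(path, packets, link_fault=None):
    """Carry each packet along `path`; link_fault=(hop_index, fn) corrupts bytes on that link."""
    src, dst = path[0], path[-1]
    for packet in packets:
        src.note_sent("endpoint:" + dst.name, packet)
        cur = packet
        for i, (a, b) in enumerate(zip(path, path[1:])):
            a.note_sent(b.name, cur)
            wire = link_fault[1](cur) if link_fault and link_fault[0] == i else cur
            b.note_received(a.name, wire)
            cur = b.transform(wire)  # the vertex computes its output from what it received
        dst.note_received("endpoint:" + src.name, wire)


def compare(path):
    """Return (hops whose signatures disagree, end-to-end mismatch flag)."""
    src, dst = path[0], path[-1]
    bad_hops = [(a.name, b.name) for a, b in zip(path, path[1:])
                if a.sig_sent(b.name) != b.sig_received(a.name)]
    end_to_end = src.sig_sent("endpoint:" + dst.name) != dst.sig_received("endpoint:" + src.name)
    return bad_hops, end_to_end


def localize(bad_hops, end_to_end):
    if bad_hops:
        return "corrupted on link " + ", ".join(f"{a}->{b}" for a, b in bad_hops)
    if end_to_end:
        return "modified inside a vertex"
    return "clean"


# Constructed packets and a one-byte corruption used for both fault models.
PACKETS = [b"GET /wine HTTP/1.0", b"POST /order HTTP/1.0", b"keep-alive"]


def flip_first_byte(payload):
    return bytes([payload[0] ^ 0xFF]) + payload[1:]


def scenario(kind):
    """kind: 'clean', 'link' (noise on A->B) or 'vertex' (B alters what it forwards)."""
    a = Entity("A")
    b = Entity("B", transform=flip_first_byte if kind == "vertex" else None)
    c = Entity("C")
    deliver([a, b, c], PACKETS, link_fault=(0, flip_first_byte) if kind == "link" else None)
    return localize(*compare([a, b, c]))


if __name__ == "__main__":
    for kind in ("clean", "link", "vertex"):
        print(kind, "->", scenario(kind))
```

Only the digests travel to the comparison point, so the exchange (or the central log on the slide) never needs the packet contents; the vertex case is the one a per-hop check alone would miss, which is why the slide lists both “entity to neighbors” and “entity to endpoints” signatures.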
JiNao – Protect Link-State Routing
[Diagram: Router/OS Kernel with routing protocols OSPF, EIGRP and BGP, each with its RIB, feeding the FIB (“Where should I forward this packet?”); SNMPv3 Engine and Originator; JiNao components – Interception Module, Prevention Module, Info. Abst. Module, Protocol Engine, Detection Module (Statistical Analysis, Protocol Analysis), Decision Module, IDS MIB; Network]
Finite state machine with timing analysis verifies validity of OSPF actions, and guards against any intrusion – even one with “valid” security credentials
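A sketch of the finite state machine with timing analysis named on this slide, which also serves the Protocol Monitoring slide's “state machines for correct protocol flow / error states for erroneous traffic” item. This is an added example, not JiNao's or the speaker's code: each OSPF action from a neighbour is accepted only if that neighbour is in a state where the action is legitimate, and hello timing is checked against the configured intervals, so a packet is flagged on protocol-flow grounds regardless of whether it carried acceptable credentials. The state set is deliberately reduced (DOWN, INIT, TWO_WAY, FULL, with one database-description exchange standing in for ExStart/Exchange/Loading); HelloInterval and RouterDeadInterval are the OSPF defaults, the minimum hello gap is an assumed policy value, and the event trace is constructed.

```python
"""Simplified OSPF neighbour state machine with timing checks.

Added example, not JiNao's code or the speaker's. The state set is reduced to
DOWN, INIT, TWO_WAY and FULL (a single database-description exchange stands in
for ExStart/Exchange/Loading), so this is a monitor sketch, not a conformant
OSPF implementation. HelloInterval and RouterDeadInterval are the OSPF
defaults; the minimum hello gap is an assumed policy value; the event trace
is constructed.
"""
from dataclasses import dataclass
from typing import Optional

HELLO_INTERVAL = 10.0               # OSPF default HelloInterval, seconds
DEAD_INTERVAL = 40.0                # OSPF default RouterDeadInterval, seconds
MIN_HELLO_GAP = HELLO_INTERVAL / 4  # assumed policy: hellos arriving faster than this are suspicious


@dataclass
class Neighbor:
    state: str = "DOWN"
    last_hello: Optional[float] = None


class NeighborMonitor:
    """Tracks one router's view of its neighbours and records protocol-flow errors."""

    def __init__(self):
        self.neighbors = {}
        self.errors = []  # (time, router id, description)

    def _expire(self, nbr, now):
        # Inactivity timer: no hello within RouterDeadInterval drops the neighbour to DOWN.
        if nbr.state != "DOWN" and nbr.last_hello is not None and now - nbr.last_hello > DEAD_INTERVAL:
            nbr.state = "DOWN"

    def event(self, t, rid, kind):
        """kind: 'hello' (does not list us), 'hello2way' (lists us), 'dbd', 'lsu'. Returns new state."""
        nbr = self.neighbors.setdefault(rid, Neighbor())
        self._expire(nbr, t)
        if kind in ("hello", "hello2way"):
            if nbr.last_hello is not None and t - nbr.last_hello < MIN_HELLO_GAP:
                self.errors.append((t, rid, "hello interval too short"))
            nbr.last_hello = t
            if kind == "hello2way":
                if nbr.state in ("DOWN", "INIT"):
                    nbr.state = "TWO_WAY"
            else:
                nbr.state = "INIT"  # HelloReceived from DOWN, or 1-WayReceived from a higher state
        elif kind == "dbd":
            if nbr.state == "TWO_WAY":
                nbr.state = "FULL"  # simplified: one DBD exchange completes the adjacency
            elif nbr.state != "FULL":
                self.errors.append((t, rid, f"DBD before 2-way (state {nbr.state})"))
        elif kind == "lsu":
            if nbr.state != "FULL":
                self.errors.append((t, rid, f"LSU from non-adjacent neighbor (state {nbr.state})"))
        else:
            self.errors.append((t, rid, f"unknown packet type {kind}"))
        return nbr.state


# Constructed trace: R2 forms an adjacency normally, R3 sends an update without any adjacency,
# R2 then sends hellos far too quickly, and later an update after its adjacency has timed out.
TRACE = [
    (0.0, "R2", "hello"), (10.0, "R2", "hello2way"), (11.0, "R2", "dbd"),
    (20.0, "R2", "hello2way"), (25.0, "R2", "lsu"),
    (30.0, "R3", "lsu"),
    (30.0, "R2", "hello2way"), (31.0, "R2", "hello2way"),
    (80.0, "R2", "lsu"),
]


def run(trace=TRACE):
    """Replay a trace; return (errors, final state per neighbour)."""
    mon = NeighborMonitor()
    for t, rid, kind in trace:
        mon.event(t, rid, kind)
    return mon.errors, {rid: n.state for rid, n in mon.neighbors.items()}


if __name__ == "__main__":
    errors, states = run()
    for e in errors:
        print(e)
    print(states)
```

Three of the nine events in the trace are rejected: R3's update arrives with no adjacency at all, R2's second hello within one second breaks the timing rule, and R2's final update comes after its dead interval has expired. None of these checks looks at authentication fields, which is the point of the slide's last line.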