IDS Research & Teaching

Research Introduction
Dr. C. Henry Tseng
Assistant Professor
NTPU CSIE
UC Davis CS PhD
Outline
• Past Research: Intrusion Prevention for MANET
– Intrusion Detection for MANET
– Automatic Response for MANET
• Current NSC Research
– Intrusion Prevention for VANET
– Botnet Research
– Web application Defense
– Botnet Communication Detection
• Work Experience:
– McAfee IntruShield: Packet and Thread analysis, DDoS Defense
– Cisco IOS OSPF DE: Role of Cisco DE, Major IOS OSPF features
– Telcordia Applied Research: Vehicular Network Application Platform
Intrusion Prevention Overview
• Intrusion Prevention
– Intrusion Detection + Automatic Response
• Intrusion Detection
– Threat and Vulnerability Analysis
– Detection Approach
– Alarm and Recovery
• Automatic Response
– Cooperative Response
– Cost Sensitive Response
Intrusion Prevention for MANETs
• Specification based Intrusion Detection
• DEMEM:
– Distributed Evidence-driven Message Exchanging Model for
intrusion detection in MANETs
• Automatic Response System (ARS) for MANETs
– Intrusion Prevention = IDS + ARS
• Three publications in the top IDS symposium
– RAID (Recent Advances in Intrusion Detection)
Mobile Ad hoc Network (MANET)
• No base stations
• Node: Host + Router
Threats in MANET
• Fundamental Assumptions of MANET
– Nodes are cooperative
– Nodes are honest
• Vulnerable characteristics
– Wireless channel
– Mobile dynamic network topology
– Fully distributed environment
MANET Routing Attack Model
• Drop packets
– Limited damage
– Detect by trained statistical profile
• Forge forwarded routing message
– Including forge identity
– Public key based authentication can prevent it
• Forge originated routing message
– Difficult to detect due to mobility
– This is our target
Intrusion Detection Approaches
• Signature based detection
– Known attack patterns
– “0” day detection
• Statistical based detection
– Data mining
– Statistical profile
• Anomaly based detection
– Detection by rules or policies
Specification based Approach
• Describe normal behavior of target protocol
• Point out vulnerable message fields
• Demonstrate potential attack methods
• Develop detection engines to prevent attacks
• Develop distributed message exchange framework
Optimized Link State Routing (OLSR)
• Link state routing: Similar to OSPF
• Multipoint Relays (MPR)
– Subset of 1-hop neighbors reaching all 2-hop neighbors.
– Reduce flooding packets
[Figure: example topology showing the MPR set of A and the MPR selectors of B, C and D]
Routing Attack Methods in OLSR
• Attacker is message originator
– Forge 1-hop neighbors in a Hello
– Forge MPRs in a Hello
– Forge MPR selectors in an initiated TC
• Attacker is message forwarder
– Forge MPR selectors in a forwarded TC
Detection Constraints
First constraint (C1): Neighbors in Hello messages must be reciprocal
Second constraint (C2): MPRs must reach all 2-hop neighbors
Third constraint (C3): MPR selectors must match corresponding MPRs
Fourth constraint (C4): Fidelity of forwarded TC messages must be maintained
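As an added example (not DEMEM's own code), the following Python checks constraints C1, C2 and C3 over a constructed set of OLSR Hello and TC messages: each Hello is modelled as a neighbor set plus an MPR set, each TC as an MPR-selector set; the node names, that message layout and the function names are assumptions. The forged sample reproduces two of the attack methods listed above (a forged 1-hop neighbor in a Hello and forged MPR selectors in an originated TC). C4 needs the original and forwarded copies of a TC and is not shown.

```python
"""Specification-based checks for OLSR control messages (constraints C1-C3).

Added example, not the DEMEM implementation: the message layout (Hello as a
neighbor set plus an MPR set, TC as an MPR-selector set), the node names and
the function names are assumptions. The topology below is constructed.
"""


def check_c1_reciprocal(hellos):
    """C1: if A advertises B as a neighbor, B's own Hello must advertise A."""
    violations = []
    for a in sorted(hellos):
        for b in sorted(hellos[a]["neighbors"]):
            # Only judge where the detector holds B's Hello as evidence.
            if b in hellos and a not in hellos[b]["neighbors"]:
                violations.append(("C1", a, b))
    return violations


def two_hop_neighbors(node, hellos):
    """Strict 2-hop neighborhood of node, derived from its neighbors' Hellos."""
    one_hop = hellos[node]["neighbors"]
    reached = set()
    for n in one_hop:
        if n in hellos:
            reached |= hellos[n]["neighbors"]
    return reached - one_hop - {node}


def check_c2_mpr_coverage(hellos):
    """C2: the MPR set a node announces must cover all of its 2-hop neighbors."""
    violations = []
    for node in sorted(hellos):
        covered = set()
        for mpr in hellos[node]["mprs"]:
            if mpr in hellos:
                covered |= hellos[mpr]["neighbors"]
        missing = two_hop_neighbors(node, hellos) - covered
        if missing:
            violations.append(("C2", node, tuple(sorted(missing))))
    return violations


def check_c3_selectors(hellos, tcs):
    """C3: every MPR selector claimed in a TC must have chosen that node as MPR."""
    violations = []
    for node in sorted(tcs):
        for selector in sorted(tcs[node]):
            if selector in hellos and node not in hellos[selector]["mprs"]:
                violations.append(("C3", node, selector))
    return violations


def run_checks(hellos, tcs):
    """All violations, C1 first, then C2, then C3."""
    return (check_c1_reciprocal(hellos)
            + check_c2_mpr_coverage(hellos)
            + check_c3_selectors(hellos, tcs))


def honest_sample():
    """Constructed topology A-B, A-C, B-D, C-D, B-E; every node announces truthfully."""
    hellos = {
        "A": {"neighbors": {"B", "C"}, "mprs": {"B"}},  # B alone reaches both D and E
        "B": {"neighbors": {"A", "D", "E"}, "mprs": {"A"}},
        "C": {"neighbors": {"A", "D"}, "mprs": {"A"}},
        "D": {"neighbors": {"B", "C"}, "mprs": {"B"}},
        "E": {"neighbors": {"B"}, "mprs": {"B"}},
    }
    # TC(X) lists the MPR selectors of X, i.e. the nodes that chose X as MPR.
    tcs = {"A": {"B", "C"}, "B": {"A", "D", "E"}}
    return hellos, tcs


def forged_sample():
    """Same topology, but D forges a 1-hop neighbor (A) in its Hello and
    forges MPR selectors (A and C) in a TC it originates."""
    hellos, tcs = honest_sample()
    hellos["D"] = {"neighbors": {"A", "B", "C"}, "mprs": {"B"}}
    tcs["D"] = {"A", "C"}
    return hellos, tcs


if __name__ == "__main__":
    print("honest:", run_checks(*honest_sample()))
    print("forged:", run_checks(*forged_sample()))
```

The forged Hello from D is caught by C1 because A's own Hello does not list D, and the forged TC(D) is caught by C3 because neither A nor C announced D as an MPR; a node that drops B from its MPR set while still having 2-hop neighbors only B can reach would instead trip C2.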
DEMEM Architecture
(Distributed Evidence-driven Message Exchanging Intrusion detection Model)
[Figure: DEMEM node architecture between the routing layer and the IP layer. The detector acts as an intrusion detection layer processing incoming and outgoing routing messages; detectors validate routing messages from neighbors (Intrusion Detection), exchange ID messages with local neighbors, and authenticate ID messages (Message Authentication).]
ID Messages in OLSR
[Figure: nodes S, A and B exchanging ID-Evidence, ID-Forward and ID-Request messages]
• ID-Evidence: Supply OLSR evidence for 2-hop neighbors
• ID-Forward: Trigger selected forwarders to send ID-Evidence
• ID-Request: Ask for retransmission of ID-Evidence in case of message loss
Detection and Recovery
• Exchange routing evidence
• Detect fake routing information
• Remove fake routing info from control messages
• Recalculate correct routing table
Man in the middle Attack
[Figure: nodes 1-9; node 6 originates a forged TC(6) = {1,5,7,9,3,8} while its correct TC(6) = {1,5,7,3,8}; nodes 1, 5 and 7 correct their tables and send the correct TC(6)]
Automatic Response Models for MANETs
• Cooperative Automatic Response model
– Distributed agents exchange local alarms and raise global alarm
• Intrusion Alarm Validation
– Temporary coordinator
– An ARS Protocol that gathers local alarms and raises global
alarms
– Prevent false/fake alarms
• Cost-Sensitive Intrusion Responses
Response Architecture
[Figure: mobile nodes, each running an IDS agent and an ARS agent]
Distributed and cooperative: each node has detection and response agents deployed.
Intrusion Alarm Validation
• Local Alarm – direct Observation
• AREQ (Alarm Request) – Handling loss of local alarm messages
• Global Alarm – indirect Observation
Cost-Sensitive Approach
• Attack Damage
– Attack Damage Index (ADI)
• Response Cost
– Topology Dependency Index (TDI)
• Response Cost < Attack Damage
– Compare TDI and ADI
Adaptive Isolation
• Compare ADI with TDI
– ADI >> TDI: isolate the attacker
– ADI << TDI: relocate first and then isolate
• Adaptive Isolation
– Isolate the attacker only when ADI > 2 * TDI
– If an attacker is isolated, it loses its 2-way connection
– ADI is only for a 1-way connection
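The following Python is an added example of the cost-sensitive decision, not the ARS implementation. The slides do not define how ADI and TDI are computed, so the TDI below is an assumed stand-in (the share of node pairs whose shortest path gets longer or disappears once the attacker is cut out), the ADI values are constructed, and the graphs and node names are constructed; only the decision rule (isolate when ADI > 2 * TDI, otherwise relocate first) comes from the slide.

```python
"""Cost-sensitive response: compare attack damage (ADI) with the topology's
dependency on the attacker (TDI) before isolating it.

Added example, not the ARS code. TDI here is an assumed stand-in for the
slides' topology dependency index; ADI values and graphs are constructed.
"""
from collections import deque
from itertools import combinations


def hops(graph, src, dst, excluded=frozenset()):
    """BFS hop count from src to dst avoiding excluded nodes; None if unreachable."""
    if src == dst:
        return 0
    seen = {src}
    queue = deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in graph[node]:
            if nxt in seen or nxt in excluded:
                continue
            if nxt == dst:
                return dist + 1
            seen.add(nxt)
            queue.append((nxt, dist + 1))
    return None


def topology_dependency_index(graph, attacker):
    """Assumed TDI in [0, 1]: fraction of other node pairs whose best path
    degrades (longer or lost) when the attacker is removed from the network.
    This is the response cost: isolating a node everyone routes through hurts."""
    others = sorted(n for n in graph if n != attacker)
    pairs = list(combinations(others, 2))
    dependent = sum(
        1 for a, b in pairs
        if hops(graph, a, b) != hops(graph, a, b, excluded={attacker})
    )
    return dependent / len(pairs) if pairs else 0.0


def choose_response(adi, tdi, factor=2.0):
    """Adaptive isolation rule from the slides: isolation cuts a 2-way link
    while ADI counts 1-way damage, so isolate only when ADI > factor * TDI;
    otherwise relocate traffic away from the attacker first, then isolate."""
    return "isolate" if adi > factor * tdi else "relocate-then-isolate"


def ring_with_shortcut():
    """Constructed: 6-node ring A-B-C-D-E-F-A plus attacker X adjacent to A and D.
    X only shortens the A-D path, so the topology barely depends on it."""
    graph = {n: set() for n in "ABCDEFX"}
    for a, b in ["AB", "BC", "CD", "DE", "EF", "FA", "AX", "XD"]:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def cut_vertex():
    """Constructed: A-X-B, so every A-B path runs through attacker X."""
    return {"A": {"X"}, "X": {"A", "B"}, "B": {"X"}}


if __name__ == "__main__":
    adi = 0.5  # constructed damage index on a 0..1 scale
    for name, graph in (("ring+shortcut", ring_with_shortcut()), ("cut vertex", cut_vertex())):
        tdi = topology_dependency_index(graph, "X")
        print(f"{name}: TDI={tdi:.3f} -> {choose_response(adi, tdi)}")
```

With the same damage estimate, the attacker on the ring is isolated at once (1 of 15 pairs depends on it), while the cut-vertex attacker is not: isolating it would cost the whole network its only path, so traffic is relocated first.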
Current Research
Current NSC Projects
• Intrusion Prevention for VANETs
– NCKU: 2 PhD & 2 MS students from Prof. Laih’s team
– IPS of AODV, OLSR, VADD by following works of RAID papers
– 3 years (Co-PI), New PI will be NCKU Prof. 林輝堂
• May be reduced to 1 year due to changing PI
• Botnet
– Testbed@NCKU: 1 year (3rd year)
– Web application Defense: 1 year
– Botnet Communication Detection (new proposal)
– NTPU: 4 MS, 15 BS students, 14 PCs
Intrusion Detection for VANETs
• New detection model for VANETs
– Apply specification based approach to protect routing establishing
process
• Target Protocols
– AODV, OLSR: for urban VANETs
– VADD: Protecting Intersection Mode
VANET Simulation Experiment
• VANET mobility trace generation
– MOVE
• MOVE+Ns2
– VADD: 1 PhD thesis
• MOVE+GlomoSim
– AODV: 1 PhD thesis
– OLSR: Rewriting RAID papers
AODV IPS
• Issues
– Tracing dynamic on-demand request flooding messages
– Deploying in a fully distributed environment
– Message overhead
– False positives
– Message delay
• Modeling IPS
– Tracing mechanism
– FSM of AODV IPS algorithm & deployment architecture
– Attack model & scenario
– Experiment & overhead measurement
VADD IPS
• VADD Analysis
– LVADD
– DVADD
– HVADD
• Modeling
– Extended FSM modeling for VADD
– FSM of IPS algorithm
– Attack model scenario
– Experiment & overhead measurement
Testbed@NCKU
• Emulab from Utah U.
– 200 nodes, freely swapped in & out
– Running on the NCHC network, 3rd year project
– Having several good sample research projects
– About 10 professors involved
• Issues
– Closed network environment
• cannot connect to real C&C
– Not for regular fixed servers
Our solutions
• Active & passive malware collection
– Collecting the latest samples from TANET & HiNet
– Building malware database & fixed testbed
• Botnet replay mechanism for testbed
– Build network replay of botnet malware
– Build test & replay tools for testbed
Passive Malware Collection
• Nepenthes
– Same as NCHC
– Running since this summer
• Current results
– No output from the campus network due to IPS
– HiNet DSL installed since October
– Two samples per day from DSL
Active Malware Collection
• Migration from NCTU NBL
– Lots of samples at the NCTU beta site
– Most of them are new and not detected by anti-virus programs for the first 1-2 weeks
• Integrating into NTPU NSL Lab
– Spam mail module: rewrote 2/3 of the code to integrate with the NTPU spam mail database
– P2P module: cannot work on the campus network due to IPS policy
Solution: collect malware from the DSL link
– Integration work will be done this month; lots of results are expected
Replay botnet at Testbed@NCKU
• Build network replay of botnet malware
– Test malware at HiNet
• Build PCAP files for replay
– Differentiate botnet malware
• by active network traffic toward C&C
• Build test & replay tools for testbed
– Replay tools for PCAP files
– Replay traffic between bot & C&C
Web application Defense
• Spec based IPS for web application
– Selecting a target web application
– Dealing with XSS attacks by spec based approach
• Collect Botnet malware against web applications
• Testing Wireless Application Firewall (WAF)
– Deploy spec based IPS as rule at WAF
Botnet Communication Detection
• New NSC proposal
– Survey Guofei Gu & Wenke Lee’s works
• BotHunter, BotSniffer, BotMiner
– Based on the botnet collection & analysis testbed
• C&C protocol profiling
– FSM profile of C&C protocols
• IRC botnet
• HTTP botnet
– Hybrid of rule-based and statistical profiles
– Detect C&C communication in real traffic
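As an added example of the "FSM profile plus statistical profile" idea for an IRC-style C&C channel (not BotHunter, BotSniffer or BotMiner code), the Python below runs a small protocol FSM over a session (the rule part) and then scores how regularly channel commands arrive once the session has joined (the statistical part). The log format, the session lines, the states, the regularity measure (coefficient of variation of inter-command intervals) and the thresholds are all assumptions.

```python
"""Hybrid C&C profiling for an IRC-style session: a protocol FSM (rule part)
plus a timing statistic (statistical part).

Added example of the approach outlined on the slides, not BotHunter,
BotSniffer or BotMiner code. The session lines are constructed; the states,
the regularity measure and the thresholds are assumptions.
"""
import statistics

# Rule part: which (state, direction, command) advances the session FSM.
# 'C' is client-to-server, 'S' is server-to-client.
TRANSITIONS = {
    ("INIT", "C", "NICK"): "NICK_SENT",
    ("NICK_SENT", "C", "USER"): "REGISTERED",
    ("REGISTERED", "C", "JOIN"): "JOINED",
}
CHANNEL_COMMANDS = {"PRIVMSG", "TOPIC"}  # server-side lines carrying channel text


def parse_line(line):
    """Constructed log format: '<seconds> <C|S> <irc line>' -> (t, direction, command)."""
    t, direction, irc = line.split(" ", 2)
    words = irc.split()
    # Server lines carry a ':prefix' before the command; client lines do not.
    command = words[1] if words[0].startswith(":") else words[0]
    return float(t), direction, command.upper()


def profile_session(lines, cv_threshold=0.2, min_commands=3):
    """Return (fsm_ok, interval_cv, suspicious) for one session."""
    state = "INIT"
    command_times = []
    for line in lines:
        t, direction, command = parse_line(line)
        # Unknown commands and numerics leave the state unchanged.
        state = TRANSITIONS.get((state, direction, command), state)
        if state == "JOINED" and direction == "S" and command in CHANNEL_COMMANDS:
            command_times.append(t)
    fsm_ok = state == "JOINED"
    intervals = [b - a for a, b in zip(command_times, command_times[1:])]
    cv = None
    if len(intervals) >= 2 and statistics.mean(intervals) > 0:
        cv = statistics.pstdev(intervals) / statistics.mean(intervals)
    # Assumed profile: completed the join FSM and then received channel
    # commands with near-constant spacing, i.e. beacon-like rather than chat-like.
    suspicious = (fsm_ok and len(command_times) >= min_commands
                  and cv is not None and cv < cv_threshold)
    return fsm_ok, cv, suspicious


# Constructed sessions (timestamps in seconds since the TCP connection opened).
BOT_SESSION = [
    "0.0 C NICK x7f3a9",
    "0.1 C USER x7f3a9 0 * :x7f3a9",
    "0.5 S :irc.example.test 001 x7f3a9 :Welcome",
    "1.0 C JOIN #ch",
    "61.0 S :op!op@c2.example.test PRIVMSG #ch :status",
    "121.0 S :op!op@c2.example.test PRIVMSG #ch :status",
    "181.0 S :op!op@c2.example.test PRIVMSG #ch :status",
    "241.0 S :op!op@c2.example.test PRIVMSG #ch :status",
]
HUMAN_SESSION = [
    "0.0 C NICK alice",
    "0.1 C USER alice 0 * :Alice",
    "0.5 S :irc.example.test 001 alice :Welcome",
    "1.0 C JOIN #linux",
    "5.0 S :bob!bob@host PRIVMSG #linux :hi alice",
    "47.0 S :carol!carol@host PRIVMSG #linux :anyone seen the patch?",
    "130.0 S :bob!bob@host PRIVMSG #linux :yes",
    "131.0 S :bob!bob@host PRIVMSG #linux :link incoming",
]
NO_JOIN_SESSION = [
    "0.0 C NICK dave",
    "0.1 C USER dave 0 * :Dave",
    "0.5 S :irc.example.test 001 dave :Welcome",
    "9.0 S :erin!erin@host PRIVMSG dave :hello",
]

if __name__ == "__main__":
    for name, session in (("bot", BOT_SESSION), ("human", HUMAN_SESSION), ("no join", NO_JOIN_SESSION)):
        print(name, profile_session(session))
```

The FSM alone would flag both IRC users and bots (both register and join), and the timing statistic alone would flag any periodic server traffic; only a session that satisfies both the protocol profile and the statistical profile is marked, which is the point of the hybrid.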
Work Experience
McAfee IntruShield
• IntruVert Networks Inc.
– Invented IntruShield; established in 2000
– McAfee acquired it in 2003 for USD 100M
• Major features
– Network signature based IDS for ISPs
– Supports 4 Gbps traffic; monitors each connection
• Development teams
– Embedded System Team
– Intrusion Detection Team (IDT)
– I was in IDT during 2001.7 – 2002.6
– 2002.7 first release 1.0
Language for Intrusion Detection
• Written in XML
– Define language syntax by DTD
– Define detection behavior by XML
• Protocol Spec FSM in XML
– Define protocol header parsing state machine
– Define field name for data retrieval
• Attack Signature in XML
– Define attack patterns by protocol field names
[Figure: HTTP request parsing FSM with transitions on ‘?’ and ‘=’]
HTTP Analysis FSM
• HTTP Message field
– (Protocol)-(Command)-uri-path
• Valid in “In uri” state
– (Protocol)-(Command)-uri-query-params
• Valid in “In param” state
• HTTP Attack Signature
– http-req-uri-path = "\.php3$"
– http-req-uri-query-params = PHP_AUTH_USER=boogieman
– Whitehats ids206
• Allows login to the Phorum 3.0.8 web page without a password
SNMP Analysis FSM
[Figure: SNMP varbind encoded as Type-Length-Value, with a nested Type-Length-Value for the value]
• Message field
– (Protocol)-(Command)-(Field Type)-field: Value State
– (Protocol)-(Command)-(Field Type)-length: Length State
• Attack Signature
– snmp-set-varbind-object-id-field = 1.3.6.1.2.1.1.5.0
– snmp-set-varbind-value-field-length > 256
– Buffer overflow attack against the data field of the SNMP MIB DB: ID = 1.3.6.1.2.1.1.5.0
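As an added example of the XML-based signature idea on the previous three slides (not IntruShield's signature language or its DTD), the Python below defines a small signature document with an internal DTD, extracts protocol fields the way the HTTP and SNMP parsing FSMs would name them, and matches the two slide signatures (the Phorum PHP_AUTH_USER query and the oversized SNMP SET varbind for OID 1.3.6.1.2.1.1.5.0). The element names, the DTD, the operators, the field extractors and the sample messages are assumptions and constructed input.

```python
"""Protocol-field attack signatures in XML, matched against parsed messages.

Added example of the idea on the slides, not IntruShield's language or DTD:
element names, the DTD, the field extractors and the matcher are assumptions.
The two signatures encode the HTTP and SNMP examples from the slides; the
sample request and varbinds are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed signature document; the internal DTD defines the syntax.
# ElementTree parses the internal subset but does not validate against it.
SIGNATURES_XML = r"""<!DOCTYPE signatures [
  <!ELEMENT signatures (signature+)>
  <!ELEMENT signature (condition+)>
  <!ATTLIST signature id CDATA #REQUIRED protocol CDATA #REQUIRED note CDATA #IMPLIED>
  <!ELEMENT condition EMPTY>
  <!ATTLIST condition field CDATA #REQUIRED op (eq|regex|gt) #REQUIRED value CDATA #REQUIRED>
]>
<signatures>
  <signature id="http-phorum-auth-bypass" protocol="http" note="Whitehats ids206">
    <condition field="http-req-uri-path" op="regex" value="\.php3$"/>
    <condition field="http-req-uri-query-params" op="regex"
               value="(^|&amp;)PHP_AUTH_USER=boogieman(&amp;|$)"/>
  </signature>
  <signature id="snmp-sysname-overflow" protocol="snmp" note="oversized value for 1.3.6.1.2.1.1.5.0">
    <condition field="snmp-set-varbind-object-id-field" op="eq" value="1.3.6.1.2.1.1.5.0"/>
    <condition field="snmp-set-varbind-value-field-length" op="gt" value="256"/>
  </signature>
</signatures>
"""

# Operators a <condition> may use; the value is always the XML attribute string.
OPERATORS = {
    "eq": lambda field, value: str(field) == value,
    "regex": lambda field, value: re.search(value, str(field)) is not None,
    "gt": lambda field, value: float(field) > float(value),
}


def load_signatures(xml_text):
    """Return [(id, protocol, [(field, op, value), ...]), ...]."""
    root = ET.fromstring(xml_text)
    signatures = []
    for sig in root.iter("signature"):
        conditions = [(c.get("field"), c.get("op"), c.get("value")) for c in sig.iter("condition")]
        signatures.append((sig.get("id"), sig.get("protocol"), conditions))
    return signatures


def http_request_fields(request_line):
    """Stands in for the HTTP parsing FSM: text before '?' is the path
    ('In uri' state), text after it is the query ('In param' state)."""
    _method, target, _version = request_line.split(" ", 2)
    path, _sep, query = target.partition("?")
    return {"http-req-uri-path": path, "http-req-uri-query-params": query}


def snmp_set_varbind_fields(varbinds):
    """One field dict per varbind of an SNMP SET, from (oid, value bytes)."""
    return [
        {"snmp-set-varbind-object-id-field": oid,
         "snmp-set-varbind-value-field-length": len(value)}
        for oid, value in varbinds
    ]


def match(signatures, protocol, fields):
    """IDs of signatures whose conditions all hold on the extracted fields."""
    hits = []
    for sig_id, proto, conditions in signatures:
        if proto != protocol:
            continue
        if all(f in fields and OPERATORS[op](fields[f], v) for f, op, v in conditions):
            hits.append(sig_id)
    return hits


def demo():
    """Run both signatures over constructed hit and non-hit messages."""
    sigs = load_signatures(SIGNATURES_XML)
    http_hit = match(sigs, "http", http_request_fields(
        "GET /phorum/login.php3?PHP_AUTH_USER=boogieman HTTP/1.0"))
    http_ok = match(sigs, "http", http_request_fields(
        "GET /phorum/login.php3?PHP_AUTH_USER=alice HTTP/1.0"))
    snmp_hit = [match(sigs, "snmp", f) for f in snmp_set_varbind_fields(
        [("1.3.6.1.2.1.1.5.0", b"A" * 300)])]
    # Normal-length sysName, and a long value for a different OID: neither matches.
    snmp_ok = [match(sigs, "snmp", f) for f in snmp_set_varbind_fields(
        [("1.3.6.1.2.1.1.5.0", b"router1"), ("1.3.6.1.2.1.1.6.0", b"x" * 300)])]
    return http_hit, http_ok, snmp_hit, snmp_ok


if __name__ == "__main__":
    print(demo())
```

Matching on named protocol fields rather than on raw bytes is what lets the same signature fire regardless of where the parameter sits in the query string, and lets the SNMP rule key on the decoded length of one varbind instead of a packet-wide byte pattern.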
Summary
• McAfee IntruShield
– Successful high speed gateway IDS
– Still available in the market
• IDS language
– Based on XML & DTD
– Describe packet header analysis behavior
• Prototype of IDS industry
– Need to improve its Intrusion Response system
Cisco IOS OSPF
• Cisco IOS
– 80% of Cisco products, 60% of high end routers
– Huge embedded system based on FreeBSD
– Pure C, single process and Heap
• OSPF
– Major routing protocol (and BGP)
• IOS OSPF
– Support major Cisco routing features
Major Feature (1)
• High Availability
– Duplicate router in hot standby
– Take over master router without traffic loss
• Related Features
– Stateful Switchover
– Non-Stop Forwarding
– IETF Graceful Restart
– Bidirectional Forwarding Detection
Major Feature (2)
• Virtual Routing Forwarding (VRF)
– Supports several virtual networks
– Separated routing tables and processes (MultiTopology Routing (MTR))
– Work with BGP/MPLS/LDP
Cisco IOS Debug
• Network debug
– Enable necessary debugs
• Memory debug
– Single process, Single heap
• Regression test
– Ensure quality of original features
• Reproduce bugs
– Difficult for bugs reported by customers
Telcordia Research
• Formerly Bellcore
– Created from Bell System in 1984
– 1800 US patents: caller ID, DSL, ATM, 3G
• Applied Research
– Service provider contracts
– Government projects
– Cooperate with III and ITRI
Rudolph: Telematics Application Solution
Fleet Management Application Service (FMAS):
FMAS is a complete fleet management solution.
It provides task management service and
communication interface. Managers can trace
drivers, vehicles, and task schedules in real time.
Context Aware Application Service (CAAS):
CAAS provides personal tracking services to
children and elders for safety reason, such as realtime monitoring, personal mobility analysis, geofence protection, and behavior report.
Core Telematics Platform (CTP):
CTP is the core communication center of the
Telematics system. It offers GUIs for
administrators and coordinates the
communications between administrators, service
modules, and data sensors.
Metro Transit Telematics Application Platform
[Figure: platform components: Joint Service Agent; Bus Tracing; Statistics & Audit; Bus Arrangement; Bus Fleet Management; Bus Telematics Service Interface; 3rd Party Data Exchange; Bus Data Input; Bus Schedule Search; Service Management]
On-Board Diagnostics (OBD)
• OBD II
– Standard interface of the vehicle's self-diagnostic system
– Access state-of-health information for various vehicle sub-systems
• Implementation
– ELM 327
– Diagnosis software
• Application
– Remote vehicle health monitoring and management
Project Quality Management
• CMMI level 3
– CMM level 5
• Telcordia project documents
– Project plan, test plan, requirement, design, test cases,
deployment
• Traceability
– Linking deliverables, requirements, designs, test cases,
deployment by numbers