Distributed Network Intrusion Detection
An Immunological Approach
Steven Hofmeyr
Stephanie Forrest
Patrik D’haeseleer
Dept. of Computer Science
University of New Mexico
Albuquerque, NM
{steveah, forrest, patrik}@cs.unm.edu
http://cs.unm.edu/~steveah/research.html
Introduction
• Intrusion detection:
– Assume that systems are not secure.
– Attempt to detect violations of security policy (intrusions) by monitoring and analyzing system behavior.
– Construct a model of normal behavior and look for deviations from the model (anomaly detection).
• Building the model (defining self):
– TCP/IP traffic over a broadcast LAN.
– Based on Network Security Monitor (NSM).
• Every computer on the network should participate in IDS:
– Distributed detection
– Use negative-selection algorithm
• Diversity of protection:
– Permutation masks
Background: Defining Self
• NSM: Network Security Monitor (UC Davis)
  [Mukherjee et al., Network Intrusion Detection, IEEE Network, pp. 26-41, 1994]
• [Figure: a broadcast LAN with an internal host and an external host, 10.10.10.2 and 20.20.20.5; the connection between them is summarized as the datapath triple (10.10.10.2, 20.20.20.5, ftp)]
• The right approach:
  – Anomaly detection
  – Sparsely connected graph
  – Normal patterns reasonably stable
  – Attackers highly likely to perturb graph
• Disadvantages:
  – Heavyweight
  – Single point of failure
  – Not scalable
The Biological Viewpoint
• Self (proteins) = normal datapath triples
• Nonself (proteins) = triples generated during an attack
• Universe = Self ∪ Nonself
• Anomaly detection:
  – Detection system trained on self
  – Detection system classifies new triples as self (normal) or nonself (anomalous)
• NSM: a single monolithic detector matching self (positive detection)
How the Immune System Distributes Detection
• Immune system: many small detectors matching nonself (negative detection).
• Advantages of distributed negative detection:
  – Localized (no communication costs)
  – Scalable
  – Tunable
  – Robust (no single point of failure)
  – Negative selection algorithm minimizes false positives
The Negative Selection Algorithm
1. Randomly generate a detector string.
2. Does the detector string match self?
3. If no: accept it as a valid detector. If yes: reject it and go to 1 (regenerate).
Results in a set of valid detectors.
Applying Negative Detection to Network Traffic
• Representation:
  – SYN packet triples mapped to 49-bit strings
• Generalized detection:
  – Partial matching with the r-contiguous bits rule: two strings match if they agree in at least r consecutive bit positions (r=4 in the example below).
    Triple        Detector      Result
    0110100101    1110111101    Match (bits 2-5 agree)
    0100110100    1110111101    No match (longest agreeing run is 3 bits)
• Consequences of partial matching:
  – Advantage: lightweight (few detectors per host)
  – Disadvantage: holes limit detection (nonself strings that no detector can match without also matching self)
Overcoming Holes
• Problem: Holes limit detection for any partial match rule.
• Solution: A different permutation mask for each host. Each host permutes the bit positions of every string before matching, so the set of holes differs from host to host.
• Result: In the broadcast network, detection is limited only by the intersection of all hosts' hole sets.
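The three preceding slides (negative selection, r-contiguous matching, per-host permutation masks) as one runnable Python example. This is an added illustration, not the authors' LISYS code. The slides give only the 49-bit total: the field layout in `triple_to_bits`, the value r=12, the number of hosts and detectors, the sample self set and the scan traffic are all constructed assumptions; the two 10-bit match examples from the slide are reused as-is.

```python
"""Negative selection with the r-contiguous-bits rule and per-host permutation
masks.  Constructed example illustrating the slides; not the authors' code."""
import ipaddress
import random
from typing import List, Sequence, Set, Tuple

STRING_BITS = 49  # the slides give only this total; the field widths below are assumed


def triple_to_bits(internal_last_octet: int, external_ip: str, port: int, incoming: bool) -> str:
    """Encode a datapath triple as a 49-bit string.

    Assumed layout (not on the slides): 8-bit internal host (low octet of a
    class C subnet), 32-bit external IPv4 address, 8-bit service, 1 direction
    bit.  Only well-known ports below 256 fit the assumed 8-bit service field."""
    if not 0 <= internal_last_octet < 256 or not 0 <= port < 256:
        raise ValueError("field out of range for the assumed encoding")
    ext = int(ipaddress.IPv4Address(external_ip))
    return f"{internal_last_octet:08b}{ext:032b}{port:08b}{int(incoming):01b}"


def r_contiguous_match(a: str, b: str, r: int) -> bool:
    """True if a and b agree in at least r contiguous bit positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def apply_mask(bits: str, mask: Sequence[int]) -> str:
    """Permute bit positions; each host has its own mask, so its holes differ."""
    return "".join(bits[i] for i in mask)


def negative_selection(self_set: Set[str], n_detectors: int, r: int,
                       mask: Sequence[int], rng: random.Random) -> List[str]:
    """Steps 1-3 of the slide: generate random detectors, keep those matching no self string."""
    permuted_self = [apply_mask(s, mask) for s in self_set]
    detectors: List[str] = []
    while len(detectors) < n_detectors:
        cand = "".join(rng.choice("01") for _ in range(STRING_BITS))
        if not any(r_contiguous_match(cand, s, r) for s in permuted_self):
            detectors.append(cand)  # accept; a match would mean reject and regenerate
    return detectors


def detected(bits: str, detectors: Sequence[str], r: int, mask: Sequence[int]) -> bool:
    """A host flags a string if any of its detectors matches the permuted string."""
    p = apply_mask(bits, mask)
    return any(r_contiguous_match(p, d, r) for d in detectors)


def build_hosts(self_set: Set[str], n_hosts: int, n_detectors: int, r: int,
                seed: int = 1) -> List[Tuple[List[int], List[str]]]:
    """One permutation mask and one detector set per host on the broadcast LAN."""
    rng = random.Random(seed)
    hosts = []
    for _ in range(n_hosts):
        mask = list(range(STRING_BITS))
        rng.shuffle(mask)
        hosts.append((mask, negative_selection(self_set, n_detectors, r, mask, rng)))
    return hosts


def coverage(strings: Sequence[str], hosts, r: int) -> dict:
    """Strings detected by each host, and by at least one host.

    A string missed by every host lies in the intersection of the hosts' hole
    sets; distinct masks shrink that intersection, so any_host >= max(per_host)."""
    per_host = [sum(detected(s, d, r, m) for s in strings) for m, d in hosts]
    any_host = sum(any(detected(s, d, r, m) for m, d in hosts) for s in strings)
    return {"per_host": per_host, "any_host": any_host}


# Constructed self set: a few normal triples on an imaginary LAN (not real traffic).
SELF = {
    triple_to_bits(5, "20.20.20.5", 21, False),
    triple_to_bits(5, "20.20.20.5", 80, False),
    triple_to_bits(7, "20.20.20.5", 25, True),
    triple_to_bits(7, "30.30.30.1", 80, False),
}
R = 12  # assumed match length for 49-bit strings
HOSTS = build_hosts(SELF, n_hosts=5, n_detectors=100, r=R)

# Constructed nonself: an unseen external host probing several services on several internal hosts.
SCAN = [triple_to_bits(h, "203.0.113.9", p, True) for h in (5, 7, 9) for p in (21, 23, 25, 80)]

if __name__ == "__main__":
    print("self strings flagged by any host:", coverage(sorted(SELF), HOSTS, R)["any_host"])
    print("scan coverage:", coverage(SCAN, HOSTS, R))
```

Negative selection guarantees that no training-set string is ever flagged, so the `any_host` count for `SELF` is zero by construction; the scan numbers vary with the seed, but the per-host totals never exceed the union across hosts, which is the point of giving every host its own mask.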
Experimental Setup
• UNM CS subnet of 50 machines on a switched segment.
– 100 49-bit string detectors per machine
• Training set (self):
– Collected over 43 days
– 1 266 000 TCP SYN packets
– 3763 unique binary self strings
• Normal test set (supposedly self):
– Collected over 7 days
– 182 629 TCP SYN packets
– 626 unique binary self strings
• Abnormal test set (nonself):
– 8 different incidents, 7 real occurrences, 1 synthetic
– Real abnormal behavior includes: massive portscanning, limited
probing, address-space probing, local host compromise
– Synthetic: 200 random connections between internal (LAN) hosts
Experimental Results
• Normal is reasonably stable.
  [Figure omitted: EPS image saved without a preview]
• Low false positives:
  – P(false positive per self string) = 0.000304
  – 55 strings flagged, but only 10 unique
  – Effectively: under 2 false alarms per day
• High detection rates with few detectors:
  – 100% successful detection: 8 out of 8 abnormal incidents detected
  – Only 100 detectors per host
• Permutation masks improve detection:
  – Up to an order of magnitude improvement
  – Overcomes hole limitation
The Problem of Incomplete Self Sets
(Suppose the training set is incomplete.)
• Activation threshold:
  – A detector is not activated on every match.
  – It must have exceeded x matches before activation.
  – No time horizon: matches accumulate for as long as the detector lives.
  – Helps with stealth attacks (distributed in time).
  – Reduced false positives by an order of magnitude.
• Adaptive activation:
  – Tune local activation thresholds dynamically.
  – Whenever a detector matches its first pattern, the activation threshold for that computer is reduced by 1.
  – Has a time horizon (the threshold gradually returns to its default value).
  – Hypothesized to help with distributed coordinated attacks.
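The activation-threshold and adaptive-activation rules on this slide as a small runnable model, added here as an illustration (not the authors' code). The slide says only that the threshold "gradually returns to default"; the 3600-second horizon after which a reduction lapses, the default threshold of 10, the detector names and the four match streams are constructed assumptions.

```python
"""Activation thresholds and adaptive activation for a host's negative detectors.
Constructed example illustrating the slide; not the authors' LISYS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Event = Tuple[int, str]  # (time in seconds, id of the detector that matched)


@dataclass
class Host:
    default_threshold: int = 10  # x on the slide: matches a detector needs before activation
    adaptive: bool = True
    horizon: int = 3600          # assumed: seconds for which one threshold reduction stays in force
    matches: Dict[str, int] = field(default_factory=dict)  # per-detector counts; never expire
    activated: Set[str] = field(default_factory=set)
    reductions: List[int] = field(default_factory=list)    # times of first matches still in force
    alarms: List[Event] = field(default_factory=list)

    def threshold(self, now: int) -> int:
        """Current local threshold: default minus the reductions still within the horizon."""
        if not self.adaptive:
            return self.default_threshold
        self.reductions = [t for t in self.reductions if now - t < self.horizon]
        return max(1, self.default_threshold - len(self.reductions))

    def on_match(self, now: int, detector: str) -> None:
        count = self.matches.get(detector, 0) + 1
        self.matches[detector] = count          # no time horizon: old matches still count
        if count == 1 and self.adaptive:
            self.reductions.append(now)         # a detector's first match lowers the host threshold by 1
        if count >= self.threshold(now) and detector not in self.activated:
            self.activated.add(detector)
            self.alarms.append((now, detector))


def run(events: List[Event], **host_kwargs) -> List[Event]:
    """Replay a match stream through one host; return its (time, detector) alarms."""
    host = Host(**host_kwargs)
    for now, detector in sorted(events):
        host.on_match(now, detector)
    return host.alarms


# Constructed match streams (seconds; one day = 86400 s).
ONE_OFF = [(0, "d1")]                                      # a single stray match
STEALTH = [(day * 86400, "d2") for day in range(10)]       # one match per day for ten days
COORDINATED = [(5 * k, f"d{k + 1}") for k in range(10)]    # ten detectors matched once each, 5 s apart
SLOW_SWEEP = [(7200 * k, f"d{k + 1}") for k in range(10)]  # same ten detectors, 2 h apart

if __name__ == "__main__":
    for name, stream in [("one-off", ONE_OFF), ("stealth", STEALTH),
                         ("coordinated", COORDINATED), ("slow sweep", SLOW_SWEEP)]:
        print(f"{name:12} fixed: {run(stream, adaptive=False)}  adaptive: {run(stream)}")
```

In this model the stealth stream fires on day 9 with or without adaptation because match counts have no horizon, the coordinated burst fires only under adaptive activation (nine first matches drive the host threshold down to 1), and spreading the same ten first matches two hours apart lets each reduction lapse before the next arrives, so the burst is no longer detected. That last case is the trade-off a deployer has to tune with the horizon.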
Experimental Results: Intrusions With and Without Permutation Masks

Anomaly signal per incident (column assignment reconstructed from the slide layout: the permutation / no permutation pair sits under threshold 1, and threshold 10 is a single column):

Incident   | Fraction nonself | Threshold 1, permutation | Threshold 1, no permutation | Threshold 10
Phear      | 1.00 | 1.00 | 0.50 | 0.09
Cartan     | 0.44 | 0.44 | 0.43 | 0.34
Dt03ln93   | 0.17 | 0.17 | 0.16 | 0.16
Xtream     | 0.62 | 0.62 | 0.59 | 0.61
Cougar     | 0.58 | 0.53 | 0.49 | 0.54
Sauron     | 0.10 | 0.09 | 0.09 | 0.10
Pc35nl     | 1.00 | 0.84 | 0.43 | 1.00
Synthetic  | 0.94 | 0.33 | 0.01 | 1.00
Experimental and Theoretical Results: Permutation Masks Overcome the Hole Limit
[Figure omitted: EPS image saved without a preview]
Pushing the Immune Metaphor
• The analogy thus far:
– Distributed networks and immunology
– Combining negative detection and network
intrusion detection
– Diversity via permutation masks
• For the future:
– Distributed generation of detectors
– Dynamic detector sets
– Adaptation and memory (misuse detection)