Information Fusion

By Ganesh Godavari
Outline of Talk
• Problem Definition
– Attack Types
• Correlation Solutions
• OSSIM
• Work Status
Problem Definition
• Fusion of intrusion detection data from various sensors distributed over a geographic area. Attack events are interval-based (recall Degrading Denial of Service).
• Note: fusion is possible only if data can be correlated at both the sensor and the intermediary nodes.
Possible Attack Scenarios
Syn Attack
• Cause: a vulnerability in some TCP/IP stack implementations.
• How does it work: the program sends TCP SYN packets in large numbers and never completes the TCP handshake. This leaves a large backlog of half-open connections and degrades the performance of the machine.
• Result: system performance may slow down.
Contd..
Ping Flood
• Cause: a vulnerability in some operating systems.
• How does it work: an attacker can use a scanner that pings a system to find out more about the network, or can use a tool to send a large number of pings in an attempt to "flood" the network and create a denial of service condition.
• Result: system performance may slow down.
Contd..
UDP Flood Attack
• Cause: the connectionless nature of the UDP protocol.
• How does it work: the attacker sends a UDP packet to a random port on the victim system. On receiving the UDP packet, the OS determines which application is waiting on the destination port. If no application is waiting on that port, an ICMP (destination unreachable) packet is generated and sent to the source address.
• Result: system performance may slow down.
Correlation Techniques
• Correlation of attacks
– Similarities between event attributes
• E.g. srcIP, dstIP
• Cannot detect non-obvious attacks (need to check for temporal relationships!!)
– Known attack scenarios
• E.g. the “gesundheit!” signature of the Stacheldraht DoS tool
– Preconditions and consequences of individual attacks
• E.g. “a port-scan is performed on a machine to check for vulnerable ports before an attack is launched on those ports”
Qualitative Temporal Relationships
• Non-obvious patterns among events can be represented using temporal relationships between interval-based events.
• Listed on the next slide are the twenty-four relationships between intervals and 11 relationships between semi-intervals [1][2][3].
24 relations between Events
Relation | Meaning | Inverse Relation
e1 equal e2 | e1.begin_time == e2.begin_time and e1.end_time == e2.end_time | equal
e1 before e2 | e1.end_time < e2.begin_time | after
e1 meets e2 | e1.end_time == e2.begin_time | inv-meets
e1 overlaps e2 | e1.begin_time < e2.begin_time and e1.end_time < e2.end_time and e1.end_time > e2.begin_time | inv-overlaps
e1 during e2 | e1.begin_time > e2.begin_time and e1.end_time < e2.end_time | inv-during
e1 starts e2 | e1.begin_time == e2.begin_time and e1.end_time < e2.end_time | inv-starts
e1 finishes e2 | e1.begin_time > e2.begin_time and e1.end_time == e2.end_time | inv-finishes
e1 older (than) e2 | e1.begin_time < e2.begin_time | younger (than)
e1 head-to-head e2 | e1.begin_time == e2.begin_time | head-to-head
e1 survives e2 | e1.end_time < e2.end_time | survived-by
e1 tail-to-tail e2 | e1.end_time > e2.end_time | tail-to-tail
e1 precedes e2 | e1.end_time <= e2.begin_time | succeeds
e1 contemporary e2 | e1.begin_time < e2.end_time and e2.begin_time < e1.end_time | contemporary
e1 born-before-death e2 | e1.begin_time < e2.end_time | die-after-birth
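As an added example that is not part of the slides, the following Python classifier implements the 13 Allen interval relations using the same begin_time/end_time tests as the table, and applies them to the "port-scan before an attack" precondition from the Correlation Techniques slide. The Event fields, the PRECONDITION set and the sample alerts are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One interval-based alert: name, target, begin/end in seconds (values below are constructed)."""
    name: str
    dst_ip: str
    begin_time: int
    end_time: int

INVERSE = {"before": "after", "meets": "inv-meets", "overlaps": "inv-overlaps",
           "during": "inv-during", "starts": "inv-starts", "finishes": "inv-finishes"}

def allen_relation(e1: Event, e2: Event) -> str:
    """Name the relation from e1 to e2 with the begin_time/end_time tests in the table;
    for proper intervals (begin < end) exactly one of the 13 Allen relations holds."""
    assert e1.begin_time < e1.end_time and e2.begin_time < e2.end_time
    b1, t1, b2, t2 = e1.begin_time, e1.end_time, e2.begin_time, e2.end_time
    if b1 == b2 and t1 == t2:
        return "equal"
    if t1 < b2:
        return "before"
    if t1 == b2:
        return "meets"
    if b1 < b2 and t1 < t2 and t1 > b2:
        return "overlaps"
    if b1 > b2 and t1 < t2:
        return "during"
    if b1 == b2 and t1 < t2:
        return "starts"
    if b1 > b2 and t1 == t2:
        return "finishes"
    # No forward test held, so a forward relation holds from e2 to e1: report its inverse name.
    return INVERSE[allen_relation(e2, e1)]

# Assumed precondition test: the scan begins first and ends no later than the attack ends.
PRECONDITION = {"before", "meets", "overlaps"}

def scan_then_attack(alerts):
    """Pair each port-scan with attacks on the same target that it precedes."""
    scans = [a for a in alerts if a.name == "portscan"]
    attacks = [a for a in alerts if a.name != "portscan"]
    return [(s.name, a.name, allen_relation(s, a), a.dst_ip) for s in scans for a in attacks
            if s.dst_ip == a.dst_ip and allen_relation(s, a) in PRECONDITION]

# Constructed sample alerts shaped like parsed Snort alerts (not captured data).
SAMPLE = [Event("portscan", "10.0.0.9", 100, 160),
          Event("SYN flood", "10.0.0.9", 200, 500),   # scan before the flood: precondition holds
          Event("portscan", "10.0.0.8", 300, 340),
          Event("UDP flood", "10.0.0.8", 250, 600)]   # scan during the flood: not a precondition
```

Calling scan_then_attack(SAMPLE) reports only the first scan/flood pair; the second scan falls during its flood, so it cannot have been the attack's precondition.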
Open Source Security Information
Management
• The OSSIM project combines tools like
– snort, Spade, Ntop, mrtg …
– to provide a global picture of the IDS
• Correlation
– Sequence of events
• Create rules: if (recv event A then event B then event C) do { Action }
– Heuristic algorithm
• State variables
– “c” – level of compromise: the probability that the machine is compromised
– “a” – level of attack the system is subjected to
Correlation contd..
• A value is assigned to the C or A variable of a machine on the network according to three rules:
– If machine 1 attacks machine 2, the A of machine 2 and the C of machine 1 increase.
– If the attack is successful, then the value of C increases for both machine 1 and machine 2.
– If events are internal, then C increases for the originating machine.
Current Project Status
• Created a test-bed of 3 machines.
• Able to parse Snort alerts.
• Need to correlate/fuse the alerts generated during an hour before sending them to the intermediary nodes.
References
• [1] ALLEN, J. F. 1983. Maintaining Knowledge about Temporal Intervals. Commun. ACM 26, 11: 832–843, November 1983.
• [2] FREKSA, C. 1992. Temporal reasoning based on semi-intervals. Artif. Intell. 54, 199–227.
• [3] NING, P., JAJODIA, S. and WANG, X. S. 2001. Abstraction-based intrusion detection in distributed environments. ACM Trans. on Info. and System Security (TISSEC) 4, 407–452.