A Stateful Intrusion Detection System for World-wide Web Servers


A Stateful Intrusion Detection System for World-wide Web Servers
Vigna G, Robertson W, Kher V, Kemmerer R
Department of Computer Science
UC Santa Barbara
19th Annual Computer Security Applications Conference
December 08-12, 2003, Las Vegas, Nevada
Stateful IDS for Web Servers – Vigna G et al., 2003

Introduction
Motivation
- Large number of web servers
- Continuous disclosure of vulnerabilities in web servers – popular targets
- 2001-2002: 23% of computer vulnerabilities are web related


Introduction
- Intrusion Detection Systems (IDS): analyse input streams for manifestations of attacks
  - Stateless: examines each event in the input stream independently
  - Stateful: considers relationships between events and detects attacks based on event histories

Introduction
IDS
- Network-based:
  - Monitors network traffic and events
  - Does not consider application-level logic
  - Cannot detect attacks that depend on the configuration of the server application
- Application-based:
  - Processes the different stages of a client request
  - IDS tightly coupled to the web server and visible
  - Performance of the web server impacted

Introduction
IDS
- Anomaly detection:
  - Models of normal behavior
  - Compares log data with the normal models to detect abnormal patterns/activity
  - Detects previously unknown attacks
  - Large number of false positives

Introduction
IDS (Intrusion Detection System)
- Misuse detection:
  - Models of attack descriptions
  - Compares audit data with the modeled attacks for evidence of an attack
  - Detects only attacks that are modeled
  - Focused analysis for attack detection
  - Fewer false positives, so more popular

Introduction
Current IDS - limitations
- Simple pattern matching of HTTP requests
  - Buffer overflows not detected
  - Attacks involving multiple steps cannot be modeled
- Only detect trends in large sets of web-related events
- Focus on a single event stream (network log or server application log)
- Do not maintain histories of web requests

WebSTAT (IDS)
- Based on the STAT framework (State Transition Analysis Technique)
  - Complex multi-step attacks can be modeled using the STATL language
- Performs integrated analysis of multiple event streams: network and OS events/logs
- Modular, multi-threaded
- Application-independent runtime with components that deal with specific application domains
- More effective detection with fewer false positives
STAT framework
- Models attacks as transitions between security states of a system
- Supported by the STATL modeling language

STATL
- Describes events and attack scenarios with their relevant variables, e.g. the source of an HTTP request
- Events are defined by subclassing specific C++ classes of the STAT framework
- The classes are encapsulated in language extension modules and compiled into DLLs
- The events are then used in scenario descriptions, which are again compiled into DLLs

STATL
Attack scenario (diagram): State A --[transition: action/event]--> State B
- Each state is a snapshot of the system
- Example events: opening a TCP connection, execution of a CGI script
- Transition assertion: e.g. specify the port or the parameters
Transitions (diagram)
- Non-consuming: both states remain active (State A and State B)
- Consuming: only the destination state remains valid (State A -> State B)
- Unwinding: rollback to the previous state (State B -> State A)
STATL
- STATcore is the runtime for STATL
- The core implements the concepts of state, transition, instance, etc.
- It obtains events from logs/audits and matches them against the actions, transitions and attack scenarios

Event pipeline (diagram): events/logs -> event provider (translates the raw records) -> STATL extension (converts them to STAT events) -> incorporated into STATcore -> attack scenario analysis
WebSTAT
- Language extension module that defines web-specific events
- Event provider that parses web server logs and generates the corresponding events
- Modules for network and OS events
- A number of STATL scenarios to detect attacks against web servers
- Response modules to generate alerts

WebSTAT
#include <string>

// Web-specific event class defined in the WebSTAT language extension module;
// STAT_Event is the base event class provided by the STAT framework
class Request : public STAT_Event
{
public:
    std::string request;
    std::string userAgent;
    std::string encodedRequest;
    // ...  (further members elided on the slide)
};
WebSTAT
Counting scenario pattern:
- Integer parameters: threshold, alert_freq, inactivity_timeout
WebSTAT
- Web Crawler scenario: a file specifies which User-Agents are allowed
- Pattern Matching scenario: detects attacks embedded in a URL by pattern matching against a list of regular expressions
- Repeated Failed Access scenario: checks for multiple client errors; a counter records the number of times a failed request originated from a subnet
- Cookie Stealing scenario: records the initial use of a session cookie by a remote client by mapping the cookie to an IP address
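The counting scenario pattern (threshold, alert_freq, inactivity_timeout) applied to the Repeated Failed Access scenario, as an added Python example that is not code from the paper or from WebSTAT: it parses constructed Apache common-log lines and keeps one counter of 4xx responses per /24 subnet. The /24 key, the reading of alert_freq as "alert again every N further events", and the sample log lines are assumptions.

```python
import re
from datetime import datetime
# Regex for Apache common-log lines; the sample lines below are constructed, not from the paper
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (epoch seconds, client host, status) for one common-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m.group("host"), int(m.group("status"))

def subnet(host):  # /24 key; the slide only says "subnet", the /24 choice is an assumption
    return ".".join(host.split(".")[:3]) + ".0/24"
class CountingScenario:  # counting-scenario pattern: per-key counter with the three integer parameters
    def __init__(self, threshold, alert_freq, inactivity_timeout):
        self.threshold, self.alert_freq, self.inactivity_timeout = threshold, alert_freq, inactivity_timeout
        self.counters = {}  # key -> (count, time of last counted event)
        self.alerts = []    # (key, count, time) tuples

    def feed(self, ts, key):
        count, last = self.counters.get(key, (0, None))
        if last is not None and ts - last > self.inactivity_timeout:
            count = 0  # inactivity timeout: the scenario instance unwinds to its start state
        count += 1
        self.counters[key] = (count, ts)
        over = count - self.threshold
        # alert when the threshold is reached, then every alert_freq further events (our reading of alert_freq)
        if over == 0 or (over > 0 and over % self.alert_freq == 0):
            self.alerts.append((key, count, ts))

def repeated_failed_access(lines, threshold=3, alert_freq=2, inactivity_timeout=60):
    """Repeated Failed Access scenario: count 4xx client errors per source subnet."""
    sc = CountingScenario(threshold, alert_freq, inactivity_timeout)
    for line in lines:
        parsed = parse_line(line)
        if parsed and 400 <= parsed[2] < 500:
            sc.feed(parsed[0], subnet(parsed[1]))
    return sc.alerts

# Constructed sample log: five client errors from 10.0.5.0/24 within a minute, one more after a long gap
SAMPLE_LOG = [
    '10.0.5.1 - - [10/Oct/2003:13:55:00 +0000] "GET /cgi-bin/a HTTP/1.0" 404 209',
    '10.0.5.2 - - [10/Oct/2003:13:55:10 +0000] "GET /cgi-bin/b HTTP/1.0" 403 209',
    '192.168.1.9 - - [10/Oct/2003:13:55:12 +0000] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.5.3 - - [10/Oct/2003:13:55:20 +0000] "GET /admin HTTP/1.0" 404 209',
    '10.0.5.1 - - [10/Oct/2003:13:55:30 +0000] "GET /cgi-bin/c HTTP/1.0" 404 209',
    '10.0.5.1 - - [10/Oct/2003:13:55:40 +0000] "GET /cgi-bin/d HTTP/1.0" 404 209',
    '10.0.5.4 - - [10/Oct/2003:14:30:00 +0000] "GET /x HTTP/1.0" 404 209',
]
```

With the defaults, `repeated_failed_access(SAMPLE_LOG)` alerts at the third and fifth failure from 10.0.5.0/24; the failure 35 minutes later restarts the counter instead of alerting.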
WebSTAT
- Buffer Overflow scenario: the presence of binary data in a request, or an extremely long request, is treated as an attempt to exploit a buffer overflow
- Network- and application-level buffer overflow detection:
  - Examines the web server logs and the actual client requests
  - If binary data is found at the network level and there is no matching entry in the server log, the attack is considered successful
- Document Root Escape attack: illicit access to a file outside the web server's document root
  - Examines the web server log and OS audit records to detect file system access violations
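The two-stream Buffer Overflow check above, as an added Python example that is not the paper's or WebSTAT's own code: requests captured on the wire are flagged when they carry binary data or are extremely long, then correlated with the server log by client and timestamp; a flagged request with no log entry is the case the slide calls successful. The 1024-byte length limit, the 2-second match window and the sample data are assumptions.

```python
import re
from datetime import datetime, timezone

MAX_REQUEST_LEN = 1024   # "extremely long" is not quantified on the slide; this limit is an assumption
MATCH_WINDOW = 2         # seconds of clock slack between wire capture and log timestamp (assumption)
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[^"]*" \d{3} ')

def suspicious(raw):
    """Buffer Overflow scenario trigger: binary data in the request, or an extremely long request."""
    binary = any((b < 0x20 and b not in b"\t\r\n") or b > 0x7E for b in raw)
    return binary or len(raw) > MAX_REQUEST_LEN

def logged_events(log_lines):
    """(client host, epoch seconds) for every request the web server actually logged."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
            out.append((m.group("host"), ts))
    return out

def buffer_overflow_scenario(network_events, log_lines):
    """network_events: (client host, epoch seconds, raw request bytes) captured on the wire.
    Returns (client, verdict) per suspicious request: 'attempt' when the server logged a request
    from that client at about that time, 'possibly successful' when no log entry matches."""
    logged = logged_events(log_lines)
    verdicts = []
    for client, ts, raw in network_events:
        if not suspicious(raw):
            continue
        matched = any(h == client and abs(t - ts) <= MATCH_WINDOW for h, t in logged)
        verdicts.append((client, "attempt" if matched else "possibly successful"))
    return verdicts

# Constructed sample data (not from the paper): three wire-level requests, two of them logged by the server
T0 = datetime(2003, 10, 10, 13, 55, tzinfo=timezone.utc).timestamp()
NETWORK_EVENTS = [
    ("192.168.1.9", T0, b"GET /index.html HTTP/1.0\r\n\r\n"),                                 # benign
    ("10.0.5.1", T0 + 10, b"GET /cgi-bin/a?x=" + b"\x01\x02\xfe\xff" + b" HTTP/1.0\r\n\r\n"),  # binary, logged
    ("10.0.5.2", T0 + 20, b"GET /cgi-bin/b?x=" + b"A" * 2000 + b" HTTP/1.0\r\n\r\n"),          # long, not logged
]
SERVER_LOG = [
    '192.168.1.9 - - [10/Oct/2003:13:55:00 +0000] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.5.1 - - [10/Oct/2003:13:55:11 +0000] "GET /cgi-bin/a?x=\\x01\\x02\\xfe\\xff HTTP/1.0" 404 209',
]
```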
WebSTAT
Evaluation:
- Web server: Pentium IV, 1.8 GHz; OS: RedHat 8.0; Apache
- Clients: Pentium IV, 1.8 GHz; OS: RedHat 8.0
- Network: Intel EtherExpress 10/100 Ethernet cards, 100BaseT full-duplex, Cisco Catalyst 3500 XL switch
- Measurement: average throughput and response times of the web server with/without WebSTAT on the server
- With WebSTAT: slightly lower throughput, no change in response time
WebSTAT
CONCLUSIONS:
- WebSTAT operates on multiple event streams
- Supports more effective detection of web-based attacks with a reduced number of false positives
- IDS can be performed on high-performance servers in real time
THANKS!