01/04/2007 ecs236 Winter 2007: Intrusion Detection
Intrusion Detection #2: Explanation-based Anomaly Detection
Dr. S. Felix Wu, Computer Science Department, University of California, Davis
http://www.cs.ucdavis.edu/~wu/
What is an anomaly?
The observation of a target system is inconsistent, somewhat, with the expected conceptual model of the same system.
And this conceptual model can be ANYTHING: statistical, logical, or something else.
[Figure: statistical anomaly detection. Raw events update a long-term profile (with decay and clean steps); the detector computes the deviation from that profile and, subject to threshold control and timer control, performs alarm generation.]
[Figure: cognitive anomaly detection. Raw events update a cognitive profile (with decay and clean steps); an analyst, supported by an Information Visualization Toolkit, cognitively identifies the deviation and performs alarm identification.]
Challenge of AND (Anomaly Detection)
We know that the detected anomalies can be either true-positive or false-positive. We try our best to resolve the puzzle by examining all information available to us. But the "ground truth" of these anomalies is very hard to obtain, even with human intelligence. Practically, this might or might not be OK...
What is an anomaly?
[Figure: Events are compared against the Expected Behavior Model; the mismatch is what Anomaly Detection reports.]
The Challenge
[Figure: the same pipeline (Events, Expected Behavior Model, Anomaly Detection) with two additions: the Knowledge about the Target that shapes the model, and the False Positives & Negatives that result when that knowledge is incomplete.]
Problems with AND
We are not sure about whatever we want to detect... We are not sure either when something is caught... We are still in the dark, at least in many cases...
What is an anomaly?
[Figure: Events, Expected Behavior Model, Anomaly Detection, with Knowledge about the Target feeding the model.]
Model vs. Observation
[Figure: the Model on one side, the observation on the other; Anomaly Detection reports the conflicts between them as anomalies.]
It could be an attack, but it might well be a misunderstanding!!
Anomaly Explanation
[Figure: the Model feeds Anomaly Detection, whose output goes on to Anomaly Analysis and Explanation using EBL (explanation-based learning).]
Explaining both the attack and the normal behavior.
Explanation
[Figure: a Model (simulation or emulation) beside the Real World; the conflicts between the two are the anomalies. Events may be raw, logical, or stochastic.]
EXPAND
Good events go into the Model.
EXPAND
Good events go into the Model. Malicious events also go into the Model, as signatures (but only after an analysis process).
We want to put as much ground truth as possible into our model, and that means discovering the relationships among these events as well.
[Figure: the EXPAND loop. Observed system events feed SBL-based Anomaly Detection and model-based event analysis driven by the Model; these produce analysis reports; Example Selection picks cases for Explanation Based Learning, whose output is a model update back into the Model.]
AND and EXPAND
Anomaly Detection: Detect; Analysis and Explanation; Application.
Routing Protocol Framework: Information Model
[Figure: at the Application Layer, the routing protocols (OSPF, RIPv2, BGP4) maintain the Routing Information Base (RIB). At the Network Layer, the Forwarding Information Base (FIB) holds (Dest, NextHop, Routing Metrics) entries that the Forwarding Algorithm uses to make the Forwarding Decision for each NPDU header (Network Protocol Data Unit).]
Operation Model: Routing Information Exchange
[Figure: two routers exchanging routes.] "Hey, here is the routing information I got so far." "Hmm, some of them are obsolete. Here is my update."
Operation Model: Route Generation and Selection
Which algorithm should I use?? Distributed Dijkstra's algorithm or distributed Bellman-Ford algorithm?
[Figure: the Routing Information Base sits at the application layer, the Forwarding Information Base at the network layer.]
Routing
I want to know the shortest path, or simply "a path," from SRC to DST. Routers exchange local information!
Link State
[Figure: routers A, B and C, plus You and Your Neighbor; the (A, B) link-state record reaches every router by Flooding.]
You tell the whole world about your relationship with your neighbor.
Routing Information
Link State: I let the whole world know about my relationship with my neighbors. "(Felix, Neighbor-X) is up!"
Distance Vector: I let all my neighbors know about my relationship with the rest of the world. "(Felix can get to Remote-Y) in 5 hops."
Link-State
LSA and an LSA instance
An LSA is associated with a particular link or network, which is identified by its LS type, LS ID, and Advertising Router ID.
An LSA instance gives the state of a particular LSA at a particular time; instances are differentiated by LS sequence number, LS age, and LS checksum.
LS sequence number space: 0x80000000 is reserved, 0x80000001 is the initial value, 0x7FFFFFFF is the maximum.
LSA Format
Type (Hello, Link, Network, Summary); Advertising Router ID (Originator); Advertised Link or Network; Sequence Number.
RSA hardware is available, whereas MD5 is inherently hard to parallelize.
Prevention
LSA Originator Digital Signature (Perlman, Murphy/Badger, Smith/JJ)
Debatable concerns (OSPF working group): RSA is too expensive (about 1,000 times worse in signature verification with 512-bit keys); a PKI certificate is expensive; there are other routing infrastructure attacks that cannot be prevented by LSA digital signatures. (Cost/market concern.) Political and technical.
Can we do it without PKI?
Preventing compromised intermediate routers???
Can we detect the problem?
Authenticated LSAs, but the authentication information is kept until a session is over.
[Figure: an LSA ("This Link is UP!") carries a MAC and sequence number (MAC-Seq#); over one session the receiver accumulates K tuples of [MAC(i), Seq#(i)] per RtrID, authenticated with RSA/MD5.]
Prevention versus Detection
Prevention: pay a fixed price anyway, even when no bad guy exists.
Detection/Isolation: "hopefully" pay less when no bad guy exists; pay more when trying to isolate the bad guys.
In most cases, if something goes wrong, the advertising router will detect it and try to correct it. The bad guy has to persistently inject bad LSAs.
Self-stabilization protocols cannot handle continuous faults, but they force the attacker to perform only persistent attacks.
A Principle/Heuristic Rule of Intrusion Detection
Hit-and-Run Attacks: hard to detect/isolate. Inject one (or very few) bad packet causing permanent or long-term damage.
Persistent Attacks: the bad guy has to continuously inject attack packets.
Network Protocol/System Design
If we can force the attackers to launch only "persistent attacks," we have a better chance to detect and isolate the attack sources. OSPF flooding, for example, does a fairly good job. (Still need some formal/theoretical research work here...)
Attacks on OSPF/RFC
[Figure: the known attacks plotted as Persistent Attacks versus Hit-and-Run, with the Digital-Signature-Preventable Attacks marked; one entry is marked "?".]
One "sort-of" Hit-and-Run attack in the OSPFv2 RFC is the "External-Forwarding-Link LSA Attack," and it cannot be prevented by digital signature.
Attacks on OSPF/Implementation
[Figure: the same Persistent Attacks versus Hit-and-Run chart for the implementations.]
The MaxSeq# attack was a Persistent Attack in OSPF/RFC, but, with implementation bugs, it becomes a Hit-and-Run attack.
Results for OSPF:
According to the RFC, all the known Digital-Signature-preventable attacks can be efficiently detected. (There are no known Hit-and-Run OSPF attacks that can be prevented by PKI digital signature.)
According to the OSPF implementations, one such Hit-and-Run attack does exist.
Max-Sequence Number Attack
Block LSA updates for one hour by injecting one bad LSA. (You can hit it once and come back in an hour.)
Implementation bug! (Two packages.) MaxSeq# LSA purging has not been implemented correctly!!
Sequence #: Counter Flushing
[Figure: the originator wraps its LS sequence number in three steps: (1) 0x7FFFFFFF (MaxSeq#); (2) 0x7FFFFFFF flooded with MaxAge to purge this entry; (3) 0x80000001.]
MaxSeq# Attack
[Figure: the sequence numbers seen for one LSA: (1) 0x90001112, the current instance; (2) 0x7FFFFFFF (MaxSeq#), the injected instance; (3) 0x80000001, the originator's fight-back; (4) 0x7FFFFFFF again.]
Properties of MaxSeq# Attacks
Hit-and-Run for an hour: the bad guy can "control" the topology database for an hour.
The victim continuously argues with its (very likely honest) neighbors about which LSA is fresher (0x7FFFFFFF versus 0x80000001).
To eliminate the problem before one hour, "all" routers must be shut down "simultaneously," or an active process must pump the purging packets into the network.
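The counter flush and the fight-back above, as an added example (not code from the slides or from any OSPF implementation): a simplified model of the RFC 2328 sequence-number rules, run once for a neighbor that honours the MaxSeq# purge and once for one that ignores it, as the two buggy packages did. The class and function names, and the "entry removed on purge" shortcut, are my own simplification.

```python
# Added example: simplified model of the OSPF LS-sequence-number rules
# (RFC 2328): signed 32-bit space, MaxAge purge, restart at InitialSeq.
INITIAL_SEQ = 0x80000001   # InitialSequenceNumber (0x80000000 is reserved)
MAX_SEQ = 0x7FFFFFFF       # MaxSequenceNumber
MAX_AGE = 3600             # seconds; an instance flooded with this age is being flushed

def signed32(x):
    """OSPF compares LS sequence numbers as signed 32-bit integers."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x

class LsaEntry:
    """A neighbor's stored instance of one LSA (type, ID, originator fixed).
    correct_purge=False models the packages that ignore the MaxSeq# purge."""
    def __init__(self, correct_purge=True):
        self.seq, self.age = None, 0
        self.correct_purge = correct_purge

    def receive(self, seq, age=0):
        """Apply a received instance; True if it replaced the stored one."""
        if self.seq is None or signed32(seq) > signed32(self.seq):
            self.seq, self.age = seq, age       # fresher instance wins
            return True
        if seq == self.seq and age == MAX_AGE and self.correct_purge:
            self.seq = None                     # originator is purging it (flush step 2)
            return True
        return False

    def stuck_seconds(self):
        """How long a MaxSeq# instance blocks updates until it ages out."""
        return MAX_AGE - self.age if self.seq == MAX_SEQ else 0

def counter_flush(nb):
    """The legitimate wrap from the Counter Flushing slide:
    (1) MaxSeq#, (2) MaxSeq# with MaxAge, (3) InitialSeq."""
    nb.receive(MAX_SEQ)
    nb.receive(MAX_SEQ, age=MAX_AGE)
    return nb.receive(INITIAL_SEQ)

def maxseq_scenario(correct_purge):
    """Neighbor's view of the MaxSeq# Attack slide: (1) 0x90001112 is current,
    (2) a bogus MaxSeq# instance arrives, (3) the originator fights back by
    purging that instance and restarting at InitialSeq."""
    nb = LsaEntry(correct_purge)
    nb.receive(0x90001112)
    nb.receive(MAX_SEQ)                        # (2) accepted: it compares as fresher
    nb.receive(MAX_SEQ, age=MAX_AGE)           # (3a) purge from the originator
    accepted = nb.receive(INITIAL_SEQ)         # (3b) fresh instance from the originator
    return accepted, nb.seq, nb.stuck_seconds()
```

With the purge honoured the fight-back lands (0x80000001 is installed); with it ignored the neighbor keeps 0x7FFFFFFF and rejects every fresh instance for the full MaxAge of 3600 seconds, which is the one-hour window on the slide.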
Max-Sequence Number Attack
Block LSA updates for one hour by injecting one bad LSA. (You can hit it once and come back in an hour.)
Implementation bug! (Two independently developed OSPF packages.) MaxSeq# LSA purging has not been implemented correctly!!
Announced in May 1997.
Detection and Isolation
Detection, then Understand, then Isolation.
Partitioned by Bad Router(s)
[Figure: Area FOO and Area BAR connected only through router EVE.]
EVE can cheat FOO about BAR's topology without being detected by BAR. (EVE can intercept the tampered BAR LSAs on their way from FOO to BAR.)
But....
Any packets from FOO to BAR will pass EVE anyway. (I.e., EVE already has access to all the packet streams between FOO and BAR.) It is not necessary for EVE to attack the routing information exchange protocols.
Is the network partitioned?
YES: the bad guy doesn't need to attack the RIB!
NO: with OSPF, the bad LSAs should flow back to the originator. The originator will fight back to correct the problem (self-stabilization). The bad guy has to persistently attack.