Oct. 24, 2000 Univ. at Buffalo, CSE Dept. S. Upadhyaya-1
Towards an Integrated Real-Time Intrusion Assessment and Recovery Framework for Network Management
Shambhu J. Upadhyaya
Dept. of Computer Science & Eng.
SUNY at Buffalo
Buffalo, New York, 14260
October 2000
(Research Supported by AFOSR, AFRL)
Focus of the Talk
• Network Management Framework
– Intrusion detection, response and recovery
• Key Components
– Assertions, data mining, profiling for intrusion assessment and analysis
– Reasoning for security management
– Undo/redo type recovery
• Concurrent intrusion detection by encapsulation of user intent (Joint work with Kevin Kwiat, AFRL)
Outline of the Talk
• Introduction
• Traditional Approaches
• Concurrent Intrusion Detection
– Subject - A superID (loginID, IP address, tty no.)
– Action - Operation performed (login, read, execute, ...)
– Object - Receptor of action (files, programs, messages, records, ...)
– Period - Time of usage of a command (absolute or relative)
Definitions
• Sprint-Plan
– Signature powered Revised Instruction Table: a collection of verifiable assertions
– Also includes temporal sequences of operations
• Attack
– Actions whose purpose is to compromise the integrity, confidentiality, or availability of a resource
• Intrusion
– Deviations resulting in violation of security policy
– Very difficult to judge
Flow Diagram of CID
[Figure: block diagram of concurrent intrusion detection. One-time effort: Session Scope, Plan Generator, Sprint Plan. Run-time monitoring: User, Run-time Commands, Filter, Run-time Watchdog Monitor with Assertion Generator and tolerance limits, counters, thresholds; output: Intrusion Signal.]
Overall Architecture of Network Management
[Figure: Hosts 1..N on a Local Area Network. Each host runs a Master Monitor, User Monitors 1..n (one per Task 1..n) and a User-level Profiler. A File Server holds the Files, with a Secure File Monitor and a Recovery Module. A Network-level Profiler spans the LAN, which connects through a Gateway, Router or Bridge to other networks.]
Block Schematic of the Watchdog
[Figure: blocks are User Command Buffer, Operating System, Atomic Operation Generator, Inclusion Checker, Previously Generated Table of Verifiable Assertions, Pattern Matching Unit, Buffer Register, Counter and Dialog Initiator, Exception Generator (to User); output: Intrusion Signal to Master Watchdog.]
Algorithm
• Two phases -- Initialization and Runtime operation
• Steps of On-line Monitoring
1. Set monitor_rate, tolerance_rate, counter;
2. For all user_command_line do
3.   Decode user_command_line into atomic operations;
4.   If each atomic_operation in sprint_plan then
       a. No_Error, go to Step 3;
5.   else
       a. If subject_ID_violation then
            i. Set intrusion_signal, exit;
       b. Else
            i. Counter++; /* increase count on non-permissible commands */
            ii. If counter > tolerance_limit then
                  A. If provision_for_future_changes in session_scope then
                  B.   Reset counter, go to Step 3;
                  C. Else Issue message to user to update session_scope;
                  D.   If user_response YES then
                  E.     Compare new session_scope with original one;
                  F.     If criteria not met then /* see explanation below */
                  G.       Issue intrusion_signal, exit;
                  H.     Else Reset counter, go to Step 3;
                  I.   Else Issue intrusion_signal, exit;
            iii. Else
                  A. Go to Step 3;
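The monitoring loop above, as an added example in Python that is not code from the talk or from the CIDS prototype: it walks the steps of the algorithm over a constructed sprint plan and a few constructed sessions (a legitimate session, the Case 2 masquerade from the later illustration slides, a session drifting from its declared scope, and a command issued outside its period). The assertion shape (subject, action, object, period), the `decode()` command-line decoder, the use of globs for object names, the callback standing in for the user dialog of steps C-H and the acceptance criteria in `_reasonable()` are all assumptions made for this illustration.

```python
"""Added example, not code from the talk or its prototype: the CID watchdog's
on-line monitoring loop in the shape of the slide's algorithm. Assumed, not
from the slides: an atomic operation is (subject, action, object, t) with t in
seconds since login; `decode()` is a hypothetical command-line decoder; object
fields are globs; the user dialog of steps C-H is a callback returning a plan."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, Iterable, List, Optional, Set, Tuple

Op = Tuple[str, str, str, float]   # (subject, action, object, t)


@dataclass(frozen=True)
class Assertion:
    subject: str                   # superID: loginID@IP/tty
    action: str                    # login, read, write, delete, execute, ...
    obj: str                       # file or program name, as a glob
    period: Tuple[float, float]    # (start, end), seconds since login

    def covers(self, subject: str, action: str, obj: str, t: float) -> bool:
        return (self.subject == subject and self.action == action
                and fnmatch(obj, self.obj)
                and self.period[0] <= t <= self.period[1])


def decode(subject: str, cmdline: str, t: float) -> List[Op]:
    """Hypothetical decoder: one shell-like command line -> atomic operations."""
    prog, *args = cmdline.split()
    ops: List[Op] = [(subject, "execute", prog, t)]
    if prog in ("cat", "less", "ls"):
        ops += [(subject, "read", a, t) for a in args]
    elif prog == "rm":
        ops += [(subject, "delete", a, t) for a in args]
    return ops


@dataclass
class Watchdog:
    session_subject: str                 # superID that submitted the session scope
    sprint_plan: Set[Assertion]
    tolerance_limit: int = 2
    allow_future_changes: bool = False   # "provision for future changes" in the scope
    update_dialog: Optional[Callable[[], Optional[Set[Assertion]]]] = None
    counter: int = 0

    def _in_plan(self, op: Op) -> bool:
        return any(a.covers(*op) for a in self.sprint_plan)

    def _reasonable(self, new_plan: Set[Assertion]) -> bool:
        # Assumed acceptance criteria: same subject throughout, and the revision
        # only extends the original plan (nothing previously declared is dropped).
        return (all(a.subject == self.session_subject for a in new_plan)
                and self.sprint_plan <= new_plan)

    def monitor(self, session: Iterable[Tuple[str, str, float]]) -> str:
        """Run the loop over (subject, cmdline, t) entries; return "ok" or an
        "intrusion:<reason>" signal for the master watchdog."""
        for subject, cmdline, t in session:
            if all(self._in_plan(op) for op in decode(subject, cmdline, t)):
                continue                                   # step 4a: no error
            if subject != self.session_subject:            # step 5a
                return "intrusion:subject_id"
            self.counter += 1                              # step 5b.i
            if self.counter <= self.tolerance_limit:       # step iii
                continue
            if self.allow_future_changes:                  # steps A-B
                self.counter = 0
                continue
            new_plan = self.update_dialog() if self.update_dialog else None  # C-D
            if new_plan is None:                           # step I: user said NO
                return "intrusion:tolerance_exceeded"
            if not self._reasonable(new_plan):             # steps E-G
                return "intrusion:unreasonable_update"
            self.sprint_plan, self.counter = new_plan, 0   # step H
        return "ok"


def run_scenarios() -> dict:
    """Constructed sessions covering the slides' detectable situations."""
    alice = "alice@10.0.0.5/tty1"
    plan = {Assertion(alice, "execute", "ls", (0, 3600)),
            Assertion(alice, "execute", "cat", (0, 3600)),
            Assertion(alice, "read", "src*", (0, 3600)),
            Assertion(alice, "execute", "make", (0, 1800))}
    legit = [(alice, "ls src", 10), (alice, "cat src/main.c", 20), (alice, "make", 30)]
    # Case 2: a second, intrusive login shares the loginID but not the IP/tty.
    masquerade = legit + [("alice@192.0.2.9/tty4", "cat /etc/shadow", 40)]
    drift = legit + [(alice, f"rm build/{n}.o", 50 + n) for n in range(3)]
    late = legit + [(alice, "make", 2000)]   # right command, outside its period
    wider = plan | {Assertion(alice, "execute", "rm", (0, 3600)),
                    Assertion(alice, "delete", "build/*", (0, 3600))}
    narrower = {Assertion(alice, "execute", "rm", (0, 3600))}   # drops declared intent

    def wd(**kw) -> Watchdog:
        return Watchdog(alice, set(plan), **kw)

    return {"legitimate": wd().monitor(legit),
            "masquerade": wd().monitor(masquerade),
            "drift_no_update": wd().monitor(drift),
            "drift_with_update": wd(update_dialog=lambda: wider).monitor(drift),
            "drift_bad_update": wd(update_dialog=lambda: narrower).monitor(drift),
            "late_strict": wd(tolerance_limit=0).monitor(late)}
```

Two points the listing makes concrete: the counter advances once per non-permissible command line, not per atomic operation, and a subject-ID violation is signalled at once without consulting the counter (step 5a), which is what makes the masquerade case cheap to flag. A revised scope that silently drops assertions is refused here; that is one concrete form of the "comparison of old and new session-scope files" criterion, and a production watchdog would additionally have to keep the sprint plan out of the monitored user's reach, as the later Observations slide requires.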
Observations
• Technique doesn't require huge audit data
• Flagging a subject-ID violation is straightforward
• Submission of session-scope is requested at first login
• Session-scope, once submitted, is secure and not accessible to the user
• Session-scope can be updated later
• A revised session-scope is accepted only if certain criteria are met
– Reasonableness check
– Comparison of old and new session-scope files
– Careful examination may reveal user intentions
Illustration (Intrusion Scenarios)
• Detectable Situations
• Case 1: Both logins are legitimate
– User is expected to include the intent
– If no intent expressed, terminate as a security measure
• Case 2: 1st login legitimate, 2nd one intrusive
– If user doesn't indicate multiple logins, intrusion flagged
– If multiple logins admitted initially, break-in becomes successful
– Intruder oblivious of the watchdog is likely to deviate from the legitimate user's session-scope and detection becomes imminent
Illustration (Contd.)
• Case 3: Intruder logs in first, user joins later
– If the intruder did not allow multiple logins, the legitimate user is denied service
– If multiple logins were allowed, the absence of a query may raise suspicion for a cognizant user
– A non-cognizant user's operations are likely to deviate from the masquerader's session-scope, and the intrusion will be flagged
• Case 4: Both logins correspond to intrusions
– The intruder himself initiates multiple logins
– The two logins are due to different intruders
– The probability of this happening is small, but it is similar to case 3
Enhancements
• Monitoring Sequences of Operations
– Compare assertion sequences with predetermined patterns for indication of possible abuse
• Voluntary Input of Updates to Scope file
– The user can submit changes to his plan on a need basis
– Too many update requests may be indicative of a problem
• On-the-fly Admittance of Multiple Logins
• Multi-level Counters
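The first enhancement, comparing assertion sequences with predetermined patterns, as an added example that is not code from the talk: an in-order matcher that looks for a pattern of (action, object) steps in a stream of assertion-shaped operations, restricted to one subject and to a bounded gap between steps. The pattern format, the gap limit, the sample operation stream and the two hypothetical abuse patterns are all constructed for this illustration.

```python
"""Added example, not from the talk: compare a stream of assertion-shaped
operations against predetermined abuse patterns (the 'Monitoring Sequences
of Operations' enhancement). The pattern format, the gap limit, the sample
operations and the patterns themselves are constructed for illustration."""
from fnmatch import fnmatch
from typing import Dict, List, Optional, Sequence, Tuple

Op = Tuple[str, str, str, float]   # (subject, action, object, t)
Step = Tuple[str, str]             # (action, object glob)


def _step_matches(step: Step, action: str, obj: str) -> bool:
    return step[0] == action and fnmatch(obj, step[1])


def match_sequence(ops: Sequence[Op], pattern: Sequence[Step],
                   max_gap: int) -> Optional[List[int]]:
    """Indices of the first in-order occurrence of `pattern` in `ops`, or None.
    Every matched step must belong to the same subject as the first one, and
    consecutive steps may be at most `max_gap` operations apart, so activity
    interleaved by other users or spread over a whole session does not count.
    Each step is matched greedily at its nearest occurrence."""
    for start, (subject, action, obj, _) in enumerate(ops):
        if not _step_matches(pattern[0], action, obj):
            continue
        matched, i = [start], start
        for step in pattern[1:]:
            window = range(i + 1, min(len(ops), i + 1 + max_gap))
            i = next((j for j in window if ops[j][0] == subject
                      and _step_matches(step, ops[j][1], ops[j][2])), -1)
            if i < 0:
                break
            matched.append(i)
        else:
            return matched
    return None


def scan(ops: Sequence[Op], patterns: Dict[str, Sequence[Step]],
         max_gap: int = 4) -> Dict[str, List[int]]:
    """Report every pattern that occurs in `ops`, keyed by pattern name."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in patterns.items():
        found = match_sequence(ops, pattern, max_gap)
        if found is not None:
            hits[name] = found
    return hits


ALICE = "alice@10.0.0.5/tty1"
BOB = "bob@10.0.0.7/tty2"
SAMPLE_OPS: List[Op] = [   # constructed stream with two interleaved subjects
    (ALICE, "execute", "ls", 5),
    (ALICE, "read", "/etc/passwd", 8),
    (BOB, "read", "/home/bob/todo", 9),
    (ALICE, "execute", "cc", 12),
    (ALICE, "write", "/tmp/a.out", 13),
    (BOB, "execute", "cc", 14),
    (ALICE, "execute", "/tmp/a.out", 20),
    (ALICE, "write", "/usr/bin/login", 25),
]
PATTERNS: Dict[str, List[Step]] = {   # hypothetical abuse signatures
    "compile-and-replace-system-binary": [
        ("read", "/etc/passwd"), ("execute", "cc"),
        ("execute", "/tmp/*"), ("write", "/usr/bin/*")],
    "delete-sweep": [("delete", "*")] * 3,
}

if __name__ == "__main__":
    print(scan(SAMPLE_OPS, PATTERNS))
```

The gap limit plays the same role as the watchdog's tolerance settings: with `max_gap=4` the four-step pattern is found at indices 1, 3, 6 and 7 of the sample stream despite Bob's interleaved operations, while with `max_gap=1` the same pattern is not reported, because Bob's read sits directly after Alice's. Choosing that limit, and the patterns themselves, is site-specific tuning; the slide's remark that counters were chosen arbitrarily applies equally here.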
Implementation Objectives
• CIDS should not impact system performance
• Should not lead to poor quality of service to users
• Mapping of session-scope into a reasonable sprint plan
• Minimize false alarms
• CIDS itself should be hack proof
Watchdog Complex
[Figure: User, Watchdog/User Interface, Session Scope, Converter, Formatter, Sprint Plan, Software Agent, Inclusion Checker, Watchdog/OS Interface.]
Design of Submodules
• Converter
– Session-scope → Verifiable assertions
– Written in C
• Formatter
– Output of the converter is given to the formatter
– Identifies and groups the individual parts of the subject, action, object and period
– Can also be used to generate sequences of operations of known intrusion scenarios
– Written in C
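A converter and formatter in the sense of this slide, as an added example; it is not the talk's code (the original modules were written in C). The line-oriented session-scope format, its key names, the default period and the sample scope below are assumptions made for this illustration, since the slides do not specify a concrete scope format.

```python
"""Added example, not the talk's code (the original Converter and Formatter
were written in C): a session-scope converter producing verifiable assertions
and a formatter grouping their parts. The line-oriented scope format, its keys
and the sample scope are assumed for illustration; the slides define none."""
from typing import Dict, List, Tuple

Assertion = Tuple[str, str, str, Tuple[int, int]]   # (subject, action, object, period)

# Scope keys that declare intent, and the action each one asserts.
_INTENT_KEYS = {"programs": "execute", "files-read": "read",
                "files-write": "write", "files-create": "create",
                "files-delete": "delete"}
_OTHER_KEYS = {"subject", "logoff", "multiple-logins"}


def convert(scope_text: str) -> List[Assertion]:
    """Converter: session scope -> verifiable assertions.

    Unknown keys are rejected rather than ignored, so a misspelt key cannot
    silently leave part of the user's declared intent out of the sprint plan
    (which would later surface as false alarms)."""
    fields: Dict[str, List[str]] = {}
    for raw in scope_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if not sep or (key not in _INTENT_KEYS and key not in _OTHER_KEYS):
            raise ValueError(f"unrecognised session-scope line: {raw!r}")
        fields[key] = value.split()
    if len(fields.get("subject", [])) != 1:
        raise ValueError("session scope must name exactly one subject")
    subject = fields["subject"][0]
    period = (0, int(fields.get("logoff", ["3600"])[0]))   # seconds since login
    plan: List[Assertion] = []
    for key, action in _INTENT_KEYS.items():
        for obj in fields.get(key, []):
            plan.append((subject, action, obj, period))
    if fields.get("multiple-logins", ["no"])[0].lower() == "yes":
        plan.append((subject, "login", subject, period))   # a second login is allowed
    return plan


def is_valid_scope(scope_text: str) -> bool:
    try:
        convert(scope_text)
        return True
    except ValueError:
        return False


def format_plan(plan: List[Assertion]) -> Dict[str, list]:
    """Formatter: identify and group the subject, action, object and period parts."""
    grouped: Dict[str, set] = {"subject": set(), "action": set(),
                               "object": set(), "period": set()}
    for subject, action, obj, period in plan:
        grouped["subject"].add(subject)
        grouped["action"].add(action)
        grouped["object"].add(obj)
        grouped["period"].add(period)
    return {part: sorted(values) for part, values in grouped.items()}


SAMPLE_SCOPE = """\
# constructed session scope for illustration
subject: alice@10.0.0.5/tty1
programs: ls cat make
files-read: /home/alice/proj/*
files-write: /home/alice/proj/build/*
logoff: 1800
multiple-logins: no
"""

if __name__ == "__main__":
    for assertion in convert(SAMPLE_SCOPE):
        print(assertion)
    print(format_plan(convert(SAMPLE_SCOPE)))
```

The sample scope yields five assertions, all carrying the (0, 1800) period taken from the declared logoff time, and the formatter reduces them to one subject and the action set {execute, read, write}; a scope with a misspelt key (`program:` instead of `programs:`) is refused outright. Whether a second login is admitted is carried as an explicit `login` assertion, which is the hook the later multiple-login cases rely on.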
Software Agent
[Figure: Watchdog/Agent Interface, Parser, Agent Database, Execution Module, Agent/Agent Interface; Sprint Plan output to Formatter.]
Inclusion Checker
[Figure: User Activity, Monitoring Unit, Preprocessor, SPRINT Plan, Comparator, Comparison Unit, Logic Unit, Site-specific details; output: Violation Flag.]
Run-time Monitoring Setup
Two Test Environments
• University Research Environment
– Test cases can be derived from published descriptions of well-known attacks
– Site-specific test cases can be designed
– Both sequential and concurrent intrusions can be considered
• Bank Teller Usage
– User intent encapsulation is easy
– Expected to know what programs will be executed
– What files will be accessed, created, destroyed
– What time users will log off
– Whether users will require multiple sessions
Discussion
• Features and Limitations
– Leveraging of successful concepts from elsewhere
– Potential for low-latency detection
– Better assessment and faster restoration of service
– Not a replacement for other ID tools, but complementary
• Future Plans
– Network-related issues, profiling, pattern generation
– Implementation in an isolated network
– Integration with EMERALD-like tools as a third-party security module
• Scope file selected is specific to the intrusion scenario being simulated
• Misuse intrusions are the main focus
• All intrusive activities are detected in all cases
• The counter values are arbitrarily chosen
Current Status
• Interrogation-based detection
• Quality of Service vs. Security
• Pattern generation using the concept of fault trees (top-down approach)
• Developing a reasonableness check framework
– To assist in automating the sprint-plan generation
– To resolve ambiguity regions in intrusion detection
– Mathematical models using statistical methods
• Graduate Students
– Ram Chinchani, Suranjan Pramanik, Min Xu