1 / 28

Enriching intrusion alerts through multi-host causality

Enriching intrusion alerts through multi-host causality. Sam King Morley Mao Dominic Lucchetti Peter Chen University of Michigan. Motivation. IDS alerts highlight suspicious activity Network and host level Alerts lack context How did this activity happen?

damian
Download Presentation

Enriching intrusion alerts through multi-host causality

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Enriching intrusion alerts through multi-host causality Sam King Morley Mao Dominic Lucchetti Peter Chen University of Michigan

  2. Motivation • IDS alerts highlight suspicious activity • Network and host level • Alerts lack context • How did this activity happen? • What were the effects of this activity?

  3. httpd rootkits.com Process bash File Socket wget Detection point Fork event getroot.exe rootproc Read/write event Causality to connect alerts Remote socket

  4. Overview • Causality: BackTracker • Bi-directional distributed BackTracker • Correlating IDS alerts • Conclusions

  5. BackTracker • Help figure out what application was exploited • Show chain of events between exploit and detection point • Track causal operating system events and objects

  6. remote socket httpd remote socket bash wget Process File /tmp/xploit/backdoor Socket Detection point Fork event Read/write event BackTracker Example backdoor

  7. BackTracker • Objects: processes, files • Events: read/write, fork, exec, mmap… • Online component logs events, objects • Offline component generates graphs • Causality effective technique for highlighting actions of attacker

  8. Extending BackTracker • Use send/receive events to connect hosts on separate hosts • identify packets by source/destination IP address and TCP sequence number • Forward tracking

  9. Bi-directional distributed BackTracker (BDB) • Common configuration: firewall • Given a single infected host, track attack • Tracking multi-host attacks • Follow attack “upstream” • Find original source of intrusion • Patch vulnerable server, fix infected laptop • Follow attack “downstream” • Find other compromised hosts

  10. Process File Socket Detection point Fork event Read/write event Prioritize Packets init remote socket rc remote socket httpd wget bash /tmp/xploit/backdoor backdoor

  11. Process File Socket Detection point Fork event Read/write event Highest process, most recent packet init remote socket rc remote socket httpd wget bash /tmp/xploit/backdoor backdoor

  12. socket httpd bash wget /tmp/xploit/backdoor backdoor Guess and check • Follow all packets, examine other host • Search for causally linked “intrusions” Host B Host A httpd bash backdoor spread_worm

  13. Use NIDS to highlight packets smb socket socket smbd bash wget /tmp/xploit/backdoor backdoor

  14. Multi-host attacks • Examined Slapper worm and manual attack on local network • Significant background noise • 12 hosts, all connected, 4 ftpd, 4 httpd, 4 smbd • All hosts both clients and servers • Download source code, compile • Gigabytes of network traffic • Millions of events and objects • 20 minute experiments, break in after 10 • Goal: given a single infected host find source of attack and all infected hosts

  15. Slapper worm Slapper Worm Firewall Host B Host A Host C External Network Host D

  16. Process File Socket Detection point Causal event

  17. Slapper worm Slapper Worm Firewall Host B Host A Host C External Network Host D

  18. Process File Socket Detection point Causal event

  19. Process File Socket Detection point Causal event Tracking Slapper Forward

  20. Slapper worm Slapper Worm Firewall Host B Host A Host C External Network Host D

  21. Multi-host manual attack • Highest process, most recent packet does not always work • Use Snort to highlight suspicious packets • Stealthy attack, difficult to detect • Attack one host at a time • Wait for next target to communicate with current host • Break into various services • Services under heavy legitimate use • Use previously “unknown” attacks • Perform different tasks on each host

  22. Multi-host manual attack External Network Host A Host B Host C Host D Host E Host F Host G Host H Host I Host J Host K Host L

  23. Correlating IDS alerts • Many independent sources of IDS alerts • Host/network • Host/host • Correlate multiple sources, reduce false positives • correlate through syntactic or timing relationships • correlate through manually specified semantic relationships • BDB can correlate IDS alerts through causal relationships

  24. Zero Configuration Snort • Difficult to configure • False positives • Services not used • Failed exploit attempts • New rules developed frequently • Setup system with all default Snort rules • Also enabled several other rules • Use causality to verify Snort alerts • Detect any processes running as root

  25. Zero Configuration Snort Results • Ran honeypot for two days • Without correlating alerts • 39 Snort alerts • Many processes run as root • Zero Configuration Snort • Zero false positives • One true positive

  26. Process File Socket Detection point Causal event

  27. Conclusions • Can use causality to provide context for intrusion alerts • Follow multi-host attacks • Correlate IDS alerts • Causality effective mechanism for adding context to intrusion alerts

  28. Questions

More Related