1 / 75

DETECTION OF ATTACKS ON COGNITIVE CHANNELS

DETECTION OF ATTACKS ON COGNITIVE CHANNELS. Annarita Giani Institute for Security Technology Studies Thayer School of Engineering Dartmouth College Hanover, NH. Berkeley, CA October 12, 2006. Outline. Motivation and Terminology Process Query System (PQS) Approach

Download Presentation

DETECTION OF ATTACKS ON COGNITIVE CHANNELS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. DETECTION OF ATTACKS ON COGNITIVE CHANNELS Annarita Giani Institute for Security Technology Studies Thayer School of Engineering Dartmouth College Hanover, NH Berkeley, CA October 12, 2006

  2. Outline • Motivation and Terminology • Process Query System (PQS) Approach • Implementation of a PQS detecting • Phishing • Data Exfiltration • Covert Channel • Flow Attribution and Aggregation • Conclusion and Acknowledgments

  3. Outline • Motivation and Terminology • Process Query System (PQS) Approach • Implementation of a PQS detecting • Phishing • Data Exfiltration • Covert Channel • Flow Attribution and Aggregation • Conclusion and Acknowledgments

  4. Malware and Detection FOCUS OF MOST SECURITY WORK THEORETICAL WORK OUR FOCUS Intrusion Detection System (IDS) are mainly based on signature matching and anomaly detection. 70s. System Admins directly monitor user activities 1990s - First Commercial Antivirus Late 70 - early 80s. System Admins review audit logs for evidence of unusual behavior. 1991 – Norton Antivirus released by Symantec 90s. Real time IDS. Programs analyze audit log, usually at night. Phishing Attacks Misinformation Covert Channel Multi Stage Attacks Web Defacements Grace Hopper. MIT - First Computer Bug Penrose: Self- reproducing machines Melissa virus, damage = $80 M Computer viruses on ARPANET Morris worm 1959 1988 1999 1945 1970 now 1951 1990s 2001 ~1960 1982 1940 Von Neumann demonstrated how to create self- reproducing automata Von Neumann studied self reproducing mathematical automata Stahl reproduces Penrose idea in machine code on an IBM 650 Malicious programs exploit vulnerabilities in applications and operating systems Code Red worm, damage = $2 B Covert Channel First virus in the wild Exfiltration of information 1972: J.P. Anderson, Computer Security Technology Planning Study, ESD-TR-73-51, ESD/AFSC, Bedford, MA 1984: D. Denning, An Intrusion Detection Model, IEEE Transaction on Software Engineering, VolSE-13(2) 1988: M. Crosby, Haystack Project, Lawrence Livermore Laboratories 1989: from the Haystack Project. Stalker, a Commercial Product First HIDS 1990: L. Heberlein et al, A Network Security Monitor, Symposium on Research Security and Privacy First NIDS 1994: from ASIM (Air Force) Netranger First Commercial NIDS.

  5. Cognitive Channels Cognitive Channel Network Channel SERVER CLIENT USER A cognitive channel is a communication channel between the user and the technology being used. It conveys what the user sees, reads, hears, types, etc. Focus of the current protection and detection approaches The cognitive channel is the weakest link in the whole framework. Little investigation has been done on detecting attacks on this channel.

  6. Cognitive Attacks Our definition is from an engineering point of view. Cognitive attacks are computer attacks over a cognitive channel. They exploit the attention of the user to manipulate her perception of reality and/or gain advantages. COGNITIVE HACKING. The user’s attention is focused on the channel. The attacker exploits this fact and uses malicious information to mislead her. COVERT CHANNELS. The user is unaware of the channel.The attacker uses a medium not perceived as a communication channel to transfer information. PHISHING.The user's attention is attracted by the exploit.The information is used to lure the victim into using a new channel and then to create a false perception of reality with the goal of exploiting the user’s behavior.

  7. Cognitive Hacking The user's attention is focused on the channel. The attacker exploits this fact and uses malicious information in the channel to mislead her. Misleading information from a web site Attacker: Makes a fake web site 1 2 Attacker: Obtains advantages from user actions 3 4 Victim: Acts on the information from the web site

  8. Covert Channels The user's attention is unaware of the channel.The attacker uses a medium not perceived as a communication channel to transfer information. Attacker: Codes data into inter-packet delays, taking care to avoid drawing the attention of the user. User: does not see inter-packet delay as a communication channel and does not notice any communication. 1 data 2

  9. Phishing Visit http://www.cit1zensbank.com First name, Last name Account Number SSN Bogus web site The user's attention is attracted by the exploit. The information is used to lure the victim into using a new channel and then to create a false perception of reality with the goal of exploiting the user’s behavior. Misleading email to get user attention Send a fake email 1 2 4 3 First name, Last name Account # SSN

  10. Why current IDS cannot be applied to attacks on cognitive channels • Sophistication of attack approaches. • Increasing frequency and changing nature of attacks. • Inherent limits of network-based IDS. • Inability to identify attackers’ goals. • Inability to identify new attack strategies. • No guidance for response. • Often simplistic analysis.

  11. Outline • Motivation and Terminology • PQS Approach • Implementation of a PQS detecting • Phishing • Data Exfiltration • Covert Channel • Flow Attribution and Aggregation • Conclusion and Acknowledgments

  12. Process Query System Observable events coming from sensors Hypothesis Models PQS ENGINE Tracking Algorithms

  13. Framework for Process Detection Sample Console FORWARD PROBLEM INVERSE PROBLEM An Environment Indictors and Warnings 6 129.170.46.3 is at high risk 129.170.46.33 is a stepping stone ...... that are used for control that detect complex attacks and anticipate the next steps 5 consists of 1 Hypotheses Multiple Processes Track 1 Track 1 l1 = router failure Track 2 Track 2 Track 3 l2 = worm Track 3 l3 = scan Hypothesis 1 Hypothesis 2 2 that produce that are seen as 4 that PQS resolves into Unlabelled Sensor Reports Events Track Scores ……. ……. Time Time 3 Real World Process Detection (PQS)

  14. Hierarchical PQS Architecture TIER 1 TIER 2 TIER 1 Models TIER 1 Observations TIER 1 Hypothesis TIER 2 Observations TIER 2 Models TIER 2 Hypothesis PQS Scanning Events More Complex Models Snort IP Tables PQS Infection Events Snort Tripwire PQS PQS Data Access Events Samba RESULTS PQS Exfiltration Events Flow and Covert Channel Sensor

  15. Hidden Discrete Event System Models Dynamical systems with discrete state spaces that are: Causal - next state depends only on the past Hidden – states are not directly observed Observable - observations conditioned on hidden state are independent of previous states Example. Hidden Markov Model N States M Observation symbols State transition Probability Matrix, A Observation Symbols Distribution, B Initial State Distribution p HDESM models are general

  16. HDESM Process Detection Problem Identifying and tracking several (casual discrete state) stochastic processes (HDESM’s) that are only partially observable. TWO MAIN CLASSES OF PROBLEMS Hidden State Estimation: Determine the “best” hidden states sequence of a particular process that accounts for a given sequence of observations. Discrete Sources Separation: :Determine the “most likely” process-to-observation association

  17. Catalog of Processes Discrete Source Separation Problem HDESM Example (HMM): 3 states + transition probabilities n observable events: a,b,c,d,e,… Pr( state | observable event ) given/known Observed event sequence: ….abcbbbaaaababbabcccbdddbebdbabcbabe…. Which combination of which process models “best” accounts for the observations? Events not associated with a known process are “ANOMALIES”.

  18. An analogy.... What does hbeolnjouolor mean? Events are: h b e o l n j o u o l o r Models = French + English words (+ grammars!) hbeolnjoulor = hello + bonjour Intermediate hypotheses include tracks: ho + be

  19. PQS applications • Vehicle tracking • Worm propagation detection • Plume detection • Dynamic Social Network Analysis • Cyber Situational Awareness • Fish Tracking • Autonomic Computing • Border and Perimeter Monitoring • First Responder Sensor Network • Protein Folding TRAFEN (TRacking and Fusion ENgine): Software implementation of a PQS

  20. Example – vehicle tracking(Valentino Crespi, Diego Hernando) T T+1 T+2 Continuous Kinematic Model Linear Model with Gaussian noise

  21. T T+1 T+2 Multiple Hypothesis Tracking D. Reid. An algorithm for Tracking Multiple Targets – IEEE Transaction on Automatic Control,1979 Use Kalman Filter Hypotheses Predictions Track = process instance Hypothesis = consistent tracks Given a set of “hypotheses” for an event stream of length k-1, update the hypotheses to length k to explain the new event (based on model description).

  22. Model vehicle Kinematics States: State of target at time Prediction Matrix Precision Matrix Sequence of normal r.v. with Zero mean and covariance: Model Measurement Observe State of target through a noisy measurement: Measure (observation) “Observable” Matrix: extracts observable information from state. Sequence of normal r.v. with Zero mean and covariance R State Estimation Kalman filters are used for predictions.

  23. Kalman Filters Correct the estimation given the new obs Estimation given obs before tk Prediction Noisy observation KF Error Covariance Estimation Estimation output Error Covariance Prediction Prediction KF Estimate state

  24. Kalman Equations System’sstate: (Normal Multivariate) (output) Estimation K is the Kalman Gain: minimizes updated error covariance matrix (mean-square error) New Prediction

  25. Real time Fish Tracking (Alex Jordan ) • Track the fish in the fish tank • Very strong example of the power of PQS • Fish swim very quickly and erratically • Lots of missed observations • Lots of noise • Classical Kalman filters don’t work (non-linear movement and acceleration) • “Easier” than getting permission to track people (we mistakenly thought)

  26. Fish Tracking Details • 5 Gallon tank with 2 red Platys named Bubble and Squeak • Camera generates a stream of “centroids”: For each frame a series of (X,Y) pairs is generated. • Model describes the kinematics of a fish: The model evaluates if new (X,Y) pairs could belong to the same fish, based on measured position, momentum, and predicted next position. This way, multiple “tracks” are formed. One for each object. • Model was built in under 3 days!!! Infrared Camera Detect and differentiate people by behavior not appearance Cybenko

  27. Autonomic Server Monitoring (Chris Roblee) • Objective: Detect and predict deteriorating service situations • Hundreds of servers and services • Various non-intrusive sensors check for: • CPU load • Memory footprint • Process table (forking behavior) • Disk I/O • Network I/O • Service query response times • Suspicious network activities (i.e.. Snort) • Models describe the kinematics of failures and attacks: The model evaluates load balancing problems, memory leaks, suspicious forking behavior (like /bin/sh), service hiccups correlated with network attacks… Cybenko

  28. 2. 3. Monitored host sensor output (system level) PQS Tracker Output Current system record for host 10.0.0.24 (10 records): Average memory over previous 10 samples: 251.000 Average CPU over previous 10 samples: 0.970 | time | mem used | CPU load | num procs | flag | ---------------------------------------------------------------------------------- | 1101094903 | 251 | 0.970 | 64 | | | 1101094911 | 252 | 0.820 | 64 | | | 1101094920 | 251 | 0.920 | 64 | | | 1101094928 | 251 | 0.930 | 64 | | | 1101094937 | 251 | 0.870 | 65 | | | 1101094946 | 251 | 0.970 | 65 | | | 1101094955 | 251 | 0.820 | 65 | | | 1101094964 | 253 | 1.220 | 65 | ! | | 1101094973 | 255 | 1.810 | 65 | ! | | 1101094982 | 258 | 2.470 | 65 | ! | Last Modified: Mon Nov 21 21:01:03 Model Name: server_compromise1 Likelihood: 0.9182 Target: 10.0.0.24 Optimal Response: SIGKILL proc 6992 o1 o2 o3 o1 1. Snort NIDS sensor output . . . Nov 21 20:57:16 [10.0.0.6] snort: [1:613:7] SCAN myscan [Classification: attempted-recon] [Priority: 2]: {TCP} 212.175.64.248-> 10.0.0.24 . . . SIGKILL Server Compromise Model: Integration of host CPU load sensors and IDS sensor allows detection of attacks not possible with different sensors t0 t1 t2 t3 t4 Observations Response Cybenko

  29. Airborne Plume Tracking (Glenn Nofsinger) Airborne agent sensor on DC Mall Forward Problem - drift and diffusion Inverse Problem - locate sources and types of releases

  30. Dynamic Social Network Analysis(Wayne Chung) New member activeintroducing others Largegroupjoining A B A A B B A asks B to join a project B accepts A adds B to a list of recipientsAB, C, … join question/ accept invite not join “Static” Analysis “Dynamic” Analysis Detect "business" and "social" processes, not static artifacts. Sensors...communication events Models...social processes

  31. PQS in Computer Security (Alex Barsamian, Vincent Berk, Ian De Souza, Annarita Giani) SaMBa DIB:s BGP IPTables Snort Tripwire Models 5 1 2 8 7 Internet 12 BRIDGE Worm Exfiltration Phishing DMZ PQS ENGINE WWW Mail observations WS WinXP LINUX

  32. Sensors and Models Snort, Dragon Signature Matching IDS 1 2 IPtables Linux Netfilter firewall, log based DIB:s Dartmouth ICMP-T3 Bcc: System 3 Samba SMB server - file access reporting 4 Flow sensor Network analysis 5 Unauthorized Insider Document Access – insider information theft Email Virus Propagation – hosts aggressively send emails Multistage Attack – several penetrations, inside our network TIER 2 models Low&Slow Stealthy Scans – of our entire network Noisy Internet Worm Propagation – fast scanning DATA movement ClamAV Virus scanner 6 7 Tripwire Host filesystem integrity checker 1 2 3 4 5 6 7

  33. Outline • Motivation and Terminology • PQS Approach • Implementation of a PQS detecting • Phishing • Data Exfiltration • Covert Channel • Flow Attribution and Aggregation • Conclusion and Acknowledgments

  34. Phishing Attack The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information. The e-mail directs the user to visit a web site where they are asked to update personal information. Visit http://www.cit1zensbank.com First name, Last name Account Number SSN First name, Last name Account number SSN 1 2 Bogus web site 3

  35. Web page, Madame X Stepping stone … as usual browses the web and … …. visits a web page. inserts username and password. (the same used to access his machine) 1 100.20.3.127 accesses user machine using username and password 2 5 165.17.8.126 records username and password attacks the victim uploads some code Victim 3 4 downloads some data Attacker 6 100.10.20.9 51.251.22.183 Complex Phishing Attack Steps

  36. Stepping stone Web Server used- Madame X Attacker 1.RECON SNORT: KICKASS_PORN DRAGON: PORN HARDCORE SOURCE DEST 100.20.3.127 DEST DEST DEST Username password 165.17.8.126 4.ATTEMPT (ATTACK RESPONSE) SNORT POTENTIAL BAD TRAFFIC 2. ATTEMPTSNORT SSH (Policy Violation) NON-STANDARD-PROTOCOL 3.DATA UPLOAD FLOW SENSOR Victim SOURCE SOURCE SOURCE Attacker 5.DATA DOWNLOAD FLOW SENSOR SOURCE DEST 100.10.20.9 51.251.22.183 Complex Phishing Attack Observables Sept 29 11:17:09 Sept 29 11:23:56 Sept 29 11:23:56 Sept 29 11:24:06 Sept 29 11:24:07

  37. Flow Sensor • Based on the libpcap interface for packet capturing. • Packets with the same source IP, destination IP, source port, destination port, protocol are aggregated into the same flow. • Timestamp of the last packet • # packets from Source to Destination • # packets from Destination to Source • # bytes from Source to Destination • # bytes from Destination to Source • Array containing delays in microseconds between packets in the flow We did not use Netflow only because itdoes not have all the fields that we need.

  38. Two Models Based on the Flow Sensor Low and Slow UPLOAD UPLOAD

  39. Phishing Attack Model 1 – very specific ATTEMPT UPLOAD 2 4 UPLOAD DOWNLOAD ATTEMPT ATTEMPT ATTEMPT 1 6 7 RECON DOWNLOAD UPLOAD UPLOAD ATTEMPT RECON 3 5 ATTEMPT ATTEMPT UPLOAD

  40. Phishing Attack Model 2 – less specific ATTEMPT dst,src UPLOAD dst,src 2 4 UPLOAD dst,src DOWNLOAD src RECON or ATTEMPT or COMPROMISE ATTEMPT dst, ! src RECON or ATTEMPT or COMPROMISE dst ATTEMPT dst, src 1 6 7 UPLOAD dst, src DOWNLOAD src UPLOAD dst ATTEMPT dst, !src RECON or ATTEMPT or COMPROMISE 3 5 ATTEMPT dst, !src ATTEMPT dst,A UPLOAD dst, src ATTEMPTdst,src

  41. Phishing AttackModel 3 – more general UPLOAD dst,src RECON or ATTEMPT or COMPROMISE dst, src UPLOAD dst,src 2 4 DOWNLOAD src RECON or ATTEMPT or COMP dst, ! src RECON or ATTEMPT or COMPROMISE RECON or ATTEMPT or COMPROMISE dst RECON or ATTEMPT or COMP dst, src 1 6 7 UPLOAD dst, src DOWNLOAD src UPLOAD dst RECON or ATTEMPT or COMP dst, !src 3 5 RECON or ATTEMPT or COMPROMISE RECON or ATTEMPT or COMP dst,! src RECON or ATTEMPT or COMP dst UPLOAD dst, src RECON or ATTEMPT or COMP dst, src

  42. Phishing AttackModel 3 – Most general ATTEMPT or UPLOAD ATTEMPT DOWNLOAD ATTEMPT or UPLOAD 1 2 3 4 RECON ATTEMPT DOWNLOAD RECON Stricter models reduce false positives, but less strict models can detect unknown attack sequences

  43. Air Force Rome Lab Blind Test December 12-14, 2005 The collected data is an anonymized stream of network traffic, collected using tcpdump.It resulted in hundreds of gigabytes of raw network traffic. • Valuable feedback on performance and design • Strengths: • Number of sensors integrated • Number of models • Easy of sensor integration • Ease of model building • Drawback: • System is real-time (results time-out)

  44. Complex Phishing Attack Results No observations coming from Dragon sensor and Flow sensor Using Dragon and Flow observations

  45. Threshold Values: 0.0 0.5 0.75 Summary of Results Precision Fragmentation GOAL: > AVERAGE GOAL: < AVERAGE Mis-Associations Scenario 4s14: Phishing attack GOAL: < AVERAGE

  46. Outline • Motivation and Terminology • PQS Approach • Implementation of a PQS detecting • Phishing • Data Exfiltration • Covert Channel • Flow Attribution and Aggregation • Conclusion and Acknowledgments

  47. Data Exfiltration CNN.COM Sunday, June 19, 2005 Posted: 0238 GMT (1038 HKT) NEW YORK (AP) -- The names, banks and account numbers of up to 40 million credit card holders may have been accessed by an unauthorized user, MasterCard International Inc. said. The Problem: PQS Approach: Tier 1 models monitor outbound data. They are based on flow analysis. Tier 2models correlate outbound data within a context to infer if it is a normal systems and user behavior or ongoing attacks

  48. Basic Ideas: An Example Scanning Infection Data Access Normal activity Low Likelihood of Malicious Exfiltration High Likelihood of Malicious Exfiltration Increased outbound data • Exfiltration modes: • SSH • HTTP • FTP • Email • Covert channel • Phishing • Spyware • Pharming • Writing to media • paper • drives • etc nfs2.pqsnet.net 600000 IN OUT 500000 400000 300000 bytes 200000 100000 50 100 150 200 250 300 350 Time x 15 sec

  49. Hierarchical PQS Architecture TIER 1 TIER 2 TIER 1 Models TIER 1 Observations TIER 1 Hypothesis TIER 2 Observations TIER 2 Models TIER 2 Hypothesis PQS Scanning Events More Complex Models Snort IP Tables PQS Infection Events Snort Tripwire PQS PQS Data Access Events Samba RESULTS PQS Exfiltration Events Flow and Covert Channel Sensor

  50. Example PQS model: Macro in word document for exfiltration Balanced Flow 2 Data Exfiltration Balanced Flow 1 4 TIER 1 VIRUS Data Exfiltration Balanced Flow RECON 3 Balanced Flow or Data Exfiltration Data Exfiltration Word virus opens up a ftp connection with a server and upload documents.

More Related