collaborating against common enemies l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Collaborating Against Common Enemies PowerPoint Presentation
Download Presentation
Collaborating Against Common Enemies

Loading in 2 Seconds...

play fullscreen
1 / 30

Collaborating Against Common Enemies - PowerPoint PPT Presentation


  • 250 Views
  • Uploaded on

Collaborating Against Common Enemies Sachin Katti Balachander Krishnamurthy and Dina Katabi AT&T Labs-Research & MIT CSAIL Current Intrusion Detection Uses Rules  Alerts Network 5 Network 1 Network 4 Network 2 Network 3 How about collaborating?

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Collaborating Against Common Enemies' - jaden


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
collaborating against common enemies

Collaborating Against Common Enemies

Sachin Katti

Balachander Krishnamurthy and Dina Katabi

AT&T Labs-Research & MIT CSAIL

current intrusion detection
Current Intrusion Detection

Uses Rules  Alerts

Network 5

Network 1

Network 4

Network 2

Network 3

How about collaborating?

slide3
Potential reasons for collaboration:
  • Provides global picture of attack
  • Detecting low rate distributed attackers
  • Detecting stepping stones

But benefit depends on networks/IDSs seeing Correlated Attacks?

talk is about correlated attacks
Talk Is About Correlated Attacks

Define Correlated Attacks: as attacks from the same sources IP on different IDSs/networks

talk is about correlated attacks5
Talk Is About Correlated Attacks

Define Correlated Attacks: as attacks from the same source IP on different IDSs/networks

Correlated Attacks

Correlated IDS

this talk
This Talk

Logs from 1700 IDSs show:

 Collaboration is useful

  • Realtime

 Collaborate with a few IDSs

  • 40% of alerts are correlated
  • Correlated attacks within 10min
  • An IDS sees correlated attacks with 8 IDSs (out of 1700), and the group does not change

Collaboration with correlated IDSs increases detection by 75% and as good as collaborating with all.

dataset
Dataset

Full packet headers, unanonymized src/dest addresses

Anonymized dest IP; no packet headers or alert type

method
Method
  • Correlation is based on sharing the same source IP
    • Adding info about attack type and dest port did not matter
  • Correlated IDSs – IDSs for which more than 10% of their attacks are correlated
do idss see correlated attacks
Do IDSs see Correlated Attacks?

YES, Many

  • 20% of attacking IPs are common attackers
  • 40% of the attacks are correlated
  • On average, 1500 correlated attackers/ day/IDS
interarrival of correlated attacks
Interarrival of Correlated Attacks

1.0

0.8

0.6

75% of correlated attacks happen

within 10 minutes of each other

CDF

0.4

0.2

0.0

0.1

1

10

100

1000

10000

100000

Interarrival time in mins

Correlated attacks within a few minutes

 Need realtime collaboration!

size of correlation groups
Size of Correlation Groups

For each IDS compute the # of IDSs with which it is correlated

1.0

0.8

90% of IDS are correlated

with less than 8 IDS (out of 1700)

0.6

CDF

0.4

0.2

IDS correlation

0.0

1

2

4

8

16

32

# IDSs in Correlation Group

IDS correlate within small groups!

 Scalable collaboration

do correlation groups change
Do Correlation Groups Change?

If an IDS is correlated with 4 other IDS and the group changes by one, the percentage change is 25%

0.08

0.07

Avg. Change in

Correlation Group

0.06

0.05

0.04

Change

0.03

0.02

0.01

0

10

15

20

25

30

5

No. of days

Correlation is persistent!

 Establish trust out of band

why ids correlate
Why IDS correlate?
  • Is it proximity in IP space?
is proximity in ip space the reason
Is Proximity in IP Space the Reason?
  • Compute cross correlation between proximity in IP space and correlated IDS

Complete positive correlation

1.0

Cross correlation with IP space

distance hovers around 0

0.5

Cross Correlation

0

-0.5

No correlation

Distance in

IP space

-1.0

0

5

10

15

20

25

30

35

40

IDS ID

Attack Correlation is independent of

proximity in IP space

why ids correlate15
Why IDS correlate?
  • Is it proximity in IP space?
  • Is it because attackers target sites with similar software and services (e.g., Santy worm) ?

More than 60% of attacks in a correlation group target particular service (e.g. SMTP groups, IBM Tivoli, IIS servers)

is similarity in software the reason
Is Similarity in Software the Reason?
  • Compute cross correlation between similarity in software & attack correlation

Complete positive correlation

1.0

0.5

No correlation

Similarity in software is

positively correlated

Cross Correlation

0

-0.5

Similarity distance

-1.0

0

5

10

15

20

25

30

35

40

IDS ID

Decreasing similarity Decreasing correlation

issues for ids collaboration across networks
Issues for IDS collaboration across networks
  • Is it useful?
  • How often should IDS exchange information?
  • How to make it scale?
  • How does an IDS trust its collaborators to protect the privacy of its information and not lie?
exploiting correlation for collaboration
Exploiting Correlation for collaboration

 Collaboration is useful

  • Realtime

 Scale by collaborating with IDS in same correlation group

 Check trust out-of band

  • 40% of alerts are correlated
  • Correlated attacks within 10min
  • An IDS sees correlated attacks with small correlation groups (8 out of 1700 IDS)
  • The correlation group does not change
correlation based collaboration cbc
Correlation Based Collaboration (CBC)
  • Attack Correlation Detector (ACD) for finding correlation groups (e.g., DShield)
  • Since groups persist for months  ACD computation scale
  • It is up to each network to decide whether to collaborate or not
correlation based collaboration cbc21
Correlation Based Collaboration (CBC)

IDS send logs to ACD

ACD

ACD tells each IDS its correlation group

evaluation of cbc blacklisting
Evaluation of CBC Blacklisting
  • Flag an attacking IP address if # alerts cross a threshold
  • Compare with
    • Local detection
    • Collaborating with all IDSs
    • Random Collaboration - Collaborating with the same sized random subset as the correlation group
evaluation method
Evaluation Method
  • IDS queries its collaborators when # alerts from an IP exceeds Querying Threshold
  • IDS blacklists IP if aggregate # alerts exceeds Blacklisting Threshold
  • Thresholds picked to minimize false positives (for ISP dataset)
speed
Speed!
  • Compute time taken to blacklist a source in each scheme

100000

10000

1000

Local

Detection Time in mins

100

10

0

0

4000

8000

12000

16000

Attacking IP addresses

speed25
Speed!
  • Compute time taken to blacklist a source in each scheme

100000

10000

Random

1000

Local detection and random

collaboration are almost identical

Local

Detection Time in mins

100

10

0

0

4000

8000

12000

16000

Attacking IP addresses

speed26
Speed!
  • Compute time taken to blacklist a source in each scheme

100000

All IDS

10000

Random

Local

800 mins

1000

Detection Time in mins

100

150 mins

10

0

0

4000

8000

12000

16000

Attacking IP addresses

speed27
Speed!
  • Compute time taken to blacklist a source in each scheme

100000

All IDS

10000

CBC

Random

1000

Local

Detection Time in mins

100

CBC speeds up detection for 75%

of the studied sources

10

No difference for fast attackers

0

0

4000

8000

12000

16000

Attacking IP addresses

CBC performs almost as well as collaborating

with all IDS

significant reduction in alert volume
Significant Reduction in Alert Volume

CBC halves the volume of the alert logs a

network administrator has to examine!

low overhead
Low Overhead

CBC requires orders of magnitude less

querying overhead for the same benefits!

conclusions
Conclusions

 Collaboration is useful

  • Realtime

 Scale by collaborating with IDS in same correlation group

 Check trust out-of band

  • 40% of alerts are correlated
  • Correlated attacks within 10min
  • An IDS sees correlated attacks with small correlation groups (8 out of 1700 IDS)
  • The correlation group does not change

CBC exploits the above; is as good as collaborating with all but with 0.3% of the overhead.