Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Second Line Intrusion DetectionUsing Personalization DISA Sponsored GWU-CS
Content • Introduction • Examples and Analysis • Prototype Design • More to come • Conclusion
Introduction • Penetration into computer systems continues at a high rate despite substantial progress in security research and technology • No reason to assume that this level of “insecurity” will change • Most penetrations are done by individuals or small teams • Only lately has personalization entered into security consideration
Our research into personalization in areas such as: • User command lines behavior (e.g., UNIX) • User browser patterns as reflected by URL sequences • User work habits • Provides a basis for: • User classification • Abnormality observation • Detection of deviation from regular behavior • Changes in patterns
Examples and Analysis www.fada.com www.fada.com/address.html www.fada.com/cline.html www.fada.com/cline-bisttram.html www.fada.com/cline-stella2.html www.fada.com/karges.html www.fada.com/karges1.html www.fada.com/karges3.html www.fada.com/karges8.html www.fada.com/mmfa.html www.fada.com/mmfa1.html www.fada.com/mmfa9.html
Comments on Example 1 • Assumptions: • Access to server is through home page www.fada.com • Knowledge of structure and content of server pages www.fada.com • Provides the following: • Detailed access starts from server page address.html • Page cline.html leads to two links: • Cline-bisttrom.html and • Cline-stella.html • The example demonstrates “reasonable” behavior
Example 2 www.fada.com/mmfa9.html www.fada.com/rehs10.html www.fada.com/stern3.html www.fada.com/address.html www.fada.com/trotter41.html www.fada.com/cantor8.html
Comments on Example 2 • Access starts straight from a couple of internal pages (i.e., nodes of the tree) • It continues by a visit to a link off the home page • Summary: • The behavior does not follow regular access patterns • The behavior is difficult to explain • This access may indicate suspicious behavior
Other Types of Entry Modes • In addition to URLs, one should watch out for: • FTP access • E-mail • Potential Logins • Other protocols access: e.g., port scanning • On a “sound” server: • FTPs port are predefined • E-mail, except for bugs, can be protected against • Port scanning is already trapped by IDS
Prototype Design • We face suspicious behavior with two tools • Automatic recognition • Machine Learning • Data Mining • Automatic recognition may be trained on “regular’ access patterns and attempt detection of “irregular” access patterns • So far, results are good, but not great – enough penetration is undetected
Behavior Analysis Application • A JAVA application that classifies behavior is partially done and operational • It shows a high level of detection of irregular behavior • The approach is promising and has a proven track record • Web Browser communication performance improved by 20% by changing cache to use Next URL Prediction • Prediction is based on the underlining assumption of “regularity” of behavior
Observation • URL, IP packets, and Port scanning look like an algorithm (or a program) without termination • Example 1 can be written as: Initialize; www.fada.com Initialize; www.fada.com/address.html Loop; rest of URLs • The loop is a while that selects links in www.fada.com/address.html for viewing • The selection criterion is personal • Example 2 seems as an unordered set of program statements • Therefore Example 2 does not seem to be a “regular” access pattern
Prototype Design Details STEPS • Analyze Server pages hierarchy • Analyze each page for links and sources (i.e. src) files • Build an identification engine based on • Behavior categorization • Page hierarchy • Isolation of individual users to identifying agents • Construct input benchmarks • Continue work on Other Types of Entry Modes
More to come • Examples of more complex relationships to be explored • Server pages link to other servers pages • Same source (IP) for different communication types • Accessing different locations on tree concurrently • Can be done by using two copies of the browser • The two sessions will have different Ids but may be cooperating • The agents monitoring the two browsers must collaborate • URLs and FTPs from same source at the same time • Multiple FTPs • Similar case to multiple browsers • ...
Conclusion • A substantial prototype will be completed by end of Summer • Complex relationships will be explored: • Threats will be enumerated • Potential detection will be proposed • Prototype will include some of these results • Open areas will be reported on in detail