
A Stateful Intrusion Detection System for World-Wide Web Servers

A Stateful Intrusion Detection System for World-Wide Web Servers. Vigna G, Robertson W, Kher V, Kemmerer R, Department of Computer Science, UC Santa Barbara. 19th Annual Computer Security Applications Conference (ACSAC), December 08 - 12, 2003, Las Vegas, Nevada.




Presentation Transcript


  1. A Stateful Intrusion Detection System for World-Wide Web Servers. Vigna G, Robertson W, Kher V, Kemmerer R, Department of Computer Science, UC Santa Barbara. 19th Annual Computer Security Applications Conference, December 08 - 12, 2003, Las Vegas, Nevada

  2. Stateful IDS for Web Servers – Vigna G et al., 2003
  Introduction: Motivation
  • Large number of web servers
  • Continuous disclosure of vulnerabilities in web servers, which makes them popular targets
  • In 2001-2002, 23% of reported computer vulnerabilities were web-related

  3. Introduction: Intrusion Detection Systems (IDS)
  • Analyse an input stream for manifestations of attacks
  • Stateless: examines each event in the input stream independently
  • Stateful: considers relationships between events and detects attacks based on event histories

  4. Introduction: IDS placement
  • Network-based:
    • Monitors network traffic and events
    • Does not consider application-level logic
    • Cannot detect attacks that depend on the configuration of the server application
  • Application-based:
    • Processes the different stages of a client request
    • IDS is tightly coupled to the web server and visible
    • Performance of the web server is impacted

  5. Introduction: IDS approaches (1) Anomaly detection
  • Builds models of normal behaviour
  • Compares log data with the normal models to detect abnormal patterns/activity
  • Can detect previously unknown attacks
  • Produces a large number of false positives

  6. Introduction: IDS approaches (2) Misuse detection
  • Builds models (descriptions) of known attacks
  • Compares audit data with the modeled attacks for evidence of an attack
  • Detects only attacks that have been modeled
  • Focused analysis for attack detection
  • Fewer false positives, so more popular in practice

  7. Introduction: Limitations of current web IDS
  • Simple pattern matching of HTTP requests
  • Buffer overflows are not detected
  • Attacks involving multiple steps cannot be modeled
  • Only trends in large sets of web-related events are detected
  • Focus on a single event stream (network log or server application log)
  • No histories of web requests are maintained

  8. WebSTAT (IDS)
  • Based on the STAT framework (State Transition Analysis Technique)
  • Complex multi-step attacks can be modeled using the STATL language
  • Performs integrated analysis of multiple event streams: web server logs, network events and OS audit logs
  • Modular, multi-threaded
  • Application-independent runtime with components that deal with specific application domains
  • More effective detection with fewer false positives

  9. STAT framework and STATL
  • Models attacks as transitions between security states of a system
  • Supported by the STATL modeling language
  • STATL describes events and attack scenarios together with the relevant variables, e.g. the source of an HTTP request
  • Events are defined by subclassing specific C++ classes of the STAT framework
  • These classes are encapsulated in language extension modules and compiled into dynamically linked libraries (DLLs)
  • The events are then used in scenario descriptions, which are again compiled into DLLs

  10. STATL attack scenario (diagram)
  • States (State A, State B) are snapshots of the system
  • A transition from one state to the next is labelled with the action/event that triggers it, e.g. opening a TCP connection, execution of a CGI script
  • A transition assertion constrains the event, e.g. a specific port or parameters

  11. Transition types (diagram)
  • Non-consuming: both the source and the destination state remain active (a new scenario instance is created for the destination state)
  • Consuming: only the destination state remains valid
  • Unwinding: rollback to a previous state

  12. STATL runtime (STATcore)
  • STATcore is the runtime for STATL
  • The core implements the concepts of state, transition, instance, etc.
  • It obtains events from logs/audit trails and matches them against the actions, transitions and attack scenarios
  • Pipeline (diagram): events/logs → event provider (converts them to STAT events using a STATL language extension) → STATcore attack scenario analysis
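The runtime concepts of slides 10 to 12 (states, transitions, scenario instances, and the consuming, non-consuming and unwinding transition types), as an added Python example; this is not STAT's own C++ runtime. The scenario follows the slide 10 diagram: a TCP connection to the web port followed by a CGI execution by the same client. The event names (tcp_connect, cgi_exec, tcp_close), their attributes, the constructed event stream and the port 80 assertion are assumptions for the example. One simplification: real STATL unwinding also undoes the actions of the transition being rolled back, which this engine does not model.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Event:
    kind: str                  # constructed event types: "tcp_connect", "cgi_exec", "tcp_close"
    attrs: Dict[str, object]


@dataclass(eq=False)           # identity comparison: two forks with equal fields are distinct
class Instance:
    state: str
    env: Dict[str, object] = field(default_factory=dict)   # scenario variables bound so far
    history: List[str] = field(default_factory=list)       # states left behind, for unwinding
    prototype: bool = False    # the instance that always waits in the initial state


@dataclass
class Transition:
    src: str
    dst: str
    kind: str                  # event type that can fire it
    mode: str                  # "nonconsuming" | "consuming" | "unwinding"
    assertion: Callable[[Instance, Event], bool] = lambda inst, ev: True
    action: Callable[[Instance, Event], None] = lambda inst, ev: None


class Scenario:
    def __init__(self, initial: str, final: str, transitions: List[Transition]) -> None:
        self.initial, self.final, self.transitions = initial, final, transitions
        self.instances: List[Instance] = [Instance(initial, prototype=True)]
        self.alerts: List[Dict[str, object]] = []

    def feed(self, ev: Event) -> None:
        spawned: List[Instance] = []
        retired: List[Instance] = []
        for inst in self.instances:
            for t in self.transitions:
                if t.src != inst.state or t.kind != ev.kind or not t.assertion(inst, ev):
                    continue
                if t.mode == "nonconsuming":
                    # fork: the source instance keeps waiting, a child advances to dst
                    child = Instance(t.dst, dict(inst.env), inst.history + [inst.state])
                    t.action(child, ev)
                    spawned.append(child)
                elif t.mode == "consuming":
                    inst.history.append(inst.state)
                    inst.state = t.dst
                    t.action(inst, ev)
                else:  # unwinding: roll back to the state before the last transition
                    inst.state = inst.history.pop() if inst.history else inst.state
                    if inst.state == self.initial and not inst.prototype:
                        retired.append(inst)  # a fork back at the start duplicates the prototype
                break  # one transition per instance per event
        self.instances = [i for i in self.instances if i not in retired] + spawned
        for inst in self.instances:
            if inst.state == self.final:
                self.alerts.append(dict(inst.env))  # a response module would fire here
                retired.append(inst)
        self.instances = [i for i in self.instances if i not in retired]


def cgi_after_connect_scenario() -> Scenario:
    """Slide 10 shape: TCP connection to the web port, then a CGI execution by that client."""
    return Scenario(
        initial="s0", final="s2",
        transitions=[
            Transition("s0", "s1", "tcp_connect", "nonconsuming",
                       assertion=lambda inst, ev: ev.attrs["dport"] == 80,
                       action=lambda inst, ev: inst.env.update(host=ev.attrs["src"])),
            Transition("s1", "s2", "cgi_exec", "consuming",
                       assertion=lambda inst, ev: ev.attrs["src"] == inst.env["host"],
                       action=lambda inst, ev: inst.env.update(script=ev.attrs["script"])),
            Transition("s1", "s0", "tcp_close", "unwinding",
                       assertion=lambda inst, ev: ev.attrs["src"] == inst.env["host"]),
        ],
    )


def run(events: List[Event]) -> List[Dict[str, object]]:
    sc = cgi_after_connect_scenario()
    for ev in events:
        sc.feed(ev)
    return sc.alerts


# Constructed event stream for the example.
SAMPLE_EVENTS = [
    Event("tcp_connect", {"src": "10.0.0.1", "dport": 80}),
    Event("tcp_connect", {"src": "10.0.0.2", "dport": 80}),
    Event("tcp_connect", {"src": "10.0.0.3", "dport": 22}),   # assertion fails: not the web port
    Event("tcp_close",   {"src": "10.0.0.1"}),                # 10.0.0.1's fork unwinds and is dropped
    Event("cgi_exec",    {"src": "10.0.0.1", "script": "/cgi-bin/a.cgi"}),  # no live instance for it
    Event("cgi_exec",    {"src": "10.0.0.2", "script": "/cgi-bin/b.cgi"}),  # completes the scenario
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

Only the client that connected to port 80 and then executed a CGI script without closing its connection in between reaches the final state; the non-consuming first transition is what lets the prototype instance keep watching for further clients while each fork tracks one of them.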

  13. WebSTAT components
  • A language extension module that defines web-specific events
  • An event provider that parses web server logs and generates the corresponding events
  • Modules for network and OS events
  • A number of STATL scenarios to detect attacks against web servers
  • Response modules to generate alerts

  14. WebSTAT: a web-specific event class (C++; the elided members are not in the transcript)
    class Request : public STAT_Event {
    public:
        std::string request;          // decoded request
        std::string userAgent;
        std::string encodedRequest;   // request as sent by the client
        ……
    };
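An event provider in the sense of slide 13, written in Python as an added example (WebSTAT's own provider is C++ and is not on the page): it turns Apache combined-format log lines into Request events carrying the fields shown on the slide above. The field names beyond the three on the slide (host, time, method, status, referer), the log format and the sample log lines are assumptions. The single URL decode is deliberate: a scenario that matches on the decoded request should decode exactly as many times as the server does, so a double-encoded %252e stays as %2e here rather than becoming a dot.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Iterator, Optional
from urllib.parse import unquote

# Apache "combined" log format (the constructed sample lines below follow it).
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


@dataclass
class Request:
    """Python stand-in for the WebSTAT Request event (a STAT_Event subclass in C++)."""
    host: str
    time: datetime
    method: str
    encoded_request: str   # URL exactly as it appeared in the log
    request: str           # decoded once, i.e. what the server most likely resolved
    status: int
    user_agent: str
    referer: str


def parse_request_line(line: str) -> Optional[Request]:
    """Return a Request event for one log line, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None  # an event provider skips what it cannot parse rather than aborting
    parts = m.group("request").split(" ")
    method = parts[0] if parts else ""
    url = parts[1] if len(parts) > 1 else ""
    return Request(
        host=m.group("host"),
        time=datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        method=method,
        encoded_request=url,
        request=unquote(url),  # decode exactly once
        status=int(m.group("status")),
        user_agent=m.group("agent"),
        referer=m.group("referer"),
    )


def request_events(lines: Iterable[str]) -> Iterator[Request]:
    """The event stream a scenario would consume."""
    for line in lines:
        ev = parse_request_line(line)
        if ev is not None:
            yield ev


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2003:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [10/Oct/2003:13:55:40 +0000] "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0" 404 209 "-" "curl/7.10"',
    '10.0.0.9 - - [10/Oct/2003:13:55:41 +0000] "GET /%252e%252e/secret HTTP/1.0" 404 209 "-" "curl/7.10"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for ev in request_events(SAMPLE_LOG):
        print(ev.host, ev.status, ev.encoded_request, "->", ev.request)
```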

  15. WebSTAT (figure slide; no text in the transcript)

  16. WebSTAT: counting scenario pattern
  • Generic pattern for scenarios that count occurrences of an event
  • Integer parameters: threshold (number of matching events before an alert is raised), alert_freq (how often further alerts are raised once the threshold has been passed), inactivity_timeout (period of inactivity after which the count is discarded)

  17. WebSTAT (figure slide; no text in the transcript)

  18. WebSTAT scenarios
  • Web Crawler Scenario: a configuration file specifies which User-Agents are allowed to crawl the site
  • Pattern Matching Scenario: detects attacks embedded in the URL by comparing the request with a list of regular expressions
  • Repeated Failed Access Scenario: checks for multiple client errors; a counter records the number of failed requests originating from a subnet
  • Cookie Stealing Scenario: records the first use of a session cookie by a remote client by mapping the cookie to an IP address; a later use of the same cookie from a different address is flagged
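The counting pattern from slide 16 and two of the scenarios listed above (Repeated Failed Access keyed by /24 subnet, Cookie Stealing), as an added Python example; it is not WebSTAT's STATL code. The exact semantics given to threshold, alert_freq and inactivity_timeout, the event dictionary layout and the constructed events are assumptions. Two caveats a deployment needs: the cookie-to-address mapping produces false positives for clients behind changing NAT or proxy addresses and should expire with the session, and the subnet counter will also fire on a scanner that rotates hosts inside one /24 but not on one that spreads across many.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Counter:
    count: int = 0
    last_seen: float = 0.0
    alerted_at: int = 0   # count at which the last alert was raised (0: never)


class CountingScenario:
    """STATL-style counting pattern: count matching events per key; alert when the count
    reaches threshold, then again every alert_freq further events; a key that has been
    idle for more than inactivity_timeout seconds starts from zero."""

    def __init__(self, name: str, key_fn: Callable[[dict], str], match_fn: Callable[[dict], bool],
                 threshold: int, alert_freq: int, inactivity_timeout: float) -> None:
        self.name, self.key_fn, self.match_fn = name, key_fn, match_fn
        self.threshold, self.alert_freq, self.inactivity_timeout = threshold, alert_freq, inactivity_timeout
        self.counters: Dict[str, Counter] = {}
        self.alerts: List[str] = []

    def feed(self, ev: dict) -> Optional[str]:
        if not self.match_fn(ev):
            return None
        key = self.key_fn(ev)
        c = self.counters.setdefault(key, Counter())
        if c.count and ev["time"] - c.last_seen > self.inactivity_timeout:
            c = self.counters[key] = Counter()   # stale history is discarded
        c.count += 1
        c.last_seen = ev["time"]
        first_time = c.alerted_at == 0
        if c.count >= self.threshold and (first_time or c.count - c.alerted_at >= self.alert_freq):
            c.alerted_at = c.count
            alert = f"{self.name}: {key} ({c.count} events)"
            self.alerts.append(alert)
            return alert
        return None


class CookieStealingScenario:
    """Remember the client address that first presented each session cookie and flag any
    later use of that cookie from another address."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}
        self.alerts: List[str] = []

    def feed(self, ev: dict) -> Optional[str]:
        cookie = ev.get("cookie")
        if not cookie:
            return None
        first = self.owner.setdefault(cookie, ev["host"])
        if first != ev["host"]:
            alert = f"cookie_stealing: {cookie} first used by {first}, now by {ev['host']}"
            self.alerts.append(alert)
            return alert
        return None


def subnet_of(ev: dict) -> str:
    """/24 key for the repeated failed access counter (IPv4 only, for the example)."""
    return ".".join(ev["host"].split(".")[:3]) + ".0/24"


def run_scenarios(events: List[dict]) -> Dict[str, List[str]]:
    failed = CountingScenario("repeated_failed_access", subnet_of,
                              lambda ev: 400 <= ev["status"] < 500,
                              threshold=3, alert_freq=2, inactivity_timeout=600)
    cookies = CookieStealingScenario()
    for ev in events:
        failed.feed(ev)
        cookies.feed(ev)
    return {"failed_access": failed.alerts, "cookie_stealing": cookies.alerts}


# Constructed event stream: time in seconds, status from the server log, cookie if sent.
SAMPLE_EVENTS = [
    {"time": 0,    "host": "192.168.1.10", "status": 404},
    {"time": 1,    "host": "192.168.1.11", "status": 403},
    {"time": 2,    "host": "192.168.1.12", "status": 404},   # third failure in the /24: alert
    {"time": 3,    "host": "192.168.1.10", "status": 404},   # fourth: alert_freq not reached yet
    {"time": 4,    "host": "192.168.1.13", "status": 404},   # fifth: alert again
    {"time": 5,    "host": "10.9.8.7",     "status": 200, "cookie": "SESSID=abc"},
    {"time": 6,    "host": "10.9.8.7",     "status": 200, "cookie": "SESSID=abc"},
    {"time": 7,    "host": "172.16.0.3",   "status": 200, "cookie": "SESSID=abc"},  # another host
    {"time": 1000, "host": "192.168.1.10", "status": 404},   # idle > 600 s: counter restarts
]

if __name__ == "__main__":
    for name, alerts in run_scenarios(SAMPLE_EVENTS).items():
        print(name, alerts)
```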

  19. WebSTAT scenarios (continued)
  • Buffer Overflow Scenario: the presence of binary data in a request, or an extremely long request, is treated as an attempt to exploit a buffer overflow
  • Network- and application-level buffer overflow detection: examine both the web server log and the actual client requests seen on the network; if binary data is found at the network level and there is no matching entry in the server log, the request was never logged and the attack is considered successful
  • Document Root Escape Attack: illicit access to a file outside the web server's document root; examine the web server log and the OS audit records together to detect file system access violations
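The two cross-stream checks on this slide, as an added Python example (not WebSTAT's code): flagging network-level requests that look like overflow attempts and reporting whether the server logged them, and resolving traversal paths against the document root and confirming the escape against OS audit records of files the server process opened. The request-length limit, the document root path, the tuple layouts for the three streams and the sample data are assumptions. Both thresholds need tuning per site: legitimate long query strings or binary uploads look the same to the overflow heuristic, so an unlogged match is the signal worth paging on, not a logged one.

```python
import posixpath
from typing import Dict, List, Tuple

MAX_REQUEST_LEN = 4096        # assumption: anything longer is suspicious for this server
DOC_ROOT = "/var/www/html"    # assumption


def looks_like_overflow(raw: bytes) -> bool:
    """Binary (non-printable, non-whitespace) bytes or an extremely long request."""
    if len(raw) > MAX_REQUEST_LEN:
        return True
    return any((b < 0x20 and b not in b"\r\n\t") or b > 0x7E for b in raw)


def request_line(raw: bytes) -> str:
    """First line of the raw request, as the server would log it."""
    return raw.split(b"\r\n", 1)[0].decode("latin-1")


def correlate_overflows(network_requests: List[Tuple[str, bytes]],
                        server_log: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """network_requests: (client, raw bytes) seen on the wire; server_log: (client, request line)
    the server logged. 'unlogged' means the server never recorded the suspicious request,
    which the deck treats as the signature of a successful attack."""
    logged = set(server_log)
    findings = []
    for client, raw in network_requests:
        if not looks_like_overflow(raw):
            continue
        line = request_line(raw)
        outcome = "logged" if (client, line) in logged else "unlogged"
        findings.append({"client": client, "request": line[:40], "outcome": outcome})
    return findings


def resolve(url_path: str, docroot: str = DOC_ROOT) -> str:
    """Resolve an already URL-decoded path the way a naive server would."""
    return posixpath.normpath(posixpath.join(docroot, url_path.lstrip("/")))


def escapes_docroot(url_path: str, docroot: str = DOC_ROOT) -> bool:
    target = resolve(url_path, docroot)
    return not (target == docroot or target.startswith(docroot + "/"))


def correlate_docroot_escape(server_log: List[Tuple[str, str]],
                             os_audit: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """os_audit: (process, file path opened) records for the web server process. A traversal
    request whose resolved target shows up in the audit trail is a confirmed escape."""
    opened = {path for _, path in os_audit}
    findings = []
    for client, line in server_log:
        parts = line.split(" ")
        if len(parts) < 2:
            continue
        path = parts[1].split("?", 1)[0]
        if not escapes_docroot(path):
            continue
        target = resolve(path)
        findings.append({"client": client, "target": target, "confirmed": target in opened})
    return findings


# Constructed sample streams (not real captures).
LONG_REQ = "GET /" + "A" * 5000 + " HTTP/1.0"
NETWORK_REQUESTS = [
    ("10.0.0.7", b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("10.0.0.8", b"GET /cgi-bin/x?" + b"\x90" * 64 + b" HTTP/1.0\r\n\r\n"),   # NOP-sled-like bytes
    ("10.0.0.9", LONG_REQ.encode() + b"\r\n\r\n"),                          # oversized request
]
SERVER_LOG = [
    ("10.0.0.7", "GET /index.html HTTP/1.0"),
    ("10.0.0.9", LONG_REQ),                          # server survived and logged it (e.g. 414)
    ("10.0.0.5", "GET /../../../etc/passwd HTTP/1.0"),
    ("10.0.0.6", "GET /docs/../index.html HTTP/1.0"),   # stays inside the document root
]
OS_AUDIT = [("httpd", "/etc/passwd"), ("httpd", "/var/www/html/index.html")]

if __name__ == "__main__":
    print(correlate_overflows(NETWORK_REQUESTS, SERVER_LOG))
    print(correlate_docroot_escape(SERVER_LOG, OS_AUDIT))
```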

  20. WebSTAT evaluation
  • Web server: Pentium IV 1.8 GHz, RedHat 8.0, Apache
  • Clients: Pentium IV 1.8 GHz, RedHat 8.0
  • Network: Intel EtherExpress 10/100 Ethernet cards, 100BaseT full-duplex, Cisco Catalyst 3500 XL switch
  • Measurement: average throughput and response times of the web server with and without WebSTAT running on the server
  • Result: with WebSTAT, slightly lower throughput and no change in response time

  21. WebSTAT conclusions
  • WebSTAT operates on multiple event streams
  • Supports more effective detection of web-based attacks with a reduced number of false positives
  • Stateful intrusion detection can be performed on high-performance web servers in real time

  22. THANKS !
