FSM based Algorithms for IDS Design:

piera

Presentation Transcript


  1. FSM based Algorithms for IDS Design: An Active Discrete Event System Approach to Intrusion Detection System for ARP Attacks

  2. Outline
  • Overview of IDSs
  • Address Resolution Protocol (ARP)
    • Overview
    • Security issues in ARP
  • Existing ARP Attack Detection Mechanisms and Motivation
  • Active Discrete Event Systems (DES)
  • FDD theory of DES for Detecting ARP attacks
  • Modeling and Attack Detection

  3. What is IDS?
  • Intrusion: a set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource
  • Intrusion detection: the process of identifying and responding to intrusion activities

  4. IDS: Taxonomy (Location of Deployment)
  • Host based: monitor computer processes
    • File integrity checkers (system files, checksum, e.g. hash value)
    • Log file analysis (attacks are encoded in terms of regular expressions)
    • Statistical approach (session duration, CPU use, number of files open)
    • System call monitoring (any deviation from the normal sequence is flagged)
  • Network based: monitor network traffic
    • Packet signatures
    • Anomalous activity

  5. IDS: Taxonomy (Detection Methodology)
  • Signature based
    • Detects known attacks whose syntax and behavior is known
    • Cannot detect new or novel attacks
    • Generates a large number of false positive alarms

  6. Signature based Misuse Detection
  • (figure: intrusion patterns are pattern-matched against observed intrusion activities)
  • Example: if (src_ip == dst_ip) then "land attack", which as a Snort rule reads:
      alert ip any any -> any any (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)

  7. IDS: Taxonomy (Detection Methodology)
  • Anomaly based
    • Can detect both known and unknown attacks
    • Creates a normal (and/or attack) profile from a training data set
    • Requires a pure training dataset for profile generation
    • Network packets are classified as normal or anomalous based on the profile
    • Detects patterns that do not conform to expected or normal behavior
    • Generates a large number of false positive alarms

  8. Anomaly Based Detection (figure: activity measures compared against the profile to flag probable intrusion)

  9. IDS: Taxonomy (Detection Methodology)
  • Event based
    • Detects known attacks for which a signature cannot be generated
    • These attacks do not change the syntax and sequence of network traffic between the normal and compromised situations
    • Detection is through monitoring the difference in the sequence of events (i.e. network packets) under normal and compromised situations

  10. What is ARP?
  • Address Resolution Protocol maps IP address to MAC address
  • (figure: ARP maps a 32-bit Internet address to a 48-bit Ethernet address; RARP maps in the reverse direction)
  • ARP CACHE: IP – MAC bindings

  11. How ARP works?
  • ARP Request is broadcast to all the hosts in the LAN
  • (figure: 10.0.0.1 / 00:00:00:00:00:01 broadcasts "Who has IP 10.0.0.2?"; the ARP Request reaches both 10.0.0.2 / 00:00:00:00:00:02 and 10.0.0.3 / 00:00:00:00:00:03)

  12. How ARP works?
  • Unicast Reply from the concerned host
  • (figure: 10.0.0.2 / 00:00:00:00:00:02 sends the ARP Reply "I have IP 10.0.0.2, my MAC is 00:00:00:00:00:02" to 10.0.0.1 / 00:00:00:00:00:01; 10.0.0.3 / 00:00:00:00:00:03 does not reply)

  13. What is ARP cache?
  • ARP cache: updated from the ARP Reply
  • (figure: 10.0.0.1 / 00:00:00:00:00:01 records the binding 10.0.0.2 → 00:00:00:00:00:02; 10.0.0.3 / 00:00:00:00:00:03 is not involved)

  14. ARP Packet
  • Hardware type: Ethernet = 1
  • Protocol type: IP = 0x800
  • OPCODE: 1 = ARP Request, 2 = ARP Reply
  • Size: 28 bytes
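A small parser for the 28-byte ARP packet described on this slide, added here as an example (it is not code from the presentation). It names the decoded fields with the IPS/MACS/IPD/MACD abbreviations the terminology slide uses, and rejects anything that is not an Ethernet/IPv4 ARP request or reply; the sample packet is constructed from the addresses on slide 12.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2            # OPCODE values from the slide
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800    # hardware type / protocol type from the slide
ARP_FMT = "!HHBBH6s4s6s4s"               # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA = 28 bytes

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise one 28-byte Ethernet/IPv4 ARP packet from colon/dotted strings."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))

def parse_arp(pkt):
    """Decode the ARP body into the IDS variables IPS/MACS/IPD/MACD.
    Malformed packets, non-Ethernet/IPv4 ARP and unknown opcodes are rejected,
    so the DES model only ever sees well-formed RQP/RSP events."""
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unexpected ARP opcode {op}")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"event": "RQP" if op == ARP_REQUEST else "RSP",
            "IPS": fmt_ip(spa), "MACS": fmt_mac(sha),
            "IPD": fmt_ip(tpa), "MACD": fmt_mac(tha)}

# Constructed sample: the reply from slide 12, "I have IP 10.0.0.2, my MAC is
# 00:00:00:00:00:02", addressed to 10.0.0.1 / 00:00:00:00:00:01
SAMPLE_REPLY = build_arp(ARP_REPLY, "00:00:00:00:00:02", "10.0.0.2",
                         "00:00:00:00:00:01", "10.0.0.1")

if __name__ == "__main__":
    print(parse_arp(SAMPLE_REPLY))
```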

  15. Why is ARP vulnerable?
  • ARP is a stateless protocol
  • Hosts cache all ARP replies sent to them even if they had not sent an explicit ARP request for them
  • No mechanism to authenticate their peer

  16. ARP Spoofing
  • Attacker sends forged ARP packets to the victim
  • (figure: the attacker at 10.0.0.2 / 00:00:00:00:00:02 sends the victim 10.0.0.1 / 00:00:00:00:00:01 an ARP Reply saying "I have IP 10.0.0.3, my MAC is 00:00:00:00:00:02")

  17. Man-in-the-Middle Attack
  • (figure: the attacker at 10.0.0.2 / 00:00:00:00:00:02 sends one ARP Reply to 10.0.0.1 / 00:00:00:00:00:01 and another to 10.0.0.3 / 00:00:00:00:00:03)

  18. EXISTING TOOLS AND TECHNIQUES

  19. EXISTING TOOLS AND TECHNIQUES
  • Static ARP cache entries: fixed IP-MAC pairs
    • Huge administrative effort
    • Does not scale on a large dynamic network
    • One new/changed host affects all the hosts
  • Port security: bind the switch port to a specified MAC address and shut down the port if the MAC address of a transmitting IP changes
    • If the first packet sent has a spoofed IP-MAC pair, then genuine packets may be dropped

  20. EXISTING TOOLS AND TECHNIQUES
  • ARPWATCH
    • Maintains a database with IP-MAC mappings
    • Any change detected is reported to the administrator using syslog/email
  • ARP Defender: hardware device running ARPWATCH
  • ArpGuard: keeps track of MAC-IP mappings and alerts on changes and invalid mappings
  • If the first packet sent has a spoofed IP-MAC pair, then genuine packets may be dropped

  21. EXISTING TOOLS AND TECHNIQUES
  • Signature and anomaly based IDS
    • High number of false alarms
  • Modifying ARP using cryptographic techniques
    • Secure-ARP: digital signature for authentication
    • Ticket-based ARP: tickets from ticket-issuing agents
    • Calls for replacement of the entire network stack
    • Additional overhead of cryptographic calculations
    • Changes standard ARP

  22. EXISTING TOOLS AND TECHNIQUES
  • Active Spoof Detection Engine
    • Sends TCP SYN packets to probe IP-MAC pairs
    • Receives SYN/ACK if the port is open or RST if closed
    • No response => malicious host
    • Violates the network layering architecture
  • Active Man in the Middle Attack Detector
    • IDS finds systems with IP forwarding enabled
    • Spoofs the ARP cache of all such systems: now all traffic forwarded by such systems reaches the IDS
    • Additional network traffic
    • Difficulty in poisoning the ARP cache of the attacker

  23. Motivation: What is Required in an IDS for ARP attacks
  • Should not modify the standard ARP
  • Should generate minimal extra traffic in the network
  • Should not require patching or installation of extra software on all the systems
  • Should detect a large set of LAN based attacks
  • Use a state-transition based framework with an "active" component

  24. ARP ATTACK DETECTION USING ACTIVE DISCRETE EVENT SYSTEM

  25. Assumptions of the LAN
  • 1. Non-compromised hosts will send a response to an ARP request within a specific interval Treq
  • 2. IDS is running on a trusted machine with fixed IP
  • 3. Port mirroring is enabled at the switch
  • The IDS has two network interfaces: one is used for data collection in the LAN through port mirroring and the other is exclusively used for sending/receiving ARP probe requests/replies.

  26. Network Architecture
  • (figure: hosts A, B, C, D and the IDS E are connected to a switch, as is the attacker; E has an IDS monitor port and a separate probe port)
  • Port mirroring is enabled at the switch
  • E is working as IDS

  27. Terminology
  • RQP: Request Packet
  • RSP: Response Packet
  • PRQP: Probe Request
  • PRSP: Probe Response
  • IPS: Source IP
  • IPD: Destination IP
  • MACS: Source MAC
  • MACD: Destination MAC
  • RQPIPS: Source IP address of the Request Packet (RQP)
  • Similarly for all other cases

  28. DES model and Failure Detection
  • (figure: process model; signals from sensors feed the diagnoser, which produces the diagnostic results)
  • A DES is characterized by a discrete state space and some event driven dynamics.
  • The diagnosis problem for a DES model is to determine the fault status of the states within a finite number of observations after the occurrence of a fault, along all possible traces of the system.
  • Simplicity of both the model and the associated algorithms.
  • Most dynamic systems can be viewed as DESs at some level of abstraction.

  29. DES Model Requirements (in addition to Sampath et al. [6])
  • Requires timing information: need to note the time of arrival of packets
  • Size of domains of variables involved in DES modeling for IDS is very large compared to systems usually handled by the model
  • Model variables are also incorporated: extended automata [Sekar et al.]

  30. Active DES Model

  31. Active DES Model: Transitions

  32. Active DES Model: Traces

  33. Active DES Model: Measurability

  34. Active DES Model: Measurability

  35. Active DES Model: Measurability

  36. Active DES Model: Controllability (figure annotation: "Not a possible scenario")

  37. Active DES Model: Failures

  38. An Example

  39. Active DES Model: Fi-Diagnosable
  A DES model is Fi-Diagnosable for failure Fi under a measurement limitation if:
  • trace s ends in a failure state
  • trace t is a sufficiently long continuation of trace s
  • "any trace of the system that looks like st must contain a failure state of the same type as Fi"

  40. Diagnoser
  • Diagnoser is represented as a directed graph O = < Z, A >
  • Z: set of detector states called O-states
  • A: set of detector transitions called O-transitions
  • Each O-state z ∈ Z comprises a subset of equivalent model states, representing uncertainty about the actual state
  • Each O-transition a ∈ A is a set of equivalent model transitions, representing uncertainty about the actual transition that occurs

  41. Fi-Diagnosability Conditions

  42. Example (contd.)

  43. Example (contd.): Active Diagnosis / Active Diagnosability

  44. Active DES for Modeling ARP Attacks

  45. Active DES for Modeling ARP Attacks
  • Attacks considered: request spoofing
  • S = { RQP, RSP, PRQP, PRSP, failure }
  • States with no primes correspond to the normal situation; states with a single prime ( ' ) correspond to request spoofing
  • Model variable set V = { IPS, MACS }
  • IPS has the domain D1 = { x.x.x.x | x ∈ {1, 2, · · · , 255} }
  • MACS has the domain D2 = { hh-hh-hh-hh-hh-hh | h ∈ Hex }
  • Clock variable y determines if the probe responses have arrived within Treq time of sending the corresponding request.

  46. DES model: Normal Condition

  47. DES model: Request Spoofing

  48. Normal/Attack certain O-state
  • Normal certain O-state: an O-state which contains only model states corresponding to the normal situation (N-O node)
  • Attack certain O-state: an O-state which contains only model states corresponding to attacks (Fi-certain O-node)
  • Normal/Attack certain O-states denote that the current model state estimate comprises only normal/attack states, thereby making a decision (as opposed to an Fi-uncertain O-node)

  49. Diagnoser for ARP Spoofing Attacks
  • Two indeterminate cycles:
    • z1-z2: avoided by sending PRQP
    • z1-z2-z3-z4: may not be avoided; depends on the response to the PRQP:
      1. the IP address of the IP-MAC pair being verified is not up
      2. the IP address of the IP-MAC pair being verified is that of the attacker
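The decision logic of the diagnoser from slides 45 to 49, written out as an added Python example (not the authors' implementation): every observed RQP/RSP pair (IPS, MACS) moves the diagnoser from z1 to z2 by sending a PRQP, the clock y is measured against Treq, and the verdict is normal-certain, attack-certain (request spoofing) or indeterminate. It assumes the PRQP is sent by a separate probe-port routine and that each PRSP in the trace is already tagged with the IP it answers; Treq and the traces are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    kind: str   # "RQP" (ARP request), "RSP" (ARP reply) or "PRSP" (reply to an IDS probe)
    t: float    # arrival time in seconds; the clock variable y is measured from it
    IPS: str    # sender IP carried by the packet
    MACS: str   # sender MAC carried by the packet

@dataclass
class Pending:              # O-state z2: pair observed, PRQP sent, PRSP awaited
    claimed: str            # MACS that the triggering packet announced for this IPS
    sent_at: float          # time the PRQP went out, so y = now - sent_at
    seen: set = field(default_factory=set)   # MACs that have answered the probe

def diagnose(trace, treq):
    """Replay a time-ordered trace through the diagnoser. Returns the list of
    (IPS, claimed MACS, verdict) decisions, verdict in {"normal",
    "request-spoofing", "indeterminate"}, and the list of IPs that were probed."""
    pending, verdicts, probes = {}, [], []
    def decide(ip, verdict):
        verdicts.append((ip, pending.pop(ip).claimed, verdict))
    def expire(now):
        # y > Treq: a lone reply matching the claim is the normal-certain O-state; silence
        # is the z1-z2-z3-z4 cycle of slide 49 (host down, or the IP really is the attacker's)
        for ip in [ip for ip, p in pending.items() if now - p.sent_at > treq]:
            decide(ip, "normal" if pending[ip].seen == {pending[ip].claimed} else "indeterminate")
    for ev in trace:
        expire(ev.t)
        if ev.kind in ("RQP", "RSP"):
            if ev.IPS not in pending:                  # z1 -> z2: verify the pair actively
                probes.append(ev.IPS)                  # PRQP "who has IPS?" from the probe port
                pending[ev.IPS] = Pending(ev.MACS, ev.t)
            elif ev.MACS != pending[ev.IPS].claimed:   # a second MAC claims the same IP
                decide(ev.IPS, "request-spoofing")
        elif ev.kind == "PRSP" and ev.IPS in pending:
            pending[ev.IPS].seen.add(ev.MACS)
            if ev.MACS != pending[ev.IPS].claimed:     # the real owner contradicts the claim
                decide(ev.IPS, "request-spoofing")
    expire(float("inf"))                               # flush whatever is still waiting
    return verdicts, probes

# Constructed traces using the slide's addresses: an honest 10.0.0.2, and the attacker
# at 00:00:00:00:00:02 claiming 10.0.0.3 while the real 10.0.0.3 answers the probe
HONEST = [Event("RQP", 0.0, "10.0.0.2", "00:00:00:00:00:02"),
          Event("PRSP", 0.4, "10.0.0.2", "00:00:00:00:00:02")]
SPOOFED = [Event("RQP", 0.0, "10.0.0.3", "00:00:00:00:00:02"),
           Event("PRSP", 0.3, "10.0.0.3", "00:00:00:00:00:03")]
```

Running `diagnose(HONEST, 2.0)` yields a normal verdict after Treq elapses, `diagnose(SPOOFED, 2.0)` flags request spoofing as soon as the genuine owner's PRSP arrives, and a trace with no PRSP at all ends in the indeterminate verdict the slide describes.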

  50. DES model: Request Spoofing
