ecs236 Winter 2007: Intrusion Detection #2: Explanation-based Anomaly Detection - PowerPoint PPT Presentation

Presentation Transcript

  1. ecs236 Winter 2007: Intrusion Detection #2: Explanation-based Anomaly Detection
     Dr. S. Felix Wu
     Computer Science Department, University of California, Davis
     http://www.cs.ucdavis.edu/~wu/
     sfelixwu@gmail.com
     ecs236 winter 2007

  2. Intrusion Detection Model
     [Diagram: input event sequence; intrusion detection; pattern matching; results]

  3. [Diagram: raw events; timer control; update, decay, clean; long-term profile; compute the deviation; threshold control; alarm generation]

  4. What is an anomaly?

  5. What is an anomaly?
     • The observation of a target system is inconsistent, somewhat, with the expected conceptual model of the same system

  6. What is an anomaly?
     • The observation of a target system is inconsistent, somewhat, with the expected conceptual model of the same system
     • And, this conceptual model can be ANYTHING.
     • Statistical, logical, or something else

  7. [Diagram: raw events; timer control; update, decay, clean; long-term profile; compute the deviation; threshold control; alarm generation]

  8. [Diagram: raw events; Information Visualization Toolkit; update, decay, clean; cognitive profile; cognitively identify the deviation; alarm identification]

  9. Challenge of AND
     • We know that the detected anomalies can be either true positives or false positives.
     • We try our best to resolve the puzzle by examining all information available to us.
     • But the “ground truth” of these anomalies is very hard to obtain
       • even with human intelligence
     • Practically this might or might not be OK…

  10. What is an anomaly?
      [Diagram: Events; Anomaly Detection; Expected Behavior Model]

  11. The Challenge
      [Diagram: Events; Anomaly Detection; Expected Behavior Model; Knowledge about the Target; False Positives & Negatives]

  12. Problems with AND
      • We are not sure about whatever we want to detect…
      • We are not sure either when something is caught…
      • We are still in the dark… at least in many cases…

  13. What is an anomaly?
      [Diagram: Events; Anomaly Detection; Expected Behavior Model; Knowledge about the Target]

  14. Model vs. Observation
      [Diagram: the Model; Anomaly Detection; Conflicts → Anomalies]
      It could be an attack, but it might well be misunderstanding!!

  15. Anomaly Explanation
      [Diagram: the Model; Anomaly Detection; Anomaly Analysis and Explanation; EBL]
      Explaining both the attack and the normal behavior

  16. Explanation
      [Diagram: Events (raw, logical, stochastic); Real World; Model; Model (Simulation or Emulation); Conflicts → Anomalies]

  17. EXPAND
      • Good events go into the Model

  18. EXPAND
      • Good events go into the Model
      • Malicious events also go into the Model as signatures (but with an analysis process)
      • We want to put as much ground truth as possible into our model!
      • And that means discovering their relationship as well.

  19. [Diagram: observed system events; SBL-based Anomaly Detection; model; update the Model; model-based event analysis; Example Selection; analysis reports; Explanation Based Learning]

  20. AND → EXPAND
      • Anomaly Detection
        • Detect
      • Analysis and Explanation
      • Application

  21. Routing Protocol Framework: Information Model
      [Diagram: Application Layer: OSPF, RIPv2 and BGP4, each with its own RIB (Routing Information Base), entries of the form (Dest, NextHop, Routing Metrics); Network Layer: FIB (Forwarding Information Base); Forwarding Algorithm; Forwarding Decision; NPDU Header (Network Protocol Data Unit)]

  22. Operation Model: Routing Information Exchange
      • "Hey, here is the routing information I got so far."
      • "Hmm, some of them are obsolete. Here is my update."

  23. Operation Model: Route Generation and Selection
      Which algorithm should I use?? Distributed Dijkstra’s algorithm or distributed Bellman-Ford algorithm?
      [Diagram: Routing Information Base (application layer); Forwarding Information Base (network layer)]

  24. Routing
      [Diagram: SRC; DST]
      I want to know the shortest path or simply “a path”.
      Routers exchange local information!

  25. Link State
      [Diagram: nodes A, B, C; You; Your Neighbor; Flooding]

  26. (no text)

  27. Link State
      [Diagram: nodes A, B, C; You; Your Neighbor; Flooding]
      You tell the whole world about your relationship with your neighbor

  28. Routing Information
      • Link State:
        • I let the whole world know about my relationship with my neighbors.
        • (Felix, Neighbor-X) is up!
      • Distance Vector:
        • I let all my neighbors know about my relationship with the rest of the world.
        • (Felix can get to Remote-Y) in 5 hops.

  29. Link-State

  30. LSA and an LSA instance
      • An LSA is associated with a particular link or network, which is identified by its LS type, LS ID, and Advertising Router ID.
      • An LSA instance gives the state of a particular LSA at a particular time, which can be differentiated by LS sequence number, LS age, and LS checksum.
      0x80000000 0x80000001 0x7FFFFFFF

  31. LSA Format
      • Type (Hello, Link, Network, Summary)
      • Advertising Router ID (Originator)
      • Advertised Link or Network.
      • Sequence Number
        • smallest: 0x80000001
        • largest: 0x7FFFFFFF
      • Age (0, 60 minutes)

  32. RIB - OSPF

      | LSA-ID | ADV | Seq#       | Checksum | Age   |
      |--------|-----|------------|----------|-------|
      | A=B    | A   | 0x850012a7 | 0x452b   | 20:13 |
      | A=B    | B   | 0x84230b41 | 0x3729   | 13:12 |
      | A=D    | A   | 0x9012000e | 0x2567   | 01:22 |
      | …      |     |            |          |       |

  33. OSPF LSA Flooding, I
      [Diagram: Router; ACK]
      If I have not received this LSA (Link State Advertisement).

  34. OSPF LSA Flooding, II
      [Diagram: Router; ACK]
      If I have received this LSA (Link State Advertisement).

  35. OSPF LSA Flooding, III
      Sequence Number Comparison.
      [Diagram: Router; my newer copy]
      If I have something better/fresher/newer...

  36. How to decide “freshness”??

  37. Sequence #
      [Diagram: Seq#; ATM]

  38. Sequence #: old vs. new LSAs
      [Diagram: 0x80000001; ATM; Next: 0x80000002]
      Only accept LSAs with newer/larger Seq#.

  39. Sequence # Self-Stabilization
      [Diagram: ATM]
      (1) 0x90001112
      (2) router crashes.
      (3) 0x80000001.
      (4) 0x90001112: an old copy still exists!
      (5) 0x90001113

  40. Sequence #: Counter Flushing
      [Diagram: ATM]
      (1) 0x7FFFFFFF MaxSeq#
      (2) 0x7FFFFFFF with MaxAge to purge this entry.
      (3) 0x80000001.

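  41. Fresher LSA?
      [Flowchart: compare Seq#A with Seq#B (branches <, >, =); if equal, compare ChS:A with ChS:B (branches <, >, =); if equal, compare AgeA-AgeB against 15 and -15; each branch ends at A or B; otherwise A, B are treated the same.]
      Three parameters for LSA:
      - Sequence Number
      - Checksum
      - Age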

  42. Malicious Intermediate Routers
      [Diagram: Flooding; up; dm; EVIL!]
      All the links can be attacked.

  43. How to Attack OSPF?
      • Think…
      • Try it!!
      • What is the objective?
      • How to accomplish your goal?

  44. Problem
      • Prevent/detect compromised intermediate router(s) from tampering with “Link State Advertisements (LSAs)” originated from some other routers.
      [Diagram: "This Link is UP!"; down]

  45. Defense??
      • Crypto-based
      • Non-crypto-based

  46. LSA Digital Signature
      • PKS
      [Diagram: private key; public key; "This Link is UP!"; "This Link is UP!"]

  47. Advantages for PKS
      • One compromised router will not be able to affect others about other links.
      • With only keyed-MD5, one compromised router can disable all the crypto.

  48. Public Key is Expensive
      • At least, in software.
      • Experiments on Pentium/133, Linux 2.027:
        • HMAC MD5: 78.37 usec
        • RSA/MD5 (verify): 88.00 msec
        • RSA/MD5 (sign): 166.00 msec
      • RSA hardware is available, whereas MD5 is inherently hard to parallelize.

  49. Prevention
      • LSA Originator Digital Signature (Perlman, Murphy/Badger, Smith/JJ)
      • Debatable concerns (OSPF working group):
        • RSA is too expensive (about 1,000 times worse in signature verification with 512-bit keys)
        • PKI certificates are expensive.
        • There are other routing infrastructure attacks that cannot be prevented by LSA Digital Signatures. (Cost/market concern)
      • Political and technical.

  50. Can we do it without PKI?
      • Preventing compromised intermediate routers???
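
The freshness decision from slides 38 to 41, written out as an added example that is not part of the original slides. It assumes the RFC 2328 section 13.1 ordering, including the MaxAge step that the slide 41 flowchart does not show, with MaxAge = 60 minutes and MaxAgeDiff = 15 minutes; the names `LsaInstance`, `signed32` and `fresher` are illustrative.

```python
from dataclasses import dataclass

MAX_AGE = 60 * 60       # seconds; slide 31 gives the Age range as 0 to 60 minutes
MAX_AGE_DIFF = 15 * 60  # seconds; the 15 / -15 window on slide 41


def signed32(value):
    """Read a 32-bit field as signed, so 0x80000001 is the smallest usable
    sequence number and 0x7FFFFFFF the largest (slide 31)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


@dataclass(frozen=True)
class LsaInstance:
    seq: int       # LS sequence number as it appears on the wire
    checksum: int  # LS checksum
    age: int       # LS age in seconds


def fresher(a, b):
    """Return 'A', 'B' or 'same' for two instances of the same LSA."""
    # Step 1: the larger signed sequence number wins.
    sa, sb = signed32(a.seq), signed32(b.seq)
    if sa != sb:
        return "A" if sa > sb else "B"
    # Step 2: same sequence number, so the larger checksum wins.
    if a.checksum != b.checksum:
        return "A" if a.checksum > b.checksum else "B"
    # Step 3 (RFC 2328, not drawn on slide 41): an instance at MaxAge wins,
    # which is what lets the purge on slide 40 replace the stored copy.
    if (a.age == MAX_AGE) != (b.age == MAX_AGE):
        return "A" if a.age == MAX_AGE else "B"
    # Step 4: ages more than 15 minutes apart, so the younger instance wins.
    if abs(a.age - b.age) > MAX_AGE_DIFF:
        return "A" if a.age < b.age else "B"
    # Otherwise the two instances are treated as the same.
    return "same"


# Constructed sample values reusing the sequence numbers from slide 39.
stale_copy = LsaInstance(seq=0x90001112, checksum=0x452B, age=600)
after_restart = LsaInstance(seq=0x80000001, checksum=0x452B, age=0)
reissued = LsaInstance(seq=0x90001113, checksum=0x452B, age=0)

if __name__ == "__main__":
    print(fresher(stale_copy, after_restart))  # stale copy outranks the restart
    print(fresher(reissued, stale_copy))       # originator jumps past the stale copy
```
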