
Algebra For Capability Based Attack Correlation



Presentation Transcript


  1. Algebra For Capability Based Attack Correlation (WISTP 2008)

  2. Outline • Introduction • Capability Model • Algebraic structures of Capability model • Alert correlation using Capability model • Conclusion

  3. Introduction • Increasing security concern • More sensitive data is stored than before • Increasing use of sophisticated attack tools and their automation (CERT's overview of attack trends, 04-18-02) • IDS: the most widely used security and surveillance monitoring tool for the network infrastructure

  4. Introduction: Attack Correlation techniques. Source: Pouget, Fabien, and Marc Dacier. Alert correlation: Review of the state of the art. Technical Report EURECOM+1271, Institute Eurecom, France, Dec 2003.

  5. Drawbacks of the state-based approach • Cannot handle missing alerts • Intermediate redundant steps • Attack variants

  6. Example • Attack correlation using system state: establish connection, then buffer overflow, then password file modified • Capability based: can access a host, then has the credential to use a service, then has root privilege. Zhou et al., Modeling Network Intrusion Detection Alerts for Correlation, ACM Transactions on Information and System Security, Vol. 10, No. 1, Article 4, February 2007.

  7. Related Work • Logical connections among alerts in an intrusion incident? The Requires/Provides model (JIGSAW, Templeton and Levitt, 2000) • A systematic model to precisely define the logical relationship? The Capability Model (Zhou et al., Feb 2007) • To make a mature capability model we need to know the basic characteristics of a capability in the context of attack correlation, and to identify its algebraic properties

  8. Capability model • Alerts are mapped to capabilities • A capability is a 6-tuple: source, destination, credential, action, (service, property), time interval • Read as: "from the source, the attacker can perform the action on the destination with the credential, on the property of the service, within the time interval" • The attacker accumulates a capability set

  9. Attributes (table of example attribute values, columns Service, Property, Interval, Credential, Action) • Service: File Management, Database • Property: File, Path, Block, Permission • Interval: Between • Credential: root, navneet, Administrator, Updaters • Action: Read, Manage, block, delay, spoof, pause, abort, unblock

  10. Action type

  11. Direct & Indirect Capability (network diagram: an intruder and an external user on the Internet reach, through a router and a firewall, a DMZ holding the web server, DNS server and mail server, and behind it the LAN; the example target is http://www.xyz.com/mydb/passwd)

  12. Direct and Indirect Capability • Direct capability, on success: know the file exists; can open the file • Direct capability, on failure: know the file does not exist; know the file exists but has no read permission • Indirect capability: can use a credit card; can send fake mail; can masquerade as a benign user; etc.

  13. Why a time notion • Unbounded validity period: attacker A can read any file of machine M from his machine H using credential labUser. Capability: { source-H, destination-M, labUser, read, (file(all), content) } • Bounded validity period, e.g. [10AM-11AM]: user U has opened his email account between 10AM and 11AM. Capability: { source-H, destination-M, labUser, read, (file(email), content) }, valid only in that interval

  14. Algebraic structures • Operations: Join, Split, Reduce, Subtract • Inference: Comparable inference, Resultant inference, Compromise inference, External inference • Relations: Overlapped, Mutually exclusive, Independent

  15. Operations

  16. Join • C1 = (IP:10.20.5.2, IP:10.20.1.1, root, receive, IIS, ftp, Time) • C2 = (IP:10.20.5.2, IP:10.20.1.1, root, send, IIS, ftp, Time) • Join(C1, C2) = (IP:10.20.5.2, IP:10.20.1.1, root, communicate, IIS, ftp, Time)

  17. Join

  18. Split • C = (IP:10.20.5.2, IP:10.20.1.1, root, read and write, /etc/password, content, Tmp) • Split(C) = (IP:10.20.5.2, IP:10.20.1.1, root, read, /etc/password, content, Tmp) and (IP:10.20.5.2, IP:10.20.1.1, root, write, /etc/password, content, Tmp)

  19. Reduce: Reduce(C1, C2) • Example: Cap1 = (SLab, Dlab, W, /home/Bob/xyz, content, root, Between:1997-07-16T19:20:30+01:00[+1H]) • Cap2 = (SLab, Dlab, W, /home/Bob/xyz, content, Bob, Between:1997-07-16T19:20:30+01:00[+1H]) • The two differ only in credential; the root capability already covers what Bob can do, so only Cap1 needs to be kept

  20. Subtract

  21. Algebraic structures (divider slide repeating the table from slide 14)

  22. Capability Relation • Containership • Overlapped vs Independent • Mutually Exclusive (diagram: C1 and C2 drawn as overlapped regions, as one region containing the other, and as independent regions)

  23. Algebraic structures (divider slide repeating the table from slide 14)

  24. Comparable: two capabilities are comparable if they have • the same value of source, destination and action • the same type of service and property • the same time interval. Example • C1 = (pushpa, dblab, read, /etc/passwd, content, user1, at:1997-07-16T19:20:30+01:00) • C2 = (pushpa, dblab, read, All files, content, user1, at:1997-07-16T19:20:30+01:00)

  25. Comparable inference: one capability can be logically inferred from another • C1 = (src, dst, read, /etc/passwd, content, user1, t1) • C2 = (src, dst, read, All files, content, user1, t2) • C1 can be logically inferred from C2 if t1 and t2 belong to the same time window (reading all files includes reading /etc/passwd) • C3 = (src, dst, know, All accounts, name, user1, t1) • C4 = (src, dst, read, /etc/passwd, content, user1, t2) • C3 can be logically inferred from C4 if t1 and t2 belong to the same time window (the password file lists every account name)

  26. External inference: if C1 and C2 are two capabilities such that • C2.dest = C1.source, and • C2 gives the capability to run an arbitrary program (on that host) then the attacker holding C2 can act from C1's source host, so C1 is externally inferable from C2

  27. Capability Model based Correlation

  28. Correlating alerts using the modified capability model • H-alert • M-attack • Correlation algorithm

  29. H-alert (diagram: the IDS emits raw alerts carrying a timestamp such as [2007-12-06T18:13:30+05:30]; each becomes an H-alert i1 with a Require set and a Provide set of capabilities (haset and capset) plus time, direction, and further attributes; correlated H-alerts form an M-attack)

  30. Correlation Algorithm

  31. Pros and pitfalls • Join: benefit, minimizes the number of comparisons; pitfall, costly due to recursion • Split: benefit, only direct inference is needed during correlation; pitfall, redundancy, and unnecessary splits increase the number of comparisons
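One way to make the algebra of slides 14 to 26 and the correlation step of slides 29 to 31 concrete, written for this page as an added example (not the authors' implementation): capabilities as 6-tuples with containership, the join/split/reduce operations, the comparable and external inference rules, and require/provide matching of H-alerts into one M-attack, run over a few constructed alerts. The join table, the inference rules (the execute-to-read rule in particular), the credential order (root above any user), minute-based time intervals, and the sample alerts and addresses are all assumptions chosen to mirror the slide examples.

```python
"""Toy capability algebra after these slides: 6-tuple capabilities, containership,
join/split/reduce, comparable and external inference, and require/provide correlation
of H-alerts into one M-attack.  Added illustration, not the authors' code; the join
table, inference rules, credential order and sample alerts are assumptions."""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Set, Tuple
ALL = "*"                    # wildcard property: "all files", "all accounts"
Interval = Tuple[int, int]   # [start, end] in minutes since midnight (assumed)
def overlaps(a: Interval, b: Interval) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]

@dataclass(frozen=True)
class Cap:                   # (source, destination, credential, action, service, property, time)
    src: str; dst: str; cred: str; action: str
    service: str; prop: str; when: Interval

    def comparable(self, o: "Cap") -> bool:
        """Slide 24: same source, destination, action, service type; overlapping time."""
        return (self.src == o.src and self.dst == o.dst and self.action == o.action
                and self.service == o.service and overlaps(self.when, o.when))

    def contains(self, o: "Cap") -> bool:
        """Containership (slide 22); the credential order root > any user is assumed."""
        return (self.comparable(o) and self.cred in ("root", o.cred)
                and self.prop in (ALL, o.prop)
                and self.when[0] <= o.when[0] <= o.when[1] <= self.when[1])

JOIN = {frozenset({"send", "receive"}): "communicate",   # slides 16/18: action pairs
        frozenset({"read", "write"}): "read and write"}  # that form a stronger action

def join(a: Cap, b: Cap) -> Optional[Cap]:
    key = frozenset({a.action, b.action})
    alike = replace(a, action=b.action, when=b.when) == b   # all other fields equal
    if key not in JOIN or not alike or not overlaps(a.when, b.when):
        return None
    both = (max(a.when[0], b.when[0]), min(a.when[1], b.when[1]))  # both must hold
    return replace(a, action=JOIN[key], when=both)

def split(c: Cap) -> List[Cap]:
    """Inverse of join: 'read and write' becomes [read, write]."""
    parts = next((p for p, whole in JOIN.items() if c.action == whole), None)
    return [replace(c, action=p) for p in sorted(parts)] if parts else [c]

def reduce_set(caps: Set[Cap]) -> Set[Cap]:
    """Reduce (slide 19): drop every capability implied by another member."""
    return {c for c in caps if not any(d != c and d.contains(c) for d in caps)}

# Comparable inference (slide 25) plus one assumed rule (execute -> read all files).
RULES = [(("read", "file", "/etc/passwd"), ("know", "account", ALL)),
         (("execute", "program", ALL), ("read", "file", ALL))]

def closure(caps: Set[Cap]) -> Set[Cap]:
    """Fixed point of RULES: a cap matching the left pattern yields the right one."""
    caps = set(caps)
    while True:
        new = {replace(c, action=a, service=s, prop=p)
               for c in caps for (la, ls, lp), (a, s, p) in RULES
               if c.action == la and c.service == ls and c.prop in (ALL, lp)}
        if new <= caps:
            return caps
        caps |= new

def holds(capset: Set[Cap], need: Cap) -> bool:
    """Direct containership, else external inference (slide 26) via a host we control."""
    return (any(c.contains(need) for c in capset)
            or any(c.dst == need.src and c.action == "execute" and c.prop == ALL
                   and overlaps(c.when, need.when) for c in capset))

@dataclass(frozen=True)
class HAlert:                # slide 29: an IDS alert with require/provide sets
    name: str; ts: int; require: FrozenSet[Cap]; provide: FrozenSet[Cap]

def correlate(alerts: List[HAlert]) -> Tuple[List[str], Set[Cap]]:
    """Slide 30 in miniature: an alert joins the M-attack when its requires are held."""
    capset, chain = set(), []
    for a in sorted(alerts, key=lambda x: x.ts):
        known = closure(capset)
        if all(holds(known, r) for r in a.require):
            chain.append(a.name)
            capset = reduce_set(known | set(a.provide))
    return chain, capset

# Constructed sample alerts (not real IDS output): attacker A, web server W, db D.
A, W, D, NONE = "10.0.0.9", "10.20.5.2", "10.20.1.1", frozenset()
ALERTS = [
    HAlert("tcp connect", 600, NONE,
           frozenset({Cap(A, W, "none", "connect", "service", "http", (600, 660))})),
    HAlert("iis overflow", 605,
           frozenset({Cap(A, W, "none", "connect", "service", "http", (605, 605))}),
           frozenset({Cap(A, W, "root", "execute", "program", ALL, (605, 660))})),
    HAlert("passwd read", 610,            # met via inference rule + wildcard property
           frozenset({Cap(A, W, "root", "read", "file", "/etc/passwd", (610, 610))}), NONE),
    HAlert("db shadow read", 615,         # attacker holds nothing on D: not correlated
           frozenset({Cap(A, D, "root", "read", "file", "/etc/shadow", (615, 615))}), NONE),
    HAlert("web-to-db connect", 620,      # met via external inference through W
           frozenset({Cap(W, D, "none", "connect", "service", "mysql", (620, 620))}),
           frozenset({Cap(W, D, "none", "connect", "service", "mysql", (620, 660))})),
]
```

Calling correlate(ALERTS) chains the four alerts on the attacker-to-web-server path into one M-attack: the /etc/passwd read is accepted because "read all files" as root (derived from arbitrary execution) contains it, and the web-to-database connection is accepted by external inference because the attacker can execute arbitrary programs on the web server. The alert that asks for root file access on the database host is left out, since nothing in the capability set implies it; that is the kind of false correlation the semantic checks mentioned in the conclusion are meant to prevent.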

  32. Alternate ways • Way 1: only join • Way 2: only split • Way 3: both join and split

  33. Conclusion • Defined a modified capability model and the logical associations between capabilities • Added semantic notions to avoid false correlation • Identified and defined relations between capabilities and derived inference rules, along with their semantics, that are used in correlation

  34. Future Work • Develop a language for the whole framework • Other: optimize the algorithms to achieve better performance; optimize the join operation and use it in the given alternate correlation algorithm, which would help make the whole system real-time with a low false rate; model the defence capability of the security administrator

  35. Thank You

  36. Questions?
