750 likes | 981 Views
ecs236 Winter 2007: Intrusion Detection #2: Explanation-based Anomaly Detection. Dr. S. Felix Wu Computer Science Department University of California, Davis http://www.cs.ucdavis.edu/~wu/ sfelixwu@gmail.com. Intrusion Detection. Model. Input event sequence. Results. Intrusion Detection.
E N D
ecs236 Winter 2007:Intrusion Detection#2: Explanation-based Anomaly Detection Dr. S. Felix Wu Computer Science Department University of California, Davis http://www.cs.ucdavis.edu/~wu/ sfelixwu@gmail.com ecs236 winter 2007
Intrusion Detection Model Input event sequence Results Intrusion Detection Pattern matching ecs236 winter 2007
timer control update decay clean long term profile raw events compute the deviation 0 0 5 10 15 20 25 30 threshold control alarm generation ecs236 winter 2007
What is an anomaly? ecs236 winter 2007
What is an anomaly? • The observation of a target system is inconsistent, somewhat, with the expected conceptual model of the same system ecs236 winter 2007
What is an anomaly? • The observation of a target system is inconsistent, somewhat, with the expected conceptual model of the same system • And, this conceptual model can be ANYTHING. • Statistical, logical, or something else ecs236 winter 2007
timer control update decay clean long term profile raw events compute the deviation 0 0 5 10 15 20 25 30 threshold control alarm generation ecs236 winter 2007
raw events Information Visualization Toolkit update decay clean cognitive profile cognitively identify the deviation alarm identification ecs236 winter 2007
Challenge of AND • We know that the detected anomalies can be either true-positive or false-positive. • We try all our best to resolve the puzzle by examining all information available to us. • But, the “ground truth” of these anomalies is very hard to obtain • even with human intelligence • Practically this might or might not be OK… ecs236 winter 2007
What is an anomaly? Anomaly Detection Events Expected Behavior Model ecs236 winter 2007
The Challenge Anomaly Detection False Positives & Negatives Events Expected Behavior Model Knowledge about the Target ecs236 winter 2007
Problems with AND • We are not sure about whatever we want to detect… • We are not sure either when something is caught… • We are still in the dark… at least in many cases… ecs236 winter 2007
What is an anomaly? Anomaly Detection Events Expected Behavior Model Knowledge about the Target ecs236 winter 2007
Model vs. Observation the Model Anomaly Detection Conflicts Anomalies It could be an attack, but it might well be misunderstanding!! ecs236 winter 2007
Anomaly Explanation the Model Anomaly Detection Anomaly Analysis and Explanation Explaining both the attack and the normal behavior EBL ecs236 winter 2007
Explanation Events: raw, logical, stochastic Real World Model Model (Simulation or Emulation) Conflicts Anomalies ecs236 winter 2007
EXPAND • Good events go into the Model ecs236 winter 2007
EXPAND • Good events go into the Model • Malicious events also go into the Model as signatures (but with an analysis process) • We want to put as much as ground truth into our model! • And, that means discovering their relationship as well. ecs236 winter 2007
observed system events SBL-based Anomaly Detection model update the Model model-based event analysis Example Selection analysis reports Explanation Based Learning ecs236 winter 2007
AND EXPAND • Anomaly Detection • Detect • Analysis and Explanation • Application ecs236 winter 2007
Routing Protocol FrameworkInformation Model Routing Information Base OSPF RIPv2 BGP4 RIB RIB RIB Application Layer Network Layer (Dest, NextHop, Routing Metrics) FIB FIB Forwarding Information Base Forwarding Algorithm Forwarding Decision NPDU Header (Network Protocol Data Unit) ecs236 winter 2007
Operation Model Routing Information Exchange Hey, Here is the routing information I got so far Hmm, some of them are obsolete, Here is my update ecs236 winter 2007
Which algorithm should I use?? Distributed Dijikstra’s algorithm or Distributed Bellman-Ford algorithm? Routing Information Base Forwarding Information Base Operation Model Route Generation and Selection application Layer network Layer ecs236 winter 2007
Routing SRC DST I want to know the shortest path or simply “a path” Routers exchange local information! ecs236 winter 2007
Link State A B A B B You A A B C Your Neighbor Flooding ecs236 winter 2007
Link State A B A B B You A A B C Your Neighbor Flooding You tell the whole world about your relationship with your neighbor ecs236 winter 2007
Routing Information • Link State: • I let the whole world knows about my relationship with my neighbors. • (Felix, Neighbor-X) is up! • Distance Vector: • I let all my neighbors knows about my relationship with the rest of the world. • (Felix can get to Remote-Y) in 5 hops. ecs236 winter 2007
Link-State ecs236 winter 2007
LSA and an LSA instance • An LSA is associated with a particular link of network, which is identified by its LS type, LS ID, Advertising Router ID. • An LSA instance gives the state of a particular LSA at a particular time, which can be differentiated by LS sequence number, LS age, LS checksum. 0x80000000 0x80000001 0x7FFFFFFF ecs236 winter 2007
LSA Format • Type (Hello, Link, Networ, Summary) • Advertizing Router ID (Originator) • Advertized Link or Network. • Sequence Number • smallest: 0x 80000001 • largest: 0x7FFFFFFF • Age (0, 60 minutes) ecs236 winter 2007
RIB - OSPF LSA-ID ADV Seq# Checksum Age A=B A 0x850012a7 0x452b 20:13 A=B B 0x84230b41 0x3729 13:12 A=D A 0x9012000e 0x2567 01:22 … ecs236 winter 2007
OSPF LSA Flooding, I Router ACK If I have not received this LSA (Link State Advertisement). ecs236 winter 2007
OSPF LSA Flooding, II Router ACK If I have received this LSA (Link State Advertisement). ecs236 winter 2007
OSPF LSA Flooding, III Sequence Number Comparison. Router my newer copy If I have something better/fresher/newer.. ecs236 winter 2007
How to decide “freshness”?? ecs236 winter 2007
Sequence # Seq# ATM ecs236 winter 2007
Sequence #: old vs. new LSAs 0x80000001 ATM Next: 0x80000002 Only accept LSAs with newer/larger Seq#. ecs236 winter 2007
Sequence # Self-Stabilization (1). 0x90001112 (2). router crashes. (3). 0x80000001. ATM (5). 0x90001113 (4). 0x90001112 an old copy still exists! ecs236 winter 2007
Sequence #: Counter Flushing (1) 0x7FFFFFFF MaxSeq# ATM (2) 0x7FFFFFF with MaxAge to purge this entry. (3) 0x80000001. ecs236 winter 2007
Fresher LSA? B < Seq#A ? Seq#B > A = ChS:A ? ChS:B B < > A = B 15 AgeA-AgeB -15 A otherwise A, B are treated the same. Three parameters for LSA: - Sequence Number - Checksum - Age ecs236 winter 2007
Malicious Intermediate Routers Flooding up dm EVIL! All the links can be attacked. up dm ecs236 winter 2007
How to Attack OSPF? • Think… • Try it!! • What is the objective? • How to accomplish your goal? ecs236 winter 2007
Problem • Prevent/Detect compromised intermediate router(s) from tampering “Link State Advertisements (LSAs)” originated from some other routers. down This Link is UP! ecs236 winter 2007
Defense?? • Crypto-based • Non-crypto-based ecs236 winter 2007
LSA Digital Signature • PKS private key public key This Link is UP! This Link is UP! ecs236 winter 2007
Advantages for PKS • One compromised router will not be able to affect others about other links. • With only key-MD5, one compromised router can disable all the crypto. ecs236 winter 2007
Public Key is Expensive • At least, in software. • Experiments on Pentium/133, Linux 2.027: • HMAC MD5: 78.37 usec • RSA/MD5 (verify): 88.00 msec • RSA/MD5 (sign): 166.00 msec • RSA Hardware available, where MD5 is inherently hard to parallelize. ecs236 winter 2007
Prevention • LSA Originator Digital Signature (Perlman, Murphy/Badger, Smith/JJ) • Debatable Concerns: (OSPF wk-group) • RSA is too expensive (about 1,000 times worse in signature verification with 512 bit keys) • PKI Certificate is expensive. • There are otherrouting infrastructure attacks that can not be prevented by LSA Digital Signatures. (Cost/Market concern) • Political and Technical. ecs236 winter 2007
Can we do it without PKI? • Preventing compromised intermediate routers??? ecs236 winter 2007