A Stateful Intrusion Detection System for World-Wide Web Servers
Vigna G, Robertson W, Kher V, Kemmerer R
Department of Computer Science, UC Santa Barbara
19th Annual Computer Security Applications Conference (ACSAC), December 08-12, 2003, Las Vegas, Nevada

Stateful IDS for Web Servers – Vigna G et al., 2003

Introduction: Motivation
- Large number of web servers
- Continuous disclosure of vulnerabilities in web servers makes them popular targets
- 2001-2002: 23% of reported computer vulnerabilities were web related

Introduction: Intrusion Detection Systems (IDS)
- Analyse input streams for manifestations of attacks
- Stateless: examines each event in the input stream independently
- Stateful: considers relationships between events and detects attacks based on event histories

Introduction: IDS placement
- Network-based: monitors network traffic and events
  - Does not consider application-level logic
  - Cannot detect attacks that depend on the configuration of the server application
- Application-based: processes the different stages of a client request
  - IDS tightly coupled to the web server and visible
  - Performance of the web server is impacted

Introduction: IDS detection approaches
- Anomaly detection:
  - Models of normal behavior
  - Compares log data with the normal models to detect abnormal patterns/activity
  - Detects previously unknown attacks
  - Large number of false positives
- Misuse detection:
  - Models of attack descriptions
  - Compares audit data with the modeled attacks for evidence of an attack
  - Detects only attacks that have been modeled
  - Focused analysis for attack detection
  - Fewer false positives, so more popular

Introduction: Current IDS limitations
- Simple pattern matching of HTTP requests
- Buffer overflows not detected
- Attacks involving multiple steps cannot be modeled
- Only detect trends in large sets of web-related events
- Focus on a single event stream (network log or server application log)
- Do not maintain histories of web requests

WebSTAT (IDS)
- Based on the STAT framework (State Transition Analysis Technique)
- Complex multi-step attacks can be modeled using the STATL language
- Performs integrated analysis of multiple event streams: web server, network and OS events/logs
- Modular, multi-threaded
- Application-independent runtime with components that deal with specific application domains
- More effective detection with fewer false positives

STAT framework
- Models attacks as transitions between security states of a system
- Supported by the STATL modeling language

STATL
- Describes events and attack scenarios with their relevant variables, e.g. the source of an HTTP request
- Events are defined by subclassing specific C++ classes of the STAT framework
- These classes are encapsulated in language extension modules and compiled into DLLs
- Events are then used in scenario descriptions, which are again compiled into DLLs

STATL attack scenario
- A scenario is a sequence of states connected by transitions
- State: a snapshot of the system, e.g. state A: a TCP connection has been opened; state B: a CGI script has been executed
- Transition: labeled with the action/event that moves the scenario from one state to the next
- Transition assertion: a condition on the event, e.g. a specific port or request parameters, that must hold for the transition to fire

STATL transitions
- Non-consuming: both the source and destination states remain active
- Consuming: only the destination state remains valid
- Unwinding: rollback to the previous state

STATL runtime
- STATcore is the runtime for STATL
- The core implements the concepts of state, transition, instance, etc.
- It obtains events from logs/audits and matches them against actions, transitions and attack scenarios
- Pipeline: events/logs -> event provider (translates raw records into STAT events using the STATL language extension) -> STATcore (incorporates the compiled attack scenarios and performs the analysis)

WebSTAT components
- A language extension module that defines web-specific events
- An event provider that parses web server logs and generates the corresponding events
- Modules for network and OS events
- A number of STATL scenarios to detect attacks against web servers
- Response modules to generate alerts

WebSTAT: the web request event (C++)
    class Request : public STAT_Event {
    public:
        string request;
        string userAgent;
        string encodedRequest;
        ......
    };

WebSTAT: counting scenario pattern
- Integer parameters: threshold, alert_freq, inactivity_timeout

WebSTAT scenarios
- Web Crawler: a file specifies which User-Agents are allowed
- Pattern Matching: detects attacks embedded in the URL by comparing it against a list of regular expressions
- Repeated Failed Access: checks for multiple client errors; a counter records the number of failed requests that originated from a subnet
- Cookie Stealing: records the initial use of a session cookie by a remote client by mapping the cookie to an IP address, so that later use of the same cookie from a different address can be detected
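To make the scenario machinery concrete, the following is an added example (my own Python, not code from the paper or from WebSTAT) that plays the role of an event provider plus three of the scenarios listed above: the Repeated Failed Access counting scenario with the threshold, alert_freq and inactivity_timeout parameters, the Cookie Stealing scenario, and the Pattern Matching scenario. The log lines are constructed for the example; the assumed format is the Apache combined log with a trailing "%{Cookie}i" field, and the regex list, the /24 subnet granularity and the parameter values are assumptions, not the paper's.

```python
import re
from datetime import datetime
from ipaddress import ip_network

# Constructed sample log (not from the paper). Assumed format: Apache
# combined log with a trailing "%{Cookie}i" field so session cookies are visible.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2003:10:00:01 -0800] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0" "-"
10.0.0.5 - - [08/Dec/2003:10:00:02 -0800] "GET /login HTTP/1.0" 200 512 "-" "Mozilla/4.0" "SESSID=abc123"
10.0.0.7 - - [08/Dec/2003:10:00:03 -0800] "GET /account HTTP/1.0" 200 800 "-" "Mozilla/4.0" "SESSID=abc123"
192.168.1.10 - - [08/Dec/2003:10:00:04 -0800] "GET /cgi-bin/a.cgi HTTP/1.0" 404 0 "-" "curl" "-"
192.168.1.11 - - [08/Dec/2003:10:00:05 -0800] "GET /cgi-bin/b.cgi HTTP/1.0" 404 0 "-" "curl" "-"
192.168.1.12 - - [08/Dec/2003:10:00:06 -0800] "GET /cgi-bin/c.cgi HTTP/1.0" 403 0 "-" "curl" "-"
192.168.1.13 - - [08/Dec/2003:11:30:00 -0800] "GET /cgi-bin/d.cgi HTTP/1.0" 404 0 "-" "curl" "-"
10.0.0.9 - - [08/Dec/2003:11:30:01 -0800] "GET /../../etc/passwd HTTP/1.0" 400 0 "-" "curl" "-"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)" "(?P<cookie>[^"]*)"'
)


def parse_log(text):
    """Event provider: translate raw log lines into Request-like event dicts."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # an event provider must not die on a malformed record
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["time"] = datetime.strptime(ev["time"], "%d/%b/%Y:%H:%M:%S %z")
        yield ev


class RepeatedFailedAccess:
    """Counting scenario: one instance per /24 subnet, in the 'counting' state
    once a client error has been seen. A quiet period longer than
    inactivity_timeout returns the instance to the start state."""

    def __init__(self, threshold=3, alert_freq=2, inactivity_timeout=600):
        self.threshold, self.alert_freq, self.timeout = threshold, alert_freq, inactivity_timeout
        self.instances = {}  # subnet -> {"count": int, "last": datetime}

    def on_event(self, ev):
        if not 400 <= ev["status"] < 500:
            return None  # transition assertion fails: not a client error
        net = ip_network(f"{ev['ip']}/24", strict=False)  # /24 granularity is an assumption
        inst = self.instances.get(net)
        if inst is None or (ev["time"] - inst["last"]).total_seconds() > self.timeout:
            inst = self.instances[net] = {"count": 0, "last": ev["time"]}
        inst["count"] += 1
        inst["last"] = ev["time"]
        n = inst["count"]
        # alert when the threshold is reached, then every alert_freq further failures
        if n == self.threshold or (n > self.threshold and (n - self.threshold) % self.alert_freq == 0):
            return f"{n} failed requests from {net}"
        return None


class CookieStealing:
    """Binds each session cookie to the first client IP that presents it; a
    later use from another address is the transition to the alarm state."""

    def __init__(self):
        self.owner = {}  # cookie -> ip

    def on_event(self, ev):
        cookie = ev["cookie"]
        if cookie in ("", "-"):
            return None
        first = self.owner.setdefault(cookie, ev["ip"])
        return None if first == ev["ip"] else f"cookie {cookie} bound to {first} reused from {ev['ip']}"


class PatternMatching:
    """Stateless scenario: the URL is compared with a list of attack regexes (assumed list)."""

    PATTERNS = [re.compile(p) for p in (r"\.\./", r"/etc/passwd", r"cmd\.exe", r"%00")]

    def on_event(self, ev):
        for p in self.PATTERNS:
            if p.search(ev["path"]):
                return f"request {ev['path']} from {ev['ip']} matches {p.pattern}"
        return None


def run(log_text, scenarios=None):
    """Feed every event to every scenario; return (scenario name, message) alerts in order."""
    scenarios = scenarios or [RepeatedFailedAccess(), CookieStealing(), PatternMatching()]
    alerts = []
    for ev in parse_log(log_text):
        for s in scenarios:
            msg = s.on_event(ev)
            if msg:
                alerts.append((type(s).__name__, msg))
    return alerts


if __name__ == "__main__":
    for name, msg in run(SAMPLE_LOG):
        print(f"[{name}] {msg}")
```

On the constructed log this raises exactly three alerts: the cookie SESSID=abc123 reused from 10.0.0.7, three client errors from 192.168.1.0/24 within seconds (the fourth, an hour and a half later, restarts the count rather than alerting), and the traversal pattern in the last request. The per-subnet counter is where the stateful design pays off: no single line in that log is suspicious on its own.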
WebSTAT scenarios (continued)
- Buffer Overflow: the presence of binary data in a request, or an extremely long request, is treated as an attempt to exploit a buffer overflow
- Network- and application-level buffer overflow detection: examine both the web server logs and the actual client requests seen on the network; if binary data is found at the network level and there is no matching entry in the server log, the attack is assumed to have succeeded (the server never logged the request)
- Document Root Escape: illicit access to a file outside the web server's document root; examine the web server log together with OS audit records to detect file system access violations

WebSTAT evaluation
- Web server: Pentium IV 1.8 GHz, RedHat 8.0, Apache
- Clients: Pentium IV 1.8 GHz, RedHat 8.0
- Network: Intel EtherExpress 10/100 Ethernet cards, 100BaseT full duplex, Cisco Catalyst 3500 XL switch
- Measurement: average throughput and response time of the web server with and without WebSTAT running on the server
- With WebSTAT: slightly lower throughput, no change in response time

Conclusions
- WebSTAT operates on multiple event streams
- Supports more effective detection of web-based attacks with a reduced number of false positives
- Stateful intrusion detection can run on high-performance web servers in real time

THANKS!
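The two multi-stream scenarios above (Buffer Overflow with network/application-level correlation, and Document Root Escape against OS audit records) are the part of WebSTAT a single-log IDS cannot reproduce. The following added example, my own Python and not code from the paper or from WebSTAT, shows the correlation logic on constructed inputs: raw requests as a sniffer would capture them, the (ip, path) pairs the server logged, and audit records already joined to the request that caused them. The 2048-byte request-line limit, the latin-1 decoding and the sample data are assumptions.

```python
import posixpath

DOC_ROOT = "/var/www/html"
MAX_REQUEST_LINE = 2048  # assumed threshold; the paper gives no number

# Constructed inputs (not from the paper): raw requests as a network sniffer
# would see them, keyed by client IP, and the (ip, path) pairs Apache logged.
NETWORK_REQUESTS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    ("10.0.0.8", b"GET /cgi-bin/" + b"A" * 3000 + b" HTTP/1.0\r\nHost: www\r\n\r\n"),
    ("10.0.0.9", b"GET /cgi-bin/x?" + bytes(range(0x80, 0xA0)) + b" HTTP/1.0\r\n\r\n"),
]
SERVER_LOG = {
    ("10.0.0.5", "/index.html"),
    ("10.0.0.8", "/cgi-bin/" + "A" * 3000),  # the long request was served and logged
}
# OS audit records joined with the request that caused them: (ip, url, file opened)
AUDIT_RECORDS = [
    ("10.0.0.5", "/index.html", "/var/www/html/index.html"),
    ("10.0.0.9", "/../../../etc/passwd", "/var/www/html/../../../etc/passwd"),
]


def has_binary(data: bytes) -> bool:
    """True if the bytes contain anything outside printable ASCII plus TAB/CR/LF."""
    return any(b >= 0x7F or (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) for b in data)


def buffer_overflow_suspect(raw: bytes) -> bool:
    """Scenario assertion: binary data or an extremely long request line.
    Only the request line and headers are inspected, so binary POST bodies
    (file uploads) do not trip the check."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line = head.split(b"\r\n", 1)[0]
    return has_binary(head) or len(request_line) > MAX_REQUEST_LINE


def request_path(raw: bytes) -> str:
    """Second token of the request line, decoded byte-for-byte (latin-1 is an assumption)."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    return parts[1].decode("latin-1") if len(parts) >= 2 else "<unparseable>"


def correlate(network_requests, server_log):
    """Network- and application-level correlation: a suspicious request seen on
    the wire but absent from the server log means the server never got to log
    it, which the paper treats as a successful attack."""
    findings = []
    for ip, raw in network_requests:
        if not buffer_overflow_suspect(raw):
            continue
        path = request_path(raw)
        if (ip, path) in server_log:
            findings.append((ip, path, "attempt (server logged the request)"))
        else:
            findings.append((ip, path, "likely successful (no matching log entry)"))
    return findings


def escapes_doc_root(opened_path: str, doc_root: str = DOC_ROOT) -> bool:
    """Lexical check that the file the server opened resolves inside doc_root.
    Normalisation defeats both '..' sequences and the '/var/www/html-secret'
    prefix trick; a production check would also resolve symlinks on the host."""
    root = posixpath.normpath(doc_root)
    target = posixpath.normpath(opened_path)
    return posixpath.commonpath([root, target]) != root


def check_audit(audit_records, doc_root: str = DOC_ROOT):
    """Document Root Escape scenario over joined web-log / OS-audit records."""
    return [
        (ip, url, posixpath.normpath(opened))
        for ip, url, opened in audit_records
        if escapes_doc_root(opened, doc_root)
    ]


if __name__ == "__main__":
    for f in correlate(NETWORK_REQUESTS, SERVER_LOG):
        print("buffer overflow:", f[0], f[2])
    for v in check_audit(AUDIT_RECORDS):
        print("doc root escape:", v)
```

The correlation step is what separates an attempt from a compromise: the 3000-byte request from 10.0.0.8 appears in the server log, so Apache survived it, while the binary request from 10.0.0.9 has no log entry at all. The document-root check deliberately compares normalised paths with commonpath rather than a string prefix, since "/var/www/html-secret" starts with the document root but is not inside it.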