Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Information Fusion By Ganesh Godavari Outline of Talk • Problem Definition – Attack Types • Correlation Solutions • OSSIM • Work Status Problem Definition • Fusion of Intrusion Detection Data from Various Sensors distributed over a geographic area. Attacks events are interval based (recall Degrading Denial of Service). • Note: Fusion is possible only if data can be correlated at both the sensor and intermediary nodes. Possible Attack Scenarios Syn Attack • Cause: vulnerability in some TCP/IP stack implementations. • How does it work: The program sends an TCP SYN packet in large number and never completing the TCP handshake. This causes a large backlog and deteriorates the performance of the machine. • Result: Systems performance may slowdown. Contd.. Ping Flood • Cause: vulnerability in some Operating Systems. • How does it work: An attacker can use a scanner that pings a system to find out more information about the network, or the attacker can use a tool to send a large number of pings in an attempt to "flood" the network and create a denial of service condition. • Result: Systems performance may slowdown. Contd.. UDP Flood Attack • Cause: Connectionless nature of UDP protocol • How does it work: Attacker sends a UDP packet to a random port on the victim system. On receiving a UDP packet, OS will determine which application is waiting on the destination port. If there is no application that is waiting on the port, an ICMP (destination unreachable) packet is generated of to the source address. • Result: Systems performance may slowdown. Correlation Techniques • Correlation of attacks – Similarities between the event attributes • E.g. srcIP, dstIP • Cannot detect non obvious attacks (need to check for temporal relationships!!) – Known attack Scenarios • E.g. “gesundheit!” signature of Stacheldraht DoS tool – Preconditions and consequences of individual attack • E.g. “port-scan is performed on a machine to check for venerable ports, before an attack is launched on the ports” Qualitative Temporal Relationships • Non obvious patterns among events can be represented using Temporal relationships between interval-based events. • Listed in the next side are the twenty-four relationships between intervals and 11 relationships between semi-intervals [1] [2][3] 24 relations between Events Relation Meaning e1 equal e2 Inverse Relation equal e1 before e2 after e1.end_time < e2.begin_time e1 meets e2 inv-meets e1.end_time == e2.begin_time e1 overlaps e2 inv-overlaps e1 during e2 inv-during e1.begin_time < e2.begin_time and e1.end_time < e2.end_time and e1.end_time > e2.begin_time e1.begin_time > e2.begin_time and e1.end_time < e2.end_time e1 starts e2 inv-starts e1 finishes e2 inv-finishes e1 older (than) e2 younger (than) e1.begin_time < e2.begin_time e1 head-to-head e2 e1 survives e2 e1 tail-to-tail e2 head-to-head survived-by tail-to-tail e1.begin_time == e2.begin_time e1.end_time < e2.end_time e1.end_time > e2.end_time e1 precedes e2 e1 contemporary e2 succeeds contemporary e1.end_time <= e2.begin_time e1.begin_time < e2.end_time and e2.begin_time < e1.end_time e1 born-before-death e2 die-after-birth e1.begin_time < e2.end_time e1.begin_time == e2.begin_time and e1.end_time == e2.end_time e1.begin_time == e2.begin_time and e1.end_time < e2.end_time e1.begin_time > e2.begin_time and e1.end_time == e2.end_time Open Source Security Information Management • OSSIM project Combines tools like – snort, Spade, Ntop, mrtg … – To provide a global picture of the IDS • Correlation – Sequence of events • Create rules: if (recv event A then event B then event C) do { Action } – Heuristic Algorithm • State variable – “c” – level of compromise, probability that the machine is compromised – “a” – level of attack the system is subjected to Correlation contd.. • A value is assigned to the C or A variable for a machine on the network according to three rules: – machine 1 attacks machine 2 will increase the A of machine 2 and the C of machine 1. – If Attack is successful then value of C will increase for machines 1 and 2. – If events are internal then C increases for the originating machine. Current Project Status • Created a test-bed of 3 machines. • Able to parse Snort Alerts. • Need to correlate/fuse the alerts generated during an hour before sending to the intermediary nodes. References • • • ALLEN, J. F. 1983. Maintaining Knowledge about Temporal Intervals. Commun. ACM, 26, 11: 832–843, November 1983. FREKSA, C. 1992. Temporal reasoning based on semi-intervals. Artifi. Intell. 54, 199– 227. PENG NING, SUSHIL JAJODIA and XIAOYANG SEAN WANG. 2001. Abstractionbased intrusion detection in distributed environments. ACM Trans. on Info. and System Security (TISSEC) 4, 407 – 452.