Intrusion Detection Systems - PowerPoint PPT Presentation

About This Presentation
Title:

Intrusion Detection Systems

Description:

FPGA compares a packet to all signatures simultaneously ... Design of an all-in-one network/security processor for mobile devices. Pkts. Pkts. Active Response ... – PowerPoint PPT presentation

Slides: 57
Provided by: fengmi5

Transcript and Presenter's Notes



1
Intrusion Detection Systems
  • CS 8803 Spring 03

2
Host-Based IDSs
  • Using OS auditing mechanisms
    • E.g., BSM on Solaris logs all direct or indirect
      events generated by a user
    • strace for system calls made by a program
  • Monitoring user activities
    • E.g., analyze shell commands
  • Monitoring executions of system programs
    • E.g., analyze system calls made by sendmail

3
Network IDSs
  • Deploying sensors at strategic locations
    • E.g., packet sniffing via tcpdump at routers
  • Inspecting network traffic
    • Watch for violations of protocols and unusual
      connection patterns
  • Monitoring user activities
    • Look into the data portions of the packets for
      malicious command sequences
  • May be easily defeated by encryption
    • Data portions and some header information can be
      encrypted
  • Other problems

4
Architecture of Network IDS
[Diagram: layered architecture, bottom to top]
  • Network → packet stream → libpcap
  • libpcap → filtered packet stream (selected by tcpdump filters) → Event Engine
  • Event Engine → event stream (under event control) → Policy Script Interpreter
  • Policy Script Interpreter (driven by the policy script) → alerts/notifications
5
Firewall Versus Network IDS
  • Firewall
    • Active filtering
    • Fail-close
  • Network IDS
    • Passive monitoring
    • Fail-open

[Diagram: the firewall (FW) sits in-line on the traffic path; the IDS observes the same traffic passively from the side.]
6
Requirements of Network IDS
  • High-speed, large volume monitoring
  • No packet filter drops
  • Real-time notification
  • Mechanism separate from policy
  • Extensible
  • Broad detection coverage
  • Economy in resource usage
  • Resilience to stress
  • Resilience to attacks upon the IDS itself!

7
Eluding Network IDS
  • What the IDS sees may not be what the end system
    gets.
  • Insertion and evasion attacks.
  • IDS needs to perform full reassembly of packets.
  • But there are still ambiguities in protocols and
    operating systems
    • E.g., TTL, fragments.
  • Need to normalize the packets.

8
Insertion Attack
[Diagram: the attacker's data stream carries the letters A, T, T, A, C, K plus an inserted X that the end system will reject. The IDS sees the full stream including X; the end system sees only A T T A C K.]
Examples: bad checksum, TTL.
9
Evasion Attack
[Diagram: the attacker's data stream A, T, T, A, C, K is sent as overlapping fragments. The IDS misses one of them and sees only A, T, T, C, K; the end system reassembles the full A T T A C K.]
Example: fragmentation overlap.
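The insertion problem of slides 7 and 8, as an added example that is not part of the slides: a sensor that reassembles everything it sees on the wire accepts bytes the end host will discard, so the signature never lines up, while a normalizing sensor that applies the host's own acceptance rules (checksum validity, TTL reaching the host) sees the same stream the host does. The segment layout, the ones'-complement checksum helper and the hop count are constructed for this example.

```python
# Added example, not from the slides: a model of the insertion problem and of
# the normalization the slides call for. Segment layout, the checksum routine
# (the IP/TCP ones'-complement sum) and the hop count are constructed/assumed.
from dataclasses import dataclass


def ones_complement_checksum(data: bytes) -> int:
    """16-bit ones'-complement sum as used by IP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Segment:
    seq: int
    payload: bytes
    checksum: int
    ttl: int


def segment(seq, payload, ttl=64, bad_checksum=False):
    """Build a segment; bad_checksum=True constructs the slide's 'bad checksum' case."""
    cs = ones_complement_checksum(payload)
    return Segment(seq, payload, cs ^ 0xFFFF if bad_checksum else cs, ttl)


HOPS_TO_HOST = 3   # constructed: routers between the sensor and the end host


def reassemble(segments, normalize=False, hops_to_host=HOPS_TO_HOST) -> bytes:
    """Rebuild the stream in sequence order.

    normalize=False: accept everything seen on the wire (naive sensor).
    normalize=True: drop what the end host will also drop, i.e. segments with
    a bad checksum or a TTL that expires before reaching the host.
    """
    kept = []
    for s in segments:
        if normalize:
            if ones_complement_checksum(s.payload) != s.checksum:
                continue                      # the host's TCP discards it
            if s.ttl <= hops_to_host:
                continue                      # expires in transit
        kept.append(s)
    # sorted() is stable, so equal sequence numbers keep wire order
    return b"".join(s.payload for s in sorted(kept, key=lambda s: s.seq))


# Constructed stream: "ATTACK" with two inserted "X" bytes that only the naive
# sensor accepts (the slide's bad-checksum and TTL examples).
STREAM = [
    segment(0, b"AT"),
    segment(2, b"T"),
    segment(3, b"X", bad_checksum=True),
    segment(3, b"A"),
    segment(4, b"X", ttl=HOPS_TO_HOST),
    segment(4, b"CK"),
]


def naive_view() -> bytes:
    """What a sensor that trusts every segment reconstructs."""
    return reassemble(STREAM)


def normalized_view() -> bytes:
    """What a normalizing sensor (and the end host) reconstructs."""
    return reassemble(STREAM, normalize=True)


def signature_hit(view: bytes) -> bool:
    """The signature the sensor is looking for, applied to a reassembled view."""
    return b"ATTACK" in view
```

The TTL rule only works when the sensor knows the hop count to the host, which is exactly the protocol and topology ambiguity slide 7 points at; the checksum rule has no such dependency and is the cheaper one to apply first.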
10
DoS Attacks on Network IDS
  • Resource exhaustion
  • CPU resources
  • Memory
  • Network bandwidth
  • Abusing reactive IDS
  • False positives
  • Nuisance attacks or error packets/connections

11
High Speed and High Fidelity Intrusion Detection
System
  • Wenke Lee (CoC), David Schimmel (ECE), and Didier
    Contis (ECE)

12
Problem Statement
  • Implement intrusion detection system (IDS) as an
    inherent and reliable network function
  • A high-speed, highly scalable, and high-fidelity
    IDS architecture
  • Integration of network security, QoS, fault
    tolerance and distributed collaboration
    mechanisms on the network interface card
  • Make possible the deployment of a security policy
    enforceable and secure
  • Defeat evasion and tampering

13
Solution Approach
  • Distributed network node IDS
  • IDS on end-host to unambiguously monitor traffic,
    share work load, and scale with network
  • IDS implemented on network processor to integrate
    with other network functions and allow the host
    to remain a productivity node
  • Layered and pipelined architecture
  • Optimize performance to handle high-speed traffic
  • Improve Bayesian detection rate

14
Layered Architecture
[Diagram: layered architecture, bottom to top]
  • Network → packet stream → libpcap
  • libpcap → filtered packet stream (selected by tcpdump filters) → Event Engine
  • Event Engine → event stream (under event control) → Detection Engine
  • Detection Engine (driven by the policy script) → alerts
15
Implementation on Intel IXP
[Diagram: Ethernet packets enter the IXP microengines (uEng), which perform filtering, IP fragmentation reassembly and port-scan detection, then match Snort rule headers (RTNs). TCP packets additionally pass through TCP stream reassembly and Telnet/HTTP decode; UDP/ICMP packets go straight on. Result vectors are handed to the StrongARM core, which matches the Snort rule options (OTNs) and emits alert messages.]
16
FPGA Based Pattern Matching
  • Pattern matching is slow in software, but fast in
    hardware
  • FPGA compares a packet to all signatures
    simultaneously
  • Current implementation using Virtex-1000
  • Capacity 200 Snort rules (2200 chars)
  • Performance exceeds that of high-end PC

[Diagram: input packets from the IXP are fed to all pattern comparators at once. Rule 1 has Pattern 1 and Pattern 2; their per-pattern match bits Match_R1_P1 and Match_R1_P2 are ANDed into Match_R1. Rule 2 has Pattern 1, giving Match_R2. Example patterns shown: HACKER, WORM, ROOT. For the pictured packet R1 = 0 and R2 = 1. The match vector (R1, R2, ..., Rn) is returned to the IXP after each packet.]
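A software model of the comparator-and-AND structure in the diagram above, added here as an example and not the authors' FPGA design: every comparator watches the same byte-wide window as the packet is clocked through, per-pattern flags latch on first hit, and each rule bit is the AND of its pattern flags. The rule set and packets are constructed; the capacity helper only counts pattern characters against the slide's stated figure.

```python
# Added example, not the authors' FPGA design: a software model of the slide's
# per-pattern comparators and per-rule AND gate. Rules and packets are constructed.
RULES = {                      # rule -> patterns that must ALL appear (ANDed)
    "R1": [b"HACKER", b"WORM"],
    "R2": [b"ROOT"],
}


def rule_capacity(rules=RULES) -> int:
    """Comparator characters the rule set consumes; the slide's Virtex-1000
    build holds roughly 2200 chars for 200 Snort rules."""
    return sum(len(p) for pats in rules.values() for p in pats)


def match_vector(packet: bytes, rules=RULES) -> dict:
    """One clock per payload byte; all comparators inspect the same shifting
    window, so every signature is compared to the packet 'simultaneously'.
    Per-pattern flags latch on the first hit; the rule bit is their AND, and
    everything resets for the next packet."""
    flags = {(r, p): 0 for r, pats in rules.items() for p in pats}
    longest = max(len(p) for pats in rules.values() for p in pats)
    window = b""
    for byte in packet:
        window = (window + bytes([byte]))[-longest:]   # shift register stage
        for (r, p) in flags:
            if flags[(r, p)] == 0 and window.endswith(p):
                flags[(r, p)] = 1
    return {r: int(all(flags[(r, p)] for p in pats)) for r, pats in rules.items()}
```

The AND is what makes a multi-content Snort rule fire only when all of its patterns are present; a rule with a single pattern (R2) reduces to its one comparator flag.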
17
Implication of Results
  • IDS can be implemented on network processor/card
  • Integrated IDS on NIC is more tamper resistant
    because it does not depend on the host operating
    system
  • Integration of IDS and firewall functions on NIC
    provides better basis for a security policy
    deployment
  • Implementation of active response mechanisms
    (traffic rate limiting, attack blocking )
  • Design of an all-in-one network/security
    processor for mobile devices

18
Intrusion Detection Systems (II)
  • CS 8803 Spring 03

19
STAT/USTAT
  • State transition analysis a rule-based intrusion
    detection approach
  • USTAT for Unix real-time intrusion detection
  • Misuse detection
  • Modeling intrusion signature
    • Initial state: the state of the system prior to
      execution of the attack
    • Compromised state: the state of the system
      resulting from the completion of the attack
    • Intermediate states and transitions: attack steps

20
An Example
user: ln <file> -<any string>;  user: -<any string>;  root
[State diagram: S1 --(User Create File1)--> S2 --(User Execute File1)--> S3]
  • S1 assertions: 1. File Set 1 != empty  2. Files are suid
    privileged
  • S2 assertions: 1. name(File1)  2. typeof(File1) = link
    3. owner(link_to(File1)) != user  4. name(link_to(File1))
    exists_in File Set 1
  • S3 assertion: 1. access(user, euid) = root
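The state-transition signature above, run as a small engine over an audit trail, added here as an example and not USTAT's code. The audit-record format, the predicate names and the file inventory are constructed; "File Set 1" is modelled as the set of suid-privileged files, and the assertions are checked against a system model that is updated from each record before the signature steps.

```python
# Added example, not USTAT's implementation: a minimal state-transition engine
# for the slide's scenario. Audit-record format, predicates and the file
# inventory are constructed; File Set 1 = the suid-privileged files.
from dataclasses import dataclass
from typing import Optional


@dataclass
class FileObj:
    name: str
    owner: str
    suid: bool = False
    link_to: Optional[str] = None    # set when the object is a link


@dataclass
class SystemModel:
    files: dict     # name -> FileObj, the monitored file-system view
    euid: dict      # user -> effective uid after the user's last execution

    def apply(self, rec):
        """Update the model from one audit record (constructed format)."""
        if rec["action"] == "create":
            self.files[rec["file"]] = FileObj(rec["file"], rec["user"],
                                              link_to=rec.get("link_to"))
        elif rec["action"] == "execute":
            self.euid[rec["user"]] = rec["euid_after"]

    def file_set_1(self):
        return {f.name for f in self.files.values() if f.suid}


class LinkToSuidSignature:
    """S1 -(User Create File1)-> S2 -(User Execute File1)-> S3."""

    def __init__(self):
        self.state, self.user, self.file1 = "S1", None, None

    def step(self, rec, model):
        if self.state == "S1":
            # S1 assertions: File Set 1 is not empty and holds suid files
            if not model.file_set_1():
                return self.state
            if rec["action"] == "create":
                f = model.files[rec["file"]]
                target = model.files.get(f.link_to) if f.link_to else None
                # S2 assertions: File1 is a link, its target is not owned by
                # the user, and the target's name is in File Set 1
                if target and target.owner != rec["user"] \
                        and target.name in model.file_set_1():
                    self.user, self.file1, self.state = rec["user"], rec["file"], "S2"
        elif self.state == "S2":
            if rec["action"] == "execute" and rec["user"] == self.user \
                    and rec["file"] == self.file1:
                # S3 assertion: access(user, euid) = root
                if model.euid.get(self.user) == "root":
                    self.state = "S3"
        return self.state


def scan(records, files):
    """Run the signature over an audit trail; return the state reached."""
    model = SystemModel(files=dict(files), euid={})
    sig = LinkToSuidSignature()
    for rec in records:
        model.apply(rec)
        if sig.step(rec, model) == "S3":
            return "S3"          # compromised state reached: raise the alert
    return sig.state


# Constructed inventory and audit trails.
SUID_FILES = {"/usr/bin/suidscript": FileObj("/usr/bin/suidscript", "root", suid=True)}
ATTACK_TRACE = [
    {"user": "mallory", "action": "create", "file": "-i", "link_to": "/usr/bin/suidscript"},
    {"user": "mallory", "action": "execute", "file": "-i", "euid_after": "root"},
]
HALF_TRACE = [
    {"user": "mallory", "action": "create", "file": "-i", "link_to": "/usr/bin/suidscript"},
    {"user": "mallory", "action": "execute", "file": "-i", "euid_after": "mallory"},
]
BENIGN_TRACE = [
    {"user": "alice", "action": "create", "file": "notes.txt"},
    {"user": "alice", "action": "execute", "file": "notes.txt", "euid_after": "alice"},
]
```

The point of the state machine is that the alert is tied to reaching the compromised state, not to any single record: the link creation alone leaves the signature parked in S2, and a benign trace never leaves S1.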
21
A Sense of Self - Immunology Approach
  • Prof. Forrest at University of New Mexico
  • Anomaly detection
  • Simple and short sequences of events to
    distinguish self from non-self
  • Currently looking at system calls (strace)
  • Apply to detection of lpr and sendmail

22
Some Details
  • Anomaly detection for Unix processes
  • Short sequences of system calls as normal
    profile (Forrest et al. UNM)

Example trace: ..., open, read, mmap, mmap, open, getrlimit, mmap, close, ...
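The "sense of self" profile of slides 21 and 22 as working code, added here as an example and not Forrest's implementation: the normal profile is the set of short system-call sequences seen in normal runs, and a new trace is scored by the fraction of its sequences that are absent from that set. The traces are constructed in the spirit of the slide's open/read/mmap line.

```python
# Added example, not Forrest's code: the "sense of self" profile as a set of
# short system-call sequences. Traces are constructed.
def sequences(trace, k):
    """All length-k windows of a call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(normal_traces, k=3):
    """Normal profile: every length-k sequence observed during normal runs."""
    profile = set()
    for t in normal_traces:
        profile.update(sequences(t, k))
    return profile


def mismatch_rate(profile, trace, k=3):
    """Fraction of the trace's length-k sequences absent from the profile."""
    grams = sequences(trace, k)
    if not grams:
        return 0.0
    return sum(g not in profile for g in grams) / len(grams)


NORMAL_TRACES = [   # constructed normal runs of one program
    ["open", "read", "mmap", "mmap", "open", "getrlimit", "mmap", "close"],
    ["open", "read", "mmap", "close", "open", "read", "mmap", "close"],
    ["open", "getrlimit", "mmap", "read", "close"],
]
PROFILE = build_profile(NORMAL_TRACES)


def is_anomalous(trace, threshold=0.2):
    """Flag a trace whose mismatch rate exceeds the threshold (assumed value)."""
    return mismatch_rate(PROFILE, trace) > threshold
```

A trace that recombines already-seen sequences scores 0 even if it is not verbatim in the training set, which is what keeps the false-alarm rate down; a trace with calls the program never makes in that order scores high however short the novel stretch is.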
23
Problems with Current IDSs
  • Knowledge and signature-based
    • We have the largest knowledge/signature base
    • Ineffective against new attacks
  • Individual attack-based
    • Intrusion A detected, intrusion B detected, ...
    • No long-term proactive detection/prediction
  • Statistical accuracy-based
    • x% detection rate and y% false alarm rate
    • Are the most damaging intrusions detected?
  • Statically configured.

24
Next Generation IDSs
  • Adaptive
  • Detect new intrusions
  • Scenario-based
  • Correlate (multiple sources of) audit data and
    attack information
  • Cost-sensitive
  • Model cost factors related to intrusion detection
  • Dynamically configure IDS components for best
    protection/cost performance

25
Adaptive IDSs
[Diagram: an ID Modeling Engine supplies models to several IDSs; anomaly detection feeds back into semi-automatic model generation.]
26
Semi-automatic Generation of ID Models
[Diagram: raw audit data → packets/events (ASCII) → connection/session records → data mining → patterns → features → learning → models]
27
ID as a Classification Problem
  • Use features with high information gain
  • Information gain = reduction in entropy
  • Lower entropy = purer (class distribution)
28
The Feature Construction Problem
How? Use temporal and statistical patterns, e.g.,
a lot of S0 connections to same service/host
within a short time window
29
Mining Patterns
  • Associations of features
    • e.g. (service = http, flag = S0)
    • Basic algorithm: association rules
  • Sequential patterns in activity records
    • e.g. (service = http, flag = S0), (service = http,
      flag = S0) → (service = http, flag = S0) [0.8, 2s]
    • Basic algorithm: frequent episodes

30
Feature Construction from Patterns
31
Feature Construction Example
  • An example syn flood pattern (dst_host is the
    reference attribute)
    • (flag = S0, service = http), (flag = S0, service =
      http) → (flag = S0, service = http) [0.6, 2s]
  • Add features
    • count the connections to the same dst_host in the
      past 2 seconds, and among these connections,
    • the percentage with the same service,
    • the percentage with S0
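The three window features above derived from connection records, added here as an example and not the authors' feature constructor. The records are constructed (a burst of half-open connections to one host followed by a normal connection); a real run would use DARPA/KDD-style connection records with the same fields.

```python
# Added example, not the authors' code: deriving the slide's "same dst_host in
# the past 2 seconds" features from connection records. Records are constructed.
def time_window_features(records, window=2.0):
    """Return records with count, same_srv_rate and s0_rate added.

    Records must carry ts (seconds), dst_host, service and flag.
    count         = connections to the same dst_host in the past `window` s
    same_srv_rate = fraction of those with the same service as this one
    s0_rate       = fraction of those with flag S0 (half-open)
    """
    history = {}    # dst_host -> connections still inside the window
    out = []
    for r in sorted(records, key=lambda r: r["ts"]):
        recent = [h for h in history.get(r["dst_host"], []) if r["ts"] - h["ts"] <= window]
        recent.append(r)
        history[r["dst_host"]] = recent
        count = len(recent)
        out.append({**r,
                    "count": count,
                    "same_srv_rate": sum(h["service"] == r["service"] for h in recent) / count,
                    "s0_rate": sum(h["flag"] == "S0" for h in recent) / count})
    return out


def syn_flood_candidates(features, min_count=4, min_s0_rate=0.8):
    """Records whose window features fit the mined pattern: many S0 half-opens
    to one host in a short window (thresholds are assumed values)."""
    return [f for f in features if f["count"] >= min_count and f["s0_rate"] >= min_s0_rate]


RECORDS = [   # constructed: a syn-flood burst at host A, then normal traffic
    {"ts": 0.0, "dst_host": "A", "service": "http", "flag": "S0"},
    {"ts": 0.3, "dst_host": "A", "service": "http", "flag": "S0"},
    {"ts": 0.6, "dst_host": "A", "service": "http", "flag": "S0"},
    {"ts": 0.9, "dst_host": "A", "service": "http", "flag": "S0"},
    {"ts": 1.2, "dst_host": "A", "service": "smtp", "flag": "S0"},
    {"ts": 1.5, "dst_host": "B", "service": "http", "flag": "SF"},
    {"ts": 10.0, "dst_host": "A", "service": "http", "flag": "SF"},
]
```

Note that the features are "cost level 3" in the deck's later terminology: they need multiple events in a time window, so a sensor computing them per connection has to keep the recent history per destination host rather than look at the current record alone.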

32
The Nuggets
  • Feature extraction and construction
  • The key to producing effective ID models
  • Better pay-off than just applying another model
    learning algorithm
  • How to semi-automate the feature discovery
    process (by incorporating domain knowledge)?

33
Feature Construction an Example
  • Search through the feature space through
    iterations, at each iteration
  • Use different heuristics to compute patterns
    (e.g., per-host service patterns) and construct
    features accordingly
  • Limitations
  • Connection level only
  • Within-connection contents are not structured,
    and much more challenging!

34
The Nuggets (continued)
  • Efficiency
  • Training
  • Huge amount of audit data
  • Sampling?
  • Always retrain from scratch or incrementally?
  • Execution of output model in real-time
  • Consider feature cost (time)
  • Trade-off of cost vs. accuracy

35
Cost-sensitive Modeling an Example
  • A multiple-model approach
  • Build multiple rule-sets, each with features of
    different cost levels
  • Use cheaper rule-sets first, costlier ones later
    only for required accuracy.
  • 3 cost levels for features
    • Level 1: beginning of an event, cost 1
    • Level 2: middle to end of an event, cost 10
    • Level 3: multiple events in a time window, cost
      100.

36
The Nuggets (continued)
  • Anomaly detection
  • What is a general approach?
  • Taxonomy and specialized algorithm for each type?
  • Theoretical foundations?

37
An Anomaly Detection Approach
  • Hypothesis
  • Regularity of normal data for model construction
  • Predictability of (future) activity
  • Use information-theoretic measures
  • Entropy and conditional entropy
  • Regularity measure of normal data
  • The lower the entropy the more accurate the
    anomaly detection model on normal data (lower
    false alarm rate)
  • Also (hope/conjecture), the more obvious
    intrusion activities will show distinct evidence
    (higher detection rate)
  • Following work by Maxion and Tan (2000)
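The information-theoretic measures of slide 27 (information gain for feature selection) and slide 37 (entropy and conditional entropy as a regularity measure of normal data), carried through as an added example that is not the authors' code. The connection records and call traces are constructed; the conditional entropy here is computed over sliding windows of length k, which is one reasonable reading of "predictability of future activity" and is stated as an assumption.

```python
# Added example, not the authors' code: entropy, conditional entropy over
# sliding windows, and information gain. All data below is constructed.
import math
from collections import Counter


def entropy(symbols):
    """H(X) in bits over a list of symbols."""
    counts, n = Counter(symbols), len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def conditional_entropy(trace, k=2):
    """H(X_k | X_1..X_{k-1}) over length-k windows: bits of surprise in the
    next call given the previous k-1 calls. 0 means perfectly regular."""
    grams = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    joint, n = Counter(grams), len(grams)
    prefix = Counter(g[:-1] for g in grams)
    return -sum(c / n * math.log2(c / prefix[g[:-1]]) for g, c in joint.items())


def information_gain(records, feature, label="label"):
    """Entropy of the class label minus its entropy after splitting on `feature`."""
    base = entropy([r[label] for r in records])
    groups = {}
    for r in records:
        groups.setdefault(r[feature], []).append(r[label])
    n = len(records)
    return base - sum(len(g) / n * entropy(g) for g in groups.values())


RECORDS = [   # constructed connection records with their class label
    {"flag": "S0", "service": "http", "label": "attack"},
    {"flag": "S0", "service": "http", "label": "attack"},
    {"flag": "S0", "service": "smtp", "label": "attack"},
    {"flag": "S0", "service": "http", "label": "attack"},
    {"flag": "SF", "service": "http", "label": "normal"},
    {"flag": "SF", "service": "smtp", "label": "normal"},
    {"flag": "SF", "service": "http", "label": "normal"},
    {"flag": "SF", "service": "ftp", "label": "normal"},
]

PERIODIC_TRACE = ["open", "read", "close"] * 4          # constructed, fully regular
IRREGULAR_TRACE = ["open", "read", "open", "close", "read",
                   "close", "open", "read", "close", "open"]   # constructed
```

In the constructed records `flag` separates the classes completely, so its information gain equals the label entropy (1 bit), while `service` barely reduces it; that is the ranking a feature-selection step would use. The two traces show the regularity side: the periodic trace has conditional entropy 0, so a model built on it predicts the next call perfectly, whereas the irregular one leaves residual uncertainty that will surface as false alarms.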

38
A Multiple Model Cost-Sensitive Approach for
Intrusion Detection
  • Wei Fan, Wenke Lee, Sal Stolfo, Matt Miller
  • Computer Science Department,
  • Columbia University

39
Performance Metrics Expected Value
  • For each attack Aij, the corresponding data
    preprocessing tasks and detection rule Rij
    provides the expected value
  • Default configuration P that attempts to cover
    all attacks

40
The Need for Cost-Sensitive IDSs
  • Real-time IDS passive monitoring
  • Must keep up with the throughput of data streams
  • Subject to overload attack
  • Response team can be overwhelmed.
  • Constraints on time and resources
  • Accuracy not the only consideration
  • Limited resources for the more damaging attacks.
  • A cost-sensitive IDS
  • Costs less than the expected loss from
    intrusions
  • Considers the trade-off among all cost factors.

41
Cost Factors of IDSs
  • Development cost
  • Damage cost (DCost)
  • The amount of damage when ID is not available or
    ineffective.
  • Response cost (RCost)
  • The cost of acting upon an alarm of potential
    intrusion.
  • Operational cost (OpCost)
  • The cost of processing audit data and analyzing
    the activities
  • Mainly the computational costs of the features.

42
Cost Models of IDSs
  • The total cost of an IDS over a set of events
  • CumulativeCost(E) = Σ_{e∈E} (CCost(e) + OpCost(e))
  • CCost(e), the consequential cost, depends on
    prediction on event e

43
Consequential Cost (CCost)
  • For event e

44
Cost-sensitive Modeling Objectives
  • Reducing operational costs
  • Use cheap features in ID models.
  • Reducing consequential costs
  • Do not respond to an intrusion if RCost > DCost.

45
Cost-sensitive Modeling Approaches
  • Reducing operational costs
  • A multiple-model approach
  • Build multiple rule-sets, each with features of
    different cost levels
  • Use cheaper rule-sets first, costlier ones later
    only for required accuracy.
  • Feature-Cost-Sensitive Rule Induction
  • Search heuristic considers information gain AND
    feature cost.

46
Cost-sensitive Modeling Approaches (continued)
  • Reducing consequential costs
  • MetaCost
  • Purposely re-label intrusions with RCost > DCost
    as normal.
  • Post-Detection decision
  • Action depends on comparison of RCost and DCost.

47
A Multiple Model Approach Details
  • 3 cost levels for features
    • Level 1: beginning of an event
      • Cost 1 or 5.
    • Level 2: middle to end of an event
      • Cost 10.
    • Level 3: multiple events in a time window
      • Cost 100.

48
A Multiple Model Approach Details (continued)
  • Ordering of a rule-set
  • Ordered rule-set
    • if rule1 then class1 elseif ... else classn
    • Succinct rules, sequential checking
    • Order classes by +/- frequency
    • + frequency (most frequent class first) is more
      efficient: normal is the most frequent
  • Unordered rule-set
    • if rule1 then class1; ...; if rulen then classn
    • Less efficient but more accurate rules; parallel
      rule checking.

49
A Multiple Model Approach Details (continued)
  • 4 rule-sets with different feature cost levels
    • R1: cost-1 features; R2: cost 1 and 5; R3: cost
      1, 5, and 10; R4: cost 1, 5, 10, and 100
    • R1-3: unordered rule-sets; R4: ordered
  • p_r: the precision of each rule r in R1-3
  • t_c: the precision threshold for each class c.

50
Execution of Multiple Models
[Flowchart: start with i = 1. Compute features in R_i → evaluate R_i → predict c. If i = 4: final. Else if p_r ≥ t_c: final. Else i = i + 1 and repeat.]
51
Experiments
  • Data
  • 1998 DARPA Intrusion Detection Evaluation
    data-set
  • Collected by MIT Lincoln Lab
  • Processed connection records (with features) used
    for 1999 KDD Cup.
  • 80% for training, 20% for testing and measuring.

52
Experiments (continued)
  • Measurements
  • OpCost
  • total cost of all unique features used until
    final
  • average per class and per connection
  • CCost
  • sum over the test data-set
    • rdc = (maximal − CCost) / (maximal − minimal)
    • Maximal: always predicting normal (ID not
      available)
    • Minimal: 100% prediction accuracy and respond to
      an intrusion only when DCost ≥ RCost.
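The multiple-model execution loop of slide 50 together with the cost accounting of slides 42-46 and the rdc measure of slide 52, run end to end as an added example that is not the authors' code. Feature costs, rules, rule precisions, class thresholds, DCost/RCost and the test records are all constructed. Slide 43 (the CCost cases) is blank on the page, so the consequential-cost cases below are an assumed simplification: a correctly detected intrusion costs RCost when the decision module responds and DCost when it does not, a missed or misclassified intrusion costs DCost of the true class, and a false alarm costs RCost of the predicted class when responded to.

```python
# Added example, not the authors' code: the slide-50 loop plus cost accounting.
# Feature costs, rules, precisions, thresholds, DCost/RCost, records and the
# CCost cases are constructed/assumed.
FEATURE_COST = {"service": 1, "flag": 5, "src_bytes": 10, "count": 100}

# Rules are (predicate, class, precision p_r). R1-R3 are unordered: every rule
# is checked and the most precise match wins. R4 is ordered: first match wins.
RULESETS = [
    {"features": {"service"}, "ordered": False,
     "rules": [(lambda r: r["service"] == "smtp", "normal", 0.7),
               (lambda r: r["service"] == "http", "normal", 0.5)]},
    {"features": {"service", "flag"}, "ordered": False,
     "rules": [(lambda r: r["flag"] == "SF", "normal", 0.95),
               (lambda r: r["flag"] == "S0", "dos", 0.6)]},
    {"features": {"service", "flag", "src_bytes"}, "ordered": False,
     "rules": [(lambda r: r["flag"] == "S0" and r["src_bytes"] == 0, "dos", 0.85),
               (lambda r: r["src_bytes"] > 10000, "probe", 0.5)]},
    {"features": {"service", "flag", "src_bytes", "count"}, "ordered": True,
     "rules": [(lambda r: r["count"] > 100, "dos", 0.99),
               (lambda r: r["flag"] == "S0", "probe", 0.7),
               (lambda r: True, "normal", 0.9)]},
]
THRESHOLD = {"normal": 0.9, "dos": 0.8, "probe": 0.8}   # t_c per class
DCOST = {"normal": 0, "dos": 20, "probe": 2}            # damage cost
RCOST = {"normal": 0, "dos": 10, "probe": 5}            # response cost


def evaluate(ruleset, record):
    """Predict (class, precision) with one rule-set; no match = normal at p=0."""
    matches = [(cls, p) for cond, cls, p in ruleset["rules"] if cond(record)]
    if not matches:
        return "normal", 0.0
    return matches[0] if ruleset["ordered"] else max(matches, key=lambda m: m[1])


def predict(record):
    """Slide 50: compute R_i's features, evaluate, stop when p_r >= t_c or i = 4.
    Returns (class, OpCost) where OpCost counts each feature once."""
    computed, op_cost = set(), 0
    for i, rs in enumerate(RULESETS, start=1):
        for f in rs["features"] - computed:
            op_cost += FEATURE_COST[f]
        computed |= rs["features"]
        cls, p = evaluate(rs, record)
        if i == len(RULESETS) or p >= THRESHOLD[cls]:
            return cls, op_cost


def respond(cls):
    """Post-detection decision: act only when DCost >= RCost."""
    return cls != "normal" and DCOST[cls] >= RCOST[cls]


def ccost(predicted, actual):
    """Assumed simplification of the consequential-cost cases."""
    if actual == "normal":
        return RCOST[predicted] if respond(predicted) else 0   # false alarm
    if predicted == actual:
        return RCOST[actual] if respond(actual) else DCOST[actual]
    return DCOST[actual]          # missed or misclassified: damage is done


def cumulative_cost(records):
    """(total CCost, total OpCost) over the record set, per slide 42."""
    total_cc = total_op = 0
    for r in records:
        cls, op = predict(r)
        total_cc += ccost(cls, r["label"])
        total_op += op
    return total_cc, total_op


def rdc(records):
    """Slide 52: (maximal - CCost) / (maximal - minimal)."""
    cc, _ = cumulative_cost(records)
    maximal = sum(DCOST[r["label"]] for r in records)     # always predict normal
    minimal = sum(min(DCOST[r["label"]], RCOST[r["label"]])
                  for r in records if r["label"] != "normal")
    return (maximal - cc) / (maximal - minimal)


def opcost_reduction(records):
    """Slide 53's rdc for OpCost: (single - multiple) / single, where the
    single model always computes every feature."""
    single = sum(FEATURE_COST.values()) * len(records)
    return (single - cumulative_cost(records)[1]) / single


RECORDS = [   # constructed labelled connection records
    {"service": "smtp", "flag": "SF", "src_bytes": 300, "count": 1, "label": "normal"},
    {"service": "http", "flag": "S0", "src_bytes": 0, "count": 150, "label": "dos"},
    {"service": "http", "flag": "S0", "src_bytes": 0, "count": 3, "label": "probe"},
    {"service": "http", "flag": "SF", "src_bytes": 20000, "count": 2, "label": "probe"},
    {"service": "ftp", "flag": "S0", "src_bytes": 0, "count": 200, "label": "dos"},
    {"service": "http", "flag": "S0", "src_bytes": 0, "count": 1, "label": "normal"},
]
```

On the constructed records the loop never reaches R4, so the cost-100 feature is never computed and OpCost drops by about 89% against a single model that always computes everything; the decision module declines to respond to probes because their RCost exceeds their DCost, which is the slide-44 rule in action.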

53
Latest Results
  • OpCost
  • Compare the multiple-model approach with
    single-model approach
    • rdc = (single − multiple) / single
    • range: 57% to 79%.

54
Latest Results (continued)
  • CCost using a post-detection cost-sensitive
    decision module
    • rdc range: 75% to 95%
    • Compared with single model: slightly better rdc
    • Compared with cost-insensitive models: 25% higher
      rdc.

55
Conclusion
  • Cost-Sensitive analysis and modeling for ID is
    important.
  • Machine learning techniques can be applied.
  • Our multiple model approach achieves significant
    reduction in operational cost.
  • Our cost-sensitive decision module achieves much
    higher reduction in consequential cost.

56
Limitations and Future Work
  • Assume a given/fixed cost metrics
  • Cost measurements are updated whenever the
    environments/policies change
  • Will study how to build cost-sensitive models
    that use run-time cost metrics.
  • Cost analysis is often imprecise and incomplete
  • Will study how to incorporate uncertainty in
    cost-sensitive modeling
  • Especially for anomaly detection the nature of
    the anomaly/intrusion is not clear.