Behavior-based Computer Security, Sal Stolfo, Columbia University (PowerPoint presentation transcript)
1
Behavior-based Computer Security
Sal Stolfo, Columbia University
  • March 7, 2005
  • US Treasury/NSF WRFIS

2
Current Paradigm: Prevent/Detect the Enemy
attempting to get in, but the Insider?
  • Vulnerability-free software
  • Firewalls
  • Authentication (passwords, biometrics)
  • VPNs
  • Crypto
  • Intrusion Detection (IDS)

3
You are only hurt by the ones you trust (80% of
the time)
4
Background Research Topics since 1996
  • Machine Learning/KDD
  • Application to Fraud, IDS, etc.
  • Meta-learning algorithms
  • Cost-sensitive ML algorithms
  • Correlation of multiple sensors
  • Anomaly Detection Algorithms (Holy Grail)
  • Architectures/systems for Distributed ML applied
    to Fraud (transactions) - JAM
  • Architecture/systems for DM-based IDS
  • Plug and play DM workbench
  • Behavior-based Security (e.g., MET)

5
Paradigm Shift in Computer Security:
IDS -> Behavior-based Computer Security
6
[Diagram: data mining-based IDS architecture]
Inputs: Internet, user activity, host activity, local network activity,
system activity; audit data feeds both a Data Warehouse (offline) and
Real-time attack recognition (online).
Offline (Data Mining / Machine Learning):
  • Step 1: Log system behavior in data warehouse
  • Step 2: Mine data offline
  • Step 3: Produce predictive detection model (Model Evaluation with the Analyst)
  • Step 4A: Integrate new model with existing IDS
  • Step 4B: Produce new signature models (Knowledge Base of Signatures)
Online:
  • Step 5: Detect new attacks with enhanced IDS
Outputs: Alert on known attacks (signatures); Alert on new attacks
(Predictive Detection Model)
7
[Figure-only slide; the only recoverable text is two labels reading "CA"]
8
Adaptive Model Generation
Adaptive Learning: creation of models representing expected behavior,
reflecting each subject's unique characteristics and its changes over time.
Automated Detection: identification of exceptions to that expected behavior
and recognition of patterns in behavior.
Core technologies deliver a unique capability to identify errant and
unexpected behavior in key applications and processes.
9
Email Misuse and Stealthy Surveillance
  • Malicious Email Tracking (MET)
    • An online tool for detecting new viruses, spam and misuse
    • Behavior-based detection of abnormal traffic
  • Email Mining Toolkit
    • Forensic analysis of email logs for profile and model generation
    • Comparison of profiles/models
    • Detect malicious users/groups and aliases
  • Surveillance Detector
    • Orders of magnitude improvement over COTS IDS scan/probe detection

Funded by DARPA, NSF, others
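The following is an added example written for this transcript; it is not code from the slides nor from Columbia's Malicious Email Tracking or Email Mining Toolkit. It follows the pipeline of slides 6, 8 and 9: log outbound mail per user (step 1), mine the log offline into a per-sender profile (steps 2-3), score each new one-hour window against the profile online (step 5), and fold windows judged normal back into the profile so it tracks change over time (slide 8). The log lines, addresses, one-hour window, the mean + 3 sigma rate rule and the "more than half the recipients are new" rule are all constructed or assumed for the example.

```python
"""Behavior-based e-mail misuse detection (added example, not the original tools).
All log data, addresses and thresholds below are constructed/assumed."""
import statistics
from collections import defaultdict

# Constructed training log: "<hour> <sender> <recipient>", one line per
# outbound message.  Hours are plain integers standing in for timestamps.
TRAINING_LOG = """\
0 alice@corp.example bob@corp.example
0 alice@corp.example carol@corp.example
1 alice@corp.example bob@corp.example
2 alice@corp.example dave@corp.example
2 alice@corp.example bob@corp.example
3 alice@corp.example carol@corp.example
4 alice@corp.example bob@corp.example
4 alice@corp.example erin@corp.example
5 alice@corp.example bob@corp.example
"""


def parse_log(text):
    """Step 1: turn log lines into (hour, sender, recipient) events."""
    events = []
    for line in text.splitlines():
        if line.strip():
            hour, sender, rcpt = line.split()
            events.append((int(hour), sender, rcpt))
    return events


def hourly_windows(events):
    """Group events into (sender, hour) -> list of recipients mailed that hour."""
    win = defaultdict(list)
    for hour, sender, rcpt in events:
        win[(sender, hour)].append(rcpt)
    return win


class SenderProfile:
    """Expected behavior of one sender: messages per active hour and the
    set of recipients mailed before."""

    def __init__(self, sender):
        self.sender = sender
        self.counts = []      # messages in each active hour absorbed so far
        self.known = set()    # recipients seen in absorbed windows

    def absorb(self, rcpts):
        """Adaptive update: extend the profile with a window judged normal."""
        self.counts.append(len(rcpts))
        self.known.update(rcpts)

    def rate_limit(self):
        """Messages per hour above which the sender is out of profile: mean + 3 sigma,
        with an absolute floor of +2 so a very regular history does not flag a
        single extra message (the floor is an assumption of this example)."""
        mean = statistics.fmean(self.counts)
        std = statistics.pstdev(self.counts) if len(self.counts) > 1 else 0.0
        return mean + max(3 * std, 2.0)

    def score(self, rcpts):
        """Return (anomalous?, reason) for one hour of this sender's mail."""
        n, distinct = len(rcpts), set(rcpts)
        new = distinct - self.known
        limit = self.rate_limit()
        if n > limit:
            return True, f"{n} messages in one hour exceeds profile limit {limit:.1f}"
        # A modest burst to mostly never-seen addresses is what a mass-mailer
        # harvesting an address book looks like even when the raw count is low.
        if len(distinct) >= 3 and len(new) / len(distinct) > 0.5:
            return True, f"{len(new)} of {len(distinct)} recipients never mailed before"
        return False, "within profile"


def build_profiles(log_text):
    """Steps 2-3: mine the log offline into one profile per sender."""
    profiles = {}
    for (sender, _hour), rcpts in sorted(hourly_windows(parse_log(log_text)).items()):
        profiles.setdefault(sender, SenderProfile(sender)).absorb(rcpts)
    return profiles


def check_window(profile, rcpts):
    """Step 5: score a new hour online.  Normal windows update the profile;
    flagged ones do not, so a burst cannot teach the model that bursts are normal."""
    flagged, reason = profile.score(rcpts)
    if not flagged:
        profile.absorb(rcpts)
    return flagged, reason


if __name__ == "__main__":
    alice = build_profiles(TRAINING_LOG)["alice@corp.example"]
    for rcpts in (
        ["bob@corp.example", "frank@corp.example"],                       # one new contact, usual volume
        ["bob@corp.example", "new1@corp.example", "new2@corp.example"],   # mostly unknown recipients
        [f"victim{i}@other.example" for i in range(20)],                  # worm-like burst
    ):
        print(check_window(alice, rcpts))
```

The point of refusing to absorb flagged windows is the same one the slides make about adaptive models: a profile that learns from everything it sees can be walked, one slightly larger burst at a time, into accepting the attack as normal.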
10
Detecting Anomalous Behavior
Analysts can quickly review and study unexpected
activity, detecting new threats
11
Payload Anomaly Detection
  • Abnormal payload detection in high-bandwidth
    environments
  • Examples of network traffic payload analysis:
    1-gram (byte-frequency) distributions
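As an added example written for this transcript, not code from the slides nor from Columbia's own payload anomaly detector, the block below shows the slide's idea of modelling normal traffic by its 1-gram (byte-frequency) distribution. For each (port, payload-length bin) a mean and standard deviation per byte value are learnt offline from normal payloads, and a new payload is scored online by a simplified Mahalanobis distance to that model. The smoothing constant ALPHA, the 256-byte length bins, the threshold margin and all of the traffic are assumptions constructed for the example.

```python
"""1-gram payload anomaly detection (added example, not the original system).
ALPHA, BIN_WIDTH, the threshold margin and all traffic are assumptions."""
import math
from collections import defaultdict

ALPHA = 0.001      # smoothing: a byte never seen in training must not divide by zero
BIN_WIDTH = 256    # payload lengths are bucketed into 256-byte bins


def byte_freq(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values in the payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1
    return [c / n for c in counts]


class PayloadModel:
    """One mean/std byte-frequency profile per (port, length bin)."""

    def __init__(self):
        self._train = defaultdict(list)   # key -> frequency vectors seen in training
        self.models = {}                  # key -> (mean[256], std[256])
        self.threshold = None

    @staticmethod
    def key(port: int, payload: bytes):
        return port, len(payload) // BIN_WIDTH

    def train(self, port: int, payload: bytes) -> None:
        self._train[self.key(port, payload)].append(byte_freq(payload))

    def _distance(self, key, freq) -> float:
        """Simplified Mahalanobis distance: sum_i |f_i - mean_i| / (std_i + ALPHA)."""
        mean, std = self.models[key]
        return sum(abs(freq[i] - mean[i]) / (std[i] + ALPHA) for i in range(256))

    def finalize(self, margin: float = 2.0) -> float:
        """Compute mean/std per bucket, then set the alert threshold to the largest
        distance of any training payload from its own bucket, times a margin
        (the margin value is an assumption)."""
        for key, vecs in self._train.items():
            n = len(vecs)
            mean = [sum(v[i] for v in vecs) / n for i in range(256)]
            std = [math.sqrt(sum((v[i] - mean[i]) ** 2 for v in vecs) / n) for i in range(256)]
            self.models[key] = (mean, std)
        worst = max(self._distance(k, v) for k, vecs in self._train.items() for v in vecs)
        self.threshold = margin * worst
        return self.threshold

    def score(self, port: int, payload: bytes):
        """Distance to the bucket model, or None when no model exists for that bucket."""
        key = self.key(port, payload)
        if key not in self.models:
            return None
        return self._distance(key, byte_freq(payload))

    def is_anomalous(self, port: int, payload: bytes) -> bool:
        d = self.score(port, payload)
        # Traffic to a port/length bucket never seen in training is itself unexpected.
        return d is None or d > self.threshold


# Constructed "normal" HTTP requests used to train the port-80 model.
NORMAL_HTTP = [
    b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.gif HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /news/today.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 22\r\n\r\nuser=alice&pass=secret",
]
BENIGN = b"GET /news/index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
# Constructed binary blob: a 0x90 sled followed by high bytes, nothing like HTTP text.
SHELLCODE_LIKE = b"\x90" * 120 + bytes(range(0x80, 0xD0))


def build_demo_model() -> PayloadModel:
    model = PayloadModel()
    for p in NORMAL_HTTP:
        model.train(80, p)
    model.finalize()
    return model


if __name__ == "__main__":
    m = build_demo_model()
    print("threshold", round(m.threshold, 1))
    for name, p in (("benign", BENIGN), ("shellcode-like", SHELLCODE_LIKE)):
        print(name, round(m.score(80, p), 1), m.is_anomalous(80, p))
    print("port 25 (no model):", m.is_anomalous(25, b"HELO mail.example.com\r\n"))
```

Two design points matter in practice: the model is keyed by length bin as well as port because a 40-byte request and a 4 KB upload to the same service have different normal byte mixes, and a bucket with no model at all is treated as an alert rather than silently passed, since unseen ports are exactly what a sensor on a high-bandwidth link should surface to the analyst.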

12
The Worminator Project
  • Distributed SD sensor net (enclave and peering
    points)
  • CU/GATech/FIT/Brookings
  • Stealthy recon activities across critical
    industry sites
  • Early Worm detection (NOT just scans)

13
Concluding Remarks
  • Attackers continue to improve their techniques,
    undeterred
  • Present COTS security defenses are porous and
    suffer from the false negative problem
  • There is no one monolithic security solution;
    security is a design criterion at all layers of
    the stack
  • Behavior-based computer security will
    substantially raise the bar