1
Network Intrusion Detection with Semantics-Aware
Capability
  • Walter J. Scheirer and Mooi C. Chuah
  • Lehigh University
  • Department of Computer Science and Engineering

2
Motivation
  • Computer intrusion is costly
  • Automated attacks have been prevalent for years
  • Polymorphic threats are real
  • Shortcomings in popular intrusion detection
    systems (IDS)

3
What's wrong with Snort?
  • Signature-based IDS requires human intervention
    • Original threat recognition
    • Signature generation
  • Signatures match a specific instance of a threat
    • Can be extended with regexps
    • Easily defeated with polymorphic code

4
Polymorphism
  • Traditional polymorphism has taken the form of an
    encrypted body of code with an attached
    decryption routine
  • The decryption routine itself is often obfuscated
    from one instance to the next; we term this
    metamorphism
  • Metamorphic transformations: code transposition,
    equivalent instruction substitution, jump
    insertion, NOP insertion, garbage instruction
    insertion, and register reassignment

5
Polymorphism
6
Dynamic IDS
  • Early work focused on sliding-window based
    approaches
    • CMU's Autograph and Polygraph systems
    • UCSD's Earlybird system
  • Premise: some portion of the code is invariant
    between polymorphic/metamorphic instances
  • Shortcomings: too many signatures generated,
    too many false positives

7
Initial Thoughts
  • Syntactic approaches (signatures based on
    regexps, content blocks coupled with sliding
    window schemes, etc.) are inadequate
  • What if we examine the meaning of the code
    instead?
  • Semantics!

8
Inspiration
  • M. Christodorescu, S. Jha, S. Seshia, D. Song and
    R. Bryant. Semantics-aware malware detection.
    IEEE Security and Privacy Symposium, May 2005.
  • Reduces the problem of semantic equivalence to a
    template matching problem

9
Inspiration
  • Stated formally:
  • A program P satisfies a template T (denoted
    as P ⊨ T) iff P contains an instruction sequence
    I such that I exhibits the behavior specified by
    T.
  • A template consists of a sequence of
    instructions, along with its associated variables
    and symbolic constants.

10
Templates
11
Bringing Semantics to NIDS
  • While the initial work formalizes the template
    matching problem rather nicely, it presents a
    somewhat limited engineering approach to
    intrusion detection:
    • Assumes that malware samples are available as
      inputs
    • Prone to false positives on protected/packed
      benign binaries (CrypKey, ASProtect)
    • Essentially limited to end-host virus detection
  • We can improve reliability by adding more to this
    process.

12
The Semantics-Aware NIDS Architecture
13
Bringing Semantics to NIDS
  • Added features:
    • Smart traffic classifier
    • Binary data identification and extraction module
  • We are extending the semantic detection idea to
    the network scenario.

14
Traffic Classification
  • Two schemes: a honeypot scheme and a widespread
    scanning scheme
  • Widespread scanning scheme: if a host sends an
    initial packet to an unused address, a count n is
    initialized. If we continue to observe this host
    sending packets to other unused addresses, the
    count is incremented until it reaches a
    threshold t
  • When t is reached, packets emanating from that
    suspicious host are considered for further
    analysis
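The scanning scheme above as an added, runnable example (this is illustration code, not the authors' classifier). It assumes the monitor knows which addresses in its own prefix are unassigned, counts distinct unused destinations per source, and, once the threshold t is reached, forwards every later packet from that source for analysis. The address space, live hosts and packet trace are constructed for the example.

```python
"""Widespread-scanning traffic classifier (added example, not the authors' code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed for the example: the monitored prefix and the hosts that are actually live.
MONITORED = ip_network("10.0.0.0/24")
LIVE_HOSTS = {ip_address("10.0.0.5"), ip_address("10.0.0.10"), ip_address("10.0.0.20")}


def is_unused(dst):
    """A destination inside our prefix with no live host behind it."""
    return dst in MONITORED and dst not in LIVE_HOSTS


class ScanClassifier:
    def __init__(self, threshold):
        self.t = threshold
        self.targets = defaultdict(set)   # src -> distinct unused addresses contacted (the count n)
        self.suspicious = set()           # sources whose count reached t

    def observe(self, src, dst):
        """Return True if this packet should be handed to binary/semantic analysis."""
        src, dst = ip_address(src), ip_address(dst)
        if src in self.suspicious:
            return True                   # everything from a flagged host is analysed
        if is_unused(dst):
            self.targets[src].add(dst)    # a repeat of the same unused address does not count twice
            if len(self.targets[src]) >= self.t:
                self.suspicious.add(src)
                return True
        return False


# Constructed trace: a scanner (192.0.2.7) walking the prefix and a benign
# client (192.0.2.9) with one stray packet to an unassigned address.
TRACE = [
    ("192.0.2.9", "10.0.0.5"),
    ("192.0.2.7", "10.0.0.1"),
    ("192.0.2.9", "10.0.0.99"),   # single stray packet, stays below threshold
    ("192.0.2.7", "10.0.0.2"),
    ("192.0.2.7", "10.0.0.2"),    # same unused address again: count unchanged
    ("192.0.2.7", "10.0.0.3"),    # third distinct unused address: threshold reached
    ("192.0.2.7", "10.0.0.5"),    # now even its traffic to a live host is analysed
    ("192.0.2.9", "10.0.0.5"),
]


def classify_trace(trace, threshold=3):
    """Run the classifier over a trace; return (suspicious sources, forwarded packets)."""
    clf = ScanClassifier(threshold)
    forwarded = [(s, d) for s, d in trace if clf.observe(s, d)]
    return {str(s) for s in clf.suspicious}, forwarded


if __name__ == "__main__":
    suspicious, forwarded = classify_trace(TRACE)
    print("suspicious:", suspicious)
    print("forwarded :", forwarded)
```

Only packets from the sixth one onward reach the analysis stage, so the expensive disassembly step never sees the benign client's traffic, which is the point of putting the classifier in front of it.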

15
Binary Detection and Classification
  • Many binary threats are common buffer overflow
    exploits
  • In practice, we observe that a network buffer
    overflow exploit consists of a well-formed initial
    application-layer protocol request, with the
    exploit content embedded inside it; that content
    usually resembles (but need not exactly match)
    a legitimate request of that protocol.

16
Binary Detection and Classification
  • By noting what is expected in a protocol request,
    and what is abnormal, we can often locate
    malicious binary content.
  • Our module has the ability to distinguish between
    acceptable protocol usage and suspicious
    repetition.
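An added example of the locate-by-deviation idea in slides 15 and 16 (illustration code, not the authors' module). It first insists on a well-formed HTTP request line, then inside the request target looks for what normal protocol usage does not explain: an over-long target, a long run of a single repeated byte, or a high share of non-text bytes once percent-encoding is undone. The thresholds, the `%uXXXX` decoding rule and the requests themselves are assumptions constructed for the example.

```python
"""Locate suspicious binary content inside a well-formed request (added example)."""
import re
from typing import Optional, Tuple

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")
PCT = re.compile(rb"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

MAX_TARGET_LEN = 256      # assumed: longest target benign clients send to this server
MAX_RUN_LEN = 32          # assumed: longest run of one byte value seen in benign use
MAX_NONTEXT_RATIO = 0.10  # assumed: share of non-printable bytes tolerated in a target


def decode_target(target: bytes) -> bytes:
    """Undo %XX and (assumed, IIS-style) %uXXXX encoding so byte statistics see raw bytes."""
    def sub(m):
        if m.group(1):
            v = int(m.group(1), 16)
            return bytes([v & 0xFF, v >> 8])   # assumption: 16-bit value, low byte first
        return bytes([int(m.group(2), 16)])
    return PCT.sub(sub, target)


def longest_run(data: bytes) -> Tuple[int, int]:
    """(length, start offset) of the longest run of one repeated byte value."""
    best_len, best_start, i = 0, 0, 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best_len:
            best_len, best_start = j - i, i
        i = j
    return best_len, best_start


def nontext_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(1 for b in data if b < 0x20 or b > 0x7E) / len(data)


def locate_suspicious_payload(request: bytes) -> Optional[bytes]:
    """Return the decoded bytes to hand to semantic analysis, or None if the
    request looks like acceptable protocol usage."""
    m = REQUEST_LINE.match(request)
    if not m:
        return None                      # not a request line we model; out of scope here
    target = decode_target(m.group(2))
    run_len, run_start = longest_run(target)
    if (len(target) <= MAX_TARGET_LEN and run_len <= MAX_RUN_LEN
            and nontext_ratio(target) <= MAX_NONTEXT_RATIO):
        return None
    # Suspicious repetition (padding) marks where the abnormal part begins;
    # otherwise the whole target goes to the analyser.
    start = run_start if run_len > MAX_RUN_LEN else 0
    return target[start:]


# Constructed requests for the example; none is a captured exploit.
BENIGN = b"GET /search?q=hello%20world HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
OVERFLOW = (b"GET /cgi-bin/form.cgi?name=" + b"A" * 600      # padding run
            + b"%u9090" * 8 + b"%cc" * 4                       # placeholder encoded bytes
            + b" HTTP/1.0\r\n\r\n")
HIGH_NONTEXT = b"GET /a?" + b"%cc%90" * 20 + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("overflow", OVERFLOW), ("nontext", HIGH_NONTEXT)]:
        payload = locate_suspicious_payload(req)
        print(name, None if payload is None else len(payload))
```

The extracted bytes are what the disassembler in the next stage would receive; the framing that made the request look valid to the server is deliberately left behind.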

17
Semantic Analysis
  • Disassembly with IDA Pro
  • Currently limited to x86
  • Prune the code to include only the instructions
    we are interested in; any excess code from the
    program frame is discarded.
  • The templates we built can handle out-of-order
    code, NOP insertion, junk instruction insertion,
    and register reassignment.
  • If a piece of code matches one of our templates,
    an alert is generated, and further action may be
    taken against the offending IP address.
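Added example of template matching over an instruction sequence (illustration code, not the authors' IDA Pro based implementation). One template for a decoder loop, written with symbolic registers and a symbolic constant, matches two register-reassigned instances that share no bytes, and survives NOP and junk insertion because a skipped instruction is tolerated only if it does not redefine a register the template has already bound. Out-of-order code is not handled here. The x86 write model, the variable syntax (`R1`, `CONST`, `LABEL`) and all instruction sequences are assumptions constructed for the example.

```python
"""Semantic template matching with register unification (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Instr = Tuple[str, List[str]]
Binding = Dict[str, str]

REG = re.compile(r"^[a-z]{2,3}$")           # ecx, esi, bl ...
MEM = re.compile(r"^\[(.+)\]$")             # [esi]
IMM = re.compile(r"^(0x[0-9a-f]+|\d+)$")
SYM = re.compile(r"^(R\d+|CONST|LABEL)$")   # template variables (assumed syntax)

# Assumed simplified x86 semantics: these mnemonics write their first operand.
# Sub-register aliasing (bl vs ebx) is ignored in this toy model.
WRITES_FIRST = {"mov", "xor", "add", "sub", "inc", "dec", "lea", "pop",
                "and", "or", "not", "neg", "shl", "shr"}


def parse_block(text: str) -> List[Instr]:
    """'xor [esi], bl ; note' -> ('xor', ['[esi]', 'bl'])."""
    out = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        out.append((parts[0].lower(), ops))
    return out


def written_regs(instr: Instr) -> set:
    mnem, ops = instr
    if mnem in WRITES_FIRST and ops and REG.match(ops[0]):
        return {ops[0]}
    return set()


def unify_operand(pat: str, act: str, env: Binding) -> bool:
    pm, am = MEM.match(pat), MEM.match(act)
    if pm or am:                             # memory operand only matches memory operand
        return bool(pm and am) and unify_operand(pm.group(1), am.group(1), env)
    if not SYM.match(pat):
        return pat == act                    # literal operand in the template
    if pat.startswith("R"):
        used = {v for k, v in env.items() if k.startswith("R")}
        if not REG.match(act) or (pat not in env and act in used):
            return False                     # not a register, or taken by another variable
    elif pat == "CONST" and not IMM.match(act):
        return False
    if pat in env:
        return env[pat] == act               # R1 in 'xor [R1]' must be the R1 in 'inc R1'
    env[pat] = act
    return True


def unify_instr(pat: Instr, act: Instr, env: Binding) -> Optional[Binding]:
    if pat[0] != act[0] or len(pat[1]) != len(act[1]):
        return None
    trial = dict(env)
    for p, a in zip(pat[1], act[1]):
        if not unify_operand(p, a, trial):
            return None
    return trial


def match_template(template: List[Instr], program: List[Instr]) -> Optional[Binding]:
    """Binding if the template occurs in the program as an in-order subsequence
    whose skipped (inserted) instructions leave every bound register intact."""
    def search(ti: int, pi: int, env: Binding) -> Optional[Binding]:
        if ti == len(template):
            return env
        for k in range(pi, len(program)):
            trial = unify_instr(template[ti], program[k], env)
            if trial is not None:
                found = search(ti + 1, k + 1, trial)
                if found is not None:
                    return found
            bound = {v for key, v in env.items() if key.startswith("R")}
            if written_regs(program[k]) & bound:
                return None                  # junk that clobbers state is not semantics-preserving
        return None
    return search(0, 0, {})


TEMPLATE = parse_block("""
    mov R3, CONST     ; byte counter
    xor [R1], R2      ; decode one byte in place
    inc R1            ; advance the pointer
    dec R3
    jnz LABEL
""")
# Constructed instances: same loop, different registers, NOPs and junk inserted.
POLY_A = parse_block("""
    mov ecx, 0x7f
    nop
    xor [esi], bl
    push eax          ; junk, writes nothing we track
    inc esi
    mov edx, edx      ; junk, writes an unbound register
    dec ecx
    nop
    jnz 0x10
""")
POLY_B = parse_block("mov edx, 0x7f\nxor [edi], cl\ninc edi\ndec edx\njnz 0x20")
CLOBBERED = parse_block("mov ecx, 0x7f\nxor [esi], bl\nmov esi, eax\ninc esi\ndec ecx\njnz 0x10")
BENIGN = parse_block("mov eax, 1\npush ebx\nmov ebx, 0\nint 0x80")

if __name__ == "__main__":
    for name, prog in [("A", POLY_A), ("B", POLY_B), ("clobbered", CLOBBERED), ("benign", BENIGN)]:
        print(name, match_template(TEMPLATE, prog))
```

`CLOBBERED` is rejected on purpose: the `mov esi, eax` between the decode and the increment means the pointer being advanced is no longer the one that was decoded, so the sequence is not an instance of the template even though every template instruction appears in order.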

18
Evaluation
  • We have conducted an extensive evaluation of our
    semantic NIDS against captured network traffic.
  • Intel P4 2.8 GHz system with 512 MB RAM
  • Tested against many stock buffer overflow
    exploits, two popular toolkits for polymorphic
    exploit generation, and the Code Red II worm.
  • False-positive test: a month's worth of benign
    traffic, with classification disabled

19
Linux Shell Spawning
  • The running time for the eight shell-spawning
    exploit instances tested ranges from 2.36 seconds
    to 3.27 seconds.
  • The average binary code size is less than
    10 Kbytes for these exploits.

20
Polymorphic Shellcode Detection
21
Polymorphic Shellcode Detection
22
Code Red II
  • Tested twelve 5-minute traces collected from two
    Class B production networks, each with a total
    packet count of over 200,000.
  • Before evaluation, we noted the correct number of
    instances of Code Red II within each capture.

23
Code Red II
24
False Positive Evaluation
  • Disabled traffic classification on the NIDS
  • Tested a month's worth of traffic captured from
    two Class C networks (a total capture of 566 MB)
  • Mostly normal web traffic
  • Templates used: decryption routines, shell
    spawning, Code Red II memory addressing
  • No false positives!

25
Conclusion
  • We have designed and built a NIDS with semantic
    analysis capability.
  • Extensive testing shows highly accurate detection
    and no false positives.
  • Improvements:
    • Traffic classification
    • Processing speed
    • More architectures?

26
Questions?