Second Line Intrusion Detection Using Personalization - PowerPoint PPT Presentation

Slides: 16
Provided by: shm2
1
Second Line Intrusion Detection Using
Personalization
  • DISA Sponsored
  • GWU-CS

2
Content
  1. Introduction
  2. Examples and Analysis
  3. Prototype Design
  4. More to come
  5. Conclusion

3
Introduction
  • Penetration into computer systems continues at a
    high rate despite substantial progress in
    security research and technology
  • No reason to assume that this level of
    insecurity will change
  • Most penetrations are done by individuals or
    small teams
  • Only lately has personalization entered into
    security consideration

4
  • Our research into personalization in areas such
    as
    • User command-line behavior (e.g., UNIX)
    • User browser patterns as reflected by URL
      sequences
    • User work habits
  • Provides a basis for
    • User classification
    • Abnormality observation
    • Detection of deviation from regular behavior
    • Changes in patterns

5
Examples and Analysis
  • www.fada.com
  • www.fada.com/address.html
  • www.fada.com/cline.html
  • www.fada.com/cline-bisttram.html
  • www.fada.com/cline-stella2.html
  • www.fada.com/karges.html
  • www.fada.com/karges1.html
  • www.fada.com/karges3.html
  • www.fada.com/karges8.html
  • www.fada.com/mmfa.html
  • www.fada.com/mmfa1.html
  • www.fada.com/mmfa9.html

6
Comments on Example 1
  • Assumptions
    • Access to the server is through the home page
      www.fada.com
    • Knowledge of the structure and content of the
      server pages at www.fada.com
  • Provides the following
    • Detailed access starts from the server page
      address.html
    • Page cline.html leads to two links
      • cline-bisttram.html and
      • cline-stella2.html
  • The example demonstrates reasonable behavior

7
Example 2
  • www.fada.com/mmfa9.html
  • www.fada.com/rehs10.html
  • www.fada.com/stern3.html
  • www.fada.com/address.html
  • www.fada.com/trotter41.html
  • www.fada.com/cantor8.html

8
Comments on Example 2
  • Access starts straight from a couple of internal
    pages (i.e., nodes of the tree)
  • It continues by a visit to a link off the home
    page
  • Summary
    • The behavior does not follow regular access
      patterns
    • The behavior is difficult to explain
    • This access may indicate suspicious behavior

9
Other Types of Entry Modes
  • In addition to URLs, one should watch out for
    • FTP access
    • E-mail
    • Potential logins
    • Access over other protocols, e.g., port scanning
  • On a sound server
    • FTP ports are predefined
    • E-mail, except for bugs, can be protected against
    • Port scanning is already trapped by the IDS

10
Prototype Design
  • We address suspicious behavior with two tools
    under automatic recognition
    • Machine Learning
    • Data Mining
  • Automatic recognition may be trained on regular
    access patterns and attempt detection of
    irregular access patterns
  • So far, results are good but not great: enough
    penetration still goes undetected

11
Behavior Analysis Application
  • A JAVA application that classifies behavior is
    partially done and operational
  • It shows a high level of detection of irregular
    behavior
  • The approach is promising and has a proven track
    record
  • Web browser communication performance improved by
    20% by changing the cache to use Next URL Prediction
  • Prediction is based on the underlying assumption
    of regularity of behavior
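The cache improvement and the irregularity detection on this slide rest on the same idea: given the current page, the next page is usually one that this user (or users in general) took before. As an added example, not code from the presentation or the GWU prototype, the following first-order Markov model learns URL transitions from constructed training sessions (assumed, labelled as such) and then serves two purposes: predicting the next URL for prefetching, and scoring a session by the fraction of its transitions that were never observed in training. The two sessions scored at the bottom are Example 1 and Example 2 from the slides.

```python
from collections import Counter, defaultdict

# Constructed training sessions (assumed regular browsing on the slides' example
# server; illustrative data, not taken from the presentation).
TRAINING_SESSIONS = [
    ["www.fada.com", "www.fada.com/address.html", "www.fada.com/cline.html",
     "www.fada.com/cline-bisttram.html", "www.fada.com/cline-stella2.html"],
    ["www.fada.com", "www.fada.com/address.html", "www.fada.com/karges.html",
     "www.fada.com/karges1.html", "www.fada.com/karges3.html"],
    ["www.fada.com", "www.fada.com/address.html", "www.fada.com/mmfa.html",
     "www.fada.com/mmfa1.html", "www.fada.com/mmfa9.html"],
    ["www.fada.com", "www.fada.com/address.html", "www.fada.com/cline.html",
     "www.fada.com/cline-bisttram.html"],
]

# The two access sequences shown on slides 5 and 7.
EXAMPLE_1 = ["www.fada.com", "www.fada.com/address.html", "www.fada.com/cline.html",
             "www.fada.com/cline-bisttram.html", "www.fada.com/cline-stella2.html",
             "www.fada.com/karges.html", "www.fada.com/karges1.html",
             "www.fada.com/karges3.html", "www.fada.com/karges8.html",
             "www.fada.com/mmfa.html", "www.fada.com/mmfa1.html", "www.fada.com/mmfa9.html"]
EXAMPLE_2 = ["www.fada.com/mmfa9.html", "www.fada.com/rehs10.html", "www.fada.com/stern3.html",
             "www.fada.com/address.html", "www.fada.com/trotter41.html", "www.fada.com/cantor8.html"]


class NextUrlPredictor:
    """First-order Markov model of URL transitions (hypothetical helper)."""

    START = "<start>"  # pseudo-page preceding the first request of a session

    def __init__(self):
        self.transitions = defaultdict(Counter)  # page -> Counter of next pages

    def train(self, sessions):
        for session in sessions:
            prev = self.START
            for url in session:
                self.transitions[prev][url] += 1
                prev = url

    def predict(self, current):
        """Most frequently observed successor of `current`, or None if unseen."""
        successors = self.transitions.get(current)
        if not successors:
            return None
        return successors.most_common(1)[0][0]

    def prefetch_hit_rate(self, session):
        """Fraction of requests after the first that the cache would have prefetched."""
        if len(session) < 2:
            return 0.0
        hits = sum(1 for a, b in zip(session, session[1:]) if self.predict(a) == b)
        return hits / (len(session) - 1)

    def surprise(self, session):
        """Fraction of transitions (entry included) never seen in training: 0 = fully
        regular, 1 = nothing about this session matches learned behavior."""
        prev, unseen = self.START, 0
        for url in session:
            if url not in self.transitions.get(prev, {}):
                unseen += 1
            prev = url
        return unseen / len(session) if session else 0.0


if __name__ == "__main__":
    model = NextUrlPredictor()
    model.train(TRAINING_SESSIONS)
    for name, session in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(f"{name}: prefetch hit rate {model.prefetch_hit_rate(session):.2f}, "
              f"surprise {model.surprise(session):.2f}")
```

Example 1 scores a surprise of 0.25 (only the jumps between artist sections are unseen) while Example 2 scores 1.0: every transition, starting with the entry at an internal page, is one the model never observed. A deployment would set the alert threshold from the surprise distribution of known-good sessions rather than by hand.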

12
Observation
  • URL, IP packet, and port scanning sequences look
    like an algorithm (or a program) without
    termination
  • Example 1 can be written as
    • Initialize www.fada.com
    • Initialize www.fada.com/address.html
    • Loop over the rest of the URLs
  • The loop is a while that selects links in
    www.fada.com/address.html for viewing
  • The selection criterion is personal
  • Example 2 seems like an unordered set of program
    statements
  • Therefore Example 2 does not seem to be a
    regular access pattern
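The "program" reading of Example 1 (initialize at the home page, then loop over links reachable from pages already viewed) turns directly into a structural check that needs no training data, which is what distinguishes it from a learned model. This added example, not code from the presentation or the GWU prototype, encodes a constructed link graph for the example server (assumed; the slides only name the home page, address.html and the two cline.html links explicitly) and classifies a session as regular only when it enters at the home page and every later request is a link on some page the session has already viewed. It also covers the case the slides do not show: a session that enters correctly but then jumps to a deep page nobody linked to.

```python
HOME = "www.fada.com"

# Constructed link graph of the example server (assumed; the deck names only the
# home page, address.html and the two cline.html links explicitly).
SITE_LINKS = {
    "www.fada.com": {"www.fada.com/address.html"},
    "www.fada.com/address.html": {
        "www.fada.com/cline.html", "www.fada.com/karges.html", "www.fada.com/mmfa.html",
        "www.fada.com/rehs.html", "www.fada.com/stern.html", "www.fada.com/trotter.html",
        "www.fada.com/cantor.html",
    },
    "www.fada.com/cline.html": {"www.fada.com/cline-bisttram.html",
                                "www.fada.com/cline-stella2.html"},
    "www.fada.com/karges.html": {"www.fada.com/karges1.html", "www.fada.com/karges3.html",
                                 "www.fada.com/karges8.html"},
    "www.fada.com/mmfa.html": {"www.fada.com/mmfa1.html", "www.fada.com/mmfa9.html"},
    "www.fada.com/rehs.html": {"www.fada.com/rehs10.html"},
    "www.fada.com/stern.html": {"www.fada.com/stern3.html"},
    "www.fada.com/trotter.html": {"www.fada.com/trotter41.html"},
    "www.fada.com/cantor.html": {"www.fada.com/cantor8.html"},
}

# The two access sequences shown on slides 5 and 7.
EXAMPLE_1 = ["www.fada.com", "www.fada.com/address.html", "www.fada.com/cline.html",
             "www.fada.com/cline-bisttram.html", "www.fada.com/cline-stella2.html",
             "www.fada.com/karges.html", "www.fada.com/karges1.html",
             "www.fada.com/karges3.html", "www.fada.com/karges8.html",
             "www.fada.com/mmfa.html", "www.fada.com/mmfa1.html", "www.fada.com/mmfa9.html"]
EXAMPLE_2 = ["www.fada.com/mmfa9.html", "www.fada.com/rehs10.html", "www.fada.com/stern3.html",
             "www.fada.com/address.html", "www.fada.com/trotter41.html", "www.fada.com/cantor8.html"]


def classify_session(urls, links=SITE_LINKS, home=HOME):
    """Return (verdict, findings). A session is 'regular' when it enters at the
    home page and each later request is a link on a page already viewed in the
    session; every violation is recorded so an analyst can see why it was flagged."""
    if not urls:
        return "empty", ["no requests in session"]
    findings = []
    if urls[0] != home:
        findings.append(f"entry at internal node {urls[0]} instead of {home}")
    viewed = {urls[0]}
    reachable = set(links.get(urls[0], ()))  # links on pages viewed so far
    for url in urls[1:]:
        if url not in viewed and url not in reachable:
            findings.append(f"{url} is not linked from any page viewed so far")
        viewed.add(url)
        reachable |= links.get(url, set())
    return ("regular" if not findings else "suspicious"), findings


if __name__ == "__main__":
    for name, session in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        verdict, findings = classify_session(session)
        print(name, verdict)
        for line in findings:
            print("   ", line)
```

Example 1 comes back regular with no findings; Example 2 is flagged on every request, including address.html, because the home page that links to it was never viewed in that session. The check is deliberately strict about link provenance: a bookmark or a typed URL into a deep page is indistinguishable from a probe at this layer, which is why the slides position this as second-line detection to be combined with the behavior classifier rather than a standalone alarm.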

13
Prototype Design Details
  • Steps
    • Analyze the server page hierarchy
    • Analyze each page for links and source (i.e.,
      src) files
    • Build an identification engine based on
      • Behavior categorization
      • Page hierarchy
      • Isolation of individual users by identifying
        agents
    • Construct input benchmarks
    • Continue work on Other Types of Entry Modes
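The first two steps above, deriving the page hierarchy and the per-page links and src files, are what any later identification engine consumes. As an added example that is not code from the presentation or the GWU prototype, the following builds that inventory from a handful of constructed HTML pages (assumed stand-ins for the example server): it collects href and src targets with the standard-library HTML parser, resolves relative and absolute references to a scheme-less host+path form, assigns each page its tree depth by breadth-first search from the home page, and reports links that leave the server, which is one of the "more complex relationships" the deck lists for later work.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

HOME = "www.fada.com/"

# Constructed server pages (assumed stand-ins for the slides' www.fada.com site).
PAGES = {
    "www.fada.com/": '<a href="address.html">Artists</a><img src="img/logo.gif">',
    "www.fada.com/address.html": '<a href="cline.html">Cline</a>'
                                 '<a href="karges.html">Karges</a><a href="mmfa.html">MMFA</a>',
    "www.fada.com/cline.html": '<a href="cline-bisttram.html">1</a>'
                               '<a href="cline-stella2.html">2</a><img src="img/cline.jpg">',
    "www.fada.com/karges.html": '<a href="karges1.html">1</a><a href="/karges3.html">3</a>'
                                '<a href="karges8.html">8</a>',
    "www.fada.com/mmfa.html": '<a href="mmfa1.html">1</a><a href="mmfa9.html">9</a>'
                              '<a href="http://www.other.org/x.html">elsewhere</a>',
}


class RefExtractor(HTMLParser):
    """Collects href targets (links) and src targets (source files) from one page."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.srcs = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name == "href":
                self.hrefs.append(value)
            elif name == "src":
                self.srcs.append(value)


def normalize(base_page, ref):
    """Resolve `ref` relative to `base_page` and return host+path with no scheme,
    query or fragment, so the same page always gets the same key."""
    parts = urlsplit(urljoin("http://" + base_page, ref))
    return parts.netloc + parts.path


def build_hierarchy(pages, home):
    """Return (links, sources, depth): outgoing links and src files per page, and
    each page's distance from the home page along links (the tree level)."""
    links, sources = {}, {}
    for page, html in pages.items():
        extractor = RefExtractor()
        extractor.feed(html)
        links[page] = {normalize(page, h) for h in extractor.hrefs}
        sources[page] = {normalize(page, s) for s in extractor.srcs}
    depth, queue = {home: 0}, deque([home])
    while queue:
        page = queue.popleft()
        for child in sorted(links.get(page, ())):  # sorted for deterministic output
            if child not in depth:
                depth[child] = depth[page] + 1
                queue.append(child)
    return links, sources, depth


def external_pages(links, host):
    """Link targets that point at a different server than `host`."""
    return {t for targets in links.values() for t in targets if not t.startswith(host + "/")}


if __name__ == "__main__":
    links, sources, depth = build_hierarchy(PAGES, HOME)
    for page in sorted(depth, key=lambda p: (depth[p], p)):
        print(depth[page], page, "src:", sorted(sources.get(page, ())))
    print("external:", sorted(external_pages(links, "www.fada.com")))
```

Pages that are linked to but not crawled (karges1.html here) still receive a depth, so the hierarchy stays usable while the crawl is incomplete; the external set is what the "server pages link to other servers' pages" relationship on the next slide would start from.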

14
More to come
  • Examples of more complex relationships to be
    explored
    • Server pages link to other servers' pages
    • Same source (IP) for different communication
      types
    • Accessing different locations on the tree
      concurrently
      • Can be done by using two copies of the browser
      • The two sessions will have different IDs but may
        be cooperating
      • The agents monitoring the two browsers must
        collaborate
    • URLs and FTPs from the same source at the same time
    • Multiple FTPs
      • Similar case to multiple browsers
    • ...

15
Conclusion
  • A substantial prototype will be completed by end
    of Summer
  • Complex relationships will be explored
  • Threats will be enumerated
  • Potential detection will be proposed
  • Prototype will include some of these results
  • Open areas will be reported on in detail