Enriching intrusion alerts through multi-host causality
Transcript of Enriching intrusion alerts through multi-host causality
Enriching intrusion alerts through multi-host causality
Sam King, Morley Mao, Dominic Lucchetti, Peter Chen
University of Michigan

Motivation
• IDS alerts highlight suspicious activity
– Network and host level
• Alerts lack context
– How did this activity happen?
– What were the effects of this activity?
Causality to connect alerts
[Figure: dependency graph. Nodes: remote socket, httpd, bash, wget, rootkits.com, getroot.exe, rootproc. Legend: process, file, socket; detection point, fork event, read/write event.]
Overview
• Causality: BackTracker
• Bi-directional distributed BackTracker
• Correlating IDS alerts
• Conclusions
BackTracker
• Help figure out what application was exploited
• Show chain of events between exploit and detection point
• Track causal operating system events and objects
BackTracker Example
[Figure: dependency graph. Nodes: remote socket, httpd, bash, wget, /tmp/xploit/backdoor, backdoor (detection point), second remote socket. Legend: process, file, socket; detection point, fork event, read/write event.]
BackTracker
• Objects: processes, files
• Events: read/write, fork, exec, mmap…
• Online component logs events, objects
• Offline component generates graphs
• Causality effective technique for highlighting actions of attacker
Extending BackTracker
• Use send/receive events to connect processes on separate hosts
– Identify packets by source/destination IP address and TCP sequence number
• Forward tracking
Bi-directional distributed BackTracker (BDB)
• Common configuration: firewall
• Given a single infected host, track attack
• Tracking multi-host attacks
– Follow attack “upstream”
• Find original source of intrusion
• Patch vulnerable server, fix infected laptop
– Follow attack “downstream”
• Find other compromised hosts
Prioritize Packets
[Figure: dependency graph on the infected host. Nodes: init, rc, httpd, remote socket, bash, wget, /tmp/xploit/backdoor, backdoor (detection point), second remote socket. Legend: process, file, socket; detection point, fork event, read/write event.]
Highest process, most recent packet
[Figure: same dependency graph as the previous slide. Nodes: init, rc, httpd, remote socket, bash, wget, /tmp/xploit/backdoor, backdoor (detection point), second remote socket. Legend: process, file, socket; detection point, fork event, read/write event.]
Guess and check
• Follow all packets, examine other host
• Search for causally linked “intrusions”
[Figure: two dependency graphs. Host A nodes: httpd, socket, bash, wget, /tmp/xploit/backdoor, backdoor. Host B nodes: httpd, bash, backdoor, spread_worm.]
Use NIDS to highlight packets
[Figure: dependency graph. Nodes: smbd, smb socket, socket, bash, wget, /tmp/xploit/backdoor, backdoor.]
Multi-host attacks
• Examined Slapper worm and manual attack on local network
• Significant background noise
– 12 hosts, all connected, 4 ftpd, 4 httpd, 4 smbd
• All hosts both clients and servers
– Download source code, compile
– Gigabytes of network traffic
– Millions of events and objects
• 20 minute experiments, break in after 10
• Goal: given a single infected host find source of attack and all infected hosts
Slapper Worm
[Figure: network diagram. Hosts A, B, C and D behind a firewall; Slapper worm on the external network.]
[Figure: dependency graph on the infected host. Legend: process, file, socket; detection point, causal event.]
Tracking Slapper Forward
[Figure: dependency graph. Legend: process, file, socket; detection point, causal event.]
Multi-host manual attack
• Highest process, most recent packet does not always work
• Use Snort to highlight suspicious packets
• Stealthy attack, difficult to detect
– Attack one host at a time
• Wait for next target to communicate with current host
– Break into various services
– Services under heavy legitimate use
– Use previously “unknown” attacks
– Perform different tasks on each host
Multi-host manual attack
[Figure: network diagram of the 12 hosts (A through L) and the external network.]
Correlating IDS alerts
• Many independent sources of IDS alerts
– Host/network
– Host/host
• Correlate multiple sources, reduce false positives
– Correlate through syntactic or timing relationships
– Correlate through manually specified semantic relationships
• BDB can correlate IDS alerts through causal relationships
Zero Configuration Snort
• Difficult to configure
– False positives
• Services not used
• Failed exploit attempts
• New rules developed frequently
• Setup system with all default Snort rules
– Also enabled several other rules
• Use causality to verify Snort alerts
– Detect any processes running as root
Zero Configuration Snort Results
• Ran honeypot for two days
• Without correlating alerts
– 39 Snort alerts
– Many processes run as root
• Zero Configuration Snort
– Zero false positives
– One true positive
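The mechanics behind the BackTracker, BDB ("Prioritize Packets", "Highest process, most recent packet") and Zero Configuration Snort slides, as an added Python example that is not from the talk or the authors' system. A constructed two-host event log (hypothetical object names, addresses, timestamps and uids) is sliced backward from a detection point using BackTracker's time thresholds; upstream tracking picks the next packet with the "highest process, most recent packet" rule, read here as the receiving process with the fewest fork hops from init and the newest packet among equals (this example's interpretation of the heuristic, not a statement of the authors' exact rule); per-host logs are joined through packet nodes keyed by source/destination IP and TCP sequence number; and a Snort alert is kept only if forward tracking from the alerted packet reaches a process created running as root. The exploit chain and the benign FTP upload are both constructed for the example.

```python
from collections import defaultdict, deque

# Constructed two-host event log (hypothetical; not from the talk or its system).
# Each event (time, host, kind, src, dst) records information flowing from src
# to dst, the dependency BackTracker logs. Objects are "host/kind:name". A
# packet is one shared node "pkt:<src_ip>><dst_ip>:<seq>", so the send logged on
# one host and the receive logged on the other meet there (BDB joins per-host
# logs by source/destination IP and TCP sequence number).
EVENTS = [
    (1,  "A", "fork",  "A/proc:init",     "A/proc:rc"),
    (2,  "A", "fork",  "A/proc:rc",       "A/proc:httpd"),
    (3,  "A", "fork",  "A/proc:rc",       "A/proc:ftpd"),
    (10, "A", "recv",  "pkt:10.0.0.3>10.0.0.1:1001", "A/proc:ftpd"),    # benign upload
    (11, "A", "write", "A/proc:ftpd",     "A/file:/srv/ftp/upload.txt"),
    (20, "A", "recv",  "pkt:192.0.2.9>10.0.0.1:4242", "A/proc:httpd"),  # exploit packet
    (21, "A", "fork",  "A/proc:httpd",    "A/proc:bash"),
    (22, "A", "fork",  "A/proc:bash",     "A/proc:wget"),
    (23, "A", "write", "A/proc:wget",     "A/file:/tmp/xploit/backdoor"),
    (24, "A", "fork",  "A/proc:bash",     "A/proc:backdoor"),
    (25, "A", "exec",  "A/file:/tmp/xploit/backdoor", "A/proc:backdoor"),
    (26, "A", "fork",  "A/proc:backdoor", "A/proc:getroot"),             # gains uid 0
    (30, "A", "send",  "A/proc:backdoor", "pkt:10.0.0.1>10.0.0.2:7777"),
    (1,  "B", "fork",  "B/proc:init",     "B/proc:smbd"),
    (31, "B", "recv",  "pkt:10.0.0.1>10.0.0.2:7777", "B/proc:smbd"),
    (32, "B", "fork",  "B/proc:smbd",     "B/proc:bash"),
    (33, "B", "fork",  "B/proc:bash",     "B/proc:backdoor"),
]
# Processes running as root in this constructed scenario (httpd/ftpd dropped privileges).
ROOT_PROCS = {"A/proc:init", "A/proc:rc", "A/proc:getroot",
              "B/proc:init", "B/proc:smbd", "B/proc:bash", "B/proc:backdoor"}

def _index(events, host=None):
    """Adjacency lists: events into each object and out of each object."""
    into, out_of = defaultdict(list), defaultdict(list)
    for ev in events:
        if host is None or ev[1] == host:
            into[ev[4]].append(ev)
            out_of[ev[3]].append(ev)
    return into, out_of

def backtrack(events, obj, time, host=None):
    """Backward slice: events that could have affected obj before time. Each object
    carries a time threshold and only earlier events into it are followed
    (BackTracker's time rule). One host at a time mirrors BDB's per-host logs."""
    into, _ = _index(events, host)
    threshold, queue, kept = {obj: time}, deque([obj]), set()
    while queue:
        cur = queue.popleft()
        for ev in into[cur]:
            t, src = ev[0], ev[3]
            if t < threshold[cur]:
                kept.add(ev)
                if threshold.get(src, -1) < t:  # a later event widens src's window
                    threshold[src] = t
                    queue.append(src)
    return kept

def forward_track(events, obj, time):
    """Forward slice across all hosts: events obj could have influenced after time
    (mirror of backtrack; the shared packet nodes carry the slice between hosts)."""
    _, out_of = _index(events)
    threshold, queue, kept = {obj: time}, deque([obj]), set()
    while queue:
        cur = queue.popleft()
        for ev in out_of[cur]:
            t, dst = ev[0], ev[4]
            if t > threshold[cur]:
                kept.add(ev)
                if t < threshold.get(dst, float("inf")):  # earlier reach widens window
                    threshold[dst] = t
                    queue.append(dst)
    return kept

def prioritize_packets(events, kept):
    """Rank packets received inside a backward slice by 'highest process, most
    recent packet'. Assumption of this example: highest = fewest fork hops from
    init; among equals the newest packet comes first."""
    depth = {}
    for _, _, kind, src, dst in sorted(events):
        if kind == "fork":
            depth[dst] = depth.get(src, 0) + 1
    recvs = [ev for ev in kept if ev[2] == "recv"]
    return sorted(recvs, key=lambda ev: (depth.get(ev[4], 0), -ev[0]))

def track_upstream(events, obj, time, host):
    """BDB upstream tracking: slice the infected host, take the priority packet,
    find the process that sent it on the other host, repeat until the packet
    was sent by no monitored host. Returns the (host, packet) hops."""
    hops = []
    while True:
        ranked = prioritize_packets(events, backtrack(events, obj, time, host))
        if not ranked:
            return hops
        pkt = ranked[0][3]
        hops.append((host, pkt))
        senders = [ev for ev in events if ev[2] == "send" and ev[4] == pkt]
        if not senders:  # sent from outside the monitored network: original source
            return hops
        time, host, _, obj, _ = senders[0]

def verify_alert(events, pkt):
    """Zero Configuration Snort check: keep an alert only if the alerted packet is
    causally upstream of a process created running as root.
    Returns (confirmed, hosts reached, root processes created)."""
    downstream = forward_track(events, pkt, 0)
    hosts = {ev[1] for ev in downstream}
    new_root = {ev[4] for ev in downstream
                if ev[2] in ("fork", "exec") and ev[4] in ROOT_PROCS}
    return bool(new_root), sorted(hosts), sorted(new_root)

if __name__ == "__main__":
    print("upstream hops:", track_upstream(EVENTS, "B/proc:backdoor", 34, "B"))
    for pkt in ("pkt:192.0.2.9>10.0.0.1:4242", "pkt:10.0.0.3>10.0.0.1:1001"):
        print(pkt, "->", verify_alert(EVENTS, pkt))
```

Run as-is, the upstream walk from the backdoor on host B stops at the packet that hit httpd on host A from 192.0.2.9, since no monitored host sent it; the alert on that packet is confirmed because forward tracking reaches root processes on both hosts, while the alert on the benign FTP packet is discarded because nothing downstream of it ever runs as root. The time thresholds matter: backtracking httpd as of time 15 does not pull in the exploit packet received at time 20, which is what keeps the slices from collapsing into the whole log.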
[Figure: dependency graph. Legend: process, file, socket; detection point, causal event.]
Conclusions
• Can use causality to provide context for intrusion alerts
– Follow multi-host attacks
– Correlate IDS alerts
• Causality effective mechanism for adding context to intrusion alerts

Questions