CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger

CSE 543 - Computer Security (Fall 2006)
Lecture 20 - Intrusion Detection
November 14, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/

Slide 2: Intrusion Detection (def. by Forrest)
• An IDS finds anomalies
• "The IDS approach to security is based on the assumption that a system will not be secure, but that violations of security policy (intrusions) can be detected by monitoring and analyzing system behavior." [Forrest 98]
• However you do it, it requires
  – Training the IDS (training)
  – Looking for anomalies (detection)
• This is an explosive area in computer security that has led to lots of new tools, applications, and industry

Slide 3: Intrusion Detection Systems
• IDSs claim to detect an adversary while the attack is in progress
  – Monitor operation
  – Trigger a mitigation technique on detection
  – Monitor: network, host, or application events
• Tools that discover intrusions "after the fact" are called forensic analysis tools
  – E.g., from system logfiles
• "IDS" really refers to two kinds of detection technology
  – Anomaly detection
  – Misuse detection

Slide 4: Anomaly Detection
• Compares a profile of normal system operation to the monitored state
• Hypothesis: any attack causes enough deviation from the profile (generally true?)
• Q: How do you derive normal operation?
  – AI: learn operational behavior from training data
  – Expert: construct the profile from domain knowledge
  – Black-box analysis (vs. white or grey?)
• Q: Will a profile from one environment be good for others?
• Pitfall: false learning

Slide 5: Sequences of System Calls
• Forrest et al., early-to-mid 90s: understand the characteristics of an intrusion
• Idea: match the sequence of system calls against profiles
  – n-grams of system-call sequences (learned)
• Match sliding windows of sequences
  – If a window is not found in the profile, trigger an anomaly
  – If it is found, it is normal (w.r.t. the learned sequences)
• Use n-grams of length 5, 6, 11
[Figure: an event stream (WRITE READ WRITE SEND SEND) matched window by window against a profile (READ WRITE SEND)]

Slide 6: Analyzing IDS Effectiveness
                           Reality
  Detection result     T (intrusion)      F (no intrusion)
  T (flagged)          True positive      False positive
  F (not flagged)      False negative     True negative
• What constitutes an intrusion/anomaly is really just a matter of definition
  – A system can exhibit all sorts of behavior
• Quality is determined by consistency with a given definition
  – Context sensitive
[Figure: behavior classes labelled Abnormal, Normal, Legal]

Slide 7: Evaluating Forrest et al.
• The qualitative measure of detection is the departure of the trace from the database of n-grams
• Further, they measure how far a particular n-gram i departs by computing its minimum Hamming distance from the database:
    dmin = min( d(i,j) | for all normal j in the n-gram database )
  This is called the anomaly signal.
• Result: on lpr, sendmail, etc.
  – About .05-.07% false positive rates
  – And SA = maximum dmin ≈ .04
• Is this good?

Slide 8: Specification-Based Policy
• Really a subset of anomaly detection
• Twist: the program must adhere to a policy (e.g., n-grams)
• E.g., systrace, where the n-grams are singletons [Provos 2003]

Slide 9: Misuse Detection
• Profile signatures of known attacks
• Monitor operational state for the signatures
• Hypothesis: attacks of the same kind have enough similarity to distinguish them from normal behavior
• Q: Where do these signatures come from?
  – Record: recorded progression of known attacks
  – Expert: domain knowledge
  – AI: learn by negative and positive feedback

Slide 10: Intrusion Detection
• Monitor for illegal or inappropriate access to or use of resources
  – Reading, writing, or forwarding of data
  – DoS
• Hypothesis: resources are not adequately protected by the infrastructure
• Often less effective at detecting attacks
• Buttress existing infrastructure with checks
  – Validating/debugging policy
  – Detects inadvertent, often catastrophic, human errors
    – The "rm -rf /" issue
• Q: Who is the intruder?

Slide 11: "Gedanken experiment"
• Assume a very good anomaly detector (99%)
• And a pretty constant attack rate, where 1 out of 10,000 observed events is malicious
• Are you going to detect the adversary well?

Slide 12: Bayes' Rule
• Pr(x): probability of event x
  – Pr(sunny) = .8 (80% chance of a sunny day)
• Pr(x|y): probability of x given y (conditional probability)
  – Pr(cavity|toothache) = .6: 60% chance of a cavity given that you have a toothache
• Bayes' rule (of conditional probability):
    Pr(B|A) = Pr(A|B) Pr(B) / Pr(A)
• Now: Pr(cavity) = .5, Pr(toothache) = .1

Slide 13: The (Base-Rate) Bayesian Fallacy
• Setup
  – Pr(T) is the attack probability, 1/10,000: Pr(T) = .0001
  – Pr(F) is the probability of an event being flagged, unknown
  – Pr(F|T) is 99% accurate (much higher than most known techniques): Pr(F|T) = .99
• Deriving Pr(F)
    Pr(F) = Pr(F|T) Pr(T) + Pr(F|!T) Pr(!T)
    Pr(F) = (.99)(.0001) + (.01)(.9999) = .010098
• Now, what's Pr(T|F)?

Slide 14: The Bayesian Fallacy (cont.)
• Now plug it into Bayes' rule:
    Pr(T|F) = Pr(F|T) Pr(T) / Pr(F) = (.99)(.0001) / .010098 ≈ .0098
• So, a 99% accurate detector leads to ...
  – 1% accurate detection
  – With roughly 100 false positives per true positive (.009999 / .000099 = 101 with these numbers)
• This is a central problem with ID
  – Suppression of false positives is the real issue
  – Open question; makes some systems unusable

Slide 15: Where is Anomaly Detection Useful?
  System   Attack density   Detector flagging   Detector accuracy   True positives
           P(T)             Pr(F)               Pr(F|T)             P(T|F)
  A        0.1                                  0.65
  B        0.001                                0.99
  C        0.1                                  0.99
  D        0.00001                              0.99999
  Pr(B|A) = Pr(A|B) Pr(B) / Pr(A)

Slide 16: Where is Anomaly Detection Useful? (cont.)
  System   Attack density   Detector flagging   Detector accuracy   True
           P(T)             Pr(F)               Pr(F|T)
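The n-gram profile of slide 5 and the Hamming-distance anomaly signal of slide 7, worked through as an added example (this is not the lecture's or the original paper's code). The training traces, the window length n = 3, the "program" they come from and the test traces are all constructed by hand for a hypothetical file-reading program; the real work used windows of 5, 6 and 11 over lpr and sendmail. The signal SA is max dmin divided by the window length so it lies in [0, 1]; a trace made only of known n-grams scores zero.

```python
"""Sliding-window system-call anomaly detection in the style of Forrest et al.

Added example: a toy reimplementation of the n-gram profile and the
Hamming-distance anomaly signal described on slides 5 and 7. It is not
the lecture's or the original paper's code, and the traces below are
constructed by hand for a hypothetical program.
"""
from typing import Iterable, Sequence

SysCall = str
Window = tuple  # a length-n tuple of system-call names


def ngrams(trace: Sequence[SysCall], n: int) -> list:
    """All length-n sliding windows over a system-call trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train_profile(normal_traces: Iterable[Sequence[SysCall]], n: int) -> set:
    """Normal profile = the set of every n-gram seen in the training traces."""
    profile = set()
    for trace in normal_traces:
        profile.update(ngrams(trace, n))
    return profile


def hamming(a: Window, b: Window) -> int:
    """Number of positions at which two equal-length windows differ."""
    return sum(x != y for x, y in zip(a, b))


def anomaly_signal(trace: Sequence[SysCall], profile: set, n: int) -> tuple:
    """Score a trace against the profile.

    Returns (mismatches, max_dmin, SA):
      mismatches - windows of the trace not present in the profile
      max_dmin   - largest minimum Hamming distance of any mismatched window
                   to the profile, i.e. max over i of dmin = min d(i, j)
                   for all normal j
      SA         - max_dmin normalized by the window length, so 0 <= SA <= 1
    A trace containing only known n-grams scores (0, 0, 0.0).
    """
    mismatches = 0
    max_dmin = 0
    for window in ngrams(trace, n):
        if window in profile:
            continue  # known-normal window: contributes nothing
        mismatches += 1
        dmin = min(hamming(window, known) for known in profile)
        max_dmin = max(max_dmin, dmin)
    return mismatches, max_dmin, max_dmin / n


# Constructed training data: three normal runs of a hypothetical file-reading program.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close"],
    ["open", "read", "read", "close"],
    ["open", "mmap", "read", "close", "exit"],
]
N = 3
PROFILE = train_profile(NORMAL_TRACES, N)

# Constructed test traces: a known-normal run, a small deviation, and an
# injected-shell-style sequence the program never legitimately makes.
NORMAL_RUN = ["open", "read", "mmap", "mmap", "close"]
SLIGHT_DEVIATION = ["open", "read", "mmap", "close"]
ATTACK_RUN = ["open", "read", "execve", "setuid", "socket"]

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_RUN), ("deviation", SLIGHT_DEVIATION), ("attack", ATTACK_RUN)]:
        mismatches, max_dmin, sa = anomaly_signal(trace, PROFILE, N)
        print(f"{name:10s} mismatches={mismatches} max_dmin={max_dmin} SA={sa:.2f}")
```

The deviation trace shows why the threshold on SA matters: one unseen window whose nearest normal neighbour differs in a single call gives SA = 1/3, while the execve/setuid/socket run has a window with no call in common with anything in the profile and saturates at SA = 1.0. A profile trained on too few runs will also produce SA = 1/3-style scores for perfectly legitimate paths, which is the "false learning" pitfall of slide 4 and the source of the false positives measured on slide 7.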
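The base-rate calculation of slides 13 and 14, and the two blank columns of the slide 15 table, worked out as an added example (not the lecture's code). It carries over the slide 13 reading of "p accurate" as Pr(F|T) = p with a false-alarm rate Pr(F|!T) = 1 - p; that symmetric reading is an assumption, so the function also accepts an explicit Pr(F|!T) for detectors whose false-alarm rate is known separately. The system rows are the slide's numbers, entered here by hand.

```python
"""The base-rate fallacy for intrusion detection, worked out with Bayes' rule.

Added example, not from the lecture: it reproduces the slide-13/14
calculation and fills in the two blank columns of the slide-15 table.
Assumption carried over from slide 13: a detector that is "p accurate"
has Pr(F|T) = p and a false-alarm rate Pr(F|!T) = 1 - p.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class DetectorOdds:
    p_flag: float                # Pr(F): probability an arbitrary event is flagged
    precision: float             # Pr(T|F): probability a flagged event is an attack
    false_alarms_per_hit: float  # expected false positives for each true positive


def bayes(p_attack: float, p_flag_given_attack: float,
          p_flag_given_benign: Optional[float] = None) -> DetectorOdds:
    """Apply Pr(T|F) = Pr(F|T) Pr(T) / Pr(F), with Pr(F) by total probability."""
    if p_flag_given_benign is None:
        # Slide-13 reading of "accuracy": misses and false alarms both at 1 - p (assumption).
        p_flag_given_benign = 1.0 - p_flag_given_attack
    p_benign = 1.0 - p_attack
    true_hits = p_flag_given_attack * p_attack     # Pr(F|T) Pr(T)
    false_hits = p_flag_given_benign * p_benign    # Pr(F|!T) Pr(!T)
    p_flag = true_hits + false_hits                # Pr(F)
    return DetectorOdds(p_flag=p_flag,
                        precision=true_hits / p_flag,
                        false_alarms_per_hit=false_hits / true_hits)


# Slide-15 rows, entered by hand: name -> (attack density P(T), detector accuracy Pr(F|T)).
# The Pr(F) and P(T|F) columns are what fill_table() computes.
SYSTEMS = {
    "A": (0.1, 0.65),
    "B": (0.001, 0.99),
    "C": (0.1, 0.99),
    "D": (0.00001, 0.99999),
}


def fill_table(systems=SYSTEMS) -> Dict[str, DetectorOdds]:
    """Compute the blank columns for every system row."""
    return {name: bayes(p_t, p_f_given_t) for name, (p_t, p_f_given_t) in systems.items()}


if __name__ == "__main__":
    base = bayes(0.0001, 0.99)
    print(f"slides 13/14: Pr(F)={base.p_flag:.6f} Pr(T|F)={base.precision:.4f} "
          f"false alarms per true positive={base.false_alarms_per_hit:.0f}")
    for name, odds in fill_table().items():
        print(f"system {name}: Pr(F)={odds.p_flag:.6f} Pr(T|F)={odds.precision:.3f} "
              f"false alarms per true positive={odds.false_alarms_per_hit:.1f}")
```

Two rows answer the slide's question. System C has the same 99% detector as the slide-13 example but an attack density of 0.1, and its flagged events are attacks more than 90% of the time; system B keeps the detector and drops the density to 0.001, and precision falls to about 9%. Anomaly detection is useful where attacks are dense relative to the detector's false-alarm rate, not where the detector is merely "accurate".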