USTAT: A Real-time Intrusion Detection System for UNIX
By: Koral Ilgun
01/14/19

Overview:
- Introduction to USTAT -- State Transition Analysis Tool for Unix
- Key issues
- System components
- Implementation issues
- Evaluation of USTAT

Introduction to USTAT
- Misuse detector
- A penetration is (viewed as) a sequence of signature actions and a corresponding sequence of state changes that lead the computer from some initial state to a target compromised state
- Basic properties of USTAT:
  - Real-time expert-system intrusion detection tool
  - Rule-based analysis
  - Only for known penetrations
  - Targets abusive insiders

Comparison between USTAT and other intrusion detection systems
- Statistical anomaly detection: threshold detection; profile-based
- Rule-based misuse detection: it is an expert system
- Most current intrusion detection tools employ both the anomaly detection and the (rule-based) misuse detection components

State Transition Analysis
- View a penetration as a (known) sequence of actions that leads through states S1, S2, ..., Sn, from an initial (limited, authorized) access state S1 to a final compromised state Sn

State Transition Analysis (cont)
- A state really represents some attribute of the system, not the whole system state
- A state is generic, e.g. "user is now root"
- The penetration sequence is represented by a finite state machine: a node is a state, an arc is an action (or transition)

Examples:
  % ln target -x
  % -x
- File 'target' is root's setuid shell script that contains the #!/bin/sh mechanism
- State diagram: [euid(user) = not root] --(user creates link)--> [link established] --(user executes file)--> [euid(user) = root]

Examples (cont):
1. Attacker creates a hard link starting with a dash to root's setuid shell script that contains the #!/bin/sh mechanism
2. Attacker executes "-x"
Insight:
- Creating a hard link ==> a new directory entry is created with the target's original privileges and ownership information
- The target can be accessed via any link to it
- Executing a shell script containing #!/bin/sh invokes a sub-shell
- The sub-shell becomes interactive (because of the "-")
- The attacker is thus executing a setuid file owned by root, so the shell has an effective ID of root

Examples (cont):
- Two actions/transitions: make hardlink; execute "-x"
- Three states:
  - Initial state: euid = user (not root)
  - Intermediate state: hardlink established
  - Final compromise state: euid != user, i.e. a user (non-root) running an interactive shell with an effective user id of root

Features of USTAT
- Preempts attacks:
  - USTAT monitors state transitions (note that they can span multiple sessions)
  - It foresees impending compromise, at least one transition away
- Recognizes cooperative attacks:
  - Note that USTAT is not tied to users or processes; it reflects the state of the system
  - So it can detect a state resulting from actions by multiple users

USTAT input
- Audit records of the form <subject, action, object>
- Subject is <real userID, effective userID, groupID>
- Action is <action, time, processID>
- Object is <object name, permissions, owner, group owner, inode #, device #, file systemID, target>
- All information can be obtained directly from Unix audit records

USTAT input (cont)
- Unix audits 239 event types
- Only 28 are useful to USTAT
- They are mapped down to 10 USTAT action types
- Filters out all failed command events early, i.e. all the events with a return value of -1

USTAT simplifications (cont)
- All (audited) actions are mapped to a small set: read, write, create, execute, exit, delete, modify-owner, rename, modify-permission, hardlink
- Files are categorized into 5 "filesets"; e.g. all files that should not be accessed via regular utilities (because they hold sensitive data) are mapped to "Fileset1"

USTAT monitoring
- Monitors for all known penetrations simultaneously
- Finite state machine for each known penetration
- Maintains state tables:
  - A row represents an instance of a not-yet-completed penetration
  - A column represents a state in the penetration scenario
  - A cell holds detailed info, e.g. userID, actual file names, etc.

USTAT INITIAL state table
- One row for each known penetration, i.e. each possible penetration is in its initial state
- The initial action/transition for each is anticipated
- The Inference Engine accepts audit input
- For each row, it asks: does this audit event match the "next transition" anticipated for this row, such that the next state is satisfied?
- If so, duplicate the row and mark the "details" for the now-satisfied state

Decision Engine
- Informs the sys admin about the results of the inference engine: Is compromise about to occur? Has compromise occurred?
- Plays an active role in preempting the attack! However, note that USTAT input comes from the OS (Unix) audit log

Strength and weakness of USTAT
Strengths:
- Flexibility
- Real-time: preempts the attack before the system is damaged
- Detects cooperative attacks
Weakness: cannot cope with the following attacks:
- Manipulation of components outside the system's execution domain, e.g. wiretapping
- Denial of service attacks
- Failures

Evaluation of USTAT
- The massive amount of data collected by the audit daemon limited extensive testing
- The limiting factor is the transfer rate of the disk, which is used extensively by both USTAT and the audit daemon
- USTAT functionality costs 13% of the machine
- The papers do not indicate the number of penetrations that can be described as a state transition diagram

NSTAT: USTAT for Distributed Systems
- Similar "state-based" approach
- Input: audit data from multiple hosts
- Objective: detect coordinated attacks
- A central server processes the input
- Time: how to deal with skewed clocks?
- Vulnerability of the NSTAT server

Compare!
- Tripwire: integrity of file data
- GrIDS: graph nodes (or accumulated groups of nodes) with arcs depicting message traffic
- USTAT: monitor for known penetrations, tracking state changes that progress toward
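The inference engine's state table from the "USTAT monitoring" and "USTAT INITIAL state table" slides, applied to the ln/-x scenario from the "Examples" slides, as an added Python sketch; it is not code from the original slides or from USTAT itself, and the AuditRecord fields, the transition predicates and the sample records are constructed simplifications of USTAT's <subject, action, object> input.

```python
from dataclasses import dataclass
# Constructed audit record in USTAT's <subject, action, object> shape, reduced to
# the fields this scenario needs (an assumed simplification, not USTAT's real format).
@dataclass(frozen=True)
class AuditRecord:
    euid: str             # subject: effective user id
    action: str           # one of USTAT's mapped action types, e.g. "hardlink", "execute"
    obj: str              # object name (for hardlink: the new link name)
    target: str = ""      # for hardlink: the existing file being linked to
    target_setuid_root_sh: bool = False  # target is root's setuid #!/bin/sh script

# Transition predicates: return the "details" to record in the state-table cell
# when the audit event satisfies the anticipated transition, else None.
def t_hardlink(rec, details):
    if (rec.action == "hardlink" and rec.target_setuid_root_sh
            and rec.obj.startswith("-") and rec.euid != "root"):
        return {"linker": rec.euid, "link": rec.obj, "target": rec.target}
    return None

def t_execute(rec, details):
    # Not tied to the user who made the link: any non-root user executing it
    # completes the scenario, which is how cooperative attacks are recognised.
    if rec.action == "execute" and rec.obj == details["link"] and rec.euid != "root":
        return {**details, "executor": rec.euid, "euid_after": "root"}
    return None

HARDLINK_SCENARIO = [t_hardlink, t_execute]  # states 0 (initial) .. 2 (compromised)

def run_inference(records, transitions):
    """One state table: each row is an instance of a not-yet-completed penetration;
    a matching audit event duplicates the row one state ahead with its details.
    Returns (alerts, rows); an alert is ("IMPENDING" | "COMPROMISE", details)."""
    final = len(transitions)
    rows = [(0, {})]                 # initial table: the scenario in its initial state
    alerts = []
    for rec in records:
        spawned = []
        for state, details in rows:
            if state == final:
                continue             # already compromised; nothing left to anticipate
            new = transitions[state](rec, details)
            if new is None:
                continue
            spawned.append((state + 1, new))
            if state + 1 == final:
                alerts.append(("COMPROMISE", new))
            elif state + 1 == final - 1:
                alerts.append(("IMPENDING", new))  # one transition away from compromise
        rows.extend(spawned)
    return alerts, rows
```

The IMPENDING alert is the decision engine's "is compromise about to occur?" signal: it fires on the hardlink event, before the execute that completes the scenario.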