Systems and Internet Infrastructure Security
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park, PA

CMPSC443 Introduction to Computer and Network Security
Module: Intrusion Detection
Professor Patrick McDaniel
Spring 2009
CMPSC443 Introduction to Computer and Network Security Page 1

Intrusion
- An authorized action ...
- ... that can lead to a vulnerability ...
- ... that turns into a compromise ...
- ... and an attack.
- Authentication and access control are no help.

Types of Intrusions
- Network
  - Malformed and unauthenticated packet
  - Let through the firewall
  - Reaches the network-facing daemon
  - Can we detect intrusions from packet contents?
- Host
  - Input to daemon
  - Triggers a vulnerability (buffer overflow)
  - Injects attacker code
  - Performs malicious action
  - Can we detect intrusions from process behavior?

Intrusion Detection (def. by Forrest)
- An IDS system finds anomalies.
- "The IDS approach to security is based on the assumption that a system will not be secure, but that violations of security policy (intrusions) can be detected by monitoring and analyzing system behavior." [Forrest 98]
- However you do it, it requires:
  - Training the IDS (training)
  - Looking for anomalies (detection)
- This is an explosive area in computer security that has led to lots of new tools, applications, and industry.

Intrusion Detection Systems
- IDSs claim to detect the adversary while they are in the act of attack:
  - Monitor operation
  - Trigger a mitigation technique on detection
  - Monitor network or host (application) events
- A tool that discovers intrusions after the fact is called a forensic analysis tool (e.g., working from system logfiles).
- IDSs really refer to two kinds of detection technologies:
  - Anomaly detection
  - Misuse detection

Anomaly Detection
- Compares a profile of normal
  systems operation to the monitored state.
- Hypothesis: any attack causes enough deviation from the profile (generally true?)
- Q: How do you derive normal operation?
  - AI: learn operational behavior from training data
  - Expert: construct the profile from domain knowledge
  - Black-box analysis vs. white or grey box
- Q: Will a profile from one environment be good for others?
- Pitfall: false learning

Misuse Detection
- Profile signatures of known attacks
- Monitor the operational state for a signature
- Hypothesis: attacks of the same kind have enough similarity to distinguish them from normal behavior
- Q: Where do these signatures come from?
  - Record: recorded progression of known attacks
  - Expert: domain knowledge
  - AI: learn by negative and positive feedback

The Confusion Matrix
- What constitutes an intrusion (anomaly) is really just a matter of definition: abnormal, normal, legal. A system can exhibit all sorts of behavior.

                      Detection Result
                      T                 F
  Reality    T        True Positive     False Negative
             F        False Positive    True Negative

- Quality is determined by consistency with a given definition: context sensitive.

Sequences of System Calls
- Forrest et al. in the early-to-mid 90s: understand the characteristics of an intrusion.
- Event stream:   WRITE READ WRITE SEND
- Attack profile: READ WRITE SEND SEND
- Idea: match sequences of system calls with profiles
  - n-grams of system call sequences (learned)
  - Match sliding windows of sequences
  - If a window is not found, then trigger an anomaly
  - If found, then it is normal (w.r.t. learned sequences)
  - Use n-grams of length 5, 6, 11

Evaluating Forrest et al.
- The qualitative measure of detection is the departure of the trace from the database of n-grams.
- Further, they measure how far a particular n-gram i departs by computing the minimum Hamming distance of the sample from the database:
    d_min(i) = min d(i, j) for all normal j in the n-gram database
  This
  is called the anomaly signal.
- Result on lpr, sendmail, etc.:
  - About .05-.07 false positive rates
  - And S_A (maximum d_min) = .04
- Is this good?

Gedanken Experiment
- Assume a very good anomaly detector (99%)
- And a pretty constant attack rate, where you can observe that 1 out of 10,000 events is malicious
- Are you going to detect the adversary well?

Bayes' Rule
- Pr(x): probability of event x
  - Pr(sunny) = .8 (80% chance of a sunny day)
- Pr(x|y): probability of x given y (conditional probability)
  - Pr(cavity|toothache) = .6 (60% chance of a cavity given you have a toothache)
- Bayes' Rule of conditional probability:
    Pr(A|B) = Pr(B|A) * Pr(A) / Pr(B)

The Base Rate (Bayesian) Fallacy
- Setup:
  - Pr(T) is the attack probability, 1/10,000: Pr(T) = .0001
  - Pr(F) is the probability of an event flagging: unknown
  - Pr(F|T) is 99% accurate (higher than most techniques):
      Pr(F|T) = .99      Pr(¬F|T) = .01
      Pr(F|¬T) = .01     Pr(¬F|¬T) = .99
- Deriving Pr(F):
    Pr(F) = Pr(F|T) * Pr(T) + Pr(F|¬T) * Pr(¬T)
          = .99 * .0001 + .01 * .9999
          = .010098
- Now what's Pr(T|F)?

The Bayesian Fallacy
- Now plug it in to Bayes' Rule:
    Pr(T|F) = Pr(F|T) * Pr(T) / Pr(F) = .99 * .0001 / .010098 ≈ .0098
- So a 99% accurate detector leads to 1% accurate detection
  - With 99 false positives per true positive
- This is a central problem with ID
  - Suppression of false positives is the real issue
  - Open question: makes some systems unusable

Where is Anomaly Detection Useful?

  System   Attack Density   Detector Flagging   Detector Accuracy   True Positives
           P(T)             Pr(F)               Pr(F|T)             P(T|F)
  A        0.1              -                   0.65                -
  B        0.001            -                   0.99                -
  C        0.1              -                   0.99                -
  D        0.00001          -                   0.99999             -

  Pr(A|B) = Pr(B|A) * Pr(A) / Pr(B)

Where is Anomaly Detection Useful? (with Pr(F) and P(T|F) filled in)

  System   Attack Density   Detector Flagging   Detector Accuracy   True Positives
           P(T)             Pr(F)               Pr(F|T)             P(T|F)
  A        0.1              0.38                0.65                0.171
  B        0.001            0.01098             0.99                0.090164
  C        0.1              0.108               0.99                0.911667
  D        0.00001          0.00002             0.99999             0.5

  Pr(A|B) = Pr(B|A) * Pr(A) / Pr(B)
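The base-rate arithmetic of the gedanken experiment and the "Where is Anomaly Detection Useful?" table, worked through in code. This is an added example, not code from the lecture; it assumes, as the slides do when filling in the Pr(F|T) / Pr(F|¬T) table, that the detector's false-alarm rate on benign events is 1 - Pr(F|T) unless a separate value is supplied. Recomputing the table reproduces rows A, B and D; for row C the arithmetic gives 0.099 / 0.108 ≈ 0.9167 rather than the slide's 0.911667. For the 1-in-10,000 setup, about 1% of alarms are real, roughly a hundred false alarms per true one (the exact ratio with these numbers is 101).

```python
"""Base-rate (Bayesian fallacy) arithmetic for an intrusion detector.

Added example; all inputs are constructed from the lecture's numbers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DetectorOutcome:
    p_flag: float               # Pr(F): fraction of events that raise an alarm
    p_attack_given_flag: float  # Pr(T|F): fraction of alarms that are real
    fp_per_tp: float            # expected false alarms per true alarm


def evaluate(p_attack: float, p_flag_given_attack: float,
             p_flag_given_benign: Optional[float] = None) -> DetectorOutcome:
    """Apply total probability and Bayes' rule to one detector/system pair.

    p_attack             Pr(T), the attack density (base rate)
    p_flag_given_attack  Pr(F|T), the detector's accuracy on attacks
    p_flag_given_benign  Pr(F|not T); defaults to 1 - Pr(F|T) as on the slides
    """
    if not (0.0 <= p_attack <= 1.0 and 0.0 <= p_flag_given_attack <= 1.0):
        raise ValueError("probabilities must lie in [0, 1]")
    if p_flag_given_benign is None:
        p_flag_given_benign = 1.0 - p_flag_given_attack
    p_benign = 1.0 - p_attack
    # Total probability: Pr(F) = Pr(F|T) Pr(T) + Pr(F|not T) Pr(not T)
    true_alarms = p_flag_given_attack * p_attack
    false_alarms = p_flag_given_benign * p_benign
    p_flag = true_alarms + false_alarms
    if p_flag == 0.0:
        raise ValueError("detector never flags anything; Pr(T|F) is undefined")
    # Bayes' rule: Pr(T|F) = Pr(F|T) Pr(T) / Pr(F)
    p_attack_given_flag = true_alarms / p_flag
    fp_per_tp = false_alarms / true_alarms if true_alarms else float("inf")
    return DetectorOutcome(p_flag, p_attack_given_flag, fp_per_tp)


# The slides' four systems as (name, Pr(T), Pr(F|T)); taken from the table.
SYSTEMS = [
    ("A", 0.1, 0.65),
    ("B", 0.001, 0.99),
    ("C", 0.1, 0.99),
    ("D", 0.00001, 0.99999),
]


def anomaly_detection_table():
    """Recompute Pr(F) and Pr(T|F) for every row of the slide's table."""
    return {name: evaluate(p_t, p_f_t) for name, p_t, p_f_t in SYSTEMS}


def alarms_per_day(p_attack, p_flag_given_attack, events_per_day):
    """The analyst-facing view: total alarms per day, and how many are real."""
    out = evaluate(p_attack, p_flag_given_attack)
    total = out.p_flag * events_per_day
    real = out.p_attack_given_flag * total
    return round(total), round(real)


if __name__ == "__main__":
    g = evaluate(0.0001, 0.99)  # the gedanken experiment: 99% detector, 1 in 10,000 attacks
    print(f"Pr(F) = {g.p_flag:.6f}  Pr(T|F) = {g.p_attack_given_flag:.4f}  "
          f"false alarms per true alarm = {g.fp_per_tp:.0f}")
    for name, out in anomaly_detection_table().items():
        print(f"{name}: Pr(F) = {out.p_flag:.5f}  Pr(T|F) = {out.p_attack_given_flag:.6f}")
    print("alarms per day at 1,000,000 events (total, real):",
          alarms_per_day(0.0001, 0.99, 1_000_000))
```

The `alarms_per_day` view is the number that decides whether a detector is deployable: at a million events a day the gedanken detector raises about ten thousand alarms, of which about a hundred are attacks, which is exactly the false-positive suppression problem the slides call the central issue.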
The ROC Curve
- Receiver operating characteristic
- A curve that shows the detection / false positive ratio
- Ideal?
- Axelsson talks about the real problem with some authority and shows how this is not unique to CS: medical, criminology (think Super Bowl), financial, ...

Example ROC Curve
- You are told to design an intrusion detection algorithm that identifies vulnerabilities by solely looking at
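A Forrest-style system-call n-gram detector, serving both the "Sequences of System Calls" / "Evaluating Forrest et al." slides and the ROC slide: it learns the database of sliding windows from normal traces, computes d_min (minimum Hamming distance to any normal n-gram) and the anomaly signal S_A for a new trace, and then sweeps a threshold on S_A over labelled traces to produce ROC points. This is an added example, not the course's code or the Forrest et al. implementation. The traces, the system call names, the window length of 5 and the normalisation of S_A by the window length are all constructed or assumed for this illustration; a real deployment would trace the daemon under normal load to build the database.

```python
"""Forrest-style n-gram anomaly detection over system-call traces, plus a
ROC sweep over the anomaly-signal threshold.  Added example; traces are
constructed, not real process traces.
"""

NGRAM_LEN = 5  # one of the window lengths the slides mention (5, 6, 11)


def ngrams(trace, k=NGRAM_LEN):
    """Sliding windows of k consecutive system calls."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def train(normal_traces, k=NGRAM_LEN):
    """Database of every n-gram observed during normal operation."""
    db = set()
    for t in normal_traces:
        db.update(ngrams(t, k))
    return db


def hamming(a, b):
    """Positions at which two equal-length n-grams differ."""
    return sum(x != y for x, y in zip(a, b))


def anomaly_signal(trace, db, k=NGRAM_LEN):
    """Return (mismatch count, S_A) for a trace.

    mismatch count: windows absent from the database (the basic Forrest test).
    S_A: the maximum over windows of d_min, the minimum Hamming distance to
    any normal n-gram, normalised by k so it lies in [0, 1] (assumption).
    """
    if not db:
        raise ValueError("empty n-gram database")
    mismatches, max_dmin = 0, 0
    for g in ngrams(trace, k):
        if g in db:
            continue  # seen during training: normal w.r.t. learned sequences
        mismatches += 1
        dmin = min(hamming(g, normal) for normal in db)
        max_dmin = max(max_dmin, dmin)
    return mismatches, max_dmin / k


def roc_points(labelled_traces, db, k=NGRAM_LEN):
    """(threshold, FPR, TPR) for every distinct S_A value, highest first.

    labelled_traces: list of (trace, is_attack).  A trace is flagged when its
    S_A >= threshold; sweeping the threshold traces out the ROC curve.
    """
    scored = [(anomaly_signal(t, db, k)[1], a) for t, a in labelled_traces]
    n_attack = sum(1 for _, a in scored if a)
    n_benign = len(scored) - n_attack
    points = []
    for thr in sorted({s for s, _ in scored}, reverse=True):
        tp = sum(1 for s, a in scored if a and s >= thr)
        fp = sum(1 for s, a in scored if not a and s >= thr)
        points.append((thr, fp / n_benign, tp / n_attack))
    return points


# Constructed traces of a small request-serving loop (illustrative call names).
NORMAL_TRACES = [
    "accept read stat open read write close accept read write close".split(),
    "accept read open read write close accept read stat write close".split(),
]
BENIGN_TEST = "accept read stat open read write close accept read stat write close".split()
BENIGN_NOVEL = "accept read open read stat write close".split()           # unseen but plausible
ATTACK = "accept read read read execve dup2 dup2 socket connect".split()  # injected-code shape
ATTACK2 = "accept read read read read write close".split()                # subtler deviation

LABELLED = [(BENIGN_TEST, False), (BENIGN_NOVEL, False), (ATTACK, True), (ATTACK2, True)]


def demo():
    db = train(NORMAL_TRACES)
    return {name: anomaly_signal(t, db) for name, t in
            [("benign", BENIGN_TEST), ("benign-novel", BENIGN_NOVEL),
             ("attack", ATTACK), ("attack2", ATTACK2)]}, roc_points(LABELLED, db)


if __name__ == "__main__":
    signals, roc = demo()
    for name, (mismatches, s_a) in signals.items():
        print(f"{name:13s} mismatches={mismatches} S_A={s_a:.2f}")
    for thr, fpr, tpr in roc:
        print(f"threshold {thr:.2f}: FPR={fpr:.2f} TPR={tpr:.2f}")
```

The sweep makes the ROC trade-off concrete: the flagrant trace scores S_A = 1.0 and is caught with no false positives, but the subtler attack and the unseen-but-benign trace both score 0.4, so lowering the threshold to catch the second attack also flags the benign trace. Which point on that curve is acceptable depends on the base rate from the Bayes slides, not on the detector alone.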