Page 1

ALGEBRA FOR CAPABILITY BASED ATTACK CORRELATION
WISTP 2008
(PowerPoint presentation, 37 slides)
Page 2

OUTLINE

• Introduction
• Capability Model
• Algebraic structures of the Capability model
• Alert correlation using the Capability model
• Conclusion

Page 3

INTRODUCTION

• Increasing security concern: more sensitive data is stored than before
• Increasing use of sophisticated attack tools and their automation (CERT's overview of attack trends, 04-18-02)
• IDS: the most widely used security and surveillance monitoring tool for the network infrastructure

Page 4

INTRODUCTION

Attack correlation techniques, classified by reasoning type and by how the correlation knowledge is acquired:

Manual knowledge acquisition
  Reasoning type           Tools / techniques
  Rules-based              Prolog tools, SEC, ASAX
  Attack scenarios-based   LAMBDA (MIRADOR Project), AdeLe, JIGSAW, Hyper-alerts
  Uncertainty              Fuzzy Logic techniques, Possibilistic models, Dempster-Shafer Theory
  Temporal                 Chronicles
  Neural networks-based    Feed-forward Networks (BP based algorithms), Self-Organizing Maps
  Bayesian-belief          CIDS, EMERALD e-Bayes
  Others                   STAT, M2D2, IMPACT, M-Correlator (EMERALD)

Automatic knowledge acquisition
  Clustering techniques; Data Mining (Association rules, etc.): Log Weaver, SPICE

Source: Pouget, Fabien, and Marc Dacier. Alert correlation: Review of the state of the art. Technical Report EURECOM+1271, Institute Eurecom, France, Dec 2003.

Page 5

DRAWBACKS

• A state-based approach cannot handle missing alerts
• Intermediate redundant steps
• Attack variants

Page 6

EXAMPLE

Attack correlation using system state (example):
  Establish connection → Buffer overflow → Password file modified

Capability based (example):
  Can access a host → Have credential to use a service → Have root privilege

Zhou et al., Modeling Network Intrusion Detection Alerts for Correlation, ACM Transactions on Information and System Security, Vol. 10, No. 1, Article 4, February 2007.

Page 7

RELATED WORK

• Logical connections among alerts in an intrusion incident? The Requires/Provides model (JIGSAW, Templeton and Levitt, 2000)
• A systematic model to precisely define the logical relationship? The Capability model (Jingmin Zhou et al., Feb 2007)
• To make a mature capability model we need to know the basic characteristics of a capability in the context of attack correlation, i.e. to identify its algebraic properties

Page 8

CAPABILITY MODEL

• Alerts are mapped to capabilities (figure: alerts → capability of connection)
• A capability is a 6-tuple: source, destination, credential, action, service & property, time
• "From the source to the destination, [the attacker] can perform the action with the credential (on the property) of the service within a time interval"
• The attacker accumulates a capability set

Page 9

ATTRIBUTES (example values)

  Service      File Management, Database Management, ...
  Property     (of File Management) Path, Permission, ...
  Interval     From, Between, ...
  Action       Read, Block (block, delay, spoof, pause, abort, unblock), ...
  Credential   Updaters, Administrator, root, navneet, ...

Page 10

ACTION TYPE

  Action type    Action values
  Read           read, list, know, ...
  Write          create, modify, append, delete, ...
  Communicate    send, recv, connect, encrypt, decrypt
  Exec           invoke, exec, ...
  Block          block (not permitted to run), delay (slow down), spoof (can replace), pause (can be stopped at any time), abort (forcefully terminate), unblock

Page 11

DIRECT & INDIRECT CAPABILITY

(Network figure: an Intruder / External User on the INTERNET reaches, through a Router and a Firewall, a DMZ holding the Mail Server, Web Server and DNS Server, and the internal LAN)

Page 12

DIRECT AND INDIRECT CAPABILITY

(Figure: an attack attempt ends in Success or Failure; on success the attacker gains capabilities)

Direct capability
• Know a file exists
• Can open the file

Indirect capability
• Can use a credit card
• Can send fake mail
• Can masquerade as a benign user, etc.

Page 13

WHY THE NOTION OF TIME

Attacker A can read any file of machine M from his machine H using credential labUser:
  Capability: {source H, destination M, labUser, read, (file(all), content)}
  → unbounded validity period

User U has opened his email account between 10 AM and 11 AM:
  Capability: {source H, destination M, labUser, read, (file(email), content)}
  → bounded validity period, i.e. [10AM-11AM]

Page 14

ALGEBRAIC STRUCTURES

• Relations: Overlapped, Mutually Exclusive, Independent
• Operations: Join, Split, Reduce, Subtract
• Inference: Comparable Inference, Resultant Inference, Compromise Inference, External Inference

Page 15

OPERATIONS

Page 16

JOIN

(Figure: two capabilities are joined into one)

  (IP:10.20.5.2, IP:10.20.1.1, root, send, IIS, ftp, Time)
  (IP:10.20.5.2, IP:10.20.1.1, root, receive, IIS, ftp, Time)
  ⇒ (IP:10.20.5.2, IP:10.20.1.1, root, communicate, IIS, ftp, Time)

Page 17

JOIN

(figure)

Page 18

SPLIT

(Figure: one capability is split into two)

  (IP:10.20.5.2, IP:10.20.1.1, root, read and write, /etc/password, content, Tmp)
  ⇒ (IP:10.20.5.2, IP:10.20.1.1, root, read, /etc/password, content, Tmp)
  ⇒ (IP:10.20.5.2, IP:10.20.1.1, root, write, /etc/password, content, Tmp)

Page 19

REDUCE

(Figure: Reduce applied to C1 and C2; in the example below Cap1, held with credential root, subsumes Cap2, held with credential Bob)

Example:
  Cap1 = (SLab, Dlab, W, /home/Bob/xyz, content, root, Between:1997-07-16T19:20:30+01:00[+1H])
  Cap2 = (SLab, Dlab, W, /home/Bob/xyz, content, Bob, Between:1997-07-16T19:20:30+01:00[+1H])

Page 20

SUBTRACT

(figure)
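A worked example of the capability 6-tuple and of the Join, Split, Reduce and Subtract operations of pages 8-10, 13 and 16-20, written in Python for this page; it is added here and is not code from the paper or the slides. Assumed, because the slides do not fix them: the field order (source, destination, action set, service, property, credential, interval), the interval spellings `at:`, `from:` and `between:...[+nH]` taken from the slides' own examples, the wildcard property `all`, and a credential dominance rule under which root and Administrator contain any other credential (this is what makes the Reduce example of page 19 collapse to Cap1).

```python
"""Capability 6-tuples with validity intervals and the join / split / reduce / subtract operations."""
import re
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional

# Action values grouped by action type as in the page 10 table ("unbolck" read as unblock);
# "write" is added for the split example of page 18.
ACTION_TYPE = {
    **dict.fromkeys(["read", "list", "know"], "Read"),
    **dict.fromkeys(["write", "create", "modify", "append", "delete"], "Write"),
    **dict.fromkeys(["send", "recv", "connect", "encrypt", "decrypt"], "Communicate"),
    **dict.fromkeys(["invoke", "exec"], "Exec"),
    **dict.fromkeys(["block", "delay", "spoof", "pause", "abort", "unblock"], "Block"),
}
CRED_RANK = {"root": 1, "Administrator": 1}   # assumed: these dominate every other credential
INTERVAL_RE = re.compile(r"^(at|from|between):(\S+?)(?:\[\+(\d+)H\])?$", re.IGNORECASE)


@dataclass(frozen=True)
class Interval:
    start: Optional[datetime] = None   # None = unbounded on that side (page 13)
    end: Optional[datetime] = None

    def intersect(self, other: "Interval") -> Optional["Interval"]:
        lo = max((t for t in (self.start, other.start) if t), default=None)
        hi = min((t for t in (self.end, other.end) if t), default=None)
        return None if (lo and hi and lo > hi) else Interval(lo, hi)

    def contains(self, other: "Interval") -> bool:
        ok_start = self.start is None or (other.start is not None and self.start <= other.start)
        ok_end = self.end is None or (other.end is not None and other.end <= self.end)
        return ok_start and ok_end


def parse_interval(spec: str) -> Interval:
    """'at:<iso>' (instant), 'from:<iso>' (unbounded end), 'between:<iso>[+<n>H]' (bounded)."""
    m = INTERVAL_RE.match(spec)
    if not m:
        raise ValueError(f"bad interval spec: {spec!r}")
    kind, t = m.group(1).lower(), datetime.fromisoformat(m.group(2))
    if kind == "at":
        return Interval(t, t)
    if kind == "from":
        return Interval(t, None)
    return Interval(t, t + timedelta(hours=int(m.group(3) or 0)))


@dataclass(frozen=True)
class Capability:
    source: str
    destination: str
    actions: FrozenSet[str]   # one action value, or several after a join
    service: str
    prop: str                 # service property, e.g. a path; "all" covers every property (assumed)
    credential: str
    interval: Interval

    def same_object(self, other: "Capability") -> bool:
        """All fields except action and time agree."""
        return (self.source, self.destination, self.service, self.prop, self.credential) == \
               (other.source, other.destination, other.service, other.prop, other.credential)


def cap(src, dst, actions, service, prop, cred, when) -> Capability:
    return Capability(src, dst, frozenset(actions.split()), service, prop, cred, parse_interval(when))


def action_types(c: Capability) -> set:
    """Action types (page 10) exercised by a capability."""
    return {ACTION_TYPE[a] for a in c.actions}


def join(c1: Capability, c2: Capability) -> Optional[Capability]:
    """Same object, overlapping validity: one capability carrying both actions (send + recv
    is the 'communicate' capability of page 16). Disjoint periods or different objects: None."""
    t = c1.interval.intersect(c2.interval)
    if not c1.same_object(c2) or t is None:
        return None
    return replace(c1, actions=c1.actions | c2.actions, interval=t)


def split(c: Capability) -> List[Capability]:
    """One single-action capability per action value (read and write -> read, write)."""
    return [replace(c, actions=frozenset({a})) for a in sorted(c.actions)]


def contains(c1: Capability, c2: Capability) -> bool:
    """Containership relation (page 22): c1 grants everything c2 grants."""
    return ((c1.source, c1.destination, c1.service) == (c2.source, c2.destination, c2.service)
            and c1.prop in (c2.prop, "all") and c1.actions >= c2.actions
            and (c1.credential == c2.credential
                 or CRED_RANK.get(c1.credential, 0) > CRED_RANK.get(c2.credential, 0))
            and c1.interval.contains(c2.interval))


def reduce_caps(caps: List[Capability]) -> List[Capability]:
    """Drop every capability already contained in another member of the set."""
    caps = list(dict.fromkeys(caps))   # exact duplicates go first
    return [c for c in caps if not any(o is not c and contains(o, c) for o in caps)]


def subtract(c1: Capability, c2: Capability) -> Optional[Capability]:
    """Remove the actions c2 grants from c1 when c2 covers c1's object and validity period."""
    if not c1.same_object(c2) or not c2.interval.contains(c1.interval):
        return c1
    left = c1.actions - c2.actions
    return replace(c1, actions=left) if left else None


if __name__ == "__main__":
    send = cap("10.20.5.2", "10.20.1.1", "send", "IIS", "ftp", "root", "at:2007-12-06T18:13:30+05:30")
    print(join(send, replace(send, actions=frozenset({"recv"}))))
    print(split(cap("SLab", "Dlab", "read write", "file", "/etc/passwd", "root",
                    "between:1997-07-16T19:20:30+01:00[+1H]")))
```

Join only merges capabilities that agree on every field but action and whose validity periods intersect; a send at 18:13 and a receive an hour later do not join, which is the point of carrying time in the tuple (page 13).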

Page 21

ALGEBRAIC STRUCTURES: RELATIONS

(Overview slide of page 14 repeated, with Relations highlighted)

Page 22

CAPABILITY RELATION

• Containership (C2 lies inside C1)
• Overlapped vs Independent
• Mutually Exclusive

(Venn-diagram figure of C1 and C2: containership, overlapped, independent)

Page 23

ALGEBRAIC STRUCTURES: INFERENCE

(Overview slide of page 14 repeated, with Inference highlighted)

Page 24

COMPARABLE

Two capabilities are comparable if they have
• the same value of source, destination and action,
• the same type of service and property,
• and lie within the same time interval.

Example:
  C1 = (pushpa, dblab, read, /etc/passwd, content, user1, at:1997-07-16T19:20:30+01:00)
  C2 = (pushpa, dblab, read, All files, content, user1, at:1997-07-16T19:20:30+01:00)

Page 25

COMPARABLE INFERENCE

One capability can be logically inferred from another capability.

  C1 = (src, dst, read, /etc/passwd, content, user1, t1)
  C2 = (src, dst, read, All files, content, user1, t2)
  C1 can be logically inferred from C2 if t1 and t2 belong to the same time window.

  C3 = (src, dst, know, All accounts, name, user1, t1)
  C4 = (src, dst, read, /etc/passwd, content, user1, t2)
  C3 can be logically inferred from C4 if t1 and t2 belong to the same time window.

Page 26

EXTERNAL INFERENCE

If C1 and C2 are two capabilities, C1 can be inferred from C2 when
• c2.dest = c1.source, and
• c2 has the capability to run an arbitrary program.

Page 27

CAPABILITY MODEL BASED CORRELATION

Page 28

CORRELATING ALERTS USING THE MODIFIED CAPABILITY MODEL

• H-alert
• M-attack
• Correlation algorithm

Page 29

H-ALERT

• An IDS alert is turned into an H-alert with three parts: Require (capability set), Provide (capability set) and Raw (time, direction, ...)
• H-alerts (i1, ...) are grouped into an M-attack, which carries a capability set (capset), an H-alert set (haset) and a timestamp, e.g. [2007-12-06T18:13:30+05:30]

Page 30

CORRELATION ALGORITHM

(figure)

Page 31

(figure, continued)
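The correlation algorithm of pages 30-31 survives only as a figure, so what follows is an illustrative Python example added for this page, not the paper's algorithm. It encodes the comparable inference of page 25 (a specific file inferred from All files; knowing account names inferred from reading /etc/passwd) and the external inference of page 26 (arbitrary code execution on host X yields any capability whose source is X), then chains H-alerts by matching each alert's Require set against earlier alerts' Provide sets (page 29) and groups the linked alerts into M-attacks stamped with their earliest alert time. The one-hour time window, the alert names and the hosts H, M, N, P and Q are constructed sample data.

```python
"""Capability-based alert correlation: inference rules plus a requires/provides chaining pass."""
from collections import namedtuple
from datetime import datetime, timedelta

# Capability written as on page 25: (src, dst, action, object, attribute, credential, time).
Cap = namedtuple("Cap", "src dst action obj attr cred t")
# H-alert (page 29): Require set (capabilities the step needs) and Provide set (what it yields).
HAlert = namedtuple("HAlert", "id name t require provide")

WINDOW = timedelta(hours=1)   # assumed width of "the same time window"
ALL = "All files"             # wildcard object used on the slides
# Comparable inference by derived knowledge (page 25): reading /etc/passwd => knowing all accounts.
DERIVED = {("read", "/etc/passwd", "content"): ("know", "All accounts", "name")}


def infers(have: Cap, want: Cap) -> bool:
    """True when `want` can be logically inferred from `have`."""
    if abs(have.t - want.t) > WINDOW:
        return False
    if (have.src, have.dst, have.cred) == (want.src, want.dst, want.cred):
        # comparable inference: same action and attribute, object equal or covered by the wildcard
        if have.action == want.action and have.attr == want.attr and have.obj in (want.obj, ALL):
            return True
        if DERIVED.get((have.action, have.obj, have.attr)) == (want.action, want.obj, want.attr):
            return True
    # external inference (page 26): running an arbitrary program on host X yields any
    # capability whose source is X, whatever its credential
    return have.action == "exec" and have.obj == "arbitrary program" and have.dst == want.src


def correlate(alerts):
    """Map each alert id to the ids of earlier alerts providing a capability it requires."""
    alerts = sorted(alerts, key=lambda a: a.t)
    prereq = {a.id: [] for a in alerts}
    for i, later in enumerate(alerts):
        for earlier in alerts[:i]:
            if any(infers(p, r) for p in earlier.provide for r in later.require):
                prereq[later.id].append(earlier.id)
    return prereq


def m_attacks(alerts, prereq):
    """Group alerts joined by prereq edges into M-attacks, each stamped with its earliest alert time."""
    by_id = {a.id: a for a in alerts}
    seen, attacks = set(), []
    for first in sorted(alerts, key=lambda a: a.t):
        if first.id in seen:
            continue
        comp, stack = [], [first.id]
        while stack:                      # walk prereq edges in both directions
            x = stack.pop()
            if x in seen:
                continue
            seen.add(x)
            comp.append(x)
            stack += prereq[x] + [y for y in prereq if x in prereq[y]]
        attacks.append({"timestamp": first.t, "alerts": sorted(comp, key=lambda i: by_id[i].t)})
    return attacks


def sample_alerts():
    """Constructed H-alerts (not from the paper) on the slides' hosts H and M plus N, P, Q."""
    t0 = datetime.fromisoformat("2007-12-06T18:13:30+05:30")

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    conn = Cap("H", "M", "connect", "sshd", "port", "labUser", at(0))
    return [
        HAlert("a0", "connection established", at(0), [], [conn]),
        HAlert("a1", "password file read", at(5), [conn._replace(t=at(5))],
               [Cap("H", "M", "read", "/etc/passwd", "content", "labUser", at(5))]),
        HAlert("a2", "account enumeration", at(10),
               [Cap("H", "M", "know", "All accounts", "name", "labUser", at(10))], []),
        HAlert("a3", "buffer overflow", at(15), [conn._replace(t=at(15))],
               [Cap("H", "M", "exec", "arbitrary program", "code", "root", at(15))]),
        HAlert("a4", "outbound connection M->N", at(20),
               [Cap("M", "N", "connect", "smtp", "port", "root", at(20))], []),
        HAlert("a5", "unrelated read on host P", at(25),
               [Cap("P", "Q", "read", "log", "content", "u", at(25))], []),
    ]


if __name__ == "__main__":
    alerts = sample_alerts()
    for attack in m_attacks(alerts, correlate(alerts)):
        print(attack["timestamp"].isoformat(), attack["alerts"])
```

The alert a4 joins the attack only through external inference: nothing on the slides makes a root connection from M to N comparable with anything the earlier alerts provide, but a3 gave arbitrary code execution on M, so every capability sourced at M is reachable. a5 has no provider within the window and forms its own M-attack.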

Page 32

PROS AND CONS

Join
  Benefit: minimizes the number of comparisons
  Pitfall: costly, because it is recursive

Split
  Benefit: only direct inference is needed while correlating
  Pitfall: redundancy; unnecessary splits increase the number of comparisons

Page 33

ALTERNATE WAYS

• Way 1: only join
• Way 2: only split
• Way 3: both join and split

Page 34

CONCLUSION

• Defined a modified capability model and the logical associations between capabilities.
• Added a semantic notion to avoid false correlation.
• Identified and defined the relations between capabilities and derived inference rules, along with the semantics that have been used in correlation.

Page 35

FUTURE WORK

• Develop a language for the whole framework.
• Optimize the algorithms to achieve better performance: optimize the join operation and use it in the given alternate correlation algorithm. This would help make the whole system real-time with a low false rate.
• Model the defence capability of the security administrator.

Page 36

THANK YOU

Page 37

QUESTIONS?