Analyzing and Profiling Attacker Behavior in Multistage
Intrusions 1
Slide 2
Contents Introduction and Background Literature Review
Methodology Implementation Evaluation Contribution Conclusion
References 2
Slide 3
Introduction Increase in technology has brought more
sophisticated intrusions, with which the network security has
become more challenging. Attackers might have different intentions
and each attack might have different level. Understanding their
behavior is important to understand possible risks. In a government
study [7] attackers are classified into 9 different groups
Amateurs, Criminals, Insiders, Phishers, Nations, Hackers,
Terrorists, Bot-network operators, and Spyware/ malware authors.
3
Slide 4
Introduction (Contd..) 4 Amateurs: This group of attackers dont
have much knowledge. They do it for fun. Criminals: seek to attack
systems for monetary gain. They use spam, phishing, and
spyware/malware to commit identity theft and online fraud.
Phishers: Execute phishing schemes in an attempt to steal
identities or information for monetary gain. Terrorists : Seek to
destroy, incapacitate, or exploit critical infrastructures in order
to threaten national security.
Slide 5
Attacker Groups 5 Hackers: Break into networks by gaining
unauthorized access that requires a fair amount of skill or
computer knowledge Insiders: Insiders knowledge of a target system
often allows them to gain unrestricted access to cause damage to
the system or to steal system data. Nations: Use cyber tools as
part of their information-gathering and espionage activities.
Spyware/malware authors: carry out attacks against users by
producing and distributing spyware and malware. Bot-network
operators: Bot-net operators use a network, or bot-net, remotely
controlled systems to coordinate attacks
Slide 6
Problems with IDS (Contd..) It is very important to profile and
predict the attacker intentions to protect the network accordingly.
There is a necessity find an efficient way to identify the type of
attackers. IDS such as Snort [8] helps in detecting single step
intrusions, but not in detecting multistage attack and attacker
behavior. Due to Huge number of alerts Lack of proper model that
can detect multistage attacks Lack of a method that can link
multistage attacks to attacker behavior. 6
Slide 7
Objective Develop a system that can Detect multistage attacks
Analyze the attacker behavior by classifying the activity Discover
the attacker behavior patterns Predict and profile the type of
attacker based on behavior. 7
Slide 8
Literature Review Multilevel alert clustering and intelligent
alert clustering models [2] were well formed techniques for
reducing the number of alerts. Complexity of the above models could
degrade the performance of the system. Mathew et al [1] have made a
good effort to present a technique for understanding multi stage
attacks using attack- track based visualization of heterogeneous
event streams. They used the event correlation which is based on
attack tracks to determine the temporal relationship between the
heterogeneous events. 8
Slide 9
Literature Review (Contd..) The above approach was useful just
to understand the stages in the multistage attack, but not to
predict the user behavior. A user behavior perception model based
on markov process [7] presented a novel user behavior perception
model for intelligent mobile terminals. The model is based on the
Markov process, which introduces also the idea of machine learning
and context-awareness. The user behavior histories were used to
discover users preference, and information gathered from users are
described to perceive the user behaviors. 9
Slide 10
Methodology Processing the raw data Alert grouping Attacker
behavior analysis Preparation of semi-automatic Training the Hidden
Markov Model Profiling and Predicting of attacker behavior 10
Slide 11
Collection and Generalization of Alerts The raw data was
provided by ORNL. It was in pcap format The generated alerts have a
lot of insignificant information, which needs to be eliminated.
Essential details in each alert such as IP Address of source and
destination host, alert type and classification are extracted. [**]
[1:2000537:6] ET SCAN NMAP -sS [**] [Classification: Attempted
Information Leak] [Priority: 2] 07/17-09:30:09.298097
192.168.101.66:33966 -> 192.168.101.53:175 TCP TTL:49 TOS:0x0
ID:27814 IpLen:20 DgmLen:44 S* Seq: 0x3C25204F Ack: 0x0 Win: 0x800
TcpLen: 24 TCP Options (1) => MSS: 1460 11
Slide 12
Collection and Generalization of Alerts The raw data was
provided by ORNL. It was in pcap format The generated alerts have a
lot of insignificant information, which needs to be eliminated.
Essential details in each alert such as IP Address of source and
destination host, alert type and classification are extracted.
(portscan)TCPPortscan, 07/17-10:03:27.114495, 192.168.101.66,3387,
192.168.101.54,4497. Source Destination Time stamp Alert type
12
Slide 13
Alert Grouping Snort[8] generates thousands of alerts each day
many of them might be false alarms. With large number of alerts it
is not possible to profile and predict the attacker behavior. On an
average an alert is generated for every 2 milliseconds, therefore,
we need to group them. Alerts that generated from same source and
targeted to same destination for the same purpose ( i.e. with same
alert type) and generated within one second of time difference are
grouped together. 192.168.101.56, 192.168.72.1, 07/17- 10:59:06,
ETSCANNMAP, 70, 50 Source Destination Time stampAlert type Count
Behavior code 13
Slide 14
Attacker Behavior Analysis 14 Based on a government study in
2010 [7] the attackers are divided in to different groups such as
amateurs, criminals, insiders, terrorists, and hackers. To predict
the attacker behavior we have used Hidden Markov Model (HMM) [9], A
machine learning algorithm, to analyze these attackers behavior by
defining some rules for each type of attacker.
Slide 15
Hidden Markov Model = (A, B, , N) (N is number of states) State
probabilities Transition probabilities Emission or Observation
probabilities 15
Slide 16
Attacker Behavior Analysis (Contd..) We have defined five
stages, which are also hidden states in HMM Scanning Enumeration
Access attempt Malware attempt Denial of service 16
Slide 17
Stages in the multistage attack Scanning: Attacker tries to
gather the information about the target system Observation: ICMP
PING Enumeration : Attacker tries to find the vulnerabilities of
the target system Observation: CHAT_MSN Access attempt: Attacker
tries to gain the access to the target systems resources.
Observation: SQL version overflow attempt Denial of service :
Attacker tries deny service to other users. Observation: NETBIOS
SMB-DS Trans Max Param DOS attempt Malware attempt : Attacker tries
to execute own code on the target system. Observation:
SHELLCODE_x86_NOOP 17
Slide 18
Preparation of Semi-Automatic HMM Training 18
Slide 19
Preparation of Semi-Automatic HMM Training (Contd..) Maps
alerts (Observations) into one of the five hidden states For
example an alert of ICMP PING type is usually considered as a
scanning type and an alert of SHELLCODE X86 INC EXC NOOP is
considered as exploitation malware attempt type. As of now we have
around 88 rules to train our model. Once the rule set is defined,
we map the state name to each alert by applying rules.
07/14-13:12:54.775367 [**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.24
-> 192.168.1.1 Alert type Attacker Victim Time stamp 19
Slide 20
Preparation of Semi-Automatic HMM Training (Contd..) We have
classified all the alerts into five different sets same as states
in our model depending upon on the type of alert. For example an
alert of ICMP PING type is usually considered as a scanning type
and an alert of SHELLCODE X86 INC EXC NOOP is considered as
exploitation malware attempt type. As of now we have around 88
rules to train our model. Once the rule set is defined, we have
assigned the state name to each alert by applying rules. Scanning,
07/14-13:12:54.775367, Misc activity, 192.168.1.24, 192.168.1.1
Time stamp Attacker Victim State 20
Slide 21
Training the Hidden Markov Model Steps Initialization : This
step initializes the state, transition, and observation
probabilities. Forward algorithm: This step calculates the
observation probabilities based on the occurred observation
sequence. Backward algorithm: This step calculates the state and
transition probabilities based on observation probabilities and
sequence. Re-estimation of probabilities : This step re-estimated
the state, transition, and observation probabilities by iterating
the above three steps number of times 21
Slide 22
Training the Hidden Markov Model(Contd..) Table 3.1 Behavior
Classification 22 Attacker GroupsBehavior AmateurScanning +
Enumeration Insider, Phisher, Spyware/Malware, Botnet (ISBN) Access
attempt + Denial of service + Malware attempt Criminal groups,
Terrorists, Hackers, Nations (CTHN) Scanning + enumeration + access
attempt + Malware attempt Terrorists, Hackers (TH) Scanning +
enumeration + Denial of service Terrorists, Hackers, Criminal
groups (THC)Scanning + enumeration + access attempt + Denial of
service + Malware attempt
Slide 23
Prediction of Attacker Behavior As we have trained our system
and stored probabilities in our database, our next step is to match
the set of incoming alerts with one of our stored behavior. To find
the closest behavior for a set of alerts, we have used Kullback
Leibler Distance Calculator [6]. The Kullback-Leibler distance
(K-L) [6] is a measure of the similarity between two completely
determined probability distributions. Attacker Behavior Analysis
23
Slide 24
The Kullback-Leibler distance (K-L) Definition: Let p 1 (x) and
p2(x) be two continuous probability distributions. By definition,
the K-L distance D (p 1, p 2 ) between p 1 (x) and p 2 (x) is:
Basic Properties D (p 1, p 2 ) is the mean of the quantity log
[p1(x)/p 2 (x)], with p 1 (x) being the reference distribution. The
K-L distance is always nonnegative. It is zero only when the two
distributions are identical. It is common to encounter the
symmetric version of the K-L distance between p 1 and p 2 : D s (p
1, p 2 ) = [D(p 1, p 2 ) + D(p 2, p 1 )] / 2 24
Slide 25
Implementation Technologies we used Clustering and
Generalization -- Java Attacker Behavior Analysis -- Java C#.net
API used: Hidden Markov Model Jahmm[10] KL-Distance calculator -
Jahmm [10] 25
Slide 26
Implementation (Contd..) State Probability Transition
Probability Observation Probability Figure 1 Probability
Distribution 26
Contribution 30 Grouping alerts Build HMM model for each of the
attacker groups. Profile the 5 HMM models Predict Attacker behavior
by calculating KL distance [3].
Slide 31
Conclusion In our study we achieved most of the expected
results. Over all we had over 300 types of alerts generated through
this process. This made our system to be able to detect most of the
known attacks. Attacker behavior analysis is very efficient way of
finding the possible behavior of an attacker, which allows us to
take action according to the intentions of the attacker. 31
Slide 32
Demo 32
Slide 33
References 1. S. Mathew, D. Britt, R. Giomundo, S. Upadhyaya,
S. Sudit, Real-time Multistage Attack Awareness Through Enhanced
Intrusion Alert Clustering, In Situation Management Workshop (SIMA
2005), MILCOM 2005, Atlantic City, NJ, October, 2005. 2. Siraj,
Vaughn, Multilevel Alert Clustering for Intrusion Detection Sensor
Data, Fuzzy Information Processing Society, USA, 2005. 3.
Kullback-Leibler distance
http://www.aiaccess.net/English/Glossaries/GlosMod/e_gm_kullbak.htm
http://www.aiaccess.net/English/Glossaries/GlosMod/e_gm_kullbak.htm
4. Yang, Gasior, Katipally,Cui, Alerts Analysis and Visualization
in Network-based Intrusion Detection Systems, The Second IEEE
International Conference on Information Privacy, Security, Risk and
Trust (PASSAT2010), 2010, USA. 5. Yang, Katipally, Gasior, Cui,
Multistage attack detection system for network administrators,
CSIIRW -6, 2010, USA. 6. Manavogulu, parlov, Giles, Probabilistic
User Behavior Models, Proceedings of the Third IEEE International
Conference on Data Mining (ICDM03), 2003 USA. 7. CYBERSPACE: United
States Faces Challenges in Addressing Global Cybersecurity and
Governance, July 2010. 8. http://www.snort.org http://www.snort.org
9. Mark Stamp, A Revealing Introduction to Hidden Markov
Models,2008 33
