ADEPTS: Adaptive Intrusion Response using Attack Graphs in an e-Commerce Environment. Bingrui Foo, Yu-Sung Wu, Yu-Chun Mao, Saurabh Bagchi, Eugene Spafford. Purdue University, Dependable Computing Systems Lab (http://shay.ecn.purdue.edu/~dcsl)


  1. Title slide: ADEPTS: Adaptive Intrusion Response using Attack Graphs in an e-Commerce Environment. Dependable Computing Systems Lab Slide 1/19

  2. Outline
  • Intrusion Response for Distributed Systems
  • ADEPTS
  • System Design
  • Experiments & Results
  • Conclusions

  3. Intrusion Response for Distributed Systems
  • eCommerce System
    – Interconnected entities and services (customers, bank, warehouse, database, web applications, etc.)
    – A favorable target of cyber attacks (intrusions)
    – Denial-of-service, vandalizing, stealing information, illegal transactions
  • Intrusion Detection for distributed systems (eCommerce system)
    – Comparatively abundant existing work
    – Snort, Tripwire, buffer overflow detectors, application-level detectors
  • Intrusion Response for distributed systems (eCommerce system)
    – Typically requires the administrator to check the detection log files, identify the compromised region, and enforce the containment
      • Not automatic. Long reaction time.
    – Local response: some IDSs (e.g. Snort, Libsafe) provide basic response capability; anti-virus software disables access to infected files
      • Functions locally. Fights the fire at the fire station.

  4. ADEPTS: High Level Approach
  • A general framework for automatic and systematic intrusion response
  • Incorporates detectors and response agents, which are deployed across the protected payload
  • Uses an attack graph (I-GRAPH) to model the causal relations among intrusion goals
  • Upon an intrusion, ADEPTS first estimates the compromised region (the achieved intrusion goals)
  • Systematically deploys a set of preferred responses to contain the affected region (prevent more intrusion goals from being achieved)
  • Feedback mechanism for evaluating the effectiveness of deployed responses and adjusting response preference

  5. Process Flow & Architecture View of ADEPTS
  1. Detection framework flags alerts
  2. I-GRAPH of the protected system updated
  3. Determine locations to take responses
  4. Available responses determined based on attack parameters and I-GRAPH
  5. Best responses chosen and deployed
  6. Evaluation of deployed responses
  [Architecture diagram: the Protected Payload sends detector alerts to the ADEPTS Control Center via a message queue and receives response commands via SSH; a Vulnerability Description feeds Portable I-GRAPH Generation; inside the Control Center the stages are: translate alerts into events, flag nodes, on-the-fly cycle breaking, CCI update, candidate labeling, deciding response, retrieve operands from the Response Repository, evaluation of responses, reordering]

  6. I-GRAPH
  [Figure: example I-GRAPH for the testbed; each node is an intrusion goal, and the incoming edges of a node are typed AND, OR, or QUORUM (a quorum of 2 in the figure). Nodes shown:]
    1. SSL module buffer overflow in Apache host 1
    2. Execute arbitrary code on Apache host 1
    3. Illegal access to http document root
    4. Send malicious chunk encoded packet
    5. C library code buffer overflowed
    6. Chunk handling buffer overflow on Apache host 1
    7. DoS of Apache host 1
    8. DoS of Apache host 2
    9. MySQL buffer overflow
    10. DoS of MySQL host
    11. DoS webstore
    12. Execute arbitrary code on MySQL
    13. MySQL information leak

  7. Determining how likely a node is compromised
  • The Compromised Confidence Index (CCI) of a node in the I-GRAPH is the measure of the likelihood that an attacker has reached that node

    $$CCI = \begin{cases} \text{alert confidence}, & \text{nodes with no children} \\ f(CCI_i), & \text{nodes with no detectors} \\ \text{ave}(f(CCI_i), \text{alert confidence}), & \text{otherwise} \end{cases}$$

    $$f(CCI_i) = \begin{cases} \max(CCI_i), & \text{OR edges} \\ \min(CCI_i), & \text{AND edges} \\ \text{Mean}(CCI_i \mid CCI_i > \tau_N), & \text{quorum met} \\ 0, & \text{quorum not met} \end{cases}$$

    where $CCI_i$ corresponds to the CCI of the $i$-th child and $\tau_N$ is a per-node threshold
  [Figure: I-GRAPH fragment with example child CCI values 0.7, 0.7, 0.8 and 0.6]
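The two-part CCI rule above, carried through on a small graph, as an added example (not ADEPTS' own code): the graph, the detector alert confidences and the per-node thresholds `tau` are constructed sample values, and the graph is assumed to be acyclic (ADEPTS breaks cycles on the fly, which is not modelled here). The example exercises all three `f` branches, including a quorum that is not met, and then lists the nodes whose CCI exceeds a response threshold.

```python
"""CCI propagation over a small I-GRAPH, following the two-part rule on the
slide. Added illustration, not ADEPTS' own code: the graph, alert confidences
and thresholds tau_N are constructed, and the graph is assumed acyclic."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    edge: str = "OR"                  # how child CCIs combine: "OR", "AND" or "QUORUM"
    children: List[str] = field(default_factory=list)
    quorum: int = 0                   # QUORUM edges: children that must exceed tau_N
    tau: float = 0.5                  # per-node threshold tau_N (assumed value)
    alert_confidence: Optional[float] = None  # None: no detector attached to this node


def f_children(node: Node, cci: Dict[str, float]) -> float:
    """f(CCI_i): combine the children's CCI values according to the edge type."""
    vals = [cci[c] for c in node.children]
    if node.edge == "OR":
        return max(vals)                       # any one child suffices
    if node.edge == "AND":
        return min(vals)                       # every child is required
    if node.edge == "QUORUM":
        above = [v for v in vals if v > node.tau]
        return mean(above) if len(above) >= node.quorum else 0.0
    raise ValueError(f"unknown edge type {node.edge!r}")


def compute_cci(graph: Dict[str, Node]) -> Dict[str, float]:
    """Evaluate CCI bottom-up for every node of an acyclic I-GRAPH.

    Leaves report their detector's alert confidence; interior nodes without a
    detector take f(children); nodes with both average the two sources.
    """
    cci: Dict[str, float] = {}

    def visit(name: str) -> float:
        if name in cci:
            return cci[name]
        node = graph[name]
        for child in node.children:
            visit(child)
        if not node.children:
            # a leaf with no detector has no evidence at all: treated as 0
            value = node.alert_confidence if node.alert_confidence is not None else 0.0
        elif node.alert_confidence is None:
            value = f_children(node, cci)
        else:
            value = (f_children(node, cci) + node.alert_confidence) / 2
        cci[name] = value
        return value

    for name in graph:
        visit(name)
    return cci


def likely_compromised(cci: Dict[str, float], threshold: float) -> List[str]:
    """Nodes whose CCI exceeds the threshold used to decide where to respond."""
    return sorted(n for n, v in cci.items() if v > threshold)


# Constructed sample graph: four leaf goals watched by detectors, combined by
# AND, OR and QUORUM edges; the root additionally has its own detector.
EXAMPLE_GRAPH: Dict[str, Node] = {
    "leaf_a": Node("leaf_a", alert_confidence=0.7),
    "leaf_b": Node("leaf_b", alert_confidence=0.7),
    "leaf_c": Node("leaf_c", alert_confidence=0.8),
    "leaf_d": Node("leaf_d", alert_confidence=0.6),
    "and_node": Node("and_node", edge="AND", children=["leaf_a", "leaf_b"]),
    "or_node": Node("or_node", edge="OR", children=["leaf_c", "leaf_d"]),
    "quorum_met": Node("quorum_met", edge="QUORUM", quorum=2, tau=0.65,
                       children=["leaf_a", "leaf_b", "leaf_c", "leaf_d"]),
    "quorum_not_met": Node("quorum_not_met", edge="QUORUM", quorum=2, tau=0.75,
                           children=["leaf_a", "leaf_b", "leaf_c", "leaf_d"]),
    "root": Node("root", edge="OR", children=["and_node", "or_node"],
                 alert_confidence=0.9),
}

if __name__ == "__main__":
    result = compute_cci(EXAMPLE_GRAPH)
    for name, value in result.items():
        print(f"{name:15s} CCI = {value:.3f}")
    print("likely compromised:", likely_compromised(result, 0.75))
```

With these values the AND node takes the minimum (0.7), the OR node the maximum (0.8), the met quorum averages only the three children above 0.65 (about 0.733), the unmet quorum drops to 0, and the root averages its combined children (0.8) with its own detector (0.9) to 0.85; a 0.75 threshold then marks `leaf_c`, `or_node` and `root` as likely compromised.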

  8. Picking Responses
  • After determining a set of likely-compromised nodes, the response decision module searches the response repository for the responses whose opcodes and operands are applicable to the intrusions on these compromised nodes
  • Each response command has an associated RI (Response Index) value, with a larger RI value indicating a more preferred response
    RI = EI - DI, where EI is the Effectiveness Index and DI is the Disruptivity Index
  [Figure: Snort alert 1807 "WEB-MISC Chunked-Encoding transfer attempt" from source IP a.b.c.d is matched against the repository template "iptables -A INPUT -s ip_address -j DROP"; the instantiated command "iptables -A INPUT -s a.b.c.d -j DROP" is the response command with the highest RI value]

  9. Response Repository
  Command type | Opcode | Operands (opr1 And opr2 And ...) | Explanation
  General | KILL_PROCESS | PROCESS_ID | Kill process
  General | SHUT_DOWN | SERVICE_NAME / HOST | Shut down/restart a service/host
  General | RESTART/REBOOT | SERVICE_NAME / HOST | Shut down/restart a service/host
  General | DISABLE | USER_ACCOUNT | Freeze a user account
  File | DENY_FILE_ACESS | FILE_NAME | Disable read, write, and execute access to a file, valid for the super user.
  File | DISABLE_READ | FILE_NAME | Disable read/write access to a file, valid for the super user.
  File | DISABLE_WRITE | FILE_NAME | Disable read/write access to a file, valid for the super user.
  Network | BLOCK_INPUT | REMOTE_IP, LOCAL_PORT, REMOTE_PORT, PROTOCOL | Blocking incoming packets associated with the command operands.
  Network | BLOCK_OUPUT | REMOTE_IP, LOCAL_PORT, REMOTE_PORT, PROTOCOL | Blocking outgoing packets associated with the command operands.
  Network | BLOCK_FORWARD | SOURCE_IP And DESTINATION_IP | Blocking forwarding packets associated with the command operands.
  DoS | LIMIT_RATE | SYN, ICMP_ECHO, ICMP_HOST_UNREACHABLE, SYN_ACK, UDP_PACKET | Limiting the rate of a type of packets

  10. Feedback Mechanism
  • After responses are deployed, we can judge whether the deployed responses are effective by checking if intrusions are still propagating (higher level nodes in the I-GRAPH keep getting flagged). ADEPTS then adjusts the EI values of the responses so that effective responses are preferred in a future run.
  [Figure: two cases of a response deployed at node A with parent node B; when B is flagged afterwards the EI of the response is decreased, otherwise it is increased]
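The selection step of slide 8, the repository of slide 9 and the feedback rule of slide 10 together, as an added example (not ADEPTS' own code): the opcode names follow the repository table, but the command templates, the EI/DI values, the mapping of responses to I-GRAPH node numbers (node 6 is the chunk handling buffer overflow on the I-GRAPH slide), the sample alert parameters and the EI adjustment step of 0.1 are all constructed assumptions. It picks the highest-RI applicable response for a flagged node, fills its operands from the alert, and shows how repeated negative feedback reorders the preference.

```python
"""Response selection by RI = EI - DI, operand instantiation from the alert,
and the EI feedback rule. Added illustration, not ADEPTS' own code: opcodes
follow the repository slide; templates, EI/DI values, node mapping, alert
parameters and the feedback step are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    opcode: str                  # opcode from the repository table
    operands: Tuple[str, ...]    # operand names the command needs (e.g. REMOTE_IP)
    template: str                # assumed command template filled from the operands
    ei: float                    # Effectiveness Index, adjusted by feedback
    di: float                    # Disruptivity Index, fixed per response
    applies_to: Tuple[int, ...]  # I-GRAPH node numbers this response can contain

    @property
    def ri(self) -> float:
        """Response Index: larger means more preferred."""
        return self.ei - self.di


def make_repository() -> List[Response]:
    """Constructed repository; node 6 is the chunk handling buffer overflow node."""
    return [
        Response("BLOCK_INPUT", ("REMOTE_IP",),
                 "iptables -A INPUT -s {REMOTE_IP} -j DROP", ei=0.8, di=0.2, applies_to=(4, 6)),
        Response("KILL_PROCESS", ("PROCESS_ID",),
                 "kill -9 {PROCESS_ID}", ei=0.9, di=0.6, applies_to=(2, 6)),
        Response("RESTART", ("SERVICE_NAME",),
                 "service {SERVICE_NAME} restart", ei=0.7, di=0.5, applies_to=(6, 7)),
    ]


def select_response(repo: List[Response], node: int,
                    alert_params: Dict[str, str]) -> Optional[Response]:
    """Applicable responses cover the node and have every operand supplied by the
    alert; among them the highest RI wins (the first listed on a tie)."""
    candidates = [r for r in repo
                  if node in r.applies_to and all(k in alert_params for k in r.operands)]
    return max(candidates, key=lambda r: r.ri) if candidates else None


def instantiate(resp: Response, alert_params: Dict[str, str]) -> str:
    """Fill the template with the operand values taken from the alert."""
    return resp.template.format(**{k: alert_params[k] for k in resp.operands})


def feedback(resp: Response, parent_flagged: bool, step: float = 0.1) -> float:
    """If a higher-level node was still flagged after deployment the response did
    not contain the intrusion, so lower its EI; otherwise raise it. The step
    size and the [0, 1] clamp are assumptions."""
    if parent_flagged:
        resp.ei = max(0.0, resp.ei - step)
    else:
        resp.ei = min(1.0, resp.ei + step)
    return resp.ei


# Constructed alert parameters for a chunked-encoding alert that flags node 6.
SAMPLE_ALERT: Dict[str, str] = {"REMOTE_IP": "192.0.2.10", "PROCESS_ID": "4242"}


def run_scenario(rounds_escalated: int) -> Tuple[str, str]:
    """Select for node 6, apply the given number of negative feedback rounds to
    the chosen response, select again; returns (first opcode, later opcode)."""
    repo = make_repository()
    first = select_response(repo, 6, SAMPLE_ALERT)
    assert first is not None
    for _ in range(rounds_escalated):
        feedback(first, parent_flagged=True)
    later = select_response(repo, 6, SAMPLE_ALERT)
    assert later is not None
    return first.opcode, later.opcode


if __name__ == "__main__":
    repo = make_repository()
    chosen = select_response(repo, 6, SAMPLE_ALERT)
    print("chosen:", chosen.opcode, "RI =", round(chosen.ri, 2))
    print("command:", instantiate(chosen, SAMPLE_ALERT))
    print("after 4 ineffective deployments:", run_scenario(4))
```

Initially BLOCK_INPUT wins for node 6 (RI 0.6 against 0.3 for KILL_PROCESS and 0.2 for RESTART) and is instantiated from the alert's REMOTE_IP; an alert that does not carry a PROCESS_ID can never select KILL_PROCESS, so operand availability acts as a filter before RI is compared. After four rounds in which the parent node is flagged anyway, BLOCK_INPUT's EI has fallen to 0.4 and KILL_PROCESS takes over, which is the reordering the feedback slide describes.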

  11. Testbed
  [Figure: e-Commerce testbed payload; two Apache/PHP web application hosts, each behind a firewall, with a load balancer in front serving the clients, and back-end components: Bank, Data mining, Warehouse/Shipping, MySQL, Data backup. ADEPTS-payload interaction: detector alerts via message queue, response commands via SSH; intra-host and inter-host communication; ADEPTS Control Center]
  Detectors:
    1. Libsafe
    2. Snort
    3. File Access Monitor
    4. Transaction Response Time Monitor
    5. Bank Abnormal Account Activity Detector

  12. Experiments & Results
  • Attack Scenarios
    Scenario 0
      Step 0: Exploit Apache buffer overflow.
      Step 1: 'ls' to list webstore document root and identify the script informing the warehouse to do shipments.
      Step 2: Send shipping request to warehouse and craft the request form so that a warehouse side buffer overrun bug fills the form with a victim's credit card number.
      Step 3: Unauthorized orders are made.
    Scenario 1
      Step 0: Use php_mime_split (CVE-2002-0081) buffer overflow to insert malicious code into Apache.
      Step 1: Insert malicious code.
      Step 2: Issue crontab command to exploit a vulnerability in cron daemon for creating a root privilege shell.
      Step 3: Root privilege shell created out of the vulnerable cron daemon.
      Step 4: Corrupt the data stored in web server document root.
    Scenario 8
      Step 0: Buffer overflow in mod_ssl (ModSSL) in Apache.
      Step 1: A shell is created with Apache privilege.
      Step 2: IP/port scanning to find vulnerable SQL server.
      Step 3: Buffer overflow MySQL to create a shell (/bin/sh).
      Step 4: Use malicious shell to steal information stored in MySQL.

  13. Experiments and Results
  • Survivability Metric
    – We define a set of transactions and a set of security goals. We use the survivability metric in the experiment to demonstrate the benefit of adopting ADEPTS in terms of maintaining the survivability of the underlying e-Commerce system.

    $$\text{Survivability} = 1000 - \sum_{\text{unavailable transactions}} \text{Weight} - \sum_{\text{failed security goals}} \text{Weight}$$

    Transactions (Name | Weight)
      Browse webstore | 10
      Add merchandise to shopping cart | 10
      Place order | 10
      Charge credit card | 5
      Admin work | 10
    Security goals (Name | Weight)
      Illegal read of file | 20
      Illegal write to file | 30
      Illegal process being run | 50
      Corruption of MySQL database | 70
      Confidentiality leak of customer information stored in MySQL database | 100
      Unauthorized orders created or shipped | 80
      Unauthorized credit card charges | 80
      Cracked administrator password | 90
