
Decentralized publish-subscribe system to prevent coordinated attacks via alert correlation (PowerPoint PPT presentation)



  1. Decentralized publish-subscribe system to prevent coordinated attacks via alert correlation
     J. Garcia, F. Autrel, J. Borrell, S. Castillo, F. Cuppens, G. Navarro
     {jgarcia,jborrell,scastillo,gnavarro}@ccd.uab.es, {fabien.autrel,frederic.cuppens}@enst-bretagne.fr

  2. 0. - Content: Main points
     - Introduction
     - Classical architectures
     - Prevention framework
     - Current development
     - Conclusions

  3. 1. - Introduction: Coordinated attacks
     - "Combination of actions performed by a malicious adversary to violate the security policy of a target computer system."
     - Network resources can become an active part of a coordinated attack
     - E.g. an attack might start with an intrusion ⇒ nodes have to be monitored
     - A global view of the whole system is needed for detection ⇒ collection and combination of events from different nodes

  4. 1. - Introduction: Components needed to prevent coordinated attacks
     - Sensors (host, application or network based)
     - Analyzers (misuse or anomaly based)
     - Managers (data consolidation and alert correlation)
     - Response units (active or passive reaction)
     - Intrusion detection systems use these same components to prevent a node from being compromised by an attacker ⇒ we use these components to prevent a compromised node from becoming an active part of a coordinated attack.

  5. 2. - Classical architectures: Centralized event correlation
     [Figure: several SENSORs sending their data flow to a single ANALYZER]
     - DIDS - University of California, Davis (1991)
     - STAT - University of California, Santa Barbara (1992)

  6. 2. - Classical architectures: Hierarchical event correlation
     [Figure: SENSORs grouped in domains, each domain's sensors reporting to a DOMAIN ANALYZER, and the domain analyzers reporting to a MASTER ANALYZER]
     - EMERALD - SRI International, California (1997)
     - AAFID - CERIAS, Purdue University (1998)

  7. 3. - Prevention Cells System
     [Figure: several Prevention Cells cooperating with each other; inside a cell: sensors, analyzers, a correlation manager, a cooperation manager, counter-measure managers and response units]
     - Message passing architecture ⇒ the detection process can be completely distributed

  8. 3. - Prevention framework: Sample scenario
     [Figure: three hosts, vm1 (192.168.0.1), vm2 (192.168.0.2) and vm3 (192.168.0.3), one of them acting as Server. The attack runs in three steps: (1) TCP SYN flooding DoS, (2) TCP sequence number prediction, (3) IP spoofing to execute "echo + + >> /.rhosts"]

  9. 3. - Prevention framework: Detection process
     - Find the set of actions which transforms the system from an initial state S_0 to a final state S_n:
       S_0 --A_1--> S_1 --A_2--> S_2 ... S_{n-1} --A_n--> S_n
     - Example action model:
       action syn-flood(A,H1,ns)
         pre:       remote-access(A,H1)
                    send-multiple-tcp-syns(A,H1,ns)
         post:      deny-of-service(H1)
         detection: source(Alert,A)
                    target(Alert,H1)
                    classification(Alert,'SynFlooding')
                    additional-data(Alert,ns)

  10. 3. - Prevention framework: Detection process via alert correlation
     - Two actions A and B can be correlated when the realization of A has a positive influence over the realization of B (given that A occurred before B):
       - (E_a ∈ post(A) ∧ E_b ∈ pre(B)) ∨ (not(E_a) ∈ post(A) ∧ not(E_b) ∈ pre(B))
       - E_a and E_b are unifiable through a unifier θ
     - Example (A = tcp-sequence-prediction, B = spoofed-remote-login):
       action tcp-sequence-prediction(A,H2,n)
         pre:  remote-access(A,H2)
               obtain(A,following-tcp-sequence(H2,n))
         post: knows(A,following-tcp-sequence(H2,n))
       action spoofed-remote-login(A,U,H1,H2,n)
         pre:  remote-access(A,H2)
               knows(A,following-tcp-sequence(H2,n))
               deny-of-service(H1)
               spoof-address(A,H1,n,remote-login-connection(U,H2))
         post: remote-login(A,U,H2)

  11. 3. - Prevention framework: Reaction process via anti-correlation
     - Two actions A and B are anti-correlated when the realization of A has a negative influence over the realization of B (given that A occurred before B):
       - (not(E_a) ∈ post(A) ∧ E_b ∈ pre(B)) ∨ (E_a ∈ post(A) ∧ not(E_b) ∈ pre(B))
       - E_a and E_b are unifiable through a unifier θ
     - Example (A = undo-deny-of-service, B = spoofed-remote-login):
       action undo-deny-of-service(A,H1,ns)
         pre:  deny-of-service(H1)
               send-multiple-tcp-resets(A,H1,ns)
         post: not(deny-of-service(H1))
       action spoofed-remote-login(A,U,H1,H2,n)
         pre:  remote-access(A,H2)
               knows(A,following-tcp-sequence(H2,n))
               deny-of-service(H1)
               spoof-address(A,H1,n,remote-login-connection(U,H2))
         post: remote-login(A,U,H2)

  12. 3. - Prevention framework: Detection and reaction graph for the sample scenario
     attack syn-flood(A,H1,ns)
       pre:  remote-access(A,H1)
             send-multiple-tcp-syns(A,H1,ns)
       post: deny-of-service(H1)
     counter-measure undo-deny-of-service(A,H1,ns)
       pre:  deny-of-service(H1)
             send-multiple-tcp-resets(A,H1,ns)
       post: not(deny-of-service(H1))
     attack tcp-sequence-prediction(A,H2,n)
       pre:  remote-access(A,H2)
             obtain(A,following-tcp-sequence(H2,n))
       post: knows(A,following-tcp-sequence(H2,n))
     attack spoofed-remote-login(A,U,H1,H2,n)
       pre:  remote-access(A,H2)
             knows(A,following-tcp-sequence(H2,n))
             deny-of-service(H1)
             spoof-address(A,H1,n,remote-login-connection(U,H2))
       post: remote-login(A,U,H2)
     counter-measure kill-remote-login(A,U,H2)
       pre:  remote-login(A,U,H2)
       post: not(remote-login(A,U,H2))
     correlation objective ilegal-remote-login(A,U,H2)
       state: remote-login(A,U,H2)
              not(authorized(remote-login(A,U,H2)))
     [Graph edges are labelled "Correlation" (attack post-conditions to the pre-conditions of the following attack and to the objective) and "Anti-correlation" (counter-measure post-conditions to the attack pre-conditions they negate)]
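The correlation test of slide 10 and the anti-correlation test of slide 11, as run on the action models of slide 12, can be implemented as term unification over pre- and post-conditions. The block below is an added example, not code from the slides or from the authors' prototype; the term encoding (tuples, "?x" variables, ("not", t) negation) and the standardize-apart renaming are my own choices.

```python
# Added example, not from the slides: correlation (slide 10) and anti-correlation
# (slide 11) as term unification over the deck's own actions. Encoding is mine:
# a term is a tuple (functor, args...), "?x" is a variable, ("not", t) negates t.

def is_var(t):
    return isinstance(t, str) and t.startswith("?")
def negated(t):
    return isinstance(t, tuple) and t[0] == "not"

def rename(t, suffix):  # standardize apart: each action gets its own ?A, ?H1...
    if is_var(t):
        return t + suffix
    return tuple(rename(x, suffix) for x in t) if isinstance(t, tuple) else t

def unify(x, y, theta):  # extend unifier theta so x and y match; None if impossible
    if theta is None or x == y:
        return theta
    if is_var(x) or is_var(y):
        v, t = (x, y) if is_var(x) else (y, x)
        return unify(theta[v], t, theta) if v in theta else {**theta, v: t}
    if isinstance(x, tuple) and isinstance(y, tuple) and len(x) == len(y):
        for a, b in zip(x, y):
            theta = unify(a, b, theta)
        return theta
    return None  # different functors, arity or constants

def match(a, b, same_sign):
    """Unifier for some E_a in post(A) and E_b in pre(B) with the wanted polarity."""
    for ea in a["post"]:
        for eb in b["pre"]:
            if (negated(ea) == negated(eb)) == same_sign:
                theta = unify(rename(ea[1] if negated(ea) else ea, "_a"),
                              rename(eb[1] if negated(eb) else eb, "_b"), {})
                if theta is not None:
                    return theta
    return None

def correlated(a, b):       # post(A) establishes a precondition of B
    return match(a, b, True)
def anti_correlated(a, b):  # post(A) removes a precondition of B
    return match(a, b, False)

SEQ = ("following-tcp-sequence", "?H2", "?n")
tcp_sequence_prediction = {"pre": [("remote-access", "?A", "?H2"), ("obtain", "?A", SEQ)],
                           "post": [("knows", "?A", SEQ)]}
spoofed_remote_login = {"pre": [("remote-access", "?A", "?H2"), ("knows", "?A", SEQ),
                                ("deny-of-service", "?H1"), ("spoof-address", "?A", "?H1",
                                 "?n", ("remote-login-connection", "?U", "?H2"))],
                        "post": [("remote-login", "?A", "?U", "?H2")]}
undo_deny_of_service = {"pre": [("deny-of-service", "?H1"), ("send-multiple-tcp-resets", "?A", "?H1", "?ns")],
                        "post": [("not", ("deny-of-service", "?H1"))]}
```

The returned dictionary is the unifier θ of the slides; a correlation manager would apply it to bind the attacker, host and sequence variables of the next action before looking for its alerts.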

  13. 4. - Current Development
     [Figure: architecture of the prototype.
      User space: Elvin publish-subscribe system (federated multicast channel) carrying alerts between the ps-manager, the ewatcher and the cm-manager; CRIM correlation manager.
      Kernel space: Linux 2.4.x modules; sensors syns_s, spoof_s, conn_s, flood_s, execve_s; response units kill_ru, pfilter_ru; events and responses cross between user and kernel space through a netlink sockets interface]


  15. 5. - Summary: Results of our work
     - State of the art about coordinated attack prevention
     - Study about alert correlation mechanisms
     - Development of a generic framework that avoids the bottleneck of centralized architectures by using a distributed approach
     - Both detection and reaction are performed by using the same formalism

  16. 5. - Summary: Future work
     - Incorporate fault tolerant mechanisms
     - Make a more in-depth study of the format used for alerts
     - Incorporate other information about the environment

  17. 6. - [C-x C-c] Thank you! Questions? – p. 16/16
