

  1. From Declarative Signatures to Misuse IDS
  4th International Symposium on Recent Advances in Intrusion Detection (RAID'01), October 10-12, 2001, Davis, CA, USA
  Jean-Philippe Pouzol, Mireille Ducassé, IRISA / INSA de Rennes (France)
  Jean-Philippe POUZOL / Mireille DUCASSÉ, RAID'01 Symposium

  2. Outline of this talk
  • Rule-based languages
    – Specifying multi-event signatures is complex
    – Not well suited to maintaining a signature database
  • Declarative specifications
    – Sutekh: a declarative signature language
    – An example of specification
    – Automatic rule generation

  3. Misuse IDS
  Events (Sun BSM audit trails, tcpdump logs, web server logs) → Misuse IDS, driven by Signatures → Alerts

  4. IDS in distributed environments
  IDS = local probes + alert correlation
  • No global time in distributed environments: sequences must be detected in the probes
  • Data reduction is more efficient if performed as soon as possible
  ⇒ Mono-event signatures in the probes are insufficient

  5. Rule-based IDS and pattern matching
  • Rule-based IDS perform pattern matching. Kumar distinguished 4 classes of patterns [Kumar, PhD, 95]:
    a) Existence
    b) Sequence (interval, duration)
    c) Regular expression
    d) Other (e.g. negation)
  • Kumar also proposed a model of rule-based IDS based on Colored Petri Nets with variables
    – All the above patterns can be recognized within this model
  • Signatures in this model can be translated into other rule-based IDS languages

  6. Rule-based IDS
  Events (Sun BSM audit trails, tcpdump logs, web server logs) → Rule-based IDS, driven by Signatures written as rules → Alerts
  • ASAX [Habra et al., ESORICS 92]
  • P-BEST (EMERALD) [Lindqvist et al., Security & Privacy 99]
  • STAT [Vigna et al., DISCEX 00]

  7. Specification vs. Matching
  Pattern specification language ≠ Algorithm to search for patterns
  Regular expressions ↔ Finite-state automata
  Algebraic (context-free) languages ↔ Push-down automata

  8. Rules are not well suited for specification
  Signatures are scattered across many rules.
  • Rule construction is complex and error prone
    – Non-trivial graph construction if rule coding is performed "by hand", e.g. searching for a conjunction of events with a system that does not provide this construct
    – Transitions can easily be forgotten, or set between the wrong states

  9. Rules are not well suited for specification
  Signatures are scattered across many rules.
  • Rule readability is low, debugging is difficult
    – One needs to "simulate" the evolution of the transition system to extract the underlying pattern

  10. Rules are not well suited for specification
  Signatures are scattered across many rules.
  • Signature evolution can be "expensive"
    – Adding a feature to the pattern can require substantial changes across the whole transition system

  11. Example: encoding negation in rules
  • Signature in STAT [Eckmann, ACM Workshop on ID, 00]
  [State diagram: states 1 to 5 linked by the transitions create_file, read_rhost, login and another_one; the negation is encoded with the extra transitions delete_1, delete_2, delete_3, logout and logout_2]
  Several transitions for a single idea: 3 transitions for delete, 2 transitions for logout.

  12. Building and maintaining rule-based signature databases is too tedious and error prone.
  This cannot be done by hand.

  13. Declarative Signatures
  Declarative layer: Declarative Signatures → Compiler → Rules → Rule-based IDS (Events in, Alerts out)

  14. Declarative Languages for IDS
  • Signature languages: dedicated and optimized algorithms
    – MuSigs [Lin et al., IEEE Computer Security Foundations Workshop 98]
    – Logweaver [Roger et al., IEEE Computer Security Foundations Workshop 01]
  • Languages for attack databases: more expressive signature languages, but no implementation has been proposed
    – LAMBDA [Cuppens et al., RAID'00]
    – ADeLe [Michel et al., Intl Conf on Information Security 01]
  • Our contribution
    – Expressive language ⇒ Sutekh
    – Implementation ⇒ compiling Sutekh into rules

  15. Example of Attack
  Target
  • CERT advisory CA-1996-16
  • admintool (Solaris): a front-end for package installation
  • suid-root in several Solaris distributions
  • A package contains 2 files: pkgmap / pkginfo
  Exploit
  • Build a "fake" package with an overflow string
  • Install the fake package with admintool ⇒ gain root access
  • Source code available on the Internet

  16. Example of Signature in Sutekh (1/2)
  Basic blocks: filters, i.e. a conjunction of constraints on an event
  • System calls for file creation
    createFile(Regexp, File, UserId) = [ … ].
    – Path name must match Regexp
    – Path name is unified with File
    – Real user ID is unified with UserId
  • System calls for program execution
    execProg(ProgName, UserId) = [ … ].
    – Path name is unified with ProgName
    – Real user ID is unified with UserId

  17. Example of Signature in Sutekh (2/2)
  admintool() =
    ( ( ( createFile("*/pkginfo", File1, User)
          and createFile("*/pkgmap", File2, User) )
        such that same_dir(File1, File2) )
      then execProg("/usr/bin/admintool", User) )
    trigger admintool_alert(User)

  18. Declarative semantics of Sutekh
  • People do not need to know the operational layer
  • People need to know the exact meaning of a Sutekh expression
  S1 = Ea then Eb
  S2 = Eb then Ec
  S = S1 then S2
  Event stream: … <Ea> … <Eb> … <Ec> …    Is this an instance of S? No!
  Sutekh formal semantics: an instance of S1 then S2 is an instance of S1 (events at dates α1 ≤ α2) strictly followed by an instance of S2 (events at dates α3 ≤ α4), i.e. α1 ≤ α2 < α3 ≤ α4. The single <Eb> above cannot serve both as the last event of S1 and as the first event of S2.
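To make the two previous slides concrete, here is an added example (not the authors' code and not Sutekh's real syntax or compiler): a small matcher for Sutekh-style signatures, enough to run the admintool() signature of slide 17 over a constructed audit trail and to check the "then" semantics of slide 18. Assumptions: events are dicts with "type", "path" and "ruid" fields, the order of events in the stream is the probe-local time, an instance is a set of distinct events, and the slide's "*/pkginfo" is rendered as the regexp ".*/pkginfo".

```python
"""Added example (not the authors' code): a Sutekh-style signature matcher.
Assumed event shape: {"type": ..., "path": ..., "ruid": ...}; stream index = probe-local time."""
import os
import re


def unify(binding, var, value):
    """Extend a binding, or return None when var is already bound to another value."""
    if var in binding and binding[var] != value:
        return None
    new = dict(binding)
    new[var] = value
    return new


# Filters (slide 16): a filter tests one event and unifies variables with its fields.
def create_file(regexp, file_var, user_var):
    """createFile(Regexp, File, UserId): file creation whose path matches Regexp."""
    pattern = re.compile(regexp)
    def match(event, binding):
        if event["type"] != "create_file" or not pattern.fullmatch(event["path"]):
            return None
        b = unify(binding, file_var, event["path"])
        return None if b is None else unify(b, user_var, event["ruid"])
    return match

def exec_prog(prog, user_var):
    """execProg(ProgName, UserId), with ProgName given as a constant."""
    def match(event, binding):
        if event["type"] != "exec" or event["path"] != prog:
            return None
        return unify(binding, user_var, event["ruid"])
    return match


# Signatures: (events, binding) -> list of instances (extended binding, frozenset of event indices).
def event(filt):
    def run(events, binding):
        return [(b, frozenset([i])) for i, ev in enumerate(events)
                if (b := filt(ev, binding)) is not None]
    return run

def then(s1, s2):
    """S1 then S2 (slide 18): every event of the S2 instance is strictly after every event of S1."""
    def run(events, binding):
        return [(b2, ix1 | ix2) for b1, ix1 in s1(events, binding)
                for b2, ix2 in s2(events, b1) if max(ix1) < min(ix2)]
    return run

def both(s1, s2):
    """S1 and S2: both occur, in any order, on distinct events (assumption)."""
    def run(events, binding):
        return [(b2, ix1 | ix2) for b1, ix1 in s1(events, binding)
                for b2, ix2 in s2(events, b1) if not (ix1 & ix2)]
    return run

def such_that(sig, pred):
    def run(events, binding):
        return [(b, ix) for b, ix in sig(events, binding) if pred(b)]
    return run

def trigger(sig, alert):
    """Run the signature over a whole event stream; one alert per distinct instance."""
    def run(events):
        seen, alerts = set(), []
        for b, ix in sig(events, {}):
            key = (ix, tuple(sorted(b.items())))
            if key not in seen:
                seen.add(key)
                alerts.append(alert(b, ix))
        return alerts
    return run

def same_dir(f1, f2):
    return os.path.dirname(f1) == os.path.dirname(f2)


# The admintool() signature of slide 17.
ADMINTOOL = trigger(
    then(such_that(both(event(create_file(r".*/pkginfo", "File1", "User")),
                        event(create_file(r".*/pkgmap", "File2", "User"))),
                   lambda b: same_dir(b["File1"], b["File2"])),
         event(exec_prog("/usr/bin/admintool", "User"))),
    lambda b, ix: ("admintool_alert", b["User"], tuple(sorted(ix))))

# Constructed sample audit trail (not real BSM output); index = probe-local time.
EVENTS = [
    {"type": "create_file", "path": "/tmp/fake/pkginfo",  "ruid": 1001},
    {"type": "create_file", "path": "/tmp/fake/pkgmap",   "ruid": 1001},
    {"type": "create_file", "path": "/home/bob/pkgmap",   "ruid": 1002},
    {"type": "exec",        "path": "/usr/bin/ls",        "ruid": 1001},
    {"type": "exec",        "path": "/usr/bin/admintool", "ruid": 1001},
    {"type": "exec",        "path": "/usr/bin/admintool", "ruid": 1002},  # no pkginfo: no alert
]

# Slide 18: S1 = Ea then Eb, S2 = Eb then Ec, S = S1 then S2, over one-letter event types.
def typed(t):
    return lambda ev, b: b if ev["type"] == t else None

S1 = then(event(typed("a")), event(typed("b")))
S2 = then(event(typed("b")), event(typed("c")))
S = trigger(then(S1, S2), lambda b, ix: tuple(sorted(ix)))

def instances_of_S(types):
    """Instances of S in a stream such as "abc" (none) or "abbc" (one)."""
    return S([{"type": t} for t in types])
```

ADMINTOOL(EVENTS) yields a single alert for user 1001 built from events 0, 1 and 4; user 1002 never creates a pkginfo file, so its admintool execution raises nothing. instances_of_S("abc") is empty because the strict ordering in `then` forbids the single <Eb> from serving both S1 and S2, while "abbc" gives one instance.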

  19. From declarative signatures to rules
  • We re-use existing rule-based research
    – Much research has been done in the AI context
    – Efficient algorithms exist (e.g. RETE)
    – Several IDS rely on this paradigm
  • We prefer compiling to embedding
    – To ensure independence of the specification language from the implementation
    – To adapt the compilation strategy from one specification language to another
  Keep as much independence as possible from both source and target languages

  20. Compiling Sutekh into rules
  • Four-step algorithm
    – Build a state/transition diagram corresponding to the temporal constraints on events
    – Statically analyze the evolution of variable bindings along the paths of the diagram
    – Use this analysis to optimize the placement of constraint verifications
    – Generate code for the target rule-based language

  21. Compiling Sutekh into rules
  ([ f1 = A, f2 != B ] then [ f1 = A, f3 = B ]) such_that (pred(A)).
  [State diagram: state 1 —[ f1 = A, f2 != B ]→ state 2 —[ f1 = A, f3 = B ]→ state 3, with pred(A) attached to the transitions]
  Variable binding: state 1 {}, state 2 {A}, state 3 {A, B}

  22. Compiling Sutekh into rules
  ([ f1 = A, f2 != B ] then [ f1 = A, f3 = B ]) such_that (pred(A)).
  [State diagram: state 1 —[ f1 = A, f2 = X ]→ state 2 —[ f1 = A, f3 = B ], B != X → state 3, with pred(A) attached to the transitions]
  Variable binding: state 1 {}, state 2 {A, X}, state 3 {A, X, B}
  B is not yet bound when the first transition is taken, so f2 != B cannot be checked there: f2 is bound to a fresh variable X and the test B != X is deferred to the transition that binds B.
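The binding analysis of slides 20 to 22, as an added example (not the authors' compiler): a filter is a list of (field, op, var) constraints, "=" unifies the field with the variable (binding it on first occurrence) and "!=" only tests it. Walking a "then" chain of filters records the variables bound in each state, rewrites a "!=" against a still-unbound variable into the binding of a fresh variable plus a deferred inequality (slide 22), and attaches each such_that predicate to the first transition after which all of its variables are bound (step 3 of slide 20). Field and variable names follow the slides; the textual guard format and the fresh-variable names X1, X2, ... are assumptions.

```python
"""Added example (not the authors' compiler): variable-binding analysis for a
'then' chain of filters, placing each constraint on the earliest transition."""


def compile_chain(filters, predicates):
    """filters: constraint lists in 'then' order; predicates: (name, vars) such_that predicates.
    Returns (transitions, bindings): transitions[i] lists the guards checked on the
    (i+1)-th transition, bindings[i] is the set of variables bound in state i+1."""
    bound = set()
    bindings = [set()]            # state 1: nothing bound yet
    transitions = []
    deferred = []                 # (var, fresh) inequalities waiting for var to be bound
    pending = list(predicates)    # such_that predicates not yet placed
    fresh = 0
    for flt in filters:
        guards = []
        for field, op, var in flt:
            if op == "=" and var in bound:
                guards.append(f"{field} = {var}")      # unification with a bound variable: a test
            elif op == "=":
                guards.append(f"{var} := {field}")     # first occurrence: a binding
                bound.add(var)
            elif op == "!=" and var in bound:
                guards.append(f"{field} != {var}")
            elif op == "!=":
                fresh += 1                             # slide 22: remember the field in a fresh
                x = f"X{fresh}"                        # variable and test it once var is bound
                guards.append(f"{x} := {field}")
                bound.add(x)
                deferred.append((var, x))
            else:
                raise ValueError(f"unknown operator {op!r}")
        # Deferred inequalities and predicates are placed as soon as all their variables are bound.
        still_deferred = []
        for var, x in deferred:
            if var in bound:
                guards.append(f"{var} != {x}")
            else:
                still_deferred.append((var, x))
        deferred = still_deferred
        still_pending = []
        for name, vars_ in pending:
            if set(vars_) <= bound:
                guards.append(f"{name}({', '.join(vars_)})")
            else:
                still_pending.append((name, vars_))
        pending = still_pending
        transitions.append(guards)
        bindings.append(set(bound))
    if deferred or pending:
        raise ValueError("constraint on a variable the signature never binds")
    return transitions, bindings


# The signature of slides 21 and 22.
SLIDE_22 = [[("f1", "=", "A"), ("f2", "!=", "B")],
            [("f1", "=", "A"), ("f3", "=", "B")]]
PRED = [("pred", ("A",))]

if __name__ == "__main__":
    transitions, bindings = compile_chain(SLIDE_22, PRED)
    for i, (guards, bound) in enumerate(zip(transitions, bindings[1:]), 1):
        print(f"transition {i} -> state {i + 1}: {guards}; bound = {sorted(bound)}")
```

For the slide's signature the first transition binds A and X1 and already checks pred(A), since A is bound by then; the second transition tests f1 against the bound A, binds B and only then evaluates B != X1. A signature whose predicate names a variable no filter ever binds is rejected instead of being compiled into a rule that could never fire.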

  23. Conclusion
  • In the current trend of declarative specification
    – Sutekh is as expressive as the fragments of LAMBDA or ADeLe dedicated to signatures
    – We add a precise semantics to the language
    – We propose a first approach to implementing the specification
  • Further work
    – Specification of repetitive (counting) patterns by adding inductive signatures

