How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffic
WTMC 2018
Felix Erlacher, Falko Dressler
Network Intrusion Detection Systems (NIDS)
Felix Erlacher: How to Test an IDS? GENESIDS 2
Analyze network traffic for malicious activity
▶ Anomaly based NIDS
  ▶ Have a model of 'normal' traffic
  ▶ Detect and alert deviations from 'normal' traffic
▶ Signature based NIDS
  ▶ Have rule-set of known attacks and incidents
  ▶ Detect rule patterns in analyzed network traffic → Example: Snort
How to test a NIDS?
▶ Real traffic?
  ▶ hard to get
  ▶ public traces: old, no payload
  ▶ contains only very few attacks
▶ Manually creating attack traffic?
  ▶ time intensive
  ▶ cumbersome
SUMMARY: traces do not contain enough unique attacks
How to test a NIDS!
GENESIDS: Generating Events for Signature-based Intrusion Detection Systems
▶ INPUT: Set of attack descriptions
  ▶ Snort syntax
  ▶ HTTP attacks
▶ OUTPUT: Stateful network traffic containing attack patterns
  ▶ One flow per attack
  ▶ Annotated with an attack ID
Rule example:
alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;)
genesids -f example.rule -s example.com
Example traffic in Wireshark:
alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;)
[Screenshot: the generated HTTP flow for this rule, as captured in Wireshark]
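The rule-to-request step that the rule example and the Wireshark slide illustrate, as an added example that is not GENESIDS's own code: a simplified parser for the HTTP-relevant Snort options (content with the http_method modifier, uricontent with |..| hex escapes, pcre with the /P client-body flag), a minimal sample-string generator for a small PCRE subset, and an independent check that the assembled request satisfies the rule. The rule, sid and host example.com come from the slide; the supported PCRE subset and the option-parsing shortcuts are assumptions of this example.

```python
import re
# Snort rule from the slide; everything below is an added, simplified illustration, not GENESIDS code.
EXAMPLE_RULE = ('alert tcp any any -> any any ( msg:"This is an example rule"; '
                'content:"POST"; http_method; uricontent:"|2F|evil.jpg"; '
                'pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;)')

def decode_snort_bytes(s):  # expand Snort hex escapes: "|2F|evil.jpg" -> "/evil.jpg"
    return re.sub(r'\|([0-9A-Fa-f ]+)\|',
                  lambda m: bytes.fromhex(m.group(1).replace(' ', '')).decode('latin-1'), s)

def parse_rule(rule):
    """Extract the HTTP-relevant options (simplified: option values must not contain ';')."""
    opts = [o.strip() for o in rule[rule.index('(') + 1:rule.rindex(')')].split(';') if o.strip()]
    spec = {'method': 'GET', 'uri': '/', 'body_pcre': None, 'sid': None}
    for i, opt in enumerate(opts):
        key, _, val = opt.partition(':')
        val = val.strip().strip('"')
        if key == 'content' and opts[i + 1:i + 2] == ['http_method']:
            spec['method'] = decode_snort_bytes(val)
        elif key == 'uricontent':
            spec['uri'] = decode_snort_bytes(val)
        elif key == 'pcre' and val.endswith('P'):  # /P: match against the HTTP client body
            spec['body_pcre'] = val[1:val.rindex('/')]
        elif key == 'sid':
            spec['sid'] = int(val)
    return spec

def sample_from_pcre(pattern):
    """One string matching a small PCRE subset: literals, [..] classes (first member taken), '.', and '*', '+', '?' at minimum count."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == '[':
            atom, i = pattern[i + 1], pattern.index(']', i) + 1
        else:
            atom, i = ('x' if pattern[i] == '.' else pattern[i]), i + 1
        quant = pattern[i] if i < len(pattern) and pattern[i] in '*+?' else ''
        i += len(quant)
        out.append(atom if quant in ('', '+') else '')
    return ''.join(out)

def build_request(spec, host):  # method, URI and body are all derived from the rule
    body = sample_from_pcre(spec['body_pcre']) if spec['body_pcre'] else ''
    return (f"{spec['method']} {spec['uri']} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def request_matches(spec, request):  # independent re-check of the rule's HTTP options
    head, _, body = request.partition('\r\n\r\n')
    method, uri = head.split('\r\n')[0].split(' ')[:2]
    return (method == spec['method'] and spec['uri'] in uri and
            (spec['body_pcre'] is None or re.search(spec['body_pcre'], body) is not None))
```

For the slide's rule the request comes out as POST /evil.jpg with body AttackBody-V0, which is what the Wireshark screenshot shows in captured form.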
GENESIDS Evaluation: Goals & Rules
▶ Ability to generate a variety of different attacks
▶ Generated attacks trigger expected event
All supported Snort rules from:
▶ Snort.org subscriber rule-set
▶ Snort.org community rule-set
▶ Emerging Threats rule-set
TOTAL 8101 different rules
GENESIDS Evaluation steps
[Diagram, Step 1: Rules → GENESIDS → Signatures; GENESIDS sends the signatures over a TCP connection to an HTTP server while tcpdump records a network trace]
[Diagram, Step 2: Network trace + Rules → Snort → Alerts]
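The Step 2 comparison of Snort's alerts against the annotated attack flows, as an added example that is not part of the slides or of GENESIDS: alerts in Snort's fast format are parsed and scored per generated flow using the definitions the result slides use (true positive, false positive, false negative), plus a tally of which sids produced the false positives. The flows, sids and alert lines are constructed for this example; the [gid:sid:rev] bracket is the real fast-alert layout.

```python
import re
from collections import Counter

# Added example, not GENESIDS's evaluation code: score Snort alerts against the attack
# flows GENESIDS generated, each annotated with the sid it is meant to trigger.
# Snort fast-alert layout: "[gid:sid:rev] msg [**] [Priority: n] {proto} src:port -> dst:port".
ALERT_RE = re.compile(r'\[(\d+):(\d+):(\d+)\].*?\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)')

# Constructed data: (client ip, client port) of each generated flow -> expected sid.
SENT_ATTACKS = {
    ('10.0.0.5', 40001): 1234567,   # the slide's example rule
    ('10.0.0.5', 40002): 2000001,
    ('10.0.0.5', 40003): 2000002,
}
# Constructed alert lines in Snort fast format for the three flows above.
SAMPLE_ALERTS = """\
04/10-10:00:01.000001  [**] [1:1234567:0] This is an example rule [**] [Priority: 0] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80
04/10-10:00:01.000002  [**] [1:9000001:3] Unrelated rule also matched [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80
04/10-10:00:02.000001  [**] [1:2000001:1] Second generated attack [**] [Priority: 1] {TCP} 10.0.0.5:40002 -> 10.0.0.9:80
"""

def parse_fast_alerts(text):
    """Return (sid, client_ip, client_port) for every alert line that parses."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append((int(m.group(2)), m.group(5), int(m.group(6))))
    return out

def score_run(sent, alerts):
    """Apply the slides' definitions per generated flow: a true positive is the flow's own
    sid alerting, a false positive is any other alert on a generated flow, and a false
    negative is a flow whose sid never alerted. Also tallies which sids caused the FPs."""
    hit, fp_by_sid = set(), Counter()
    for sid, ip, port in alerts:
        flow = (ip, port)
        if sent.get(flow) == sid:
            hit.add(flow)
        else:
            fp_by_sid[sid] += 1
    missing = sorted(sid for flow, sid in sent.items() if flow not in hit)
    return {'tp': len(hit), 'fp': sum(fp_by_sid.values()), 'fn': len(missing),
            'missing_sids': missing, 'fp_by_sid': fp_by_sid}
```

Running the same scoring over every experiment run and averaging gives the per-run TP/FP/FN figures the following slides report; the FP tally by sid is what lets a few noisy rules be identified.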
Evaluation results: Generated attacks
[Plot: Attacks Sent per Experiment Run (0-100); y-axis Attacks, 0-10000]
▶ GENESIDS: 8101 attacks generated (out of 8101 rules)
Evaluation results: True positives
[Plot: Attacks Sent and Snort True Pos. Alerts per Experiment Run (0-100); y-axis Attacks, 0-10000]
▶ Snort: 7877 (avg) true positive alerts triggered (out of 8101)
Evaluation results: False positives
[Plot: Attacks Sent, Snort True Pos. Alerts and Snort False Pos. Alerts per Experiment Run (0-100); y-axis Attacks, log scale 100-10000]
▶ Snort: 2847 (avg) false positive alerts triggered (62% triggered by 3 rules)
Evaluation results: False negatives
[Plot: Attacks Sent, Snort True Pos. Alerts, Snort False Pos. Alerts and Snort False Negatives per Experiment Run (0-100); y-axis Attacks, log scale 100-10000]
▶ Snort: 223 (avg) false negatives (generated attacks that did not trigger the corresponding alert)
▶ Total of 363 rules generated an attack that failed to trigger its alert at least once (out of 100 runs)
Conclusion
GENESIDS: Generating attack traffic for NIDS testing
▶ Accepting Snort syntax → thousands of up-to-date attack definitions
▶ 97% of generated attacks triggered corresponding alert
▶ Less than 3% failed to trigger corresponding alert