provenance based intrusion detection
play

Provenance-based Intrusion Detection Thomas Pasquier University of - PowerPoint PPT Presentation

Dec 01, 2023 •220 likes •635 views

Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org 12/11/2020 1 Talk loosely based on following publications Han et al. SIGL: Securing Software Installations Through Deep Graph Learning ,

  1. Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org 12/11/2020 1

  2. Talk loosely based on following publications ● Han et al. “ SIGL: Securing Software Installations Through Deep Graph Learning” , USENIX Security 2021 ● Han et al. “UNICORN: Revisiting Host-Based Intrusion Detection in the Age of Data Provenance” , NDSS 2020 ● Pasquier et al. “Runtime Analysis of Whole-System Provenance” , ACM CCS 2018 ● Pasquier et al. “Practical Whole-System Provenance Capture” , ACM SoCC 2017 2

  3. Motivation: System call based intrusion detection System Calls 3

  4. Motivation: System call based intrusion detection System Calls Identify abnormal patterns 4

  5. Motivation: System call based intrusion detection System Calls Identify abnormal patterns Hidden among benign actions 5

  6. Motivation: System call based intrusion detection System Calls Identify abnormal patterns Hidden among benign actions Masquerading as benign action 6

  7. Motivation: System call based intrusion detection System Calls [...] Identify abnormal patterns Hidden among benign actions Masquerading as benign action [...] Over a long period of time 7

  8. What is provenance? 8

  9. What is provenance? - From the French “provenir” meaning “coming from” - Formal set of documents describing the origin of an art piece - Sequence of - Formal ownership - Custody - Places of storage - Used for authentication 9

  10. What is data-provenance? - Represent interactions between objects of different types - Data-items ( entities ) - Processing ( activities ) - Individuals and Organisations ( agents ) - Represented as a directed acyclic graph (think information flows) - Edges represent interactions between objects’ states as dependencies - It is a representation of history of a system execution - Immutable (unless it’s 1984) - No dependency to the future 10

  11. How is this useful? 11

  12. Provenance-based intrusion detection ▪ Intuition : provenance graph exposes causality relationships between events 12

  13. Provenance-based intrusion detection ▪ Intuition : provenance graph exposes causality relationships between events 13

  14. Provenance-based intrusion detection Related events are connected even across long period of time ▪ 14

  15. How to perform detection? 15

  16. Assumptions (and limitations) Runtime detection - We target environment with minimal human intervention - - relatively consistent behaviour - e.g. web servers, CI pipelines etc... Build a model of system behaviour (unsupervised training) - - in a controlled environment - from a representative workload (this is hard!) Detect deviation from the model - Several approaches being explored… - 16

  17. Example: UNICORN ▪ Han et al. “UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats” , NDSS 2020 17

  18. Example: UNICORN Graph streamed in, converted to histogram, labelled using (modified) 1) struct2vec 18

  19. Example: UNICORN 2) At regular interval, histogram converted to a fixed size vector using similarity preserving graph sketching 19

  20. Example: UNICORN 3) Feature vectors are clustered 20

  21. Example: UNICORN 4) Cluster forms “ meta-state ”, transitions are modelled In deployment, anomaly detected via clustering and “meta-state” model 21

  22. Relatively simple Labelled directed acyclic graph ▪ – node/edge types – security context (when available) Modification and combination of existing algorithms ▪ – struct2vec – similarity preserving hashing – clustering Right combination + domain knowledge ▪ 22

  23. Some insights from this work 23

  24. We can build practical provenance-based IDSs We can detect intrusion out of graph structure with little metadata ▪ – Vertex type (thread, file, socket etc…) – Edge type (read, write, connect etc…) Processing speed ▪ – Current prototype – Data generation speed < processing speed! 24

  25. Proper evaluation is hard! - Dataset are hard to generate - What is a good quality dataset? - Hard to compare across papers, a lot is not available - Experiments (i.e. attacks) - Capture Mechanisms - Analysis pipelines - Leads to unsatisfactory evaluation - I may be able to compare to similar techniques (may reuse dataset) - … very hard for unrelated one (i.e. ingest different data type) - Adversarial ML? 25

  26. Identifying threats: explainability is a problem There is a problem within the last batch of X graph elements ▪ – 2,000 in previous figures Good luck finding out what went wrong ▪ Provenance forensic is an active field of research ▪ – Promising work out of the DARPA programme … but could we do better during detection? ▪ 26

  27. Ongoing projects 27

  28. Towards more interpretable provenance-based IDSs ● PhD student project ( Xueyuan “Michael” Ha n) ● Collaborators ○ Harvard University ○ UBC ○ NEC Labs America ● Deep graph learning techniques ● Precisely identifying attacks within a provenance-graph ● Generating actionable reports 28

  29. A framework for Provenance-based forensics ● PhD student project ( Priyanka Badva ) ● Collaborators ○ SRI International ● Provenance graphs are large and complex (several millions nodes) ● Designing tools and techniques to identify/explain attacks ● Working with my colleague Ryan 29

  30. Distributed IDS - Edge network - Collaboration with Toshiba (£4M) - Exploring distributed learning - Poisoning - Mechanism - Etc. - Large testbed planned (work starting January) - Hiring 2 postdocs at Bristol - Money available for an intern short term (+-covid) 30

  31. Kernel partitioning ● PhD student project ( Soo Yee Lim ) ● Collaborators ○ HP Labs Bristol ○ Royal Holloway, University of London ○ University of Otago ● Leveraging CHERI/ARM Morello hardware ○ Hardware capabilities ● Implement kernel partitioning in the Linux OS 31

  32. Thank you! Questions? https://tfjmp.org thomas.pasquier@bristol.ac.uk 32

  33. How to evaluate? 33

  34. Comparison state of the art Manzoor et al. " Fast memory-efficient anomaly detection in streaming heterogeneous graphs " ACM KDD, 2016. R -> neighborhood size for struct2vec algorithm 34

  35. Evaluation with DARPA datasets 35

  36. Evaluation with DARPA datasets SUCH GOOD RESULTS ARE NOT NORMAL 36

  37. Building our own dataset ▪ Attack designed to look similar to background activity 37

  38. Building our own dataset ▪ Attack designed to look similar to background activity ▪ Is that enough? 38

  39. Runtime performance 39

  40. Runtime performance 40

  41. Runtime performance Memory usage: ~500MB CPU usage 15% on 1 core 41

Recommend

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

585 views • 30 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar Supervisor: Prof. Slobodan Petrovic FINSE 10th of may 2017 Contents Introduction Snort: a misuse-based intrusion detection Problem

247 views • 14 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to signature-based PCA detection Human intervention By Jeff Terrell Not adaptive; can't learn For COMP 290 - IDS - Spring 2005 Can be

360 views • 7 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection Systems Signature Based IDS Monitor packets on the network Compare them against database of signatures/attributes from known threats

476 views • 26 slides
Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc Nguyen, Phillip Rieger, Markus Miettinen, Ahmad-Reza Sadeghi Typical IoT Devices 2 IoT The S stands for Security 3 Mirai: Largest Disruptive

509 views • 33 slides
Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and

Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and

Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and Response Approaches Ph.D. Thesis Defense December 17th, 2019 1 HP Labs (ronny.chevalier@hp.com) 2 CIDRE Team, CentraleSuplec/Inria/CNRS/IRISA

1.66k views • 140 slides
A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs

A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs

A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs Sascha Lettgen University of Bonn, Germany Inst. of Computer Science IV Marko Jahnke, Jens Tlle, Uwe Weddige, Michael Bussmann FGAN/FKIE, Wachtberg,

641 views • 15 slides
Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic specification J. Lima, N. Escravana 1 Abstract In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the

375 views • 35 slides
Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International Conference on Computing in High Energy and Nuclear Physics Outline: Introduction Threat model Intrusion prevention Intrusion detection

420 views • 16 slides

More recommend