Lesson #8: Correlation. Matthijs Koot / SNE-IDS college 06-07

Transcription

1 Lesson #8: Correlation Faculteit van Natuurwetenschappen, Wiskunde en Informatica Universiteit van Amsterdam / SNE-IDS college 06-07

2 Outline

3 Warning. Warning Don t expect to see the topics discussed today be reflected in next year s IDS-product (except perhaps by their marketeers). Consider them a way forward", which will require cooperation and consensus from non-ids vendors.

4 Outline

5 Events and alerts.

6 Events and alerts.

7 Event correlation vs. and alert correlation.

8 Definitions. Dan Gorton, 2001: Definition Intrusion event correlation refers to the interpretation, combination, and analysis of neutral events from all available sources, about target system activity for the purposes of intrusion detection and response. Definition Intrusion alert correlation refers to the interpretation, combination, and analysis of intrusion alerts, together with information external to the intrusion detection system, with the purpose of intrusion alert refinement and intrusion scenario building.

9 Outline

10 Logging policy. Logging policy: what loggables should be logged? Consider: Guidelines on logging for security purposes Ask thyself: what loggables are relevant to detecting threats? "Best logging practices" Security expert advice Abstraction level Data activity Application activity OS activity Network activity Context Security domain/level, asset value Public vs. non-public infrastructure (churn)

11 Alerting policy. Alerting policy: what events yield an alert? Consider: Guidelines on alerting Ask thyself: what combination of events indicate an intrusion? "Best alerting practices" Security expert advice Context (again) Security domain/level, asset value Public vs. non-public infrastructure (churn) BUT ALSO: business-specific understanding of threat and intrusion MUST be resolvable to business goals SHOULD be resolvable to IT-goals

12 Outline

13 Goals. aims to: Reduce the total number of alerts Elimination Fusion Aggregation Synthesis Improve diagnostics Type of activity Relevance Verification Track activity Information leaked to attacker Information leaked from attacker

14 process. Source: Krueger, Valeur, Vigna - and Correlation", Springer 2005

15 Outline

16 . Syntax AND semantics Syntax: CIDF yielded IETF-IDWG, which yielded IDMEF/IDXP (next slide) Semantics: under construction - CVE, intrusion alert ontology,... Source: Krueger, Valeur, Vigna - and Correlation", Springer 2005

17 IDMEF data model. IDMEF = Message Exchange Format

18 IDXP transport model. IDXP = Exchange Protocol BEEP = Blocks Extensible Exchange Protocol (RFC 3080) IDXP carries IDMEF messages and is implemented as a BEEP profile

19 Outline

20 Alert fusion. Recognize and remove redundancy in alerts from different sensors

21 Alert verification. Alert verification Passive Verify target s (in)vulnerability in CMDB (and waive OS/2-Warp attacks on MINIX machines :-)) Wait for post-intrusion activity Wait for post-intrusion INactivity (missing heartbeats?) Active (perturbing) Connect to target, check for rogue processes Connect to target, check config files against known-good hashes

22 Outline

23 Two approaches to correlation. "Aha! Alerts seem to match <attack-pattern>." "I don t know what s happening, but these alerts appear (statistically) related."

24 Alert thread reconstruction. Cluster alerts into threads based on spatial and temporal proximity Incoming alerts are added to their best-matching thread One thread represents one attack (session) Questions to ask: Which attributes should be compared? How is a comparison actually done? What weight is assigned to each attribute? > Similarity matrices, similarity expectations require human knowledge, (re)introducing human fallibility (Ning).

25 Outline

26 Predefined attack scenarios. Specification of attack scenarios: Attack Scenario Language (Kruegel) Chronicles formalism (Debar) LAMBA (Cuppens)

27 Prerequisite-consequence analysis. Alert conditionality through hyper-alerts: (fact, prerequisite, consequence) Prerequisite specifies a condition for a successful attack Consequence specifies possible result If chronologics allow it, this may fulfill another prerequisite This yields a (may-)prepare-for relation

28 Prerequisite-consequence analysis (2). Example hyper-alert correlation graph Source: Ning et al - Techniques and Tools for Analyzing Intrusion Alerts", 2004

29 Purpose and value of correlation process ad 2005 Not discussed: Bayes and Granger-Causality for behavior-based correlation

30 Feedback! Question Questions?