Lesson #8: Correlation Faculteit van Natuurwetenschappen, Wiskunde en Informatica Universiteit van Amsterdam 2007-05-10 / SNE-IDS college 06-07
Outline
Warning. Don't expect to see the topics discussed today reflected in next year's IDS product (except perhaps by their marketeers). Consider them "a way forward", which will require cooperation and consensus from non-IDS vendors.
Events and alerts.
Event correlation vs. alert correlation.
Definitions (Dan Gorton, 2001).
Definition: Intrusion event correlation refers to the interpretation, combination, and analysis of neutral events from all available sources, about target system activity, for the purposes of intrusion detection and response.
Definition: Intrusion alert correlation refers to the interpretation, combination, and analysis of intrusion alerts, together with information external to the intrusion detection system, with the purpose of intrusion alert refinement and intrusion scenario building.
Logging policy. Logging policy: what loggables should be logged?
Consider: guidelines on logging for security purposes. Ask thyself: what loggables are relevant to detecting threats?
- "Best logging practices"
- Security expert advice
- Abstraction level: data activity, application activity, OS activity, network activity
- Context: security domain/level, asset value; public vs. non-public infrastructure (churn)
Alerting policy. Alerting policy: what events yield an alert?
Consider: guidelines on alerting. Ask thyself: what combination of events indicates an intrusion?
- "Best alerting practices"
- Security expert advice
- Context (again): security domain/level, asset value; public vs. non-public infrastructure (churn)
BUT ALSO: a business-specific understanding of threat and intrusion. An alert MUST be resolvable to business goals and SHOULD be resolvable to IT goals.
Goals. Alert correlation aims to:
- Reduce the total number of alerts: elimination, fusion, aggregation, synthesis
- Improve diagnostics: type of activity, relevance, verification
- Track activity: information leaked to the attacker, information leaked from the attacker
Correlation process. Source: Kruegel, Valeur, Vigna - "Intrusion Detection and Correlation", Springer 2005
Syntax AND semantics. Syntax: CIDF yielded the IETF IDWG, which yielded IDMEF/IDXP (next slide). Semantics: under construction - CVE, intrusion alert ontology, ... Source: Kruegel, Valeur, Vigna - "Intrusion Detection and Correlation", Springer 2005
IDMEF data model. IDMEF = Intrusion Detection Message Exchange Format (RFC 4765)
IDXP transport model. IDXP = Intrusion Detection Exchange Protocol (RFC 4767). BEEP = Blocks Extensible Exchange Protocol (RFC 3080). IDXP carries IDMEF messages and is implemented as a BEEP profile.
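The "syntax" half of the previous slides in practice: a correlator first has to read IDMEF off the wire and reduce each message to the few attributes it will key on. The following is an added example written for these notes, not code from the course or from any IDMEF implementation; the two alerts it parses are constructed sample data (the analyzer ids, addresses, signature name and URL are placeholders), and only the handful of IDMEF elements needed for correlation are extracted.

```python
"""Parse minimal IDMEF (RFC 4765) Alert messages into flat Python dicts.

Added example, not from the slides: the XML below is constructed, and only
the handful of IDMEF elements needed to key a correlation are extracted.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

IDMEF_NS = "http://iana.org/idmef"
NS = {"idmef": IDMEF_NS}


def make_alert(messageid, analyzerid, create_time, src, dst, dport):
    """Build one constructed <Alert> element (sample data, not a real sensor)."""
    return f"""
  <idmef:Alert messageid="{messageid}">
    <idmef:Analyzer analyzerid="{analyzerid}" manufacturer="example-vendor"/>
    <idmef:CreateTime ntpstamp="0x00000000.0x00000000">{create_time}</idmef:CreateTime>
    <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>{src}</idmef:address></idmef:Address></idmef:Node></idmef:Source>
    <idmef:Target><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>{dst}</idmef:address></idmef:Address></idmef:Node>
      <idmef:Service><idmef:port>{dport}</idmef:port></idmef:Service></idmef:Target>
    <idmef:Classification text="Web server buffer overflow attempt">
      <idmef:Reference origin="vendor-specific"><idmef:name>example-sig-0001</idmef:name>
        <idmef:url>http://example.invalid/sig/0001</idmef:url></idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>"""


# Constructed sample: two DMZ sensors report the same attempt one second apart.
SAMPLE_IDMEF = (
    f'<idmef:IDMEF-Message xmlns:idmef="{IDMEF_NS}" version="1.0">'
    + make_alert("m-1", "nids-dmz-1", "2007-05-10T10:01:25Z", "192.0.2.47", "198.51.100.10", 80)
    + make_alert("m-2", "nids-dmz-2", "2007-05-10T10:01:26Z", "192.0.2.47", "198.51.100.10", 80)
    + "\n</idmef:IDMEF-Message>"
)


def _text(el, path):
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def parse_idmef(xml_text):
    """Return one flat dict per <Alert>; None where a sensor omitted an element."""
    root = ET.fromstring(xml_text)
    out = []
    for alert in root.findall("idmef:Alert", NS):
        analyzer = alert.find("idmef:Analyzer", NS)
        cls = alert.find("idmef:Classification", NS)
        ref = alert.find("idmef:Classification/idmef:Reference", NS)
        port = _text(alert, "idmef:Target/idmef:Service/idmef:port")
        out.append({
            "messageid": alert.get("messageid"),
            "analyzerid": analyzer.get("analyzerid") if analyzer is not None else None,
            # CreateTime is ISO 8601; the sample uses UTC 'Z', a full parser must
            # also accept numeric offsets and the ntpstamp attribute.
            "time": datetime.strptime(_text(alert, "idmef:CreateTime"), "%Y-%m-%dT%H:%M:%SZ"),
            "src": _text(alert, "idmef:Source/idmef:Node/idmef:Address/idmef:address"),
            "dst": _text(alert, "idmef:Target/idmef:Node/idmef:Address/idmef:address"),
            "dport": int(port) if port else None,
            # Classification text is free-form (syntax only); the Reference is the
            # hook for shared semantics such as a CVE name.
            "classification": cls.get("text") if cls is not None else None,
            "reference": (ref.get("origin"), _text(ref, "idmef:name")) if ref is not None else None,
        })
    return out


if __name__ == "__main__":
    for a in parse_idmef(SAMPLE_IDMEF):
        print(a)
```

Note that the two alerts differ only in analyzer id, message id and a one-second timestamp: exactly the redundancy that alert fusion (later slides) exists to remove, which is why the parser keeps the analyzer id separate from the attributes describing the observation.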
Alert fusion. Recognize and remove redundancy in alerts from different sensors
Alert verification.
Passive:
- Verify the target's (in)vulnerability in the CMDB (and waive OS/2 Warp attacks on MINIX machines :-))
- Wait for post-intrusion activity
- Wait for post-intrusion INactivity (missing heartbeats?)
Active (perturbing):
- Connect to the target, check for rogue processes
- Connect to the target, check config files against known-good hashes
Two approaches to correlation. "Aha! Alerts seem to match <attack-pattern>." versus "I don't know what's happening, but these alerts appear (statistically) related."
Alert thread reconstruction. Cluster alerts into threads based on spatial and temporal proximity. Incoming alerts are added to their best-matching thread; one thread represents one attack (session). Questions to ask: which attributes should be compared? How is a comparison actually done? What weight is assigned to each attribute? Similarity matrices and similarity expectations require human knowledge, (re)introducing human fallibility (Ning).
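The two clustering steps from these slides, alert fusion (same observation seen by several sensors) and alert thread reconstruction (weighted similarity to the best-matching thread), as an added example written for these notes; it is not code from the course, from Kruegel/Valeur/Vigna or from Ning. The alerts, the fusion window, the attribute weights and the threshold are all constructed, and the weights in particular are the piece of "human knowledge" the slide warns about.

```python
"""Alert fusion and alert-thread reconstruction over normalized alerts.

Added example, not from the slides or any product: the alerts, weights,
window and threshold below are constructed to show the two mechanisms.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    t: int              # seconds into the capture (constructed)
    analyzer: str
    src: str
    dst: str
    dport: int
    classification: str


# Fusion: the same observation reported by several sensors (different
# analyzer, everything else equal) within a short window becomes one alert.
FUSION_WINDOW = 2  # seconds; must cover sensor clock skew plus queueing delay


def fuse(alerts, window=FUSION_WINDOW):
    fused = []  # each entry: {"alert": representative, "analyzers": set, "count": int}
    for a in sorted(alerts, key=lambda x: x.t):
        for f in fused:
            b = f["alert"]
            same = (a.src, a.dst, a.dport, a.classification) == (b.src, b.dst, b.dport, b.classification)
            if same and a.t - b.t <= window:      # input is sorted, so a.t >= b.t
                f["analyzers"].add(a.analyzer)
                f["count"] += 1
                break
        else:
            fused.append({"alert": a, "analyzers": {a.analyzer}, "count": 1})
    return fused


# Thread reconstruction: weighted similarity of an incoming alert to each
# open thread; it joins the best thread if the score reaches the threshold,
# otherwise it starts a new thread. Weights and threshold are hand-chosen.
WEIGHTS = {"src": 0.4, "dst": 0.3, "classification": 0.1, "time": 0.2}
THREAD_TIMEOUT = 600   # seconds: the temporal term decays linearly to 0 here
THRESHOLD = 0.6


def similarity(alert, thread):
    s = WEIGHTS["src"] * (alert.src in thread["srcs"])
    s += WEIGHTS["dst"] * (alert.dst in thread["dsts"])
    s += WEIGHTS["classification"] * (alert.classification in thread["classes"])
    s += WEIGHTS["time"] * max(0.0, 1 - (alert.t - thread["last_t"]) / THREAD_TIMEOUT)
    return s


def reconstruct_threads(alerts, threshold=THRESHOLD):
    threads = []
    for a in sorted(alerts, key=lambda x: x.t):
        scored = [(similarity(a, th), i) for i, th in enumerate(threads)]
        best_score, best = max(scored, default=(0.0, None))
        if best is not None and best_score >= threshold:
            th = threads[best]
            th["alerts"].append(a); th["srcs"].add(a.src); th["dsts"].add(a.dst)
            th["classes"].add(a.classification); th["last_t"] = a.t
        else:
            threads.append({"alerts": [a], "srcs": {a.src}, "dsts": {a.dst},
                            "classes": {a.classification}, "last_t": a.t})
    return threads


# Constructed input: one attacker scans then brute-forces a host (seen by two
# sensors each time), a second attacker sweeps SMB on two other hosts.
RAW_ALERTS = [
    Alert(0,   "nids-dmz-1", "192.0.2.47",  "198.51.100.10", 80,  "web-overflow-attempt"),
    Alert(1,   "nids-dmz-2", "192.0.2.47",  "198.51.100.10", 80,  "web-overflow-attempt"),
    Alert(60,  "nids-dmz-1", "192.0.2.47",  "198.51.100.10", 22,  "ssh-bruteforce"),
    Alert(61,  "hids-web-1", "192.0.2.47",  "198.51.100.10", 22,  "ssh-bruteforce"),
    Alert(120, "nids-dmz-1", "203.0.113.9", "198.51.100.77", 445, "smb-scan"),
    Alert(130, "nids-dmz-1", "203.0.113.9", "198.51.100.78", 445, "smb-scan"),
]


def correlate(alerts=RAW_ALERTS):
    """Fuse first, then thread the fused representatives: 6 alerts -> 4 -> 2 threads."""
    fused = fuse(alerts)
    return fused, reconstruct_threads([f["alert"] for f in fused])


if __name__ == "__main__":
    fused, threads = correlate()
    for f in fused:
        print(f["count"], sorted(f["analyzers"]), f["alert"])
    for i, th in enumerate(threads):
        print("thread", i, [a.t for a in th["alerts"]])
```

The second SMB alert joins the first attacker's thread on source address and classification alone (0.4 + 0.1 + a time term just under 0.2), while it scores below 0.2 against the first thread; move the threshold to 0.7 or shrink the source weight and it becomes its own thread. That sensitivity, not the arithmetic, is the point of the "human fallibility" remark.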
Predefined attack scenarios. Specification of attack scenarios: Attack Scenario Language (Kruegel), Chronicles formalism (Debar), LAMBDA (Cuppens).
Prerequisite-consequence analysis. Alert conditionality through hyper-alerts: (fact, prerequisite, consequence). The prerequisite specifies a condition for the attack to succeed; the consequence specifies its possible result. If the timing allows it, a consequence may fulfil another alert's prerequisite. This yields a (may-)prepare-for relation.
Prerequisite-consequence analysis (2). Example hyper-alert correlation graph. Source: Ning et al. - "Techniques and Tools for Analyzing Intrusion Alerts", 2004
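The prepare-for relation of the two preceding slides, carried through on a small set of hyper-alerts, as an added example written for these notes; it is not Ning et al.'s tool or its graph, and the hyper-alert types, predicate names and alert instances are constructed. It shows the two checks the relation needs: a consequence of one alert must instantiate to a prerequisite of the next, and the first must end before the second begins.

```python
"""Prerequisite/consequence correlation of hyper-alerts, after Ning et al.

Added example, not from the slides or Ning's tools: the hyper-alert types,
predicate names and alert instances below are constructed for illustration.
"""
from collections import namedtuple

# A hyper-alert type lists the predicates that must hold for the attack to
# succeed and the predicates it establishes. Predicates are templates
# (name, attribute-names) filled in from a concrete alert's attributes.
HyperAlertType = namedtuple("HyperAlertType", "prerequisites consequences")

TYPES = {
    "PortScan": HyperAlertType(
        prerequisites=set(),
        consequences={("ExistService", ("DestIP", "DestPort"))}),
    "ServiceExploit": HyperAlertType(
        prerequisites={("ExistService", ("DestIP", "DestPort"))},
        consequences={("GainAccess", ("DestIP",))}),
    "OutboundShell": HyperAlertType(   # a compromised host connecting back out
        prerequisites={("GainAccess", ("SrcIP",))},
        consequences={("ReverseShell", ("SrcIP", "DestIP"))}),
}


class HyperAlert:
    def __init__(self, hid, type_name, begin, end, **attrs):
        self.hid, self.type_name = hid, type_name
        self.begin, self.end, self.attrs = begin, end, attrs

    def _instantiate(self, templates):
        """ExistService(DestIP, DestPort) -> ExistService(198.51.100.10, 80)."""
        return {(name, tuple(self.attrs[a] for a in args)) for name, args in templates}

    def prerequisites(self):
        return self._instantiate(TYPES[self.type_name].prerequisites)

    def consequences(self):
        return self._instantiate(TYPES[self.type_name].consequences)


def prepares_for(h1, h2):
    """h1 (may-)prepares-for h2: some consequence of h1 is a prerequisite of h2
    AND h1 finished before h2 began. Matching predicates in the wrong order
    are not correlated, which is what 'if the timing allows it' means."""
    return h1.end < h2.begin and bool(h1.consequences() & h2.prerequisites())


def correlation_graph(alerts):
    """Return (edges, isolated): prepare-for edges and ids of uncorrelated alerts."""
    edges = [(a.hid, b.hid) for a in alerts for b in alerts
             if a is not b and prepares_for(a, b)]
    linked = {hid for edge in edges for hid in edge}
    return edges, {a.hid for a in alerts} - linked


# Constructed instances; begin/end are seconds into the capture.
# Note the attribute mapping in A2 -> A3: the exploit's DestIP is the
# shell's SrcIP, which the predicate templates resolve for us.
ALERTS = [
    HyperAlert("A1", "PortScan", 10, 40, SrcIP="192.0.2.47", DestIP="198.51.100.10", DestPort=80),
    HyperAlert("A2", "ServiceExploit", 100, 101, SrcIP="192.0.2.47", DestIP="198.51.100.10", DestPort=80),
    HyperAlert("A3", "OutboundShell", 130, 130, SrcIP="198.51.100.10", DestIP="192.0.2.47"),
    # Exploit observed before the scan of the same service: predicates match,
    # chronology does not, so no edge is drawn.
    HyperAlert("A4", "ServiceExploit", 50, 51, SrcIP="203.0.113.9", DestIP="198.51.100.77", DestPort=445),
    HyperAlert("A5", "PortScan", 120, 125, SrcIP="203.0.113.9", DestIP="198.51.100.77", DestPort=445),
]


if __name__ == "__main__":
    edges, isolated = correlation_graph(ALERTS)
    for src, dst in edges:
        print(f"{src} prepares for {dst}")
    print("isolated:", sorted(isolated))
```

The isolated alerts are not thrown away: A4 is an exploit attempt that the correlator cannot explain, which is a candidate for the verification step rather than for elimination.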
Purpose and value of the correlation process, as of 2005. Not discussed: Bayes and Granger causality for behaviour-based correlation.
Feedback! Questions?