Design and Implementation of a Network Monitoring Tool
Introduction
Most organizations today depend on networked computer systems as an essential infrastructure for doing business. Billions of dollars are transferred around the world over computer networks. Increased connectivity and the use of the Internet have exposed the organizations to subversion. The loss to an organization due to lack of availability of critical computing resources or theft of intellectual property because of malicious actions can be significant. It has therefore become critical to protect an organization's information systems and communication networks from malicious attacks and unauthorized access.
An Intrusion Detection System (IDS) is used to inspect data for malicious or anomalous activities and detect attacks or unauthorized use of systems, networks, and related resources. It seeks to increase the security and hence the availability, integrity, and confidentiality of computer systems by providing information that would enable the system administrator to take necessary actions.
There are broadly two types of Intrusion Detection Systems. These are host-based IDS and network-based IDS. Host-based IDS uses system and audit logs as its data source, while network-based IDS uses network traffic as its data source. A host-based Intrusion Detection System consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, etc.), and other host activities. In a network-based Intrusion Detection System, sensors are placed at strategic points within the network to capture all network traffic flows and analyze the content of individual packets for malicious activities such as denial of service attacks, buffer overflow attacks, etc. Each approach has its respective strengths and weaknesses. Some of the attacks can be detected only by host-based or only by network-based IDS. For example, certain types of encryption present challenges to network-based IDS. Depending on where the encryption resides within the protocol stack, it may leave a network-based system blind to certain attacks which a host-based IDS can detect. Similarly, there are some attacks which can only be detected by examining packet headers for signs of malicious and suspicious activities. Host-based IDS do not see the packet header, so they cannot detect these types of attacks, while network-based IDS can detect them.
The two main techniques used by Intrusion Detection Systems for detecting attacks are Misuse Detection and Anomaly Detection. In a Misuse Detection system, also known as a signature-based system, well-known attacks are represented by signatures. A signature is a pattern of activity which corresponds to the intrusion it represents. The IDS identifies intrusions by looking for these patterns in the data being analyzed. The accuracy of such a system depends on its signature database. Misuse Detection systems cannot detect novel attacks or slight variations of known attacks.
An anomaly-based IDS examines ongoing traffic, activity, transactions, or behavior for anomalies on networks or systems that may indicate an attack. The underlying principle is the notion that attack behavior differs enough from normal user behavior that it can be detected by cataloging and identifying the differences involved. By creating baselines of normal behavior, anomaly-based IDS systems can observe when current behavior deviates statistically from the norm. This capability theoretically gives anomaly-based IDS the ability to detect new attacks for which signatures have not been created. The disadvantage of this approach is that there is no clear-cut method for defining normal behavior. Therefore, such an IDS can report an intrusion even when the activity is legitimate.
Intrusion Detection Systems trigger thousands of alarms per day [7]. Evaluating intrusion detection alarms and conceiving an appropriate response is a challenging task. From a security administrator's point of view, it is important to reduce the redundancy of alarms, intelligently integrate and correlate security alerts, construct attack scenarios (defined as a sequence of related attack steps) and present high-level aggregated information. Correlating alerts to identify an attack scenario can also help forensic analysis, response and recovery, and even prediction of forthcoming attacks. One of the current areas of research in Intrusion Detection Systems is to develop methodologies to give a succinct and high-level view of attempted intrusions to the system administrator. Various approaches have been developed to correlate and aggregate alerts.
1.1 Problem Statement and Approach
Traditional Intrusion Detection Systems focus on low-level attacks or anomalies and raise alerts. In situations where there are intensive attacks, the number of alerts becomes unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. Moreover, most of the alerts are not isolated. They are usually steps in multi-stage attacks which try to compromise the security of a system.
The approaches to correlate and aggregate alerts fall into three broad categories: Alert Fusion, Attack Scenario Construction, and Alert Clustering. In Alert Fusion, alerts that are generated by different IDS in response to a single attack are identified and merged. The aim of Attack Scenario Construction is to identify multi-step attacks that represent a sequence of actions performed by the same attacker. Alert Clustering groups alerts in a cluster based on similarities between alert attributes and constructs a generalized attribute from the cluster, where 'similarity' can be defined in various ways.
In this thesis, we describe the design and implementation of an Attack Scenario Construction scheme and Automated Report Generation for Sachet, a distributed, real-time, network-based intrusion detection system with centralized control, developed at IIT Kanpur [14, 11]. Sachet IDS employs both misuse detection and anomaly detection. The architecture of Sachet IDS is explained in Chapter 3.
The aim of Attack Scenario Construction is to identify logical relations among low level alerts, correlate them and to provide the system administrator with a condensed view of reported security issues known as Attack Scenarios. Most intrusions are not isolated, but related as different stages of a series of attacks, with the early stages preparing for the later ones. For example, attackers need to know what vulnerable services are running on a host before they can take advantage of these services. Thus, they typically scan for vulnerable services before they break into the system. As another example, in the Distributed Denial of Service (DDOS) attacks, the attacker has to install the DDOS daemon programs in vulnerable hosts before he instructs the daemons to launch an attack against another system. Therefore, in a series of attacks, one or more previous attacks usually prepare for the following attacks, and the success of the previous steps affects the success of the following ones. In other words, there are often logical steps or strategies behind a series of attacks.
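The post above contrasts misuse (signature) detection with statistical anomaly detection. The following is an added example, not code from the thesis or from Sachet, that runs both techniques over a constructed window of connection events: a hypothetical signature database of two regexes, and a per-source connection-rate baseline with a mean-plus-k-sigma threshold. The signature names, hosts, baseline counts and events are all invented for the example.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

Event = Tuple[int, str, str, int, bytes]  # (id, src, dst, dport, payload)

# Hypothetical signature database for misuse detection: name -> pattern over payload.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "ftp-site-exec": re.compile(rb"SITE\s+EXEC"),
    "nop-sled": re.compile(rb"\x90{16,}"),
}

# Constructed baseline: connections per source in each of six past 60 s windows.
BASELINE_COUNTS: Dict[str, List[int]] = {
    "10.0.0.2": [3, 4, 5, 4, 3, 5],
    "10.0.0.3": [8, 9, 7, 10, 8, 9],
}

# Constructed events for one 60 s window (not real traffic).
EVENTS: List[Event] = [
    (1, "10.0.0.2", "10.0.0.5", 21, b"USER anonymous\r\n"),
    (2, "10.0.0.2", "10.0.0.5", 21, b"SITE EXEC %p%p%p%p\r\n"),  # known exploit pattern
    (3, "10.0.0.3", "10.0.0.5", 80, b"GET / HTTP/1.0\r\n"),
]
# A port scan: 40 connection attempts from one outside host, no payload, no signature.
EVENTS += [(100 + i, "203.0.113.9", "10.0.0.5", 1 + i, b"") for i in range(40)]
# A legitimate backup job that also bursts: 20 rsync connections from an internal host.
EVENTS += [(200 + i, "10.0.0.4", "10.0.0.6", 873, b"rsync") for i in range(20)]


def misuse_detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Signature-based detection: (event id, signature name) for every payload match."""
    hits = []
    for eid, _src, _dst, _dport, payload in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.append((eid, name))
    return hits


def rate_threshold(baseline: Dict[str, List[int]], k: float = 3.0) -> float:
    """Anomaly threshold: mean + k standard deviations of the baseline per-source counts."""
    samples = [c for counts in baseline.values() for c in counts]
    return statistics.mean(samples) + k * statistics.stdev(samples)


def anomaly_detect(events: List[Event], baseline: Dict[str, List[int]],
                   k: float = 3.0) -> Dict[str, int]:
    """Statistical anomaly detection: flag sources whose connection count in this
    window exceeds the baseline threshold. Returns {src: count} for flagged sources."""
    threshold = rate_threshold(baseline, k)
    per_src = Counter(src for _eid, src, _dst, _dport, _payload in events)
    return {src: n for src, n in per_src.items() if n > threshold}


if __name__ == "__main__":
    print("misuse  :", misuse_detect(EVENTS))
    print("anomaly :", anomaly_detect(EVENTS, BASELINE_COUNTS))
```

On this input the exploit (event 2) is caught only by the signature, since its source sends at a normal rate; the scan is caught only by the rate anomaly, since it carries no payload to match; and the backup host is flagged as well, which is exactly the "legitimate activity reported as an intrusion" weakness the post describes.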

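The post describes Alert Fusion and Attack Scenario Construction, and gives the scan-then-exploit and install-daemon-then-launch-DDoS chains as examples of steps that prepare for later steps. The following is an added example, not the thesis's or Sachet's scheme: it encodes each alert type's prerequisites and consequences in a small hypothetical knowledge base, fuses duplicate reports from different sensors, and links alert a to alert b when a precedes b and a consequence of a instantiates to a prerequisite of b. The alert types, predicate names, hosts and timestamps are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Alert:
    id: int
    ts: float      # seconds since start of capture
    sensor: str    # which IDS sensor raised it
    kind: str      # alert type as reported by the sensor
    src: str
    dst: str

# Hypothetical knowledge base (an assumption of this example, not Sachet's rule set):
# alert type -> (prerequisite predicates, consequence predicates). The name in
# parentheses is the alert attribute that instantiates the predicate.
KB: Dict[str, Tuple[List[str], List[str]]] = {
    "PortScan":          ([],                   ["ScannedHost(dst)"]),
    "FTPExploit":        (["ScannedHost(dst)"], ["RootAccess(dst)"]),
    "DDoSDaemonInstall": (["RootAccess(dst)"],  ["DDoSDaemon(dst)"]),
    "DDoSLaunch":        (["DDoSDaemon(src)"],  ["DoS(dst)"]),
}

def instantiate(templates: List[str], a: Alert) -> Set[str]:
    """Turn 'Pred(attr)' templates into concrete facts such as 'RootAccess(10.0.0.5)'."""
    facts = set()
    for t in templates:
        name, attr = t[:-1].split("(")
        facts.add(f"{name}({getattr(a, attr)})")
    return facts

def fuse(alerts: List[Alert], window: float = 2.0) -> List[Alert]:
    """Alert fusion: when several sensors report the same type/src/dst within
    `window` seconds, keep only the earliest report. Output is sorted by time."""
    kept: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        duplicate = any(k.kind == a.kind and k.src == a.src and k.dst == a.dst
                        and k.sensor != a.sensor and a.ts - k.ts <= window for k in kept)
        if not duplicate:
            kept.append(a)
    return kept

def correlate(alerts: List[Alert]) -> Tuple[Dict[int, List[int]], Set[int]]:
    """Add a 'prepares for' edge a -> b when a strictly precedes b and one of a's
    consequences is one of b's prerequisites. Returns (edges, ids that have a parent)."""
    ordered = sorted(alerts, key=lambda x: x.ts)
    edges: Dict[int, List[int]] = defaultdict(list)
    has_parent: Set[int] = set()
    for j, b in enumerate(ordered):
        needs = instantiate(KB.get(b.kind, ([], []))[0], b)
        if not needs:
            continue
        for a in ordered[:j]:
            gives = instantiate(KB.get(a.kind, ([], []))[1], a)
            if a.ts < b.ts and gives & needs:
                edges[a.id].append(b.id)
                has_parent.add(b.id)
    return edges, has_parent

def scenarios(alerts: List[Alert]) -> Tuple[List[Alert], List[List[int]]]:
    """Fuse, correlate, then walk every root-to-leaf path of two or more alerts."""
    fused = fuse(alerts)
    edges, has_parent = correlate(fused)
    chains: List[List[int]] = []

    def walk(path: List[int]) -> None:
        nxt = edges.get(path[-1], [])
        if not nxt:
            if len(path) > 1:
                chains.append(path)
            return
        for n in nxt:
            walk(path + [n])

    for a in fused:
        if a.id not in has_parent:   # roots: alerts nothing prepared for
            walk([a.id])
    return fused, chains

def describe(fused: List[Alert], chain: List[int]) -> str:
    kinds = {a.id: a.kind for a in fused}
    return " -> ".join(kinds[i] for i in chain)

# Constructed alerts (not real Sachet output). Alerts 1 and 2 are one scan seen by two
# sensors; alert 6 is an exploit reported BEFORE its scan (7), so it must not chain.
SAMPLE = [
    Alert(1, 0.0, "sensorA", "PortScan", "203.0.113.9", "10.0.0.5"),
    Alert(2, 0.4, "sensorB", "PortScan", "203.0.113.9", "10.0.0.5"),
    Alert(3, 12.0, "sensorA", "FTPExploit", "203.0.113.9", "10.0.0.5"),
    Alert(4, 25.0, "sensorA", "DDoSDaemonInstall", "203.0.113.9", "10.0.0.5"),
    Alert(5, 60.0, "sensorB", "DDoSLaunch", "10.0.0.5", "198.51.100.20"),
    Alert(6, 5.0, "sensorA", "FTPExploit", "192.0.2.7", "10.0.0.9"),
    Alert(7, 30.0, "sensorA", "PortScan", "192.0.2.7", "10.0.0.9"),
]

if __name__ == "__main__":
    fused, chains = scenarios(SAMPLE)
    print(f"{len(SAMPLE)} raw alerts -> {len(fused)} after fusion")
    for c in chains:
        print("scenario:", describe(fused, c))
```

Seven raw alerts become six after fusion and one four-step scenario, PortScan -> FTPExploit -> DDoSDaemonInstall -> DDoSLaunch; note that the launch is linked through the compromised host appearing as the launch alert's source rather than its destination, which is why the knowledge base names the attribute per predicate. Alerts 6 and 7 stay unlinked because the exploit arrived before the scan that would have prepared for it.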
RE: Design and Implementation of a Network Monitoring Tool - by smart paper boy - 11-08-2011, 11:56 AM