An Open Security Defense Architecture For Open Collaborative Cyber Infrastructures


An open security defense architecture for open collaborative cyber infrastructures

Xinming (Simon) Ou Kansas State University


The Great Plains Network Annual Meeting 2009 (GPN 2009), May 29, Kansas City, Missouri

Challenges to securing cyber infrastructures

Cyber warfare is asymmetric
- An attack only needs to break a few points; defense has to be comprehensive

Attackers have the upper hand in automation
- Many automated exploit tools; not so many good defense tools

Openness of academic cyber infrastructures
- Unrealistic to impose draconian control on access

Multi-step Attacks

[Figure: example network for a multi-step attack. Internet -> Firewall 1 -> demilitarized zone (DMZ) with webServer -> Firewall 2 -> corporate network with workStation, fileServer, webPages and sharedBinary (Trojan horse).]

Solution

[Figure: a Reasoning System takes as input information about users, the network configuration and the host configuration from the system admin, high-level knowledge from the security expert (Linux security behavior, Windows security behavior, common attack techniques) and vulnerability reports (e.g. "Apache 1.3.4 bug!" from a CERT advisory), and outputs the potential attack paths.]

[Figure: architecture overview. Baseline security knowledge from the broader security community (OVAL/Nessus repository, NVD, CVSS) and high-level security knowledge feed an automated analyzer; information collection from the enterprise network (security scanning and monitoring) establishes the baseline security status; the analyzer outputs suggested configuration changes to harden security.]

MulVAL
Ou, Govindavajhala, and Appel. USENIX Security 2005

[Figure: MulVAL data flow. Inputs: interaction rules from security experts; vulnerability information (e.g. NIST NVD) and vulnerability definitions (e.g. OVAL, Nessus Scripting Language), consumed by the MulVAL scanner running on each host; network reachability information from a network analyzer; user information. The analyzer answers questions such as "Could root be compromised on any of the machines?"]

Interaction Rules

    execCode(Attacker, Host, PrivilegeLevel) :-
        vulExists(Host, Program, remote, privilegeEscalation),
        serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel),
        networkAccess(Attacker, Host, Protocol, Port).

Instantiated on the example network (internet -> Firewall 1 -> dmz):

    networkAccess(attacker, webServer, tcp, 80).               % derived from the topology
    serviceRunning(webServer, httpd, tcp, 80, apache).         % from the MulVAL scanner on webServer
    vulExists(webServer, httpd, remote, privilegeEscalation).  % from the MulVAL scanner plus OVAL and NVD

Oops! execCode(attacker, webServer, apache).
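The derivation above, run by a small bottom-up Datalog evaluator. This is an added example, not MulVAL's own code (MulVAL evaluates its rules in XSB Prolog). The execCode rule and the three webServer facts are the slide's; the evaluator itself, the located/hacl topology facts and the rule that derives networkAccess from them are assumptions made for this illustration.

```python
"""Forward-chaining evaluation of the MulVAL interaction rule on the slide."""

# Atoms are tuples: (predicate, arg1, arg2, ...). Capitalised args are variables.
def is_var(term):
    return isinstance(term, str) and term[:1].isupper()

def unify(pattern, fact, binding):
    """Extend `binding` so that `pattern` matches `fact`, or return None."""
    if len(pattern) != len(fact) or pattern[0] != fact[0]:
        return None
    b = dict(binding)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if p in b and b[p] != f:
                return None
            b[p] = f
        elif p != f:
            return None
    return b

def substitute(atom, binding):
    return tuple(binding.get(t, t) if is_var(t) else t for t in atom)

def match_body(body, facts, binding):
    """Yield every binding under which all body atoms are present in `facts`."""
    if not body:
        yield binding
        return
    for fact in facts:
        b = unify(body[0], fact, binding)
        if b is not None:
            yield from match_body(body[1:], facts, b)

def derive(facts, rules):
    """Naive bottom-up evaluation to a fixpoint (fine for a handful of facts)."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            for b in list(match_body(body, known, {})):   # snapshot: `known` grows below
                derived = substitute(head, b)
                if derived not in known:
                    known.add(derived)
                    changed = True
    return known

RULES = [
    # The slide's interaction rule, written as a (head, body) pair.
    (("execCode", "Attacker", "Host", "PrivilegeLevel"),
     [("vulExists", "Host", "Program", "remote", "privilegeEscalation"),
      ("serviceRunning", "Host", "Program", "Protocol", "Port", "PrivilegeLevel"),
      ("networkAccess", "Attacker", "Host", "Protocol", "Port")]),
    # Assumed reachability rule: a principal in zone Z1 reaches a host in zone Z2
    # on Protocol/Port when the firewall ACL (hacl) between the zones allows it.
    (("networkAccess", "Attacker", "Host", "Protocol", "Port"),
     [("located", "Attacker", "Z1"),
      ("located", "Host", "Z2"),
      ("hacl", "Z1", "Z2", "Protocol", "Port")]),
]

FACTS = [
    # Assumed topology facts for the slide's network: Firewall 1 lets web traffic into the DMZ.
    ("located", "attacker", "internet"),
    ("located", "webServer", "dmz"),
    ("located", "fileServer", "corp"),
    ("hacl", "internet", "dmz", "tcp", "80"),
    # The slide's facts, as reported by the MulVAL scanner, OVAL and NVD.
    ("serviceRunning", "webServer", "httpd", "tcp", "80", "apache"),
    ("vulExists", "webServer", "httpd", "remote", "privilegeEscalation"),
]

def code_execution_facts(facts=FACTS, rules=RULES):
    """Return every derived execCode(Attacker, Host, PrivilegeLevel) fact."""
    return sorted(f for f in derive(facts, rules) if f[0] == "execCode")

if __name__ == "__main__":
    for fact in code_execution_facts():
        print("Oops! %s(%s)." % (fact[0], ", ".join(fact[1:])))
```

Dropping the hacl fact (closing port 80 at Firewall 1) makes networkAccess underivable and the execCode conclusion disappears, which is the "suggested configuration change" a tool like this can verify before it is applied.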

MulVAL Attack-Graph Toolkit
Ou, Boyer, and McQueen. ACM CCS 2006
Joint work with Idaho National Laboratory

[Figure: toolkit pipeline. Security advisories, network configuration and machine configuration are translated into a Datalog representation; together with the interaction rules they feed the MulVAL reasoning engine, which produces proofs of assertions; a graph builder turns the proofs into a logical attack graph.]

Test on a Real Network

- Used MulVAL to check the configuration of four Linux servers
- Reported a potential two-stage attack path due to multiple vulnerabilities on one server:
  - three local kernel vulnerabilities
  - one buffer overflow bug in libpng
  - local users are trusted
  - the web browser links libpng

The next challenge: Situation Awareness

[Figure: a system administrator looking at the output of network monitoring tools. Observations: abnormally high traffic; a TrendMicro server communicating with known botnet controllers (netflow dump); seemingly malicious code modules and open IRC sockets with other TrendMicro servers (memory dump). Conclusion: "These TrendMicro servers are certainly compromised!"]

High-confidence Conclusions with Evidence

[Figure: observations (IDS alerts, netflow dump, syslog, server log) enter a reasoning engine that uses observation correspondence (mapping observations to their semantics) and an internal model, and in turn targets subsequent observations.]


Observation Correspondence
Mapping observations to internal conditions: what you can see -> what you want to know (with a mode: p = possible, l = likely, c = certain).

    obs(anomalyHighTraffic)                        -> int(attackerNetActivity)         p
    obs(netflowBlackListFilter(H, BlackListedIP))  -> int(compromised(H))              l
    obs(memoryDumpMaliciousCode(H))                -> int(compromised(H))              l
    obs(memoryDumpIRCSocket(H1,H2))                -> int(exchangeCtlMessage(H1,H2))   l


Internal Model
Logical relation among internal conditions: the "leads to" relation, i.e. Condition1 may cause Condition2, labelled with two modes (m1, m2), one for each direction of reasoning along the relation.

    int(compromised(H1))                         leads to  int(probeOtherMachine(H1,H2))    (p, c)
    int(compromised(H1))                         leads to  int(sendExploit(H1,H2))          (p, c)
    int(sendExploit(H1,H2))                      leads to  int(compromised(H2))             (l, p)
    int(compromised(H1)), int(compromised(H2))   leads to  int(exchangeCtlMessage(H1,H2))   (p, c)

Proof Strengthening

[Figure: observation O1 yields "f is likely true"; an independent observation O2 (or O3) also yields "f is likely true"; proof strengthening combines the two into "f is certainly true".]
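The three mechanisms on the preceding slides (observation correspondence, the internal model, and proof strengthening), applied to the two Snort alerts that appear in the "Some Results" trace later in this deck. This is an added example and not SnIPS's own code (SnIPS is implemented in Prolog); the rule ids, the gid:sid-to-predicate mappings and the mode labels on the two internal-model steps are assumptions chosen so that the example reproduces that trace.

```python
"""SnIPS-style reasoning from Snort alerts to 'certainly compromised' hosts."""
from collections import defaultdict

MODES = {"p": 0, "l": 1, "c": 2}        # possible < likely < certain

def weaker(m1, m2):
    """A derived fact is only as strong as the weakest step in its proof."""
    return m1 if MODES[m1] <= MODES[m2] else m2

# Observation correspondence: Snort gid:sid -> (rule id, internal predicate, mode).
# Assumed: 122:1 is the portscan preprocessor, 1:1807 a remote-exploit signature.
OBS_MAP = {
    "122:1":  ("obsRulePre_1",   "probeOtherMachine", "l"),
    "1:1807": ("obsRuleId_3749", "sendExploit",       "c"),
}

# Internal model, written in the direction it is used here:
# (rule id, known predicate, function giving the derived fact, mode of the step).
INT_RULES = [
    # compromised(H1) leads to probeOtherMachine(H1,H2); used backward here:
    # a probe sent from H1 is explained by H1 being compromised (assumed mode c).
    ("intRule_1", "probeOtherMachine", lambda a: ("compromised", (a[0],)), "c"),
    # sendExploit(H1,H2) leads to compromised(H2); used forward (assumed mode l).
    ("intRule_3", "sendExploit",       lambda a: ("compromised", (a[1],)), "l"),
]

def reason(alerts):
    """alerts: iterable of (gid:sid, from_host, to_host, time).
    Returns {internal fact: (mode, [proof traces])}."""
    proofs = defaultdict(list)            # fact -> [(mode, trace lines)]
    # 1. observation correspondence
    for sid, src, dst, t in alerts:
        if sid not in OBS_MAP:
            continue
        rule, pred, mode = OBS_MAP[sid]
        fact = (pred, (src, dst))
        proofs[fact].append((mode, [f"{rule}: obs(snort({sid},{src},{dst},{t}))"]))
    # 2. one pass over the internal model (this example model is two steps deep)
    for fact, plist in list(proofs.items()):
        for rid, pred, derive, rmode in INT_RULES:
            if fact[0] != pred:
                continue
            for mode, trace in plist:
                proofs[derive(fact[1])].append(
                    (weaker(mode, rmode), trace + [f"{rid}: int({fact[0]}{fact[1]},{mode})"]))
    # 3. proof strengthening: two 'likely' proofs rooted in *different*
    #    observations raise the conclusion to 'certain'; the same alert seen
    #    twice is one root and does not count.
    results = {}
    for fact, plist in proofs.items():
        best = max(plist, key=lambda pm: MODES[pm[0]])[0]
        roots = {tr[0] for m, tr in plist if m == "l"}
        if best == "l" and len(roots) >= 2:
            best = "c"
        results[fact] = (best, [tr for _, tr in plist])
    return results

def certainly_compromised(alerts):
    """Hosts H for which int(compromised(H), c) holds."""
    return sorted(args[0] for (pred, args), (mode, _) in reason(alerts).items()
                  if pred == "compromised" and mode == "c")

# Constructed from the two alerts in the "Some Results" trace.
ALERTS = [
    ("122:1",  "192.168.10.90", "192.168.70.49", "_h272"),
    ("1:1807", "128.111.49.46", "192.168.10.90", "_h336"),
]

if __name__ == "__main__":
    for host in certainly_compromised(ALERTS):
        mode, traces = reason(ALERTS)[("compromised", (host,))]
        print(f"int(compromised({host}),{mode})")
        for trace in traces:
            print("  " + " <- ".join(reversed(trace)))
```

With only the portscan alert the host is merely "likely" compromised; with the independent exploit alert the two likely proofs strengthen to "certain", which is exactly the evidence an analyst wants attached to the answer.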

The SnIPS system

[Figure: the Snort rule repository is processed once to produce the observation correspondence and the internal model. Snort alerts are pre-processed into summarized tuples and fed to the reasoning engine, which answers user queries such as "which machines are certainly compromised?" with high-confidence answers backed by evidence.]

Automate Model Building for Snort

Internal predicate mapped from classtype:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access"; uricontent:"/guestbook.pl"; classtype:attempted-recon; sid:1140;)

    obsMap(obsRuleId_3615, obs(snort(1:1140, FromHost, ToHost, _Time)),
           int(probeOtherMachine(FromHost, ToHost)), ?).

The classtype alone does not determine the mode (last argument), hence the "?".

Automate Model Building for Snort

Hints from the natural-language description of Snort rules:

    Impact: Information gathering and system integrity compromise. Possible unauthorized administrative access to the server. Possible execution of arbitrary code of the attacker's choosing in some cases.
    Ease of Attack: Exploits exist.

    obsMap(obsRuleId_3615, obs(snort(1:1140, FromHost, ToHost, _Time)),
           int(probeOtherMachine(FromHost, ToHost)), l).     % mode ? refined to l
    obsMap(obsRuleId_3614, obs(snort(1:1140, FromHost, ToHost, _Time)),
           int(compromised(ToHost)), p).
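The two model-building steps above (classtype -> internal predicate, then hints from the rule description) as a small parser over the slide's rule. This is an added example, not SnIPS's own model builder; the classtype table, the keyword heuristics over the description, the gid of 1 for text rules and the obsRuleId numbering are assumptions made for this illustration. The rule text and description are the ones on the slides (sid 1140).

```python
"""Build observation-correspondence entries from a Snort rule and its description."""
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# key[:value]; pairs; quoted values may contain ';' and ':' (e.g. msg, content).
OPTION_RE = re.compile(r'\s*([\w-]+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(line):
    """Return the rule header fields plus an options dict (sid, classtype, msg, ...)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    rule = {k: v for k, v in m.groupdict().items() if k != "opts"}
    rule["options"] = {k: v.strip('"') for k, v in OPTION_RE.findall(m.group("opts"))}
    return rule

# Assumed classtype -> internal predicate table (arguments are the alert's
# FromHost/ToHost); classtypes not listed map to the generic 'suspicious'.
CLASSTYPE_MAP = {
    "attempted-recon":  ("probeOtherMachine", ("FromHost", "ToHost")),
    "attempted-admin":  ("sendExploit",       ("FromHost", "ToHost")),
    "attempted-user":   ("sendExploit",       ("FromHost", "ToHost")),
    "successful-admin": ("compromised",       ("ToHost",)),
    "trojan-activity":  ("compromised",       ("FromHost",)),
}

# Assumed keyword heuristics over the "Impact:" text of the rule description.
RECON_HINTS = ("information gathering",)
COMPROMISE_HINTS = ("administrative access", "arbitrary code", "integrity compromise")

def build_obs_map(line, description="", gid=1, first_id=3615):
    """Return obsMap entries (rule id, obs term, internal term, mode) for one rule."""
    rule = parse_rule(line)
    sid = rule["options"].get("sid")
    classtype = rule["options"].get("classtype", "")
    obs = f"obs(snort({gid}:{sid}, FromHost, ToHost, _Time))"
    ids = iter(range(first_id, first_id + 100))
    impact = description.lower()
    entries = []
    # step 1: internal predicate from classtype; the mode is open ('?') unless
    # the description confirms the classtype's meaning
    pred, args = CLASSTYPE_MAP.get(classtype, ("suspicious", ("FromHost", "ToHost")))
    mode = "?"
    if pred == "probeOtherMachine" and any(h in impact for h in RECON_HINTS):
        mode = "l"
    entries.append((f"obsRuleId_{next(ids)}", obs, f"int({pred}({', '.join(args)}))", mode))
    # step 2: the description says the target may end up compromised: add a
    # second, weaker mapping ('p' = possible) instead of replacing the first
    if any(h in impact for h in COMPROMISE_HINTS):
        entries.append((f"obsRuleId_{next(ids)}", obs, "int(compromised(ToHost))", "p"))
    return entries

def format_obs_map(entries):
    """Render entries in the Prolog syntax used on the slides."""
    return "\n".join(f"obsMap({rid}, {obs}, {it}, {mode})." for rid, obs, it, mode in entries)

# The slide's rule and description text (constructed input for this example).
RULE_1140 = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
             '(msg:"WEB-MISC guestbook.pl access"; uricontent:"/guestbook.pl"; '
             'classtype:attempted-recon; sid:1140;)')
DESC_1140 = ("Impact: Information gathering and system integrity compromise. "
             "Possible unauthorized administrative access to the server. "
             "Possible execution of arbitrary code of the attackers choosing in some cases. "
             "Ease of Attack: Exploits exists")

if __name__ == "__main__":
    print(format_obs_map(build_obs_map(RULE_1140, DESC_1140)))
```

Run over a whole rule set, the share of rules that fall through to the generic 'suspicious' predicate is the coverage figure the next slide reports; it is also where a rule writer stating the correspondence directly, as the deck suggests, would remove the guesswork.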

Coverage

    Internal predicate                          % of rules
    Predicates handled by the internal model    59%
    Suspicious                                  41%

Snort has about 9000 rules. This is just a baseline and needs to be fine-tuned.

It would make more sense for the rule writer to define the observation correspondence relation when writing a rule.

Experiment on Treasure Hunt data

- Data collected during a graduate-level course exercise
- The data set contains multistage attacks, as in real-world scenarios
- A large variety of monitoring data

Some Results

    | ?- show_trace(int(compromised(H), c)).
    int(compromised(192.168.10.90),c)                               % 192.168.10.90 was certainly compromised!
      strengthenedPf
        int(compromised(192.168.10.90),l)
          intRule_1
            int(probeOtherMachine(192.168.10.90,192.168.70.49),l)   % a probe was sent from 192.168.10.90
              obsRulePre_1
                obs(snort(122:1,192.168.10.90,192.168.70.49,_h272))
        int(compromised(192.168.10.90),l)
          intRule_3
            int(sendExploit(128.111.49.46,192.168.10.90),c)         % an exploit was sent to 192.168.10.90
              obsRuleId_3749
                obs(snort(1:1807,128.111.49.46,192.168.10.90,_h336))

Summary

- Open knowledge sharing and automated knowledge reuse are key to effective cyber defense
- Advantages of logic-based techniques:
  - Publishing and incorporation of knowledge/information through well-understood logical semantics
  - Efficient and sound analysis by leveraging the reasoning power of well-developed logic-deduction systems

Who We Are
Argus: Cyber Security Research Group at Kansas State University
http://people.cis.ksu.edu/~xou/argus/
Contact me: Simon Ou, xou@ksu.edu

Thank You!
Questions?
