Decentralized publish-subscribe system to prevent coordinated attacks via alert correlation


SLIDE 1

Decentralized publish-subscribe system to prevent coordinated attacks via alert correlation

J. Garcia, F. Autrel, J. Borrell, S. Castillo, F. Cuppens, G. Navarro

{jgarcia,jborrell,scastillo,gnavarro}@ccd.uab.es, {fabien.autrel,frederic.cuppens}@enst-bretagne.fr

– p. 1/16

SLIDE 2
  • 0. - Content

Main Points

◮ Introduction
◮ Classical architectures
◮ Prevention framework
◮ Current Development
◮ Conclusions

– p. 2/16

SLIDE 3
  • 1. - Introduction

Coordinated Attacks

◮ “Combination of actions performed by a malicious adversary to violate the security policy of a target computer system.”
◮ Network resources can become an active part of a coordinated attack
◮ E.g. an attack might start with an intrusion
  ⇒ Nodes have to be monitored
◮ A global view of the whole system is needed for detection
  ⇒ Collection and combination of events from different nodes

– p. 3/16

SLIDE 4
  • 1. - Introduction

Components needed to prevent coordinated attacks

◮ Sensors (host, application or network based)
◮ Analyzers (misuse or anomaly based)
◮ Managers (data consolidation and alert correlation)
◮ Response units (active or passive reaction)
◮ Intrusion Detection Systems use these same components to prevent a node getting compromised by an attacker
  ⇒ We use these components to prevent a compromised node becoming an active part of a coordinated attack.

– p. 4/16

SLIDE 5
  • 2. - Classical architectures

Centralized event correlation

[Figure: several SENSORs send their data flow to a single ANALYZER]

◮ DIDS - University of California, Davis (1991)
◮ STAT - University of California, Santa Barbara (1992)

– p. 5/16

SLIDE 6
  • 2. - Classical architectures

Hierarchical event correlation

[Figure: in each domain the SENSORs report to a DOMAIN ANALYZER, and the domain analyzers report to a MASTER ANALYZER]

◮ EMERALD - SRI International, California (1997)
◮ AAFID - CERIAS, Purdue University (1998)

– p. 6/16

SLIDE 7
  • 3. - Prevention Cells System

Prevention Cell

[Figure: a prevention cell contains sensors, analyzers, response units, a correlation manager, counter-measure managers and a cooperation manager; several prevention cells exchange messages with one another]

◮ Message passing architecture
  ⇒ The detection process can be completely distributed

– p. 7/16

SLIDE 8
  • 3. - Prevention framework

Sample scenario

[Figure: three hosts, vm1 (192.168.0.1), vm2 (192.168.0.2, labelled Server) and vm3 (192.168.0.3, labelled DoS). The numbered steps are: 1 SYN flooding DoS; 2 TCP sequence_numbers prediction; 3 IP spoofing, shown with the label `echo + + >>/.rhosts`]

– p. 8/16

SLIDE 9
  • 3. - Prevention framework

Detection Process

◮ Find the set of actions which transforms the system from an initial state S0 to a final state Sn.

[Figure: S0 -A1-> S1 -A2-> S2 ... Sn-1 -An-> Sn; the action below is the step from S0 to S1]

action syn-flood(A,H1,ns)
  pre:       remote-access(A,H1)
             send-multiple-tcp-syns(A,H1,ns)
  post:      deny-of-service(H1)
  detection: source(Alert,A)
             target(Alert,H1)
             classification(Alert,'SynFlooding')
             additional-data(Alert,ns)

– p. 9/16

SLIDE 10
  • 3. - Prevention framework

Detection process via alert correlation

◮ Two actions A and B can be correlated when the realization of A has a positive influence over the realization of B (given that A occurred before B):
  ⊲ (Ea ∈ post(A) ∧ Eb ∈ pre(B)) ∨ (not(Ea) ∈ post(A) ∧ not(Eb) ∈ pre(B))
  ⊲ Ea and Eb are unifiable through a unifier θ

A:
action tcp-sequence-prediction(A,H2,n)
  pre : remote-access(A,H2)
        obtain(A,following-tcp-sequence(H2,n))
  post: knows(A,following-tcp-sequence(H2,n))

B:
action spoofed-remote-login(A,U,H1,H2,n)
  pre : remote-access(A,H2)
        knows(A,following-tcp-sequence(H2,n))
        deny-of-service(H1)
        spoof-address(A,H1,n,remote-login-connection(U,H2))
  post: remote-login(A,U,H2)

– p. 10/16

SLIDE 11
  • 3. - Prevention framework

Reaction process via anti-correlation

◮ Two actions A and B are anti-correlated when the realization of A has a negative influence over the realization of B (given that A occurred before B):
  ⊲ (not(Ea) ∈ post(A) ∧ Eb ∈ pre(B)) ∨ (Ea ∈ post(A) ∧ not(Eb) ∈ pre(B))
  ⊲ Ea and Eb are unifiable through a unifier θ

A:
action undo-deny-of-service(A,H1,ns)
  pre : deny-of-service(H1)
        send-multiple-tcp-resets(A,H1,ns)
  post: not(deny-of-service(H1))

B:
action spoofed-remote-login(A,U,H1,H2,n)
  pre : remote-access(A,H2)
        knows(A,following-tcp-sequence(H2,n))
        deny-of-service(H1)
        spoof-address(A,H1,n,remote-login-connection(U,H2))
  post: remote-login(A,U,H2)

– p. 11/16

SLIDE 12
  • 3. - Prevention framework

Detection and reaction graph for the sample scenario

[Figure: the three attack steps are joined by Correlation edges leading to the objective; the two counter-measures are joined by Anti-correlation edges to the steps they defeat]

attack syn-flood(A,H1,ns)
  pre : remote-access(A,H1)
        send-multiple-tcp-syns(A,H1,ns)
  post: deny-of-service(H1)

attack tcp-sequence-prediction(A,H2,n)
  pre : remote-access(A,H2)
        obtain(A,following-tcp-sequence(H2,n))
  post: knows(A,following-tcp-sequence(H2,n))

attack spoofed-remote-login(A,U,H1,H2,n)
  pre : remote-access(A,H2)
        knows(A,following-tcp-sequence(H2,n))
        deny-of-service(H1)
        spoof-address(A,H1,n,remote-login-connection(U,H2))
  post: remote-login(A,U,H2)

objective ilegal-remote-login(A,U,H2)
  state: remote-login(A,U,H2)
         not(authorized(remote-login(A,U,H2)))

counter-measure kill-remote-login(A,U,H2)
  pre : remote-login(A,U,H2)
  post: not(remote-login(A,U,H2))

counter-measure undo-deny-of-service(A,H1,ns)
  pre : deny-of-service(H1)
        send-multiple-tcp-resets(A,H1,ns)
  post: not(deny-of-service(H1))

– p. 12/16
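The correlation rule of slide 10, the anti-correlation rule of slide 11 and the graph of slide 12, worked through in code. This is an added example written by the editor, not the authors' prototype: it assumes the action notation exactly as printed on the slides, treats each action's parameters as logical variables local to that action (so a unifier θ between two actions is returned explicitly), and models the objective as an action whose state is its pre-condition. The names parse, unify, correlated and build_graph are the example's own.

```python
"""Alert correlation (slide 10), anti-correlation (slide 11) and the detection
and reaction graph (slide 12). Editor's example, not the authors' prototype."""
from collections import namedtuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:            # logical variable; constants are plain strings
    name: str

def parse(text, params, prefix=""):
    """'f(a,g(b))' -> ('f', 'a', ('g', 'b')); names in params become Vars,
    prefixed so that 'H1' of one action is not 'H1' of another action."""
    pos = 0
    def term():
        nonlocal pos
        start = pos
        while pos < len(text) and text[pos] not in "(),":
            pos += 1
        name = text[start:pos].strip()
        if pos == len(text) or text[pos] != "(":
            return Var(prefix + name) if name in params else name
        pos += 1                                      # skip '('
        args = []
        while True:
            args.append(term())
            sep, pos = text[pos], pos + 1             # ',' or ')'
            if sep == ")":
                return (name, *args)
            assert sep == ",", f"malformed term: {text!r}"
    return term()

Action = namedtuple("Action", "name pre post")

def action(signature, pre, post):
    """Build an Action from the slide notation, e.g. 'syn-flood(A,H1,ns)' plus
    its pre- and post-condition literals; not(E) is a negative literal."""
    head = parse(signature, set())
    name, params = head[0], set(head[1:])
    return Action(name, [parse(s, params, name + ".") for s in pre],
                  [parse(s, params, name + ".") for s in post])

def unify(x, y, subst):
    """Extend substitution subst so that x and y become equal, else None."""
    while isinstance(x, Var) and x in subst: x = subst[x]
    while isinstance(y, Var) and y in subst: y = subst[y]
    if x == y:
        return subst
    if isinstance(x, Var):
        return {**subst, x: y}
    if isinstance(y, Var):
        return {**subst, y: x}
    if not (isinstance(x, tuple) and isinstance(y, tuple)
            and len(x) == len(y) and x[0] == y[0]):
        return None                                   # functor or arity clash
    for a, b in zip(x[1:], y[1:]):
        subst = unify(a, b, subst)
        if subst is None:
            return None
    return subst

def correlated(a, b, anti=False):
    """Ea in post(a) and Eb in pre(b) whose atoms unify: equal signs give
    correlation (slide 10), opposite signs anti-correlation (slide 11).
    Returns (Ea, Eb, theta) or None; a is assumed to occur before b."""
    neg = lambda lit: isinstance(lit, tuple) and lit[0] == "not" and len(lit) == 2
    for ea in a.post:
        for eb in b.pre:
            if (neg(ea) != neg(eb)) != anti:
                continue
            theta = unify(ea[1] if neg(ea) else ea, eb[1] if neg(eb) else eb, {})
            if theta is not None:
                return ea, eb, theta
    return None

def build_graph(attacks, counter_measures):
    """Slide 12: correlation edges between attack steps (and the objective),
    anti-correlation edges from counter-measures to the steps they defeat."""
    edges = [(a.name, "correlation", b.name) for a in attacks for b in attacks
             if a is not b and correlated(a, b)]
    edges += [(c.name, "anti-correlation", b.name) for c in counter_measures
              for b in attacks if correlated(c, b, anti=True)]
    return edges

# Action models transcribed from slide 12; the objective's state is its pre-condition.
syn_flood = action("syn-flood(A,H1,ns)",
                   ["remote-access(A,H1)", "send-multiple-tcp-syns(A,H1,ns)"],
                   ["deny-of-service(H1)"])
tcp_seq = action("tcp-sequence-prediction(A,H2,n)",
                 ["remote-access(A,H2)", "obtain(A,following-tcp-sequence(H2,n))"],
                 ["knows(A,following-tcp-sequence(H2,n))"])
spoofed_login = action("spoofed-remote-login(A,U,H1,H2,n)",
                       ["remote-access(A,H2)", "knows(A,following-tcp-sequence(H2,n))",
                        "deny-of-service(H1)", "spoof-address(A,H1,n,remote-login-connection(U,H2))"],
                       ["remote-login(A,U,H2)"])
objective = action("ilegal-remote-login(A,U,H2)",
                   ["remote-login(A,U,H2)", "not(authorized(remote-login(A,U,H2)))"], [])
kill_login = action("kill-remote-login(A,U,H2)", ["remote-login(A,U,H2)"], ["not(remote-login(A,U,H2))"])
undo_dos = action("undo-deny-of-service(A,H1,ns)",
                  ["deny-of-service(H1)", "send-multiple-tcp-resets(A,H1,ns)"],
                  ["not(deny-of-service(H1))"])
```

Calling build_graph([syn_flood, tcp_seq, spoofed_login, objective], [kill_login, undo_dos]) yields the five edges drawn on slide 12: syn-flood and tcp-sequence-prediction correlate with spoofed-remote-login, spoofed-remote-login correlates with the objective, and the two counter-measures anti-correlate with the objective and with spoofed-remote-login respectively. Because variables are standardized apart per action, the returned θ shows which parameters the correlation identified (for syn-flood and spoofed-remote-login it binds the two H1 variables), which is what lets a correlation manager chain alerts about the same victim host.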

SLIDE 13
  • 4. - Current Development

Current Development

[Figure: architecture of the prototype. Kernel space: Linux 2.4.x modules implementing the sensors (syns_s, spoof_s, conn_s, flood_s, execve_s) and the response units (kill_ru, pfilter_ru), joined to user space by a netlink sockets interface that carries events up and responses down. User space: ewatcher collects the events; alerts flow between the sensors, the ps-manager, the cm-manager and the Correlation Manager CRIM over the Elvin publish-subscribe system; cells are linked by an Elvin publish-subscribe federated multicast channel]

– p. 13/16

slide-14
SLIDE 14
  • 4. - Current Development


SLIDE 15
  • 5. - Summary

Results of our work

◮ State of the art about coordinated attack prevention
◮ Study about alert correlation mechanisms
◮ Development of a generic framework avoiding the bottleneck of centralized architectures using a distributed approach
◮ Both detection and reaction are performed by using the same formalism

– p. 14/16

SLIDE 16
  • 5. - Summary

Future work

◮ Incorporate fault tolerant mechanisms
◮ Make a more in-depth study of the format used for alerts
◮ Incorporate other information about the environment

– p. 15/16

SLIDE 17
  • 6. - [C-x C-c]

Thank you! Questions?

– p. 16/16