Formal Specification of Intrusion Signatures and Detection Rules
By Jean-Philippe Pouzol and Mireille Ducassé
15th IEEE Computer Security Foundations Workshop, 2002
Presented by Brian Kellogg
CSE914: Formal Methods for Software Development, Michigan State University

Introduction to Misuse Intrusion Detection Systems (IDS)
- Two categories
  - Single-event IDS
    - Each event is compared with each known signature
    - Specifying signatures is simple
  - Multi-event IDS
    - Do not have a uniform abstract algorithm, because they do not propose the same operators to combine events
    - Can be further split into two categories (next slide)

Multi-event IDS Categories
- Transition based
  - What the significant traces of attacks are is hidden by how they should be detected
  - Very tricky to write signatures
- Declarative
  - Signatures only contain what the significant traces of attacks are
  - How they are detected is addressed by an algorithm
  - Easier to write signatures
  - Problem: the algorithm is a black box and detects all instances of an attack, allowing attackers to choke the IDS by launching many incomplete instances of an attack

Focus of Paper
- Refine the declarative approach
- Formally specify the algorithm in two stages
  - Classify the signature instances
  - Give a set of detection rules which detects in an audit trail a representative of each class
- Rules are formally specified using a “parsing schemata”
- The algorithm defined by the rules is proved sound and complete
- What and how are still separated, but the security officer can parameterize the detection by choosing a class for each signature

Contribution of Paper
- Two main contributions
  - Fewer instances of signatures are tracked
    - More resistant to choking attacks
  - The detection algorithm is specified in a high-level formal way
    - Easy to understand and reason about
    - Essential operation features are made explicit

Specification of Signatures
- Intrusion signatures describe combinations of events
- A filter is a signature on one event
- Complex signatures can be built in two ways
  - Sequence
  - Conjunction

Specification of Signatures
Definition 1 (Event): An event is a collection of values identified by field names. We represent an event as a set of pairs (field_name, value). We assume that in an event, a field name belongs to one pair.

Specification of Signatures
Definition 2 (Trail): A trail is a totally ordered sequence of events. Given a trail T, we note T[i] the i-th event in the trail.

Specification of Signatures
Definition 3 (Filter): A filter is a set of constraints between event field names, constant values and variable names. In this paper, we consider that constraints involving variable names can only be equality constraints.

Specification of Signatures
Definition 4 (Signatures): A signature is defined by a 5-tuple (V, F, N_T, S, P)
- V is a set of variables
- F is a set of filters that use variables in V
- N_T is a set of non-terminal elements
- S ∈ N_T is the axiom
- P is a set of production rules N_T → Prod, where p ∈ Prod can be:
  - Filter(f) where f ∈ F
  - Seq(A, B) where (A, B) ∈ N_T × N_T
  - And(A, B) where (A, B) ∈ N_T × N_T

Specification of Signature
Example of Signature (figure not reproduced in the extracted text)

Semantics of Signature
- A concrete instance of a signature is a collection of events that
  - Fulfill the constraints in filters
  - With respect to the correlation specified by the logical variables
  - And are in a correct order according to temporal constraints
- This is denoted {p_1, …, p_n} where the p_i are positions in the trail
- Proposed semantics: (Θ, i, j) where Θ is a signature valuation, i is the position of the first event of the instance, and j is the position of the last event of the instance

Semantics of Signatures (Signature Constraints)
Definition 5 (Signature constraints): A signature constraint is a set of constraints that force some properties on the possible values of the variables used in a signature. It cannot contain a reference to a field name.

Semantics of Signatures (Signature Valuation)
Definition 6 (Signature valuation): A signature constraint is said to be a signature valuation if it forces a unique value for each variable that appears in the signature.

Semantics of Signatures (Event Matching)
Definition 7 (Event Matching): We define the predicate match(E, F, Θ) where E is an event, F is a filter, and Θ is a valuation of F
- This predicate holds iff the constraint set (F_E ∪ Θ) admits at least one solution
- It does not hold if an event field name used in F is not present in E

Semantics of Signature
- The semantics of the language is given by means of the relation ⊢. Given a signature S, a trail T, and an abstract instance I = (Θ, i, j), I is an instance of S in T iff T, Θ, i, j ⊢ S.

Specification of Signature Instances
- Many approaches to ID strive to be both sound and complete
- The authors argue that completeness is not necessary and is sometimes a drawback
- The authors propose an approach to specify what instances are relevant for detection
  - Specifications are expressed as equivalence relations between instances of each signature
  - Once classified, the IDS can report only a particular instance of each class

Specification of Signature Instances
- Given a signature, the equivalence relation is specified by choosing an element in the lattice of all the subsets of variables of the signature
- Two instances are equivalent if they contain the same values for the variables in this subset

Specification of Signature Instances
- Each element e in this lattice corresponds to an equivalence R(e) between instances

Specification of Signature Instances
- Two motivations:
  - Want to be able to prune search paths on the fly
  - Don’t want to miss relevant instances

Specification of Signature Instances
- After instances are classified, one must decide which instance to report to the IDS
- Three strategies (Chakravarthy et al.):
  - Report the instance that starts first and ends first
  - Report the one that starts last among all the ones that end first
  - Report the shortest instance for each event that starts an instance
- This paper selected the first strategy:
  - Finding the instance that ends first is required for analyzing an infinite trail
  - Easier to constrain further search as opposed to canceling previous results

First Strategy
- The predicate First is defined as First(S, ρ, T, α, (i, j, Θ))
  - S is a signature
  - ρ is an equivalence relation between instances of S
  - T is a trail
  - α is a position in T
  - (i, j, Θ) is an instance of S
- Given an instance I = (Θ, i, j) with α ≤ i, this predicate holds iff, among all instances equivalent to I according to ρ that start after α, I is the one that starts first and ends first

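The following is an added example, not code from the paper or from these slides. It writes Definitions 1 to 7 in Python, enumerates every concrete instance (Θ, i, j) of a signature in a trail (the declarative semantics), groups instances by R(e) for a chosen variable subset e, and then picks the First representative of each class. The event field names, the filter encoding (a set of (field, constant-or-variable) pairs), the small login trail and the hypothetical signature are all assumptions made for this example; candidates within a class are ordered by end position and then start position, which is how the slide's remark that the instance ending first is needed for an infinite trail is read here.

```python
# Added example (not the paper's or the slides' code): Definitions 1-7, the
# declarative semantics "T, Θ, i, j ⊢ S" as an enumeration of every concrete
# instance, the equivalence R(e) induced by a subset e of variables, and the
# First predicate computed over that enumeration.  Field names, the filter
# encoding and the sample trail are assumptions made for this example.

class Var:
    """A logical variable occurring in a filter (Def. 3)."""
    def __init__(self, name):
        self.name = name

def match(event, filt, theta):
    """Def. 7: the valuation extending theta under which event satisfies filt,
    or None (also None when a field named in filt is absent from event)."""
    fields = dict(event)                 # event: set of (field, value) pairs (Def. 1)
    theta = dict(theta)                  # work on a copy of the caller's valuation
    for field, expected in filt:         # filt: set of (field, constant | Var) (Def. 3)
        if field not in fields:
            return None
        if isinstance(expected, Var):    # equality constraint with a variable
            if theta.setdefault(expected.name, fields[field]) != fields[field]:
                return None
        elif fields[field] != expected:  # equality constraint with a constant
            return None
    return theta

def instances(sig, nt, trail, theta=None):
    """Yield every (Θ, i, j) such that T, Θ, i, j ⊢ nt.  sig maps a non-terminal
    to ("Filter", f), ("Seq", A, B) or ("And", A, B) (Def. 4).  Θ is frozen as a
    sorted tuple of (variable, value) pairs so instances are hashable."""
    theta = theta or {}
    kind, *args = sig[nt]
    if kind == "Filter":
        for i, event in enumerate(trail):          # trail: list, T[i] (Def. 2)
            th = match(event, args[0], theta)
            if th is not None:
                yield tuple(sorted(th.items())), i, i
    elif kind == "Seq":                            # B strictly after A, same Θ
        for th_a, i, j in instances(sig, args[0], trail, theta):
            for th, k, l in instances(sig, args[1], trail, dict(th_a)):
                if k > j:
                    yield th, i, l
    elif kind == "And":                            # any order; Θ must be compatible
        for th_a, i, j in instances(sig, args[0], trail, theta):
            for th, k, l in instances(sig, args[1], trail, dict(th_a)):
                yield th, min(i, k), max(j, l)

def instance_class(inst, e):
    """R(e): two instances are equivalent iff their Θ agree on the variables in e."""
    theta, _, _ = inst
    return tuple((v, val) for v, val in theta if v in e)

def first_per_class(sig, axiom, trail, e, alpha=0):
    """First(S, R(e), T, alpha, I): per class, the instance starting at or after
    alpha that ends first and, among those, starts first (strategy 1; ending
    first is what makes the choice computable on an unbounded trail)."""
    chosen = {}
    for inst in instances(sig, axiom, trail):
        theta, i, j = inst
        if i < alpha:
            continue
        key = instance_class(inst, e)
        if key not in chosen or (j, i) < (chosen[key][2], chosen[key][1]):
            chosen[key] = inst
    return chosen

# Constructed sample trail (positions 0-6): failed and successful logins.
TRAIL = [{("type", "login_fail"), ("user", "alice"), ("host", "h1")},
         {("type", "login_fail"), ("user", "bob"),   ("host", "h1")},
         {("type", "login_fail"), ("user", "alice"), ("host", "h2")},
         {("type", "login_ok"),   ("user", "alice"), ("host", "h2")},
         {("type", "login_ok"),   ("user", "alice"), ("host", "h1")},
         {("type", "login_fail"), ("user", "alice"), ("host", "h1")},
         {("type", "login_ok"),   ("user", "bob"),   ("host", "h1")}]

# Hypothetical signature: a failed login followed later by a success for the
# same user and host (non-terminals S, Fail, Ok; variables u and h).
U, H = Var("u"), Var("h")
SIG = {"S":    ("Seq", "Fail", "Ok"),
       "Fail": ("Filter", {("type", "login_fail"), ("user", U), ("host", H)}),
       "Ok":   ("Filter", {("type", "login_ok"), ("user", U), ("host", H)})}

if __name__ == "__main__":
    print(len(list(instances(SIG, "S", TRAIL))), "instances under the full semantics")
    for key, (_, i, j) in first_per_class(SIG, "S", TRAIL, {"u"}).items():
        print("class", dict(key), "-> report the instance at positions", (i, j))
```

With e = {u} the two alice instances (0, 4) and (2, 3) fall into one class and only (2, 3) is reported, because it ends first; with e = {u, h} they are different classes and both are reported; with e = ∅ the whole signature has a single class and exactly one instance is ever reported. The failed login at position 5 never completes, which is the kind of incomplete instance a choking attacker produces.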
First Algorithm
- Implements the First strategy
- Described with a formalism called parsing schemata
  - Specifies algorithms using a set of deduction rules
  - Gives a formal framework to describe and prove properties
  - Modular description (i.e. one does not need to know the whole specification to understand how a particular construct is searched for in the language)

Parsing Schemata
- The parsing algorithm is described as a set of deduction steps
  - Hypotheses and conclusions of these steps are called parsing items
  - Parsing items are partial or complete parsing trees
- Deduction starts with an item representing an empty parsing tree
- Deduction ends when an item representing a complete parsing tree of the grammar axiom is produced

Parsing Schemata (Defining the Domain of Items)
- Uses the form: [i, α●β, j]Θ
  - (i, j) are positions in the trail
  - α●β is the right-hand side of a grammar production where a ● has been inserted
  - Θ is a signature constraint

Description of First Algorithm
- Assumptions on specifications:
  - Signatures that use the [] notation have to be expanded
  - Non-terminal elements can be used only once in all grammar rules
  - All filters must be labeled with the equivalence relation associated to the signature (Ex. Filter_ρ(F) where ρ is an equivalence relation)

Operators (Propag)
- The Propag operator unifies the variables in the signature constraint with the values of an event (Definition 8)
- Denoted as Propag(E, F, Θ)
  - E is an event
  - F is a filter
  - Θ is a signature constraint
- This constraint is obtained by:
  - Copying F into F’ and removing all constraints with no variable in F’
  - Substituting all field names in F’ according to E
  - Making the union of F’ and Θ

Operators (Restrict)
- The Restrict operator creates a new constraint which causes some paths in the search to be pruned (Definition 9)
- Denoted as Restrict(ρ, Θ)
  - Θ is a valuation of a given signature S
  - ρ is an equivalence relation
- Defined as: (formula not reproduced in the extracted text)

Operators (Constraint Comparison)
- ≥_S compares signature constraints
- Given a signature S and two signature constraints Θ_1 and Θ_2, Θ_1 ≥_S Θ_2 iff the set of possible values for each element of Var(S) described by Θ_1 includes the one described by Θ_2

Deduction Rules for Filters
- Rule Filter_1 specifies that if event T[i] cannot be used to match the filter, then the algorithm goes one step forward in the trail
- Rule Filter_2 handles the other case. The first item memorizes that an instance of F is found at position i. Propag takes into account that some variables can be instantiated here. The second item starts the search for a new instance of F in the remaining part of the trail. It can be more constrained than the one that produced this item, according to the result provided by Restrict.

Deduction Rules for Sequence
- Rule Seq_1 starts the search for the first part of the sequence
- Rule Seq_2 shows that once an instance of the first part is found, that item is replaced to find the next item. The second item added starts the search for B

Deduction Rules for Sequence
- Rule Seq_3 triggers once B is found
  - Checks that B is found after A (j ≤ k)
  - The constraint of the second part must refine the constraint of the first part
  - Does not remove the first item, because it may be needed later
  - A second item is added showing that it found an instance of Seq(A, B)

Deduction Rules for Conjunction
- Rule And_1 starts the search of both parts of the conjunction
- Rule And_2 states that when the two parts of a conjunction are found, if their respective constraints are compatible, then a new item is created to notify that an instance of the conjunction is found

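The following is an added example, not code from the paper or from these slides. It runs the Filter, Seq and First rules above as an on-line deduction over items for a signature written in the expanded form the algorithm assumes (a chain of filters), with Propag implemented as Definition 8 describes it. Because Definition 9 is not reproduced on the slides, Restrict is realised here as an assumption: once a class under R(e) has been reported, every search path that would land in that class is pruned, and a new partial item identical in stage and constraint to one that started earlier is never added. The event encoding (a dict per event, "?name" for a variable in a filter), the hypothetical signature and the constructed trail with repeated identical failures are all assumptions of this example.

```python
# Added example (not the paper's or the slides' code): the First algorithm as
# an on-line deduction over items, for a signature written in expanded form as
# a chain of filters Seq(F_0, Seq(F_1, ...)).  Propag follows Definition 8;
# Restrict is realised here as "drop every search path whose class under R(e)
# has already been reported", since Definition 9 itself is not on the slides.
# The event/filter encoding and the sample trail are assumptions of this example.

def propag(event, filt, theta):
    """Def. 8: Propag(E, F, Θ).  event: dict field -> value; filt: dict field ->
    constant or "?variable".  Constraints without a variable are checked and
    dropped (F'), field names are replaced by the event's values (F'_E), and the
    result is united with theta.  Returns None when F'_E ∪ Θ has no solution."""
    new = dict(theta)
    for field, spec in filt.items():
        if field not in event:
            return None                               # Def. 7: missing field
        if isinstance(spec, str) and spec.startswith("?"):
            if new.setdefault(spec[1:], event[field]) != event[field]:
                return None                           # clashes with Θ
        elif event[field] != spec:
            return None                               # constant constraint fails
    return new

class FirstDetector:
    """Items are (stage, start, Θ): filters 0..stage-1 were matched, the first
    one at position start, under constraint Θ (frozen as sorted pairs)."""
    def __init__(self, filters, e):
        self.filters = filters        # F_0, F_1, ... in sequence order
        self.e = e                    # variables whose values define R(e)
        self.items = set()
        self.reported = set()         # classes already reported (Restrict)
        self.pos = 0

    def _class(self, theta):
        """Projection of Θ on e, or None while a variable of e is still unbound."""
        if any(v not in theta for v in self.e):
            return None
        return tuple(sorted((v, theta[v]) for v in self.e))

    def _add(self, stage, start, theta):
        frozen = tuple(sorted(theta.items()))
        for s, st, fr in self.items:  # an item with the same stage and Θ that
            if (s, fr) == (stage, frozen) and st <= start:  # started earlier dominates
                return
        self.items.add((stage, start, frozen))

    def feed(self, event):
        """Consume T[j]; return the instances (Θ, i, j) reported at position j."""
        j, self.pos = self.pos, self.pos + 1
        completed = []
        # Seq_1: a fresh search for F_0 is open at every position (the root item).
        for stage, start, frozen in [(0, None, ())] + list(self.items):
            theta = propag(event, self.filters[stage], dict(frozen))
            if theta is None:
                continue                                  # Filter_1: skip T[j]
            if self._class(theta) in self.reported:
                continue                                  # Restrict: pruned path
            i = j if start is None else start
            if stage + 1 == len(self.filters):
                completed.append((theta, i, j))           # Seq_3: instance found
            else:
                self._add(stage + 1, i, theta)            # Seq_2: look for next F
        # First: one report per class, the earliest-starting instance ending at j.
        reports = {}
        for theta, i, _ in completed:
            cls = self._class(theta)
            if cls not in reports or i < reports[cls][1]:
                reports[cls] = (theta, i, j)
        for cls in reports:
            self.reported.add(cls)                        # close the class ...
            self.items = {it for it in self.items        # ... and drop its items
                          if self._class(dict(it[2])) != cls}
        return list(reports.values())

def run(filters, e, trail):
    """Feed a whole trail; return [(class, i, j), ...] and the peak item count."""
    det, reports, peak = FirstDetector(filters, e), [], 0
    for event in trail:
        for theta, i, j in det.feed(event):
            reports.append((det._class(theta), i, j))
        peak = max(peak, len(det.items))
    return reports, peak

# Hypothetical signature (expanded form): a failed login, then a success for the
# same user and host.
FILTERS = [{"type": "login_fail", "user": "?u", "host": "?h"},
           {"type": "login_ok", "user": "?u", "host": "?h"}]

# Constructed trail: repeated identical failures (a choking attempt), then successes.
TRAIL = [{"type": "login_fail", "user": "alice", "host": "h1"},   # 0
         {"type": "login_fail", "user": "alice", "host": "h1"},   # 1 identical
         {"type": "login_fail", "user": "alice", "host": "h1"},   # 2 identical
         {"type": "login_fail", "user": "bob",   "host": "h1"},   # 3
         {"type": "login_fail", "user": "alice", "host": "h2"},   # 4
         {"type": "login_ok",   "user": "alice", "host": "h2"},   # 5
         {"type": "login_ok",   "user": "alice", "host": "h1"},   # 6
         {"type": "login_fail", "user": "alice", "host": "h1"},   # 7
         {"type": "login_ok",   "user": "bob",   "host": "h1"}]   # 8

if __name__ == "__main__":
    for e in ({"u"}, {"u", "h"}, set()):
        print("R(e) with e =", sorted(e), "->", run(FILTERS, e, TRAIL))
```

The three identical failures at positions 0 to 2 produce a single tracked item, so the item set peaks at three regardless of how many times that failure is repeated. With e = {u}, the success at position 5 closes the alice class: the open alice items are dropped, and the fresh failure at position 7 is pruned by Restrict before it is ever tracked. With e = {u, h} the classes are finer and three instances are reported; with e = ∅ only the very first completed instance is.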
Conclusion
- Described how to specify signatures with sequences and conjunctions of events correlated with logical variables
- Presented a declarative semantics for these signatures
- Introduced signature instance classes based on the valuation of variables of interest
- Gave a formal description of a detection algorithm
- Parsing schemata make it easy to understand and reason about, while essential features are made explicit