Generating signatures for zero-day network attacks Pascal Gamper Daniela Brauckhoff Bernhard Tellenbach Saturday, May 17, 2008 Outline Motivation Problem Statement Automated Signature Generation – Overview The NoAH approach Attack Detection Attack Analysis Signature Generation Saturday, May 17, 2008 Pascal Gamper 2 Motivation: The dynamics of (In)security 90 % probability for available 0-day exploits Source: “The Dynamics of (In)Security“, Stefan Frei, ETH Zurich, BlackHat 2006 Saturday, May 17, 2008 Pascal Gamper 3 Problem Statement Defending against 0-day attacks: Intrusion Detection System (IDS) Separate benign and malicious network traffic Host- or Network-based signatures Most signatures for IDS are hand-craftet by professionals Zero-day exploits make manual signature generation useless Problem: Manual signature generation is too slow! Options? Saturday, May 17, 2008 Pascal Gamper 4 Overview Techniques for automated signature generation Saturday, May 17, 2008 Pascal Gamper 5 Building Blocks of an ASG System attack vector information raw data Attack Detector Site 1 Analysis Engine refined attack vector information Correlator Site N Attack Detector Signature Generator Analysis Engine transformed attack vector information Saturday, May 17, 2008 Pascal Gamper 6 The NoAH Approach EU Project NoAH (Network of Affined Honeypots) Saturday, May 17, 2008 Pascal Gamper 7 Goals NoAH aims at automated detection of unknown attacks generation of signatures to counter 0-day attacks Generate signatures for common IDS Install full-scale infrastructure across Europe Target audience: ISP‘s, NREN‘s, researchers Saturday, May 17, 2008 Pascal Gamper 8 Attack Detection Saturday, May 17, 2008 Pascal Gamper 9 NoAH Architecture: Attack Detector Argos Detection technique (Argos): OS independent memory tainting (x86 emulator) Guest OS Emulated Hardware NIC Network RAM CPU 0xAAA Exec Host OS > Scope of NoAH: Remote attacks that do not require a human in the loop Saturday, May 17, 2008 Pascal Gamper 10 Attack Analysis Saturday, May 17, 2008 Pascal Gamper 11 Combining Analysis Engines Different analysis engines (Extractors) which Analyse attack information from different sources Extractors can depend on each other Meta-signature describes entire set of available attack information Quality estimation of meta-signature based on Which extractors succeeded Value and amount of extracted information Saturday, May 17, 2008 Pascal Gamper 12 Combining host- and network-based analysis Extractor #1: Host-based information from Argos Identifies memory content relevant for the attack Identifies OS and attacked process Identifies network traffic bytes involved Extractor #2: Network-based information from Protocol State Tracker Protocol field(s) containing network bytes involved Communication/Protocol state history Saturday, May 17, 2008 Pascal Gamper 13 Basic Architecture of the entire ASG System Network Honeypot Argos Control Socket Socket IPC Snitch Perl Script Main process Extractor Thread MySQL Database Argos Extractor Snitch Thread Saturday, May 17, 2008 Argos.csi.x Signature Generator File I/O Network Argos.netlog Tracker Extractor Network Protocol State Tracker Pascal Gamper TrackerOutput.dat TrackerDump.dat 14 Basic Architecture of the entire ASG System Network Honeypot Argos Control Socket Socket IPC Snitch Perl Script Main process Extractor Thread MySQL Database Argos Extractor Snitch Thread Saturday, May 17, 2008 Argos.csi.x Signature Generator File I/O Network Argos.netlog Tracker Extractor Network Protocol State Tracker Pascal Gamper TrackerOutput.dat TrackerDump.dat 15 Basic Architecture of the entire ASG System Network Honeypot Argos Control Socket Socket IPC Snitch Perl Script Main process Extractor Thread MySQL Database Argos Extractor Snitch Thread Saturday, May 17, 2008 Argos.csi.x Signature Generator File I/O Network Argos.netlog Tracker Extractor Network Protocol State Tracker Pascal Gamper TrackerOutput.dat TrackerDump.dat 16 Basic Architecture of the entire ASG System Network Honeypot Argos Control Socket Socket IPC Snitch Perl Script Main process Extractor Thread MySQL Database Argos Extractor Snitch Thread Saturday, May 17, 2008 Argos.csi.x Signature Generator File I/O Network Argos.netlog Tracker Extractor Network Protocol State Tracker Pascal Gamper TrackerOutput.dat TrackerDump.dat 17 Basic Architecture of the entire ASG System Network Honeypot Argos Control Socket Socket IPC Snitch Perl Script Main process Extractor Thread MySQL Database Argos Extractor Snitch Thread Saturday, May 17, 2008 Argos.csi.x Signature Generator File I/O Network Argos.netlog Tracker Extractor Network Protocol State Tracker Pascal Gamper TrackerOutput.dat TrackerDump.dat 18 Basic Architecture of the entire ASG System Network Honeypot Argos Control Socket Socket IPC Snitch Perl Script Main process Meta-signature Extractor Thread Database Argos Extractor Snitch Thread Saturday, May 17, 2008 Argos.csi.x Signature Generator File I/O Network Argos.netlog Tracker Extractor Network Protocol State Tracker Pascal Gamper TrackerOutput.dat TrackerDump.dat 19 Network Protocol State Tracker Tracks the network connections towards one or more honeypot systems Logs protocol states for each packet User-defined packet and connection analysis possible Is highly configurable by relying on various libraries State machine configurations currently available for IP, TCP/UDP, FTP Saturday, May 17, 2008 Pascal Gamper 20 Libraries NetBee library Developed by NetGroup at Politecnico di Torino Components for different types of packet processing We integrated Packet Decoding functionality into Tracker Netprotofsm Finite state machine library for describing network protocols Our approach is based on work by J. van Gurp and J. Bosch Features: - Protocol state machines defined by XML files - Resource-gentle - Flexible timer mechanism (schedule events, define timeouts) - Implement custom actions Saturday, May 17, 2008 Pascal Gamper 21 Architecture Network Capturing LogReader PacketDecoder Replayer Connection State Log File Network Pcap library EventData NetBee library netprotofsm library State Machine (libnetprotofsm) LogAction Protocol Specification File ReplayAction Connection State Log File State Tracker Saturday, May 17, 2008 Network Pascal Gamper Replayer 22 Example: Attack information extracted Extractor #2 Information Protocol Connection State: TCP: Connection established FTP: Login, User identification Network Packet Argos I IP Memory Dump Src Address Dest Address 04 F2 A6 00 TCP Src Port Argos II Snitch perl script FTP USER Payload data 04 F2 A6 00 -Operating system: Win2000 -Attacked service / program: WAR-FTPD Saturday, May 17, 2008 Tainted data which is about to be used in instruction execution Dest Port Position in network packet Extractor #1 Information Packet Field Decoding: FTP: bytes in USER field Pascal Gamper 23 Signature Generation Saturday, May 17, 2008 Pascal Gamper 24 Signature Generation Flow 1. Generate meta-signature 2. Determine signature quality 4. Save to database 5. Use Adapters to create specific signatures 6. Store, (correlate and/or distribute) adapted signatures Saturday, May 17, 2008 Pascal Gamper 25 Snort as Signature Format SNORT for Proof-of-Concept SNORT is open source and well-known Simple signature format Implications Only a part of extracted attack information can be used, for example - We cannot include information about attacked program Saturday, May 17, 2008 Pascal Gamper 26 Generated signature (WAR-FTPD example) alert tcp any any-> any 21 (msg: “(NoAH) RET via FTP protocol, USER command in war-ftpd.exe(win2k)”; flow: established, from_client; content:"USER"; content:!"|0D 0A|"; offset: 5; depth: 465;) Saturday, May 17, 2008 Pascal Gamper 27 Signature Properties (WAR-FTPD example) Connection state information alert tcp any any-> any 21 (msg: “(NoAH) RET via FTP protocol, USER command in war-ftpd.exe(win2k)”; flow: established, from_client; content:"USER"; content:!"|0D 0A|"; offset: 5; depth: 465;) Saturday, May 17, 2008 Pascal Gamper 28 Signature Properties (WAR-FTPD example) State transition trigger alert tcp any any-> any 21 (msg: “(NoAH) RET via FTP protocol, USER command in war-ftpd.exe(win2k)”; flow: established, from_client; content:"USER"; content:!"|0D 0A|"; offset: 5; depth: 465;) Saturday, May 17, 2008 Pascal Gamper 29 Signature Properties (WAR-FTPD example) alert tcp any any-> any 21 (msg: “(NoAH) RET via FTP protocol, USER command in war-ftpd.exe(win2k)”; flow: established, from_client; content:"USER"; content:!"|0D 0A|"; offset: 5; depth: 465;) Vulnerable field(s) Saturday, May 17, 2008 Pascal Gamper 30 Conclusion Our ASG system generates signatures with almost zero false positives For remote code injection attacks If full amount of attack information is extracted Signature describes the vulnerability of the application Protect server applications from buffer overflows in arbitrary protocols and fields > Our signatures can compete with other approaches including manually created reference signatures Saturday, May 17, 2008 Pascal Gamper 31 Questions? Saturday, May 17, 2008 Pascal Gamper 32 Evaluation Prototype implementation IP, TCP, UDP, FTP protocol state machines Examplary signature generation tests Protocol context aware signatures: Average total generation time: 1,64 s Few false positives LCS signatures (fallback strategy): Average total generation time: 3,46 s High rate of false positives depending on strings Saturday, May 17, 2008 Pascal Gamper 33
© Copyright 2024