Application Intrusion Detection
Robert S. Sielken
In Fulfillment Of
Master of Computer Science Degree
School of Engineering and Applied Science
University of Virginia
May 4, 1999
Application Intrusion Detection
1
Outline
• Introduction
• State of Practice - OS IDS
• Case Studies
• Application Intrusion Detection
• Construction of an Application Intrusion Detection System (AppIDS)
• Conclusion

Introduction
• Intrusion Detection
  – determining whether or not some entity, the intruder, has attempted to gain, or worse, has gained unauthorized access to the system
• Intruders
  – Internal
  – External
• Objectives
  – Confidentiality
  – Integrity
  – Availability
  – Accountability
• Current State
  – done at the OS level, but diminishing returns
  – opportunities and limits of utilizing application semantics?

State of Practice - OS IDS
• Audit records
  – operating system generated collections of the events that have happened in the system over a period of time
• Events
  – results of actions taken by users, processes, or devices that may be related to a potential intrusion
• Threat Categories
  – Denial of Service
  – Disclosure
  – Manipulation
  – Masqueraders
  – Replay
  – Repudiation
  – Physical Impossibilities
  – Device Malfunctions

OS IDS - Approaches
• Anomaly Detection
  – Static
    • Tripwire, Self-Nonself
  – Dynamic
    • NIDES, Pattern Matching (UNM)
• Misuse Detection
  • NIDES, MIDAS, STAT
• Extensions - Networks
  – Centralized
    • DIDS, NADIR, NSTAT
  – Decentralized
    • GrIDS, EMERALD

OS IDS - Generic Characteristics
• Relation - expression of how two or more values are associated
  – Statistical
  – Rule-Based
• Observable Entities - any object (user, system device, etc.) that has or produces a value in the monitored system that can be used in defining a relation
• Thresholds - determine how the result of the relation will be interpreted

OS IDS - Generic Characteristics
• Effectiveness
  – fine-tuning of thresholds
  – frequency of relation evaluation
  – number of correlated values
  – hierarchy

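The relation, observable entity and threshold vocabulary of these two slides, as an added Python example (not code from the thesis): a statistical relation compares an entity's value with its history and a rule-based relation correlates two entities; the threshold decides how each result is interpreted, and sweeping it shows the tightness trade-off listed under Effectiveness. The `volume`, `role` and `terminal` entities and the history values are constructed.

```python
"""Generic IDS relation evaluation: statistical and rule-based relations over
observable entities, with thresholds deciding how a result is interpreted.
Added example, not from the slides; entity names and values are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List

Record = Dict[str, object]   # one event record: observable-entity name -> value


@dataclass
class StatRelation:
    """Statistical relation: how far a value lies from the entity's history."""
    name: str
    entity: str                 # observable entity the relation reads
    history: List[float]        # past values of this entity (its profile)
    threshold: float            # alarm when |z-score| exceeds this

    def evaluate(self, record: Record) -> bool:
        """True if the record's value is anomalous under the threshold."""
        mu, sigma = mean(self.history), pstdev(self.history)
        if sigma == 0:           # flat history: any deviation at all is anomalous
            return record[self.entity] != mu
        z = abs((record[self.entity] - mu) / sigma)
        return z > self.threshold


@dataclass
class RuleRelation:
    """Rule-based relation: a predicate over one or more observable entities
    that normal behaviour must satisfy."""
    name: str
    predicate: Callable[[Record], bool]   # True when the record is consistent

    def evaluate(self, record: Record) -> bool:
        return not self.predicate(record)


def evaluate_all(relations, record: Record) -> List[str]:
    """Evaluate every relation against one event record and return the names
    of those whose result crosses their threshold (the anomalies)."""
    return [r.name for r in relations if r.evaluate(record)]


# Constructed history of one entity (e.g. bytes transferred per session).
HISTORY = [100, 110, 95, 105, 100, 90, 108, 102, 97, 103]


def alarms_at_threshold(threshold: float, values: List[float]) -> int:
    """Effectiveness depends on threshold tightness: count how many of the
    observed values raise an alarm at a given z-score threshold."""
    rel = StatRelation("volume vs. historical", "volume", HISTORY, threshold)
    return sum(rel.evaluate({"volume": v}) for v in values)


def demo() -> List[str]:
    """One statistical relation plus one rule correlating two entities."""
    relations = [
        StatRelation("volume vs. historical", "volume", HISTORY, threshold=2.0),
        # A record marked 'admin' must come from the console; anything else
        # is inconsistent with the rule (constructed policy).
        RuleRelation("role vs. terminal",
                     lambda r: r["role"] != "admin" or r["terminal"] == "console"),
    ]
    record = {"volume": 300, "role": "admin", "terminal": "remote"}
    return evaluate_all(relations, record)


if __name__ == "__main__":
    print(demo())
    for t in (1.0, 2.0, 3.5):
        print(t, alarms_at_threshold(t, [101, 112, 120, 300]))
```

Loosening the threshold from 3.5 to 1.0 turns one alarm into three on the same four observations; which of those are true positives depends on the application, which is exactly the fine-tuning the slide names.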
AppIDS
• Guiding Questions
  – Opportunity – what types of intrusions can be detected by an AppIDS?
  – Effectiveness – how well can those intrusions be detected by an AppIDS?
  – Cooperation – how can an AppIDS cooperate with the OS IDS to be more effective than either alone?

Case Studies
• Electronic Toll Collection
  – numerous devices distributed
  – complementary device values
  – hierarchical
  – gathers data about monitored external behavior
  – accounting component
• Health Record Management
  – non-hierarchical
  – no devices beyond controlling computer
  – no financial component
  – limited access
  – contains physical realities
  – data collection and scheduling components

Electronic Toll Collection (ETC)
• Devices
  – Toll Lane
    • Tag Sensor
    • Automated Coin Basket
    • Toll Booth Attendant
    • Loop Sensor
    • Axle Reader
    • Weigh-In-Motion Scale
    • Traffic Signal
    • Video Camera
  – Vehicle
    • Tag (Active/Passive)

ETC - Hierarchy
(Diagram) Toll Management Center at the top; several Toll Plazas below it, each with several Toll Lanes; Other Devices also appear in the diagram.

ETC - Application Specific Intrusions
Threat Categories → Specific Intrusions → Methods → Relations
• Annoyance (3 methods)
• Steal Electronic Money (10 methods)
• Steal Vehicle (4 methods)
• Device Failure (1 method)
• Surveillance (2 methods)

ETC - Steal Service
Relations for the specific intrusion "Steal Service" (method columns: No tag and cover plate; Copy tag; Packet filter that discards all a tag's packets):
Rel # | Relation                   | Type   | Execution Location
1     | Tag vs. Historical (Time)  | (stat) | TBP/TMC
4     | Tag vs. Historical (Sites) | (stat) | TMC
5     | Tag vs. Time               | (rule) | TMC
9     | Tag vs. Axles              | (rule) | TBL
25    | Unreadable Tags            | (stat) | TBP/TMC

Application Intrusion Detection
• Similarities
  – detect intrusions by evaluating relations to differentiate between anomalous and normal behavior
  – centralized or decentralized (hierarchical)
  – same threat categories
  – anomaly detection using statistical and rule-based relations
• Differences
  – internal intruders
  – event causing entity
  – resolution
  – tightness of thresholds
  – event records
    • periodic
    • code triggers

AppID (cont'd)
• Dependencies
  – OS IDS on AppIDS
    • None
  – AppIDS on OS IDS
    • basic security services
    • prevention of bypassing application to access application components
• Cooperation
  – audit/event record correlation
  – communication
    • bi-directional
    • request-response bundles
  – complications
    • terms of communication
    • resource usage - lowest common denominator

Construction of an AppIDS
(Diagram, labelled GENERIC COMPONENTS and TOOLS)
• Relation Specifier → Relations
• Relation Evaluator
• Relation–Code Connector → Observable Entity Locations in the Application
• Event Record Manager
• Event Record Specifier → Event Record Structure, Timings
• Anomaly Alarm Handler

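How the boxes on this slide fit together, as an added Python sketch (not the thesis' implementation): the Event Record Manager stores records in the structure the Event Record Specifier fixed, a Relation–Code Connector hooks the application at an observable-entity location and emits a record per call, the Relation Evaluator runs relations either on that code trigger or periodically over the batch (the two timings named on the previous slide), and the Anomaly Alarm Handler collects what fires. The monitored `transfer` function, the record fields and both relations are constructed.

```python
"""Generic AppIDS components wired together. Added example, not the thesis'
code; the application function, record fields and relations are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Record = Dict[str, object]


@dataclass
class EventRecordManager:
    """Stores event records; the Event Record Specifier fixed their structure
    as a set of required fields, enforced on insertion."""
    fields: tuple
    records: List[Record] = field(default_factory=list)

    def add(self, record: Record) -> None:
        missing = set(self.fields) - set(record)
        if missing:
            raise ValueError(f"event record lacks fields {sorted(missing)}")
        self.records.append(record)


@dataclass
class AnomalyAlarmHandler:
    alarms: List[str] = field(default_factory=list)

    def raise_alarm(self, relation: str, detail: Record) -> None:
        self.alarms.append(f"{relation}: {detail}")


class RelationEvaluator:
    """Evaluates relations on a code trigger (each new record) or
    periodically (over all records held by the manager)."""
    def __init__(self, manager: EventRecordManager, handler: AnomalyAlarmHandler):
        self.manager, self.handler = manager, handler
        self.triggered: Dict[str, Callable[[Record], bool]] = {}        # record -> consistent?
        self.periodic: Dict[str, Callable[[List[Record]], bool]] = {}   # batch -> consistent?

    def on_record(self, record: Record) -> None:          # code-trigger timing
        self.manager.add(record)
        for name, consistent in self.triggered.items():
            if not consistent(record):
                self.handler.raise_alarm(name, record)

    def run_periodic(self) -> None:                        # periodic timing
        for name, consistent in self.periodic.items():
            if not consistent(self.manager.records):
                self.handler.raise_alarm(name, {"records": len(self.manager.records)})


def connector(evaluator: RelationEvaluator, entity_fields: tuple):
    """Relation–Code Connector: decorator placed at an observable-entity
    location in the application; builds the event record from the call."""
    def wrap(fn):
        def instrumented(*args):
            record = dict(zip(entity_fields, args))
            record["action"] = fn.__name__
            evaluator.on_record(record)
            return fn(*args)
        return instrumented
    return wrap


def build_and_run() -> List[str]:
    """Assemble the components and drive a constructed application."""
    manager = EventRecordManager(fields=("action", "user", "amount"))
    handler = AnomalyAlarmHandler()
    ev = RelationEvaluator(manager, handler)
    # Relations as the Relation Specifier would define them (constructed):
    ev.triggered["amount vs. limit"] = lambda r: r["amount"] <= 1000
    ev.periodic["actions per period"] = lambda recs: len(recs) <= 3

    @connector(ev, ("user", "amount"))
    def transfer(user, amount):        # the application code being monitored
        return f"{user} transferred {amount}"

    for user, amount in [("alice", 50), ("bob", 5000), ("alice", 20), ("carol", 10)]:
        transfer(user, amount)
    ev.run_periodic()
    return handler.alarms


if __name__ == "__main__":
    for alarm in build_and_run():
        print(alarm)
```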
Conclusion
• Opportunity
  – internal intruders (abusers)
  – anomaly with statistical and rule-based relations
  – same threat categories
• Construction
  – tools
  – generic components
• Cooperation
  – detection
• Effectiveness
  – resolution
  – tightness of thresholds

Health Record Management (HRM)
• Components
  – Patient Records
  – Orders – lists of all requests for drugs, tests, or procedures
  – Schedule – schedule for rooms for patient occupancy, laboratory tests, or surgical procedures (does not include personnel)
• Users
  – doctors, laboratory technicians, and nurses

HRM - Application Specific Intrusions
Threat Categories → Specific Intrusions → Methods → Relations
• Annoyance (4 methods)
• Steal Drugs (1 method)
• Patient Harm (6 methods)
• Surveillance (2 methods)

HRM - Patient Harm
Relations for the specific intrusion "Patient Harm" (method columns: Order Needless Drugs; Perform Needless Procedure; Admin. Improper Diet; Admin. an Allergic Drug; Admin. Too Much of Drug; Admin. Wrong Drug):
Rel # | Relation                                           | Type
2     | Drug vs. Allergy                                   | (rule)
5     | Drug vs. Diet                                      | (rule)
8     | Drug vs. Historical (dosage)                       | (stat)
24    | Patient Test Results vs. Test Results (Historical) | (stat)

ETC - Steal Service
Relations for the specific intrusion "Steal Service" (method columns: No tag and cover plate; Copy tag; Packet filter that discards all a tag's packets):
Rel # | Relation | Relation Description | Execution Location
1 | Tag vs. Historical (Time) | Tag (Time of Day) should match Historical Time (of Day) (stat) | TBP/TMC
2 | Tag vs. Historical (Day) | Tag (Day of Week) should match Historical Time (Day of Week) (stat) | TBP/TMC
3 | Tag vs. Historical (Frequency) | Tag (Frequency (per day)) should match Historical Frequency (per day) (stat) | TBP/TMC
4 | Tag vs. Historical (Sites) | Tag (Sites) should match Historical sites (stat) | TMC
5 | Tag vs. Time | Tag should not be reread within x minutes at any other toll booth (rule) | TMC
6 | Tag vs. Parking | Tag (Identity) should not be listed as being in a parking facility (Parking) (rule) | TMC
7 | Tag vs. Report of Stolen Tag | Tag should not match that of a reported lost/stolen vehicle (rule) | TMC
9 | Tag vs. Axles | Tag (Axles) should match Axles (rule) | TBL
10 | Tag vs. Scale | Tag (Weight) should match Scale (rule) | TBL
11 | Tag + Toll + Coin Toll vs. Traffic Signal | # of tolls paid (tag/toll/coin-toll) equals number of signals given (green) (rule) | TBL
12 | Tag + Toll + Coin Toll vs. Video | # of tolls paid (tag/toll/coin-toll) equals number of vehicles seen by camera (rule) | TBL
13 | Tag + Toll + Coin Toll vs. Loops | # of tolls paid (tag/toll/coin-toll) equals number of vehicles seen by loops (rule) | TMC

Steal Service (cont'd)
Rel # | Relation | Relation Description | Execution Location
15 | Axles vs. Scale | # of Axles should match Scale reading (rule) | TBL
16 | Axles vs. Toll | Axles (cost) should match Toll collected (rule) | TBL
17 | Axles vs. Coin-Toll | Axles (cost) should match Toll (coin) paid (rule) | TBL
18 | Toll vs. Scale | Toll collected should match Scale based fare (rule) | TBL
19 | Toll vs. Video | Toll collected should match Video vehicle determination (rule) | TBL
20 | Coin-Toll vs. Scale | Toll (coin) paid should match Scale based fare (rule) | TBL
21 | Coin-Toll vs. Video | Toll (coin) paid should match Video vehicle determination (rule) | TBL
22 | Traffic Signal vs. Video | # of signals (green) equals # of vehicles seen by video camera (rule) | TBL
23 | Traffic Signal vs. Loops | # of signals (green) equals # of vehicles seen by loops (rule) | TMC
24 | Video vs. Loops | # of vehicles seen by video camera equals # of vehicles seen by loops (rule) | TMC
25 | Unreadable Tags | # of unreadable tags should be fairly evenly distributed between lanes and toll booths (stat) | TBP/TMC

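Three of the Steal Service relations above, evaluated over constructed toll-lane event records as an added Python example (not the thesis' code): relation 9 (Tag vs. Axles) and relation 11 (tolls paid vs. green signals) need only one lane's records and so run in the lane (TBL), while relation 5 (a tag reread within x minutes at another booth) needs records from every plaza and so runs at the Toll Management Center (TMC). The record layout, the sample passages and the value x = 10 minutes are assumptions; the slide leaves x open.

```python
"""ETC Steal Service relations 5, 9 and 11 over constructed lane records.
Added example, not the thesis' code; record format, x = 10 minutes and all
sample values are constructed."""
from collections import Counter, defaultdict
from typing import Dict, List

# One constructed event record per vehicle passage, holding what a toll lane's
# devices report: 't' is seconds since midnight, 'tag_axles' the axle count
# encoded on the tag, 'axles' the Axle Reader's count, 'paid' how the toll was
# settled (tag/coin/attendant, or None if no toll was recorded), 'green'
# whether the Traffic Signal released the vehicle.
LANE_RECORDS = [
    {"t": 28800, "plaza": "P1", "lane": 1, "tag": "T100", "tag_axles": 2, "axles": 2, "paid": "tag", "green": True},
    {"t": 28900, "plaza": "P1", "lane": 1, "tag": None, "tag_axles": None, "axles": 2, "paid": None, "green": True},   # released, no toll
    {"t": 28950, "plaza": "P1", "lane": 1, "tag": "T200", "tag_axles": 2, "axles": 5, "paid": "tag", "green": True},   # tag says 2 axles, reader saw 5
    {"t": 29000, "plaza": "P2", "lane": 3, "tag": "T100", "tag_axles": 2, "axles": 2, "paid": "tag", "green": True},   # T100 again 200 s later, other plaza
    {"t": 29100, "plaza": "P2", "lane": 3, "tag": "T300", "tag_axles": 3, "axles": 3, "paid": "coin", "green": True},
]
X_MINUTES = 10   # relation 5's "x minutes" (assumed value)


def rel9_tag_vs_axles(records) -> List[str]:
    """Rel 9 (rule, TBL): Tag (Axles) should match the Axle Reader count.
    Returns the tags whose encoded axle count disagrees with the reader."""
    return [r["tag"] for r in records
            if r["tag"] is not None and r["tag_axles"] != r["axles"]]


def rel11_tolls_vs_signals(records) -> Dict[str, int]:
    """Rel 11 (rule, TBL): per lane, # of tolls paid equals # of green
    signals. Returns lanes where they differ, with green minus paid."""
    paid, green = Counter(), Counter()
    for r in records:
        key = f'{r["plaza"]}/{r["lane"]}'
        paid[key] += r["paid"] is not None
        green[key] += r["green"]
    return {k: green[k] - paid[k] for k in green if green[k] != paid[k]}


def rel5_tag_vs_time(records) -> List[str]:
    """Rel 5 (rule, TMC): a tag should not be reread within x minutes at any
    other toll booth. Needs records from all plazas, hence the TMC."""
    reads = defaultdict(list)
    for r in sorted(records, key=lambda r: r["t"]):
        if r["tag"]:
            reads[r["tag"]].append((r["t"], r["plaza"], r["lane"]))
    hits = []
    for tag, seq in reads.items():
        for (t1, p1, l1), (t2, p2, l2) in zip(seq, seq[1:]):
            if (p1, l1) != (p2, l2) and t2 - t1 < X_MINUTES * 60:
                hits.append(tag)
    return hits


def evaluate_at_tbl(records) -> Dict[str, object]:
    """Relations executed in the lane, over that lane's own records."""
    return {"rel9": rel9_tag_vs_axles(records), "rel11": rel11_tolls_vs_signals(records)}


def evaluate_at_tmc(records) -> Dict[str, object]:
    """Relations executed at the Toll Management Center, over all plazas."""
    return {"rel5": rel5_tag_vs_time(records)}


if __name__ == "__main__":
    print(evaluate_at_tbl(LANE_RECORDS))
    print(evaluate_at_tmc(LANE_RECORDS))
```

Each relation on its own points only at an inconsistency between two device values; which Steal Service method it indicates is the correlation step the tables leave to the analyst.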
HRM - Patient Harm
Relations for the specific intrusion "Patient Harm" (method columns: Order Needless Drugs; Perform Needless Procedure; Admin. Improper Diet; Admin. an Allergic Drug; Admin. Too Much of Drug; Admin. Wrong Drug):
Rel # | Relation | Relation Description
1 | Drug vs. Drug | Certain drugs cannot be taken in conjunction with other drugs (rule)
2 | Drug vs. Allergy | Certain drugs cannot be taken when a person has certain allergies (rule)
3 | Drug vs. Sex | Certain drugs cannot be taken by one sex or the other (rule)
4 | Drug vs. Weight | Certain drug prescriptions are based on the patient's weight (rule)
5 | Drug vs. Diet | Certain drugs cannot be taken while consuming certain foods (rule)
6 | Drug vs. Lethal Dosage | Drug dosage should not exceed the lethal dosage (rule)
7 | Drug vs. Time | Drugs have a minimum time between doses (such as 4 hours) (rule)
8 | Drug vs. Historical (dosage) | Drug dosage should be fairly similar to other prescriptions of the drug in either dosage amount or frequency (stat)
12 | Procedure vs. Diet | Some procedures may have a special dietary preparation requirement (rule)
18 | Language vs. Language | Anything outside of the restricted language is not allowed (rule)
24 | Patient Test Results vs. Test Results (Historical) | Test results should be related to previous test results for that patient (stat)
25 | Test Results vs. Test Results (Historical) | Test results should be related to previous test results across all patients (stat)

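Five of the Patient Harm relations above applied to a drug order, as an added Python example (not the thesis' code): relation 18 first rejects any order text outside a restricted order language, then relations 2, 6 and 7 check the parsed order against the patient's allergies, the lethal dose and the minimum dosing interval, and relation 8 compares the dose statistically with earlier prescriptions of the same drug. The formulary, drug names, patient record, grammar and thresholds are constructed; no real drug data is implied.

```python
"""HRM Patient Harm relations 2, 6, 7, 8 and 18 over constructed orders.
Added example, not the thesis' code; formulary, patient and grammar are
constructed (drugA/drugB are placeholders, not real drugs)."""
from statistics import mean, pstdev
from typing import Dict, List, Optional

# Constructed formulary: allergy class, lethal single dose (mg), minimum
# interval between doses (hours), and dosages of earlier prescriptions.
FORMULARY = {
    "drugA": {"class": "penicillin", "lethal_mg": 4000, "min_hours": 4, "history": [500, 500, 250, 500, 750]},
    "drugB": {"class": "opioid", "lethal_mg": 200, "min_hours": 6, "history": [10, 10, 15, 10, 5]},
}
PATIENT = {"id": "pt-1", "allergies": {"penicillin"}}   # constructed patient record

# Rel 18: the restricted order language, here 'give <drug> <integer> mg'.
ORDER_GRAMMAR = {"verb": {"give"}, "drug": set(FORMULARY), "unit": {"mg"}}


def rel18_parse_order(text: str) -> Optional[Dict]:
    """Rel 18 (rule): anything outside the restricted language is not
    allowed. Returns the parsed order, or None if the text is rejected."""
    parts = text.split()
    if len(parts) != 4 or parts[0] not in ORDER_GRAMMAR["verb"]:
        return None
    if parts[1] not in ORDER_GRAMMAR["drug"] or parts[3] not in ORDER_GRAMMAR["unit"]:
        return None
    if not parts[2].isdigit():
        return None
    return {"drug": parts[1], "mg": int(parts[2])}


def rel2_drug_vs_allergy(order: Dict, patient: Dict) -> bool:
    """Rel 2 (rule): fires if the drug's class is among the patient's allergies."""
    return FORMULARY[order["drug"]]["class"] in patient["allergies"]


def rel6_drug_vs_lethal(order: Dict) -> bool:
    """Rel 6 (rule): fires if the dose exceeds the lethal dosage."""
    return order["mg"] > FORMULARY[order["drug"]]["lethal_mg"]


def rel7_drug_vs_time(order: Dict, last_dose_hours_ago: Optional[float]) -> bool:
    """Rel 7 (rule): fires if given sooner than the minimum interval."""
    return (last_dose_hours_ago is not None
            and last_dose_hours_ago < FORMULARY[order["drug"]]["min_hours"])


def rel8_drug_vs_historical(order: Dict, threshold: float = 2.0) -> bool:
    """Rel 8 (stat): fires if the dose is far (z-score) from other
    prescriptions of the same drug."""
    hist = FORMULARY[order["drug"]]["history"]
    mu, sigma = mean(hist), pstdev(hist)
    return sigma > 0 and abs(order["mg"] - mu) / sigma > threshold


def check_order(text: str, patient: Dict = PATIENT,
                last_dose_hours_ago: Optional[float] = None) -> List[str]:
    """Run the relations an order must pass; return the ones that fire."""
    order = rel18_parse_order(text)
    if order is None:                       # nothing else is evaluated on rejected text
        return ["18 Language vs. Language"]
    fired = []
    if rel2_drug_vs_allergy(order, patient):
        fired.append("2 Drug vs. Allergy")
    if rel6_drug_vs_lethal(order):
        fired.append("6 Drug vs. Lethal Dosage")
    if rel7_drug_vs_time(order, last_dose_hours_ago):
        fired.append("7 Drug vs. Time")
    if rel8_drug_vs_historical(order):
        fired.append("8 Drug vs. Historical (dosage)")
    return fired


if __name__ == "__main__":
    for text in ("give drugB 10 mg", "give drugA 500 mg", "give drugC 5 mg"):
        print(text, "->", check_order(text))
    print(check_order("give drugB 300 mg", last_dose_hours_ago=2))
```

The relations fire at the point where the application already has the semantics (which drug, which patient, what was prescribed before), which is what an OS-level IDS seeing only file and process events cannot reconstruct.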