An Architecture for Generating Semantics-Aware Signatures

An Architecture for Generating Semantics-Aware Signatures

An Architecture for Generating Semantics-Aware Signatures Vinod Yegneswaran Jonathon T. Giffin Paul Barford Somesh Jha Computer Sciences Department University of Wisconsin, Madison {vinod,giffin,jha,pb}@cs.wisc.edu Abstract mented attack profiles [3, 18]. While the effectiveness of a misuse-detector is tightly linked to the quality of its Identifying new intrusions and developing effective sig- signature database, competing requirements make gen- natures that detect them is essential for protecting com- erating and maintaining NIDS signatures difficult. On puter networks. We present Nemean, a system for au- one hand, signatures should be specific: they should only tomatic generation of intrusion signatures from honeynet identify the characteristics of specific attack profiles. The packet traces. Our architecture is distinguished by its em- lack of specificity leads to false alarms—one of the ma- phasis on a modular design framework that encourages jor problems for NIDS today. For example, Sommer independent development and modification of system and Paxson argue that including context, such as the vic- components and protocol semantics awareness which al- tim’s response, in NIDS signatures reduces false alarm lows for construction of signatures that greatly reduce rates [28]. On the other hand, signatures should be gen- false alarms. The building blocks of our architecture eral so that they match variants of specific attack pro- include transport and service normalization, intrusion files. For example, a signature that does not account for profile clustering and automata learning that generates transport or application-level semantics can lead to false connection and session aware signatures. We demon- alarms [6,22,32]. Thus, a balance between specificity strate the potential of Nemean’s semantics-aware, re- and generality is an important objective for signatures. silient signatures through a prototype implementation. We present the design and implementation of an ar- We use two datasets to evaluate the system: (i) a pro- chitecture called Nemean1 for automatic generation of duction dataset for false-alarm evaluation and (ii) a hon- signatures for misuse-detection. Nemean aims to create eynet dataset for measuring detection rates. Signatures signatures that result in lower false-alarm rates by bal- generated by Nemean for NetBIOS exploits had a 0% ancing specificity and generality. We achieve this bal- false-positive rate and a 0.04% false-negative rate. ance by including semantics awareness, or the ability to understand session-layer and application-layer protocol 1 Introduction semantics. Examples of session layer protocols include NetBIOS and RPC, and application layer protocols in- Computer network security is a multidimensional activ- clude SMB, TELNET, NTP and HTTP.Increasingly, pre- ity that continues to grow in importance. The preva- processors for these protocols have become integral parts lence of attacks in the Internet and the ability of self- of NIDS. We arguethat these capabilities are essential for propagating worms to infect millions of Internet hosts automatic signature generation systems for the following has been well documented [30, 34]. Developing tech- reasons: niques and tools that enable more precise and more rapid 1. Semantics awareness enables signatures to be gen- detection of such attacks presents significant challenges erated for attacks in which the exploit is a small part for both the research and operational communities. of the entire payload. Network-security architectures often include network intrusion detection systems (NIDS) that monitor packet 2. Semantics awareness enables signatures to be gen- traffic between networks and raise alarms when mali- erated for multi-step attacks in which the exploit cious activity is observed. NIDS that employ misuse- does not occur until the last step. detection compare traffic against a hand-built database of signatures or patterns that identify previously docu- 3. Semantics awareness allows weights to be assigned to different portions of the payload (e.g., times- packet traces collected at two unused /19 address ranges tamps, sequence numbers, or proxy-cache headers) (16K total IP addresses) from two distinct Class B net- based upon their significance. works allocated to our campus. We collected session- level data for exploits targeting ports 80 (HTTP), 139 4. Semantics awareness helps produce generalized and 445 (NetBIOS/SMB). Section 6 describes the data signatures from a small number of input samples. collection environment. We use this packet trace data as input to Nemean to produce a comprehensive signature 5. Semantics awareness results in signatures that are set for the three target ports. In Section 7, we describe easy to understand and validate. the major clusters and the signatures produced from this Our architecture contains two components: a data ab- data set. Leave-out testing results indicate that our sys- straction component that normalizes packets from indi- tem generates accurate signatures for most common in- vidual sessions and renders semantic context and a sig- trusions, including Code Red, Nimda, and other popular nature generation component that groups similar ses- exploits. We detected 100% of the HTTP exploits and sions and uses machine-learning techniques to gener- 99.96% of the NetBIOS exploits with 0 misdiagnoses. ate signatures for each cluster. The signatures produced Next, we validated our signatures by testing for false are suitable for deployment in a NIDS [3,18,31]. We alarms using packet traces of all HTTP traffic collected address specificity by producing both connection-level from our department’s border router. Nemean produced and session-level signatures. We address generality by 0 false alarms for this data set. By comparison, Snort [3] learning signatures from transport-normalized data and generated over 1,000 false alarms on the same data set. consideration of application-level semantics that enables These results suggest that even with a much smaller sig- variants of attacks to be detected. Therefore, we argue nature set, Nemean achieves detectability rates on par that Nemean generates balanced signatures. At present, with Snort while identifying attacks with superior pre- Nemean’s goal is to provide an automated mechanism cision and far fewer false alarms. to build accurate signatures that keep pace with exploits and network viruses released everyday and is not meant 2 Related Work to “automate real-time deployment” of signatures. We discuss this issue in greater detail in Section 3.3. Sommer and Paxson [28] proposed adding connection- The input to Nemean is a set of packet traces collected level context to signatures to reduce false positives in from a honeynetdeployed on an unused IP address space. misuse-detection. Handley et al. described transport- Any data observed at a honeynet [7]2 is anomalous, thus level evasion techniques designed to elude a NIDS as mitigating both the problem of privacy and the problem well as normalization methods that disambiguate data of separating malicious and normal traffic.3 We assume before comparison against a signature [6]. Similar work that the honeynet is subject to the same attack traffic as described common HTTP evasion techniques and stan- standard hosts and discuss the ramifications of this as- dard URL morphing attacks [22]. Vigna et al. [32] sumption in Section 8. described several mutations and demonstrated that two To evaluate Nemean’s architecture, we developed a widely deployed misuse-detectors were susceptible to prototype implementation of each component. This im- such mutations. The works of Handley et al. and Vigna plementation enables automated generation of signatures et al. highlight the importance of incorporating seman- from honeynet packet traces. We also developed a sim- tics into the signature generation process. ple alert generation tool for off-line analysis, which com- Honeypots are an excellent source of data for intrusion pares packet traces against signatures. While we demon- and attack analysis. Levin et al. described how honey- strate that our current implementation is extremely effec- pots extract details of worm exploits that can be analyzed tive, the modular design of the architecture enables any to generate detection signatures [13]. Their signatures of the individual components to be easily replaced. We were generated manually. expect that further developments will tune and expand Several automated signature generation systems have individual components resulting in more timely, precise been proposed. Table 1 summarizes the differences be- and effective signatures. From a broader perspective, tween Nemean and the other signature-generation sys- we believe that our results demonstrate the importance tems. One of the first systems proposed was Honey- of Nemean’s capability in a comprehensive security ar- comb developed by Kreibich and Crowcroft [11]. Like chitecture. Section 3 describes the architecture and Sec- Nemean, Honeycomb generated signatures from traffic tions 4 and 5 present our prototype implementation of observed at a honeypot via its implementation as a Hon- Nemean. eyd [20]4 plugin. At the heart of Honeycomb is the We performed two evaluations of our prototype. First, longest common substring (LCS) algorithm that looks for we calculated detection and misdiagnosis counts using the longest shared byte sequences across pairs of con- Traffic source Generates Contextual Semantics Signature Generation Target Signatures Aware Algorithm Attack Class

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    16 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us