leorio bthesis

Size: px

Start display at page:

Download "leorio bthesis"

せせらかやぬま
5 years ago
Views:

1 IDS Doan Viet Tung Rodney D. Van Meter III

2 ( 22 ) IDS IDS IDS IDS : 1, 2., 3., 4,

3 Abstract of Bachelor s Thesis - Academic Year 2010 Anomaly Detection System using Statistical Analysis of IDS logs Nowadays, with the spread of computer networks, information systems are more open to the Internet. Therefore, the importance of secured networks is tremendously increased. There has been an increasing need for security systems against the external attacks from the hackers. One important type is the Intrusion Detection System (IDS). Intrusion Detection System tries to detect malicious activities such as denial of service attacks or even attempts to crack into computers by monitoring network traffic. IDS reads all the incoming packets and tries to find suspicious patterns known as signatures or rules. However, IDS generally generates many false positives (corresponding to a false alert) and false negatives (corresponding to a non-detected attack). As a result, it s a heavy workload for the network manager to check all the detected events. This thesis presents an anomaly detection system using statistical analysis of IDS logs. Based on tendency of IDS alert events, this system can cluster, analyze and then classify alerts into normal alerts and abnormal alerts. Keywords : 1. Security, 2.Intrusion Detection System, 3.Anomaly Detection, 4.Statistical analysis Keio University, Faculty of Environment and Information Studies Doan Viet Tung

4 Intrusion Detection System IDS IDS T p iii

5 T p t s a s th

6 2.1 NIDS & HIDS HIDS NIDS /01/ /01/ CRIM ALAC t T p portscan Open Port SNMP trap UDP portscan Open Port SNMP trap UDP T p

7 vi

8 IDS NIDS & HIDS t t

9 1 1.1 IPA [1] ,392 13, : DOS [2] % 28% index index.html index.php 1

10 DOS : JavaScript[3] xxx.js ID ID DoS : Intrusion Detection System - IDS 2

12 2 IDS IDS 2.1 Intrusion Detection System IDS Intrusion Detection System IDS IDS IDS IDS 2 IDS IDS 2 HIDS NIDS HIDS NIDS 2.1 NIDS NIDS Misuse Detection Anomaly Detection RFC 4

13 2 2.1: NIDS & HIDS CIDF Common Intrusion Detection Framework[4] [5] Event generator E-box Event analyzer A-box Event database D-box Response unit R-box 5

14 2 2.2: IDS false positive false negative IDS IDS IDS 2.3 6

15 2 2.3: IDS 1. Host-based Intrusion Detection System - HIDS HIDS HIDS OS 2. Network-based Intrusion Detection System - NIDS NIDS 7

16 2 2.4: HIDS NIDS 2 NIDS NIDS HTTPS [6] SSL [7] NIDS NIDS IPS[8] [9] 8

17 2 2.5: NIDS SQL [10] IDS NIDS [11] 2.1 NIDS HIDS 2.2 NIDS IDS NIDS 9

18 2 NIDS HIDS SNMP Syslog TCP RST UDP, ICMP ICMP port unreachable ACL 2.1: IDS 10

19 2 2.2: NIDS & HIDS NIDS HIDS BOF DoS SQL Web 11

2 2.1.3 Misuse Detection Anomaly Detection 2 1.

20 Misuse Detection Anomaly Detection 2 1. Anomaly Detection 1 5MB 1 10MB IDS : zero-day attack[12] DoS [2] 12

21 2 2. Misuse Detection 2.7 EXEC ALERT 13

$contains (e.exec args, ˆ\\ ) == 1] 7 [? e.header size> NORMAL LENGTH] 8 ==> 9 [! printf( ALERT: Buffer overrun attack \ 10 on command %s\n, e.header command)] 11 ] 2.7: 2.$

22 2 1 rule[bsm LONG SUID EXEC(*): 2 [+e:bsm event] 3 [? e.header event type == AUE EXEC 4 e.header event type == AUE EXECVE] 5 [? e.subject euid!= e.subject ruid] 6 [? contains (e.exec args, ˆ\\ ) == 1] 7 [? e.header size> NORMAL LENGTH] 8 ==> 9 [! printf( ALERT: Buffer overrun attack \ 10 on command %s\n, e.header command)] 11 ] 2.7: : 14

23 2 OS BOF [13] IDS EOI EOI EOI 15

24 2 2.2 IDS IDS IDS NIDS IDS 500 IPv4 Snort[14] [15] Snort

25 : 17

26 2 2.9: 2010/01/ : 2010/01/02 NIDS 18

27 NIDS NIDS

28 3 IDS 3.1 Frederic Cuppens Alexandre Miege Alert Correlation in a Cooperative Intrusion Detection Framework[16] CRIM IDS CRIM : CRIM IDS 1 20

29 3 IDS 3.2 Tadeusz Pietraszek [17] ALAC Adaptive Learner for Alert Classification ALAC ALAC : ALAC [18] root cause analysis[19] [20] ALAC 21

30 3 ALAC ALAC 30% 3.3 [21] IDS IDS IDS IDS IDS IDS 3.4 IDS IDS 1 22

31 4 IDS 4.1 t 2.3 t t 4.1: t 23

32 t t Date Time Signature Occurence times Signature A 2011/01/01 00:00:00-23:59:59 Signature B b Signature C 4.1: t 1 a c Date Time Signature Occurence times Signature A a 1 00:00:00-05:59:59 Signature B b 1 Signature C c 1 Signature C c 2 06:00:00-11:59:59 Signature D d /01/01 Signature E e 1 Signature A a 2 12:00:00-17:59:59 Signature B b 2 Signature F f Signature B b 3 18:00:00-23:59:59 Signature D d 2 Signature E e 2 4.2: t

33 T p T p T p t t 1 T p : T p 3 T p

4 4.3: 3 4.3 68% 1 95% 2 ( 99.7%) 3 X N(, 2 ) 1 X 68.26% 2 95.44% 3 99.74% 2.

34 4 4.3: % 1 95% 2 ( 99.7%) 3 X N(, 2 ) 1 X 68.26% % % Snort portscan SNMP trap UDP

35 4 portscan Open Port SNMP trap UDP 2010/12/ /12/ /12/ /12/ /12/ /12/ /12/ : 2 27

36 4 4.4: portscan Open Port 4.5: SNMP trap UDP

37 4 4.6: portscan Open Port 4.7: SNMP trap UDP

38 t x T p s a : : 4.10: s a s a < % 1 <s a < a 2 b 27% 2 <s a a 3 b 5% 30

39 4 4.11: s a s a s a 3 4.4:

40 s a s t h 4.5 s a s th s a s th 4.5:

41 Snort Snort MySQL[22] MySQL

42 5 5.1: 5.2: 34

3 ログ分析部分は MySQL から過去期間 Tp において集約期間 t の警告イベントをシグネチャ名にクラスタリングし過去の検知数の分布を調べることにしたがって

43 第 5 章実環境における提案手法の適用と評価不正アクセスを検出する時に Snort は警告をすることと同時に MySQL にログを書き込むことである管理者はログを見たい時刻過去期間 Tp 学習期間集約期間 t を入力した後で図 5.3 ログ分析部分は MySQL から過去期間 Tp において集約期間 t の警告イベントをシグネチャ名にクラスタリングし過去の検知数の分布を調べることにしたがって警告イベントごとにアノマリスコアとアノマリラベルを付ける順番を決めた結果は図 5.4 のように示す図 5.3: 入力する情報図 5.4: 分析した警告しきい値を入力した後でしきい値より大きいアノマリスコアがある警告イベントだけを見せる図 5.5 と図 5.6 のように示す 35

44 5 5.5: 1 5.6: 2 36

45 T p T p T p T p T p T p T p 5.7: T p 37

46 t t t s a ?? 5.8:?? s th s th 38

47 5 5.9:

49 6 t 41

50 Rodney D.Van Meter III Pham Van Hung Vu Xuan Duong Do Thi Thuy Van Nguyen Hung Long 42

51 [1] (IPA) [2] Carnegie Mellon University s Computer Emergency Response Team (CERT). Denial of Service Attacks, html. [3] Mozilla Developer Network. JavaScript, en/javascript. [4] CIDF working group. Common Intrustion Detection Framework. edu/cidf/. [5] and., pages , [6] E.Rescorla. HTTP over TLS. Internet RFC 2818, [7] Chad W. Engelgau and Sanjeet Singh. Overview of SSL Acceleration Implementations. Dell Power Solutions, global.aspx/power/en/ps1q02_ssl. [8]. IDS IPS, /246798/. [9] (IPA). Web Application Firewall, [10] Microsoft TechCenter. SQL, [11]., pages , [12] Tony Bradley. Zero Day Exploits. About.com Guide. com/od/newsandeditorial1/a/aazeroday.htm. 43

52 [13] Maciej Ogorkiewicz and Piotr Frej. Analysis of Buffer Overflow Attacks. Windows OS Security, Buffer_Overflow_Attacks.html. [14] Sourcefire Inc. Snort. [15]. NIDS, [16] Frederic Cuppens and Alexandre Miege. Alert Correlation in a Cooperative Intrusion Detection Framework. IEEE Symposium on Research in Security and Privacy, [17] Tadeusz Pietraszek. Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection. In In Proceedings of the Symposium on Recent Advances in Intrusion Detection (RAID), pages Springer, [18] biz/datamining.html. [19] Klaus Julisch. Using Root Cause Analysis to Handle Intrusion Detection Alarms. PhD thesis, University of Dortmund, [20] Stefanos Manganaris, Marvin Christensen, Dan Zerkle, and Keith Hermiz. A Data Mining Analysis of RTID Alarms. Computer Networks: The International Journal of Computer and Telecommunications Networking, 34: , [21].. In, [22] Oracle Corporation. MySQL.