Network Intrusion Detection with SemanticsAware Capability

1
Network Intrusion Detection with Semantics-Aware
Capability

• Walter J. Scheirer Mooi C. Chuah
• Lehigh University
• Department of Computer Science and Engineering

2
Motivation

• Computer intrusion is costly
• Automated attacks have been prevalent for years
• Polymorphic threats are real
• Shortcomings in popular intrusion detection
  systems (IDS)

3
Whats wrong with snort?

• Signature based IDS requires human intervention
• Original threat recognition
• Signature generation
• Signatures match a specific instance of a threat
• Can be extended with regexps
• Easily defeated with polymorphic code

4
Polymorphism

• Traditional polymorphism has taken the form of an
  encrypted body of code with an attached
  decryption routine
• Decryption routine is often obfuscated
• We term this metamorphism
• Code transpositions, equivalent instruction
  substitution, jump insertion, NOP insertion,
  garbage instruction insertion, and register
  reassignment

5
Polymorphism
6
Dynamic IDS

• Early work focused on sliding-window based
  approaches
• CMUs Autograph and Polygraph system
• UCSDs Earlybird system
• Premise Some portion of code between
  polymorphic/metamorphic instances will be
  invariant
• Shortcomings too many signatures generated
• Too many false positives

7
Initial Thoughts

• Syntactic approaches (signatures based on
  regexps, content blocks coupled with sliding
  window schemes, etc.) are inadequate
• What if we examine the meaning of the code
  instead?
• Semantics!

8
Inspiration

• M. Christodorescu, S. Jha, S. Seshia, D. Song and
  R. Bryant. Semantics-aware malware detection.
  IEEE Security and Privacy Symposium, May 2005.
• reduces the problem of semantic equivalency to a
  template matching problem

9
Inspiration

• Stated formally
• A program P satisfies a template T (denoted
  as P ? T) iff P contains an instruction sequence
  I such that I contains a behavior specified by
  T.
• A template will consist of a sequence of
  instructions, along with its associated variables
  and symbolic constants.

10
Templates
11
Bringing Semantics to NIDS

• While the initial work formalizes the template
  matching problem rather nicely, it presents a
  somewhat limited engineering approach to
  intrusion detection.
• assumes that malware samples are available as
  inputs
• Prone to false positives (Crypkey, ASProtect)
• Essentially limited to end-host virus detection
• We can improve reliability by adding more to this
  process.

12
The Semantics-Aware NIDS Architecture
13
Bringing Semantics to NIDS

• Added features
• smart traffic classifier
• binary data identification and extraction module
• We are extending the semantic detection idea to
  incorporate the network scenario.

14
Traffic Classification

• Honeypot scheme
• Widespread scanning scheme
• If a host sends an initial packet to an un-used
  address, a count n is initialized. If we continue
  to observe this host sending additional packets
  to other un-used addresses, the count will be
  incremented until it reaches a threshold t
• When t is reached, packets emanating from that
  suspicious host will be considered for further
  analysis

15
Binary Detection and Classification

• Many binary threats are common buffer overflow
  exploits
• In practice, we observe network buffer overflow
  exploits to consist of a well-formed initial
  application layer protocol request, with exploit
  content usually resembling (but not necessarily
  matching exactly) the above encapsulated within
  it.

16
Binary Detection and Classification

• By noting what is expected in a protocol request,
  and what is abnormal, we can often locate
  malicious binary content.
• Our module has the ability to distinguish between
  acceptable protocol usage and suspicious
  repetition.

17
Semantic Analysis

• IDA Pro
• Currently limited to x86
• Prune the code to include only the instructions
  we are interested in. Any excess code from the
  program frame is discarded.
• The templates that we built have the ability to
  handle out of order code, NOP insertion, junk
  instruction insertion, and register reassignment.
• If a piece of code matches one of our templates,
  an alert is generated, and further action may be
  taken against the offending IP address.

18
Evaluation

• We have conducted an extensive evaluation of our
  semantic NIDS, against captured network traffic.
• Intel P4 2.8Ghz system with 512MB
• Tested against many stock buffer overflow
  exploits, two popular toolkits for polymorphic
  exploit generation, and the Code Red II worm.
• False positive test a months worth of benign
  traffic, with classification disabled

19
Linux Shell Spawning

• The running time for these eight instances ranges
  from 2.36 seconds to 3.27 seconds.
• The average binary code size is less than
  10Kbytes for these exploits.

20
Polymorphic Shellcode Detection
21
Polymorphic Shellcode Detection
22
Code Red II

• Tested 12 5-minute traces collected from two
  Class B production networks, each with a total
  packet count of over 200,000.
• Before evaluation, we noted the correct number of
  instances of Code Red II within each capture.

23
Code Red II
24
False Positive Evaluation

• Disabled traffic classification on the NIDS
• Tested a months worth of traffic captured from
  two Class C networks (a total capture of 566MB).
• Most normal web traffic
• Templates used decryption routines, shell
  spawning, Code Red II memory addressing
• No false positives!

25
Conclusion

• We have designed and built a NIDS with semantic
  analysis capability.
• Extensive testing shows highly accurate detection
  and no false positives
• Improvements
• Traffic classification
• Processing Speed
• More architectures?

26
Questions?