Title: A Stateful Intrusion Detection System for World-wide Web Servers
A Stateful Intrusion Detection System for World-wide Web Servers
- Vigna G, Robertson W, Kher V, Kemmerer R
- Department of Computer Science
- UC Santa Barbara
- 19th Annual Computer Security Applications Conference, December 08-12, 2003, Las Vegas, Nevada
Stateful IDS for Web Servers, Vigna G et al., 2003
- Introduction
  - Motivation
    - Large number of web servers
    - Continuous disclosure of vulnerabilities in web servers; web servers are popular targets
    - 2001-2002: 23 computer vulnerabilities are web related
- Introduction
  - Intrusion Detection Systems (IDS)
    - Analyse input streams for manifestations of attack
    - Stateless
      - Examines each event in the input stream independently
    - Stateful
      - Considers relationships between events and detects attacks based on event histories
- Introduction
  - IDS
    - Network-based
      - Monitors network traffic and events
      - Does not consider application-level logic
      - Cannot detect attacks that depend on the configuration of the server application
    - Application-based
      - Processes the different stages of a client request
      - IDS tightly coupled to the web server and visible
      - Performance of the web server is impacted
- Introduction
  - IDS
    - Anomaly detection
      - Models of normal behavior
      - Compares log data with the normal models to detect abnormal patterns/activity
      - Detects previously unknown attacks
      - Large number of false positives
- Introduction
  - IDS (Intrusion Detection System)
    - Misuse detection
      - Models of attack descriptions
      - Compares audit data with the modeled attacks for evidence of an attack
      - Detects only attacks that are modeled
      - Focused analysis for attack detection
      - Fewer false positives, so more popular
- Introduction
  - Current IDS limitations
    - Simple pattern matching of HTTP requests
    - Buffer overflows not detected
    - Attacks involving multiple steps cannot be modeled
    - Only detect trends in large sets of web-related events
    - Focus on a single event stream (network log or server application log)
    - Do not maintain histories of web requests
- WebSTAT (IDS)
  - Based on the STAT framework (State Transition Analysis Technique)
  - Complex multi-step attacks can be modeled using the STATL language
  - Performs integrated analysis of multiple event streams: web server, network and OS events/logs
  - Modular, multithreaded
  - Application-independent runtime with components that deal with specific application domains
  - More effective detection with fewer false positives
- STAT framework
  - Models attacks as transitions between security states of a system
  - Supported by the STATL modeling language
- STATL
  - Describes events and attack scenarios together with the relevant variables, e.g. the source of an HTTP request
  - Events are defined by subclassing specific C++ classes of the STAT framework
  - These classes are encapsulated in language extension modules and compiled into DLLs
  - The events are then used in scenario descriptions, which are again compiled into DLLs
- STATL (diagram)
  - An attack scenario is a set of states and transitions: a transition from State A to State B is triggered by an action/event, e.g. opening a TCP connection or the execution of a CGI script
  - A state is a system snapshot
  - A transition carries an assertion, e.g. specifying the port or the request parameters
- Transitions (diagram: State A to State B in each case)
  - Non-consuming: both states remain active
  - Consuming: only the destination state remains valid
  - Unwinding: rollback to the previous state
- STATL
  - STATcore is the runtime for STATL
  - The core implements the concepts of state, transition, instance, etc.
  - Obtains events from logs/audit trails and matches them against actions, transitions and attack scenarios
  - Diagram: events/logs are fed to an Event Provider, which converts them to STAT events; STATcore incorporates the translated STATL extension and performs the attack scenario analysis
- WebSTAT
  - A language extension module that defines web-specific events
  - An event provider that parses web server logs and generates the corresponding events
  - Modules for network and OS events
  - A number of STATL scenarios to detect attacks against web servers
  - Response modules to generate alerts
- WebSTAT: the Request event class shown on the slide, a C++ subclass of STAT_Event

    class Request : public STAT_Event {
    public:
        string request;         // the request as received
        string userAgent;       // User-Agent header
        string encodedRequest;  // the request before URL decoding
    };
- WebSTAT
  - Counting scenario pattern
    - Integer parameters: threshold, alert_freq, inactivity_timeout
- WebSTAT
  - Web Crawler Scenario
    - A file specifies which User-Agents are allowed
  - Pattern Matching Scenario
    - Detects attacks embedded in the URL by matching it against a list of regular expressions
  - Repeated Failed Access Scenario
    - Checks for multiple client errors; a counter records the number of times a failed request originated from a subnet
  - Cookie Stealing Scenario
    - Records the initial use of a session cookie by a remote client by mapping the cookie to an IP address
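An added Python sketch of the counting scenario pattern and of the Repeated Failed Access and Cookie Stealing scenarios listed above, run over constructed access-log lines (this is not code from the paper or from WebSTAT, whose scenarios are STATL compiled to C++). The three integer parameters keep their slide names; keying the counter on a /24 subnet, treating 4xx responses as failed accesses, and logging the cookie as a trailing field are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format lines with a trailing "%{Cookie}i" field (not the paper's data).
LOG_LINES = """\
10.0.0.5 - - [08/Dec/2003:10:00:01 -0800] "GET /login HTTP/1.0" 200 512 "-" "Mozilla/4.0" "SESSID=abc123"
10.0.0.7 - - [08/Dec/2003:10:00:05 -0800] "GET /admin/ HTTP/1.0" 403 210 "-" "Mozilla/4.0" "-"
10.0.0.9 - - [08/Dec/2003:10:00:06 -0800] "GET /backup/ HTTP/1.0" 404 210 "-" "Mozilla/4.0" "-"
10.0.0.7 - - [08/Dec/2003:10:00:07 -0800] "GET /.htpasswd HTTP/1.0" 403 210 "-" "Mozilla/4.0" "-"
10.0.0.9 - - [08/Dec/2003:10:00:08 -0800] "GET /cgi-bin/ HTTP/1.0" 404 210 "-" "Mozilla/4.0" "-"
10.0.0.7 - - [08/Dec/2003:10:00:09 -0800] "GET /secret HTTP/1.0" 403 210 "-" "Mozilla/4.0" "-"
192.168.1.20 - - [08/Dec/2003:10:00:40 -0800] "GET /account HTTP/1.0" 200 800 "-" "curl/7.10" "SESSID=abc123"
10.0.0.7 - - [08/Dec/2003:10:20:00 -0800] "GET /x HTTP/1.0" 404 210 "-" "Mozilla/4.0" "-"
""".splitlines()
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" "([^"]*)"$')

def parse(line):
    """Event provider: one log line -> one Request-style event (ip, time, status, cookie)."""
    ip, ts, status, cookie = LINE_RE.match(line).groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(status), "cookie": None if cookie == "-" else cookie}

class RepeatedFailedAccess:
    """Counting scenario: one instance per /24 subnet, with the slide's three integer parameters."""
    def __init__(self, threshold=3, alert_freq=2, inactivity_timeout=timedelta(minutes=10)):
        self.threshold, self.alert_freq, self.timeout = threshold, alert_freq, inactivity_timeout
        self.instances = {}  # subnet -> (failure count, time of last failure)
    def feed(self, ev):
        if not 400 <= ev["status"] < 500:          # the transition fires only on client errors
            return None
        subnet = ".".join(ev["ip"].split(".")[:3]) + ".0/24"
        count, last = self.instances.get(subnet, (0, ev["time"]))
        if ev["time"] - last > self.timeout:        # inactivity_timeout: the stale instance is discarded
            count = 0
        count += 1
        self.instances[subnet] = (count, ev["time"])
        over = count - self.threshold               # alert at threshold, then every alert_freq failures
        hit = over == 0 or (over > 0 and over % self.alert_freq == 0)
        return f"repeated failed access from {subnet} ({count} client errors)" if hit else None

class CookieStealing:
    """Binds a session cookie to the IP that first presented it; use from another IP is an alert."""
    def __init__(self):
        self.owner = {}
    def feed(self, ev):
        first = self.owner.setdefault(ev["cookie"], ev["ip"]) if ev["cookie"] else ev["ip"]
        return None if first == ev["ip"] else f"cookie {ev['cookie']} bound to {first} reused by {ev['ip']}"

def run(lines, scenarios):  # STATcore-style loop: each parsed event is offered to every scenario
    return [a for ev in map(parse, lines) for a in (s.feed(ev) for s in scenarios) if a]
```

With the defaults, the 10.0.0.0/24 counter alerts at the third and fifth client error, the cookie reuse from 192.168.1.20 is reported, and the failure twenty minutes later starts a fresh counter instead of alerting.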
- WebSTAT
  - Buffer Overflow Scenario
    - The presence of binary data in a request, or an extremely long request, is treated as an attempt to exploit a buffer overflow
    - Network-level and application-level buffer overflow detection
    - Examines the web server logs and the actual client requests
    - If binary data is found at the network level and there is no matching entry in the server log, the attack is successful
  - Document Root Escape Attack
    - Illicit access to a file outside the web server's document root
    - Examines the web server log and OS audit records to detect file system access violations
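An added Python sketch (not the paper's code) of the two-stream Buffer Overflow scenario just described: a network-level view of each request line is correlated with the server's own access log, and a binary or oversized request that the server never logs is reported as a possible successful overflow, while one the server did log is reported as a handled attempt. The event tuples, the 512-byte length limit and the 5-second matching window are constructed assumptions; the Document Root Escape scenario is not covered.

```python
from datetime import datetime, timedelta

# Constructed events for the two streams (not the paper's data): a sniffer's view of the raw
# request line, and the web server's own access log. Naive timestamps, one clock for both.
T0 = datetime(2003, 12, 8, 10, 0, 0)
NET_EVENTS = [  # (time, client ip, raw request line as seen on the wire)
    (T0, "10.0.0.5", b"GET /index.html HTTP/1.0"),
    (T0 + timedelta(seconds=2), "10.0.0.8", b"GET /cgi-bin/" + b"A" * 600 + b" HTTP/1.0"),
    (T0 + timedelta(seconds=3), "10.0.0.9", b"GET /search?q=\x00\xff\xfe\x01 HTTP/1.0"),
    (T0 + timedelta(seconds=4), "10.0.0.5", b"GET /about.html HTTP/1.0"),
]
LOG_EVENTS = [  # (time, client ip, request line as the server logged it)
    (T0, "10.0.0.5", "GET /index.html HTTP/1.0"),
    (T0 + timedelta(seconds=2), "10.0.0.8", "GET /cgi-bin/" + "A" * 600 + " HTTP/1.0"),
    (T0 + timedelta(seconds=4), "10.0.0.5", "GET /about.html HTTP/1.0"),
]

def is_suspicious(raw, max_len=512):
    """Transition assertion from the slide: binary data, or an extremely long request (assumed limit)."""
    return len(raw) > max_len or any(b < 0x20 or b > 0x7e for b in raw.rstrip(b"\r\n"))

def buffer_overflow_scenario(net_events, log_events, window=timedelta(seconds=5)):
    """Two-stream analysis: a suspicious network-level request enters a pending state and waits for
    the server's log entry; if none arrives within the window the server never logged it."""
    merged = sorted([(t, "net", ip, raw) for t, ip, raw in net_events] +
                    [(t, "log", ip, req) for t, ip, req in log_events],
                    key=lambda e: (e[0], e[1] != "net"))  # same instant: wire event first
    pending, alerts = {}, []

    def expire(now):  # timeout transition for every pending instance older than the window
        for key, t in list(pending.items()):
            if now - t > window:
                alerts.append(f"{key[0]}: binary/oversized request at {t:%H:%M:%S} never logged "
                              "by the server (possible successful overflow)")
                del pending[key]

    for t, stream, ip, data in merged:
        expire(t)
        if stream == "net" and is_suspicious(data):
            pending[(ip, data.decode("latin-1"))] = t
        elif stream == "log" and pending.pop((ip, data), None) is not None:
            alerts.append(f"{ip}: binary/oversized request at {t:%H:%M:%S} was logged by the server "
                          "(attempt handled by the server)")
    expire(merged[-1][0] + window + timedelta(seconds=1))  # end of both streams: flush what is left
    return alerts
```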
- WebSTAT Evaluation
  - Web server: Pentium IV 1.8 GHz, RedHat 8.0, Apache
  - Clients: Pentium IV 1.8 GHz, RedHat 8.0
  - Network: Intel EtherExpress 10/100 Ethernet cards, 100BaseT full-duplex, Cisco Catalyst 3500 XL switch
  - Measurement: average throughput and response times of the web server with and without WebSTAT running on the server
  - Result: with WebSTAT, slightly lower throughput; no change in response time
- WebSTAT
  - Conclusions
    - WebSTAT operates on multiple event streams
    - Supports more effective detection of web-based attacks with a reduced number of false positives
    - Intrusion detection can be performed on high-performance servers in real time