A Stateful Intrusion Detection System for World-wide Web Servers - PowerPoint PPT Presentation

Provided by: Janap1
Learn more at: http://sce.uhcl.edu
Transcript and Presenter's Notes

1
A Stateful Intrusion Detection System for World-wide Web Servers
  • Vigna G, Robertson W, Kher V, Kemmerer R
  • Department of Computer Science, UC Santa Barbara
  • 19th Annual Computer Security Applications Conference
  • December 08 - 12, 2003, Las Vegas, Nevada

2
Stateful IDS for Web Servers (Vigna G et al., 2003)
  • Introduction
    • Motivation
      • Large number of web servers
      • Continuous disclosure of vulnerabilities in web servers, which are popular targets
      • 2001-2002: 23 computer vulnerabilities were web related

3
  • Introduction
    • Intrusion Detection Systems (IDS)
      • Analyse input streams for manifestations of attacks
      • Stateless
        • Examines each event in the input stream independently
      • Stateful
        • Considers relationships between events and detects attacks based on event histories

4
  • Introduction
    • IDS
      • Network-based
        • Monitors network traffic and events
        • Does not consider application-level logic
        • Cannot detect attacks that depend on the configuration of the server application
      • Application-based
        • Processes the different stages of a client request
        • IDS is tightly coupled to the web server and visible
        • Performance of the web server is impacted

5
  • Introduction
    • IDS
      • Anomaly detection
        • Models of normal behavior
        • Compares log data with the normal models to detect abnormal patterns/activity
        • Detects previously unknown attacks
        • Large number of false positives

6
  • Introduction
    • IDS (Intrusion Detection System)
      • Misuse detection
        • Models of attack descriptions
        • Compares audit data with the modeled attacks for evidence of an attack
        • Detects only attacks that are modeled
        • Focused analysis for attack detection
        • Fewer false positives, so more popular

7
  • Introduction
    • Current IDS - limitations
      • Simple pattern matching of HTTP requests
      • Buffer overflows not detected
      • Attacks involving multiple steps cannot be modeled
      • Only detect trends in large sets of web-related events
      • Focus on a single event stream (network log or server application log)
      • Do not maintain histories of web requests

8
  • WebSTAT (IDS)
    • Based on the STAT framework (State Transition Analysis Technique)
    • Complex multi-step attacks can be modeled using the STATL language
    • Performs integrated analysis of multiple event streams (network and OS events/logs)
    • Modular, multithreaded
    • Application-independent runtime with components that deal with specific application domains
    • More effective detection with fewer false positives

9
  • STAT framework
    • Models attacks as transitions between security states of a system
    • Supported by the STATL modeling language
  • STATL
    • Describes events and attack scenarios with their relevant variables, e.g. the source of an HTTP request
    • Events are defined by subclassing specific C++ classes of the STAT framework
    • Classes are encapsulated in language extension modules and compiled into DLLs
    • Events are then used in scenario descriptions, which are again compiled into DLLs

10
STATL
  [Figure: an Attack Scenario as a state-transition diagram. A Transition leads from State A to State B and is triggered by an Action/Event (e.g. opening a TCP connection, execution of a CGI script); each state is a System Snapshot; a Transition Assertion constrains the transition (e.g. specifying the port or parameters).]
11
Transitions (each diagram shows State A leading to State B)
  • Non-consuming: both states remain active
  • Consuming: only the destination state remains valid
  • Unwinding: rollback to the previous state
12
  • STATL
    • STATcore is the runtime for STATL
    • The core implements the concepts of state, transition, instance, etc.
    • Obtains events from logs/audits and matches them against actions, transitions and attack scenarios

  [Figure: Events/logs are read by an Event Provider, which converts them to STAT events and passes them to STATcore; the translated STATL extension is incorporated into STATcore, which performs the Attack Scenario Analysis.]
13
  • WebSTAT
    • Language extension module that defines web-specific events
    • Event provider that parses web server logs and generates the corresponding events
    • Modules for network and OS events
    • A number of STATL scenarios to detect attacks against web servers
    • Response modules to generate alerts

14
WebSTAT

    class Request : public STAT_Event {  // web-specific event derived from the STAT framework's event base class
    public:
        string request;         // the request line
        string userAgent;       // the User-Agent header
        string encodedRequest;  // the request in its encoded form
    };
15
WebSTAT
16
  • WebSTAT
    • Counting scenario pattern
      • Integer parameters: threshold, alert_freq, inactivity_timeout

17
18
  • WebSTAT
    • Web Crawler Scenario
      • A file specifies which User-Agents are allowed
    • Pattern Matching Scenario
      • Detects attacks embedded in the URL by pattern matching against a list of regular expressions
    • Repeated Failed Access Scenario
      • Checks for multiple client errors. A counter records the number of times a failed request originated from a subnet
    • Cookie Stealing Scenario
      • Records the initial use of a session cookie by a remote client by mapping the cookie to an IP address.
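
The counting scenario pattern (threshold, alert_freq, inactivity_timeout) applied to the Repeated Failed Access scenario above, as an added example that is not WebSTAT's own code: one counter per client /24 subnet, fed with constructed Common Log Format lines. The exact semantics (alert when the count reaches threshold, then every alert_freq further failures; a counter idle longer than inactivity_timeout seconds starts over) are my reading of the slide, not taken from the paper.

```python
import re
from datetime import datetime
from ipaddress import ip_network

# Common Log Format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

# Constructed sample log (not from the paper): 10.0.0.0/24 produces five client
# errors within a minute, then one more after a long idle gap.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2003:13:55:00 -0700] "GET /cgi-bin/a HTTP/1.0" 404 209',
    '10.0.0.5 - - [10/Oct/2003:13:55:10 -0700] "GET /cgi-bin/b HTTP/1.0" 404 209',
    '10.0.0.9 - - [10/Oct/2003:13:55:20 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.9 - - [10/Oct/2003:13:55:30 -0700] "GET /admin HTTP/1.0" 403 209',
    '192.168.1.4 - - [10/Oct/2003:13:55:35 -0700] "GET /x HTTP/1.0" 404 209',
    '10.0.0.5 - - [10/Oct/2003:13:55:40 -0700] "GET /cgi-bin/c HTTP/1.0" 404 209',
    '10.0.0.5 - - [10/Oct/2003:13:55:50 -0700] "GET /cgi-bin/d HTTP/1.0" 404 209',
    '10.0.0.5 - - [10/Oct/2003:13:58:00 -0700] "GET /cgi-bin/e HTTP/1.0" 404 209',
]

class RepeatedFailedAccess:
    # Counting scenario with one counter per client /24 (my reading of the slide)
    def __init__(self, threshold=3, alert_freq=2, inactivity_timeout=60):
        self.threshold, self.alert_freq = threshold, alert_freq
        self.inactivity_timeout = inactivity_timeout
        self.counters = {}   # subnet -> [count, last_seen]
        self.alerts = []     # (subnet, count, timestamp)

    def feed(self, line):
        ip, ts, status = LOG_RE.match(line).groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        subnet = str(ip_network(f"{ip}/24", strict=False))
        c = self.counters.get(subnet)
        # inactivity_timeout: a counter idle for too long starts over
        if c is None or (when - c[1]).total_seconds() > self.inactivity_timeout:
            c = [0, when]
        if not 400 <= int(status) < 500:
            return                      # only client errors (4xx) are counted
        self.counters[subnet] = c
        c[0], c[1] = c[0] + 1, when
        # alert when the threshold is reached, then every alert_freq failures
        over = c[0] - self.threshold
        if over == 0 or (over > 0 and over % self.alert_freq == 0):
            self.alerts.append((subnet, c[0], ts))

def detect(lines, **params):
    ids = RepeatedFailedAccess(**params)
    for line in lines:
        ids.feed(line)
    return ids.alerts
```

With the defaults, the sample log yields alerts for 10.0.0.0/24 at counts 3 and 5; the final request arrives after the timeout and only restarts the counter.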

19
  • WebSTAT
    • Buffer Overflow Scenario
      • Presence of binary data in a request, or an extremely long request, indicates an attempt to exploit a buffer overflow
      • Network- and application-level buffer overflow detection
        • Examines web server logs and the actual client requests
        • If binary data is found at the network level and there is no matching entry in the server log, the attack was successful
    • Document Root Escape Attack
      • Illicit access to a file outside the web server's document root.
      • Examines web server logs and OS audit records to detect file system access violations
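
The two-stream correlation of the Buffer Overflow Scenario above, as an added example that is not WebSTAT's own code: requests observed at the network level are flagged when oversized or containing non-printable bytes, and a flagged request with no matching server-log entry is reported as possibly successful. Both event streams are constructed; MAX_LEN and the exact-match correlation on (client IP, request line) are my assumptions.

```python
import re

MAX_LEN = 512   # assumed request-line limit; the slides give no figure

# Constructed network-level observations (client IP, raw request line) and
# constructed Apache access-log lines; neither is from the paper.
NET_EVENTS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.0"),
    ("10.0.0.7", b"GET /cgi-bin/x HTTP/1.0"),
    ("10.0.0.7", b"GET /cgi-bin/" + b"A" * 600 + b" HTTP/1.0"),  # oversized, logged
    ("10.0.0.8", b"GET /scripts/\x00\x01\xff\xfe HTTP/1.0"),      # binary, never logged
]
SERVER_LOG = [
    '10.0.0.5 - - [10/Oct/2003:14:00:01 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.7 - - [10/Oct/2003:14:00:05 -0700] "GET /cgi-bin/x HTTP/1.0" 200 512',
    f'10.0.0.7 - - [10/Oct/2003:14:00:06 -0700] "GET /cgi-bin/{"A" * 600} HTTP/1.0" 414 0',
]

# client IP and the quoted request line of a Common Log Format entry
REQ_RE = re.compile(r'^(\S+) .*?"([^"]*)"')

def suspicious(raw: bytes):
    """Reason a request looks like an overflow attempt, or None if it looks benign."""
    if len(raw) > MAX_LEN:
        return "oversized"
    if any(b < 0x20 or b > 0x7E for b in raw):
        return "binary"
    return None

def correlate(net_events, server_log):
    """Match flagged network-level requests against the server's own log."""
    logged = set()
    for line in server_log:
        m = REQ_RE.match(line)
        if m:
            logged.add((m.group(1), m.group(2).encode("latin-1")))
    findings = []
    for ip, raw in net_events:
        reason = suspicious(raw)
        if reason is None:
            continue
        # seen on the wire but absent from the server log: the server never got
        # to log it, which the slide treats as a successful attack
        outcome = "attempt_logged" if (ip, raw) in logged else "possibly_successful"
        findings.append((ip, reason, outcome))
    return findings
```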

20
WebSTAT Evaluation
  • Web server: Pentium IV 1.8 GHz, RedHat 8.0, Apache
  • Clients: Pentium IV 1.8 GHz, RedHat 8.0
  • Network: Intel EtherExpress 10/100 Ethernet cards, 100BaseT full-duplex, Cisco Catalyst 3500 XL switch
  • Measurement: average throughput and response times of the web server with/without WebSTAT on the server
  • Result: with WebSTAT, slightly lower throughput; no change in response time
21
  • WebSTAT
    • CONCLUSIONS
      • WebSTAT operates on multiple event streams
      • Supports more effective detection of web-based attacks with a reduced number of false positives
      • IDS can be performed on high-performance servers in real time

22
THANKS !