A Stateful Intrustion Detection System for World-wide Web Servers - PowerPoint PPT Presentation

Loading...

PPT – A Stateful Intrustion Detection System for World-wide Web Servers PowerPoint presentation | free to view - id: 79ac31-ODY4M



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

A Stateful Intrustion Detection System for World-wide Web Servers

Description:

A Stateful Intrustion Detection System for World-wide Web Servers Vigna G, Robertson W, Kher V, Kemmerer R Department of Computer Science UC, Santa Barabara – PowerPoint PPT presentation

Number of Views:64
Avg rating:3.0/5.0
Slides: 23
Provided by: Jana229
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: A Stateful Intrustion Detection System for World-wide Web Servers


1
A Stateful Intrustion Detection System for
World-wide Web Servers
  • Vigna G, Robertson W, Kher V, Kemmerer R
  • Department of Computer Science
  • UC, Santa Barabara
  • 19th Annual Computer Security Applications
    Conference
  • December 08 - 12, 2003 Las Vegas, Nevada

2
Stateful IDS for Web Servers Vigna G et al.,
2003
  • Introduction
  • Motivation
  • Large number of web servers
  • Continuous disclosure of vulnerabilities in web
    servers popular targets
  • 2001-2002 - 23 computer vulnerabilities are web
    related

3
Stateful IDS for Web Servers Vigna G et al.,
2003
  • Introduction
  • Intrusion Detection Systems (IDS)
  • Analyse input streams for manifestation of attack
  • Stateless
  • Examines each event in the input stream
    independently
  • Stateful
  • Considers relationships between events and detect
    attacks based on event-histories

4
Stateful IDS for Web Servers Vigna G et al.,
2003
  • Introduction
  • IDS
  • Network-based
  • Monitors network traffic, events
  • Do not consider application-level logic
  • Cannot detect attacks based on configuration of
    the server-application
  • Application-based
  • Process different stages of client request
  • IDS tightly coupled to web server and visible
  • Performance of web server impacted

5
Stateful IDS for Web Servers Vigna G et al.,
2003
  • Introduction
  • IDS
  • Anomaly detection
  • Models of normal behavior
  • Compares log data with normal models to detect
    abnormal pattern/activity
  • Detect previously unknown attacks
  • Large number of false positives

6
Stateful IDS for Web Servers Vigna G et al.,
2003
  • Introduction
  • IDS (Intrusion Detection System)
  • Misuse detection
  • Models of attack descriptions
  • Compares with audit data with modeled attack for
    evidence of attack
  • Detect only attacks that are modeled
  • Focused analysis for attack detection
  • Less false positives so more popular

7
Stateful IDS for Web Servers Vigna G et al.,
2003
  • Introduction
  • Current IDS - limitations
  • Simple pattern matching of HTTP requests
  • Buffer overflows not detected
  • Attacks involving multiple steps cannot be
    modeled
  • Only detect trends in large sets of web-related
    events
  • Focuses on single event stream (network log or
    server application log)
  • Do not maintain histories of web requests

8
Stateful IDS for Web Servers Vigna G et al.,
2003
  • WebSTAT (IDS)
  • Based on STAT framework (State-Transition
    Analysis Technique)
  • Complex multi-step attacks can be modeled using
    STATL language
  • Performs integrated analysis of multiple event
    streams, Network and OS events/logs
  • Modular, MultiThreaded
  • Application independent runtime with components
    that deal with specific application domains
  • More effective detection with less false positives

9
Stateful IDS for Web Servers Vigna G et al.,
2003
  • STAT framework
  • Models attacks as transitions between security
    states of a system
  • Supported by STATL modeling language
  • STATL
  • Describe Events, Attack Scenarios with relevant
    variables eg source of HTTP request
  • Events defined by subclassing specific C
    classes of STAT framework
  • Classes encapsulated in language extension
    modules and compiled into DLLs
  • Events are then used in Scenario description,
    which again are compiled into DLLs

10
Stateful IDS for Web Servers Vigna G et al.,
2003
STATL
Attack Scenario
Transition
State A
State B
Action/Event
Opening TCP conn. Execution of CGI script
System Snapshot
Transition Assertion eg specify port,
parameters
11
Stateful IDS for Web Servers Vigna G et al.,
2003
Transitions
Non-consuming Both states active
State A
State B
Consuming Only destination state valid
State A
State B
Unwinding Rollback to previous state
State A
State B
12
Stateful IDS for Web Servers Vigna G et al.,
2003
  • STATL
  • STATcore is the runtime for STATL
  • Core implements the concepts of state,
    transition, instance, etc
  • Obtains events from logs/audits and matches with
    actions, transitions and attack scenarios

Events/logs
STATcore
Event Provider
incorporate
Convert to STAT events
Translate STATL extension
Attack Scenario Analysis
13
Stateful IDS for Web Servers Vigna G et al.,
2003
  • WebSTAT
  • Language extension module that defines
    web-specific events
  • Event provider that parses web server logs and
    generates corresponding events
  • Modules for Network, OS events
  • A number of STATL scenarios to detect attacks
    against web servers
  • Response modules to generate alerts

14
Stateful IDS for Web Servers Vigna G et al.,
2003
WebSTAT Class Request public
STAT_Event public string request string
userAgent string encodedRequest
15
Stateful IDS for Web Servers Vigna G et al.,
2003
WebSTAT
16
Stateful IDS for Web Servers Vigna G et al.,
2003
  • WebSTAT
  • Counting scenario pattern
  • Integer parameters threshold, alert_freq,
    inactivity_timeout

17
Stateful IDS for Web Servers Vigna G et al.,
2003
18
Stateful IDS for Web Servers Vigna G et al.,
2003
  • WebSTAT
  • Web Crawler Scenario
  • file to specify which User-Agents are allowed
  • Pattern Matching Scenario
  • Detect attacks embedded in URL using pattern
    matching comparing with a list of regular
    expressions
  • Repeated Failed Access Scenario
  • Checks multiple client errors. Counter records
    number of times a failed request originated from
    a subnet
  • Cookie Stealing Scenario
  • Records initial use of session cookie by a remote
    client by mapping cookie to an IP address.

19
Stateful IDS for Web Servers Vigna G et al.,
2003
  • WebSTAT
  • Buffer Overflow Scenario
  • Presence of binary data in a request or an
    extremely long request are attempts to exploit
    buffer overflow
  • Network and application-level buffer overflow
    detection
  • Examine Web server logs and actual client
    requests
  • If binary data found at network-level and no
    matching entry in server log, attack is
    successful
  • Document Root Escape Attack
  • Illicit access to a file outside web servers
    root.
  • Examine Web server log and OS audit records to
    detect file system access violations

20
Stateful IDS for Web Servers Vigna G et al.,
2003
WebSTAT Evaluation Web server pentium IV -
1.8 GHz, OS RedHat 8.0, Apache Clients
pentium IV - 1.8 GHz, OS RedHat 8.0
Network card Intel EtherExpress 10/100 Ethernet
cards 100BaseT full-duplex , cisco catalyst
3500 XL switch Measurement Average
throughput, response times of web servers
with/without WebSTAT on server. With WebSTAT
slightly lower throughput No change in
response time
21
Stateful IDS for Web Servers Vigna G et al.,
2003
  • WebSTAT
  • CONCLUSIONS
  • WebSTAT operates on multiple event streams
  • Supports more effective detection of web-based
    attacks, reduced no. of false positives
  • IDS can be performed in high performance servers
    in real-time

22
THANKS !
About PowerShow.com