Research Topics in Network Security, Secure E-Commerce and Temporal Databases
Peng Ning
CSC 600, Fall 2001 (Friday, 10/26/2001)

Web Resource
Details can be found at http://www.csc.ncsu.edu/faculty/ning/research.html

Outline
- Intrusion Detection
  - Abstraction-based Intrusion Detection
  - Decentralized Detection of Distributed Attacks
  - Correlating Alerts Using Prerequisites of Intrusions
- Secure E-Commerce Applications
  - Reliable Fair Exchange Protocols
- Temporal Databases and Data Mining
  - Calendar Algebra
  - Multiple Granularity Support in Temporal Databases and Data Mining

Abstraction-based Intrusion Detection

What Is Intrusion Detection
- Intrusion: a set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource
- Intrusion detection: the process of identifying and responding to intrusion activities

Why Do We Need Intrusion Detection?
- Approaches to protecting information systems:
  - Prevention (e.g., encryption, authentication, access control): fails to fully protect our systems because of flaws in design and development processes
  - Detection & Response: a second line of defense, and a better understanding of the security of information systems

What Is Abstraction
- By Webster's New World Dictionary of American English: the formation of an idea, as of the qualities or properties of a thing, by mental separation from particular instances or material objects.
- In intrusion detection, abstraction is important to:
  - hide the differences between heterogeneous systems
  - hide unnecessary details

Current Situation
- Problems:
  - Abstraction is treated as a preparation process
  - Abstraction is an error-prone process
  - Not enough system support
- What we need:
  - Abstraction as a dynamic process
  - System support for abstraction

A Hierarchical Framework for Abstraction and Intrusion Detection
- Essential concepts:
  - System view: what is the essential information
  - Signature: what is the pattern that we care about, related to the essential information (i.e., system views)
  - View definition: how, and with what, do we provide the essential information

Make It a Dynamic Process
- Abstraction is an on-going process.
- Abstracted attacks: TCPDOSAttacks
- Known specific attacks: Teardrop, Land, SYN flooding, Ping of Death

Make It a Dynamic Process (Cont'd)
- A hierarchical framework for event abstraction and attack specification (diagram linking the signature for TCPDOSAttacks, the signatures for SYN flooding, Ping of Death, Land and Teardrop, the signature for TCP packets, the IPPacket and TCPPacket views, and view definitions 1 to 5)

Decentralized Detection of Distributed Attacks
- Centralized approach: limited scalability
- Hierarchical approach (diagram: an attack involving hosts A and B)
- Decentralized approach (diagram: an attack involving hosts A and B)

Dependency between the Events in a Signature
- Diagram of a three-event signature:
  - n1: system view SysView1; assignment var_IP := VictimIP, var_Port := VictimPort; timed condition True
  - n2 (system view SysView2) and n3 (system view SysView3), with a "younger" edge from n1 and an "equal" edge between them, carry the assignment var_SrcIP := SrcIP, var_SrcPort := SrcPort, var_DstIP := DstIP, var_DstPort := DstPort and the timed conditions "SrcIP = var_SrcIP and SrcPort = var_SrcPort and DstIP = var_DstIP and DstPort = var_DstPort" and "SrcIP = var_IP and (SrcPort = var_Port or var_Port = -1) and LocalIP[e.begin_time](DstIP) and Trust[e.begin_time](var_IP)"

Workflow Tree
- Diagram: a tree over the nodes n1 to n5
- The nodes are all the events in the signature
- The edges satisfy the following conditions: given two events n1 and n2 in the signature, n2 is a descendant of n1 if n1 requires n2, and there exists a subtree that contains all and only the positive events in the signature

Detecting the Mitnick Attack
- Diagram: detection tasks n1, n2 and n3 placed on the network monitor, host A and host B, each host supplying its local TCP connections; variable values and timestamps flow between the tasks according to the workflow tree (other labels: TCPDOSAttack events)

CARDS: An Experimental System
- Coordinated Attacks Response & Detection System (CARDS)
- A prototype system for abstraction-based intrusion detection
- Three kinds of components:
  - Signature managers: generate and decompose specific signatures
  - Monitors: cooperatively detect attacks
  - Directory service: system-wide information

CARDS Architecture
- Diagram: signature managers retrieve information from the directory service and distribute detection tasks to the monitors; monitors register with the directory service, use probes on the target systems, and detect attacks

Correlating Alerts Using Prerequisites of Intrusions

Motivation
- Current IDSs focus on detecting low-level security-related events:
  - Large number of alerts
  - Large number of false alerts
  - Low-level alerts are presented independently, though there may be logical steps or intrusion strategies behind them
  - Unable to detect novel or unknown attacks

Observation
- Attacks are not isolated. Earlier stages of a series of attacks usually prepare for the later stages.
- Examples:
  - IP sweep: discover what hosts are accessible from the network
  - Port scanning: discover what services are provided by each host
  - Network-borne buffer overflow attack: try to gain additional privileges (remote to user, user to root, etc.)
  - Installation of a Trojan horse program: prepare for later attacks
  - Modification of system configuration: try to create backdoors for later attacks

Correlating Alerts Using Prerequisites of Attacks
- The approach:
  - Identify the prerequisites and the impacts of attacks
    - Example: Sadmind buffer overflow attack. Prerequisite: vulnerabilities exist in the Sadmind service. Impact: the attacker may gain root access.
  - Correlate attacks by matching the prerequisites of later attacks with the impacts of earlier ones
- Challenges:
  - The attackers do not have to get all the information by attacks
  - The intrusion detection systems may miss some attacks
  - There are false alarms
  - Identifying the prerequisites and impacts of attacks is a knowledge engineering process and requires substantial work
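The matching step described above (instantiate each alert's prerequisites and impacts from its attributes, then link a later alert to an earlier one whose impact supplies one of its prerequisites), as an added Python example; it is not code from the slides or from the authors' correlation system. The alert types, predicate names, attribute names and the alert stream are constructed for illustration (the Sadmind pairing follows the slide; the others are this example's choices), and grouping the linked alerts into connected components is this example's way of showing how uncorrelated alerts stand out.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# An instantiated predicate such as ("ExistHost", ("10.0.0.7",)); a template
# names the predicate and the alert attributes its arguments are taken from.
Fact = Tuple[str, Tuple[str, ...]]
Template = Tuple[str, Tuple[str, ...]]


@dataclass(frozen=True)
class AlertType:
    name: str
    prerequisites: Tuple[Template, ...]
    impacts: Tuple[Template, ...]


@dataclass(frozen=True)
class Alert:
    id: int
    kind: AlertType
    time: int
    attrs: Tuple[Tuple[str, str], ...]

    def facts(self, templates: Tuple[Template, ...]) -> Set[Fact]:
        """Instantiate predicate templates with this alert's attribute values."""
        values = dict(self.attrs)
        return {(pred, tuple(values[n] for n in names)) for pred, names in templates}


# Constructed alert types; predicate and attribute names are this example's choices
IP_SWEEP = AlertType("IPSweep", (), (("ExistHost", ("dst",)),))
PORT_SCAN = AlertType("PortScan", (("ExistHost", ("dst",)),), (("ExistService", ("dst", "service")),))
SADMIND_BOF = AlertType("SadmindBOF", (("ExistService", ("dst", "service")),), (("GainRoot", ("dst",)),))
TROJAN_INSTALL = AlertType("TrojanInstall", (("GainRoot", ("dst",)),), (("TrojanInstalled", ("dst",)),))


def correlate(alerts: List[Alert]) -> List[Tuple[int, int, Fact]]:
    """Link alert B to an earlier alert A when an impact of A equals a prerequisite of B.
    Returns (earlier_id, later_id, matched_fact) triples in time order."""
    ordered = sorted(alerts, key=lambda a: (a.time, a.id))
    edges: List[Tuple[int, int, Fact]] = []
    for j, later in enumerate(ordered):
        needed = later.facts(later.kind.prerequisites)
        if not needed:
            continue
        for earlier in ordered[:j]:
            if earlier.time >= later.time:      # the impact must strictly precede the prerequisite
                continue
            for fact in sorted(needed & earlier.facts(earlier.kind.impacts)):
                edges.append((earlier.id, later.id, fact))
    return edges


def scenarios(alerts: List[Alert], edges: List[Tuple[int, int, Fact]]) -> List[List[int]]:
    """Connected components of the correlation graph. Components with several alerts
    are candidate attack scenarios; singletons are alerts that nothing prepared for
    and nothing followed, which is where false alarms tend to sit."""
    adjacent: Dict[int, Set[int]] = defaultdict(set)
    for a, b, _ in edges:
        adjacent[a].add(b)
        adjacent[b].add(a)
    seen: Set[int] = set()
    components: List[List[int]] = []
    for alert in sorted(alerts, key=lambda a: a.id):
        if alert.id in seen:
            continue
        stack, component = [alert.id], []
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.append(node)
            stack.extend(adjacent[node] - seen)
        components.append(sorted(component))
    return components


# Constructed alert stream (private-range addresses, invented timestamps)
SAMPLE_ALERTS = [
    Alert(1, IP_SWEEP, 1, (("dst", "10.0.0.7"),)),
    Alert(2, PORT_SCAN, 2, (("dst", "10.0.0.7"), ("service", "sadmind"))),
    Alert(3, SADMIND_BOF, 3, (("dst", "10.0.0.7"), ("service", "sadmind"))),
    Alert(4, TROJAN_INSTALL, 4, (("dst", "10.0.0.7"),)),
    Alert(5, PORT_SCAN, 5, (("dst", "10.0.0.9"), ("service", "sadmind"))),    # no sweep was seen first
    Alert(6, SADMIND_BOF, 6, (("dst", "10.0.0.9"), ("service", "sadmind"))),
    Alert(7, SADMIND_BOF, 7, (("dst", "10.0.0.20"), ("service", "sadmind"))), # nothing prepares for it
]


def demo() -> Tuple[List[Tuple[int, int, Fact]], List[List[int]]]:
    edges = correlate(SAMPLE_ALERTS)
    return edges, scenarios(SAMPLE_ALERTS, edges)


if __name__ == "__main__":
    found_edges, found_scenarios = demo()
    for earlier, later, fact in found_edges:
        print(f"alert {earlier} -> alert {later} via {fact}")
    print("scenarios:", found_scenarios)
```

On the constructed stream, alerts 1 to 4 chain into one four-step scenario; alerts 5 and 6 still form a two-step chain even though no IP sweep preceded the port scan, which is the slide's point that attackers need not obtain every piece of information through a detectable attack and that the IDS may miss steps; alert 7 stays isolated and is the kind of alert an analyst would examine as a possible false alarm.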
Reliable Fair Exchange Protocols

What Is Fair Exchange
- Data exchange is usually the crux of an e-transaction
- Applications: electronic payment systems, certified mail, contract signing, non-repudiation of message transmission

What Is Fair Exchange (Cont'd)
- Problem: exchange items between mutually distrusting parties
- An exchange is fair if, at the end of the exchange, either each player receives the item it expects or neither player receives any additional information about the other's item

Popular Fair Exchange Protocols
- Exchange protocols that use a Trusted Third Party (TTP) (diagram: A and B communicate over the normal channel, and each has a trusted channel to the TTP)
  - Exchange with on-line TTPs
  - Exchange with off-line TTPs
- Gradual exchange protocols

What Is the Current Problem?
- System failure: fairness cannot be assured if there is a system failure during an exchange
- Our goal is to systematically survive system failures

Our Solutions
- Distributed transaction processing
  - A transaction is a sequence of operations that either commits or aborts
  - Atomicity can mask all the failures that may happen during the execution of a transaction
- Message logging
  - Pessimistic message logging: ensures fairness, but costs too much
  - Optimistic message logging: cheaper, but cannot ensure fairness
  - Semantics-based message logging: exploits exchange semantics to reduce logging costs without losing fairness
  - Point of no return

Calendar Algebra

Why Do We Need Calendar Algebra
- Applications need a flexible way to represent and reason about time granularities
- Examples:
  - A manager wants to know the sales data for this business month (or this Christmas season)
  - A secretary needs to arrange a meeting on the first business day of next month
  - Thanksgiving Day is the fourth Thursday in November
Calendar Algebra Goals
- Can generate granularities from a single "bottom granularity"
- Reflect the ways that people construct new granularities from existing ones
- Provide the ability for people to add/change granularities in the system

Calendar Algebra by Examples
- Grouping operation: week = Group_7(day), with group size 7 and the anchor at day 1 (diagram: days ..., -1, 0, 1, 2, ..., 7, 8, 9, ..., 14, ... grouped into weeks ..., 0, 1, 2, ...)

Calendar Algebra by Examples (cont'd)
- Altering-tick operation: WeirdWeek = Alter(day, week) with parameters 2, 3 and 1, labelled period, alteration and anchor in the diagram (diagram: the ticks of week and of WeirdWeek laid over days 1 to 21)
- Examples: to define month on the basis of day (9 operations):
  - Group granularity day into 31-day groups
  - For every 12 groups, shrink the 2nd by 3 days
  - For every 12 groups, shrink the 4th by 1 day
  - ...

Calendar Algebra by Examples (cont'd)
- Shifting operation: USEast-Hour = Shift_5(GMT-Hour) (diagram: USEast-Hour 0, 1, ..., 5, ..., 10, ..., 15 lines up with GMT-Hour 5, 6, ..., 10, ..., 15, ..., 20)

Calendar Algebra by Examples (cont'd)
- Combining operation: a business month can be formed by combining all business days within each month: b-month = Combine(month, b-day) (diagram: b-month, month and b-day ticks)

Calendar Algebra by Examples (cont'd)
- Anchored grouping operation: each academic year starts from the last Monday of August and ends the day before the next academic year: AcademicYear = Anchored-group(day, lastMondayOfAugust) (diagram: AcademicYear, day and lastMondayOfAugust ticks)

Calendar Algebra by Examples (cont'd)
- Subset operation: the years in the 20th century are the years from 1900 to 1999.
  20CenturyYear = Subset_1900^1999(year) (diagram: years ..., 1899, 1900, ..., 1999, 2000, ...; 20CenturyYear keeps 1900, ..., 1999)

Calendar Algebra by Examples (cont'd)
- Selecting operations: Select-down, Select-up, Select-by-intersect
  - USThanksgiving = Select-down(Thursday, November) with parameters 1 and 4 (the fourth Thursday)
  - ThanxWeek = Select-up(week, USThanksgiving)
  - FirstWeekOfMonth = Select-by-intersect(week, month) with parameters 1 and 1

Calendar Algebra by Examples (cont'd)
- Set operations:
  - WeekendDay = Sunday ∪ Saturday
  - BlackFriday = 13thDayOfMonth ∩ Friday
  - BusinessDay = Weekday − FederalHoliday

Temporal Data Mining

Calendar-based Patterns
- Calendar-based patterns are patterns described in terms of calendar units (e.g., year, month, day, etc.)
- Examples:
  - Every Monday and Tuesday
  - Every first Monday of every month
  - Every Thanksgiving Day

Applications of Calendar Patterns to Data Mining
- Discovery of event patterns that can be directly described by calendar-based patterns
- Temporal association rules. Example: turkey and pumpkin pie are frequently sold together in the week before Thanksgiving.

Web Resources
http://www.csc.ncsu.edu/faculty/ning/
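The grouping, altering-tick, shifting and subset operations above, and the 9-operation construction of month from day, as an added Python example; it is not the slides' or the calendar algebra's own implementation. The representation (a periodic sequence of granule lengths anchored at granule 0), the 1-based position convention for altering ticks, the decision to anchor month 0 at January of a year divisible by 400, and the re-labelling of years by a shift are this example's assumptions; the operation names follow the slides, but the parameter order here is not necessarily the algebra's.

```python
from dataclasses import dataclass
from math import lcm
from typing import Optional, Tuple


@dataclass(frozen=True)
class Granularity:
    """A granularity built from a bottom granularity (day unless stated otherwise).

    `sizes` is the periodic sequence of granule lengths in bottom granules;
    granule 0 starts at bottom index `offset`, later granules follow in order,
    and negative indices extend the pattern backwards.  `bounds` restricts the
    valid indices (used by Subset); None means unbounded.
    """
    sizes: Tuple[int, ...]
    offset: int = 0
    bounds: Optional[Tuple[int, int]] = None

    def granule(self, i: int) -> Optional[Tuple[int, int]]:
        """Inclusive [lo, hi] range of bottom indices covered by granule i, or None."""
        if self.bounds is not None and not (self.bounds[0] <= i <= self.bounds[1]):
            return None
        q, r = divmod(i, len(self.sizes))        # floor division keeps negative i correct
        start = self.offset + q * sum(self.sizes) + sum(self.sizes[:r])
        return (start, start + self.sizes[r] - 1)

    def length(self, i: int) -> Optional[int]:
        g = self.granule(i)
        return None if g is None else g[1] - g[0] + 1


def bottom() -> Granularity:
    return Granularity((1,))


def group(m: int, g: Granularity) -> Granularity:
    """Group_m(G): granule i of the result is the union of G granules m*i .. m*i+m-1."""
    p = len(g.sizes)
    new_p = lcm(p, m) // m
    sizes = tuple(sum(g.sizes[(j * m + t) % p] for t in range(m)) for j in range(new_p))
    return Granularity(sizes, g.offset)


def alter(period: int, position: int, delta: int, g: Granularity) -> Granularity:
    """Altering tick (this example's convention): in every `period` consecutive
    granules counted from granule 0, grow the `position`-th one (1-based) by
    `delta` bottom granules; a negative delta shrinks it."""
    p = len(g.sizes)
    new_p = lcm(p, period)
    sizes = tuple(g.sizes[j % p] + (delta if j % period == position - 1 else 0)
                  for j in range(new_p))
    return Granularity(sizes, g.offset)


def shift(k: int, g: Granularity) -> Granularity:
    """Shift_k(G): granule i of the result is G's granule i + k (G must be unbounded)."""
    p = len(g.sizes)
    sizes = tuple(g.sizes[(j + k) % p] for j in range(p))
    return Granularity(sizes, g.granule(k)[0])


def subset(lo: int, hi: int, g: Granularity) -> Granularity:
    """Subset_lo^hi(G): only granules lo .. hi of G remain defined."""
    return Granularity(g.sizes, g.offset, (lo, hi))


def gregorian_month() -> Granularity:
    """The slides' 9-operation definition of month from day: 31-day groups, then
    altering ticks for the short months, leap years and the century rules.
    Month 0 is anchored at January of a year divisible by 400 (constructed choice)."""
    m = group(31, bottom())                # 1: 31-day groups
    for pos in (4, 6, 9, 11):              # 2-5: April, June, September, November
        m = alter(12, pos, -1, m)
    m = alter(12, 2, -3, m)                # 6: February
    m = alter(48, 2, +1, m)                # 7: every 4th year February gains a day
    m = alter(1200, 2, -1, m)              # 8: ...except every 100th year
    m = alter(4800, 2, +1, m)              # 9: ...except every 400th year
    return m


WEEK = group(7, bottom())                  # week = Group_7(day)
MONTH = gregorian_month()
YEAR = group(12, MONTH)
CAL_YEAR = shift(-2000, YEAR)              # granule index == calendar year (anchor year 2000)
C20_YEAR = subset(1900, 1999, CAL_YEAR)    # 20CenturyYear = Subset_1900^1999(year)
USEAST_HOUR = shift(5, bottom())           # USEast-Hour = Shift_5(GMT-Hour), with hour as bottom
```

Every granule is computed from the periodic length pattern, so a 400-year cycle of months (4800 lengths) is enough to answer questions such as the day range of any month or whether a given year is a leap year, and a Subset simply makes indices outside its range return None.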