SSCI #1301
DARPA OASIS PI MEETING – Norfolk, VA - Feb 13-16, 2001
Intelligent Active Profiling for Detection and Intent
Inference of Insider Threat in Information Systems
Joao B. D. Cabrera and Raman K. Mehra
Scientific Systems Company, Inc.
Lundy Lewis
Aprisma Inc.
Wenke Lee
North Carolina State Univ.
SBIR Phase I
Topic No. SB002-039
Contract No. DAAH01-00-C-R027
Scientific Systems
Motivation
Network Management Systems and Security
* Large infrastructure already in place to perform
Network, System, and Applications Management.
* Building blocks: SNMP Management, RMON –
Standardized tools, widely utilized.
* COTS NMSs available that automate several functions:
Aprisma’s SPECTRUM Platform, HP’s OpenView, …
* Vendors offer NMS solutions integrated with Firewalls,
IDSs, Security Scanners, PKI Infrastructure, Anti-Virus
Software, etc.
Motivation (cont.)
* Management: Fault, Configuration, Accounting,
Performance, Security (FCAPS).
* NMSs provide a powerful capability for data collection
at several levels and time scales.
* Lot of emphasis on Fault, Configuration and
Performance – Several tools already available.
* Utilization of NMSs for Security not fully realized …
* Faults, Performance and Security cannot be studied
separately …
Motivation (cont.)
* A security breach may deteriorate performance and cause a
fault …
* A fault may render the system vulnerable to attacks …
* Deterioration of performance may make users impatient, and
more willing to violate security policies to get their jobs done.
Motivation (cont.)
* Many of the tools designed for Fault Management and
Security Monitoring can be adapted for Security
Management.
* Alarm Infrastructure already available – Tools to
monitor Information Systems and set Alarms
* The SSCI/Aprisma/NCSU team has investigated the use
of COTS NMS for the Detection of Precursors of
Distributed Denial-of-Service Attacks; Precursors were
found at the level of MIB traffic variables – Paper
available upon request.
Objective
Detecting and Responding to Insider Threats
* Objective: Investigate the application of NMSs for the
monitoring, detection and response of Security Violations
carried out by Insiders.
* Misuse/Intrusion Tolerance is achieved by having an
adequate and timely response.
* Technology: Statistical Pattern Recognition and AI for
the design of detectors and classifiers; Network
Management Systems for data collection and response
coordination.
* Approach: Utilize the Benchmark Problem for proof-of-concept studies; examine the applicability of NMSs and
peripherals for response.
Towards Adequate and Timely Response
Adequate:
1. High Accuracy – Few False Alarms, High Detection Rate.
2. Distinguish among attacks – Different attacks elicit
different types of response.
3. Distinguish faults from attacks.
Timely:
Detect the Attack before it is too late to respond.
Question 1: What threats/attacks are your project considering ?
* Insider Attacks: Password stealing, unauthorized
database access, email snooping, etc.
* For proof-of-concept purposes, we will be
investigating the Benchmark Problem of System Calls
made by Privileged Processes.
* However, the technologies and tools we are
developing are applicable to any situation in which the
observables are sequences of possibly correlated
categorical variables.
Question 2: What assumptions does your project make ?
1. Data sets corresponding to normal, malicious and faulty
behavior are available for the construction and testing of
detection schemes – Training Stage and Testing Stage.
2. The observables for normal, malicious and faulty
behavior are sequences of categorical variables.
3. Patterns of malicious activity exist, are detectable, and
are learnable by special purpose algorithms – to
investigate.
4. If 3. is possible, there is time to take preventive action
when malicious activity is detected – to investigate: we
may need to redesign the Alarming Infrastructure to
enable timely response.
Question 3: What policies can your project enforce ?
* If the detection system signals the presence of
malicious activity, a response will be triggered.
* For the specific case of the Benchmark Problem,
typical responses would be to kill the process, or delay
its execution until it times out.
* If the Intent Inference capability is achieved, the
response will be suited to the type and gravity of the
attack.
Benchmark Problem
Detect malicious activity by monitoring System
Calls made by Privileged Processes in Unix
* Originally suggested by C. Ko, G. Fink, and K. Levitt –
1994.
* Extensively studied by the UNM Group (S. Forrest and
others), starting with “A Sense of Self for Unix
Processes” – 1996.
* Programs: sendmail, lpr, ls, ftp, finger …
* Data sets are available for downloading.
* These data sets can be used for proof-of-concept studies
in the Phase I effort – there is data corresponding to faults
and data corresponding to multiple types of malicious
activities.
Benchmark Problem (cont.)
* Process: The sequence of calls –
Example: open, read, mmap, mmap, getrlimit, …
* Problem: Given data sets corresponding to normal processes
and abnormal processes, produce a scheme to distinguish
normal from abnormal.
* Sequences of correlated categorical variables –
representative of other problems in computer security – user
profiling, alarm correlations, etc.
* There are 182 possible system calls in SunOS 4.1.x …
* “Typical” sendmail processes make about 1,000 to 50,000
calls …
Benchmark Problem (cont.)
* UNM Finding: A relatively small dictionary of short
sequences (1318 sequences of length 10 for sendmail)
provides a very good characterization of normality for
several Unix processes.
* The dictionary is constructed using a Training Set of
Normal behavior.
* Sequences not belonging to this dictionary are called
abnormal sequences.
* Intrusions are detected if a process contains “too many”
abnormal sequences on a given interval – the Locality
Frame.
Benchmark Problem (cont.)
* A process is flagged as containing an intrusion if the
number of abnormal sequences inside at least one
Locality Frame is above a threshold.
Benchmark Problem (cont.)
* The UNM approach is very simple; however, other methods:
  - Data Mining (RIPPER)
  - Hidden Markov Models
lead to roughly the same results.
* Recent work by Lee and others – 2001 IEEE Symposium
on Security and Privacy – has associated this finding
with the regularity of normal processes.
* The first n-1 calls of a sequence determine the last call
with high accuracy – Normal processes are highly
predictable.
Benchmark Problem (cont.)
* Additionally, experiments by Lee and others – 2001
IEEE Symposium on Security and Privacy - with the 1999
DARPA Intrusion Detection Dataset have shown that
classification accuracy is not improved by adding other
features …
* Main Message: These short sequences are the “right”
patterns to look for when constructing classifiers for these
types of programs.
* It is still a matter of investigation if this same approach
works for other types of programs.
Benchmark Problem (cont.)
* There is still a lot of room for improvement and
investigations – Important issues for having an
Adequate and Timely Response:
1. Fusion of classifiers – Can accuracy be improved by
fusing multiple classifiers ?
2. Intent Inference – Can we distinguish among attacks ?
3. Distinguishing attacks from faults.
Fusion of Classifiers
* Combine several classifiers or anomaly detectors,
designed using different methods and/or different features.
* Features: Anomaly Counts corresponding to different
sequence lengths and different Locality Frame sizes.
* Each individual anomaly detector announces a GOF –
Goodness of Fit – to the normal data.
* These GOFs need to be combined in some way – Simplest
solution: Voting Scheme. We utilize a Probabilistic
Approach which was shown to be successful for Automatic
Target Recognition.
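The UNM detection scheme from the Benchmark Problem slides (dictionary of length-k call sequences built from normal traces, count of abnormal sequences inside a Locality Frame, alarm above a threshold) together with the fusion of several such detectors just described, as an added worked example. This is not code from the SSCI/Aprisma/NCSU project or from the UNM group: the traces, the (k, frame, threshold) settings and the per-detector detection and false-alarm rates are constructed for illustration, and the "probabilistic approach" is stood in for by a naive-Bayes log-likelihood-ratio combination of the detectors' verdicts, which is an assumption rather than the ATR-derived method the slide refers to.

```python
"""UNM-style system-call anomaly detection with a Locality Frame, plus
fusion of several detectors.  Added example, not project or UNM code;
all traces, parameters and error rates are constructed."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Detector:
    """Sequence length k, Locality Frame size (in sequences), alarm
    threshold, and detection / false-alarm rates.  The rates would be
    estimated on a validation set; the ones used below are hypothetical."""
    k: int
    frame: int
    threshold: int
    p_detect: float
    p_false: float


def build_normal_db(traces, k):
    """The dictionary of normality: every length-k sequence seen in the
    normal training traces."""
    db = set()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            db.add(tuple(trace[i:i + k]))
    return db


def abnormal_flags(trace, db, k):
    """1 for each length-k window not in db, else 0.  A trace shorter
    than k has no windows and yields an empty list."""
    return [0 if tuple(trace[i:i + k]) in db else 1
            for i in range(len(trace) - k + 1)]


def max_frame_count(trace, db, k, frame):
    """Largest number of abnormal sequences inside any Locality Frame of
    `frame` consecutive sequences (sliding-window sum over the flags)."""
    flags = abnormal_flags(trace, db, k)
    if not flags:
        return 0
    best = cur = sum(flags[:frame])
    for i in range(frame, len(flags)):
        cur += flags[i] - flags[i - frame]
        best = max(best, cur)
    return best


def decisions(trace, normal_traces, detectors):
    """Verdict of each detector on one trace: 1 = alarm, 0 = normal."""
    out = []
    for d in detectors:
        db = build_normal_db(normal_traces, d.k)
        out.append(int(max_frame_count(trace, db, d.k, d.frame) >= d.threshold))
    return out


def fuse_by_vote(verdicts):
    """Simplest fusion on the slide: majority vote."""
    return int(2 * sum(verdicts) > len(verdicts))


def fuse_by_llr(verdicts, detectors):
    """Naive-Bayes fusion (assumed stand-in for the ATR scheme): sum of
    log P(verdict | attack) / P(verdict | normal) over detectors, which
    are treated as independent.  Positive total = attack (equal priors)."""
    total = 0.0
    for v, d in zip(verdicts, detectors):
        if v:
            total += math.log(d.p_detect / d.p_false)
        else:
            total += math.log((1.0 - d.p_detect) / (1.0 - d.p_false))
    return total


# Constructed traces (not real sendmail data).
NORMAL = [
    ["open", "read", "mmap", "mmap", "getrlimit", "close"],
    ["open", "read", "mmap", "mmap", "getrlimit", "close", "open", "read", "close"],
    ["open", "mmap", "read", "write", "close"],
]
# Attack-like: a dense run of sequences never seen in normal traces.
ATTACK = ["open", "read", "mmap", "execve", "setuid", "write", "close"]
# Benign variant: a normal trace with one unusual tail, i.e. a few
# abnormal sequences but no dense cluster of them.
VARIANT = ["open", "read", "mmap", "mmap", "getrlimit", "close", "write", "close"]

# Different sequence lengths and frame sizes; the third detector is
# deliberately sensitive (low threshold, higher assumed false-alarm rate).
DETECTORS = [
    Detector(k=2, frame=3, threshold=3, p_detect=0.80, p_false=0.05),
    Detector(k=3, frame=4, threshold=3, p_detect=0.90, p_false=0.10),
    Detector(k=4, frame=6, threshold=2, p_detect=0.95, p_false=0.30),
]

if __name__ == "__main__":
    for name, trace in (("attack", ATTACK), ("variant", VARIANT)):
        v = decisions(trace, NORMAL, DETECTORS)
        print(name, "verdicts", v, "vote", fuse_by_vote(v),
              "llr %.2f" % fuse_by_llr(v, DETECTORS))
```

On the constructed data the attack trace trips all three detectors, while the benign variant trips only the sensitive third one; both the vote and the log-likelihood-ratio sum then clear that single false alarm, which is the point of fusing detectors built on different sequence lengths and frame sizes rather than trusting one of them.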
Fusion of Classifiers (cont.)
Intent Inference
* We pose the problem of Intent Inference as distinguishing
between types of attacks using the sequences of system calls.
* From the statistical point of view, this is a classification
problem. The main issue is to determine if there are features that
cluster the different types of attacks.
Distinguishing Attacks from Faults
* It is conceptually the same problem as Intent
Inference.
* Faults represent one class, while Attacks represent
another class.
Summary and Conclusions
* We plan to investigate the application of NMSs for the
Monitoring, Detection and Response of Security Violations
carried out by Insiders.
* Intrusion/Misuse Tolerance is achieved by having an
adequate and timely response.
* Statistical Pattern Recognition and AI will be used for the
design of anomaly detectors and classifiers.
* We will investigate schemes capable of discriminating among
types of attacks and distinguishing faults from attacks.
* Classifier Fusion will be investigated, as a tool for
increasing accuracy.
SPECTRUM Security Manager
Lundy Lewis
Director of Research
January 17, 2001
Solution Functionality
• Provides distributed multi-vendor management of
Firewalls, Intrusion Detection Systems (IDSs),
Security Scanners, PKI, Directories, Packet
Sniffers, and Anti-Virus to create a cohesive
security solution
• Monitors information from security devices.
– correlates all information
– executes commands such as setting filters in Firewalls,
revoking account or PKI certificate, etc. to protect the
infrastructure
Response to Intrusion:
• SSM correlates security events
• SSM automatically starts audit trail
• SSM provides alarm notification through
SPECTRUM
• SSM provides probable cause/solution and
can provide automated responses
• SSM provides decision support
SSM Architecture
• Acts as a knowledge hub
• Accepts information from any source because
XML is the standard for communication
• Adopts a “plug-in” approach that is the basis for
extensibility
• Selection of components based on specific needs
Contact
Joao Cabrera
Scientific Systems Company
500 W. Cummings Park, Suite 3000
Woburn, MA 01801
[email protected]

Lundy Lewis
Aprisma Inc.
486 Amherst Street
Nashua, NH 03063
[email protected]