EMERALD: Live Traffic Analysis of TCP/IP Gateways
P.A. Porras and A. Valdes, Computer Science Laboratory
ISOC Network and Distributed System Security Conference '98

Slide 1: Live Traffic Analysis of TCP/IP Gateways

Phillip A. Porras (porras@csl.sri.com) and Alfonso Valdes (avaldes@unix.sri.com)
http://www.csl.sri.com/intrusion.html

Slide 2: Overview

- Brief Review of EMERALD
- Interoperable Service-Oriented Intrusion Detection
- Architectural Description
- Analysis Techniques
- Aggregate Analyses/Distributed Correlation
- Conclusions

Slide 3: Project Objectives

- Scalable network surveillance
- Computationally realistic coverage
- Generality to new event streams
- Generality to broader issues of survivability
- Distributed correlation and results fusion
- Interoperability

Slide 4: Monitor Interoperability

(Diagram only; no text on this slide.)

Slide 5: Analysis Engine Design

(Diagram: an Analysis Unit sits on a Common API; beneath it are the Event Manager, Engine Manager, Log Manager, Engine Status and Resolver Interface, with one Transport Module for the Event Transmission Interface and one for the Results Dissemination Interface.)

Slide 6: Generic Engine Framework

(Diagram: the Analysis Unit sits between the Event Transmission Interface and the Results Dissemination Interface.)

Analysis Engine: embodies a specific intrusion-detection methodology
- statistical anomaly detection
- inference engine (signature analysis)
- decision engine

Common Infrastructure:
- interfaces
- event queue management
- error reporting
- secondary storage management
- internal data structures
- configuration interface

Slide 7: Resource Object Library

(Diagram: one resource object per monitored target: Apache Server, NCSA Server, SunScreen, Firewall-1, SMTP Server, POP Server, FTP Server, SMB Service. Every resource object carries the same fields: Event Type, Attack Sequences, Profiling Semantics, Event Filters, Subscription List, Responses.)

Slide 8: Statistical Analysis Overview

(Diagram: Events feed a Short-term Profile, which changes with each event; it is compared and scored against a Long-term Profile read from persistent storage; a Profile Update step writes back to Storage.)

Slide 9: Statistical Activity Measurements

Categorical Measures: reflect values that appear from a discrete, non-ordered set of possibilities.
- Commands issued
- Malformed packet disposition
- Files accessed
- Error status codes

Continuous Measures: reflect values that appear from continuous or ordinal sets.
- Number of errors
- Number of bytes transferred
- Per-operation observation totals

Intensity Measures: reflect the intensity (per unit time) of a given attribute in the event stream.
- Sudden increases or decreases in traffic, operations or errors
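The compare-and-score loop of slide 8 with the three measure types of slide 9, as an added example; it is not code from the paper or from EMERALD. Short-term profiles are aged per event, the long-term profile is a frequency table standing in for persistent storage, the intensity measure is aged by elapsed time, and the chi-square-style distance, the 0.9 decay, the 60 s half-life and the FTP event streams are all my illustrative choices, not the authors' statistics or data.

```python
import math
from collections import defaultdict

# Short-term profiles age with every event (new observation counts 1, older ones are multiplied
# by DECAY), so they track what the session is doing now; long-term profiles are plain frequency
# tables standing in for the persistent store. The score is a chi-square-style distance: an
# illustration of the compare-and-score step, not EMERALD's own statistic.
DECAY = 0.9

class CategoricalMeasure:
    """Values from a discrete, non-ordered set (commands issued, files accessed, error codes)."""
    def __init__(self):
        self.short = defaultdict(float)  # short-term profile: category -> aged count
        self.total = 0.0

    def key(self, value):
        return value

    def observe(self, value):
        for k in self.short:
            self.short[k] *= DECAY
        self.total = self.total * DECAY + 1.0
        self.short[self.key(value)] += 1.0

    def score(self, long_term, floor=0.01):
        """Distance between the short- and long-term distributions. A category the long-term
        profile never saw gets probability `floor`, so a new command is penalised, not ignored."""
        if self.total == 0.0:
            return 0.0
        n = sum(long_term.values()) or 1.0
        s = 0.0
        for k, c in self.short.items():
            p_short, p_long = c / self.total, max(long_term.get(k, 0.0) / n, floor)
            s += (p_short - p_long) ** 2 / p_long
        return s

class ContinuousMeasure(CategoricalMeasure):
    """Values from a continuous or ordinal set (bytes transferred, error counts), binned on a
    log2 scale so the categorical machinery can profile them."""
    def key(self, value):
        return int(math.log2(value + 1))

class IntensityMeasure:
    """Rate per unit time of an attribute, aged by elapsed time rather than by event count, so a
    flood and a famine both show up as deviations from the long-term rate."""
    def __init__(self, half_life=60.0):
        self.lam = math.log(2) / half_life
        self.count, self.last = 0.0, None

    def observe(self, t):
        if self.last is not None:
            self.count *= math.exp(-self.lam * (t - self.last))
        self.count, self.last = self.count + 1.0, t

    def rate(self, now):
        # Events per second implied by the aged count (at steady state, count = rate / lam).
        if self.last is None:
            return 0.0
        return self.count * math.exp(-self.lam * (now - self.last)) * self.lam

    def score(self, long_rate, now):
        return abs(self.rate(now) - long_rate) / max(long_rate, 1e-6)

def long_term_profile(measure, values):
    """Build the persistent frequency table of a measure from a history of values."""
    table = defaultdict(float)
    for v in values:
        table[measure.key(v)] += 1.0
    return table

def session_scores(events, long_cmds, long_replies, long_bytes, long_rate):
    """Run (time, command, reply, bytes) events through one measure of each kind; return the
    per-measure scores at the end of the session."""
    cmds, replies, nbytes, rate = (CategoricalMeasure(), CategoricalMeasure(),
                                   ContinuousMeasure(), IntensityMeasure())
    for t, cmd, reply, nb in events:
        cmds.observe(cmd)
        replies.observe(reply)
        nbytes.observe(nb)
        rate.observe(t)
    now = events[-1][0]
    return {"commands": cmds.score(long_cmds), "replies": replies.score(long_replies),
            "bytes": nbytes.score(long_bytes), "intensity": rate.score(long_rate, now)}

# Constructed event streams (not data from the paper): a typical anonymous-FTP session pattern
# for the long-term profile, and a rapid burst of write attempts by anonymous for comparison.
NORMAL = [("PASS", 230, 0), ("PWD", 257, 0), ("CWD", 250, 0), ("PASV", 227, 0),
          ("LIST", 226, 1200), ("PASV", 227, 0), ("RETR", 226, 48000), ("QUIT", 221, 0)]
BURST = [("PORT", 200, 0), ("STOR", 553, 0), ("MKD", 550, 0), ("DELE", 550, 0), ("SITE", 500, 0)]

def make_events(pattern, gap, repeats):
    events, t = [], 0.0
    for _ in range(repeats):
        for cmd, reply, nb in pattern:
            events.append((t, cmd, reply, nb))
            t += gap
    return events

def demo():
    """Score one more normal session and the burst against a profile built from 50 normal ones."""
    history = make_events(NORMAL, 20.0, 50)
    profile = (long_term_profile(CategoricalMeasure(), [e[1] for e in history]),
               long_term_profile(CategoricalMeasure(), [e[2] for e in history]),
               long_term_profile(ContinuousMeasure(), [e[3] for e in history]),
               (len(history) - 1) / (history[-1][0] - history[0][0]))
    return (session_scores(make_events(NORMAL, 20.0, 2), *profile),
            session_scores(make_events(BURST, 0.5, 8), *profile))
```

Calling demo() gives near-zero command, reply and intensity scores for the second normal session and large ones for the burst: its commands and reply codes never appear in the long-term profile, and 0.5 s gaps are an order of magnitude above the long-term rate. The categorical score is one-sided (a command that stops appearing is not penalised); that is what the intensity measure is for, since a famine drives its rate estimate toward zero and the score toward 1.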

Slide 10: Something about Signature Analysis

Slide 11: Aggregate Analyses

- Commonalities across independent event analyses: results that don't warrant individual response may, in combination, be alarming.
- Sequential trends: correlating distributed results for patterns of aggression or failure.
- Commonalities of results from multiple perspectives: increasing confidence or contextual data for response.
- Fault interrelationships: modeling failure in one module producing a different failure in another.


Slide 12: Commonalities and Sequential Trends

(Diagram: correlation at three layers: Enterprise-Layer, Domain-Layer, Service-Layer.)

Slide 13: Multi-Perspective Analyses

(Diagram nodes: E, A, A, A.)

Session Analyses: anomaly in Subject A --> Frequency(Cmd-X)
Command Analyses: anomalies in Cmd-X --> Outcome
Aggregate Interpretation: Session A, Cmd-X, Outcome of Cmd-X
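A domain-layer correlator that puts three of the ideas from slides 11 and 13 into one loop, as an added example; it is not code from the paper or from EMERALD, and the fusion rule is my assumption: per monitor, evidence = 1 - (1 - best score)^min(reports, 3) so that repeated reports about a subject build up a sequential trend but cannot grow without bound; across monitors the survivals multiply, so several reports that individually fall below the response threshold add up (commonality); and when both an anomaly perspective and a signature perspective are present, the threshold is discounted (multi-perspective agreement). The monitor names, scores, the 600 s window and the 0.8 threshold are illustrative.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Result:
    monitor: str   # service-layer monitor that produced it, e.g. "ftp-session", "gateway"
    subject: str   # what the result is about, e.g. a client address
    kind: str      # "anomaly" (statistical unit) or "signature" (inference engine)
    score: float   # the monitor's own confidence in [0, 1]
    t: float       # seconds


class DomainCorrelator:
    """Aggregates service-layer results per subject (assumed fusion rule, see lead-in)."""

    def __init__(self, threshold=0.8, window=600.0, perspective_discount=0.75):
        self.results = defaultdict(list)  # subject -> results received
        self.threshold = threshold
        self.window = window
        self.discount = perspective_discount

    def submit(self, r):
        """Record one service-layer result and return the domain-layer assessment."""
        self.results[r.subject].append(r)
        return self.assess(r.subject, r.t)

    def assess(self, subject, now):
        recent = [r for r in self.results[subject] if now - r.t <= self.window]
        best, count = {}, defaultdict(int)
        for r in recent:
            best[r.monitor] = max(best.get(r.monitor, 0.0), r.score)
            count[r.monitor] += 1
        # Survival = probability that every monitor's evidence is a false alarm, treating
        # monitors as independent; repeats from one monitor count at most three times.
        survive = 1.0
        for m, s in best.items():
            survive *= (1.0 - s) ** min(count[m], 3)
        evidence = 1.0 - survive
        kinds = {r.kind for r in recent}
        bar = self.threshold * (self.discount if len(kinds) > 1 else 1.0)
        return {"subject": subject, "monitors": sorted(best), "perspectives": sorted(kinds),
                "evidence": evidence, "respond": evidence >= bar}
```

With the defaults, a session-analysis anomaly of 0.5 and a command-analysis anomaly of 0.45 about the same client combine to 0.725 and do not trigger a response; a gateway signature report of 0.4 for the same client lifts the evidence to 0.835 and, because both perspectives now agree, the bar drops to 0.6 and the correlator responds. Three 0.5 reports from a single monitor reach 0.875 on their own, which is the sequential-trend case; a fourth would add nothing, so one chatty monitor cannot escalate indefinitely.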

Slide 14: Network Traffic Analysis Experiments

Non-service-specific analyses:
- discarded packet volume and disposition
- excessive transport-layer connection requests (e.g., SYN-ACKs)
- traffic floods and famine (relative to time of day, day of week, work shift)
- unusual long-term traffic patterns to unknown ports
- known troublesome packet activity (e.g., address spoofing, ICMP abuse, source routing, etc.)

Slide 15: Network Traffic Analysis Experiments (continued)

Network services:
- anomalies in the usage of network services
- comparisons between sessions (e.g., anonymous sessions)
- excessive errors, traffic volume
- sudden drastic drops in usage (availability)
- known troublesome service-specific activity

Slide 16: Paper Summary

- The application of specific intrusion detection analysis techniques to network traffic monitoring:
  - statistical anomaly detection
  - signature analysis
- How live traffic monitoring could provide added control and insight into traffic flow
- Distributed correlation of anomalies and misuse reports
- How such efforts could support/complement traffic filtering

Slide 17: Event Stream Selection

Task 1: Isolating Network Traffic Streams

(Diagram: a General-purpose Traffic Processor (E-Box) delivers events through a Standard API to the Generic Engine Framework and its Statistical Unit.)

Filtering Capabilities:
- Discarded traffic
- Pass-through traffic
- Protocol-specific traffic
- Unassigned port traffic
- Transport management messages
- Source address-based
- Destination address-based
- Application-layer monitoring

Slide 18: Translation to Protocol Transaction

Sep 04 17:21:57 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU PASS 230
Sep 04 17:22:38 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU PASV 227 .
Sep 04 17:22:38 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU RETR 550 README
Sep 04 17:22:45 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU CWD 250 PUB
Sep 04 17:23:06 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU PASV 227 .
Sep 04 17:23:07 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU LIST 226 .
Sep 04 17:25:45 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU PASV 227 .
Sep 04 17:25:45 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU RETR 226 TRLIST.TXT
Sep 04 17:25:53 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU CWD 250 .
Sep 04 17:25:57 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU CWD 250 .
Sep 04 17:26:06 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU QUIT 221 .
Sep 04 17:26:06 5 4 129.118.1.1 0 ANON ZWD69@TTACS.TTU.EDU STATS 290 3 14 3 1 1

Record layout: <Timestamp> <session ID> <client address/port> <naming info> <command> <reply> <params>

Slide 19: Interesting Sessions

19:49:36 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM PASS 230
19:49:38 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM PWD 257
19:49:39 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM LIST 226
19:49:57 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM CWD 250 BIN
19:49:57 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM PWD 257
19:50:48 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM PORT 200 204,255,213,89,7,42
19:50:48 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM STOR 553 SCRIPT1116.HTML
19:50:49 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM PWD 257
19:50:49 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM TYPE 200 A
19:50:49 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM PORT 200 204,255,213,89,7,43
19:50:50 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM LIST 226
19:51:03 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM PORT 200 204,255,213,89,7,44
19:51:03 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM STOR 553 SCRIPT1116.HTML
19:51:04 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM PWD 257
19:51:04 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM LIST 226
19:52:16 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM MKD 550 SAVEIT


Slide 20: FTP Experiment: Signature Analyses

Rule set 1: Reserved Name Login Requests
Rule set 2: Destructive Command Requests by Anonymous
Rule set 3: SITE EXEC Exploits
Rule set 4: Sensitive File Retrievals
Rule set 5: Directory Access Requests to Non-FTP Paths
Rule set 6: Abusive NLIST Params
Rule set 7: Port/Source Mismatches (FTP Bouncing)
Rule set 8: Anonymous requests to internal systems
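A parser for the transaction record layout of slide 18 together with a minimal version of the eight FTP rule sets above, as an added example; it is not code from the paper or from EMERALD. The layout details it assumes (the session-ID field is one or more integers and may be absent, as on slide 19; naming info is two tokens), the reserved-name, destructive-command and sensitive-file lists, the /pub anonymous root and the 10.0.0.0/8 "internal" block are illustrative choices, not the authors' configuration. The first four sample records are taken from slide 19 (the anonymous user's STOR and MKD requests are refused with 553 and 550, which is what rule set 2 keys on, and the PORT argument names the client's own address, so rule set 7 stays quiet); the remaining records are constructed in the same layout to exercise the other rules.

```python
import ipaddress
import re
from dataclasses import dataclass

# Record layout from the "Translation to Protocol Transaction" slide:
#   <Timestamp> <session ID> <client address/port> <naming info> <command> <reply> <params>
# Assumptions (mine, not the paper's): the session-ID field is one or more integers and may be
# absent; naming info is two tokens (login class such as ANON, then the identity string).
LINE_RE = re.compile(
    r"^(?P<ts>(?:[A-Z][a-z]{2} \d{2} )?\d{2}:\d{2}:\d{2})"
    r"(?:\s+(?P<sid>\d+(?:\s+\d+)*))?"
    r"\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)"
    r"\s+(?P<login>\S+)\s+(?P<ident>\S+)"
    r"\s+(?P<cmd>[A-Z]+)\s+(?P<reply>\d{3})"
    r"(?:\s+(?P<params>.*?))?\s*$"
)

# Lists the rules key on; all illustrative assumptions, not the paper's configuration.
RESERVED_NAMES = {"root", "bin", "daemon", "sys", "uucp", "nobody"}
DESTRUCTIVE_CMDS = {"STOR", "APPE", "DELE", "RMD", "MKD", "RNFR", "RNTO"}
SENSITIVE_FILES = {"passwd", "shadow", ".rhosts", ".netrc", ".forward"}
FTP_ROOT = "/pub"                                   # assumed anonymous area
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address block


@dataclass
class Transaction:
    ts: str
    sid: str
    client_ip: str
    client_port: int
    login: str
    ident: str
    cmd: str
    reply: int
    params: str


def parse_line(line):
    """One record -> Transaction; None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Transaction(d["ts"], d["sid"] or "", d["ip"], int(d["port"]), d["login"],
                       d["ident"], d["cmd"], int(d["reply"]), d["params"] or "")


def port_target(params):
    """Decode the h1,h2,h3,h4,p1,p2 argument of PORT into (ip, port); None if malformed."""
    parts = params.split(",")
    if len(parts) != 6 or not all(p.isdigit() and int(p) < 256 for p in parts):
        return None
    return ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])


def check(t):
    """Apply the eight rule sets to one transaction and return the names of those that fire.
    Rules key on the request, not the reply: a refused STOR (553) is still the signal."""
    hits, p = [], t.params
    if t.cmd == "USER" and p.lower() in RESERVED_NAMES:
        hits.append("1 reserved-name login request")
    if t.login == "ANON" and t.cmd in DESTRUCTIVE_CMDS:
        hits.append("2 destructive command by anonymous")
    if t.cmd == "SITE" and p.upper().startswith("EXEC"):
        hits.append("3 SITE EXEC")
    if t.cmd == "RETR" and p.rsplit("/", 1)[-1].lower() in SENSITIVE_FILES:
        hits.append("4 sensitive file retrieval")
    if t.cmd == "CWD" and (".." in p.split("/") or (p.startswith("/") and not p.startswith(FTP_ROOT))):
        hits.append("5 directory access outside the FTP area")
    if t.cmd == "NLST" and (len(p) > 64 or p.count("*") > 2):   # NLST is the slide's "NLIST"
        hits.append("6 abusive NLST params")
    if t.cmd == "PORT":
        tgt = port_target(p)
        if tgt is None or tgt[0] != t.client_ip:
            hits.append("7 PORT/source mismatch (FTP bounce)")
        if tgt and t.login == "ANON" and ipaddress.ip_address(tgt[0]) in INTERNAL_NET:
            hits.append("8 anonymous PORT to internal system")
    return hits


def scan(log_text):
    """Return [(transaction, hits)] for every parseable record that fires at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        t = parse_line(line)
        if t is not None:
            hits = check(t)
            if hits:
                alerts.append((t, hits))
    return alerts


# First four records are from the "Interesting Sessions" slide; the rest are constructed.
SAMPLE_LOG = """\
19:49:36 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM PASS 230
19:50:48 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM PORT 200 204,255,213,89,7,42
19:50:48 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM STOR 553 SCRIPT1116.HTML
19:52:16 204.255.213.89 1830 ANON ROTHY@GEOCITIES.COM MKD 550 SAVEIT
Sep 04 17:20:01 6 1 129.118.1.1 4851 - - USER 530 root
Sep 04 17:22:10 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU RETR 550 /etc/passwd
Sep 04 17:22:30 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU PORT 200 10,0,0,25,0,25
Sep 04 17:22:41 5 4 129.118.1.1 4852 ANON ZWD69@TTACS.TTU.EDU SITE 200 EXEC /bin/sh -c id
"""

if __name__ == "__main__":
    for t, hits in scan(SAMPLE_LOG):
        print(f"{t.ts} {t.client_ip}:{t.client_port} {t.cmd} {t.reply} {t.params!r} -> {hits}")
```

Running it on SAMPLE_LOG raises six alerts: the STOR and MKD attempts (rule set 2), the USER root request (1), the /etc/passwd retrieval (4), the PORT pointing at a third-party host on the internal block (7 and 8 together) and the SITE EXEC (3). The PASS and the first PORT record pass cleanly. Rule set 7 is the important one for a gateway: a PORT whose address differs from the control connection's source is the FTP bounce primitive, whatever the reply code says.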