Intrusion and Fraud Detection
Presentation at SWITS-IV, Vadstena, June 7-8 2004
Håkan Kvarnström, Department of Computer Engineering, Chalmers University of Technology
URL: http://www.ce.chalmers.se/staff/hkv
Slide 1
Outline
• Why do we need IDS/FDS?
• Security countermeasures
• Definitions
• History of fraud
• How do we detect intrusions and fraud?
• Detection mechanisms
• IDS vs. FDS
• Attacks against IDS/FDS
• A fraud detection example
• Some results from my own research
• Problems to be solved
Time: approx. 50 minutes
Intrusion and fraud detection
• Automated analysis of events to detect intrusion and fraud
• Similar to a burglar alarm
• Intrusion and fraud detection complements preventive mechanisms such as firewalls and OS security.
Figure (by Ulf Lindqvist): preventive mechanisms in front of the target, with the detection system raising an alarm behind them.
Why intrusion and fraud detection?
Figure: the countermeasure cycle of prevention, detection, response and recovery.
• It is hard to design completely secure systems
• IDS/FDS have the capability to detect unauthorized use of information and resources
• Even authorized entities may become corrupt
• Offers early-warning capabilities
Security countermeasures
Figures (by Emilie Lundin Barse and Ulf Lindqvist): prevention, detection, response and recovery. Attacks missed by the preventive mechanisms reach the system; detection turns some of them into alarms while the rest remain undiscovered; active countermeasures and recovery deal with the remaining attacks on the affected system. The second figure shows the same flow from the viewpoint of detection capabilities.
IDS trivia
Question: Is there a type of attack that an IDS cannot detect?
Answer: Yes. Passive attacks, such as decrypting or breaking an encrypted packet or stream, leave no trace in the monitored event stream and therefore cannot be detected by an IDS.
Definition of "intrusion"
"An attack in which a vulnerability is exploited, resulting in a violation of the implicit or explicit security policy"
Definition of "fraud"
"An intentional deception or misrepresentation that an individual knows to be false that results in some unauthorized benefit to himself or another person"
• The definition includes insiders
• Fraud can be seen as an application-specific form of intrusion
History of telecom fraud: celebrities
• John Draper, 1972. Used a toy whistle (2600 Hz) from a box of Cap'n Crunch cereal to manipulate AT&T's phone switches (blue boxing). By signalling the phone system into "operator mode" he was able to route new calls.
• Kevin Poulsen, 1990. Won a Porsche 944 S2 by taking over all incoming phone lines to LA radio station KIIS-FM, making himself the 102nd caller. He continued to "win": a second Porsche, $22,000, two trips to Hawaii... and 3 years in prison.
History lesson: fraud
Cell phone fraud
• Eavesdropping. The NMT system did not use encryption.
• Tumbling. Rapidly changing a cell phone's serial number gave free access to the network. Common in the US.
• Cloning. Duplication of SIM cards and terminal serial numbers. The legitimate subscriber is billed for the services used.
• Subscription fraud. Signing up for a subscription under a false name and address.
Computer-related fraud
• Electronic banking and payment. Not so common... yet.
• Illegal downloading and distribution of digital content. Very common.
• Phishing. Attackers trying to "fish" for private information, mostly using spam as a vehicle.
Interesting reading
• P. Hoath. Telecoms fraud, the gory details. Computer Fraud & Security 20(1) 1998.
An intrusion/fraud detection system
Figure: the target produces raw input events (network packets (IP), application logs, OS logs). The collection function turns them into raw data for the decision function. The decision function applies the detection policy, a formalization of the security policy that is either rule-based or anomaly-based, and the response function applies the response policy.
Classification of fraudulent activities
Interesting reading
• H. Debar, M. Dacier and A. Wespi. Towards a Taxonomy of Intrusion Detection Systems. Computer Networks 31(8) 1999.
• L. R. Halme, K. R. Bauer. AINT misbehaving: a taxonomy of anti-intrusion techniques. Proceedings of the 18th National Information Systems Security Conference, 1995.
Rule-based (signature) vs. anomaly-based
Normal behaviour known, fraudulent behaviour known: well-known services, well-known fraud. Rule-based IDS/FMS.
Normal behaviour known, fraudulent behaviour unknown: well-known services, new types of fraud. Anomaly-based IDS/FMS.
Normal behaviour unknown, fraudulent behaviour known: new services, well-known fraud in similar services. Rule-based IDS/FMS.
Normal behaviour unknown, fraudulent behaviour unknown: new types of services, new types of fraud. ?
Detection mechanisms
• Signatures
• Visualization
• Thresholds
• Clustering and classification
• Statistical analysis
• Bayesian networks
• Neural networks
• Markov models
Bayesian network example
Nodes: A = Commercial user, B = Domestic user, C = Low income, D = Customer churn, E = Propensity to fraud, F = Bad debt, G = Profile change, H = 'Hot' destinations, I = Revenue loss.
Conditional probability tables (x denotes "either value"):
Pr{A} = 0.76
Pr{B} = 0.24
Pr{C} = 0.74
Pr{D|¬A} = 0.27, Pr{D|A} = 0.73
Pr{E|¬A,¬B,x} = 0.01, Pr{E|¬A,B,¬C} = 0.02, Pr{E|¬A,B,C} = 0.04, Pr{E|A,x,x} = 0.03
Pr{F|¬B,x} = 0.00, Pr{F|B,¬C} = 0.01, Pr{F|B,C} = 0.04
Pr{G|¬D,¬E} = 0.03, Pr{G|¬D,E} = 0.72, Pr{G|¬D,E} = 0.84 (this label is duplicated in the original; the second entry is presumably Pr{G|D,¬E}), Pr{G|D,E} = 0.96
Pr{H|¬E} = 0.58, Pr{H|E} = 0.42
Pr{I|¬E,¬F} = 0.02, Pr{I|¬E,F} = 0.98, Pr{I|E,¬F} = 1, Pr{I|E,F} = 1
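The slide gives the network's conditional probability tables but not how they are used. As an added example (not from the presentation), the following Python computes exact posteriors in that network by enumerating all 2^9 worlds, so one can ask, for instance, how much a profile change (G) or a revenue loss (I) raises the probability of fraud propensity (E). The CPT values are the slide's; the duplicated label Pr{G|¬D,E} = 0.84 is read as Pr{G|D,¬E} and "x" as "either value", both assumptions.

```python
# Added example: exact inference by enumeration over the nine-node Bayesian
# network on the slide.  Not code from the presentation.
from itertools import product

# Parents of each node, in the order the CPT functions below take them.
PARENTS = {
    "A": (), "B": (), "C": (),
    "D": ("A",), "E": ("A", "B", "C"), "F": ("B", "C"),
    "G": ("D", "E"), "H": ("E",), "I": ("E", "F"),
}
NODES = list(PARENTS)

def p_e(a, b, c):
    """Pr{E = True | A, B, C} from the slide ('x' = either value)."""
    if a:
        return 0.03                 # Pr{E|A,x,x}
    if not b:
        return 0.01                 # Pr{E|¬A,¬B,x}
    return 0.04 if c else 0.02      # Pr{E|¬A,B,C}, Pr{E|¬A,B,¬C}

# Pr{node = True | parent values}
CPT = {
    "A": lambda: 0.76,
    "B": lambda: 0.24,
    "C": lambda: 0.74,
    "D": lambda a: 0.73 if a else 0.27,
    "E": p_e,
    "F": lambda b, c: (0.04 if c else 0.01) if b else 0.00,
    "G": lambda d, e: {(False, False): 0.03, (False, True): 0.72,
                       (True, False): 0.84,   # assumed reading of the duplicated label
                       (True, True): 0.96}[(d, e)],
    "H": lambda e: 0.42 if e else 0.58,
    "I": lambda e, f: 1.0 if e else (0.98 if f else 0.02),
}

def joint(world):
    """Probability of one full True/False assignment to all nine nodes."""
    p = 1.0
    for node in NODES:
        pt = CPT[node](*(world[par] for par in PARENTS[node]))
        p *= pt if world[node] else 1.0 - pt
    return p

def posterior(query, evidence):
    """Pr{query = True | evidence} by summing the joint over all worlds
    consistent with the evidence (512 worlds, so brute force is fine)."""
    num = den = 0.0
    for values in product((False, True), repeat=len(NODES)):
        world = dict(zip(NODES, values))
        if any(world[k] != v for k, v in evidence.items()):
            continue
        p = joint(world)
        den += p
        if world[query]:
            num += p
    return num / den

if __name__ == "__main__":
    print("prior Pr{E}                 =", round(posterior("E", {}), 4))
    print("Pr{E | profile change}      =", round(posterior("E", {"G": True}), 4))
    print("Pr{E | G, H, revenue loss}  =",
          round(posterior("E", {"G": True, "H": True, "I": True}), 4))
```

The prior Pr{E} comes out at about 0.027; conditioning on observed symptoms such as a profile change moves it up, which is the operational use of such a network in a fraud management system: rank subscribers by posterior fraud propensity given the indicators actually observed in the CDR stream.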
Visualization
Figure: a graph linking service users to premium rate services, with suspects highlighted.
• Find patterns and deviating behaviour
• Use the power of the brain!
FDS vs. IDS
Telecom fraud management systems (FMS):
• Input: Call Detail Records (CDR): A-number, B-number, duration, call path, timestamps, ... (>40 parameters)
• Detection: thresholds, customer profiles
• Post-processing: case building
• Response: identify the fraud case; many people are involved in the investigation process; not interested in low-cost frauds
Intrusion detection systems (IDS):
• Input: OS and application log files, network traffic
• Detection: signatures, anomaly detection
• Post-processing: correlation of alarms
• Response: identification of a known attack or description of a suspicious event, active response; small resources for investigation, so the number of alarms must be limited; difficult to sort out "insignificant" attacks
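The architecture slide (collection function, decision function, response function) and this comparison describe an FMS abstractly. As an added example that is not part of the presentation, the following Python runs that pipeline over constructed CDR-like records for one subscriber, combining the two detection styles the slides contrast: a rule (any call to a "hot" premium-rate prefix) and a customer-profile threshold (daily call minutes above mean + 3 sigma of the subscriber's own profile period). The record layout, the premium-rate prefix 0939, the six-day profile window and the 3-sigma factor are assumptions for illustration.

```python
# Added example: collection -> decision -> response over constructed CDRs.
# Not code from the presentation or the thesis.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed CDRs: (day, A-number, B-number, duration in seconds).
CDRS = [
    (1, "4631100001", "4631200002", 120), (1, "4631100001", "4631200003", 60),
    (2, "4631100001", "4631200002", 90),  (3, "4631100001", "4631200004", 30),
    (4, "4631100001", "4631200002", 100), (5, "4631100001", "4631200003", 80),
    (6, "4631100001", "4631200002", 110),
    # Day 7: a burst of long calls, one of them to a premium-rate number.
    (7, "4631100001", "0939000001", 1800), (7, "4631100001", "4631200002", 1500),
    (7, "4631100001", "4631200003", 1400),
]

HOT_DESTINATIONS = {"0939"}   # assumed premium-rate prefix used by the signature rule
PROFILE_DAYS = 6              # days used to build the customer profile (assumed)
SIGMA_FACTOR = 3.0            # threshold at mean + 3 standard deviations (assumed)

def collect(cdrs):
    """Collection function: raw CDRs -> per-subscriber, per-day call minutes."""
    minutes = defaultdict(lambda: defaultdict(float))
    for day, a_num, _b_num, dur in cdrs:
        minutes[a_num][day] += dur / 60.0
    return minutes

def signature_rule(cdrs):
    """Rule-based detection: any call to a known hot destination is an alarm."""
    return [(day, a, b) for day, a, b, _ in cdrs
            if any(b.startswith(p) for p in HOT_DESTINATIONS)]

def profile_threshold(minutes, profile_days=PROFILE_DAYS, k=SIGMA_FACTOR):
    """Anomaly detection: each day after the profile period is compared with
    mean + k*sigma of the subscriber's own profile days.
    Returns (a_num, day, minutes, threshold) for every exceedance."""
    alarms = []
    for a_num, per_day in minutes.items():
        profile = [per_day.get(d, 0.0) for d in range(1, profile_days + 1)]
        threshold = mean(profile) + k * pstdev(profile)
        for day, mins in sorted(per_day.items()):
            if day > profile_days and mins > threshold:
                alarms.append((a_num, day, round(mins, 1), round(threshold, 1)))
    return alarms

def respond(sig_alarms, anomaly_alarms):
    """Response function: case building, one case per subscriber, from both detectors."""
    cases = defaultdict(list)
    for day, a, b in sig_alarms:
        cases[a].append(f"day {day}: call to hot destination {b}")
    for a, day, mins, thr in anomaly_alarms:
        cases[a].append(f"day {day}: {mins} min exceeds profile threshold {thr} min")
    return dict(cases)

def run(cdrs=CDRS):
    """Whole pipeline; returns the built cases."""
    return respond(signature_rule(cdrs), profile_threshold(collect(cdrs)))

if __name__ == "__main__":
    for subscriber, findings in run().items():
        print(subscriber)
        for f in findings:
            print("  ", f)
```

On this input the profile days average about 1.6 minutes with a small spread, so the 78 minutes on day 7 trips the threshold, and the 0939 call trips the rule; the case for the subscriber carries both findings, which is the "case building" step the FMS column lists and which an IDS would instead express as two separate, possibly correlated, alarms.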
Attacks against signature-based IDS
• The IDS and the target system interpret the input data stream differently!
• It is therefore possible to avoid detection of an attack by crafting packets/data carefully.
Example: the hacker sends the string "Raaa^h^h^hoot". The IDS sees "Raaa^h^h^hoot", a harmless string; the target system processes the backspaces (^h) and sees "root".
• Insertion attack (figure)
Attacks against signature-based IDS
• IP fragmentation reassembly behaviour (overlaps)
Operating system: overlap behaviour
Windows NT: always favors old data
4.4BSD: favors new data for forward overlap
Linux: favors new data for forward overlap
Solaris 2.6: always favors old data
HP-UX 9.01: favors new data for forward overlap
Irix 5.3: favors new data for forward overlap
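Both evasion slides make the same point: the bytes are identical, the interpretation is not. As an added example (not from the presentation), the following Python models the two cases: a target that processes backspaces while the IDS matches on raw bytes, and overlapping IP fragments reassembled under the two policies of the table. The inputs are constructed, and the table's "forward overlap" distinction is reduced to the simple rule "later data wins" for the new-data hosts; real stacks have further corner cases that the Ptacek and Newsham paper cited below describes.

```python
# Added example: IDS and target disagreeing about the same bytes.
# Not code from the presentation.

def apply_backspaces(data: bytes) -> bytes:
    """Interpret 0x08 (^H) the way a terminal line discipline would:
    delete the previous character.  The IDS on the slide does not do this."""
    out = bytearray()
    for ch in data:
        if ch == 0x08:
            if out:
                out.pop()
        else:
            out.append(ch)
    return bytes(out)

def reassemble(fragments, policy: str) -> bytes:
    """fragments: list of (offset, payload) in arrival order.
    policy 'old': data already received wins (Windows NT, Solaris 2.6 in the table);
    policy 'new': later data overwrites on overlap (4.4BSD, Linux, HP-UX, Irix)."""
    if policy not in ("old", "new"):
        raise ValueError(policy)
    length = max(off + len(p) for off, p in fragments)
    buf = bytearray(length)
    written = [False] * length
    for off, payload in fragments:
        for i, ch in enumerate(payload):
            pos = off + i
            if written[pos] and policy == "old":
                continue              # keep the old byte
            buf[pos] = ch
            written[pos] = True
    return bytes(buf)

SIGNATURE = b"root"

def sees_signature(data: bytes) -> bool:
    return SIGNATURE in data

# Constructed inputs.
# 1) Backspace trick, as on the slide: the IDS sees the raw line, the shell
#    sees the edited line.
TYPED = b"raaa\x08\x08\x08oot"
# 2) Overlap trick: fragment 2 arrives later and covers the middle of
#    fragment 1; only hosts that favor new data end up with "root".
FRAGS = [(0, b"rXXt"), (1, b"oo")]

def evasion_report():
    """What each party sees for both tricks."""
    return {
        "backspace_ids": sees_signature(TYPED),
        "backspace_target": sees_signature(apply_backspaces(TYPED)),
        "overlap_old_data_host": sees_signature(reassemble(FRAGS, "old")),
        "overlap_new_data_host": sees_signature(reassemble(FRAGS, "new")),
    }

if __name__ == "__main__":
    for party, hit in evasion_report().items():
        print(f"{party:22s} sees 'root': {hit}")
```

An IDS that reassembles with the "old data" policy while protecting a Linux host (or the reverse) will either miss the attack or raise a false alarm; the remedy proposed by Handley, Paxson and Kreibich in the reading list is a normalizer that forces a single interpretation before the traffic reaches either party.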
Attacks against anomaly-based IDS
• Slow changes in user behaviour can be hard to detect!
• Wait for a time slot where the event would be considered "normal behaviour"
Interesting reading
• T. Ptacek and T. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. 1998.
• M. Handley, V. Paxson and C. Kreibich. Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics. USENIX Security Symposium 2001.
• D. Wagner and P. Soto. Mimicry attacks on host-based intrusion detection systems. Proceedings of the Ninth ACM Conference on Computer and Communications Security, 2002.
FDS: video-on-demand example
Log data:
• Set-top box logins
• Movie orders
• Delivery notifications
• Router statistics per IP address
• DHCP requests
Figure: the user's set-top box, the router and DHCP server at the Internet provider, and the video-on-demand application server with its database.
Neural network detector
• One net per fraud type
• 7 input nodes:
1. Sum of successful login attempts
2. Sum of failed login attempts
3. Sum of successful movie orders
4. Sum of failed movie orders
5. Sum of movie delivery notifications
6. Sum of billing notifications
7. Upload/download ratio
• 1 output node: likelihood (0-1) of fraud
• An exponential trace memory was used to model temporal sequences of input
Data collection and synthetic data generation (Papers B, C)
Authentic data:
1. Data collection: collection of log data from real users
2. Data analysis: analyze the collected data (statistics)
3. Profile generation: create profiles
4. User and attack modelling: model users and attackers
5. System modelling: model the target systems
Synthetic data:
Data generation from the user profiles, using a user simulator, an attacker simulator and a target system simulator.
Training and detection tests are run on both authentic and synthetic data.
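The detector slide names the seven inputs and the exponential trace memory, and the data slide names the simulators that produced the synthetic training data, but neither shows the mechanics. As an added example (not the thesis's code), the following Python builds a tiny version of both: a constructed user/attacker simulator that emits the seven daily feature sums with a billing-fraud period (movies delivered, no billing notifications), an exponential trace memory in the form y_t = lam*y_{t-1} + (1-lam)*x_t, and a single logistic neuron trained by gradient descent to output a fraud likelihood in 0-1. The thesis used a full neural network; the trace form, the day profiles, the fraud period, lam = 0.3 and the training settings are all assumptions made for this illustration.

```python
# Added example: trace-memory features and a logistic-unit fraud detector
# trained on constructed synthetic VoD data.  Not code from the thesis.
import math

FEATURES = ["logins_ok", "logins_failed", "orders_ok", "orders_failed",
            "deliveries", "billing", "upload_download_ratio"]

def synthetic_days(n_days=40, fraud_days=range(24, 34)):
    """Constructed user + attacker simulator: per-day feature sums and labels.
    Billing fraud: movies are delivered but no billing notification follows."""
    normal_profiles = [
        [2, 0, 1, 0, 1, 1, 0.05],
        [1, 1, 2, 0, 2, 2, 0.05],
        [3, 0, 0, 0, 0, 0, 0.04],
    ]
    fraud_profile = [2, 0, 4, 0, 4, 0, 0.05]
    xs, ys = [], []
    for day in range(n_days):
        fraud = day in fraud_days
        xs.append(list(fraud_profile if fraud else normal_profiles[day % 3]))
        ys.append(1 if fraud else 0)
    return xs, ys

def trace_memory(seq, lam):
    """Exponential trace memory of one feature (assumed form): recent days
    dominate, older days decay geometrically with factor lam."""
    out, y = [], 0.0
    for x in seq:
        y = lam * y + (1.0 - lam) * x
        out.append(y)
    return out

def traced_features(xs, lam=0.3):
    cols = [trace_memory([row[j] for row in xs], lam) for j in range(len(FEATURES))]
    return [[cols[j][t] for j in range(len(FEATURES))] for t in range(len(xs))]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def train_logistic(xs, ys, epochs=3000, lr=0.1):
    """Full-batch gradient descent on cross-entropy; returns (weights, bias)."""
    n, d = len(xs), len(xs[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for x, y in zip(xs, ys):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for j in range(d):
                gw[j] += err * x[j]
            gb += err
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b

def fraud_likelihood(model, x):
    """The single output node: likelihood (0-1) of fraud for one day."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)

def run_experiment():
    """Generate data, train, and score every day; returns (scores, labels)."""
    xs, ys = synthetic_days()
    feats = traced_features(xs)
    model = train_logistic(feats, ys)
    return [fraud_likelihood(model, f) for f in feats], ys

if __name__ == "__main__":
    scores, labels = run_experiment()
    for day, (s, y) in enumerate(zip(scores, labels)):
        print(f"day {day:2d}  label={y}  fraud likelihood={s:.2f}")
```

Because the trace memory smooths each feature over several days, the likelihood rises over the first fraud days rather than jumping, and decays for a few days after the fraud stops; that lag is the same effect visible in the "detected fraud" versus "fraudulent period" curves on the results slides.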
Detection results
Figure: billing fraud in authentic data. Fraud likelihood (0-1) against days since epoch; the detected fraud is plotted together with the fraudulent period.
Figure: billing fraud in synthetic data. Fraud likelihood against days since epoch; detected fraud plotted together with the actual fraud.
Figure: break-in fraud in authentic data. Fraud likelihood against days since epoch; detected fraud plotted together with the fraudulent period.
Figure: break-in fraud in synthetic data. Fraud likelihood against days since epoch; detected fraud plotted together with the actual fraud.
Confidentiality of input events
Figure: confidentiality issues in different architectures. The horizontal axis is the confidentiality of the detection policy (low to high), the vertical axis the confidentiality of the input events (low to high). Each architecture is drawn as its data collection (D) and analysis (A) components placed in one or more security domains; one configuration is marked "Our research problem!".
Detection policy protection
♦ A mechanism for protecting the confidentiality of security policies, such as:
♦ A detection policy in an IDS
♦ A filtering policy in a firewall
♦ ...
♦ We do this by encoding the policy as a finite state machine (DFA) which is then obfuscated using one-way functions
Why is this useful? IDS example
♦ Heavily distributed intrusion detection architectures impose a threat on the target systems
♦ Parts of the detection policy need to be confidential to prevent disclosure of target-specific weaknesses and oddities.
♦ Loss of confidentiality is irreversible. Loss of availability is not! Deploying IDS in highly distributed environments may result in a vast number of entities having knowledge about the policy. Hence we need security mechanisms that allow distribution of policies without risk of compromising their confidentiality.
Benefits to an IDS
♦ An intruder can learn only what he can observe
♦ Exhaustive search is possible, but computationally intractable for reasonably sized input data.
♦ Prevents reverse engineering of the detection system
♦ Does the hacker community know about attack XYZ? A conventional IDS would reveal XYZ if its confidentiality is broken
♦ The knowledge of the attack is the key to unlocking the policy
Some related techniques
♦ Prevention against reverse engineering: Sander & Tschudin (1998, 1999), encrypted evaluation of polynomial functions
♦ Barak et al. (2001) showed the (im)possibility of achieving program obfuscation
♦ Policy encryption: Neumann (1995), NIDES
♦ Secure multi-party computation: Goldreich et al. (1987), How to play any mental game
How does it work?
♦ A set of valid state machines is hidden in a possibly large and random state space
♦ Transitions to the next state are controlled by:
♦ The current state
♦ The recursive sum of previous inputs (using a one-way function)
♦ Only knowledge of the correct sequence of inputs will result in the traversal of a valid state machine
♦ A state matrix is used to hold the transition functions
Simple state machine
L(M) = {x ∈ Σ* | ABBA is a substring of x}
Traversal: X1 = 32, X2 = 226, X3 = 114, X4 = 43, X5 = 93, X6 = 148, X7 = 7, X8 = 148, X9 = 12
The state matrix
Calculating the state matrix
♦ The state value is a function of the current and all previous input
♦ The state value is a random number
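The slides describe the idea (random state values, transitions keyed by a one-way function of state and input, the ABBA example) without the construction itself. As an added example, not the thesis's scheme, the following Python builds the substring DFA for an arbitrary pattern (the general KMP-style construction of which ABBA is one instance), gives every state a random label, and stores each transition under the SHA-256 digest of (current label, input symbol). An observer of the distributed table sees only digests and random labels; the machine is traversed correctly only by someone who feeds it the right input sequence, which is the "knowledge of the attack is the key" property. The pattern, alphabet, seed and the use of SHA-256 as the one-way function are assumptions made here.

```python
# Added example: a substring-policy DFA with an obfuscated transition table.
# Simplified illustration, not the construction from the thesis.
import hashlib
import random

def build_substring_dfa(pattern, alphabet):
    """KMP-style DFA for 'pattern is a substring of x'.  State q is the
    number of pattern characters matched so far.
    Returns (delta[q][c] -> q', accepting_state)."""
    m = len(pattern)
    delta = {}
    for q in range(m + 1):
        delta[q] = {}
        for c in alphabet:
            if q == m:
                delta[q][c] = m           # once matched, stay accepting
                continue
            s = pattern[:q] + c           # text seen so far that still matters
            k = len(s)
            while k > 0 and s[-k:] != pattern[:k]:
                k -= 1                    # longest prefix of pattern ending here
            delta[q][c] = k
    return delta, m

def _h(*parts):
    """The one-way function: SHA-256 over the joined parts (assumed choice)."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def obfuscate(delta, accepting, rng):
    """Replace state numbers by random labels and key every transition by
    H(label || symbol).  Only the start label is published in clear."""
    labels = {q: f"{rng.getrandbits(64):016x}" for q in delta}
    table = {_h(labels[q], c): labels[q2]
             for q, row in delta.items() for c, q2 in row.items()}
    return {"start": labels[0], "table": table,
            "accept": {_h(labels[accepting], "accept")}}

def run_obfuscated(policy, inputs):
    """Traverse the hidden machine.  A symbol with no table entry cannot be
    looked up, so the traversal leaves the valid machine and fails."""
    state = policy["start"]
    for c in inputs:
        nxt = policy["table"].get(_h(state, c))
        if nxt is None:
            return False
        state = nxt
    return _h(state, "accept") in policy["accept"]

def make_policy(pattern="ABBA", alphabet="ABC", seed=7):
    delta, accepting = build_substring_dfa(pattern, alphabet)
    return obfuscate(delta, accepting, random.Random(seed))

if __name__ == "__main__":
    policy = make_policy()
    for word in ["CABBAC", "AABBA", "ABAB", "ABBB"]:
        print(f"{word:8s} -> {run_obfuscated(policy, word)}")
    # What a node holding the distributed policy actually sees: a digest
    # mapping to a random label, not a rule mentioning A or B.
    print(next(iter(policy["table"].items())))
```

The limitation the slides acknowledge is visible here too: with a small alphabet an attacker holding the table can try every symbol at every step (exhaustive search), so the protection rests on the input space being large enough that guessing the sequence is impractical, and on the labels carrying no structure of their own.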
Some problems to be solved...
• Find a correlation between log data and the attacks that can be found
  • What should we log?
• How to design a detection system that combines the advantages of signature-based and anomaly-based systems
  • Fewer false alarms and the capability to find new attacks
• How can we ensure user privacy?
  • A conflict between the user's privacy and the system owner's interest in identifying "bad guys"
• How can we provide a tighter integration with other countermeasures?
  • Response and recovery is still a highly manual process
• Reduce the false alarm rate
• Automated "risk analysis"
• Understanding advanced attack scenarios
• Efficient and reliable correlation of event sources and alarms
Recent dissertations and licentiate theses
• Jaakko Hollmén. User Profiling and Classification for Fraud Detection in Mobile Communications Networks. PhD thesis 2000, Helsinki University of Technology.
• Dan Gorton. Extending Intrusion Detection with Alert Correlation and Intrusion Tolerance. Licentiate thesis 2003, Chalmers University of Technology.
• Håkan Kvarnström. On the Implementation and Protection of Fraud Detection Systems. PhD thesis 2004, Chalmers University of Technology.
Soon in a library near you...
• Emilie Lundin Barse. Logging for Intrusion and Fraud Detection. PhD thesis 2004, Chalmers University of Technology.
Contact info
Håkan Kvarnström
URL: http://www.ce.chalmers.se/staff/hkv
Mail: [email protected]
Chalmers Computer Security Group: URL: http://www.ce.chalmers.se/research/Security