A spatiotemporal event correlation approach to computer security

Correlation is a recognized technique in security to improve the effectiveness of the threat identification and analysis process. Existing correlation approaches mostly focus on correlating temporally located events, or on combining alerts from multiple intrusion detection systems. Such approaches either generate high false alarm rates due to single-host activity changes, or fail to detect stealthy attacks that evade detection by local monitors. This thesis explores a new spatiotemporal event correlation approach to capture the abnormal patterns of a wide class of attacks whose activities, when observed individually, may not seem suspicious or distinguishable from normal activity changes. This approach correlates events across both space and time, identifying aggregated abnormal patterns in host state updates. By exploiting both the temporal and spatial locality of host state changes, our approach identifies malicious events that are hard to detect in isolation, without foreknowledge of normal changes or system-specific knowledge. To demonstrate the effectiveness of spatiotemporal event correlation, we instantiate the approach in two example security applications: anomaly detection and network forensics. For anomaly detection, we present a "pointillist" method to detect similar, coincident changes to the patterns of file updates that are shared across multiple hosts. The correlation is performed by clustering points, each representing an individual host state transition, in a multi-dimensional feature space. We implement this approach in a prototype system called Seurat and demonstrate its effectiveness using a combination of real workstation traces, simulated attacks, and manually launched real worms.
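To make the pointillist idea concrete, here is an added, simplified example (not Seurat's code): each host's daily state transition is its set of updated files, hosts are clustered by Jaccard similarity with single linkage, and a cluster of several hosts whose shared updates include files never updated in the baseline days is flagged. The file names, the similarity threshold and the "new shared files" rule are all constructed assumptions for illustration.

```python
from itertools import combinations

# Constructed file-update reports (host -> files updated that day). The earlier
# days are the baseline; on the current day h1..h3 all gain the same unusual files.
BASELINE = [
    {"h1": {"/var/log/syslog", "/home/u/.bash_history"}, "h2": {"/var/log/syslog"},
     "h3": {"/var/log/syslog", "/tmp/cache"}, "h4": {"/var/log/syslog"}},
    {"h1": {"/var/log/syslog"}, "h2": {"/var/log/syslog", "/tmp/cache"},
     "h3": {"/var/log/syslog"}, "h4": {"/var/log/syslog", "/home/u/.bash_history"}},
]
TODAY = {
    "h1": {"/var/log/syslog", "/home/u/.bash_history", "/usr/bin/sshd", "/etc/rc.local"},
    "h2": {"/var/log/syslog", "/usr/bin/sshd", "/etc/rc.local"},
    "h3": {"/var/log/syslog", "/tmp/cache", "/usr/bin/sshd", "/etc/rc.local"},
    "h4": {"/var/log/syslog"},
}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster_hosts(day, threshold):
    """Single-linkage clustering of hosts by similarity of their file-update sets."""
    parent = {h: h for h in day}
    def find(h):
        while parent[h] != h:
            h = parent[h]
        return h
    for a, b in combinations(day, 2):
        if jaccard(day[a], day[b]) > threshold:
            parent[find(a)] = find(b)
    groups = {}
    for h in day:
        groups.setdefault(find(h), set()).add(h)
    return list(groups.values())

def detect(day, baseline, threshold=0.5, min_hosts=3):
    """Flag clusters of at least min_hosts hosts whose shared updates include
    files that no host updated on any baseline day (a coincident, new change)."""
    seen = set().union(*(files for d in baseline for files in d.values()))
    alarms = []
    for hosts in cluster_hosts(day, threshold):
        if len(hosts) < min_hosts:
            continue
        shared = set.intersection(*(day[h] for h in hosts))
        new = shared - seen
        if new:
            alarms.append((frozenset(hosts), frozenset(new)))
    return alarms
```

A single host installing the same two files would produce no cluster of three and hence no alarm; only the coincident change across hosts does.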
For network forensics, we present a general forensics framework called Dragnet, and propose a "random moonwalk" technique that can determine both the host responsible for originating a worm attack and the set of attack flows that make up the initial stages of the attack tree via which the worm infected successive generations of victims. Our technique exploits the "wide tree" shape of worm propagation by performing random walks backward in time along paths of flows. Using analysis, simulation, and experiments with real-world traces, we show how the technique works against both today's fast-propagating worms and a wide class of stealthy worms that attempt to hide their attack flows among background traffic. While the high-level idea is the same, the two applications use different types of event data, different data representations, and different correlation algorithms, suggesting that spatiotemporal event correlation can be a general solution for reliably and effectively capturing global abnormal patterns in a wide variety of security applications.
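The backward random walk described above, as an added illustration that is not the thesis's own implementation: each walk starts at a random flow and repeatedly steps to a random flow that reached the current flow's source host shortly before it started. Because infection flows near the root of the wide tree lie on the backward paths of many descendants, they are traversed most often. The flow records, the predecessor window `delta`, the walk length and the count-based ranking are constructed assumptions.

```python
import random
from collections import Counter

# Constructed flow records (flow_id, src, dst, start_time). A infects B and C,
# which infect D and E, and so on; flows 7 and 8 are unrelated background traffic.
FLOWS = [
    (1, "A", "B", 1.0), (2, "A", "C", 2.0),
    (3, "B", "D", 4.0), (4, "C", "E", 5.0),
    (5, "D", "F", 7.0), (6, "E", "G", 8.0),
    (7, "X", "Y", 3.0), (8, "Y", "Z", 6.0),
]

def predecessors(flow, flows, delta):
    """Flows that reached this flow's source host within delta time before it started."""
    _, src, _, t = flow
    return [f for f in flows if f[2] == src and t - delta < f[3] < t]

def moonwalk(start, flows, delta, max_steps, rng):
    """One random walk backward in time along flow paths; returns the flows visited."""
    path, cur = [start], start
    for _ in range(max_steps - 1):
        preds = predecessors(cur, flows, delta)
        if not preds:          # no earlier flow into the source: the walk ends here
            break
        cur = rng.choice(preds)
        path.append(cur)
    return path

def random_moonwalk(flows, walks=2000, delta=10.0, max_steps=8, seed=1):
    """Run many walks from random starting flows and count how often each flow is
    traversed. The most frequently traversed flows are the candidate initial attack
    flows, and the source host of the top-ranked flow is the suspected origin."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(walks):
        for f in moonwalk(rng.choice(flows), flows, delta, max_steps, rng):
            counts[f[0]] += 1
    ranked = [fid for fid, _ in counts.most_common()]
    by_id = {f[0]: f for f in flows}
    origin = by_id[ranked[0]][1]
    return ranked, origin
```

On the constructed trace the two flows leaving A are each on the backward path of half of all starting points, so they rank first and A is reported as the origin, while the background flows 7 and 8 rank with the leaves.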
