Data Driven Security Models and Analysis - January 2016
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Ravi Iyer
Co-PI(s): Zbigniew Kalbarczyk and Adam Slagell
HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.
- Predictive security metrics - design, development, and validation
- Resilient architectures - in the end we want to use the metrics to achieve a measurable enhancement in system resiliency, i.e., the ability to withstand attacks
- Human behavior - data contain traces of the steps the attacker took, and hence inherently include some aspects of the human behavior (of both users and miscreants)
PUBLICATIONS
Papers published in this quarter as a result of this research. Include title, author(s), venue published/presented, and a short description or abstract. Identify which hard problem(s) the publication addressed. Papers that have not yet been published should be reported in region 2 below.
- Keywhan Chung, Charles A. Kamhoua, Kevin A. Kwiat, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer, "Game Theory with Learning for Cyber Security Monitoring", IEEE High Assurance Systems Engineering Symposium (HASE 2016), January 7 - 9, 2016, Orlando, Florida.
ACCOMPLISHMENT HIGHLIGHTS
This quarter we have continued our work on building a security testbed that provides an execution platform for replaying security attacks in a controlled environment. Specifically, we focused on generating attack variants and on the production deployment of a honeypot to collect real-world attacks.
Attack variants analysis. To understand commonalities among attacks, we analyzed 116 real-world attacks at NCSA. Most attacks made use of stolen credentials to compromise NCSA networks. Using Longest Common Subsequence analysis, we found two types of common patterns. Repeated events, for example ALERT FAILED PASSWORD, are often observed because they are attempts to brute-force guess the credentials of a user in the system. A common subsequence of events is a set of events that appear in the same order in two attacks. For example, the following events were observed in two separate attacks attempting to deliver a Remote Administration Toolkit (RAT) binary into the target system: ALERT ANOMALOUS HOST, ALERT SENSITIVE HTTP URI, ALERT INSTALL BOT. In summary, the observed attacks share common patterns of events.
We developed a framework for i) generating variants of known attacks and ii) evaluating the detection capabilities of popular techniques against such variants. To build the framework we constructed a database of interchangeable events based on knowledge of past attacks and on the capabilities of the security monitors present in a target system. In this context, interchangeable events are attacker actions that produce the same outcome, e.g., a code download using different means or protocols. Given the sequence of events in an attack, we replace each event (one at a time) with an interchangeable event to generate a new sequence, i.e., an attack variant. We extended our security testbed to enable generation and replay of attack variants. The testbed contains pre-installed system and network security monitors such as the Bro IDS, system logs, and a network flow collector. To separate replayed attacks from the production network, the testbed is built using Linux Containers (LXC) and virtual machines (VMs). When a security monitor detects an event, it routes the event to an attack detection backend, where different detection techniques are evaluated. Several techniques have been set up for evaluation, specifically: signature-based detection using file hashes of known malicious files, anomaly-based detection using a high frequency of network requests, and a factor-graph-based tool (AttackTagger, developed earlier in this project).
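As an added illustration (not the project's own code), the two steps described above in Python: the Longest Common Subsequence mining that exposes repeated and shared event patterns across attacks, and the one-event-at-a-time substitution that turns a known attack into variants. The three-event RAT-delivery pattern is from the report; the other events, the second attack sequence and the interchangeable-event table are constructed.

```python
# Attack event sequences as the monitors would emit them. The three-event
# RAT-delivery pattern is from the report; the surrounding events are constructed.
ATTACK_A = ["ALERT FAILED PASSWORD", "ALERT FAILED PASSWORD", "ALERT ANOMALOUS HOST",
            "ALERT SENSITIVE HTTP URI", "ALERT INSTALL BOT"]
ATTACK_B = ["ALERT ANOMALOUS HOST", "ALERT NEW USER", "ALERT SENSITIVE HTTP URI",
            "ALERT INSTALL BOT"]

# Hypothetical interchangeable-event database: each key is an event and the value
# lists alternative events that yield the same attacker outcome (e.g. a download
# over a different protocol). Labels are constructed, not real monitor output.
INTERCHANGEABLE = {
    "ALERT SENSITIVE HTTP URI": ["ALERT SENSITIVE FTP URI", "ALERT SENSITIVE SCP TRANSFER"],
    "ALERT INSTALL BOT": ["ALERT INSTALL RAT"],
}

def lcs(a, b):
    """Longest common subsequence of two event sequences (standard DP table)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            dp[i + 1][j + 1] = dp[i][j] + 1 if a[i] == b[j] else max(dp[i][j + 1], dp[i + 1][j])
    # Walk back from dp[n][m] to recover the shared, order-preserving events.
    out, i, j = [], n, m
    while i and j:
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1]); i -= 1; j -= 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return out[::-1]

def repeated_events(seq):
    """Events that recur within one attack (the brute-force signature in the report)."""
    return sorted({e for e in seq if seq.count(e) > 1})

def variants(seq, db=INTERCHANGEABLE):
    """Replace one event at a time with each interchangeable alternative."""
    out = []
    for idx, ev in enumerate(seq):
        for alt in db.get(ev, []):
            out.append(seq[:idx] + [alt] + seq[idx + 1:])
    return out
```

Each generated variant keeps the original attack's ordering, so a detector that only matches the exact original event sequence will miss it while one keyed on the outcome will not.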
Honeypot deployment. We have deployed a honeypot at NCSA to attract real-world attacks. The honeypot hosts an OpenSSH server with weak, i.e., guessable, username/password credentials. Multiple attacks were observed during the two-month period (October - December 2015). The majority are SSH brute-force attacks, in which the attacker enters the honeypot using guessable credentials, for example the username root and password root. We have seen consistent scanning and login activity from IP addresses overseas, and have collected traces of the attacks, including commands and binary attack payloads.
The first attack happened within the first 48 hours of the honeypot being deployed. The attacker came from an IP address located in Hong Kong and entered the system using the username and password combination 'ubuntu'/'ubuntu', after only 75 failed attempts in just under 4 minutes. Analysis of the malware (using our testbed capabilities) can help to improve monitoring of system misuse. The malware uses the honeypot to initiate brute-force attacks against remote SSH servers. Although IDSs such as Bro have policies to detect incoming brute-force requests, they do not have any policy to detect outgoing brute-force requests. Therefore, we can enrich existing IDS policies with an indicator of honeypot misuse: a high number of outgoing connections to port 22 of external hosts.
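As an added example (not the project's code or a Bro policy), the outgoing-brute-force indicator described above implemented over connection records in Python: an alert fires when an internal host, here the honeypot, contacts more than a threshold of distinct external hosts on tcp/22 within a time window. The honeypot address, the internal prefix, the threshold and the six-column conn records (a constructed subset of Bro's conn.log fields) are all assumptions.

```python
from collections import defaultdict

HONEYPOT = "10.0.0.5"        # constructed honeypot address
INTERNAL_PREFIX = "10."      # constructed: anything else is treated as external
THRESHOLD = 20               # distinct external hosts on tcp/22 per window
WINDOW_SEC = 60

# Constructed records: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
# (tab separated, a subset of Bro's conn.log columns).
def make_sample():
    lines = []
    # inbound brute-force attempts, which existing IDS policies already cover
    for k in range(5):
        lines.append(f"{1000 + k}\t203.0.113.7\t{40000 + k}\t{HONEYPOT}\t22\ttcp")
    # the honeypot fanning out to 25 external hosts on port 22 within one minute
    for k in range(25):
        lines.append(f"{1010 + k}\t{HONEYPOT}\t{50000 + k}\t198.51.100.{k + 1}\t22\ttcp")
    return lines

def parse(line):
    ts, orig_h, _orig_p, resp_h, resp_p, proto = line.rstrip("\n").split("\t")
    return float(ts), orig_h, resp_h, int(resp_p), proto

def outbound_ssh_alerts(lines, threshold=THRESHOLD, window=WINDOW_SEC):
    """Return (orig_h, window_start_ts, n_hosts) for each internal source that reached
    more than `threshold` distinct external hosts on tcp/22 within `window` seconds."""
    conns = defaultdict(list)  # orig_h -> [(ts, resp_h)]
    for line in lines:
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, proto = parse(line)
        if (proto == "tcp" and resp_p == 22 and orig_h.startswith(INTERNAL_PREFIX)
                and not resp_h.startswith(INTERNAL_PREFIX)):
            conns[orig_h].append((ts, resp_h))
    alerts = []
    for orig_h, evs in conns.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):          # sliding window over sorted timestamps
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            hosts = {h for _, h in evs[lo:hi + 1]}
            if len(hosts) > threshold:
                alerts.append((orig_h, evs[lo][0], len(hosts)))
                break                       # one alert per source is enough
    return alerts
```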