Publication


Featured research published by Frédéric Majorczyk.


Recent Advances in Intrusion Detection | 2005

COTS diversity based intrusion detection and application to web servers

Eric Totel; Frédéric Majorczyk; Ludovic Mé

It is commonly accepted that intrusion detection systems (IDS) are required to compensate for the insufficient security mechanisms that are available on computer systems and networks. However, the anomaly-based IDSes that have been proposed in recent years present some drawbacks, e.g., the necessity to explicitly define a behaviour reference model. In this paper, we propose a new approach to anomaly detection, based on design diversity, a technique from the dependability field that has been widely ignored in the intrusion detection area. The main advantage is that it provides an implicit and complete reference model, instead of the explicit model usually required. For practical reasons, we actually use Components-off-the-shelf (COTS) diversity, and discuss the impact of this choice. We present an architecture using COTS diversity, and then apply it to web servers. We also provide experimental results that confirm the expected properties of the built IDS, and compare them with other IDSes.


Visualization for Computer Security | 2013

ELVIS: Extensible Log VISualization

Christopher Humphries; Nicolas Prigent; Christophe Bidan; Frédéric Majorczyk

In this article, we propose ELVIS, a security-oriented log visualization tool that allows security experts to visually explore numerous types of log files through relevant representations. When a log file is loaded into ELVIS, a summary view is displayed. This view is the starting point for exploring the log. The analyst can then choose to explore certain fields or sets of fields from the dataset. To that end, ELVIS selects relevant representations according to the fields chosen by the analyst for display.


Information Security Conference | 2008

Anomaly Detection with Diagnosis in Diversified Systems using Information Flow Graphs

Frédéric Majorczyk; Eric Totel; Ludovic Mé; Ayda Saidane

Design diversity is a well-known method to ensure fault tolerance. Such a method has also been applied successfully in various projects to provide intrusion detection and tolerance. Two types of approaches have been investigated: the comparison of the outputs of the diversified services without any knowledge of the internals of the server (black-box approach), or an intrusive observation of the activities that occur on the diversified servers (gray-box approach). Previous work on black-box approaches has shown that some types of attacks cannot be detected. In this paper, we introduce a gray-box approach, on the one hand to increase the detection coverage, and on the other hand to add some diagnosis capability to the IDS. Our gray-box approach is based on the comparison of information flow graphs generated by the activities on the servers.


Information Security Conference | 2011

Detecting Illegal System Calls Using a Data-Oriented Detection Model

Jonathan-Christofer Demay; Frédéric Majorczyk; Eric Totel; Frédéric Tronel

The most common anomaly detection mechanisms at application level consist in detecting a deviation of the control flow of a program. A popular method to detect such an anomaly is the use of application sequences of system calls. However, such methods do not detect mimicry attacks or attacks against the integrity of the system call parameters. To enhance such detection mechanisms, we propose an approach to detect, in the application, the corruption of data items that have an influence on the system calls. This approach consists in automatically building a data-oriented behaviour model of an application by static analysis of its source code. The proposed approach is illustrated on various examples, and an injection method is experimented with to obtain an approximation of the detection coverage of the generated mechanisms.


Visualization for Computer Security | 2014

CORGI: combination, organization and reconstruction through graphical interactions

Christopher Humphries; Nicolas Prigent; Christophe Bidan; Frédéric Majorczyk

In this article, we present CORGI, a security-oriented log visualization tool that allows security experts to visually explore and link numerous types of log files through relevant representations and global filtering. The analyst can mark values as values of interest and then use these values to pursue the exploration in other log files, allowing him to better understand events and reconstruct attack scenarios. We present the user interface and interactions that ensure these capabilities and provide two use cases based on challenges from VAST and from the Honeynet project.


Information Assurance and Security | 2014

Automatic generation of correlation rules to detect complex attack scenarios

Erwan Godefroy; Eric Totel; Michel Hurfin; Frédéric Majorczyk

In large distributed information systems, alert correlation systems are necessary to handle the huge amount of elementary security alerts and to identify complex multi-step attacks within the flow of low level events and alerts. In this paper, we show that, once a human expert has provided an action tree derived from an attack tree, a fully automated transformation process can generate exhaustive correlation rules that would be tedious and error prone to enumerate by hand. The transformation relies on a detailed description of various aspects of the real execution environment (topology of the system, deployed services, etc.). Consequently, the generated correlation rules are tightly linked to the characteristics of the monitored information system. The proposed transformation process has been implemented in a prototype that generates correlation rules expressed in an attack description language.


International Conference on Stabilization, Safety and Security of Distributed Systems | 2006

A dependable intrusion detection architecture based on agreement services

Michel Hurfin; Jean-Pierre Le Narzul; Frédéric Majorczyk; Ludovic Mé; Ayda Saidane; Eric Totel; Frédéric Tronel

In this paper, we show that the use of diversified COTS servers allows the detection of intrusions corresponding to unknown attacks. We present an architecture that ensures both confidentiality and integrity at the COTS server level and we extend it to enhance availability. Replication techniques implemented on top of agreement services are used to avoid any single point of failure. On the one hand, we assume that COTS servers are complex software that contains some vulnerabilities and thus may exhibit arbitrary behaviors. On the other hand, the other basic components of the proposed architecture are simple enough to be exhaustively verified; that is why we assume that they can only suffer from crash failures. The whole system is assumed to be asynchronous and, furthermore, messages can be lost. In the particular case of web servers connected to databases, we identify the properties that have to be maintained and the alarms that have to be raised. We describe in detail how the different replicated levels interact together and, for each level, we specify the reasons that have led us to use a particular agreement service. Performance evaluations are conducted to measure the quality of service of the intrusion detection system (quantity of false positives and lack of false negatives) and the additional cost induced by the mechanisms used to ensure the availability of this secure architecture.


Availability, Reliability and Security | 2009

Automated Instruction-Set Randomization for Web Applications in Diversified Redundant Systems

Frédéric Majorczyk; Jonathan-Christofer Demay

The use of diversity and redundancy in the security domain is an interesting approach to prevent or detect intrusions. Many researchers have proposed architectures based on those concepts where diversity is either natural or artificial. These architectures are based on the architecture of N-version programming and were often instantiated for web servers without taking into account the web application(s) running on them. In this article, we present a solution to protect the web applications running on this kind of architecture in order to detect and tolerate code injection intrusions. Our solution consists in creating diversity in the web application scripts by randomizing the language understood by the interpreter, so that injected code cannot be executed by all the servers. We also present the issues related to the automation of our solution and present some solutions to tackle these issues.


Network Operations and Management Symposium | 2016

VEGAS: Visualizing, exploring and grouping alerts

Damien Crémilleux; Christophe Bidan; Frédéric Majorczyk; Nicolas Prigent

The large quantities of alerts generated by intrusion detection systems (IDS) make it very difficult to distinguish real threats from noise on a network. To help solve this problem, we propose VEGAS, an alert visualization and classification tool that allows first-line security operators to group alerts visually based on their principal component analysis (PCA) representation. VEGAS is included in a workflow in such a way that, once a set of similar alerts has been collected and diagnosed, a filter is generated that redirects forthcoming similar alerts to other security analysts who are specifically in charge of this set of alerts, in effect reducing the flow of raw undiagnosed alerts.


International Conference on Information Systems Security | 2015

Assessment of an Automatic Correlation Rules Generator

Erwan Godefroy; Eric Totel; Michel Hurfin; Frédéric Majorczyk

Information systems are prone to attacks. Those attacks can take different forms, from an obvious DDoS to a complex attack scenario involving a step-by-step stealthy compromise of key nodes in the target system. In order to detect those multi-step attack scenarios, alert correlation systems are required. Those systems rely on explicit or implicit correlation rules in order to detect complex links between various events or alerts produced by IDSes. Explicit and accurate correlation rules strongly linked with the system are difficult to build and maintain manually. However, this process can be partially automated when enough information on the attack scenario and the target system is available. In this paper, we focus on the evaluation of correlation rules produced by an automatic process. First, the method is evaluated on a representative system. In this realistic evaluation context, when the knowledge of both the attack scenario and the targeted system is precise enough, the generated rules yield a perfect detection rate, with no false positives and no false negatives. Then stress tests are conducted in order to measure the robustness of the approach when the generation of rules relies on provided knowledge which is either partially incorrect or incomplete.

Collaboration

Top Co-Authors


Christophe Bidan

French Institute for Research in Computer Science and Automation
