relevant data is output for further analysis. Since most signatures have fewer than
10 criteria, this may not be effective in all cases, due to the anticipated difficulty
in selecting good matching thresholds.
4 Experimental Results
In order to test the algorithm it is important to know how greatly the set of
candidate packets for novel attack variations can be reduced. We perform a
simple experiment to validate the algorithm in this way. We chose to prototype
the algorithm inside Firestorm[14], a signature matching IDS which uses the
de-facto standard snort[15] signatures.
A circa 2000 wu-ftpd[11] exploit called “autowux” is to be our novel variation
on the snort “FTP EXPLOIT format string” signature (figure 2). These exploits
share the same attack methodology, namely exploiting format string overflows
in the File Transfer Protocol (FTP) “SITE EXEC” command.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format
string"; flow:to_server,established; content:"SITE EXEC |25 30 32 30
64 7C 25 2E 66 25 2E 66 7C 0A|"; depth:32; nocase;)
Fig. 2. Generic snort signature for FTP format string exploits
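To make the signature's matching criteria concrete, the following added example (not code from the paper or from Firestorm) parses the content, depth and nocase options of the figure 2 rule and applies them to constructed packet payloads. It shows why an exact content match catches only the one format string the rule encodes, which is the brittleness the experiment sets out to address; the sample payloads are constructed for illustration and are not exploit code.

```python
import re

# The snort rule from figure 2, as the prototype IDS would load it.
FTP_FORMAT_STRING_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; '
    'flow:to_server,established; content:"SITE EXEC |25 30 32 30 64 7C 25 2E 66 '
    '25 2E 66 7C 0A|"; depth:32; nocase;)'
)


def parse_content(rule):
    """Turn the rule's content: option into raw bytes, expanding |hex| pipes."""
    m = re.search(r'content:\s*"([^"]*)"', rule)
    if m is None:
        raise ValueError("rule has no content option")
    out = bytearray()
    for i, chunk in enumerate(m.group(1).split("|")):
        if i % 2:  # odd chunks sit between pipes and are hex bytes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:      # even chunks are literal text
            out += chunk.encode("latin-1")
    return bytes(out)


def parse_option(rule, name, default=None):
    """Return the value of a 'name:value;' option, or default if absent."""
    m = re.search(r"%s:\s*([^;]+);" % re.escape(name), rule)
    return m.group(1).strip() if m else default


def matches(rule, payload):
    """Apply content/depth/nocase to one packet payload (flow state ignored)."""
    pattern = parse_content(rule)
    depth = parse_option(rule, "depth")
    # depth:N means the pattern must lie entirely within the first N bytes
    window = payload[:int(depth)] if depth else payload
    if re.search(r"\bnocase\s*;", rule):
        return pattern.lower() in window.lower()
    return pattern in window


if __name__ == "__main__":
    # Constructed payloads: the signature's own bytes, a case variant,
    # and a hypothetical variation using a different format string.
    for p in (b"SITE EXEC %020d|%.f%.f|\n",
              b"site exec %020D|%.F%.F|\n",
              b"SITE EXEC %s%s%s%s\n"):
        print(p, "->", matches(FTP_FORMAT_STRING_RULE, p))
```

The third payload shares the attack methodology (a format string passed to SITE EXEC) but is not flagged, which is exactly the situation the paper describes for the autowux packets against a full signature set.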
The IDS is loaded with a full signature set and is tested to make sure that
the autowux exploit packets are not already detected. A contrived attack graph
with 3 exploits is also created (see figure 3). An nmap scan is the prerequisite
and vulnerability to rootkit installation is the consequence of our “novel” FTP
exploit.
The attack scenario is successfully played out across an otherwise quiet test
network (run #1). The attack contains on the order of three thousand packets
and the problem should be fairly simple because in the absence of background
noise a high proportion of the packets are part of the FTP attack (975 of them
to be precise). To make things more realistic, a second run of the experiment
is carried out in which there is background FTP traffic to our vulnerable host.
The background traffic is from the Lincoln Labs FTP data-set[16].
The two data sets were merged based on time deltas between packets, with the
start packets synchronised. This provides a realistic and repeatable mix of
benign and attack traffic (run #2).
The table below gives initial results for the prototype implementation based
on a number of uncontrolled experiments. Total packets is the total number of
packets in the merged data set, Ag packets refers to candidate packets in the DC
and output packets refers to the final results, i.e. those packets in which there is
a suspected novel variation of an attack. False positive (FP) and false negative
(FN) rates are calculated through manual analysis of the output. In this case
there is one true positive in each data set, so every candidate output packet that
is not the true positive is a false positive, and the rate is calculated as
$\frac{n-1}{n}$, where $n$ is the number of output packets.