thor.ps.gz
Master's Thesis, Computer Science, Winter term 2001/2002

THOR: A Tool to Test Intrusion Detection Systems by Variations of Attacks


Intrusion Detection (ID) is the process of monitoring and collecting system and network information in order to determine if an attack or intrusion has occurred. The problem in ID is that the methods are not perfect and Intrusion Detection Systems (IDS) might miss attacks or report false alarms.

To analyze IDSes, I specified, designed, and implemented a tool called Thor that automatically launches attacks and collects the alarms the IDSes report back. Thor uses variations of attacks to make more precise statements about the detection capabilities of an IDS. An important feature of Thor is its ability to autonomously try to evade IDSes by varying attacks.

To detect attacks more reliably and to increase the coverage of detected attacks, more than one IDS can be installed in a production environment. Multiple heterogeneous systems will detect possible attacks more adequately. Correlating the alarms from the different IDSes is an important issue in ongoing research and presents some interesting problems. One of them is to understand how different IDSes react to a given attack. For this purpose, Thor can be used to generate so-called correlation tables.

There are two other scenarios in which Thor can be used. First, network devices can be analyzed for their influence on what an IDS receives: the attacks are routed through those devices, and the alarms the IDSes generate are compared with those generated when the devices are not present. Second, the tool can be used to assess IDSes in a production environment and to check whether they are tuned correctly for that specific environment.
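The correlation table mentioned above (which IDS raises which alarm for each variation of an attack) is easy to misread unless variations that produced no alarm at all are kept in the table. The following is an added example, not code from the Thor thesis or from IBM Research: it builds such a table from a constructed set of alarm records, with made-up IDS names, attack labels and alarm signatures standing in for what a harness like Thor would collect, and then derives per-IDS detection rates, the variants no IDS caught, and the variants only one IDS caught.

```python
"""Correlation table of IDS alarms per attack variation (added example).

The data below is constructed: IDS names, attack labels, variant ids and
alarm signatures are invented for illustration and do not describe real
products or real signatures.
"""

# Every (attack, variant) that the harness launched. Listing the launched
# runs separately from the collected alarms is what keeps silent misses
# (no alarm from any IDS) visible in the table.
LAUNCHED = [
    ("web-cgi", "v1"), ("web-cgi", "v2"), ("web-cgi", "v3"), ("web-cgi", "v4"),
    ("ftp-bounce", "v1"), ("ftp-bounce", "v2"), ("ftp-bounce", "v3"),
]

IDSES = ("ids-A", "ids-B")

# Constructed alarm records: (attack, variant, reporting IDS, alarm signature).
ALARMS = [
    ("web-cgi", "v1", "ids-A", "WEB-CGI probe"),
    ("web-cgi", "v1", "ids-B", "HTTP_CGI_PROBE"),
    ("web-cgi", "v2", "ids-A", "WEB-CGI probe"),
    ("web-cgi", "v3", "ids-B", "HTTP_CGI_PROBE"),
    ("ftp-bounce", "v1", "ids-A", "FTP PORT bounce"),
    ("ftp-bounce", "v1", "ids-B", "FTP_BOUNCE"),
    ("ftp-bounce", "v2", "ids-A", "FTP PORT bounce"),
    ("ftp-bounce", "v2", "ids-A", "FTP PORT bounce"),  # duplicate alarm, collapsed
]


def correlation_table(launched, alarms, idses):
    """Return {(attack, variant): {ids: sorted unique alarm signatures}}.

    Rows come from the launched runs, so a run with no alarms still appears
    with empty lists. An alarm for a run or IDS that was not part of the
    experiment is treated as a harness error rather than silently added.
    """
    table = {run: {ids: [] for ids in idses} for run in launched}
    for attack, variant, ids, signature in alarms:
        run = (attack, variant)
        if run not in table or ids not in table[run]:
            raise ValueError(f"alarm for unknown run {run} / IDS {ids}")
        table[run][ids].append(signature)
    for row in table.values():
        for ids in row:
            row[ids] = sorted(set(row[ids]))
    return table


def detection_rate(table, ids):
    """Fraction of launched variants for which this IDS raised any alarm."""
    detected = sum(1 for row in table.values() if row[ids])
    return detected / len(table)


def combined_detection_rate(table):
    """Fraction of variants caught by at least one IDS (heterogeneous setup)."""
    detected = sum(1 for row in table.values() if any(row.values()))
    return detected / len(table)


def undetected_variants(table):
    """Variants that evaded every IDS in the table."""
    return [run for run, row in table.items() if not any(row.values())]


def only_detected_by(table, ids):
    """Variants that only the given IDS caught: the gain from adding it."""
    return [
        run for run, row in table.items()
        if row[ids] and not any(sigs for name, sigs in row.items() if name != ids)
    ]


def render(table, idses):
    """Plain-text rendering of the table, one launched variant per line."""
    lines = ["attack/variant".ljust(20) + "".join(ids.ljust(24) for ids in idses)]
    for (attack, variant), row in table.items():
        cells = [(", ".join(row[ids]) or "-").ljust(24) for ids in idses]
        lines.append(f"{attack}/{variant}".ljust(20) + "".join(cells))
    return "\n".join(lines)


TABLE = correlation_table(LAUNCHED, ALARMS, IDSES)

if __name__ == "__main__":
    print(render(TABLE, IDSES))
    for ids in IDSES:
        print(f"{ids}: detection rate {detection_rate(TABLE, ids):.2f}, "
              f"only caught by it: {only_detected_by(TABLE, ids)}")
    print(f"combined: {combined_detection_rate(TABLE):.2f}, "
          f"evaded all: {undetected_variants(TABLE)}")
```

Two design points carry over to a real harness: the list of launched runs is the ground truth, never the alarm stream, and duplicate alarms from one IDS for one run are collapsed so that a chatty sensor does not inflate its apparent coverage. The same table, built once with and once without an intermediate network device on the path, gives the comparison described in the first scenario above.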

See also IBM Research
