Network attack detection and defense –
Manifesto of the Dagstuhl Perspective Workshop,
March 2nd–6th, 2008
Georg Carle · Falko Dressler · Richard A. Kemmerer · Hartmut Koenig ·
Christopher Kruegel · Pavel Laskov
Published online: 24 February 2009
© The Author(s) 2009. This article is published with open access at S
Abstract This manifesto is the result of the Perspective Workshop Network Attack Detection and Defense held in Schloss Dagstuhl (Germany) from March 2nd–6th, 2008. The participants of the workshop represent researchers from Austria, France, Norway, Switzerland, the United States, and Germany who work actively in the field of intrusion detection and network monitoring. The workshop attendees' opinion was that intrusion detection and flow analysis, which have been developed as complementary approaches for the detection of network attacks, should more strongly combine event detection and correlation techniques to better meet future challenges in reactive security. The workshop participants considered various perspectives to envision future network attack detection and defense. The following topics are seen as important in the future: the development of early warning systems, the introduction of situation awareness, the improvement of measurement technology, a taxonomy of attacks, the application of intrusion and fraud detection to web services, and anomaly detection. In order to realize those visions, the state of the art, the challenges, and the research priorities were identified for each topic by working groups. The outcome of the discussion is summarized in working group papers, which are published in the workshop proceedings. The editors compiled these papers into this manifesto.

Keywords Intrusion detection · Network monitoring · Early warning systems · Situation awareness · Measurement requirements

G. Carle
TU Muenchen, Munich, Germany
F. Dressler
University Erlangen-Nuremberg, Erlangen, Germany
R. A. Kemmerer
University of California, Santa Barbara, CA, USA
H. Koenig (corresponding author)
BTU Cottbus, LS RNKS, PF 101344, 03013 Cottbus, Germany
e-mail: koenig@informatik.tu-cottbus.de
C. Kruegel
Technical University of Vienna, Vienna, Austria
P. Laskov
Fraunhofer Institute Berlin, Berlin, Germany
1 Rationale

The increasing dependence of human society on information technology (IT) systems requires appropriate measures to cope with their misuse. The growing threat potential, which makes these systems more and more vulnerable, stems from the complexity of the technologies themselves and from the growing number of individuals who are able to abuse the systems. Subversive insiders, hackers, and terrorists find ever better opportunities for attacks. In industrialized countries this concerns numerous companies as well as the critical infrastructures, e.g. the health care system, the transportation system, power supply, trade (in particular e-commerce), or military defense.
Reactive measures comprise, besides the classical virus scanner, intrusion detection and flow analysis. The development of intrusion detection systems already began in the eighties. Intrusion detection systems are of prime importance as reactive measures. A wide range of commercial intrusion detection products has been offered in the meantime, especially for misuse detection. The deployment of intrusion detection technology still raises a lot of unsolved problems. These concern, among others, the still high false positive rate in practical use, the scalability of the supervised domains, and the explanatory power of anomaly-based intrusion indications.

16 Carle et al.
In recent years network monitoring and flow analysis have been developed as a complementary approach for the detection of network attacks. Flow analysis aims at the detection of network anomalies based on traffic measurements. Its importance arose with the increasing appearance of denial of service attacks and worm outbreaks, which are less efficient to detect with intrusion detection systems. The flow analysis community developed two approaches for high-speed data collection: flow monitoring and packet sampling. Flow monitoring aims to collect statistical information about specific portions of the overall network traffic, e.g. information about end-to-end transport layer connections. Packet sampling, on the other hand, reduces the traffic using explicit filters or statistical sampling algorithms.
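The two collection approaches named above can be made concrete on a small packet trace. The following Python is an added example written for this page, not code from the manifesto or its authors: it aggregates packets into per-connection flow records keyed by the 5-tuple (flow monitoring, in the style of a NetFlow/IPFIX exporter) and, separately, thins the same trace by an explicit filter and 1-in-n systematic sampling (packet sampling). The trace of three interleaved connections, the 5-tuple key, the idle timeout and the sampling rate are all assumptions made here.

```python
"""Flow monitoring vs. packet sampling on a constructed packet trace.

Added example for this page, not code from the manifesto or its authors.
The trace (three connections, 999 packets), the 5-tuple flow key, the
idle timeout and the 1-in-n sampling rate are all assumptions made here.
"""

FLOW_KEY = ("src", "dst", "sport", "dport", "proto")


def make_trace():
    """Constructed trace: three connections interleaved packet by packet,
    with packet sizes cycling through 60, 576 and 1500 bytes."""
    conns = [
        ("10.1.1.5", "10.1.1.80", 40001, 80, "tcp"),
        ("10.1.1.6", "10.1.1.80", 40002, 443, "tcp"),
        ("10.1.1.7", "10.1.1.53", 40003, 53, "udp"),
    ]
    sizes = [60, 576, 1500]
    pkts = []
    for i in range(999):
        src, dst, sport, dport, proto = conns[i % 3]
        pkts.append({"ts": i * 0.001, "src": src, "dst": dst, "sport": sport,
                     "dport": dport, "proto": proto, "bytes": sizes[(i // 3) % 3]})
    return pkts


def flow_records(pkts, idle_timeout=5.0):
    """Flow monitoring: aggregate packets into per-5-tuple records that carry
    only counters (packets, bytes, first/last seen).  A record is exported
    once its flow has been idle longer than idle_timeout; payloads are never
    kept, which is what makes this cheap at high data rates."""
    active, exported = {}, []
    for p in pkts:
        key = tuple(p[k] for k in FLOW_KEY)
        rec = active.get(key)
        if rec is not None and p["ts"] - rec["last"] > idle_timeout:
            exported.append(active.pop(key))
            rec = None
        if rec is None:
            rec = active[key] = {"key": key, "first": p["ts"], "last": p["ts"],
                                 "packets": 0, "bytes": 0}
        rec["last"] = p["ts"]
        rec["packets"] += 1
        rec["bytes"] += p["bytes"]
    return exported + list(active.values())


def sample_packets(pkts, n=10, keep=None):
    """Packet sampling: apply an optional explicit filter `keep`, then take
    every n-th packet (systematic 1-in-n sampling)."""
    candidates = [p for p in pkts if keep is None or keep(p)]
    return candidates[::n]


def estimate_bytes(sampled, n):
    """Scale the byte count of a 1-in-n sample back up to an estimate of the
    full volume; compare with the exact flow-record sum to see the error."""
    return sum(p["bytes"] for p in sampled) * n


if __name__ == "__main__":
    trace = make_trace()
    flows = flow_records(trace)
    print("flow records:")
    for r in sorted(flows, key=lambda r: r["key"]):
        print(f"  {r['key']}: {r['packets']} packets, {r['bytes']} bytes")
    exact = sum(r["bytes"] for r in flows)
    sample = sample_packets(trace, n=10)
    print(f"1-in-10 sample: {len(sample)} of {len(trace)} packets, "
          f"estimated {estimate_bytes(sample, 10)} bytes vs exact {exact}")
    dns = sample_packets(trace, n=10, keep=lambda p: p["dport"] == 53)
    print(f"filtered to dport 53, then sampled: {len(dns)} packets")
```

The flow records give exact per-connection counters from 999 packets using three small state entries; the 1-in-10 sample keeps 100 packets and estimates the total volume within about one percent on this trace, but any per-packet detail that sampling drops (here nine of every ten packets) is gone for good, which is why the two approaches complement rather than replace each other.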
2 Objectives

The objective of the Perspective Workshop Network Attack Detection and Defense was to discuss future challenges in reactive security, in particular in intrusion detection and flow analysis. New challenges arise as the functionality of network monitoring, attack detection and mitigation must be suitable for a large variety of attacks, and has to be scalable to high data rates and large numbers of flows. Event correlation techniques can be used to combine results from both worlds. The workshop was the first one devoted to this topic in Dagstuhl. A particular objective of this workshop was to bring together the intrusion detection and the network monitoring communities, which still do their research relatively separately and are organized in different communities (e.g. the working groups SIDAR and KUVS in the German Society of Informatics (GI) for reactive security and communication systems, respectively). The seminar was supposed to foster the coordination of the research activities in both communities.
3 Deliverables

The outcome of the workshop is a written manifesto, detailing the open issues and possible research perspectives for the coming 5–10 years according to the objectives given above. The manifesto was compiled by the editors listed on the front page based on the working group papers. Pavel Laskov kindly added a section on anomaly detection. The seminar participants and the composition of the working groups are listed in the appendix.
4 Scoping

4.1 Intrusion detection

The security function intrusion detection deals with the monitoring of IT systems to detect security violations. Which activities have to be considered as security violations in a given context is defined by the applied security policy. Two main complementary approaches are applied: anomaly and misuse detection. Anomaly detection aims at exposing abnormal system and/or network behavior. It requires a comprehensive set of data describing the normal system and network behavior. Although much research has been done in this area, such a description is difficult to obtain, so that anomaly detection currently still has only limited practical importance. Misuse detection focuses on the (automated) detection of known attacks described by patterns, called signatures. These patterns are used to identify an attack in an audit data stream. This approach is applied by the majority of the systems used in practice. Their effectiveness, however, is also still limited. Intrusion detection systems are further classified into network- and host-based systems. Network intrusion detection systems analyze the network traffic to find suspicious attack patterns. They have proven to be robust and are the preferred approach in today's commercial products. The development of field-proven host-based systems seems to be more difficult. Today's solutions are mostly only able to capture simple attacks, especially by matching single-step signatures in audit data streams, which have to be generated by special audit functions after a security relevant event took place.
The successful deployment of intrusion detection systems in practice still has to cope with a number of challenges. One problem is the accuracy of the detection models (such as signatures or specifications). When detection models are overly restrictive, false negatives are possible. This is particularly problematic for misuse detection systems that specify the properties of a particular attack. Here, care must be taken that the properties are not too specific and only valid for a very narrow set of instances of the complete class of attacks. When attack models are overly permissive, on the other hand, they will also match benign traffic. This is often the case with anomaly-based systems. A result of matching benign traffic is a large number of false positives. False positives undermine the trust in the intrusion detection system as they often cause lengthy investigations of valid network traffic. A second problem faced by intrusion detection systems is the large number of alerts that they produce. Network packets are at a very low level, and a single attack scenario run by an adversary (which includes scans, brute-force attacks against multiple services, etc.) can quickly generate hundreds or even thousands of individual packets that match an attack specification. The result is hundreds or thousands of very similar alerts that actually refer to a single root cause. Alert correlation was proposed to infer high-level attack scenarios from a stream of low-level alerts. Unfortunately, the different alert formats and the difficulty of inferring strategies from low-level events make this problem challenging.
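Both problems of this paragraph, a signature that is too narrow for its attack class and a flood of near-identical low-level alerts that stem from one root cause, can be shown on a small audit stream. The following Python is an added example written for this page, not code from the manifesto or its authors: a misuse detector runs two signature sets over a constructed stream (one overly restrictive, one generalised to the attack class), and a two-step alert correlation merges the resulting alerts into scenarios per (source, destination, signature) and then into one attack chain per source. The stream, the host addresses, the SSH banner strings, the 60-second window and the minimum scenario size are all assumptions made here.

```python
"""Misuse detection with signatures, followed by alert correlation.

Added example for this page, not code from the manifesto or its authors.
The audit stream, both signature sets, the host addresses, the 60 s
correlation window and the min_count threshold are constructed here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since start of the constructed capture
    src: str
    dst: str
    dport: int
    payload: str


@dataclass(frozen=True)
class Alert:
    ts: int
    src: str
    dst: str
    dport: int
    sig: str


def make_stream():
    """Constructed audit stream: one adversary (10.0.0.7) scans 200 ports, then
    makes 300 SSH login attempts whose client banner varies between three
    versions of the same tool; a benign host (10.0.0.9) opens one HTTPS
    connection (a single SYN) and sends 50 requests."""
    events, ts = [], 0
    for port in range(1, 201):
        events.append(Event(ts, "10.0.0.7", "10.0.0.20", port, "SYN"))
        ts += 1
    banners = ["SSH-2.0-libssh", "SSH-2.0-libssh_0.7", "SSH-2.0-libssh-0.8"]
    for i in range(300):
        events.append(Event(ts, "10.0.0.7", "10.0.0.20", 22, banners[i % 3] + " login root"))
        ts += 1
    events.append(Event(ts, "10.0.0.9", "10.0.0.20", 443, "SYN"))
    ts += 1
    for _ in range(50):
        events.append(Event(ts, "10.0.0.9", "10.0.0.20", 443, "GET / HTTP/1.1"))
        ts += 1
    return events


# Overly restrictive set: the SSH rule names one exact banner, so two thirds of
# the brute-force attempts raise no alert (false negatives).
NARROW_SIGS = {
    "ssh-bruteforce": re.compile(r"^SSH-2\.0-libssh login root$"),
    "portscan-syn": re.compile(r"^SYN$"),
}
# Generalised to the attack class (any libssh banner version).  The SYN rule is
# permissive in both sets and also fires on the benign host's one SYN.
GENERAL_SIGS = {
    "ssh-bruteforce": re.compile(r"^SSH-2\.0-libssh[-_0-9.]* login root$"),
    "portscan-syn": re.compile(r"^SYN$"),
}


def detect(events, sigs):
    """Misuse detection: one low-level alert per event and matching signature."""
    return [Alert(e.ts, e.src, e.dst, e.dport, name)
            for e in events for name, pat in sigs.items() if pat.search(e.payload)]


def correlate(alerts, window=60):
    """Correlation step 1: merge alerts sharing (src, dst, signature) whose
    timestamps lie within `window` seconds of the previous one into a single
    scenario carrying a count and the set of ports touched."""
    open_scen, scenarios = {}, []
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.src, a.dst, a.sig)
        s = open_scen.get(key)
        if s is None or a.ts - s["last"] > window:
            s = {"sig": a.sig, "src": a.src, "dst": a.dst, "first": a.ts,
                 "last": a.ts, "count": 0, "ports": set()}
            scenarios.append(s)
            open_scen[key] = s
        s["last"] = a.ts
        s["count"] += 1
        s["ports"].add(a.dport)
    return scenarios


def attack_chains(scenarios, min_count=5):
    """Correlation step 2: per source, list scenarios in time order to expose the
    high-level picture (scan followed by brute force).  Scenarios with fewer than
    min_count alerts are dropped, which removes the lone benign SYN."""
    chains = {}
    for s in sorted(scenarios, key=lambda s: s["first"]):
        if s["count"] >= min_count:
            chains.setdefault(s["src"], []).append(s["sig"])
    return chains


def run(sigs, window=60):
    """Return (raw alert count, scenarios, chains) for one signature set."""
    alerts = detect(make_stream(), sigs)
    scenarios = correlate(alerts, window)
    return len(alerts), scenarios, attack_chains(scenarios)


if __name__ == "__main__":
    for label, sigs in (("narrow", NARROW_SIGS), ("general", GENERAL_SIGS)):
        n_alerts, scenarios, chains = run(sigs)
        print(f"{label}: {n_alerts} raw alerts -> {len(scenarios)} scenarios -> {chains}")
        for s in scenarios:
            print(f"  {s['sig']:15} {s['src']} -> {s['dst']} count={s['count']} "
                  f"ports={len(s['ports'])} t={s['first']}..{s['last']}")
```

With the narrow set, 301 raw alerts collapse to three scenarios but only 100 of the 300 brute-force attempts were seen at all; with the generalised set, 501 raw alerts still collapse to the same three scenarios, and the per-source chain reads scan, then brute force, for the single adversary, while the benign host's one SYN match never reaches the analyst. Real deployments face the extra difficulty the text names: alerts from different sensors arrive in different formats and must be normalised before such a key can be built.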
The main merit of anomaly-based intrusion detection techniques is their ability to detect previously unknown attacks. One might think that the collective expertise amassed in the computer security community and a sophisticated infrastructure for the dissemination of security-related advice (e.g. vulnerability tracking systems and signature databases) rule out major outbreaks of "genuinely novel" exploits. Unfortunately, signs are appearing that a wide-scale deployment of efficient tools for obfuscation, mutation, and simple encryption of attacks generates a huge variability of, strictly speaking, only "marginally novel"