Event Recognition Beyond Signature and Anomaly

Authors

  • Jon Doyle
  • Isaac Kohane
  • William Long
  • Howard Shrobe
  • Peter Szolovits
Abstract

Notions of signature and anomaly have formed the basis of useful methods in cyber defense, but even in combination provide only weak evidence for recognizing many events of interest. One can recognize many important events without requiring signatures of specific ways the events can take place and without treating every anomalous behavior as an event. We describe an approach to event recognition that subsumes and extends signature and anomaly methods by starting from a richer language for characterizing events. This paper explains how recognition methods based on this richer event-characterization language offer means for overcoming the limitations constraining signature and anomaly methods.

Jon Doyle, William Long, and Peter Szolovits are with the Massachusetts Institute of Technology Laboratory for Computer Science, Cambridge, Massachusetts 02139, USA. E-mail: {doyle,wjl,psz}@mit.edu. Isaac Kohane is with Children's Hospital, Boston, Massachusetts 02115, USA. E-mail: isaac [email protected]. Howard Shrobe is with the Massachusetts Institute of Technology Artificial Intelligence Laboratory, Cambridge, Massachusetts 02139, USA. E-mail: [email protected]

I. Signature and anomaly methods

Notions of signature and anomaly form the backbone of current methods for intrusion detection and cyber defense. Signature-based methods examine the operations performed by processes or requests received by hosts to find a sequence of operations or requests that match a specified pattern. Matching patterns of operations that constitute illegitimate access provides evidence for an attack having taken place. Sometimes failing to match expected patterns of legal operations may also signal an attack. Anomaly-based methods compare usage statistics for some current period against statistical norms developed from previous periods or other considerations. Periods for which the statistics vary too much from the norms constitute anomalies. Anomalous behavior, in turn, constitutes evidence, though possibly weak evidence, for an attack having taken place.

A. Strengths and weaknesses

While both signature and anomaly methods provide evidence to guide intrusion assessments, their most common forms suffer limitations in the quality of the evidence they can provide.

Signature methods are too special. Attackers can use many different patterns of operations to achieve the same end. For example, an attack might involve conducting several concurrent trains of operations. When the attacker can vary freely the interleaving of the steps of these concurrent trains of operations, a defender depending on sequence recognition must stand ready to recognize a large number of possible sequences as instances of the attack. In other cases, the attackers can expand the variety of alternative methods indefinitely by introducing additional detours in the main attack sequence, so going far beyond the multiplicity involved in mere interleaving. More importantly, the defender always has interest in identifying the compromise that has occurred, for responding to the compromise in an effective way requires such knowledge. Apart from law enforcement, however, the defender generally cares less about correctly identifying the particular method used to effect the compromise. Correct identification of the attack method can prove helpful in warning other sites, but such warnings might hinder defense when attackers vary their methods from site to site.

Anomaly methods are too general.
The most dangerous attackers generally know how to hide their activities in the noise, working through scattered low-visibility events that defenders cannot recognize apart from specific expectations about what the attackers might do, expectations that step outside the conception of anomaly as nonspecific recognition of something outside the ordinary. Further, one recognizes an anomaly only with respect to some baseline periods of normality, making recognition difficult for events that do not fall completely within a comparable interval. This possibility increases in likelihood when attackers can make reasonable guesses about the periods of comparison and the nature of normal behavior. More fundamentally, anomaly encompasses anything apart from the norm. It does not distinguish intentional compromise from benign changes in the external environment or inexplicable accident, and so increases the rate of false alarm.

Both signature and anomaly methods offer strengths and weaknesses, but neither's strength fully compensates for the weakness of the other. For example, FTP traffic growing from normal levels to a saturation level and staying there signals a familiar class of intrusion, but no conjunction of signature and anomaly methods characterizes this class. None of the FTP transactions constitutes an attack in itself, and indeed, many may be ordinary and legitimate transactions. The traffic levels certainly count as anomalous, but so do vast numbers of other patterns representing mere accident or very different compromises.

ISBN 0-7803-9814-9/$10.00 © 2001 IEEE

B. Illustrating the weaknesses

To better understand the pragmatic weaknesses of signature and anomaly methods, consider the following fictitious description of events that amalgamates aspects of several actual attacks suffered by the MIT Artificial Intelligence Laboratory and Laboratory for Computer Science in recent years.
A lab ensemble of computers runs a visual surveillance and monitoring (VSM) application. On January 12, 2002 several of the machines experience unusual traffic from outside the lab. Intrusion detection systems report observing several password scans. Fortunately, after about 3 days of varying levels of such activity, things seem to return to normal, and remain apparently normal for another 3 weeks. At that time, however, a machine named Harding that serves crucial functions within the VSM application begins to experience unusually high load averages. The application components running on this machine begin to receive less than the expected quality of service. The load average, degradation of service, the consumption of disk space and the amount of traffic to and from unknown outside machines continue to increase to annoying levels, but then level off. On March 2, a machine named Grant crashes. Fortunately, the VSM application was designed to adapt to unusual circumstances. The application considers whether it should migrate the computations which would normally have run on Grant to run on Harding instead. It considers these computations critical to the application, but decides despite the odd circumstances noticed earlier on Harding that the migration seems reasonable.

Why did the application consider the migration to Harding reasonable in spite of clearly anomalous behavior? It did so because it recognized the events on Harding as a case of someone guessing a user password and setting up an unauthorized FTP site for transshipment of files, such as illicit software or images. The load on the server increased as word spread about this new transshipment site, and leveled off as demand saturated the machine. The observed events provided no evidence that the root account had been compromised, so the application had little reason to worry that critical computations migrated to Harding would experience any further compromise.
The system needed to run those computations somewhere. Even though Harding was loaded more heavily than expected, it still represented the best pool of available computational resources; other machines were even more heavily loaded with other critical computations of the application.

This scenario illustrates in greater detail the inadequacy of signature and anomaly methods in guiding recognition of and response to the intrusion. The intrusion detection systems certainly noticed worrying events in the early stages of the scenario, and detected these events with signature and anomaly methods. Such methods also would classify the high levels of FTP traffic as anomalous, and possibly also so classify some of the individual FTP transactions based on user history. Mere classification as anomaly, however, would not provide the VSM application with the specificity needed to effect the transfer of critical processes to Harding, as the class of anomalous behavior also includes hostile possession of root passwords and the like.

Now consider instead a somewhat different scenario in which the VSM application serves in protecting a threatened diplomatic mission during a period of international tension. In this scenario, the intrusion detection systems, as before, observe a variety of information attacks being aimed at Harding, but now with at least some of these attacks of a type known to occasionally provide root access to a machine like Harding. A period of no anomalous behavior other than a periodic low volume communication with an unknown outside host follows these attacks on Harding. This time, when Grant crashes, the VSM application decides against using Harding as the backup. The event recognized admits significant probability that an intruder gained root access to Harding. The setting of international tensions suggests some probability of malicious political intent behind the intrusion.
The periodic communication with the unknown outside host bears some probability of representing attempts to contact an outside control source for a "go signal" initiating serious spoofing of the application. Under these circumstances, the VSM application chooses to shift the computations to a different machine in the ensemble even though it is considerably more overloaded than Harding.

C. Transcending signature and anomaly

These differing scenarios show how effective response to intrusion requires transcending the capabilities offered by straightforward signature and anomaly methods. Recognition of the FTP-site hijacking pattern requires melding the ideas of sequences and statistics in a very different way than one can obtain with parallel operation of sequence and anomaly detectors. The hijacking implies a correlation between the history of subevents that match standard intrusion-detection signatures and a specific pattern of anomalous behaviors, in which the magnitudes of the anomalies fit an increasing and saturating curve (an S-curve) to some degree of accuracy. In this recognition, mere observation that the increasing load levels constitute anomalies in each time slice does not support recognition of the hijacking event, because a succession of anomalous intervals just adds up to a longer anomalous interval. Anomaly detection then might provide a report for the longer interval of the same form as for the shorter intervals. Such reports might suffice to attract human attention, but do not suffice to distinguish the hijacking event from other intrusions. At the same time, recognition of the hijacking proceeds from observing that the load levels increase to saturation, irrespective of any observation that the load levels during this process constitute anomalies. One might seek to view detection of the increasing and saturating load in terms of an abstract signature over interval statistics.
This moves in the right direction, going significantly beyond simple combination of signature and anomaly detection. Even so, to obtain the desired recognition one must expand the conception of signature beyond the traditional notion of sequences or patterns expressed in regular expressions or context-free languages. Recognition of the FTP hijacking might not depend much on the shape of the increasing and saturating curve of load levels, but recognition of other events can require distinguishing linear, quadratic, or exponential curves, or even different slopes of linear curves. For example, one might expect linearly increasing growth of certain traffic flows in organizations that linearly grow in size each year, and wish to distinguish such secular growth in traffic from exponential increases characteristic of cascaded attacks or exploitations in which each perpetrator triggers several more.

For these reasons, we believe that in order to guide effective response to intrusion and compromise, event recognition must go beyond signature and anomaly to recognize patterns more abstract than signatures but more specific to the particular events of interest than anomaly. These intermediate levels in essence taxonomize different degrees of sensitivity and specificity with respect to different types of events. In any particular diagnostic reasoner, it is well known that one must trade off the sensitivity of recognizing true events against specificity (the probability that only true events are recognized). That trade-off is often shown in an ROC (Receiver Operating Characteristic) curve, whose general form shows that for any degree of increase in either sensitivity or specificity, the other decreases. An improved diagnostic method is one that reduces the magnitude of this reciprocity. Often an enriched representation, which makes it possible to distinguish previously-unrecognizable situations, helps to improve ROC performance. This is the intuition behind our present work.
The following discusses methods by which one can recognize many important events without requiring signatures of specific ways the events can take place and without treating every anomalous behavior as an event.

II. Characterizing events

We seek to characterize different types of events in linguistic descriptions. We use such descriptions to tell the recognition system which events interest us. The recognition system, in turn, uses the descriptions both in recognition processes that match descriptions to sensor information and in explanation processes that communicate and justify recognized instances.

To understand better what expressions the event description language should encompass, consider again the FTP hijacking scenario presented above. One can describe the pattern of activity resulting from the establishment of the FTP transshipment site in terms of activities during several temporal regions. First there was a period of attacks (particularly password scans). Then there was a "quiescent" period. Then there was a period of increasing degradation of service. Finally, there was a leveling off of the degradation but at the saturation level.

One can resolve this summary into finer details that give more insight and perhaps improve the likelihood of recognition. To do this, we describe the trends of average resource load levels and the average volume of traffic from external sites. During the initial attack and quiescence periods, the load levels stay roughly constant while the external site activity goes up and down, because the attacks themselves do not involve much effort. During the exploitation and saturation phase, the load average climbs to saturation well before the external site activity levels out, because a few initial misusers suffice to swamp the host while word of the site continues to spread to further misusers.
One can also describe the pattern of activity involved in the embassy surveillance scenario in terms of activities during several temporal regions, coupled with environmental information. First there was a period of attacks seemingly aimed at obtaining root access occurring during a period of heightened international tension related to the application being run. Then there was a "false peace" period of no attacks (or merely normal attacks) coupled with periodic low-volume foreign communications.

To permit expression of such characterizations of the scenarios, we seek to enrich the event description language. Our starting point in this enrichment follows Haimowitz and Kohane [1], [2], [3], [4], [5], who developed a language of "trend templates" we will call TTL for expressing temporal patterns like those involved in the examples, along with methods for recognizing instances of trend templates in the stream. The key elements of TTL are as follows:

  • Landmark times. Landmark times represent significant points in the unfolding of the event over time, such as boundaries between different phases of the event. These can be concrete times (i.e., fully-specified points on the calendar), but often represent abstract times characterized only by uncertain relations to other time points. The original TTL provided only for simple forms of temporal uncertainty, representing relations of landmark times to other times with time ranges expressing the minimal and maximal times between them.
  • Temporal intervals. Intervals represent periods of the process that characterize significant subevents. Intervals can bear specific or abstract durations constrained by relations to other intervals and to landmark times. Such constraints on temporal position take a form similar to temporal relations among landmark times. Each interval has beginning and ending times. Relational constraints declare these times as satisfying either uncertain (min max) offsets from other landmark points, or uncertain offsets from another interval's beginning or ending points.
  • Temporal relations. These relations provide shorthand means for expressing relations among intervals that one could express at greater length using the (min max) relations. The provided interval relations include the Allen [6] interval relations and others.
  • State constraints. These specify characteristics of objects during temporal intervals, such as constant values, increasing or decreasing values, shapes of curves, etc.
  • Regression functions. These model criteria for matching templates against data, and so describe means for deciding when events occur when uncertainty exists about starting and ending times.

Our current work on the MAITA system [7] seeks to extend the original trend template language in several ways, including augmenting range expressions for indicating temporal relations with more general probability distributions over the occurrence of landmark times. The current constraint language consists mainly of linear and quadratic regression models for numeric data, absolute and relative numerical constraints on functions of the data, and logical combinations of such descriptions and propositions. We expect to augment the state constraint language with probability distributions and additional commonly useful shapes of curves.

To illustrate the representation, Figure 1 presents portions of a simplified trend template that describes the FTP hijacking event. The trend template contains landmark times (indicated by the :landmarks entry) corresponding to initiation of probing, achievement of compromise, initiation of transfers through the site, the point at which the exploit saturates the capabilities of the site, and the current time.
We omit constraints characterizing the probing and latency intervals, but characterize the loading period as an interval constrained to exhibit saturating FTP volume and host load averages. The constraint definitions indicate the parameters being constrained (e.g., FTP-VOLUME) and the qualitative shape formed by the values of the parameter over the interval. The shape model (s-curve (d1 +)), for example, indicates an S-shaped curve connecting two levels, with a positive first derivative in the middle section of the s-curve, that is, an S-curve starting from a low level of FTP volume and leveling off at a higher level. (A simpler model might use a simple linear model (linear (d1 +)) instead of the s-curve.) Similarly, we characterize the subsequent “continuing” period as an interval constrained to exhibit continued exploitation at saturation levels. We characterize these intervals as consecutive sequential phases of the overall event. The temporal relations express lower and upper bounds on the duration of intervals between time points given in the first two elements of each four-element list. Bounds of “0 0” indicate co-occurrence of two points. The relations in this trend template do not bound the duration of probing, and require only small lower bounds on the duration of latency and loading periods, but require longer periods of continuing exploitation to rule out happenstance temporary periods of saturation.
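The trend-template elements listed above and the Figure 1 description can be made concrete with a small matcher. The following Python is an added example, not code from the paper or from the MAITA system: it encodes a simplified FTP-hijacking template (landmarks, consecutive intervals, four-element (min max) relations, and qualitative state constraints written in the paper's (s-curve (d1 +)) style), places the uncertain landmarks in a constructed daily series with a threshold rule standing in for the regression criterion, and checks each interval's shape and duration. The series, the landmark placement rule, the constraints on the latency interval, the day-valued bounds and the shape-classification thresholds are all assumptions of this example. Its shape classifier also separates linear from exponential growth, the distinction Section I.C raises for secular versus cascaded traffic growth.

```python
"""Toy trend-template matcher for the FTP-hijacking event (added example;
not code from the paper or the MAITA project). The data, the landmark
placement rule, the thresholds and the day-valued bounds are assumptions."""
import math


def scenario():
    """Constructed daily FTP volume and load average (not real data).
    Days 0-2 probing (bursty external traffic), 3-23 latency (flat),
    24-39 loading (logistic rise), 40-59 continuing (saturated)."""
    ftp, load = [], []
    for day in range(60):
        if day < 24:
            ftp.append(5.0 + (3.0 if day < 3 and day % 2 == 0 else 0.0))
            load.append(1.0)
        else:
            s = 1.0 / (1.0 + math.exp(-(day - 32) / 2.0))  # logistic rise
            ftp.append(5.0 + 95.0 * s)
            load.append(1.0 + 7.0 * s)
    return {"FTP-VOLUME": ftp, "LOAD-AVERAGE": load}


def _linear_fit(values):
    """Least-squares slope, intercept and unexplained variance ratio."""
    n = len(values)
    xm, ym = (n - 1) / 2.0, sum(values) / n
    sxx = sum((x - xm) ** 2 for x in range(n))
    slope = sum((x - xm) * (y - ym) for x, y in enumerate(values)) / sxx
    intercept = ym - slope * xm
    sst = sum((y - ym) ** 2 for y in values)
    sse = sum((y - intercept - slope * x) ** 2 for x, y in enumerate(values))
    return slope, intercept, (sse / sst if sst else 0.0)


def shape_of(values, tol=0.05):
    """Qualitative shape of one parameter over one interval, named in the
    paper's (shape (d1 sign)) style; the decision rules are assumptions."""
    n = len(values)
    if n < 6:
        return "other"
    if max(values) - min(values) <= tol * max(abs(v) for v in values):
        return "constant"
    d = [b - a for a, b in zip(values, values[1:])]  # daily increments
    peak = max(range(len(d)), key=d.__getitem__)
    # S-curve: monotone rise whose rate peaks strictly inside the interval
    # and is at most half the peak rate at both ends (flat shoulders).
    if (min(d) >= 0 and 0 < peak < len(d) - 1
            and d[0] <= d[peak] / 2 and d[-1] <= d[peak] / 2):
        return "s-curve (d1 +)"
    slope, _, resid = _linear_fit(values)
    if resid < 0.02:
        return "linear (d1 +)" if slope > 0 else "linear (d1 -)"
    if min(values) > 0:  # exponential growth is linear in log space
        lslope, _, lresid = _linear_fit([math.log(v) for v in values])
        if lresid < 0.02 and lslope > 0:
            return "exponential (d1 +)"
    return "other"


# Simplified trend template in the spirit of Figure 1. Intervals are
# consecutive, so each one ends at the landmark where the next begins.
TEMPLATE = {
    "intervals": {  # name: (start landmark, end landmark, {param: shape})
        "probing": ("probe-start", "compromise", {}),
        "latency": ("compromise", "transfer-start",
                    {"FTP-VOLUME": "constant", "LOAD-AVERAGE": "constant"}),
        "loading": ("transfer-start", "saturation",
                    {"FTP-VOLUME": "s-curve (d1 +)",
                     "LOAD-AVERAGE": "s-curve (d1 +)"}),
        "continuing": ("saturation", "now",
                       {"FTP-VOLUME": "constant", "LOAD-AVERAGE": "constant"}),
    },
    # Four-element (min max) relations: bounds in days on the time between
    # two landmarks; None means unbounded, as for the probing duration.
    "relations": [("probe-start", "compromise", 0, None),
                  ("compromise", "transfer-start", 3, None),
                  ("transfer-start", "saturation", 5, None),
                  ("saturation", "now", 14, None)],
}


def place_landmarks(series, compromise, driver="FTP-VOLUME"):
    """Assumed placement rule: probe-start (day 0) and compromise come from
    the intrusion detection reports; transfer-start is the first day the
    driving parameter exceeds its post-compromise baseline by 20%, and
    saturation the first later day within 2% of the final level."""
    v = series[driver]
    baseline = sum(v[compromise:compromise + 3]) / 3
    final = sum(v[-5:]) / 5
    transfer = next((t for t in range(compromise, len(v)) if v[t] > 1.2 * baseline), None)
    if transfer is None:
        return None
    saturation = next((t for t in range(transfer, len(v)) if v[t] >= 0.98 * final), None)
    if saturation is None:
        return None
    return {"probe-start": 0, "compromise": compromise,
            "transfer-start": transfer, "saturation": saturation, "now": len(v)}


def match_template(template, series, landmarks):
    """Check every state constraint and temporal relation; report failures."""
    if landmarks is None:
        return {"recognized": False, "landmarks": None,
                "failures": ["landmarks could not be placed"]}
    failures = []
    for name, (start, end, constraints) in template["intervals"].items():
        lo, hi = landmarks[start], landmarks[end]
        for param, shape in constraints.items():
            observed = shape_of(series[param][lo:hi])
            if observed != shape:
                failures.append(f"{name}: {param} is {observed}, expected {shape}")
    for a, b, lo, hi in template["relations"]:
        gap = landmarks[b] - landmarks[a]
        if gap < lo or (hi is not None and gap > hi):
            failures.append(f"{a}->{b}: {gap} days outside [{lo}, {hi}]")
    return {"recognized": not failures, "landmarks": landmarks, "failures": failures}


if __name__ == "__main__":
    data = scenario()
    print(match_template(TEMPLATE, data, place_landmarks(data, compromise=3)))
```

Running the block places transfer-start at day 24 and saturation at day 40 and recognizes the event; truncating the series so that the volume falls back to baseline instead of staying saturated collapses the loading interval and fails both the s-curve constraint and the 5-day lower bound, which is the paper's point that a long continuing period is needed to rule out a happenstance temporary period of saturation.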

Publication date: 2001