The "MIDAS" Touch: MITRE's Unique Intrusion Detection and Analysis Capability


December 2002

Imagine a rainstorm. Now imagine that you must make a record of each raindrop that touches your building and then analyze each of those records to determine if any of the touches are potential intrusion attempts. It's the same when an organization monitors its computer systems and networks.

"MITRE typically sees 3 to 5 million network traffic records each day, every day, from its intrusion detection systems (IDSs)," says MITRE Lead Scientist Clem Skorupka. "Of these, 1-2 million are flagged as 'interesting' by the IDS sensors. Analysts then have to review these flagged records to determine if an intrusion attempt by a hacker or cracker has occurred. This analysis process requires a significant amount of work."

Like many organizations, MITRE operates IDSs as an integral part of its information security (INFOSEC) operation. All IDSs operate basically the same way: IDS sensors generate alerts and a corresponding analysis system enables analysts to check them. MITRE uses several types of IDS sensor software—commercial-off-the-shelf, government-off-the-shelf, and open source—and each generates a report. Once an IDS sensor flags a piece of network traffic, a record is stored in a database. It is these records that are then reviewed via an analysis system. However, most analysis systems are quite limited, providing at best simplistic low, medium, and high priorities when the records are flagged. MITRE has developed an analysis system that goes far beyond these limitations.

A New Approach

MITRE's internal IDS analysis system, the MITRE Intrusion Detection and Analysis System (MIDAS), is a result of significant research and engineering and provides MITRE with a leading-edge capability unlike anything else available today. There are three key components to MIDAS: the underlying architecture, the data analysis capabilities, and the analyst interface.

The architecture includes a combination of IDS, firewall, and router sensor software to monitor MITRE's network traffic. Typically, each of these sensor products employs its own database. MITRE, however, took a different approach and created a single database that incorporates data from all of the sensors in one location.

"This was critical," says Skorupka, "because putting all of the data in one place made the development of our analysis tools and interface possible."

MIDAS Analysis Capabilities

Once the underlying architecture was created, an internal MITRE-funded team examined how data mining techniques and some heuristic techniques could be applied to the domain of IDS data and analysis. The results were capabilities that aggregate, reprioritize, and otherwise group related data. They are known as HOMER, MARGE, BART, and GHOST.

"The capabilities we've developed to look at the millions of daily records not only provide a significant reduction in what human analysts need to review personally every day, but also look back at historical events to highlight what are referred to as 'low and slow' reconnaissance, or attacks, against our networks," says Bill Hill, a senior principal INFOSEC scientist who led the team that conducted the research. Low and slow attacks are when a patient attacker executes a few probes at a time over the course of days or weeks, attempting to avoid detection.

"We see a high incidence of outsiders mapping MITRE's networks," continues Hill, "which is something we can't really prevent without significantly reducing the operating effectiveness of our networks."

Each network-mapping incident generates thousands of records that act as "network noise" that could distract the analyst. HOMER, or "Heuristic for Obvious Mapping Episode Recognition," automatically reviews all IDS events and aggregates those that it decides are part of the same mapping scan. This significantly reduces the manual work that has to be done by the analysts before they can really start analyzing the traffic.

Attempts from outsiders to create port maps of MITRE systems (known as "host profiling") also generate significant IDS traffic. Analysis of HOMER's performance led to the development of a similar capability for aggregating host-profiling incidents: GHOST, or "Gathering Heuristic for Obvious Scanning Techniques." The usefulness of HOMER and GHOST then led to the creation of MARGE, or "Malicious Activity Report Generalized Extractor." MARGE is a framework for mapping aggregation tools that allows MITRE analysts to create configuration files to enable MARGE to analyze, for example, address-mapping or host-profiling data.

"The number of IDS sensor events recorded every day is constantly increasing," says Skorupka. "This means there is an increase in the number of mapping incidents generated by HOMER and GHOST. In a very real sense, bringing all this information together created a new problem due to the volume of incidents generated."

On the basis of our experience with the aggregation capabilities, MITRE found that the generated incidents could themselves be prioritized, further reducing the workload on the analysts. BART, or "Backup Analysis and Review of Tagging," provides MITRE with a second-level analysis of the mapping data, analyzing HOMER incidents for potential anomalies or trends that may be more than simple mapping incidents. BART raises the priority of an incident if more serious activity occurs from the same source address, such as an attempt to exploit a known vulnerability.
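The three heuristics described above (HOMER grouping one source's alerts into an address-mapping episode, GHOST grouping many ports on one host into a host-profiling episode, and BART raising an episode's priority when the same source also does something more serious) can be sketched as a single aggregation pass over a shared alert table. The following is an added illustration written for this page, not MITRE's MIDAS code: the thresholds, the seven-day episode window, the `EXPLOIT` signature prefix, and the sample alert records are all assumptions chosen to show the idea, including a "low and slow" sweep spread over six days that still collapses into one incident.

```python
"""HOMER/GHOST/BART-style aggregation of IDS alerts (illustrative reimplementation, not MITRE's code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    dst: str
    dport: int
    sig: str          # sensor signature name, e.g. "SCAN SYN" or "EXPLOIT ..."


@dataclass
class Incident:
    kind: str         # "mapping" (HOMER-style) or "profiling" (GHOST-style)
    src: str
    alerts: list
    priority: str = "low"

    @property
    def hosts(self):
        return {a.dst for a in self.alerts}

    @property
    def ports(self):
        return {a.dport for a in self.alerts}


# Hypothetical thresholds; the article gives none.
MAPPING_MIN_HOSTS = 5       # one source touching >= 5 distinct hosts = address mapping
PROFILING_MIN_PORTS = 5     # one source touching >= 5 distinct ports on one host = host profiling
WINDOW = timedelta(days=7)  # wide window so "low and slow" probing still lands in one episode
EXPLOIT_PREFIX = "EXPLOIT"  # signature prefix treated as "more serious activity" for the BART step


def _episodes(alerts):
    """Split one source's chronologically sorted alerts into episodes no longer than WINDOW."""
    episode = []
    for a in alerts:
        if episode and a.ts - episode[0].ts > WINDOW:
            yield episode
            episode = []
        episode.append(a)
    if episode:
        yield episode


def aggregate(alerts):
    """Return (incidents, residual): residual holds alerts no heuristic claimed."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_src[a.src].append(a)
    incidents, residual = [], []
    for src, group in by_src.items():
        for episode in _episodes(group):
            scans = [a for a in episode if not a.sig.startswith(EXPLOIT_PREFIX)]
            serious = [a for a in episode if a.sig.startswith(EXPLOIT_PREFIX)]
            residual.extend(serious)  # exploit attempts always reach an analyst individually
            per_host_ports = defaultdict(set)
            for a in scans:
                per_host_ports[a.dst].add(a.dport)
            if len(per_host_ports) >= MAPPING_MIN_HOSTS:
                inc = Incident("mapping", src, scans)       # HOMER-style episode
            elif any(len(p) >= PROFILING_MIN_PORTS for p in per_host_ports.values()):
                inc = Incident("profiling", src, scans)     # GHOST-style episode
            else:
                residual.extend(scans)
                continue
            if serious:               # BART-style second pass: same source, more serious activity
                inc.priority = "high"
            incidents.append(inc)
    return incidents, residual


def review_reduction(alerts):
    """Fraction of raw alerts an analyst no longer has to read one by one."""
    incidents, residual = aggregate(alerts)
    manual = len(residual) + len(incidents)   # each incident is one item to review
    return round(1 - manual / len(alerts), 3)


def sample_alerts():
    """Constructed sample: three sources seen by the sensors over one week."""
    t0 = datetime(2002, 12, 2, 8, 0)
    alerts = []
    # 198.51.100.7: low-and-slow address sweep, one or two hosts per day over six days
    for i in range(8):
        alerts.append(Alert(t0 + timedelta(days=i * 6 // 8, hours=i),
                            "198.51.100.7", f"192.0.2.{10 + i}", 445, "SCAN SYN"))
    # 203.0.113.9: host profiling of 192.0.2.10, then an exploit attempt against it
    for j, port in enumerate([21, 22, 23, 25, 80, 110, 143]):
        alerts.append(Alert(t0 + timedelta(minutes=j), "203.0.113.9", "192.0.2.10", port, "SCAN SYN"))
    alerts.append(Alert(t0 + timedelta(minutes=30), "203.0.113.9", "192.0.2.10", 80,
                        "EXPLOIT web server overflow attempt"))
    # 192.0.2.200: two unrelated alerts that stay with the analyst
    alerts.append(Alert(t0 + timedelta(hours=3), "192.0.2.200", "192.0.2.11", 53, "DNS zone transfer"))
    alerts.append(Alert(t0 + timedelta(days=2), "192.0.2.200", "192.0.2.12", 53, "DNS zone transfer"))
    return alerts


if __name__ == "__main__":
    incs, rest = aggregate(sample_alerts())
    for inc in incs:
        print(f"{inc.kind:9} src={inc.src} hosts={len(inc.hosts)} ports={len(inc.ports)} priority={inc.priority}")
    print(f"{len(rest)} alerts left for manual review; reduction={review_reduction(sample_alerts()):.1%}")
```

On the constructed sample the 18 alerts collapse to two incidents plus three residual alerts: the sweep becomes one low-priority mapping incident even though its probes span six days, and the port profile of 192.0.2.10 becomes a profiling incident escalated to high because the same source followed it with an exploit attempt. The single shared alert table is what makes the BART step cheap: the second pass only has to look up other alerts from the same source address.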

"It is this combination of MITRE-developed analysis capabilities and data mining techniques that gives us the confidence to let the heuristics make a large group of data low priority so we only have to look at the attacks," says Skorupka. "The last time we surveyed our data, we saw a 97 percent reduction in the number of alarms requiring manual review."

The MIDAS Interface

The final key element of MIDAS is the analyst's interface, which allows MITRE analysts to review IDS data from the highest to the lowest level, across all of our data. This provides not only a single point of entry, but an integrated and extremely powerful set of capabilities unlike anything available today.

One of the typical methods for performing advanced analysis of IDS data is through the query and reporting tools that are part of the commercial-off-the-shelf IDS tools. These tools employ Structured Query Language (SQL) queries to sort and return data and are somewhat limited and inflexible. The MIDAS interface provides more capability and more flexibility. MIDAS is a real-time, Web browser-based interface that can perform powerful search, analysis, and filtering of the records stored in the database. The returned data can be reviewed via browser, imported into Access/Excel for pivot table analysis, or exported for use with other data mining tools.

Using MIDAS, our analysts can review and browse generated incidents, look at individual events according to multiple criteria of their choosing, and examine historical data. These capabilities allow MITRE to perform sophisticated analysis and queries far beyond the predefined or low-level queries of off-the-shelf products.

MIDAS has proven its power and flexibility during a number of investigations into attacks on MITRE systems and networks, and it has also proven to be extremely valuable for forensics analysis. Hill explains, "Everybody who does intrusion detection collects sensor data, and everybody who does intrusion detection performs analysis on their data. What we have with MIDAS is a proven, state-of-the-art data collection and analysis capability that enables MITRE IDS analysts to do things that other analysts can only dream of."

What's Next?

MITRE's experience developing these intrusion detection and analysis capabilities puts us in a better position to review similar commercial products for our sponsors. Discussions are now underway with sponsors and projects regarding the capability, and MITRE's IDS team is considering releasing portions of MIDAS to the open source community.

—by Bob Roberge


For more information about MIDAS and MITRE's IDS activities, please contact MITRE INFOSEC Section Leader Steve Boyle using the employee directory.

Page last updated: February 18, 2004