intruders & intrusion detection systems 1. 22 intruders three classes of intruders:three classes...
TRANSCRIPT
1
Intruders&
Intrusion Detection Systems
22
Intruders
• Three classes of intruders:
• An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account
Masquerader
• A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges
Misfeasor
• An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection
Clandestine user
33
Examples of Intrusion
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission
44
Hackers
• Traditionally, those who hack into computers do so for the thrill of it or for status
• Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to counter hacker threats• In addition to using such systems, organizations can consider
restricting remote logons to specific IP addresses and/or use virtual private network technology
• CERTs• Computer emergency response teams• These cooperative ventures collect information about system
vulnerabilities and disseminate it to systems managers• Hackers also routinely read CERT reports• It is important for system administrators to quickly insert all
software patches to discovered vulnerabilities
55
Criminal hackers
• Organized groups of hackers
• Usually have specific targets, or at least classes of targets in mind
• Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting
• IDSs and IPSs can be used for these types of attackers, but may be less effective because of the quick in-and-out nature of the attack
66
Insider Attacks• Among the most difficult to detect and prevent
• Can be motivated by revenge or simply a feeling of entitlement
• Countermeasures:Enforce least privilege, only allowing access to the resources employees need to do their job
Set logs to see what users access and what commands they are entering
Protect sensitive resources with strong authentication
Upon termination, delete employee’s computer and network access
Upon termination, make a mirror image of employee’s hard drive before reissuing it (used as evidence if your company information turns up at a competitor)
77
Intrusion Techniques
• Objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system
• Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a backdoor into the system
8
Intrusion Prevention Want to keep bad guys out Intrusion prevention is a
traditional focus of computer securityo Authentication is to prevent intrusionso Firewalls a form of intrusion
preventiono Virus defenses aimed at intrusion
preventiono Like locking the door on your car
9
Intrusion Detection In spite of intrusion prevention, bad
guys will sometime get in Intrusion detection systems (IDS)
o Detect attacks in progress (or soon after)o Look for unusual or suspicious activity
IDS evolved from log file analysis IDS is currently a hot research topic How to respond when intrusion
detected?o We don’t deal with this topic here…
10
Intrusion Detection
• A system’s second line of defense
• Is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified
• Considerations:• If an intrusion is detected quickly enough, the intruder
can be identified and ejected from the system before any damage is done or any data are compromised
• An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions
• Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility
12
Intrusion Detection Systems
Who is likely intruder?o May be outsider who got thru firewallo May be evil insider
What do intruders do?o Launch well-known attackso Launch variations on well-known attackso Launch new/little-known attackso “Borrow” system resourceso Use compromised system to attack otherso etc.
13
IDS Intrusion detection approaches
o Signature-based IDSo Anomaly-based IDS
Intrusion detection architectureso Host-based IDSo Network-based IDS
Any IDS can be classified as aboveo In spite of marketing claims to the contrary!
14
Host-Based IDS Monitor activities on hosts for
o Known attackso Suspicious behavior
Designed to detect attacks such aso Buffer overflowo Escalation of privilege, …
Little or no view of network activities
15
Network-Based IDS Monitor activity on the network for…
o Known attackso Suspicious network activity
Designed to detect attacks such aso Denial of serviceo Network probeso Malformed packets, etc.
Some overlap with firewall Little or no view of host-base attacks Can have both host and network IDS
16
Signature Detection Example
Failed login attempts may indicate password cracking attack
IDS could use the rule “N failed login attempts in M seconds” as signature
If N or more failed login attempts in M seconds, IDS warns of attack
Note that such a warning is specifico Admin knows what attack is suspectedo Easy to verify attack (or false alarm)
17
Signature Detection
Suppose IDS warns whenever N or more failed logins in M secondso Set N and M so false alarms not common
o Can do this based on “normal” behavior
But, if Trudy knows the signature, she can try N 1 logins every M seconds…
Then signature detection slows down Trudy, but might not stop her
18
Signature Detection
Many techniques used to make signature detection more robust
Goal is to detect “almost” signatures For example, if “about” N login attempts
in “about” M secondso Warn of possible password cracking attempto What are reasonable values for “about”?o Can use statistical analysis, heuristics, etc.o Must not increase false alarm rate too much
19
Signature Detection Advantages of signature detection
o Simpleo Detect known attackso Know which attack at time of detectiono Efficient (if reasonable number of
signatures) Disadvantages of signature detection
o Signature files must be kept up to dateo Number of signatures may become largeo Can only detect known attackso Variation on known attack may not be
detected
20
Anomaly Detection Anomaly detection systems look for
unusual or abnormal behavior There are (at least) two challenges
o What is normal for this system?o How “far” from normal is abnormal?
No avoiding statistics here!o mean defines normalo variance gives distance from normal to
abnormal
21
How to Measure Normal?
How to measure normal?o Must measure during “representative”
behavioro Must not measure during an attack…o …or else attack will seem normal!o Normal is statistical meano Must also compute variance to have
any reasonable idea of abnormal
22
How to Measure Abnormal?
Abnormal is relative to some “normal”o Abnormal indicates possible attack
Statistical discrimination techniques include o Bayesian statisticso Linear discriminant analysis (LDA)o Quadratic discriminant analysis (QDA)o Neural nets, hidden Markov models (HMMs),
etc. Fancy modeling techniques also used
o Artificial intelligenceo Artificial immune system principleso Many, many, many others
23
Anomaly Detection (1) Suppose we monitor use of three
commands:open, read, close
Under normal use we observe Alice:open, read, close, open, open, read, close, …
Of the six possible ordered pairs, we see four pairs are normal for Alice,(open,read), (read,close), (close,open), (open,open)
Can we use this to identify unusual activity?
24
Anomaly Detection (1)
We monitor use of the three commands open, read, close
If the ratio of abnormal to normal pairs is “too high”, warn of possible attack
Could improve this approach by o Also use expected frequency of each pairo Use more than two consecutive commandso Include more commands/behavior in the
modelo More sophisticated statistical discrimination
25
Anomaly Detection (2) Over time, Alice
has accessed file Fn at rate Hn
H0 H1 H2 H3
.10 .40 .40 .10
Is this normal use for Alice? We compute S = (H0A0)2+(H1A1)2+…+(H3A3)2
= .02o We consider S < 0.1 to be normal, so this is normal
How to account for use that varies over time?
Recently, “Alice” has accessed Fn at rate An
A0 A1 A2 A3
.10 .40 .30 .20
26
Anomaly Detection (2)
To allow “normal” to adapt to new use, we update averages: Hn = 0.2An + 0.8Hn
In this example, Hn are updated… H2=.2.3+.8.4=.38 and H3=.2.2+.8.1=.12
And we now haveH0 H1 H2 H3
.10 .40 .38 .12
27
Anomaly Detection (2) The updated
long term average is
H0 H1 H2 H3
.10 .40 .38 .12
Is this normal use? Compute S = (H0A0)2+…+(H3A3)2 = .0488
o Since S = .0488 < 0.1 we consider this normal And we again update the long term
averages:
Hn = 0.2An + 0.8Hn
Suppose new observed rates…
A0 A1 A2 A3
.10 .30 .30 .30
28
Anomaly Detection (2) The starting
averages were:
H0 H1 H2 H3
.10 .40 .40 .10
Statistics slowly evolve to match behavior This reduces false alarms for SA But also opens an avenue for attack…
o Suppose Trudy always wants to access F3
o Can she convince IDS this is normal for Alice?
After 2 iterations, averages are:
H0 H1 H2 H3
.10 .38.364
.156
29
Anomaly Detection (2) To make this approach more robust,
must incorporate the variance Can also combine N stats Si as, say,
T = (S1 + S2 + S3 + … + SN) / N
to obtain a more complete view of “normal”
Similar (but more sophisticated) approach is used in an IDS known as NIDES
NIDES combines anomaly & signature IDS
30
Anomaly Detection Issues Systems constantly evolve and so must
IDSo Static system would place huge burden on
admin o But evolving IDS makes it possible for attacker
to (slowly) convince IDS that an attack is normal
o Attacker may win simply by “going slow” What does “abnormal” really mean?
o Indicates there may be an attacko Might not be any specific info about “attack”o How to respond to such vague information?o In contrast, signature detection is very specific
31
Anomaly Detection Advantages?
o Chance of detecting unknown attacks Disadvantages?
o Cannot use anomaly detection alone…o …must be used with signature detectiono Reliability is unclearo Anomaly detection indicates “something
unusual”, but lacks specific info on possible attack
32
Anomaly Detection: The Bottom Line
Anomaly-based IDS is active research topic Many security experts have high hopes for
its ultimate success Often cited as key future security
technology Hackers are not convinced!
o Title of a talk at Defcon: “Why Anomaly-based IDS is an Attacker’s Best Friend”
Anomaly detection is difficult and tricky As hard as AI?
Honeypots
• Decoy systems that are designed to lure a potential attacker away from critical systems
• Because any attack against the honeypot is made to seem successful, administrators have time to mobilize and log and track the attacker without ever exposing productive systems
• Recent research has focused on building entire honeypot networks that emulate an enterprise, possible with actual or simulated traffic and data
• These systems are filled with fabricated information designed to appear valuable but that a legitimate user of the system wouldn’t access
• Thus, any attempt to communicate with the system is most likely a probe, scan, or attack
Has no production
value
• Divert an attacker from accessing critical systems• Collect information about the attacker’s activity• Encourage the attacker to stay on the system long
enough for administrators to respondDesigned to:
33
