
Chapter 9

Intruders

Bhargavi H Goswami,
Sunshine Group of Institutions,
Rajkot, Gujarat, India.
Email: [email protected]
Mob: +91 9426669020

Outline

1. Intruders
   1. Intrusion Techniques
2. Intrusion Detection
   1. Audit Records
   2. Statistical Anomaly Detection
   3. Rule-Based Intrusion Detection
   4. The Base-Rate Fallacy
   5. Distributed Intrusion Detection
   6. Honeypots
   7. Intrusion Detection Exchange Format
3. Password Management
   1. Password Protection
   2. Password Selection Strategies


Intruders

• Three classes of intruders (hackers or crackers) given by Anderson:
– Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account (appears as a different person). Typically an outsider.
– Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges (does wrong). An insider.
– Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection (acts in secret). Outsider or insider.


Wily Hacker

• Incident happened in 1986-1987.
• Nationwide crackdown on illicit computer hackers.
• Arrests.
• Criminal charges.
• One dramatic show trial.
• Several guilty pleas.
• Confiscation of massive amounts of data and computer equipment.
• People believed that the problem was under control.
• But actually it was not.
• Bell Labs experienced:
– Attempts to copy the password file every other day.
– A suspicious remote procedure call every week.
– Attempts to connect to nonexistent "bait" machines every 15 days.


Texas A&M University

• August 1992.
• By monitoring activity, the computer center personnel learned that there were several outside intruders involved, who were running password-cracking routines on various computers.
• The intruders had connected to almost 12,000 systems.
• Analysis showed that there were two levels of hackers:
– High level: sophisticated users, thoroughly familiar with the technology.
– Low level: foot soldiers, who use cracking programs.
• Solution: Computer Emergency Response Teams (CERTs).
• Another problem: intruders attempted to modify login software to enable them to capture the passwords of users logging on to systems.
• Let's have a look at intrusion techniques.


Intrusion Techniques

• The system maintains a file that associates a password with each authorized user.
• The password file can be protected with:
– One-way encryption: the password is used to generate a key for a one-way function, and only the output of that function is stored.
– Access control: access to the password file is limited to one or very few accounts.


Techniques for guessing passwords:

• Try default passwords.
• Try all short words, 1 to 3 characters long.
• Try all the words in an electronic dictionary (60,000 words).
• Collect information about the user's hobbies, family names, birthday, etc.
• Try the user's phone number, social security number, street address, etc.
• Try all license plate numbers (e.g. MUP103).
• Use a Trojan horse to bypass restrictions on access.
• Tap the line between a remote user and the host system.

Solution:

Detection: Learning of an attack either before or after its success.
Prevention: Enforce good password selection.

Fact: The defender must attempt to thwart all possible attacks, whereas the attacker is free to try to find the weakest link in the defense chain and attack at that point.


Intrusion Detection

• Main topics:
a. Audit Records
b. Statistical Anomaly Detection
c. Rule-Based Intrusion Detection
d. The Base-Rate Fallacy
e. Distributed Intrusion Detection
f. Honeypots
g. Intrusion Detection Exchange Format

Intrusion Detection Considerations:

• If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done.
• An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.
• Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
• Anderson's study [ANDE80]: one could, with reasonable confidence, distinguish between a masquerader and a legitimate user by observing past history.
• [PORR92] identifies the following approaches to intrusion detection:


1. Statistical anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
   a. Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.
   b. Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts.

2. Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
   a. Anomaly detection: Rules are developed to detect deviation from previous usage patterns.
   b. Penetration identification: An expert system approach that searches for suspicious behavior.


• Statistical anomaly detection is effective against masqueraders, whose behavior differs from that of the legitimate account holder.
• It is unable to deal with misfeasors, who stay within their normal pattern of use while misusing their privileges.
• For those, rule-based approaches may be able to recognize events and sequences that, in context, reveal penetration.
• Conclusion: In practice, a system may exhibit a combination of both approaches to be effective against a broad range of attacks.


a) Audit Records

• To implement an intrusion detection system, you need to maintain records of ongoing activities.
• Two plans:
– Native audit records:
  • The multiuser OS already collects accounting information.
  • Advantage: no additional software required.
  • Disadvantage: may not be in a convenient form.
– Detection-specific audit records:
  • Collects only the information that is required.
  • Advantage: vendor independent and can be ported to a variety of systems.
  • Disadvantage: overhead, as two accounting packages run on the same system.
• Example of a good audit record format: Dorothy Denning [DENN87].


Dorothy Denning [DENN87]

• Has the following fields:
– Subject: Initiators of actions. A subject is typically a terminal user but might also be a process acting on behalf of users or groups of users. All activity arises through commands issued by subjects. Subjects may be grouped into different access classes, and these classes may overlap.
– Action: Operation performed by the subject on or with an object; for example, login, read, perform I/O, execute.
– Exception-Condition: Denotes which, if any, exception condition is raised on return.


– Object: Receptors of actions. Examples include files, programs, messages, records, terminals, printers, and user- or program-created structures. When a subject is the target of an action, the subject may itself be considered an object. Objects may be grouped by type. Database actions may be audited for the database as a whole or at the record level.
– Resource-Usage: A list of quantitative elements in which each element gives the amount used of some resource (e.g., number of lines printed or displayed, number of records read or written, processor time, I/O units used, session elapsed time).
– Time-Stamp: Unique time-and-date stamp identifying when the action took place.


• A file copy involves the execution of the user command, which includes doing access validation and setting up the copy, plus the read from one file, plus the write to another file. Consider the command

COPY GAME.EXE TO <Library>GAME.EXE

• issued by Smith to copy an executable file GAME from the current directory to the <Library> directory. The following audit records may be generated:

• In this case, the copy is aborted because Smith does not have write permission to <Library>.


b) Statistical Anomaly Detection

• Fall into two broad categories:
– threshold detection and
– profile-based systems.
• A few metrics:
– Counter
– Gauge
– Interval Timer
– Resource Utilization


• Counter:
– A nonnegative integer that may be incremented but not decremented until it is reset by management action.
– Examples:
  • logins by a single user during an hour,
  • number of password failures during a minute.
• Gauge:
– A nonnegative integer that may be incremented or decremented.
– Used to measure the current value of some entity.
– Examples:
  • number of logical connections assigned to a user application,
  • number of outgoing messages queued for a user process.
• Interval Timer:
– Length of time between two related events.
– Example:
  • length of time between successive logins.
• Resource Utilization:
– Quantity of resources consumed during a specified period.
– Examples:
  • number of pages printed during a user session,
  • total time consumed by a program execution.


• How to determine whether current activity fits within acceptable limits?
– Mean and standard deviation
  • Gives average behaviour and its variability.
  • Applicable to counters, timers, and resource measures.
– Multivariate
  • Based on correlations between two or more variables.
  • Gives greater confidence than the previous method.
– Markov process
  • Establish transition probabilities among various states.
– Time series
  • Focus on time intervals.
  • Look for sequences of events that happened too rapidly or too slowly.
  • Characterize abnormal timings.
– Operational model
  • Judgemental on what is abnormal.
  • Fixed limits are defined.
  • E.g. a large number of login attempts over a short period suggests an attempted intrusion.
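As an added example (not code from the slides or from [DENN87]), here is the Denning-style audit record from the Audit Records slides above together with a mean and standard deviation test over a counter metric; the records for Smith's aborted COPY and the hourly login history are constructed for the illustration:

```python
"""Denning-style audit records plus a mean/standard-deviation anomaly test.

Added illustration, not code from the slides or from [DENN87]: the audit
records for Smith's aborted COPY and the login history are constructed.
"""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    """The six fields of Denning's audit record model."""
    subject: str          # initiator of the action (user or process)
    action: str           # login, read, write, execute, ...
    obj: str              # receptor of the action: file, program, device
    exception: str        # exception condition raised on return ("" if none)
    resource_usage: str   # quantitative element, e.g. "CPU=00002" or "RECORDS=0"
    timestamp: int        # unique time-and-date stamp


# Constructed records for: COPY GAME.EXE TO <Library>GAME.EXE issued by Smith.
# The copy is aborted because Smith lacks write permission to <Library>.
COPY_RECORDS = [
    AuditRecord("Smith", "execute", "<Library>COPY.EXE", "", "CPU=00002", 11058721678),
    AuditRecord("Smith", "read", "<Smith>GAME.EXE", "", "RECORDS=0", 11058721679),
    AuditRecord("Smith", "write", "<Library>GAME.EXE", "write-viol", "RECORDS=0", 11058721680),
]


def counter(records, subject, action, window_start, window_len):
    """Counter metric: number of `action` events by `subject` in a time window."""
    return sum(1 for r in records
               if r.subject == subject and r.action == action
               and window_start <= r.timestamp < window_start + window_len)


def exceptions_for(records, subject):
    """Exception conditions raised for a subject (the write violation above)."""
    return [r.exception for r in records if r.subject == subject and r.exception]


def is_anomalous(history, current, z_limit=3.0):
    """Mean and standard deviation model: flag `current` if it lies more than
    z_limit standard deviations from the mean of past counter values.
    Returns (anomalous, z_score)."""
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)
    if sd == 0.0:                       # flat history: any change is a deviation
        return (current != mean, float("inf") if current != mean else 0.0)
    z = (current - mean) / sd
    return (abs(z) > z_limit, z)


# Constructed history: Smith's login count for each of the last 12 hours.
SMITH_LOGINS_PER_HOUR = [2, 3, 2, 1, 3, 2, 2, 4, 3, 2, 3, 2]

if __name__ == "__main__":
    print(exceptions_for(COPY_RECORDS, "Smith"))     # ['write-viol']
    print(is_anomalous(SMITH_LOGINS_PER_HOUR, 3))    # within normal variability
    print(is_anomalous(SMITH_LOGINS_PER_HOUR, 14))   # burst of logins: flagged
```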


• Please have a look at table 9.1 on page 309 (in the 4th edition, table 9.2 on page 318).
• It gives a comparative study of measures, the model used, and the intrusion detected.
• Advantages:
– Prior knowledge of security flaws is not required.
– The detector program learns what is "normal" behaviour and then looks for deviations.
– Not based on system-dependent characteristics and vulnerabilities.
– Readily portable among a variety of systems.


c) Rule-Based Intrusion Detection

• Detects intrusion by observing events in the system.
• Applies a set of rules that lead to a decision that a given activity is or is not suspicious.
• Types:
– anomaly detection
– penetration identification
• Let's see each in detail.


• Rule-based anomaly detection:
– Is similar to statistical anomaly detection.
– Historical audit records are analysed to identify usage patterns.
– Rules that describe those patterns are generated automatically.
– Current behaviour is then observed and matched against the set of rules.
– Advantages:
  • Does not require knowledge of security vulnerabilities within the system.
  • Assumes only that the future will be like the past.
– Disadvantage:
  • A large database of rules will be needed.


• Rule-based penetration identification:
– Based on expert system technology.
– Key feature: use of rules for identifying known penetrations or penetrations that would exploit known weaknesses.
– Rules used are specific to the machine or OS.
– What is the approach to developing such rules?
  • Analyze attack tools.
  • Interview system administrators and security analysts.
  • Detect key events that threaten the security of the system.


– Some heuristic rules that can be used are found in NIDX:
  • Users should not read files in other users' personal directories.
  • Users must not write other users' files.
  • Users who log in after hours often access the same files they used earlier.
  • Users do not generally open disk devices directly but rely on higher-level operating system utilities.
  • Users should not be logged in more than once to the same system.
  • Users do not make copies of system programs.
– If a match is found, then the user's suspicion rating is increased.
– If the rating passes a threshold, an anomaly is reported.
– Disadvantage: lack of flexibility, since the rules are tied to specific audit records.
– Solution: develop a higher-level model independent of specific audit records. E.g. USTAT:
  • Deals in general actions instead of specific ones.
  • Implemented on a SunOS system.
  • Out of 239 events, the pre-processor uses only 28, mapping them to 10 general actions.
  • See table:
– Another option is to represent the attack patterns as a state transition diagram.
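An added example (not NIDX or USTAT code) of the penetration-identification approach: four of the NIDX heuristics above expressed as rules over constructed audit records, with a suspicion rating that is reported once it passes a constructed threshold:

```python
"""Rule-based penetration identification in the NIDX style: each heuristic
rule that matches an audit record raises the user's suspicion rating, and a
rating above the threshold is reported as an anomaly.

Added illustration, not NIDX or USTAT code. The rule weights, the threshold
and the audit records are constructed sample values.
"""
from collections import defaultdict

# Simplified audit records (constructed): who did what to which object, plus
# the object's owner so the "other users' files" rules can be evaluated.
SAMPLE_RECORDS = [
    {"subject": "alice", "action": "read",  "object": "/home/alice/notes", "owner": "alice"},
    {"subject": "bob",   "action": "read",  "object": "/home/alice/notes", "owner": "alice"},
    {"subject": "bob",   "action": "write", "object": "/home/alice/notes", "owner": "alice"},
    {"subject": "bob",   "action": "open",  "object": "/dev/sda",          "owner": "root"},
    {"subject": "bob",   "action": "copy",  "object": "/bin/login",        "owner": "root"},
]

SYSTEM_PROGRAMS = {"/bin/login", "/bin/su"}   # constructed lists
DISK_DEVICES = {"/dev/sda", "/dev/sdb"}


def reads_other_users_home(rec):
    """Users should not read files in other users' personal directories."""
    return (rec["action"] == "read" and rec["object"].startswith("/home/")
            and rec["owner"] != rec["subject"])


def writes_other_users_file(rec):
    """Users must not write other users' files."""
    return rec["action"] == "write" and rec["owner"] != rec["subject"]


def opens_disk_device(rec):
    """Users do not generally open disk devices directly."""
    return rec["action"] == "open" and rec["object"] in DISK_DEVICES


def copies_system_program(rec):
    """Users do not make copies of system programs."""
    return rec["action"] == "copy" and rec["object"] in SYSTEM_PROGRAMS


# (rule, weight added to the suspicion rating on a match); weights are constructed.
RULES = [
    (reads_other_users_home, 2),
    (writes_other_users_file, 4),
    (opens_disk_device, 5),
    (copies_system_program, 6),
]
THRESHOLD = 10   # constructed: a rating above this is reported


def score_records(records, rules=RULES):
    """Match every record against every rule; return {subject: suspicion rating}."""
    rating = defaultdict(int)
    for rec in records:
        for rule, weight in rules:
            if rule(rec):
                rating[rec["subject"]] += weight
    return dict(rating)


def report_anomalies(records, threshold=THRESHOLD):
    """Subjects whose rating passed the threshold, sorted by name."""
    return sorted(s for s, r in score_records(records).items() if r > threshold)


if __name__ == "__main__":
    print(score_records(SAMPLE_RECORDS))      # {'bob': 17}
    print(report_anomalies(SAMPLE_RECORDS))   # ['bob']
```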


d) Base Rate Fallacy

• An intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
• Why both rates matter:
– If only a modest percentage of intrusions is detected, a system that appears to be secure is not actually secure.
– If the system frequently triggers an alert when there is no intrusion (a false alarm), then either system managers will begin to ignore the alarms, or much time will be wasted analysing the false alarms.
• Conclusion: It is very difficult to meet the standard of a high rate of detections with a low rate of false alarms. Because intrusions are rare compared with legitimate activity (the base rate is low), even a small false alarm rate produces far more false alarms than true detections.
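An added worked example, using constructed rates rather than figures from the slides, of why a low base rate makes the two goals hard to reconcile: it applies Bayes' theorem to get the fraction of alarms that are real intrusions, and solves for the false alarm rate a detector would need to make half of its alarms genuine.

```python
"""Base-rate fallacy worked numerically: how the probability that an alarm
really is an intrusion depends on the base rate of intrusions.

Added illustration; the rates below are constructed, not figures from the slides.
"""


def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alarm) by Bayes' theorem.

    base_rate        P(intrusion) for one audited event or session
    detection_rate   P(alarm | intrusion), the true-positive rate
    false_alarm_rate P(alarm | no intrusion), the false-positive rate
    """
    p_alarm = detection_rate * base_rate + false_alarm_rate * (1.0 - base_rate)
    return detection_rate * base_rate / p_alarm


def false_alarm_rate_for_precision(base_rate, detection_rate, target_precision):
    """The false alarm rate needed so that `target_precision` of all alarms are
    genuine (the Bayes expression above solved for P(alarm | no intrusion))."""
    true_positive = detection_rate * base_rate
    return (true_positive * (1.0 - target_precision)
            / (target_precision * (1.0 - base_rate)))


def expected_alarms(n_events, base_rate, detection_rate, false_alarm_rate):
    """(true alarms, false alarms) expected over n_events audited events."""
    true_alarms = n_events * base_rate * detection_rate
    false_alarms = n_events * (1.0 - base_rate) * false_alarm_rate
    return true_alarms, false_alarms


if __name__ == "__main__":
    # Constructed scenario: 1 session in 10,000 is an intrusion; the detector
    # catches 99% of intrusions and raises a false alarm on 1% of clean sessions.
    p = alarm_precision(1e-4, 0.99, 0.01)
    print(f"P(intrusion | alarm) = {p:.4f}")              # about 0.0098
    need = false_alarm_rate_for_precision(1e-4, 0.99, 0.5)
    print(f"false alarm rate for 50% precision = {need:.6f}")   # about 0.000099
    print(expected_alarms(1_000_000, 1e-4, 0.99, 0.01))   # about (99.0, 9999.0)
```

With these rates roughly 99 of every 100 alarms are false, and the detector would need a false alarm rate near one in ten thousand for even half of its alarms to be genuine.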


e) Distributed Intrusion Detection

• Intrusion detection systems have focused on single-system, stand-alone facilities.
• An organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork.
• A more effective defence can be achieved by coordination and cooperation among intrusion detection systems across the network.
• Major issues in the design of a distributed intrusion detection system:
– Need to deal with different audit record formats.
– Requirement to assure the integrity and confidentiality of these data as they cross the network.
– Either a centralized or a decentralized architecture can be used.


Example: University of California at Davis [HEBE92, SNAP91]

• Three main components:
1. Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security-related events on the host and transmit these to the central manager.
2. LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.
3. Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion.


• The host agent is independent of any operating system or system auditing implementation.
• Steps:
– Captures each audit record.
– Retains only the records that are security relevant.
– Reformats them into a standardized format called the host audit record (HAR).
– A template-driven logic module analyses the records for suspicious activity.
– The analysis is based on past behaviour, failed file accesses, and known attack patterns.
– Alerts are sent to the central manager.
– The central manager includes an expert system.
• The architecture is quite general and flexible.
• Machine-independent approach.
• Can be expanded to correlate activity from a number of sites and networks to detect suspicious activity.
• See next figure.


f) Honeypots

• Relatively recent innovation.
• Honeypots are decoy (bait) systems that are designed to lure (tempt) a potential attacker away from critical systems.
• Designed to:
– divert an attacker from accessing critical systems,
– collect information about the attacker's activity,
– encourage the attacker to stay on the system long enough for administrators to respond.
• Appear available to intruders but are not used by legitimate users.
• All access to honeypots is suspect.
• Instrumented with sensitive monitors, event loggers and access detectors.
• They track the attacker without ever exposing productive systems.
• May range from a single system to an entire network.
• Attackers are drawn into the system, their behaviour is observed, and defences are worked out from what is learned.


g) Intrusion Detection Exchange Format

• Distributed intrusion detection systems function across a wide range of platforms and environments.
• What about their standardization for interoperability?
• IETF Intrusion Detection Working Group.
• Purpose: define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems.
• Outputs:
– A requirements document: high-level functional requirements for communication between intrusion detection systems and management systems.
– A common intrusion language specification, which describes data formats that satisfy the requirements.
– A framework document, which identifies existing protocols best used for communication between intrusion detection systems, and describes how the devised data formats relate to them.


We did: Intrusion Detection

• Main topics:
a. Audit Records
b. Statistical Anomaly Detection
c. Rule-Based Intrusion Detection
d. The Base-Rate Fallacy
e. Distributed Intrusion Detection
f. Honeypots
g. Intrusion Detection Exchange Format

Password Management

• The password serves to authenticate the ID of the user logging on.
• The ID provides security in the following ways:
– The ID determines whether the user is authorized to gain access to a system.
– The ID determines the privileges accorded to the user.
– The ID is used in what is referred to as discretionary access control (a user may grant other users the right to read his or her files).


UNIX Password Scheme

Loading a new password


• Each user selects a password of up to eight printable characters in length.
• This is converted into a 56-bit value that serves as the key input to an encryption routine.
• The encryption routine, known as crypt, is based on DES.
• The DES algorithm is modified using a 12-bit "salt" value.
• Typically, this value is related to the time at which the password is assigned to the user.
• The modified DES algorithm is exercised with a data input consisting of a 64-bit block of zeros.
• The output of the algorithm serves as input for a second encryption.
• This process is repeated for a total of 25 encryptions.
• The resulting 64-bit output is then translated into an 11-character sequence.
• The ciphertext password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID.
• When a user attempts to log on to a UNIX system, the user provides an ID and a password.
• The operating system uses the ID to index into the password file and retrieve the plaintext salt and the encrypted password, which are used as input to the encryption routine.
• If the result matches the stored value, the password is accepted.

UNIX Password Scheme

Verifying a password file


Storing UNIX Passwords

• UNIX passwords were originally kept in a publicly readable file, /etc/passwd.
• Now they are kept in a "shadow" password file that is readable only by "root".


"Salt"

• The salt serves three purposes:
– Prevents duplicate passwords from being visible in the password file: two users who choose the same password get different salts and hence different ciphertexts.
– Effectively increases the length of the password by 12 bits without requiring the user to remember the extra bits.
– Prevents the use of standard hardware implementations of DES, since the algorithm is modified by the salt.


Password Selecting Strategies

Purpose: Eliminate guessable passwords while allowing the user to select a password that is memorable.

1. User education:
– Educate users on the importance of using hard-to-guess passwords.
2. Computer-generated passwords:
– Randomly generated passwords may not be possible for the user to remember.
3. Reactive password checking:
– The system periodically runs its own password cracker to find guessable passwords.
– If such passwords are found, they are cancelled and the user is notified.
– Disadvantages:
  • Resource intensive if the job is done right.
  • Devotes full CPU time to the task.
  • The process goes on for hours or even days.
  • Passwords remain vulnerable to attack until the process is over.
4. Proactive password checking:
– Most promising approach.
– The user is allowed to select his or her own password.
– The system checks to see if the password is allowable and, if not, rejects it.
– Aim: a fairly large password space whose passwords are not likely to be guessed in a dictionary attack.
– Balance between user acceptability and strength.


• What if the system rejects too many passwords?
• Solution 1: Enforce the following rules.
– All passwords must be at least eight characters long.
– In the first eight characters, the password must include at least one each of uppercase letters, lowercase letters, numeric digits, and punctuation marks.
• Solution 2:
– Compile a large dictionary of possible "bad" passwords.
– When a user selects a password, the system checks to make sure that it is not on the disapproved list.
– Problem: the space used by the dictionary and the time it takes to search the entire dictionary.
• Solution 3: Markov model


Markov Model

Transition Matrix

1. Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth character.

2. For each bigram ij, calculate f(i,j,·) as the total number of trigrams beginning with ij.

3. Compute the entries of T as follows:

$$T(i,j,k) = \frac{f(i,j,k)}{f(i,j,\cdot)}$$
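An added example (not the slides' own code) that carries the three steps out on a small constructed dictionary of bad passwords and then uses the resulting T to judge a candidate password, which is the proactive-checking use the Markov model is meant for:

```python
"""Second-order Markov model for proactive password checking: estimate the
trigram transition matrix T(i,j,k) = f(i,j,k) / f(i,j,.) from a dictionary of
"bad" passwords, then score a candidate by how likely the model finds it.

Added illustration, not the slides' own code. The training dictionary, the
floor probability for unseen trigrams and the rejection threshold are
constructed; a real checker would train on a large dictionary.
"""
import math
from collections import defaultdict

# Constructed dictionary of guessable passwords used as training data.
BAD_PASSWORDS = ["password", "passwords", "pass1234", "letmein", "welcome",
                 "master", "monkey", "dragon", "qwerty", "qwerty123"]


def trigrams(s):
    """Successive (ith, jth, kth) character triples of s."""
    return zip(s, s[1:], s[2:])


def frequency_matrix(words):
    """Step 1: f[(i,j,k)] = number of occurrences of the trigram i j k."""
    f = defaultdict(int)
    for w in words:
        for t in trigrams(w):
            f[t] += 1
    return f


def transition_matrix(f):
    """Steps 2 and 3: f(i,j,.) = number of trigrams beginning with ij,
    then T(i,j,k) = f(i,j,k) / f(i,j,.)."""
    bigram_total = defaultdict(int)
    for (i, j, _k), n in f.items():
        bigram_total[(i, j)] += n
    return {(i, j, k): n / bigram_total[(i, j)] for (i, j, k), n in f.items()}


def rows_sum_to_one(T):
    """Sanity check: for each bigram ij the probabilities over k sum to 1."""
    sums = defaultdict(float)
    for (i, j, _k), p in T.items():
        sums[(i, j)] += p
    return all(abs(s - 1.0) < 1e-9 for s in sums.values())


def mean_log_prob(password, T, floor=1e-6):
    """Average log T(i,j,k) over the trigrams of the password. Unseen trigrams
    get a small floor so a single novel trigram does not zero the score."""
    logs = [math.log(T.get(t, floor)) for t in trigrams(password)]
    return sum(logs) / len(logs) if logs else math.log(floor)


def is_guessable(password, T, threshold=-3.0):
    """Proactive check: True (reject) when the model finds the password's
    trigram sequence likely, i.e. mean log-probability above the threshold."""
    return mean_log_prob(password, T) > threshold


if __name__ == "__main__":
    T = transition_matrix(frequency_matrix(BAD_PASSWORDS))
    print(T[("a", "s", "s")])            # 0.75: "as" is followed by "s" 3 times out of 4
    print(is_guessable("password", T))    # True
    print(is_guessable("xq7!Lm2#", T))    # False
```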


Spafford (Bloom Filter)

$$H_i(X_j) = y, \qquad 1 \le i \le k,\quad 1 \le j \le D,\quad 0 \le y \le N-1$$

where

– $X_j$ = jth word in the password dictionary
– $D$ = number of words in the password dictionary

The following procedure is then applied to the dictionary:

1. A hash table of N bits is defined, with all bits initially set to 0.

2. For each password, its k hash values are calculated, and the corresponding bits in the hash table are set to 1.


Spafford (Bloom Filter)

• Design the hash scheme to minimize false positives.

• Probability of a false positive:

$$P \approx \left(1 - e^{-kD/N}\right)^k = \left(1 - e^{-k/R}\right)^k$$

or, equivalently,

$$R = \frac{-k}{\ln\left(1 - P^{1/k}\right)}$$

where

– $k$ = number of hash functions
– $N$ = number of bits in the hash table
– $D$ = number of words in the dictionary
– $R = N/D$, the ratio of hash table size (bits) to dictionary size (words)
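An added example (not Spafford's code) covering both the dictionary procedure from the previous slide and the false-positive formula above: it builds the N-bit table, checks candidates, and compares the predicted P with a measured rate. The k hash functions are assumed to be SHA-256 with an index prefix, and the dictionary is constructed.

```python
"""Spafford's Bloom-filter password checker: k hash functions map each
dictionary word X_j to bit positions H_i(X_j) in an N-bit table; a candidate
password is rejected when all k of its bits are already set. Also evaluates
P ~ (1 - e^(-k/R))^k with R = N/D and the inverse R = -k / ln(1 - P^(1/k)).

Added illustration, not Spafford's code. The k hash functions are derived
from SHA-256 with an index prefix (an assumption made for this example) and
the dictionary is constructed.
"""
import hashlib
import math


class BloomFilter:
    def __init__(self, n_bits, k):
        self.n_bits = n_bits
        self.k = k
        self.bits = bytearray((n_bits + 7) // 8)   # N-bit table, all bits 0

    def _positions(self, word):
        """H_i(word) = y with 0 <= y <= N-1, for i = 1..k."""
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{word}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.n_bits

    def add(self, word):
        """Set the k bits for one dictionary word."""
        for y in self._positions(word):
            self.bits[y >> 3] |= 1 << (y & 7)

    def possibly_contains(self, word):
        """True if all k bits are set: the word is in the dictionary or is a false positive."""
        return all(self.bits[y >> 3] & (1 << (y & 7)) for y in self._positions(word))


def false_positive_probability(k, R):
    """P ~ (1 - e^(-k/R))^k for k hash functions and R = N/D bits per word."""
    return (1.0 - math.exp(-k / R)) ** k


def bits_per_word_for(P, k):
    """R = -k / ln(1 - P^(1/k)): table size per dictionary word for a target P."""
    return -k / math.log(1.0 - P ** (1.0 / k))


BAD_PASSWORDS = ["password", "letmein", "qwerty", "welcome", "monkey", "dragon"]  # constructed


def build_checker(words, R=12, k=6):
    """N = R * D bits; every dictionary word sets its k bits."""
    bf = BloomFilter(n_bits=R * len(words), k=k)
    for w in words:
        bf.add(w)
    return bf


def measure_false_positives(bf, trials=2000):
    """Empirical false-positive rate on constructed probe strings absent from the dictionary."""
    hits = sum(bf.possibly_contains(f"probe-{n}") for n in range(trials))
    return hits / trials


if __name__ == "__main__":
    bf = build_checker(BAD_PASSWORDS)
    print(all(bf.possibly_contains(w) for w in BAD_PASSWORDS))       # True: no false negatives
    print(f"predicted P = {false_positive_probability(6, 12):.4f}")  # about 0.0037
    print(f"measured  P = {measure_false_positives(bf):.4f}")
```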


Performance of Bloom Filter


Chapter Over

• High time.
• Utilize each minute of your day, otherwise tension would ruin your result.
• Trick for good preparation and passing the maximum number of subjects:
– Complete the preparation of easy subjects before taking harder subjects in hand.
• Tomorrow we will start with the last chapter of the syllabus.
