Slide 1: Intrusion Detection
By Himani Singh & Kavita Khanna
(CS-265, Fall-2003)

Slide 2: Intrusion Detection, "Presentation Outline"
- How does an intruder get access?
- Security holes and vulnerabilities
- What is intrusion detection?
- Typical intrusion scenario
- Host-based and network-based intrusion detection
- Knowledge-based and behavior-based intrusion detection
- False positives / false alarms
- Do I need an IDS if I already have a firewall?

Slide 3: How an intruder gets access
- Intruder: a hacker and/or cracker who breaks into systems and carries out unauthorized or malicious activities.
How does an intruder get access?
- Physical intrusion: remove some hardware, disk, memory...
- System intrusion: starting from a low-privilege user account
- Remote intrusion: across the network

Slide 4: Security Holes and Vulnerabilities
What?
- Software bugs
- System configuration
- Bad password policy
- Traffic sniffing
- Design flaws

Slide 5: Security Holes and Vulnerabilities
Software bugs
- Buffer overflows: overflow the input with intentionally crafted code.
- Unexpected combinations: e.g. PERL can pass malicious input on to another program.
- Unhandled input: what action is taken on invalid input?
- Race conditions: rare but possible.
System configuration
- Default configurations: easy-to-use configurations.
- Lazy administrators: empty root/administrator password.
- Hole creation: turn off everything that doesn't absolutely positively need to run.

Slide 6: Security Holes and Vulnerabilities (cont.)
- Password cracking: weak passwords, dictionary attacks, brute force, etc.
- Sniffing unsecured traffic: shared medium, server sniffing, remote access.
- Design flaws: TCP/IP protocol flaws
  - Smurf: ICMP request with the victim's address as the return address.
  - SYN flood: the target runs out of resources; combined with IP spoofing.
  - UNIX design flaws.
  - Distributed DoS attack: Amazon and Yahoo.
- Do not forget social engineering: hacker Kevin Mitnick told Congress that he used technology only 2% of the time.

Slide 7: What is Intrusion Detection?
- Intrusion: an unauthorized activity or access to an information system; an attack originating outside the organization.
- Misuse: attacks originating inside the organization.
- Intrusion detection (ID): the process of detecting whether an intrusion or misuse has been attempted, is occurring, or has occurred. [1] Intrusion and/or misuse can be as severe as stealing sensitive information or misusing your e-mail system for spam.
- ID runs continuously and does both detection and response.
[1] The Practical Intrusion Detection Handbook, Paul E. Proctor

Slide 8: Typical intrusion scenario
- Step 1: outside reconnaissance
- Step 2: inside reconnaissance
- Step 3: exploit
- Step 4: foothold
- Step 5: profit, e.g. bandwidth theft
- Step 6: get out, cover traces
Scanning random Internet addresses, looking for a specific hole on any system rather than a specific system.

Slide 9: Steps 1 & 2: Reconnaissance
- Ping sweeps
- TCP/UDP scans
- OS identification
- Account scan

Slide 10: Step 3: Exploits
- CGI scripts
- Web server attacks
- Web browser attacks: URL, HTTP, HTML, JavaScript, frames
- SMTP (Sendmail) attacks
- IP spoofing
- DNS poisoning
- Buffer overflows

Slide 11: Detection
- Signature recognition: well-known patterns of attack, e.g. CGI patterns, TCP port scans.
- Port-based signatures: common ports are not in use, yet traffic is coming in / going out on that port.
- Invalid protocol behavior.

Slide 12: Detection
- Anomaly detection: some action or data that is not considered normal for a given system, user, or network.
- Can be indicated by a change in CPU utilization, disk activity, user logins, file activity, increased traffic, and so forth.
- Advantage: detects unknown attacks/misuse.

Slide 13: Detection
Anomaly detection: three statistical criteria
- Number of events outside the expected range, e.g. login attempts > 3.
- A statistical period goes outside the expected interval, e.g. the time to load a file on an FTP server.
- Markov model: used when there is a sequence of events. Suppose the observed sequence is xyzhjzxyz; then the probability of 'z' coming after 'xy' is 1, and so on. If there is a deviation from these probabilities, there is a problem.
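As an added illustration of the Markov criterion on this slide (this code is not from the presentation), the following Python builds second-order transition probabilities from the slide's sequence xyzhjzxyz and flags any transition the trained model has never seen; it also includes the first criterion, an event count above a limit. The training sequence and the scored sequences are constructed sample input.

```python
from collections import Counter, defaultdict

# Constructed training data: the event sequence used on the slide.
TRAINING = "xyzhjzxyz"


def build_model(seq, order=2):
    """Estimate P(next event | previous `order` events) from an observed sequence.
    With order=2 and the slide's sequence, P('z' | 'xy') comes out as 1.0."""
    counts = defaultdict(Counter)
    for i in range(len(seq) - order):
        counts[seq[i:i + order]][seq[i + order]] += 1
    model = {}
    for context, nxt in counts.items():
        total = sum(nxt.values())
        model[context] = {event: n / total for event, n in nxt.items()}
    return model


def transition_probability(model, context, event):
    """Probability the model assigns to `event` after `context`; 0.0 if never observed."""
    return model.get(context, {}).get(event, 0.0)


def score_sequence(model, seq, order=2, threshold=0.0):
    """Walk a new sequence and collect every transition whose probability is at or
    below `threshold` (0.0 means the model never saw it in training).
    Returns a list of (position, context, event, probability) deviations."""
    deviations = []
    for i in range(len(seq) - order):
        context, event = seq[i:i + order], seq[i + order]
        p = transition_probability(model, context, event)
        if p <= threshold:
            deviations.append((i + order, context, event, p))
    return deviations


def count_exceeds(events, name, limit):
    """The slide's first criterion: the number of occurrences of one event is
    outside the expected range, e.g. more than 3 failed login attempts."""
    return events.count(name) > limit


if __name__ == "__main__":
    model = build_model(TRAINING)
    print("P(z | xy) =", transition_probability(model, "xy", "z"))
    # The final 'q' after 'xy' was never seen during training, so it is reported.
    print("deviations:", score_sequence(model, "xyzhjzxyq"))
```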

Slide 14: IDS (Intrusion Detection System)
An IDS should do:
- Event log analysis for inside threat detection
- Network traffic analysis for perimeter threat detection
- Security configuration management
- File integrity checking
[Figure: agents on each host and on the network report to a director, which drives a notifier]

Slide 15: Components of an IDS
- Command console: a central commanding authority
- Network sensor
- Alert notification
- Response subsystem
- Database
- Network tap(s)

Slide 16: Network Intrusion Detection System
NIDS: the system detects an intruder by "sniffing" or monitoring the network packets on the wire and matching the attack pattern against a database of known attack patterns.
Architecture of NIDS
- Network-node: agents distributed on each critical target computer in the network, monitoring traffic bound only for that individual target.
- Sensor-based: a sensor sits between two communicating computers, either stand-alone or on a network device, to monitor the whole network.

Slide 17: Steps in NIDS
1. A network packet is born.
2. The packet is read in real time through a sensor (either a network sensor or a network-node sensor).
3. The detection engine is used to identify predefined patterns of misuse.
4. If there is a match, the security officer is notified by audible alert, e-mail, pager, visual alert, or SNMP; for example, a beep or playing a .WAV file: "You are under attack".
5. An alert is generated (either pre-defined or through the security officer).
6. A response to that alert is generated.

Slide 18: Steps in NIDS (cont.)
- Possible responses: reconfigure the firewall/router, filter out the IP address, terminate (reset) the TCP connection.
- The alert is stored for later review: timestamp, intruder IP address, victim IP address/port, protocol information.
- Reports are generated; data is logged for long-term trends.

Slide 19: NIDS Limitations
- Packet loss on high-speed networks: an intruder can hide in the lost packets. Node-based ID does not suffer from this issue.
- Switched networks: ATM.
- Encryption. Solutions: put the network sensor on the decrypted side of the VPN; a distributed network architecture with ID agents; decrypt on the fly by putting the key on the router (itself a security threat).
- Packet reassembly: many signatures can be detected only in the full reassembled string.
- Sniffer detection programs.

Slide 20: Host-based intrusion detection system
HIDS: monitors the actual target machines to identify tampering or malicious activity occurring within the system. Can detect 'insider' malicious activity. Agent-based.
Misuse detected by HIDS:
- Abuse of privilege
- Unintended/inadvertent privilege grants
- Stale (live) accounts
- Bad account privilege policy / back door creation

Slide 21: Host-based intrusion detection system (cont.)
HIDS monitors:
- User-specific actions
- System integrity checkers: system log files, running processes, and the file system; whether system registry changes were made by intruders
- Determines the success/failure of an attack
Data sources in HIDS: system logs, application logs, host traffic, and in some instances firewall logs.

Slide 22: Key points
- Audit policy: if you fail to manage audit and detection policies, your deployment is likely to fail.
- Detection policy: properly configure signatures and an appropriate number of active signatures, in both real time and batch time.
- The data source is the heart of a HIDS: system logs, application logs, host traffic, and in some instances firewall logs.
  - Unix syslog: not a good source, since any application can write to it.
  - Unix binary kernel log: the closest thing to the TCB.
  - Windows NT/2000: trust the security log.

Slide 23: Knowledge-based and behavior-based approaches
Knowledge-based approaches
- All IDS tools are knowledge-based.
- Knowledge about specific attacks and system vulnerabilities.
- Accuracy is good: no false alarms, if the attack is defined precisely.
- Fast corrective actions: a signature can be added/modified quickly.
Drawbacks:
- Completeness is questionable; it depends on updates.
- New vulnerabilities are not defined, resulting in false negatives.
- Maintenance is a time-consuming, tedious task.
- Knowledge is environment-based (very focused; depends on OS, platform, version...).

Slide 24: Behavior-based intrusion detection
- Detects a deviation from the normal or expected behavior of the system or the users: compares current behavior against valid behavior.
- Advantage: detects attempts to exploit new and unforeseen vulnerabilities; automatic discovery of these new attacks.
- Disadvantage: high false alarm rate. If retraining is done online, it can result in unavailability of the ID system (a good chance for an attacker) or more false alarms.
- A good complement to knowledge-based detection; not enough alone.

Slide 25: Best IDS
A hybrid of network-based and host-based, which must include both knowledge-based and behavior-based detection.

Slide 26: False positives / false alarms
- False positive: signaling an attack when there is none.
- Why:
  - Intrusions are difficult to detect; IDSs are limited in scope.
  - Tools are stateless.
  - Signatures are not carefully designed, so there are lots of matches.
  - Accuracy is often traded for urgency to plug in a new signature.

Slide 27: Do I need an IDS if I already have a firewall?
- A firewall is not a dynamic defensive system and has no capability to understand that someone is trying to break in. Example: the ColdFusion bug (a port 80 web attack).
- The firewall guards the boundary of the network: the firewall is prevention, while ID is detection and response.
Reasons:
- Catches attacks that firewalls legitimately allow through (such as attacks against web servers).
- Catches attempts that fail.
- Catches insider hacking and financial loss.

Slide 28: Popular NIDS: SNORT
- Open source network intrusion detection system.
- Real-time traffic analysis.
- Detects attacks such as buffer overflows, stealth port scans, CGI attacks, SMB probes and more.
- Decisions about traffic depend on a flexible rules language.

Slide 29: Popular NIDS: Snort (cont.)
- Platforms: SunOS 4.1.X (Sparc), Linux, Win32 (Win9x/NT/2000), OpenBSD, HP-UX.
- Snort is lightweight intrusion detection, cost efficient, and open source, so its signatures keep getting updated; very powerful post-processors.

Slide 30: Interesting
Snort and other signature-based IDSs match unique patterns against rules in the database. For example, Snort uses the following rule for the SubSeven Trojan:

alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG - SubSseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)

Snort matches the hex signature "0d 0a 5b 52 50 4c 5d 30 30 32 0d 0a", which can be present anywhere in the payload.

An attacker can change or scramble the noticeable content by encryption, e.g. adding the first byte of the packet payload to every subsequent byte. If that byte is 3, the payload is "31 3d 8e 85 83 7f 81 63 63 65 31 3e", which does not match any of the known signatures. The attacker has now evaded our intrusion detection system.

Source: Matthew, http://www.snort.org/what_is_snort.htm
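To make the matching on this slide concrete, here is an added Python example (not Snort's code and not part of the original presentation) that parses the SubSeven rule quoted above into its header and options, decodes the |..| hex content, and applies the rule to constructed packets: one carrying the signature and one carrying the encoded bytes quoted on the slide. The address variables $EXTERNAL_NET and $HOME_NET are deployment-specific and are deliberately not evaluated.

```python
# Constructed copy of the SubSeven rule quoted on the slide (Snort rule syntax).
SUBSEVEN_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 '
                 '(msg: "BACKDOOR SIG - SubSseven 22"; flags: A+; '
                 'content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)')


def parse_rule(rule):
    """Split a Snort rule into its header fields and an option dictionary.
    Handles only the option subset this rule uses (msg, flags, content, reference)."""
    header, _, options = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    opts = {}
    for opt in options.rstrip(")").split(";"):
        if ":" in opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": opts}


def content_to_bytes(content):
    """Decode a Snort content string: text outside |...| is literal, hex inside."""
    out = b""
    for i, part in enumerate(content.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def flags_match(spec, tcp_flags):
    """'flags: A+' means ACK must be set and other flags may also be set;
    without the '+' the flag set must match exactly."""
    required = set(spec.rstrip("+"))
    return required <= tcp_flags if spec.endswith("+") else required == tcp_flags


def matches(rule, packet):
    """Apply a parsed rule to a packet dict (proto, dport, flags, payload).
    Returns the rule's msg on a hit, None otherwise."""
    if packet["proto"] != rule["proto"]:
        return None
    if rule["dport"] != "any" and str(packet["dport"]) != rule["dport"]:
        return None
    opts = rule["options"]
    if "flags" in opts and not flags_match(opts["flags"], packet["flags"]):
        return None
    if "content" in opts and content_to_bytes(opts["content"]) not in packet["payload"]:
        return None
    return opts.get("msg", "").strip('"')


# Constructed sample packets: the 12-byte SubSeven banner buried in a payload,
# and the encoded variant quoted on the slide, which carries no known signature.
SIGNATURE = bytes.fromhex("0d 0a 5b 52 50 4c 5d 30 30 32 0d 0a")
PKT_BANNER = {"proto": "tcp", "dport": 27374, "flags": {"A", "P"},
              "payload": b"xx" + SIGNATURE + b"yy"}
PKT_ENCODED = {"proto": "tcp", "dport": 27374, "flags": {"A", "P"},
               "payload": bytes.fromhex("31 3d 8e 85 83 7f 81 63 63 65 31 3e")}

if __name__ == "__main__":
    rule = parse_rule(SUBSEVEN_RULE)
    for name, pkt in (("banner", PKT_BANNER), ("encoded", PKT_ENCODED)):
        print(name, "->", matches(rule, pkt))
```

The encoded packet still goes to port 27374 with ACK set, so a port-based signature (slide 11) or an anomaly criterion would be the remaining way to notice it once the content match is gone.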

Slide 31: Resources... in case you get hacked
- CERT (Computer Emergency Response Team): http://www.cert.org
- CIAC (Computer Incident Advisory Capability) by the US Department of Energy: http://www.ciac.org/
- SANS: http://www.sans.org/
- AUSCERT (Australian Computer Emergency Response Team): http://www.auscert.org.au/
- Network Intrusion Detection Systems: http://www.robertgraham.com/pubs/network-intrusion-detection.html

Slide 32: References
- Paul E. Proctor, The Practical Intrusion Detection Handbook
- www.intrusion.com/
- www.snort.org/
- www.sans.org (retrieved Nov 14, 2003)
- www.cerias.purdue.edu/coast/intrusion-detection/ (retrieved Nov 15, 2003)
- www.cs.usask.ca/undergrads/der850/project/ids/

Slide 33: Project Presentation
Instructor: Prof. Mark Stamp
Due Date: 11/18/03
Malicious Software & Intrusion Detection
By Kavita Khanna and Himani Singh
(CS-265, Fall-2003)

Slide 34: Malicious Software
By Kavita Khanna & Himani Singh
(CS-265, Fall-2003)

Slide 35: Malicious Software, "Presentation Outline"
- What is malicious software?
- Categories of malicious software.
- Different malicious software: viruses, worms, Trojan horses, etc.
- More description of viruses:
  - Desirable properties of viruses.
  - Identifying infected files and programs.
  - Where do viruses reside?
  - Identifying and detecting viruses: virus signatures.
- Effect of a virus attack on a computer system.
- Protection against attacks by malicious software: preventing infection.
- References.

Slide 36: What is Malicious Software?
- Software deliberately designed to harm computer systems.
- A malicious software program causes undesired actions in information systems.
- Spreads from one system to another through:
  1. E-mail (through attachments)
  2. Infected floppy disks
  3. Downloading / exchanging corrupted files
  4. Embedding in computer games

Slide 37: Malicious Software: Categories
[Figure: tree of malicious software categories: viruses (boot viruses, file viruses), trapdoor, worms, spyware, Trojan horse, hoaxes, rabbit, time bomb, logic bomb]

Slide 38: Types of Malicious Software
Virus: a program that spreads to other software in the system, i.e. a program that incorporates copies of itself into other programs.
Two major categories of viruses:
1. Boot sector virus: infects the boot sector of systems; becomes resident; activates while booting the machine.
2. File virus: infects program files; activates when the program is run.

Slide 39: Categories of Viruses
- Polymorphic virus: produces modified but fully operational code; produces new and different code every time the virus is copied and transmitted to a new host. Difficult to detect and remove.
- Stealth virus: programming tricks make tracing and understanding the code difficult; complex programming methods are used to design the code, so it is difficult to repair the infected file.
- Armored virus: hides the modifications it has made to files or to the disk; reports false values to programs as they read files or data from storage media.
- Companion virus: creates a new program instead of modifying an existing program; contains all the virus code; executed by the shell instead of the original program.

Slide 40: Rabbit
Rabbit: malicious software that replicates itself without limit and depletes some or all of the system's resources.
- Re-attacks the infected systems, making recovery difficult.
- Exhausts all the system's resources, such as CPU time, memory, and disk space.
- The depletion of resources denies users access to those resources.

Slide 41: Hoaxes
Hoaxes: false alerts about spreading viruses, e.g. chain letters.
- The message seems important to the recipient, who forwards it to other users; it becomes a chain.
- Exchanging a large number of messages (in the chain) floods network resources: bandwidth wastage.
- Blocks the systems on the network: access denied due to heavy network traffic.

Slide 42: Trojan Horse
Trojan horse: a malicious program with unexpected additional functionality. It includes harmful features of which the user is not aware.
- Performs a different function than what it is advertised to do (some malicious action, e.g. stealing passwords).
- Neither self-replicating nor self-propagating: user assistance is required for infection. Infects when the user installs and executes infected programs.
- Some types of Trojan horses include Remote Access Trojans (RAT), keyloggers, password stealers (PSW), and logic bombs.

Slide 43: Trojan Horse (cont.)
Transmitting medium:
1. Spam or e-mail
2. A downloaded file
3. A disk from a trusted source
4. A legitimate program with the Trojan inside
A Trojan looks for your personal information and sends it to the Trojan writer (hacker). It can also allow the hacker to take full control of your system.
Different types of Trojan horses:
1. The remote access Trojan takes full control of your system and passes it to the hacker.
2. The data-sending Trojan sends data back to the hacker by means of e-mail, e.g. keyloggers, which log and transmit each keystroke.

Slide 44: Trojan Horse (cont.)
3. The destructive Trojan has only one purpose: to destroy and delete files. Unlikely to be detected by anti-virus software.
4. The denial-of-service (DoS) attack Trojan combines the computing power of all the computers/systems it infects to launch an attack on another computer system, flooding that system with traffic until it crashes.
5. The proxy Trojan allows a hacker to turn the user's computer into a HIS (Host Integration Server) server, to make purchases with stolen credit cards and run other organized criminal enterprises in that user's name.
6. The FTP Trojan opens port 21 (the port for FTP transfer) and lets the attacker connect to your computer using the File Transfer Protocol (FTP).

Slide 45: Trojan Horse (cont.), Spyware
7. The security software disabler Trojan is designed to stop or kill security programs such as anti-virus software, firewalls, etc., without you knowing it.
Spyware:
- Spyware programs explore the files in an information system.
- The information is forwarded to an address specified in the spyware.
- Spyware can also be used to investigate software users or to prepare an attack.

Slide 46: Trapdoor
Trapdoor: a secret, undocumented entry point to a program.
- An example of such a feature is the so-called back door, which enables intrusion into the target by bypassing user authentication methods.
- A hole in the security of a system deliberately left in place by designers or maintainers.
- A trapdoor allows unauthorized access to the system. The only purpose of a trapdoor is to "bypass" internal controls. It is up to the attacker to determine how this circumvention of control can be utilized for his benefit.

Slide 47: Types of Trapdoor
- Undetectable trapdoor: virtually undetectable.
- Hardware trapdoor: security-related hardware flaws.

Slide 48: Worms
Worm: a program that spreads copies of itself through a network.
- Does irrecoverable damage to the computer system.
- Stand-alone program; spreads only through the network.
- Also performs various malicious activities other than spreading itself to different systems, e.g. deleting files.
Attacks of worms:
1. Deleting files and other malicious actions on systems.
2. Communicating information back to the attacker, e.g. passwords and other proprietary information.
3. Disrupting the normal operation of the system, i.e. a denial-of-service (DoS) attack, due to re-infecting an already infected system.
4. Worms may carry viruses with them.

Slide 49: Means of spreading infection by worms
- Infects one system, gains access to the trusted host lists on the infected system, and spreads to other hosts.
- Another method of infection is penetrating a system by guessing passwords.
- Exploits widely known security holes, in case password guessing and trusted host access fail.
- e.g. a well-known example of a worm is the ILOVEYOU worm, which invaded millions of computers through e-mail in 2000.

Slide 50: Viruses: More Description
Desirable properties of viruses (from the virus writer's point of view):
- The virus program should be hard to detect by anti-virus software.
- Viruses should be hard to destroy or deactivate.
- Spread infection widely.
- Should be easy to create.
- Be able to re-infect.
- Should be machine/platform independent, so that it can spread on different hosts.

Slide 51: Detecting virus-infected files/programs
- A virus-infected file changes: it gets bigger.
- Modification detection by checksum:
  > Use a cryptographic checksum/hash function, e.g. SHA, MD5.
  > Add all 32-bit segments of a file and store the sum (i.e. the checksum).
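An added Python example (not from the presentation) of the integrity checks listed on this slide: a baseline record per file holding its size, the slide's additive 32-bit checksum, and a SHA-256 digest, followed by a verify step that reports which fields changed. The sample file contents are constructed; the swapped-segment case shows why the slide recommends a cryptographic hash over the plain sum.

```python
import hashlib
import struct


def additive_checksum(data):
    """The slide's simple scheme: add every 32-bit segment of the file, mod 2**32.
    A partial trailing segment is zero-padded to a full one."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for (word,) in struct.iter_unpack("<I", padded):
        total = (total + word) & 0xFFFFFFFF
    return total


def fingerprint(data):
    """Baseline record for one file: size, additive checksum and a cryptographic hash."""
    return {"size": len(data),
            "checksum": additive_checksum(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify(baseline, data):
    """Compare a file against its stored baseline; returns the set of changed fields."""
    current = fingerprint(data)
    return {field for field in baseline if baseline[field] != current[field]}


# Constructed 16-byte sample "program" (fake machine code, not a real binary).
CLEAN = bytes.fromhex("b8010000 00bb0200 0000cd80 90909090")
# Constructed infected copy: it grows by one appended segment (the slide's
# "file gets bigger" sign), which every field in the baseline notices.
APPENDED = CLEAN + b"\xeb\xfe\x90\x90"
# Constructed modified copy with the first two 32-bit segments swapped: the
# additive sum is commutative, so only the cryptographic hash reports it.
SWAPPED = CLEAN[4:8] + CLEAN[0:4] + CLEAN[8:]

if __name__ == "__main__":
    baseline = fingerprint(CLEAN)
    for name, data in (("clean", CLEAN), ("appended", APPENDED), ("swapped", SWAPPED)):
        print(name, "changed fields:", sorted(verify(baseline, data)))
```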

Slide 52: Identifying Viruses
- A virus is a unique program. It has unique object code. It inserts itself in a deterministic manner.
- The pattern of object code and where it is inserted provide a signature for the virus program.
- This virus signature can be used by virus scanners to identify and detect a particular virus.
- Some viruses try to hide or alter their signature:
  - Random patterns in meaningless places.
  - Self-modifying code: metamorphic, polymorphic viruses.
  - Encrypt the code, changing the key frequently.

Slide 53: Places where viruses live
- Boot sector
- Memory resident
- Disk: applications and data stored on disk
- Libraries: stored procedures and classes
- Compiler
- Debugger
- Virus checking program infected by the virus: unable to detect that particular virus signature

Slide 54: Effect of a virus attack on a computer system
- A virus may affect the user's data in memory: overwriting.
- A virus may affect the user's program: overwriting.
- A virus may also overwrite the system's data or programs, corrupting them and disrupting the normal operation of the system.
- "Smashing the stack": a buffer overflow redirects the execution of a program to the virus code.

Slide 55: Preventing infection by malicious software
- Use only trusted software, not pirated software.
- Test all new software on an isolated computer system.
- Regularly take backups of the programs.
- Use anti-virus software to detect and remove viruses. Update the virus database frequently to get new virus signatures.
- Install firewall software, which hampers or prevents the functionality of worms and Trojan horses.
- Make sure that e-mail attachments are secure.
- Do not keep a floppy disk in the drive when starting a program, unless you are sure that it does not include malicious software; otherwise a virus will be copied into the boot sector.
