
Fourth Edition by William Stallings

The key points covered in the document are: 1. Intrusion detection is an important issue for networked systems due to threats from hostile access both via network and locally. 2. Common intrusion detection approaches include statistical anomaly detection, rule-based detection, and rule-based penetration identification. 3. Password management is crucial for security, but users often choose poor passwords. Techniques for managing passwords include education, computer-generated passwords, password cracking, and enforced password checking.

Uploaded by Deepika Lal
Copyright
© Attribution Non-Commercial (BY-NC)

Fourth Edition
by William Stallings

slides by M.S.DEEPIKA
• significant issue for networked systems is hostile or unwanted access
• either via network or local
• can identify classes of intruders:
  - masquerader
  - misfeasor
  - clandestine user
• varying levels of competence

• clearly a growing publicized problem
  - from "Wily Hacker" in 1986/87
  - to clearly escalating CERT stats
• may seem benign, but still cost resources
• may use compromised system to launch other attacks
• awareness of intruders has led to the development of CERTs

• aim to gain access and/or increase privileges on a system
• basic attack methodology
  - target acquisition and information gathering
  - initial access
  - privilege escalation
  - covering tracks
• key goal often is to acquire passwords
• so then exercise access rights of owner
• one of the most common attacks
• attacker knows a login (from email/web page etc)
• then attempts to guess password for it
  - defaults, short passwords, common word searches
  - user info (variations on names, birthday, phone, common words/interests)
  - exhaustively searching all possible passwords
• check by login or against stolen password file
• success depends on password chosen by user
• surveys show many users choose poorly

• another attack involves:
  - watching over shoulder as password is entered
  - using a trojan horse program to collect
  - monitoring an insecure network login
    - e.g. telnet, FTP, web, email
  - extracting recorded info after successful login (web history/cache, last number dialed etc)
• using valid login/password can impersonate user
• users need to be educated to use suitable precautions/countermeasures

• inevitably will have security failures
• so need also to detect intrusions so can
  - block if detected quickly
  - act as deterrent
  - collect info to improve security
• assume intruder will behave differently to a legitimate user
  - but will have imperfect distinction between
• statistical anomaly detection
  - threshold
  - profile based
• rule-based detection
  - anomaly
  - penetration identification
• fundamental tool for intrusion detection
• native audit records
  - part of all common multi-user O/S
  - already present for use
  - may not have info wanted in desired form
• detection-specific audit records
  - created specifically to collect wanted info
  - at cost of additional overhead on system

• threshold detection
  - count occurrences of specific event over time
  - if exceed reasonable value assume intrusion
  - alone is a crude & ineffective detector
• profile based
  - characterize past behavior of users
  - detect significant deviations from this
  - profile usually multi-parameter

• foundation of statistical approaches
• analyze records to get metrics over time
  - counter, gauge, interval timer, resource use
• use various tests on these to determine if current behavior is acceptable
  - mean & standard deviation, multivariate, markov process, time series, operational
• key advantage is no prior knowledge used
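The two statistical approaches above, threshold detection and profile-based detection with a mean & standard deviation test, worked through on a handful of constructed audit records. This is an added example and is not code from the slides or from Stallings; the record layout (user, event, time) and the per-user metric profiles are assumptions made for the illustration.

```python
import statistics

# Constructed native audit records: (user, event, time in seconds since start of day)
AUDIT_RECORDS = [
    ("alice", "login_fail", 0), ("alice", "login_ok", 30),
    ("alice", "file_read", 60), ("alice", "file_read", 120),
    ("bob", "login_fail", 10), ("bob", "login_fail", 15),
    ("bob", "login_fail", 20), ("bob", "login_fail", 25),
    ("bob", "login_fail", 28), ("bob", "login_fail", 40),
]

# Constructed multi-parameter profile: several days of per-user metric values
# (a counter, a resource-use measure and a constant one to show the zero-variance case)
PROFILE_HISTORY = {
    "alice": {
        "file_reads": [10, 12, 11, 13, 9],
        "cpu_seconds": [100, 90, 110, 95, 105],
        "logins": [1, 1, 1, 1, 1],
    },
}


def threshold_detect(records, event, limit, window):
    """Threshold detection: flag a user when `event` occurs at least `limit`
    times within any `window` seconds. Returns the set of flagged users."""
    times_by_user = {}
    for user, ev, t in records:
        if ev == event:
            times_by_user.setdefault(user, []).append(t)
    flagged = set()
    for user, times in times_by_user.items():
        times.sort()
        # slide a window of `limit` consecutive occurrences over the sorted times
        for i in range(len(times) - limit + 1):
            if times[i + limit - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


def profile_deviation(history, current, k=3.0):
    """Profile-based detection: return the metrics whose current value lies
    more than k standard deviations away from the user's historical mean."""
    deviant = []
    for metric, value in sorted(current.items()):
        past = history.get(metric)
        if not past:
            continue  # no profile for this metric yet, nothing to compare against
        mean = statistics.mean(past)
        sd = statistics.pstdev(past)
        if sd == 0:
            # constant history: any change at all counts as a deviation
            if value != mean:
                deviant.append(metric)
        elif abs(value - mean) > k * sd:
            deviant.append(metric)
    return deviant


if __name__ == "__main__":
    print("threshold hits:", threshold_detect(AUDIT_RECORDS, "login_fail", 5, 60))
    today = {"file_reads": 30, "cpu_seconds": 100, "logins": 1}
    print("profile deviations for alice:", profile_deviation(PROFILE_HISTORY["alice"], today))
```

The threshold detector alone is crude, as the slide says: it knows nothing about who normally fails logins, so the `limit` and `window` have to be tuned by hand. The profile test needs no such tuning beyond `k`, but a metric whose history never varies has a standard deviation of zero, so the code treats any change as a deviation rather than dividing by zero.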
• observe events on system & apply rules to decide if activity is suspicious or not
• rule-based anomaly detection
  - analyze historical audit records to identify usage patterns & auto-generate rules for them
  - then observe current behavior & match against rules to see if conforms
  - like statistical anomaly detection does not require prior knowledge of security flaws

• rule-based penetration identification
  - uses expert systems technology
  - with rules identifying known penetration, weakness patterns, or suspicious behavior
  - compare audit records or states against rules
  - rules usually machine & O/S specific
  - rules are generated by experts who interview & codify knowledge of security admins
  - quality depends on how well this is done
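Rule-based penetration identification as a small rule engine run over constructed audit records: each rule encodes a known penetration or weakness pattern and is compared against every record, with the preceding records available as history. This is an added example, not code from the slides or from Stallings; the record fields, the four rules and their thresholds are assumptions chosen for the illustration.

```python
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59, an assumed site policy

# Constructed audit records, in the order the system generated them
AUDIT_RECORDS = [
    {"user": "alice", "event": "login", "result": "ok", "src": "10.0.0.5", "hour": 9},
    {"user": "root", "event": "login", "result": "ok", "src": "10.0.0.9", "hour": 10},
    {"user": "bob", "event": "login", "result": "fail", "src": "10.0.0.7", "hour": 2},
    {"user": "bob", "event": "login", "result": "fail", "src": "10.0.0.7", "hour": 2},
    {"user": "bob", "event": "login", "result": "fail", "src": "10.0.0.7", "hour": 2},
    {"user": "bob", "event": "login", "result": "ok", "src": "10.0.0.7", "hour": 2},
    {"user": "alice", "event": "chmod", "target": "/etc/passwd", "mode": "0777", "hour": 11},
]


def is_login_ok(rec):
    return rec["event"] == "login" and rec["result"] == "ok"


def rule_root_remote_login(rec, history):
    """Weakness pattern: the privileged account logs in from anywhere but the console."""
    return is_login_ok(rec) and rec["user"] == "root" and rec["src"] != "console"


def rule_off_hours_login(rec, history):
    """Suspicious behaviour: a successful login outside business hours."""
    return is_login_ok(rec) and rec["hour"] not in BUSINESS_HOURS


def rule_guessing_then_success(rec, history, failures=3, lookback=10):
    """Penetration pattern: a success preceded by repeated failures for the
    same account from the same source within the last `lookback` records."""
    if not is_login_ok(rec):
        return False
    fails = sum(1 for h in history[-lookback:]
                if h["event"] == "login" and h["result"] == "fail"
                and h["user"] == rec["user"] and h["src"] == rec["src"])
    return fails >= failures


def rule_sensitive_file_world_writable(rec, history):
    """Weakness pattern: a sensitive system file made writable by everyone."""
    if rec["event"] != "chmod" or rec.get("target") not in SENSITIVE_FILES:
        return False
    others = int(rec["mode"][-1], 8)   # last octal digit holds the 'other' permission bits
    return bool(others & 0o2)


# The codified expert knowledge: (rule name, predicate over record and history)
RULES = [
    ("root_remote_login", rule_root_remote_login),
    ("off_hours_login", rule_off_hours_login),
    ("guessing_then_success", rule_guessing_then_success),
    ("sensitive_file_world_writable", rule_sensitive_file_world_writable),
]


def evaluate_rules(records, rules=RULES):
    """Compare each audit record against the rule set; return (record index, rule name) hits."""
    hits = []
    for i, rec in enumerate(records):
        history = records[:i]
        for name, rule in rules:
            if rule(rec, history):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for index, name in evaluate_rules(AUDIT_RECORDS):
        print(f"record {index}: {name} -> {AUDIT_RECORDS[index]}")
```

Every rule here is specific to one machine's conventions (which files are sensitive, which hours are normal, what "console" means), which is the slide's point that such rules are machine & O/S specific and only as good as the expert knowledge behind them. Record 5 trips two rules at once, which is why the engine reports all matching rules rather than stopping at the first.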
• practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
  - if too few intrusions detected -> false security
  - if too many false alarms -> ignore / waste time
• this is very hard to do
• existing systems seem not to have a good record
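Why "few false alarms" is so hard is best seen with Bayes' rule: intrusions are a tiny fraction of audited events, so even a small per-event false alarm rate swamps the true alarms. The functions below carry that calculation through; they are an added example, not from the slides or from Stallings, and the rates and volumes used are constructed illustrations rather than measured figures.

```python
def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alarm) by Bayes' rule.
    base_rate:        fraction of audited events that are intrusions, P(I)
    detection_rate:   P(alarm | intrusion)
    false_alarm_rate: P(alarm | no intrusion)"""
    true_alarms = base_rate * detection_rate
    false_alarms = (1 - base_rate) * false_alarm_rate
    return true_alarms / (true_alarms + false_alarms)


def required_false_alarm_rate(base_rate, detection_rate, target_precision):
    """Largest P(alarm | no intrusion) that still achieves the target P(intrusion | alarm).
    Solves precision = bD / (bD + (1-b)F) for F."""
    true_alarms = base_rate * detection_rate
    return true_alarms * (1 - target_precision) / (target_precision * (1 - base_rate))


def daily_alarm_counts(events_per_day, base_rate, detection_rate, false_alarm_rate):
    """Expected (true alarms, false alarms) per day, i.e. what lands in the analyst's queue."""
    intrusions = events_per_day * base_rate
    return (intrusions * detection_rate,
            (events_per_day - intrusions) * false_alarm_rate)


if __name__ == "__main__":
    # constructed figures: 1 in 1000 events is an intrusion, 90% of them are caught,
    # and the detector raises a false alarm on 1% of benign events
    b, d, f = 0.001, 0.9, 0.01
    print(f"P(intrusion | alarm) = {alarm_precision(b, d, f):.3f}")
    print("true/false alarms per day:", daily_alarm_counts(1_000_000, b, d, f))
    print(f"false alarm rate needed for 50% precision: {required_false_alarm_rate(b, d, 0.5):.6f}")
```

With those constructed numbers only about 8% of alarms are real, so an analyst sees roughly eleven false alarms for every true one, which is exactly the "ignore / waste time" failure on the slide. Pushing precision to even 50% at that base rate requires a false alarm rate below 0.1% per event, an order of magnitude tighter, without giving up the 90% detection rate.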
• traditional focus is on single systems
• but typically have networked systems
• more effective defense has these working together to detect intrusions
• issues
  - dealing with varying audit record formats
  - integrity & confidentiality of networked data
  - centralized or decentralized architecture

• decoy systems to lure attackers
  - away from accessing critical systems
  - to collect information of their activities
  - to encourage attacker to stay on system so administrator can respond
• are filled with fabricated information
• instrumented to collect detailed information on attackers' activities
• single or multiple networked systems
• cf IETF Intrusion Detection WG standards
• front-line defense against intruders
• users supply both:
  - login - determines privileges of that user
  - password - to identify them
• passwords often stored encrypted
  - Unix uses multiple DES (variant with salt)
  - more recent systems use crypto hash function
• should protect password file on system
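The salted one-way storage scheme described above, written with a modern crypto hash function (PBKDF2 over SHA-256 from Python's standard library) rather than the DES-based Unix crypt. This is an added example, not code from the slides, from Stallings, or from any real login system; the record format and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000     # assumed work factor; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.
    A fresh random salt per password means two users with the same password get
    different records, and a precomputed table of digests cannot be reused."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so a mismatch reveals nothing about which bytes differed."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported password hash: " + algorithm)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    # constructed sample: the same password stored twice gets two different records
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print(first)
    print(second)
    print("records differ:", first != second)
    print("verify ok:", verify_password("correct horse battery staple", first))
    print("verify wrong:", verify_password("Correct horse battery staple", first))
```

Storing the algorithm name and iteration count alongside the salt is what lets the password file be migrated: when the work factor is raised, old records still verify, and can be rewritten the next time the user logs in. The file still has to be protected, as the slide says; the salt and hash only limit what an attacker gains from a copy, they do not make the copy harmless.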
• Purdue 1992 - many short passwords
• Klein 1990 - many guessable passwords
• conclusion is that users choose poor passwords too often
• need some approach to counter this
• can use policies and good user education
• educate on importance of good passwords
• give guidelines for good passwords
  - minimum length (>6)
  - require a mix of upper & lower case letters, numbers, punctuation
  - not dictionary words
• but likely to be ignored by many users

• let computer create passwords
• if random likely not memorisable, so will be written down (sticky label syndrome)
• even pronounceable not remembered
• have history of poor user acceptance
• FIPS PUB 181 one of best generators
  - has both description & sample code
  - generates words from concatenating random pronounceable syllables
• reactively run password guessing tools
  - note that good dictionaries exist for almost any language/interest group
• cracked passwords are disabled
• but is resource intensive
• bad passwords are vulnerable till found
• most promising approach to improving password security
• allow users to select own password
• but have system verify it is acceptable
  - simple rule enforcement (see earlier slide)
  - compare against dictionary of bad passwords
  - use algorithmic (markov model or bloom filter) to detect poor choices
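A proactive password checker combining the three mechanisms above: the rule set from the education slide (length >6, mixed case, digits, punctuation, no dictionary words), a bad-password dictionary, and a Bloom filter as the compact structure holding that dictionary. This is an added example, not code from the slides or from Stallings; the tiny word list, the filter size and the number of hash functions are assumptions for the illustration.

```python
import hashlib
import string


class BloomFilter:
    """Compact set membership for a large bad-password dictionary. It never
    misses a word that was added, but may report a word that was not (a false
    positive), so a good password is occasionally rejected and never the reverse."""

    def __init__(self, size_bits=8192, hashes=4):
        self.size = size_bits
        self.hashes = hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item):
        # k independent hash values derived from one SHA-256 by varying a prefix
        for i in range(self.hashes):
            h = hashlib.sha256(f"{i}:{item}".encode("utf-8")).digest()
            yield int.from_bytes(h, "big") % self.size

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


# Constructed stand-in for a real bad-password dictionary (lower-cased on insertion)
BAD_PASSWORDS = BloomFilter()
for word in ["password", "letmein", "qwerty", "123456", "welcome", "monkey", "dragon"]:
    BAD_PASSWORDS.add(word)


def check_password(password, bad_words=BAD_PASSWORDS):
    """Proactive check: return the reasons a candidate password is unacceptable
    (an empty list means it passes every rule)."""
    reasons = []
    if len(password) <= 6:
        reasons.append("too short (more than 6 characters required)")
    if not any(c.isupper() for c in password):
        reasons.append("no upper-case letter")
    if not any(c.islower() for c in password):
        reasons.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        reasons.append("no digit")
    if not any(c in string.punctuation for c in password):
        reasons.append("no punctuation")
    if password.lower() in bad_words:
        reasons.append("matches bad-password dictionary")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "Ab1!", "Gr8!mountain-Pass"]:
        print(repr(candidate), "->", check_password(candidate) or "acceptable")
```

The filter keeps the whole dictionary in 1 KiB here regardless of how many words it holds; a production list of millions of entries would need a larger bit array and the false-positive rate is then set by the ratio of bits to entries and the number of hash functions. A false positive only costs a user one extra attempt at choosing a password, which is the right way round for this use.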
• have considered:
  - problem of intrusion
  - intrusion detection (statistical & rule-based)
  - password management
