IS364 - Lecture 03 - Network Security-Intrusion PDF
Intrusion
4/27/2009
Intrusion Techniques
• aim to increase privileges on system
• basic attack methodology
– target acquisition and information gathering
– initial access
– privilege escalation
– covering tracks
• key goal often is to acquire passwords
• so then exercise access rights of owner
Password Guessing
• one of the most common attacks
• attacker knows a login (from email/web page etc)
• then attempts to guess password for it
– try default passwords shipped with systems
– try all short passwords
– then try by searching dictionaries of common words
– intelligent searches try passwords associated with the user
(variations on names, birthday, phone, common
words/interests)
– before exhaustively searching all possible passwords
• check by login attempt or against stolen password file
• success depends on password chosen by user
• surveys show many users choose poorly
Password Learning Techniques
(items 1–6 make up the "guess attack")
1. Try default passwords used with standard accounts shipped with the system
2. Exhaustive try of all short passwords
3. Try words in system’s dictionary or list of likely passwords (hacker bulletin boards)
4. Collect information about users (full names, names of spouses and children, pictures and books in their office, related hobbies)
5. Try users’ phone numbers, social security numbers, room numbers
6. Try all legitimate license plate numbers
7. Use a trojan horse
8. Tap the line between a remote user and the system
Password Capture
• Another attack involves password capture
– watching over shoulder as password is entered
– using a trojan horse program to collect
– monitoring an insecure network login (eg. telnet,
FTP, web, email)
– extracting recorded info after successful login
(web history/cache, last number dialed etc)
• using valid login/password can impersonate
user
• users need to be educated to use suitable
precautions/countermeasures
Intrusion Detection
• inevitably will have security failures
• so need also to detect intrusions so can
– block if detected quickly
– act as deterrent
– collect info to improve security
• assume intruder will behave differently
to a legitimate user
– but will have imperfect distinction between
Audit Records
• fundamental tool for intrusion detection
• native audit records
– part of all common multi-user O/S
– already present for use
– may not have info wanted in desired form
• detection-specific audit records
– created specifically to collect wanted info
– at cost of additional overhead on system
Statistical Anomaly Detection
• threshold detection
– count occurrences of specific event over time
– if exceed reasonable value assume intrusion
– alone is a crude & ineffective detector
• profile based
– characterize past behavior of users
– detect significant deviations from this
– profile usually multi-parameter
Audit Record Analysis
• foundation of statistical approaches
• analyze records to get metrics over time
– counter, gauge, interval timer, resource use
• use various tests on these to determine if
current behavior is acceptable
– mean & standard deviation, multivariate, Markov
process, time series, operational
• key advantage is no prior knowledge used
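Profile-based statistical anomaly detection as described on these two slides, written as an added example for this lecture (not code from the original slides): a per-user profile of mean and standard deviation is built from historical audit counters, and a current session is flagged when any counter sits more than a threshold number of standard deviations from its mean. The metric names, the ten historical sessions and the 3-sigma threshold are all constructed assumptions for the example.

```python
import statistics

# Constructed audit-record counters for one user over ten past sessions
# (sample data for this example; the metric names are assumed, not from the slides).
ALICE_HISTORY = [
    {"logins": 2, "files": 40, "failed_cmds": 0},
    {"logins": 3, "files": 45, "failed_cmds": 1},
    {"logins": 2, "files": 38, "failed_cmds": 0},
    {"logins": 3, "files": 42, "failed_cmds": 1},
    {"logins": 2, "files": 41, "failed_cmds": 0},
    {"logins": 3, "files": 39, "failed_cmds": 0},
    {"logins": 2, "files": 44, "failed_cmds": 1},
    {"logins": 3, "files": 43, "failed_cmds": 0},
    {"logins": 2, "files": 40, "failed_cmds": 1},
    {"logins": 3, "files": 42, "failed_cmds": 0},
]

# Two constructed "current" sessions to test against the profile.
NORMAL_SESSION = {"logins": 2, "files": 43, "failed_cmds": 1}
SUSPICIOUS_SESSION = {"logins": 3, "files": 900, "failed_cmds": 25}


def build_profile(records):
    """Per-metric (mean, population std dev) computed from historical audit counters."""
    profile = {}
    for metric in records[0]:
        values = [r[metric] for r in records]
        profile[metric] = (statistics.mean(values), statistics.pstdev(values))
    return profile


def z_scores(profile, session):
    """How many standard deviations each current counter sits from its profile mean."""
    scores = {}
    for metric, (mean, sd) in profile.items():
        diff = session[metric] - mean
        if sd == 0:
            # A metric that never varied historically: any change at all is maximally surprising.
            scores[metric] = 0.0 if diff == 0 else float("inf")
        else:
            scores[metric] = diff / sd
    return scores


def anomalies(profile, session, threshold=3.0):
    """Metrics whose deviation exceeds the threshold; an empty dict means the session looks acceptable."""
    return {m: z for m, z in z_scores(profile, session).items() if abs(z) > threshold}


if __name__ == "__main__":
    prof = build_profile(ALICE_HISTORY)
    print(anomalies(prof, NORMAL_SESSION))      # nothing flagged
    print(anomalies(prof, SUSPICIOUS_SESSION))  # "files" and "failed_cmds" flagged
```

Note that no knowledge of a specific attack is needed: the detector only knows what this user's past sessions looked like, which is the "no prior knowledge" advantage the slide mentions, and also why a profile built during a quiet period can be fooled by an attacker who ramps up slowly.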
Rule-Based Intrusion Detection
• observe events on system & apply rules to
decide if activity is suspicious or not
• rule-based anomaly detection
– analyze historical audit records to identify usage
patterns & auto-generate rules for them
– then observe current behavior & match against
rules to see if conforms
– like statistical anomaly detection does not require
prior knowledge of security flaws
Rule-Based Intrusion Detection
• rule-based penetration identification
– uses expert systems technology
– with rules identifying known penetration,
weakness patterns, or suspicious behavior
– rules usually machine & O/S specific
– rules are generated by experts who interview &
codify knowledge of security admins
– quality depends on how well this is done
– compare audit records or states against rules
Base-Rate Fallacy
• in practice an intrusion detection system
needs to detect a substantial percentage of
intrusions with few false alarms
– if too few intrusions detected -> false sense of security
– if too many false alarms -> ignored / waste of time
• this is very hard to do
• existing systems seem not to have a good record
Distributed Intrusion Detection
• traditional focus is on single systems
• but typically have networked systems
• more effective defense has these working
together to detect intrusions
• issues
– dealing with varying audit record formats
– integrity & confidentiality of networked data
– centralized or decentralized architecture
Distributed Intrusion Detection - Architecture
Honeypots
• Decoy (trick) systems to lure attackers
– away from accessing critical systems
– to collect information of their activities
– to encourage attacker to stay on system so
administrator can respond
• are filled with fabricated information
• instrumented to collect detailed information
on attackers’ activities
• may be single or multiple networked systems
Password Management
• front-line defense against intruders
• users supply both:
– login – determines privileges of that user
– password – to identify them
• passwords often stored encrypted
– Unix uses multiple DES
– more recent systems use crypto hash
function
Managing Passwords
• need policies and good user education
• ensure every account has a default password
• ensure users change the default passwords
to something they can remember
• protect password file from general access
• set technical policies to enforce good
passwords
– minimum length (>6)
– require a mix of upper & lower case letters,
numbers, punctuation
– block known dictionary words
Managing Passwords
• may reactively run password guessing tools
– note that good dictionaries exist for almost any
language/interest group
• may enforce periodic changing of passwords
• have system monitor failed login attempts, &
lockout account if see too many in a short period
• do need to educate users and get support
• balance requirements with user acceptance
• be aware of social engineering attacks
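The "monitor failed login attempts and lock out the account" control from this slide, as an added example (not code from the slides): a small detector parses a constructed, syslog-like authentication log and locks an account once its failed logins reach a threshold inside a sliding time window. The log line format, the user names, the addresses, the five-failures-in-five-minutes policy and the rule that a successful login clears the failure history are all assumptions made for the example; real sshd messages are laid out differently.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log for this example (format assumed; timestamps are ISO 8601).
SAMPLE_LOG = """\
2009-04-27T09:00:01 sshd: Failed password for bob from 10.0.0.5
2009-04-27T09:00:03 sshd: Failed password for bob from 10.0.0.5
2009-04-27T09:00:05 sshd: Failed password for bob from 10.0.0.5
2009-04-27T09:00:07 sshd: Failed password for bob from 10.0.0.5
2009-04-27T09:00:09 sshd: Failed password for bob from 10.0.0.5
2009-04-27T09:01:00 sshd: Failed password for alice from 10.0.0.8
2009-04-27T09:01:10 sshd: Failed password for alice from 10.0.0.8
2009-04-27T09:01:20 sshd: Accepted password for alice from 10.0.0.8
2009-04-27T09:02:00 sshd: Failed password for carol from 10.0.0.9
2009-04-27T09:02:05 sshd: Failed password for carol from 10.0.0.9
2009-04-27T09:02:10 sshd: Failed password for carol from 10.0.0.9
2009-04-27T09:30:00 sshd: Failed password for carol from 10.0.0.9
2009-04-27T09:30:05 sshd: Failed password for carol from 10.0.0.9
2009-04-27T09:30:10 sshd: Failed password for carol from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, source) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def lockouts(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Accounts whose failed logins reached max_failures inside a sliding time window.

    Returns {user: time_of_lockout}. A successful login clears the user's recent-failure
    history, so occasional typos spread over a day never accumulate into a lockout.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures, oldest first
    locked = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, _src = parsed
        if user in locked:
            continue
        if result == "Accepted":
            recent[user].clear()
            continue
        failures = recent[user]
        failures.append(ts)
        while failures and ts - failures[0] > window:   # forget failures outside the window
            failures.popleft()
        if len(failures) >= max_failures:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    for user, when in lockouts(SAMPLE_LOG).items():
        print(f"lock {user} at {when.isoformat()}")   # only bob
```

In the constructed log, bob trips the policy, alice's two typos are wiped by her successful login, and carol's two bursts of three failures are half an hour apart so neither reaches the threshold within the window. Lowering the threshold to three would lock carol as well, which illustrates the slide's "balance requirements with user acceptance" point: a tight policy catches slow guessing but also lets anyone lock a victim out by deliberately failing logins against their name.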
Proactive Password Checking
• most promising approach to improving
password security
• allow users to select own password
• but have system verify it is acceptable
– compare against dictionary of bad passwords
– use algorithmic techniques (Markov model or Bloom filter) to
detect poor choices
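Both algorithmic techniques from this slide, written as an added example (not code from the slides): a Bloom filter holds the dictionary of bad passwords compactly, and a first-order Markov (bigram) model trained on that same dictionary rejects candidates that merely look like dictionary words, including ones the filter has never seen. The ten-word dictionary, the filter size, the add-one smoothing and the "word-likeness" threshold of -3.0 mean log-probability per transition are assumptions chosen for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed list of weak passwords standing in for a real bad-password dictionary.
BAD_PASSWORDS = ["password", "letmein", "welcome", "monkey", "dragon",
                 "qwerty", "baseball", "football", "sunshine", "princess"]


class BloomFilter:
    """Compact set-membership test: no false negatives, a small tunable rate of false positives."""

    def __init__(self, m_bits=1024, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # k bit positions derived from SHA-256 with a per-hash prefix
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


class BigramModel:
    """First-order Markov model over letters, trained on the bad-password list."""

    ALPHABET = "abcdefghijklmnopqrstuvwxyz"

    def __init__(self, words):
        self.counts = defaultdict(Counter)   # letter -> Counter of following letters
        for w in words:
            letters = self._letters(w)
            for a, b in zip(letters, letters[1:]):
                self.counts[a][b] += 1

    @classmethod
    def _letters(cls, s):
        return "".join(c for c in s.lower() if c in cls.ALPHABET)

    def score(self, candidate):
        """Mean log-probability per letter transition (add-one smoothing); higher means more word-like."""
        letters = self._letters(candidate)
        if len(letters) < 2:
            return float("-inf")
        total = 0.0
        for a, b in zip(letters, letters[1:]):
            row = self.counts.get(a, Counter())
            total += math.log((row[b] + 1) / (sum(row.values()) + len(self.ALPHABET)))
        return total / (len(letters) - 1)


def build_checker(bad_passwords):
    bloom = BloomFilter()
    for w in bad_passwords:
        bloom.add(w.lower())
    return bloom, BigramModel(bad_passwords)


def check_password(candidate, bloom, model, min_len=8, word_like_threshold=-3.0):
    """Return the reasons a candidate is rejected; an empty list means it is acceptable."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append("too short")
    if candidate.lower() in bloom:
        reasons.append("in bad-password dictionary")
    if model.score(candidate) > word_like_threshold:
        reasons.append("too word-like")
    return reasons


if __name__ == "__main__":
    bloom, model = build_checker(BAD_PASSWORDS)
    for pw in ["password", "Passw0rd", "x9#Qv!2Lp"]:
        print(pw, check_password(pw, bloom, model))
```

The Bloom filter needs only a few bits per dictionary entry, so a multi-million-word list fits in memory on the login host; the price is a small chance of rejecting a perfectly good password as "in the dictionary", which is the acceptable direction for this error. The Markov score is what catches near-misses such as a dictionary word with a digit appended.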
Intrusion Prevention Mechanisms
• Antivirus Approaches
• Advanced Techniques
– Generic Decryption
– Digital Immune System
– Behavior-Blocking Software
• Firewalls
Antivirus Approaches
• Detection – determine that it has occurred
and locate the virus
• Identification – identify the specific virus
• Removal – remove all traces and restore
the program to its original state
Generations of Antivirus Software
• First: simple scanners (record of
program lengths)
• Second: heuristic scanners (integrity
checking with checksums)
• Third: activity traps (memory resident,
detect infected actions)
• Fourth: full-featured protection (suite of
antivirus techniques, access control
capability)
Generic Decryption
• Easily detects even most complex
polymorphic virus
• No damage to the personal computer
• Contains following elements:
– CPU emulator – software based virtual
computer
– Virus signature scanner – scans target
code for known signatures
– Emulation control module – control
execution of target code
Digital Immune System
• Pioneered by IBM
• Response to rate of virus propagation
– Integrated mail systems - Outlook
– Mobile program systems – ActiveX, Java
• Expands the use of program emulation
• Depends on a central virus analysis machine
Digital Immune System
Behavior-Blocking Software
• Monitors program behavior in real-time for
malicious actions – part of OS
• Looks for well-defined requests to the OS:
modifications to files, disk formats, mods to
scripts or macros, changes in config settings,
open network connections, etc.
• IPS – Intrusion Prevention Systems
Malicious Code Protection
Types of Products
• Scanners - identify known malicious code -
search for signature strings
• Integrity Checkers – determine if code has been
altered or changed – checksum based
• Vulnerability Monitors - prevent modification or
access to particularly sensitive parts of the
system – user defined
• Behavior Blockers - list of rules that a legitimate
program must follow – sandbox concept
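The first two product types on this slide, a signature scanner and a checksum-based integrity checker, as an added example (not code from the slides). The integrity checker records a SHA-256 checksum for every file in a tree while it is known-good and later reports files that changed, appeared or disappeared; the scanner searches file contents for known signature strings. The signature names and byte patterns are arbitrary constructed values for the example, not real malware signatures, and the demo tree lives in a temporary directory so the example runs offline.

```python
import hashlib
import os
import tempfile

# Constructed signature strings standing in for an antivirus signature database
# (arbitrary byte patterns chosen for this example, not real malware signatures).
SIGNATURES = {
    "Example.Dropper.A": b"EXAMPLE-SIG-DROPPER-A",
    "Example.Worm.B": b"EXAMPLE-SIG-WORM-B",
}


def scan_for_signatures(data, signatures=SIGNATURES):
    """Scanner: names of the known signature strings found in the data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Integrity checker, step 1: checksum every file under root while it is known-good."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_of_file(path)
    return baseline


def compare_baselines(old, new):
    """Integrity checker, step 2: files whose checksum changed, appeared or vanished."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Create a throwaway tree, baseline it, tamper with it, and return both products' findings."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "app.bin"), "wb") as f:
            f.write(b"legitimate program bytes")
        with open(os.path.join(root, "README"), "wb") as f:
            f.write(b"docs")
        before = build_baseline(root)
        # Simulated tampering: append a constructed signature to the program,
        # delete one file and drop an unexpected new one into the tree.
        with open(os.path.join(root, "app.bin"), "ab") as f:
            f.write(SIGNATURES["Example.Dropper.A"])
        os.remove(os.path.join(root, "README"))
        with open(os.path.join(root, "new.dll"), "wb") as f:
            f.write(b"unexpected")
        after = build_baseline(root)
        with open(os.path.join(root, "app.bin"), "rb") as f:
            hits = scan_for_signatures(f.read())
        return compare_baselines(before, after), hits


if __name__ == "__main__":
    changes, hits = demo()
    print(changes)   # app.bin modified, new.dll added, README removed
    print(hits)      # ['Example.Dropper.A']
```

The two products fail in opposite directions: the scanner only finds code whose signature it already holds, while the integrity checker notices any change at all but cannot say whether the change was a legitimate update, which is why the baseline itself must be stored where an intruder cannot rewrite it.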
Summary
• have considered:
– problem of intrusion
– intrusion detection (statistical & rule-based)
– password management
– Intrusion Prevention Mechanisms
Important URLs
• http://www.cert.org/
Originally DARPA’s computer emergency response team. An essential security site
• http://www.research.ibm.com/antivirus/
IBM’s site on virus information. Very good papers
• http://www.afsa.org/fsj/sept00/Denning.cfm
Hacktivism: An Emerging Threat to Diplomacy, another Denning term along with Information Warfare
• http://csrc.nist.gov/virus/
Computer Security Resources Center – Virus information and alerts