UNIT-3

INFORMATION NETWORK SECURITY

 Here both services may be used for the same message. First,
a signature is generated for the plaintext message and
prepended to the message. Then the plaintext plus the
signature is encrypted using CAST-128 and the session key is
encrypted using RSA.
3. Compression
 As a default, PGP compresses the message after applying the
signature but before encryption. This has the benefit of saving
space for both e-mail transmission and for file storage.
The signature is generated before compression for two
reasons:

 o It is preferable to sign an uncompressed message so that

one can store only the uncompressed message together with
the signature for future verification. If one signed a
compressed document, then it would be necessary either to
store a compressed version of the message for later
verification or to recompress the message when verification
is required.
 Even if one were willing to generate dynamically a
recompressed message for verification, PGP‟s compression
algorithm presents a difficulty. The algorithm is not
deterministic; various implementations of the algorithm
achieve different tradeoffs in running speed versus
compression ratio and as a result, produce different
compression forms.
 Message encryption is applied after compression to
strengthen cryptographic security. Because the compressed
message has less redundancy than the original plaintext,
cryptanalysis is more difficult. The compression algorithm
used is ZIP.
4. e-mail compatibility
 Many electronic mail systems only permit the use of blocks
consisting of ASCII texts. To accommodate this restriction,
PGP provides the service of

 converting the raw 8-bit binary stream to a stream of
printable ASCII characters. The scheme used for this purpose
is radix-64 conversion. Each group of three octets of
binary data is mapped into four ASCII characters.

 e.g., consider the 24-bit (3 octets) raw text sequence

00100011 01011100 10010001, we can express this input in
block of 6-bits to produce 4 ASCII characters.
5. Segmentation and reassembly
 E-mail facilities often are restricted to a maximum length.
E.g., many of the facilities accessible through the internet
impose a maximum length of 50,000 octets. Any message
longer than that must be broken up into smaller segments,
each of which is mailed separately.
 To accommodate this restriction, PGP automatically
subdivides a message that is too large into segments that are
small enough to send via e-mail. The segmentation is done
after all the other processing, including the radix-64
conversion. At the receiving end, PGP must strip off all e-
mail headers and reassemble the entire original block before
performing the other steps.
2. PGP Operation Summary:
Cryptographic keys and key rings
Three separate requirements can be identified with respect to
these keys:

 A means of generating unpredictable session keys is needed.

 It must allow a user to have multiple public key/private key

pairs.

 Each PGP entity must maintain a file of its own

public/private key pairs as well as a file of public keys of
correspondents.
1. Session key generation

 Each session key is associated with a single message and is

used only for the purpose of encryption and decryption of
that message. Random 128-bit numbers are generated using
CAST-128 itself. The input to the random number generator
consists of a 128-bit key and two 64-bit blocks that are
treated as plaintext to be encrypted. Using cipher feedback
mode, the CAST-128 produces two 64-bit cipher text blocks,
which are concatenated to form the 128-bit session key. The
plaintext input to CAST-128 is itself derived from a stream of
128-bit randomized numbers. These numbers are based on
the keystroke input from the user.
2. Key identifiers
 If multiple public/private key pair are used, then how does
the recipient know which of the public keys was used to
encrypt the session key? One simple solution would be to
transmit the public key with the message but, it is
unnecessary wasteful of space. Another solution would be to
associate an identifier with each public key that is unique at
least within each user.
 The solution adopted by PGP is to assign a key ID to each
public key that is, with very high probability, unique within a
user ID. The key ID associated with each public key consists

 of its least significant 64 bits. i.e., the key ID of public key
KUa is
 (KUa mod 264).

message consists of three
components.
 Message component – includes actual data to be
transmitted, as well as the filename and a timestamp that
specifies the time of creation.

 Signature component – includes the following

Timestamp – time at which the signature was made.

o digest – hash code.
 o Two octets of message digest – to enable the recipient to
determine if the correct public key was used to decrypt the
message.

 o Key ID of sender‟s public key – identifies the public key

 Session key component – includes session key and the
identifier of the recipient public key.
3. Key rings
 PGP provides a pair of data structures at each node, one to
store the public/private key pair owned by that node and one
to store the public keys of the other users known at that
node. These data structures are referred to as private key ring
and public key ring.
3. The general structures of the private
and public key rings are shown below:
 Timestamp – the date/time when this entry was made.

 Key ID – the least significant bits of the public key.

 Public key – public key portion of the pair.

 Private key – private key portion of the pair.

 User ID – the owner of the key.
 Key legitimacy field – indicates the extent to which PGP
will trust that this is a valid public key for this user.
 signature trust field – indicates the degree to which this
PGP user trusts the signer to certify public key.

 Owner trust field – indicates the degree to which this

public key is trusted to sign other public key certificates.
PGP message generation
 First consider message transmission and assume that the
message is to be both signed and encrypted. The sending PGP
entity performs the following steps:
1. Signing the message
 PGP retrieves the sender‟s private key from the private
key ring using user ID as an index.

 o If user ID was not provided, the first private key from the
ring is retrieved.

 o PGP prompts the user for the passpharse (password) to
recover the unencrypted private key.

 o The signature component of the message is constructed.
2. Encrypting the message
 PGP generates a session key and encrypts the message.

 o PGP retrieves the recipient‟s public key from the public
key ring using user ID as index.

 o The session key component of the message is
constructed.
The receiving PGP entity performs the
following steps
1. Decrypting the message
 PGP retrieves the receiver‟s private key from the private
key ring, using the key ID field in the session key component
of the message as an index.

 o PGP prompts the user for the passpharse (password) to
recover the unencrypted private key.

 o PGP then recovers the session key and decrypts the
message.
2. Authenticating the message
 PGP retrieves the sender‟s public key from the public key
ring, using the key ID field in the signature key component of
the message as an index.
 o PGP recovers the transmitted message digest.

 o PGP computes the message digest for the received

message and compares it to the transmitted message digest to
authenticate.
Public-Key Management

 This whole business of protecting public keys from

tampering is the single most difficult problem in practical
public key applications. PGP provides a structure for solving
this problem, with several suggested options that may be
used.
 1. Approaches to Public-Key Management:

 The essence of the problem is this: User A must build up a public-

key ring containing the public keys of other users to interoperate
with them using PGP. Suppose that A's key ring contains a public
key attributed to B but that the key is, in fact, owned by C. This
could happen if, for example, A got the key from a bulletin board
system (BBS) that was used by B to post the public key but that has
been compromised by C. The result is that two threats now exist.
First, C can send messages to A and forge B's signature, so that A
will accept the message as coming from B. Second, any encrypted
message from A to B can be read by C.
 A number of approaches are possible for minimizing the risk
that a user's public-key ring contains false public keys.
Suppose that A wishes to obtain a reliable public key for B.
The following are some approaches that could be used:
 Physically get the key from B. B could store her public key
(PUb) on a floppy disk and hand it to A..

 o Verify a key by telephone. If A can recognize B on the

phone, A could call B and ask her to dictate the key, in radix-
64 format, over the phone.

 o Obtain B's public key from a mutual trusted individual D.

For this purpose, the introducer, D, creates a signed
certificate. The certificate includes B's public key, the time of
creation of the key, and a validity period for the key.
 Obtain B's public key from a trusted certifying authority.
Again, a public key certificate is created and signed by the
authority. A could then access the authority, providing a user
name and receiving a signed certificate.

 For cases 3 and 4, A would already have to have a copy of the

introducer's public key and trust that this key is valid.
Ultimately, it is up to A to assign a level of trust to anyone
who is to act as an introducer.
2. The Use of Trust

 Although PGP does not include any specification for

establishing certifying authorities or for establishing trust, it
does provide a convenient means of using trust, associating
trust with public keys, and exploiting trust information.
 The basic structure is as follows. Each entry in the public-key
ring is a public-key certificate.

 Associated with each such entry is a key legitimacy field that

indicates the extent to which PGP will trust that this is a
valid public key for this user; the higher the level of trust, the
stronger is the binding of this user ID to this key. This field is
computed by PGP.
 Also associated with the entry are zero or more signatures
that the key ring owner has collected that sign this certificate.
In turn, each signature has associated with it a signature trust
field that indicates the degree to which this PGP user trusts
the signer to certify public keys.

 The key legitimacy field is derived from the collection of

signature trust fields in the entry.
 Finally, each entry defines a public key associated with a
particular owner, and an owner trust field is included that
indicates the degree to which this public key is trusted to sign
other public-key certificates; this level of trust is assigned by
the user.
 The three fields mentioned in the previous paragraph are
each contained in a structure referred to as a trust flag byte.
 Suppose that we are dealing with the public-key ring of user A. We
can describe the operation of the trust processing as follows:
 When A inserts a new public key on the public-key ring, PGP
must assign a value to the trust flag that is associated with the
owner of this public key. If the owner is A, and therefore this
public key also appears in the private-key ring, then a value of
ultimate trust is automatically assigned to the trust field.
Otherwise, PGP asks A for his assessment of the trust to be
assigned to the owner of this key, and A must enter the desired
level. The user can specify that this owner is unknown, untrusted,
marginally trusted, or completely trusted.

 When the new public key is entered, one or more signatures
may be attached to it. More signatures may be added later.
When a signature is inserted into the entry, PGP searches the
public-key ring to see if the author of this signature is among
the known public-key owners. If so, the OWNERTRUST
value for this owner is assigned to the SIGTRUST field for
this signature. If not, an unknown user value is assigned.
 The value of the key legitimacy field is calculated on the basis
of the signature trust fields present in this entry. If at least
one signature has a signature trust value of ultimate, then the
key legitimacy value is set to complete.
 The node labeled "You" refers to the entry in the public-key
ring corresponding to this user. This key is legitimate and the
OWNERTRUST value is ultimate trust. Each other node in
the key ring has an OWNERTRUST value of undefined
unless some other value is assigned by the user. In this
example, this user has specified that it always trusts the
following users to sign other keys: D, E, F, L. This user
partially trusts users A and B to sign other keys.
 So the shading, or lack thereof, of the nodes indicates the
level of trust assigned by this user. The tree structure
indicates which keys have been signed by which other users.
If a key is signed by a user whose key is also in this key ring,
the arrow joins the signed key to the signatory. If the key is
signed by a user whose key is not present in this key ring, the
arrow joins the signed key to a question mark, indicating that
the signatory is unknown to this user.
S/MIME
 S/MIME (Secure/Multipurpose Internet Mail Extension) is a
security enhancement to the MIME Internet e-mail format
standard, based on technology from RSA Data Security.
S/MIME is defined in a number of documents, most
importantly RFCs 3369, 3370, 3850 and 3851.
1. Multipurpose Internet Mail
Extensions
 MIME is an extension to the RFC 822 framework that is
intended to address some of the problems and limitations of
the use of SMTP (Simple Mail Transfer Protocol) or some
other mail transfer protocol and RFC 822 for electronic
mail. Following are the limitations of SMTP/822 scheme:
 SMTP cannot transmit executable files or other binary objects.

 2. SMTP cannot transmit text data that includes national

language characters because these are represented by 8-bit codes
with values of 128 decimal or higher, and SMTP is limited to 7-bit
ASCII.

 3. SMTP servers may reject mail message over a certain size.

 4. SMTP gateways that translate between ASCII and the

character code EBCDIC do not use a consistent set of mappings,
resulting in translation problems.
 5. SMTP gateways to X.400 electronic mail networks cannot
handle contextual data included in X.400 messages.

 6. Some SMTP implementations do not adhere completely to

the SMTP standards defined in RFC 821. Common problems
include:
 Deletion, addition, or reordering of carriage return and
linefeed
 o Truncating or wrapping lines longer than 76 characters
 o Removal of trailing white space (tab and space characters)
 o Padding of lines in a message to the same length
 o Conversion of tab characters into multiple space
characters
 MIME is intended to resolve these problems in a manner that
is compatible with existing RFC 822 implementations. The
specification is provided in RFCs 2045 through 2049.
2. Overview
 The MIME specification includes the following elements:
 1. Five new message header fields are defined, which
may be included in an RFC 822 header. These fields provide
information about the body of the message.
 2. A number of content formats are defined, thus
standardizing representations that support multimedia
electronic mail.
 3. Transfer encodings are defined that enable the
conversion of any content format into a form that is
protected from alteration by the mail system.

 In this subsection, we introduce the five message header

fields. The next two subsections deal with
 content formats and transfer encodings.
3. The five header fields defined in
MIME are as follows:
 MIME-Version: Must have the parameter value 1.0. This
field indicates that the message conforms to RFCs 2045 and
2046.

 o Content-Type: Describes the data contained in the body
with sufficient detail

 o
 Content-Transfer-Encoding: Indicates the type of
transformation that has been used to represent the body of
the message in a way that is acceptable for mail transport.

 o Content-ID: Used to identify MIME entities uniquely in
multiple contexts.

 o Content-Description: A text description of the object
with the body; this is useful when the object is not readable
(e.g., audio data).

4. MIME Content Types
 The bulk of the MIME specification is concerned with the
definition of a variety of content types. This reflects the need
to provide standardized ways of dealing with a wide variety
of information representations in a multimedia environment.

 Below lists the content types specified in RFC 2046. There

are seven different major types of content and a total of 15
subtypes
 For the text type of body, no special software is required to
get the full meaning of the text, aside from support of the
indicated character set. The primary subtype is plain text,
which is simply a string of ASCII characters or ISO 8859
characters. The enriched subtype allows greater formatting
flexibility. The multipart type indicates that the body contains
multiple, independent parts. The Content-Type header field
includes a parameter, called boundary, that defines the
delimiter between body parts.

 The multipart/digest subtype is used when each of the body
parts is interpreted as an RFC 822 message with headers.
This subtype enables the construction of a message whose
parts are individual messages. For example, the moderator of
a group might collect e-mail messages from participants,
bundle these messages, and send them out in one
encapsulating MIME message.
 The message type provides a number of important
capabilities in MIME. The message/rfc822 subtype indicates
that the body is an entire message, including header and body.
Despite the name of this subtype, the encapsulated message
may be not only a simple RFC 822 message, but also any
MIME message.

 The message/partial subtype enables fragmentation of a large
message into a number of parts, which must be reassembled
at the destination. For this subtype, three parameters are
specified in the Content-Type: Message/Partial field: an id
common to all fragments of the same message, a sequence
number unique to each fragment, and the total number of
fragments.

 The message/external-body subtype indicates that the actual
data to be conveyed in this message are not contained in the
body. Instead, the body contains the information needed to
access the data. As with the other message types, the
message/external-body subtype has an outer header and an
encapsulated message with its own header. The only
necessary field in the outer header is the Content-Type field,
which identifies this as a message/external-body subtype.
The inner header is the message header for the encapsulated
message. The Content-Type field in the outer header must
include an access-type parameter, which indicates the
method of access, such as FTP (file transfer protocol).
 The application type refers to other kinds of data, typically
either uninterpreted binary data or information to be
processed by a mail-based application.
5. MIME Transfer Encodings
 The other major component of the MIME specification, in
addition to content type specification, is a definition of transfer
encodings for message bodies. The objective is to provide reliable
delivery across the largest range of environments.
 The MIME standard defines two methods of encoding data.The
Content-Transfer-Encoding field can actually take on six values.
For SMTP transfer, it is safe to use the 7bit form. The 8bit and
binary forms may be usable in other mai transport contexts.
Another Content-Transfer-Encoding value is x-token, which
indicates that some other encoding scheme is used, for which a
name is to be supplied.The two actual encoding schemes defined
are quoted-printable and base64.
 The quoted-printable transfer encoding is useful when the
data consists largely of octets that correspond to printable
ASCII characters. In essence, it represents nonsafe characters
by the hexadecimal representation of their code and
introduces reversible (soft) line breaks to limit message lines
to 76 characters.
 The base64 transfer encoding, also known as radix-64
encoding, is a common one for encoding arbitrary binary
data in such a way as to be invulnerable to the processing by
mail transport programs.

Canonical Form
 An important concept in MIME and S/MIME is that of
canonical form. Canonical form is a format, appropriate to
the content type, that is standardized for use between
systems. This is in contrast to native form, which is a format
that may be peculiar to a particular system.
S/MIME Functionality and Messages

 S/MIME Functionality
 In terms of general functionality, S/MIME is very similar to
PGP. Both offer the ability to sign and/or encrypt messages.
In this subsection, we briefly summarize S/MIME capability.
We then look in more detail at this capability by examining
message formats and message preparation.
1. Functions

 S/MIME provides the following functions:


 · Enveloped data: This consists of encrypted content
of any type and encrypted-content encryption keys for one or
more recipients.

 · Signed data: A digital signature is formed by taking
the message digest of the content to be signed and then
encrypting that with the private key of the signer. The
content plus signature are then encoded using base64
encoding. A signed data message can only b
 viewed by a recipient with S/MIME capability.

 · Clear-signed data: As with signed data, a digital signature
of the content is formed. However, in this case, only the digital
signature is encoded using base64. As a result, recipients without
S/MIME capability can view the message content, although they
cannot verify the signature.

 · Signed and enveloped data: Signed-only and encrypted-
only entities may be nested, so that encrypted data may be signed
and signed data or clear-signed data may be encrypted.

Cryptographic Algorithms
 hash functions: SHA-1 & MD5
 · digital signatures: DSS & RSA
 · session key encryption: ElGamal & RSA
 · message encryption: Triple-DES, Others
 · have a procedure to decide which algorithms to use.
 S/MIME uses the following terminology, taken from RFC
2119 to specify the requirement level:

 · Must: The definition is an absolute requirement of the
specification. An implementation must include this feature or
function to be in conformance with the specification.

 · Should: There may exist valid reasons in particular
circumstances to ignore this feature or function, but it is
recommended that an implementation include the feature or
function.
S/MIME Messages
 S/MIME makes use of a number of new MIME content
types. All of the new application types use the designation
PKCS. This refers to a set of public-key cryptography
specifications issued by RSA Laboratories and made available
for the S/MIME effort.
 We examine each of these in turn after first looking at the
general procedures for S/MIME message preparation.
INTRUDERS
 One of the most publicized attacks to security is the intruder, generally referred
to as hacker or cracker. Three classes of intruders are as follows:

 · Masquerader – an individual who is not authorized to use the computer
and who penetrates a system‟s access controls to exploit a legitimate user‟s
account.

 · Misfeasor – a legitimate user who accesses data, programs, or resources
for which such access is not authorized, or who is authorized for such access but
misuse his or her privileges.

 · Clandestine user – an individual who seizes supervisory control of the
system and uses this control to evade auditing and access controls or to suppress
audit collection.

 The masquerader is likely to be an outsider; the misfeasor
generally is an insider; and the clandestine user can be either an
outsider or an insider.
 Intruder attacks range from the benign to the serious. At the
benign end of the scale, there are many people who simply wish to
explore internets and see what is out there. At the serious end are
individuals who are attempting to read privileged data, perform
unauthorized modifications to data, or disrupt the system. Benign
intruders might be tolerable, although they do consume resources
and may slow performance for legitimate users. However there is
no way in advance to know whether an intruder will be benign or
malign.
 An analysis of previous attack revealed that there were two levels of hackers:

 · The high levels were sophisticated users with a thorough knowledge of the technology.

 · The low levels were the „foot soldiers‟ who merely use the supplied cracking programs with little
understanding of how they work.


 one of the results of the growing awareness of the intruder

problem has been the establishment of a number of Computer
Emergency Response Teams (CERT). these co-operative
ventures collect information about system vulnerabilities and
disseminate it to systems managers. Unfortunately, hackers can
also gain access to CERT reports.

 In addition to running password cracking programs, the
intruders attempted to modify login software to enable them
to capture passwords of users logging onto the systems.
 The objective of the intruders is to gain access to a system or to
increase the range of privileges accessible on a system. Generally,
this requires the intruders to acquire information that should be
protected. In most cases, the information is in the form of a user
password.

 Typically, a system must maintain a file that associates a password
with each authorized user. If such a file is stored with no
protection, then it is an easy matter to gain access to it. The
password files can be protected in one of the two ways:

 One way encryption – the system stores only an
encrypted form of user‟s password. In practice, the system
usually performs a one way transformation (not reversible) in
which the password is used to generate a key for the
encryption function and in which a fixed length output is
produced.

 ·Access control – access to the password file is limited to

one or a very few accounts.
The following techniques are used for
learning passwords.
 Try default passwords used with standard accounts that are
shipped with the system. Many administrators do not bother to
change these defaults.

 · Exhaustively try all short passwords.

 · Try words in the system‟s online dictionary or a list of likely
passwords.

 · Collect information about users such as their full names, the
name of their spouse and children, pictures in their office and
books in their office that are related to hobbies.

 Try user‟s phone number, social security numbers and room
numbers.

 · Try all legitimate license plate numbers.

 · Use a torjan horse to bypass restriction on access.

 · Tap the line between a remote user and the host
system.
 Two principle countermeasures:

 Detection – concerned with learning of an attack, either
before or after its success.
 Prevention – challenging security goal and an uphill
bottle at all times.



INTRUSION DETECTION:
 Inevitably, the best intrusion prevention system will fail. A
system's second line of defense is intrusion detection, and this has
been the focus of much research in recent years. This interest is
motivated by a number of considerations, including the following:

 · If an intrusion is detected quickly enough, the intruder can
be identified and ejected from the system before any damage is
done or any data are compromised.

 · An effective intrusion detection system can serve as a
deterrent, so acting to prevent intrusions.

 Intrusion detection enables the collection of information
about intrusion techniques that can be used to strengthen the
intrusion prevention facility.

 Intrusion detection is based on the assumption that the
behavior of the intruder differs from that of a legitimate user
in ways that can be quantified.

 Figure 5.2.1 suggests, in very abstract terms, the nature of the
task confronting the designer of an intrusion detection system.
Although the typical behavior of an intruder differs from the
typical behavior of an authorized user, there is an overlap in these
behaviors. Thus, a loose interpretation of intruder behavior, which
will catch more intruders, will also lead to a number of "false
positives," or authorized users identified as intruders. On the
other hand, an attempt to limit false positives by a tight
interpretation of intruder behavior will lead to an increase in false
negatives, or intruders not identified as intruders.Thus, there is an
element of compromise and art in the practice of intrusion
detection.
1. The approaches to intrusion
detection:
 Statistical anomaly detection: Involves the collection of data
relating to the behavior of legitimate users over a period of time.
Then statistical tests are applied to observed behavior to
determine with a high level of confidence whether that behavior is
not legitimate user behavior.

 Threshold detection: This approach involves defining

thresholds, independent of user, for the frequency of occurrence
of various events.

 Profile based: A profile of the activity of each user is developed

and used to detect changes in the behavior of individual accounts.
 Rule-based detection: Involves an attempt to define a set
of rules that can be used to decide that a given behavior is
that of an intruder.
 Anomaly detection: Rules are developed to detect
deviation from previous usage patterns.

 Penetration identification: An expert system approach

that searches for suspicious behavior.
 In terms of the types of attackers listed earlier, statistical
anomaly detection is effective against masqueraders. On the
other hand, such techniques may be unable to deal with
misfeasors. For such attacks, rule-based approaches may be
able to recognize events and sequences that, in context,
reveal penetration. In practice, a system may exhibit a
combination of both approaches to be effective against a
broad range of attacks.
Audit Records
 A fundamental tool for intrusion detection is the audit
record. Some record of ongoing activity by users must be
maintained as input to an intrusion detection system.
Basically, two plans are used:

 Native audit records: Virtually all multiuser operating

systems include accounting software that collects information
on user activity. The advantage of using this information is
that no additional collection software is needed. The
disadvantage is that the native audit records
 may not contain the needed information or may not contain
it in a convenient form.
 Detection-specific audit records: A collection facility
can be implemented that generates audit records containing
only that information required by the intrusion detection
system. One advantage of such an approach is that it could be
made vendor independent and ported to a variety of systems.
The disadvantage is the extra overhead involved in having, in
effect, two accounting packages running on a machine.

 Each audit record contains the following fields:

 · Subject: Initiators of actions. A subject is typically a terminal user but
might also be a

 o process acting on behalf of users or groups of users.
 ·
 · Object: Receptors of actions. Examples include files, programs,
messages, records, terminals, printers, and user- or program-created structures

 · 7. Resource-Usage: A list of quantitative elements in which each
element gives the amount used of some resource (e.g., number of lines printed
or displayed, number of records read
 o or written, processor time, I/O units used, session elapsed time).
 8. Time-Stamp: Unique time-and-date stamp identifying when
the action took place. Most user operations are made up of a
number of elementary actions. For example, a file copy involves
the execution of the user command, which includes doing access
validation and setting up the copy, plus the read from one file, plus
the write to another file. Consider the command

 COPY GAME.EXE TO <Library>GAME.EXE

 issued by Smith to copy an executable file GAME from the current
directory to the <Library> directory. The following audit records
may be generated:
 In this case, the copy is aborted because Smith does not have write
permission to <Library>. The decomposition of a user operation
into elementary actions has three advantages:

 Because objects are the protectable entities in a system, the use of
elementary actions enables an audit of all behavior affecting an
object. Thus, the system can detect attempted subversions of
access

 Single-object, single-action audit records simplify the model and
the implementation.

 Because of the simple, uniform structure of the detection-
specific audit records, it may be relatively easy to obtain this
information or at least part of it by a straightforward
mapping from existing native audit records to the detection-
specific audit records.

1.1 Statistical Anomaly Detection:
 As was mentioned, statistical anomaly detection techniques
fall into two broad categories: threshold detection and
profile-based systems. Threshold detection
involves counting the number of occurrences of a specific
event type over an interval of time. If the count surpasses
what is considered a reasonable number that one might
expect to occur, then intrusion is assumed.
 Threshold analysis, by itself, is a crude and ineffective
detector of even moderately sophisticated attacks. Both the
threshold and the time interval must be determined.

 1.2 Profile-based anomaly detection focuses on
characterizing the past behavior of individual users or related
groups of users and then detecting significant deviations. A
profile may consist of a set of parameters, so that deviation
on just a single parameter may not be sufficient in itself to
signal an alert.

 The foundation of this approach is an analysis of audit
records. The audit records provide input to the intrusion
detection function in two ways. First, the designer must
decide on a number of quantitative metrics that can be used
to measure user behavior. Examples of metrics that are useful
for profile-based intrusion detection are the following:

 Counter: A nonnegative integer that may be incremented but
not decremented until it is reset by management action. Typically,
a count of certain event types is kept over a particular period of
time. Examples include the number of logins by a single user
during an hour, the number of times a given command is executed
during a single user session, and the number of password failures
during a minute.

 · Gauge: A nonnegative integer that may be incremented or
decremented. Typically, a gauge is used to measure the current
value of some entity. Examples include the number of logical
connections assigned to a user application and the number of
outgoing messages queued for a user process.

 Interval timer: The length of time between two related events.
An example is the length of time between successive logins to an
account.

 · Resource utilization: Quantity of resources consumed
during a specified period. Examples include the number of pages
printed during a user session and total time consumed by a
program execution.

 Given these general metrics, various tests can be performed to
determine whether current activity fits within acceptable limits.

 Given these general metrics, various tests can be performed
to determine whether current activity fits within acceptable
limits.

 · Mean and standard deviation
 · Multivariate
 · Markov process
 · Time series
 · Operational

 The simplest statistical test is to measure the mean and
standard deviation of a parameter over some historical
period. This gives a reflection of the average behavior and its
variability.

 A multivariate model is based on correlations between two
or more variables. Intruder behavior may be characterized
with greater confidence by considering such correlations (for
example, processor time and resource usage, or login
frequency and session elapsed time).
 A Markov process model is used to establish transition
probabilities among various states. As an example, this model
might be used to look at transitions between certain commands.

 A time series model focuses on time intervals, looking for
sequences of events that happen too rapidly or too slowly. A
variety of statistical tests can be applied to characterize abnormal
timing.

 Finally, an operational model is based on a judgment of what is
considered abnormal, rather than an automated analysis of past
audit records. Typically, fixed limits are defined and intrusion is
suspected for an observation that is outside the limits.
1.3 Rule-Based Intrusion Detection
 Rule-based techniques detect intrusion by observing events in the
system and applying a set of rules that lead to a decision regarding
whether a given pattern of activity is or is not suspicious.

 Rule-based anomaly detection is similar in terms of its
approach and strengths to statistical anomaly detection. With the
rule-based approach, historical audit records are analyzed to
identify usage patterns and to generate automatically rules that
describe those patterns. Rules may represent past behavior
patterns of users, programs, privileges, time slots, terminals, and
so on. Current behavior is then observed, and each transaction is
matched against the set of rules to determine if it conforms to any
historically observed pattern of behavior.
 As with statistical anomaly detection, rule-based anomaly
detection does not require knowledge of security
vulnerabilities within the system. Rather, the scheme is based
on observing past behavior and, in effect, assuming that the
future will be like the past
IP security (IPSec)
 The IP security (IPSec) is an Internet Engineering Task Force
(IETF) standard suite of protocols between 2 communication
points across the IP network that provide data authentication,
integrity, and confidentiality. It also defines the encrypted,
decrypted and authenticated packets. The protocols needed
for secure key exchange and key management are defined in
it.
Uses of IP Security –
 IPsec can be used to do the following things:

 To encrypt application layer data.

 To provide security for routers sending routing data across
the public internet.
 To provide authentication without encryption, like to
authenticate that the data originates from a known sender.
 To protect network data by setting up circuits using IPsec
tunneling in which all data is being sent between the two
endpoints is encrypted, as with a Virtual Private
Network(VPN) connection.
 Components of IP Security –
It has the following components:
 Encapsulating Security Payload (ESP) –
It provides data integrity, encryption, authentication and anti
replay. It also provides authentication for payload.
 Authentication Header (AH) –
It also provides data integrity, authentication and anti replay
and it does not provide encryption. The anti replay
protection, protects against unauthorized transmission of
packets. It does not protect data’s confidentiality.
 Internet Key Exchange (IKE) –
It is a network security protocol designed to dynamically
exchange encryption keys and find a way over Security
Association (SA) between 2 devices. The Security Association
(SA) establishes shared security attributes between 2 network
entities to support secure communication.
 The Key Management Protocol (ISAKMP) and Internet
Security Association which provides a framework for
authentication and key exchange. ISAKMP tells how the set
up of the Security Associations (SAs) and how direct
connections between two hosts that are using IPsec.Internet
Key Exchange (IKE) provides message content protection
and also an open frame for implementing standard algorithms
such as SHA and MD5. The algorithm’s IP sec users produces
a unique identifier for each packet. This identifier then allows
a device to determine whether a packet has been correct or
not. Packets which are not authorized are discarded and not
given to receiver.
Working of IP Security –
 The host checks if the packet should be
transmitted using IPsec or not. These packet
traffic triggers the security policy for themselves.
This is done when the system sending the packet
apply an appropriate encryption. The incoming
packets are also checked by the host that they are
encrypted properly or not.
 Then the IKE Phase 1 starts in which the 2 hosts(
using IPsec ) authenticate themselves to each
other to start a secure channel. It has 2 modes.
The Main mode which provides the greater
security and the Aggressive mode which enables
the host to establish an IPsec circuit more quickly.
 The channel created in the last step is then used
to securely negotiate the way the IP circuit will
encrypt data across the IP circuit.
 Now, the IKE Phase 2 is conducted over the
secure channel in which the two hosts negotiate
the type of cryptographic algorithms to use on
the session and agreeing on secret keying material
to be used with those algorithms.
 Then the data is exchanged across the newly
created IPsec encrypted tunnel. These packets are
encrypted and decrypted by the hosts using IPsec
SAs.
 When the communication between the
hosts is completed or the session times
out then the IPsec tunnel is terminated
by discarding the keys by both the
hosts.
IPSec Architecture
 IPSec (IP Security) architecture uses two protocols to secure
the traffic or data flow. These protocols are ESP
(Encapsulation Security Payload) and AH (Authentication
Header). IPSec Architecture include protocols, algorithms,
DOI, and Key Management. All these components are very
important in order to provide the three main services:

 Confidentiality
 Authentication
 Integirity
IP Security Architecture:
1. Architecture:
Architecture or IP Security Architecture covers the general
concepts, definitions, protocols, algorithms and security
requirements of IP Security technology.

2. ESP Protocol:
ESP(Encapsulation Security Payload) provide the confidentiality
service. Encapsulation Security Payload is implemented in
either two ways:
1. ESP with optional Authentication.
2. ESP with Authentication.
Packet Format:
 Security Parameter Index(SPI):
 This parameter is used in Security Association. It is used
to give a unique number to the connection build
between Client and Server.
 Number:
Sequence
 Unique Sequence number are allotted to every packet so that
at the receiver side packets can be arranged properly.
 Payload Data:
 Payload data means the actual data or the actual message. The
Payload data is in encrypted format to achieve confidentiality
 Padding:
 Extra bits or space added to the original message in order to
ensure confidentiality. Padding length is the size of the added
bits or space in the original message.
 Next Header:
 Next header means the next payload or next actual data.
 Authentication Data
 This field is optional in ESP protocol packet format.
 3. Encryption algorithm:
 Encryption algorithm is the document that describes various
encryption algorithm used for Encapsulation Security
Payload.
 4. AH Protocol:
AH (Authentication Header) Protocol provides both
Authentication and Integrity service. Authentication Header
is implemented in one way only: Authentication along with
Integrity.
 Authentication Header covers the packet format and general issue
related to the use of AH for packet authentication and integrity.

 5. Authentication Algorithm:
 Authentication Algorithm contains the set of the documents that
describe authentication algorithm used for AH and for the
authentication option of ESP.

 6. DOI (Domain of Interpretation):

 DOI is the identifier which support both AH and ESP protocols. It
contains values needed for documentation related to each other.
 7. Key Management:
 Key Management contains the document that describes how
the keys are exchanged between sender and receiver.

 Attention reader! Don’t stop learning now. Get hold of all

the important CS Theory concepts for SDE interviews with
the CS Theory Course at a student-friendly price and become
industry ready.


Difference between IPSec and SSL
 IPSec Protocol:
 It is an Internet Engineering Task Force standard suite of
protocols between two communication points. It can also be
defined as the encrypted, decrypted and authenticated
packets. It generally uses cryptographic security services to
protect communications. It can be seen that network-level
peer and data origin authentication, data integrity, data
encryption, and protection are supported by IPsec.
 For Example, IPSec can be used in between two routers in
order to create a site-to-site VPN and between a firewall and
windows host for a remote access VPN.
 SSL:
 It is a networking protocol that is used at the transport layer
to provide a secure connection between the client and the
server over the internet. It is a transparent protocol that
requires little interaction from the end-user when
establishing a secure session. SSL Tunneling involves a client
that requires an SSL connection to a backend service or
secure server via a proxy server.
 For Example, For securing the communication between a
web browser and a web server, he SSL is used.
IPSec SSL

Internet protocol security (IPsec) is a set of protocols that provide security for Internet
SSL is a secure protocol developed for sending information s
Protocol.

It Work in Internet Layer of the OSI model. It Work in Between the transport layer and application layer
Layer (SSL) and Transport Layer
Security (TLS)

S.NO SSL TLS

TLS stands
SSL stands
for Transport
1. for Secure
Layer
Socket Layer.
Security.
TLS
SSL (Secure (Transport
Socket Layer
 In
TLS(Transport
In SSL( Secure
Layer
Socket Layer),
Security),
Message
5. Hashed
Authentication
Message
Code protocol
Authentication
is used.
Code protocol
is used.

SSL (Secure
Socket Layer)
TLS (Transport
Secure Socket Layer (SSL)

 Secure Socket Layer (SSL) provides security to the data

that is transferred between web browser and server. SSL
encrypts the link between a web server and a browser which
ensures that all data passed between them remain private and
free from attack.
 Secure Socket Layer Protocols:

• SSL record protocol

• Handshake protocol
• Change-cipher spec protocol
• Alert protocol
SSL Protocol Stack:
SSL Record Protocol:
 SSL Record provides two services to SSL connection.
1. Confidentiality
2. Message Integrity
In the SSL Record Protocol application data is divided into
fragments. The fragment is compressed and then encrypted
MAC (Message Authentication Code) generated by algorithms
like SHA (Secure Hash Protocol) and MD5 (Message Digest) is
appended. After that encryption of the data is done and in last
SSL header is appended to the data.
Handshake Protocol:
 Handshake Protocol is used to establish sessions. This protocol
allows the client and server to authenticate each other by sending
a series of messages to each other. Handshake protocol uses four
phases to complete its cycle.

 Phase-1: In Phase-1 both Client and Server send hello-packets to

each other. In this IP session, cipher suite and protocol version are
exchanged for security purposes.
 Phase-2: Server sends his certificate and Server-key-exchange. The
server end phase-2 by sending the Server-hello-end packet.
 Phase-3: In this phase Client reply to the server by sending his
certificate and Client-exchange-key.
 Phase-4: In Phase-4 Change-cipher suite occurred and after this
Handshake Protocol ends.
 Change-cipher Protocol:

 This protocol uses the SSL record protocol. Unless

Handshake Protocol is completed, the SSL record Output
will be in a pending state. After handshake protocol, the
Pending state is converted into the current state.
 Change-cipher protocol consists of a single message which is
1 byte in length and can have only one value. This protocol’s
purpose is to cause the pending state to be copied into the
current state.
Alert Protocol:
 The level is further classified into two parts:


 Warning:
 This Alert has no impact on the connection between sender
and receiver.

 Fatal Error:
 This Alert breaks the connection between sender and
receiver.
Silent Features of Secure Socket Layer:
 The advantage of this approach is that the service can be
tailored to the specific needs of the given application.
 Secure Socket Layer was originated by Netscape.
 SSL is designed to make use of TCP to provide reliable end-
to-end secure service.
 This is a two-layered protocol.
Transport Layer Security (TLS)
 Transport Layer Securities (TLS) are designed to provide
security at the transport layer. TLS was derived from a
security protocol called Secure Service Layer (SSL). TLS
ensures that no third party may eavesdrops or tampers with
any message.
There are several benefits of TLS:

 Encryption:
 TLS/SSL can help to secure transmitted data using
encryption.
 Interoperability:
 TLS/SSL works with most web browsers, including
Microsoft Internet Explorer and on most operating systems
and web servers.
 Algorithm flexibility:
 TLS/SSL provides operations for authentication mechanism,
encryption algorithms and hashing algorithm that are used
during the secure session.
 Ease of Deployment:
 Many applications TLS/SSL temporarily on a windows server
2003 operating systems.
 Ease of Use:
 Because we implement TLS/SSL beneath the application
layer, most of its operations are completely invisible to client.
Working of TLS:
 The client connect to server (using TCP), the client will be
something. The client sends number of specification:

1. Version of SSL/TLS.
2. which cipher suites, compression method it wants to use.
 The server checks what the highest SSL/TLS version is that is
supported by them both, picks a cipher suite from one of the
clients option (if it supports one) and optionally picks a
compression method. After this the basic setup is done, the
server provides its certificate. This certificate must be trusted
either by the client itself or a party that the client trusts.
Having verified the certificate and being certain this server
really is who he claims to be (and not a man in the middle), a
key is exchanged. This can be a public key, “PreMasterSecret”
or simply nothing depending upon cipher suite.
 Both the server and client can now compute the key for
symmetric encryption. The handshake is finished and the two
hosts can communicate securely. To close a connection by
finishing. TCP connection both sides will know the
connection was improperly terminated. The connection
cannot be compromised by this through, merely interrupted.
Secure Electronic Transaction (SET)
Protocol
 Secure Electronic Transaction or SET is a system that ensures
the security and integrity of electronic transactions done
using credit cards in a scenario. SET is not some system that
enables payment but it is a security protocol applied to those
payments. It uses different encryption and hashing techniques
to secure payments over the internet done through credit
cards. The SET protocol was supported in development by
major organizations like Visa, Mastercard, Microsoft which
provided its Secure Transaction Technology (STT), and
Netscape which provided the technology of Secure Socket
Layer (SSL).
 SET protocol restricts the revealing of credit card details to
merchants thus keeping hackers and thieves at bay. The SET
protocol includes Certification Authorities for making use of
standard Digital Certificates like X.509 Certificate.

 Before discussing SET further, let’s see a general scenario of

electronic transactions, which includes client, payment
gateway, client financial institution, merchant, and merchant
financial institution.

 Requirements in SET :
 The SET protocol has some requirements to meet, some of the iIt
has to provide mutual authentication i.e., customer (or
cardholder) authentication by confirming if the customer is an
intended user or not, and merchant authentication.
 It has to keep the PI (Payment Information) and OI (Order
Information) confidential by appropriate encryptions.mportant
requirements are :
 It has to be resistive against message modifications i.e., no changes
should be allowed in the content being transmitted.
 SET also needs to provide interoperability and make use of the
best security mechanisms.
 Participants in SET :
 In the general scenario of online transactions, SET includes
similar participants:
 Cardholder – customer
 Issuer – customer financial institution
 Merchant
 Acquirer – Merchant financial
 Certificate authority – Authority that follows certain
standards and issues certificates(like X.509V3) to all other
participants.
 SET functionalities :
 Provide Authentication
 Merchant Authentication – To prevent theft, SET allows
customers to check previous relationships between
merchants and financial institutions. Standard X.509V3
certificates are used for this verification.
 Customer / Cardholder Authentication – SET checks if the
use of a credit card is done by an authorized user or not using
X.509V3 certificates.
 Provide Message Confidentiality: Confidentiality refers to
preventing unintended people from reading the message
being transferred. SET implements confidentiality by using
encryption techniques. Traditionally DES is used for
encryption purposes.
 Provide Message Integrity: SET doesn’t allow message
modification with the help of signatures. Messages are
protected against unauthorized modification using RSA
digital signatures with SHA-1 and some using HMAC with
SHA-1,
Dual Signature :
 The dual signature is a concept introduced with SET, which
aims at connecting two information pieces meant for two
different receivers :
 Order Information (OI) for merchant
 Payment Information (PI) for bank

 You might think sending them separately is an easy and more

secure way, but sending them in a connected form resolves
any future dispute possible. Here is the generation of dual
signature:
 Where,

 PI stands for payment information

 OI stands for order information
 PIMD stands for Payment Information Message Digest
 OIMD stands for Order Information Message Digest
 POMD stands for Payment Order Message Digest
 H stands for Hashing
 E stands for public key encryption
 KPc is customer's private key
 || stands for append operation
 Dual signature, DS= E(KPc, [H(H(PI)||H(OI))])
 Purchase Request Generation :

 The process of purchase request generation requires three

inputs:

 Payment Information (PI)

 Dual Signature
 Order Information Message Digest (OIMD)
 The purchase request is generated as follows:
 Here,
 PI, OIMD, OI all have the same meanings as before.
 The new things are :
 EP which is symmetric key encryption
 Ks is a temporary symmetric key
 KUbank is public key of bank
 CA is Cardholder or customer Certificate
 Digital Envelope = E(KUbank, Ks)
 Purchase Request Validation on Merchant Side :
 The Merchant verifies by comparing POMD generated
through PIMD hashing with POMD generated through
decryption of Dual Signature as follows:
the public key of the customer or
cardholder for decryption ‘D’.
Payment Authorization and Payment
Capture :
Payment authorization as the name suggests is the authorization
of payment information by the merchant which ensures
payment will be received by the merchant. Payment capture
is the process by which a merchant receives payment which
includes again generating some request blocks to gateway and
payment gateway in turn issues payment to the merchant.
Intrusion Detection System (IDS)
 An Intrusion Detection System (IDS) is a system that
monitors network traffic for suspicious activity and issues
alerts when such activity is discovered. It is a software
application that scans a network or a system for harmful
activity or policy breaching. Any malicious venture or
violation is normally reported either to an administrator or
collected centrally using a security information and event
management (SIEM) system. A SIEM system integrates
outputs from multiple sources and uses alarm filtering
techniques to differentiate malicious activity from false
alarms.
 Although intrusion detection systems monitor networks for
potentially malicious activity, they are also disposed to false
alarms. Hence, organizations need to fine-tune their IDS
products when they first install them. It means properly
setting up the intrusion detection systems to recognize what
normal traffic on the network looks like as compared to
malicious activity.
 Intrusion prevention systems also monitor network packets
inbound the system to check the malicious activities involved
in it and at once sends the warning notifications.
Classification of Intrusion Detection
System:
IDS are classified into 5 types:

1. Network Intrusion Detection System (NIDS):

Network intrusion detection systems (NIDS) are set up at a planned
point within the network to examine traffic from all devices on the
network. It performs an observation of passing traffic on the entire
subnet and matches the traffic that is passed on the subnets to the
collection of known attacks. Once an attack is identified or abnormal
behavior is observed, the alert can be sent to the administrator. An
example of an NIDS is installing it on the subnet where firewalls are
located in order to see if someone is trying crack the firewall.
2.Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on independent
hosts or devices on the network. A HIDS monitors the
incoming and outgoing packets from the device only and will
alert the administrator if suspicious or malicious activity is
detected. It takes a snapshot of existing system files and
compares it with the previous snapshot. If the analytical system
files were edited or deleted, an alert is sent to the administrator
to investigate. An example of HIDS usage can be seen on
mission critical machines, which are not expected to change
their layout.
3.Protocol-based Intrusion Detection System (PIDS):
Protocol-based intrusion detection system (PIDS) comprises of
a system or agent that would consistently resides at the front
end of a server, controlling and interpreting the protocol
between a user/device and the server. It is trying to secure the
web server by regularly monitoring the HTTPS protocol
stream and accept the related HTTP protocol. As HTTPS is un-
encrypted and before instantly entering its web presentation
layer then this system would need to reside in this interface,
between to use the HTTPS.
 Application Protocol-based Intrusion Detection
System (APIDS):
Application Protocol-based Intrusion Detection System
(APIDS) is a system or agent that generally resides within a
group of servers. It identifies the intrusions by monitoring
and interpreting the communication on application specific
protocols. For example, this would monitor the SQL
protocol explicit to the middleware as it transacts with the
database in the web server.
 Hybrid Intrusion Detection System :
Hybrid intrusion detection system is made by the
combination of two or more approaches of the intrusion
detection system. In the hybrid intrusion detection system,
host agent or system data is combined with network
information to develop a complete view of the network
system. Hybrid intrusion detection system is more effective
in comparison to the other intrusion detection system.
Prelude is an example of Hybrid IDS.
Detection Method of IDS:

1.
Signature-based Method:
Signature-based IDS detects the attacks on the basis of the
specific patterns such as number of bytes or number of 1’s
or number of 0’s in the network traffic. It also detects on
the basis of the already known malicious instruction
sequence that is used by the malware. The detected
patterns in the IDS are known as signatures.Signature-
based IDS can easily detect the attacks whose pattern
(signature) already exists in system but it is quite difficult
to detect the new malware attacks as their pattern
(signature) is not known.
2.Anomaly-based Method:
Anomaly-based IDS was introduced to detect the unknown
malware attacks as new malware are developed rapidly. In
anomaly-based IDS there is use of machine learning to
create a trustful activity model and anything coming is
compared with that model and it is declared suspicious if it
is not found in model. Machine learning based method has
a better generalized property in comparison to signature-
based IDS as these models can be trained according to the
applications and hardware configurations.
 Comparison of IDS with Firewalls:
IDS and firewall both are related to the network security but
an IDS differs from a firewall as a firewall looks outwardly
for intrusions in order to stop them from happening.
Firewalls restrict access between networks to prevent
intrusion and if an attack is from inside the network it don’t
signal. An IDS describes a suspected intrusion once it has
happened and then signals an alarm.

Malwares – Malicious Software

 Malware is a software that gets into the system without

user consent with an intention to steal private and
confidential data of the user that includes bank details and
password. They also generates annoying pop up ads and
makes changes in system settings
They get into the system through various means:
 Along with free downloads.
 Clicking on suspicious link.
 Opening mails from malicious source.
 Visiting malicious websites.
 Not installing an updated version of antivirus in the system.
 Types:
 Virus
 Worm
 Logic Bomb
 Trojan/Backdoor
 Rootkit
 Advanced Persistent Threat
 Spyware and Adware
 What is computer virus:
Computer virus refers to a program which damages
computer systems and/or destroys or erases data files. A
computer virus is a malicious program that self-replicates by
copying itself to another program. In other words, the
computer virus spreads by itself into other executable code
or documents. The purpose of creating a computer virus is to
infect vulnerable systems, gain admin control and steal user
sensitive data. Hackers design computer viruses with
malicious intent and prey on online users by tricking them.
 Symptoms:
 Letter looks like they are falling to the bottom of the screen.
 The computer system becomes slow.
 The size of available free memory reduces.
 The hard disk runs out of space.
 The computer does not boot.
Types of Computer Virus:
These are explained as following below.

1.Parasitic –
These are the executable (.COM or .EXE execution starts at
first instruction). Propagated by attaching itself to particular
file or program. Generally resides at the start (prepending)
or at the end (appending) of a file, e.g. Jerusalem.Boot
2.Sector –
Spread with infected floppy or pen drives used to boot the
computers. During system boot, boot sector virus is loaded
into main memory and destroys data stored in hard disk, e.g.
Polyboot, Disk killer, Stone, AntiEXE.
3.Polymorphic –
Changes itself with each infection and creates multiple
copies. Multipartite: use more than one propagation method.
>Difficult for antivirus to detect, e.g. Involutionary, Cascade,
Evil, Virus 101., Stimulate.Three major parts: Encrypted
virus body, Decryption routine varies from infection to
infection, and Mutation engine.
4.Memory Resident –
Installs code in the computer memory. Gets activated for OS
run and damages all files opened at that time, e.g. Randex,
CMJ, Meve.
4.Stealth –
Hides its path after infection. It modifies itself hence difficult to
detect and masks the size of infected file, e.g. Frodo, Joshi, Whale.
5.Macro –
Associated with application software like word and excel. When
opening the infected document, macro virus is loaded into main
memory and destroys the data stored in hard disk. As attached
with documents; spreads with those infected documents only, e.g.
DMV, Melissa, A, Relax, Nuclear, Word Concept.

 Hybrids –
Features of various viruses are combined, e.g. Happy99
(Email virus).
 Worm:
A worm is a destructive program that fills a computer system with self-
replicating information, clogging the system so that its operations are
slowed down or stopped.
 Types of Worm:
 Email worm – Attaching to fake email messages.
 Instant messaging worm – Via instant messaging applications using
loopholes in network.
 Internet worm – Scans systems using OS services.
 Internet Relay Chat (IRC) worm – Transfers infected files to web
sites.
 Payloads – Delete or encrypt file, install backdoor, creating zombie
etc.
 Worms with good intent – Downloads application patches.
 Logical Bomb:
A logical bomb is a destructive program that performs an
activity when a certain action has occurred. These are hidden
in programming code. Executes only when a specific
condition is met, e.g. Jerusalem.
 Script Virus:
Commonly found script viruses are written using the Visual
Basic Scripting Edition (VBS) and the JavaScript
programming language.
 Trojan / Backdoor:
Trojan Horse is a destructive program. It usually pretends as
computer games or application software. If executed, the
computer system will be damaged. Trojan Horse usually
comes with monitoring tools and key loggers. These are
active only when specific events are alive. These are hidden
with packers, crypters and wrappers.< Hence, difficult to
detect through antivirus. These can use manual removal or
firewall precaution.
 RootKits:
Collection of tools that allow an attacker to take control of a system.
 Can be used to hide evidence of an attacker’s presence and give them
backdoor access.
 Can contain log cleaners to remove traces of attacker.
 Can be divided as:
– Application or file rootkits: replaces binaries in Linux system
– Kernel: targets kernel of OS and is known as a loadable kernel module
(LKM)
 Gains control of infected m/c by:
– DLL injection: by injecting malicious DLL (dynamic link library)
– Direct kernel object manipulation: modify kernel structures and
directly target trusted part of OS
– Hooking: changing applicant’s execution flow
 Advanced Persistent Threat:
Created by well funded, organized groups, nation-state
actors, etc. Desire to compromise government and
commercial entities, e.g. Flame: used for reconnaissance and
information gathering of system.
 Spyware and Adware:
Normally gets installed along with free software downloads.
Spies on the end-user, attempts to redirect the user to
specific sites. Main tasks: Behavioral surveillance and
advertising with pop up ads Slows down the system.
 Malware and its types
 Malware is a program designed to gain access to computer
systems, normally for the benefit of some third party,
without the user’s permission. Malware includes computer
viruses, worms, Trojan horses, ransomware, spyware and
other malicious programs.
 Types of Malware:
 Viruses –
A Virus is a malicious executable code attached to another
executable file. The virus spreads when an infected file is
passed from system to system. Viruses can be harmless or
they can modify or delete data. Opening a file can trigger a
virus. Once a program virus is active, it will infect other
programs on the computer.
 Worms –
Worms replicate themselves on the system, attaching
themselves to different files and looking for pathways
between computers, such as computer network that shares
common file storage areas. Worms usually slow down
networks. A virus needs a host program to run but worms
can run by themselves. After a worm affects a host, it is able
to spread very quickly over the network.

 Spyware –
Its purpose is to steal private information from a computer system for a
third party. Spyware collects information and sends it to the hacker.

 Trojan horse –
A Trojan horse is malware that carries out malicious operations under
the appearance of a desired operation such as playing an online game. A
Trojan horse varies from a virus because the Trojan binds itself to non-
executable files, such as image files, audio files.
 Logic Bombs –
A logic bomb is a malicious program that uses a trigger to
activate the malicious code. The logic bomb remains non-
functioning until that trigger event happens. Once triggered,
a logic bomb implements a malicious code that causes harm
to a computer. Cybersecurity specialists recently discovered
logic bombs that attack and destroy the hardware
components in a workstation or server including the cooling
fans, hard drives, and power supplies. The logic bomb
overdrives these devices until they overheat or fail.

 Ransomware –
Ransomware grasps a computer system or the data it
contains until the victim makes a payment. Ransomware
encrypts data in the computer with a key which is unknown
to the user. The user has to pay a ransom (price) to the
criminals to retrieve data. Once the amount is paid the
victim can resume using his/her system.

 Backdoors –
A backdoor bypasses the usual authentication used to access a
system. The purpose of the backdoor is to grant the cyber
criminals future access to the system even if the organization
fixes the original vulnerability used to attack the system.

 Rootkits –
A rootkit modifies the OS to make a backdoor. Attackers
then use the backdoor to access the computer distantly. Most
rootkits take advantage of software vulnerabilities to modify
system files.

 Keyloggers –
Keylogger records everything the user types on his/her
computer system to obtain passwords and other sensitive
information and send them to the source of the keylogging
program.
Virus Countermeasures

 best countermeasure is prevention

 but in general not possible
 hence need to do one or more of:
–detection-of viruses in infected system
–identification-of specific infecting virus
–removal-restoring system to clean state
 Behavior‐Blocking Software
 •integrated with host O/S
 •monitors program behaviour in real‐time eg file access, disk
format, executable mods, system settings changes, network access

 •for possibly malicious actionsif detected can block, terminate,

or seek ok

 •has advantage over scanners

 •but malicious code runs before detection
Distributed Denial of Service Attacks (DDoS)

•Distributed Denial of Service (DDoS) attacks form a

significant security threat
•making networked systems unavailable
•by flooding with useless traffic
•using large numbers of “zombies”
•growing sophistication of attacks
•defense technologies struggling to cope
Distributed Denial of Service Attacks
(DDoS)
Contructing the DDoS Attack Network

 must infect large number of zombies

 •needs:
 1.software to implement the DDoS attack
 2.an unpatched vulnerability on many systems
 3.scanning strategy to find vulnerable systemsrandom, hit‐list,
topological, local subnet
DDoS Countermeasures

 three broad lines of defense:attack prevention & preemption

(before)
 attack detection & filtering (during)
 attack source traceback & ident (after)

 •huge range of attack possibilities

 •hence evolving countermeasures
 Summary
 •have considered:various malicious programs
 trapdoor, logic bomb, trojan horse, zombie
 viruses
 worms
 countermeasures
 distributed denial of service attacks
Firewalls
 Firewall defined:
 A firewall is a security device — computer hardware or software
— that can help protect your network by filtering traffic and
blocking outsiders from gaining unauthorized access to the private
data on your computer.
 Not only does a firewall block unwanted traffic, it can also help
block malicious software from infecting your computer.
 Firewalls can provide different levels of protection. The key
is determining how much protection you need.
 The topics below can help you learn what firewalls do and
determine the level of protection that will help keep your
computer and the data on it safe and secure.
What does a firewall do?

 A firewall acts as a gatekeeper. It monitors attempts to gain access

to your operating system and blocks unwanted traffic or
unrecognized sources.
 How does it do this? A firewall acts as a barrier or filter between
your computer and another network such as the internet.You
could think of a firewall as a traffic controller. It helps to protect
your network and information by managing your network traffic.
This includes blocking unsolicited incoming network traffic and
validating access by assessing network traffic for anything
malicious like hackers and malware.
 Your operating system and your security software usually come
with a pre-installed firewall. It’s a good idea to make sure those
features are turned on. Also, check your security settings to be
sure they are configured to run updates automatically.
 How does a firewall work?
 To start, a firewalled system analyzes network traffic based
on rules. A firewall only welcomes those incoming
connections that it has been configured to accept. It does this
by allowing or blocking specific data packets — units of
communication you send over digital networks — based on
pre-established security rules.
 A firewall works like a traffic guard at your computer’s entry
point, or port. Only trusted sources, or IP addresses, are
allowed in. IP addresses are important because they identify
a computer or source, just like your postal address identifies
where you live.
 Types of firewalls
 There are software and hardware firewalls. Each format serves a
different but important purpose. A hardware firewall is physical,
like a broadband router — stored between your network and
gateway. A software firewall is internal — a program on your
computer that works through port numbers and applications.
 There also are cloud-based firewalls, known as Firewall as a
Service (FaaS). One benefit of cloud-based firewalls is that they
can grow with your organization and, similar to hardware
firewalls, do well with perimeter security.
 There are several different types of firewalls based on their
structure and functionality. Here are the various firewalls you can
implement, depending on the size of your network and the level of
security you need.
 Packet-filtering firewalls
 A packet-filtering firewall is a management program that can
block network traffic IP protocol, an IP address, and a port
number. This type of firewall is the most basic form of
protection and is meant for smaller networks.
 But beware. While packet-filtering firewalls can be helpful,
they also have limitations. Because all web traffic is allowed, a
packet-filtering firewall doesn’t block web-based attacks. So,
you need additional protection to distinguish between
friendly and malicious web traffic.
 Proxy service firewalls
 The proxy service firewall is a system that can help protect
your network security by filtering messages at the application
layer. It essentially serves as a gateway or middle man
between your internal network and outside servers on the
web. Also known as a gateway firewall, it is more secure in its
use of stateful and deep packet inspection technology to
analyze incoming traffic.
 Stateful multi-layer inspection (SMLI) firewalls
 The stateful multi-layer inspection firewall has standard
firewall capabilities and keeps track of established connections. It
filters traffic based on state, port, and protocol, along with
administrator-defined rules and context. This involves using data
from prior connections and packets from the same connection.
 Most firewalls rely on stateful packet inspection to keep track of
all internal traffic. This firewall is a step above packet-filtering in
its use of multi-layer monitoring.
 However, it is still unable to distinguish between good and bad
web traffic, so you may need additional software.
 Unified threat management (UTM) firewalls
 A unified threat management firewall is a program that
combines the functions of the SMLI firewall with intrusion
prevention and antivirus.Additional services like cloud
management may be included under the UTM umbrella of
services.
 Next-generation firewalls (NGFW)
 Next-generation firewalls are more sophisticated than
packet-filtering and stateful inspection firewalls. Why? They
have more levels of security, going beyond standard packet-
filtering to inspect a packet in its entirety.That means
inspecting not just the packet header, but also a packet’s
contents and source. NGFW are able to block more
sophisticated and evolving security threats like advanced
malware.
 Network address translation (NAT) firewalls
 A NAT firewall is able to assess internet traffic and block
unsolicited communications. In other words, it only accepts
inbound web traffic if a device on your private network
solicited it.
Virtual firewalls

 A virtual firewall is an appliance used in a cloud-based

system, both private and public. This type of firewall is used
to assess and manage internet traffic over both physical and
virtual networks.
Host-based firewalls versus network-based firewalls

 There are differences between host-based and network-based

firewalls, along with benefits of having both in place.
 Network firewalls filter traffic going to and from the internet to secured
local area networks (LAN). They typically are used by businesses that
need to protect a large network of computers, servers, and employees.
A network-based firewall is able to monitor communications between a
company’s computers and outside sources, as well as restrict certain
websites, IP addresses, or other services.
 Host-based firewalls work similarly but are stored locally on a
single computer or device. A host-based firewall is a software application
or a suite of applications that allows for more customization. They are
installed on each server, control incoming and outgoing traffic, decide
whether to allow traffic to individual devices, and protect the host.