NETWORK SECURITY MODULE 4


Network Security 21EC742

NETWORK SECURITY

Module 4: CHAPTER 1 - INTRUDERS


Module 4: Intruders, Intrusion Detection, Malicious software: Viruses and related Threats, Virus Countermeasures

Text Book:
1. Cryptography and Network Security. William Stallings, Pearson Education, 2003

One of the two most publicized threats to security is the intruder (the other is viruses), often referred to as a hacker or cracker. In an important early study of intrusion, Anderson [ANDE80] identified three classes of intruders:
● Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account
● Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges
● Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection
The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the
clandestine user can be either an outsider or an insider.
Intruder attacks range from the benign to the serious. At the benign end of the scale, there are
many people who simply wish to explore internets and see what is out there. At the serious end are
individuals who are attempting to read privileged data, perform unauthorized modifications to data, or
disrupt the system.
The following are examples of intrusion:
● Performing a remote root compromise of an e-mail server
● Defacing a Web server
● Guessing and cracking passwords
● Copying a database containing credit card numbers
● Viewing sensitive data, including payroll records and medical information, without authorization
● Running a packet sniffer on a workstation to capture usernames and passwords
● Using a permission error on an anonymous FTP server to distribute pirated software and music files
● Dialling into an unsecured modem and gaining internal network access
● Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
● Using an unattended, logged-in workstation without permission
Intruder Behaviour Patterns

The techniques and behaviour patterns of intruders are constantly shifting, to exploit newly discovered weaknesses and to evade detection and countermeasures. Even so, intruders typically follow one of a number of recognizable behaviour patterns, and these patterns typically differ from those of ordinary users. In the following, we look at three broad examples of intruder behaviour patterns, to give the reader some feel for the challenge facing the security administrator.

HACKERS Traditionally, those who hack into computers do so for the thrill of it or for status. The hacking community is a strong meritocracy in which status is determined by level of competence. Thus, attackers often look for targets of opportunity and then share the information with others. A typical example is a break-in at a large financial institution reported in [RADC04]. The intruder took advantage of the fact that the corporate network was running unprotected services, some of which were not even needed. In this case, the key to the break-in was the pcAnywhere application. The manufacturer, Symantec, advertises this program as a remote control solution that enables secure connection to remote devices. But the attacker had an easy time gaining access to pcAnywhere; the administrator used the same three-letter username and password for the program. In this case, there was no intrusion detection system on the 700-node corporate network. The intruder was only discovered when a vice president walked into her office and saw the cursor moving files around on her Windows workstation.

Some Examples of Intruder Patterns of Behaviour
(a) Hacker
● Select the target using IP lookup tools such as NSLookup, Dig, and others.
● Map network for accessible services using tools such as NMAP.
● Identify potentially vulnerable services (in this case, pcAnywhere).
● Brute force (guess) pcAnywhere password.
● Install remote administration tool called DameWare.
● Wait for administrator to log on and capture his password.
● Use that password to access remainder of network.
(b) Criminal Enterprise
● Act quickly and precisely to make their activities harder to detect.
● Exploit perimeter through vulnerable ports.
● Use Trojan horses (hidden software) to leave back doors for re-entry.
● Use sniffers to capture passwords.
● Do not stick around until noticed.
● Make few or no mistakes.
(c) Internal Threat
● Create network accounts for themselves and their friends.
● Access accounts and applications they wouldn’t normally use for their daily jobs.
● E-mail former and prospective employers.
● Conduct furtive instant-messaging chats.
● Visit Web sites that cater to disgruntled employees, such as f’dcompany.com.
● Perform large downloads and file copying.
● Access the network during off hours.

Benign intruders might be tolerable, although they do consume resources and may slow performance for legitimate users. However, there is no way in advance to know whether an intruder will be benign or malign. Consequently, even for systems with no particularly sensitive resources, there is a motivation to control this problem.

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to counter this type of hacker threat. In addition to using such systems, organizations can consider restricting remote logons to specific IP addresses and/or use virtual private network technology.

One of the results of the growing awareness of the intruder problem has been the establishment of a number of computer emergency response teams (CERTs). These cooperative ventures collect information about system vulnerabilities and disseminate it to systems managers. Hackers also routinely read CERT reports. Thus, it is important for system administrators to quickly insert all software patches to discovered vulnerabilities. Unfortunately, given the complexity of many IT systems, and the rate at which patches are released, this is increasingly difficult to achieve without automated updating. Even then, there are problems caused by incompatibilities resulting from the updated software. Hence the need for multiple layers of defence in managing security threats to IT systems.

CRIMINALS Organized groups of hackers have become a widespread and common threat to Internet-based systems. These groups can be in the employ of a corporation or government but often are loosely affiliated gangs of hackers. Typically, these gangs are young, often Eastern European, Russian, or southeast Asian hackers who do business on the Web. They meet in underground forums with names like DarkMarket.org and theftservices.com to trade tips and data and coordinate attacks. A common target is a credit card file at an e-commerce server. Attackers attempt to gain root access. The card numbers are used by organized crime gangs to purchase expensive items and are then posted to carder
sites, where others can access and use the account numbers; this obscures usage patterns and complicates investigation.

Whereas traditional hackers look for targets of opportunity, criminal hackers usually have specific targets or at least classes of targets in mind. Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting.

IDSs and IPSs can also be used for these types of attackers, but may be less effective because of the quick in-and-out nature of the attack. For e-commerce sites, database encryption should be used for sensitive customer information, especially credit cards. For hosted e-commerce sites (provided by an outsider service), the e-commerce organization should make use of a dedicated server (not used to support multiple customers) and closely monitor the provider’s security services.

INSIDER ATTACKS Insider attacks are among the most difficult to detect and prevent. Employees already have access and knowledge about the structure and content of corporate databases. Insider attacks can be motivated by revenge or simply a feeling of entitlement. An example of the former is the case of Kenneth Patterson, fired from his position as data communications manager for American Eagle Outfitters. Patterson disabled the company’s ability to process credit card purchases during five days of the holiday season of 2002. As for a sense of entitlement, there have always been many employees who felt entitled to take extra office supplies for home use, but this now extends to corporate data. An example is that of a vice president of sales for a stock analysis firm who quit, going to a competitor. Before she left, she copied the customer database to take with her. The offender reported feeling no animus toward her former employer; she simply wanted the data because it would be useful to her.

Although IDS and IPS facilities can be useful in countering insider attacks, other more direct approaches are of higher priority. Examples include the following:
● Enforce least privilege, only allowing access to the resources employees need to do their job.
● Set logs to see what users access and what commands they are entering.
● Protect sensitive resources with strong authentication.
● Upon termination, delete employee’s computer and network access.
● Upon termination, make a mirror image of employee’s hard drive before reissuing it. That evidence might be needed if your company information turns up at a competitor.

Intrusion Techniques

The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a back door into the system. Alternatively, the intruder attempts to acquire information that should have been protected. In some cases, this information is in the form of a user password. With knowledge of some other user’s password, an intruder can log in to a system and exercise all the privileges accorded to the legitimate user.

Typically, a system must maintain a file that associates a password with each authorized user. If such a file is stored with no protection, then it is an easy matter to gain access to it and learn passwords. The password file can be protected in one of two ways:
● One-way function: The system stores only the value of a function based on the user’s password. When the user presents a password, the system transforms that password and compares it with the stored value. In practice, the system usually performs a one-way transformation (not reversible) in which the password is used to generate a key for the one-way function and in which a fixed-length output is produced.
● Access control: Access to the password file is limited to one or a very few accounts.

If one or both of these countermeasures are in place, some effort is needed for a potential intruder to learn passwords. A survey of the literature and interviews with a number of password crackers identified the following techniques for learning passwords:
● Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults.
● Exhaustively try all short passwords (those of one to three characters).
● Try words in the system’s online dictionary or a list of likely passwords. Examples of the latter are readily available on hacker bulletin boards.
● Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that are related to hobbies.
● Try users’ phone numbers, Social Security numbers, and room numbers.
● Try all legitimate license plate numbers for this state.
● Use a Trojan to bypass restrictions on access.
● Tap the line between a remote user and the host system.

Intrusion Detection

Inevitably, the best intrusion prevention system will fail. A system’s second line of defence is intrusion detection, and this has been the focus of much research in recent years. This interest is motivated by a number of considerations, including the following:
● If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to pre-empt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved.
● An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.
● Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

Intrusion detection is based on the assumption that the behaviour of the intruder differs from that of
a legitimate user in ways that can be quantified. Of course, we cannot expect that there will be a crisp,
exact distinction between an attack by an intruder and the normal use of resources by an authorized user.
Rather, we must expect that there will be some overlap.
Figure 4.1 suggests, in very abstract terms, the nature of the task confronting the designer of an intrusion detection system. Although the typical behaviour of an intruder differs from the typical behaviour of an authorized user, there is an overlap in these behaviours. Thus, a loose interpretation of intruder behaviour, which will catch more intruders, will also lead to a number of "false positives," or authorized users identified as intruders. On the other hand, an attempt to limit false positives by a tight interpretation of intruder behaviour will lead to an increase in false negatives, or intruders not identified as intruders. Thus, there is an element of compromise and art in the practice of intrusion detection.

Figure 4.1: Profiles of Behaviour of Intruders and Authorized Users

In Anderson’s study, it was postulated that one could, with reasonable confidence, distinguish between a masquerader and a legitimate user. Patterns of legitimate user behaviour can be established by observing past history, and significant deviation from such patterns can be detected. Anderson suggests that the task of detecting a misfeasor (legitimate user performing in an unauthorized fashion) is more difficult, in that the distinction between abnormal and normal behaviour may be small. Anderson concluded that such violations would be undetectable solely through the search for anomalous behaviour. However, misfeasor behaviour might nevertheless be detectable by intelligent definition of the class of conditions that suggest unauthorized use. Finally, the detection of the clandestine user was felt to be beyond the scope of purely automated techniques. These observations, which were made in 1980, remain true today.

The following approaches to intrusion detection can be identified:
1. Statistical anomaly detection: Involves the collection of data relating to the behaviour of legitimate users over a period of time. Then statistical tests are applied to observed behaviour to determine with a high level of confidence whether that behaviour is not legitimate user behaviour.
● Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.
● Profile based: A profile of the activity of each user is developed and used to detect changes in the behaviour of individual accounts.
2. Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a given behaviour is that of an intruder.
● Anomaly detection: Rules are developed to detect deviation from previous usage patterns.
● Penetration identification: An expert system approach that searches for suspicious behaviour.

Audit Records
A fundamental tool for intrusion detection is the audit record. Some record of ongoing activity by
users must be maintained as input to an intrusion detection system. Basically, two plans are used:
● Native audit records: Virtually all multiuser operating systems include accounting software that
collects information on user activity. The advantage of using this information is that no additional
collection software is needed. The disadvantage is that the native audit records may not contain
the needed information or may not contain it in a convenient form.
● Detection-specific audit records: A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system. One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems. The disadvantage is the extra overhead involved in having, in effect, two accounting packages running on a machine.

A good example of detection-specific audit records is one developed by Dorothy Denning. Each audit record contains the following fields:
● Subject: Initiators of actions. A subject is typically a terminal user but might also be a process acting on behalf of users or groups of users. All activity arises through commands issued by subjects. Subjects may be grouped into different access classes, and these classes may overlap.
● Action: Operation performed by the subject on or with an object; for example, login, read, perform I/O, execute.
● Object: Receptors of actions. Examples include files, programs, messages, records, terminals, printers, and user- or program-created structures. When a subject is the recipient of an action, such as electronic mail, then that subject is considered an object. Objects may be grouped by type. Object granularity may vary by object type and by environment. For example, database actions may be audited for the database as a whole or at the record level.
● Exception-Condition: Denotes which, if any, exception condition is raised on return.
● Resource-Usage: A list of quantitative elements in which each element gives the amount used of some resource (e.g., number of lines printed or displayed, number of records read or written, processor time, I/O units used, session elapsed time).
● Time-Stamp: Unique time-and-date stamp identifying when the action took place.

Most user operations are made up of a number of elementary actions. For example, a file copy involves the execution of the user command, which includes doing access validation and setting up the copy, plus the read from one file, plus the write to another file. Consider the command
COPY GAME.EXE TO <Library>GAME.EXE
issued by Smith to copy an executable file GAME from the current directory to the <Library> directory. The following audit records may be generated:

In this case, the copy is aborted because Smith does not have write permission to <Library>.

The decomposition of a user operation into elementary actions has three advantages:
● Because objects are the protectable entities in a system, the use of elementary actions enables an audit of all behaviour affecting an object. Thus, the system can detect attempted subversions of access controls (by noting an abnormality in the number of exception conditions returned) and can detect successful subversions by noting an abnormality in the set of objects accessible to the subject.
● Single-object, single-action audit records simplify the model and the implementation.
● Because of the simple, uniform structure of the detection-specific audit records, it may be relatively easy to obtain this information or at least part of it by a straightforward mapping from existing native audit records to the detection-specific audit records.

Statistical Anomaly Detection

As was mentioned, statistical anomaly detection techniques fall into two broad categories: threshold detection and profile-based systems. Threshold detection involves counting the number of occurrences of a specific event type over an interval of time. If the count surpasses what is considered a reasonable number that one might expect to occur, then intrusion is assumed.

Threshold analysis, by itself, is a crude and ineffective detector of even moderately sophisticated attacks. Both the threshold and the time interval must be determined. Because of the variability across users, such thresholds are likely to generate either a lot of false positives or a lot of false negatives. However, simple threshold detectors may be useful in conjunction with more sophisticated techniques.

Profile-based anomaly detection focuses on characterizing the past behaviour of individual users or related groups of users and then detecting significant deviations. A profile may consist of a set of parameters, so that deviation on just a single parameter may not be sufficient in itself to signal an alert.

The foundation of this approach is an analysis of audit records. The audit records provide input to the intrusion detection function in two ways. First, the designer must decide on a number of quantitative metrics that can be used to measure user behaviour. An analysis of audit records over a period of time can be used to determine the activity profile of the average user. Thus, the audit records serve to define typical behaviour. Second, current audit records are the input used to detect intrusion. That is, the intrusion detection model analyzes incoming audit records to determine deviation from average behaviour.

Examples of metrics that are useful for profile-based intrusion detection are the following:
● Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time. Examples include the number of logins by a single user during an hour, the number of times
a given command is executed during a single user session, and the number of password failures during a minute.
● Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity. Examples include the number of logical connections assigned to a user application and the number of outgoing messages queued for a user process.
● Interval timer: The length of time between two related events. An example is the length of time between successive logins to an account.
● Resource utilization: Quantity of resources consumed during a specified period. Examples include the number of pages printed during a user session and total time consumed by a program execution.

Given these general metrics, various tests can be performed to determine whether current activity fits within acceptable limits. [DENN87] lists the following approaches that may be taken:
● Mean and standard deviation
● Multivariate
● Markov process
● Time series
● Operational

The simplest statistical test is to measure the mean and standard deviation of a parameter over some historical period. This gives a reflection of the average behaviour and its variability. The use of mean and standard deviation is applicable to a wide variety of counters, timers, and resource measures. But these measures, by themselves, are typically too crude for intrusion detection purposes.

A multivariate model is based on correlations between two or more variables. Intruder behaviour may be characterized with greater confidence by considering such correlations (for example, processor time and resource usage, or login frequency and session elapsed time).

A Markov process model is used to establish transition probabilities among various states. As an example, this model might be used to look at transitions between certain commands.

A time series model focuses on time intervals, looking for sequences of events that happen too rapidly or too slowly. A variety of statistical tests can be applied to characterize abnormal timing.

Finally, an operational model is based on a judgment of what is considered abnormal, rather than an automated analysis of past audit records. Typically, fixed limits are defined and intrusion is suspected for an observation that is outside the limits. This type of approach works best where intruder behaviour can be deduced from certain types of activities. For example, a large number of login attempts over a short period suggests an attempted intrusion.

As an example of the use of these various metrics and models, Table 4.1 shows various measures considered or tested for the Stanford Research Institute (SRI) intrusion detection system (IDES). The main advantage of the use of statistical profiles is that a prior knowledge of security flaws is not required. The detector program learns what "normal" behaviour is and then looks for deviations. The approach is not based on system-dependent characteristics and vulnerabilities. Thus, it should be readily portable among a variety of systems.

Table 4.1: Measures That May Be Used for Intrusion Detection
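An added example, not from these notes, that ties the Denning audit-record format (the COPY decomposition above) to the mean-and-standard-deviation test: a COPY operation is decomposed into single-object, single-action records, a counter metric (exception conditions returned to a subject in an interval) is derived from them, and the current interval is compared against the mean and standard deviation of the historical profile, which is how the first of the three advantages (noting an abnormality in the number of exception conditions) is realised. The record field values, the historical counts and the k = 3 deviation threshold are constructed for illustration.

```python
import statistics
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuditRecord:
    """Denning's detection-specific audit record: one subject, one action, one object."""
    subject: str
    action: str
    obj: str
    exception: Optional[str]   # None when the action returned normally
    resource_usage: dict       # e.g. {"CPU": 2} or {"RECORDS": 0}
    time_stamp: int            # seconds since epoch; constructed values below


def copy_records(subject: str, src: str, dst: str, can_write: bool, ts: int) -> List[AuditRecord]:
    """Decompose 'COPY src TO dst' into elementary records: execute the copy
    command, read the source, then write the destination. Without write
    permission on dst the copy is aborted and a write violation is recorded."""
    recs = [
        AuditRecord(subject, "execute", "<Library>COPY.EXE", None, {"CPU": 2}, ts),
        AuditRecord(subject, "read", src, None, {"RECORDS": 0}, ts),
    ]
    if can_write:
        recs.append(AuditRecord(subject, "write", dst, None, {"RECORDS": 1}, ts))
    else:
        recs.append(AuditRecord(subject, "write", dst, "write-viol", {"RECORDS": 0}, ts))
    return recs


def exception_count(records: List[AuditRecord], subject: str, start: int, length: int) -> int:
    """Counter metric: exception conditions returned to subject in [start, start+length)."""
    return sum(
        1 for r in records
        if r.subject == subject and r.exception is not None and start <= r.time_stamp < start + length
    )


def profile(history: List[int]) -> Tuple[float, float]:
    """Mean and (population) standard deviation of a counter over past intervals."""
    return statistics.mean(history), statistics.pstdev(history)


def is_anomalous(history: List[int], current: int, k: float = 3.0) -> bool:
    """Profile-based test: flag the current count if it lies more than k standard
    deviations above the historical mean. With zero historical variance any
    value above the mean is flagged (assumed rule for that edge case)."""
    mean, sd = profile(history)
    if sd == 0:
        return current > mean
    return (current - mean) / sd > k


def demo() -> Tuple[int, bool]:
    """Constructed scenario: Smith's past sessions produced few exceptions; in the
    current session Smith repeatedly tries to copy into <Library>, where Smith
    has no write permission, so each attempt yields a write-viol record."""
    history = [0, 1, 0, 0, 2, 1, 0, 1]          # constructed per-session exception counts
    t0 = 1_700_000_000
    records: List[AuditRecord] = []
    for i in range(6):
        records += copy_records("Smith", "<Smith>GAME.EXE", "<Library>GAME.EXE", False, t0 + 10 * i)
    current = exception_count(records, "Smith", t0, 3600)
    return current, is_anomalous(history, current)
```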
Rule-based penetration identification relies on system administrators and security analysts to collect a suite of known penetration scenarios and key events that threaten the security of the target system. A simple example of the type of rules that can be used is found in NIDX, an early system that used heuristic rules to assign degrees of suspicion to activities. Example heuristics are the following:
● Users should not read files in other users’ personal directories.
● Users must not write other users’ files.
● Users who log in after hours often access the same files they used earlier.
● Users do not generally open disk devices directly but rely on higher-level operating system utilities.
● Users should not be logged in more than once to the same system.
● Users do not make copies of system programs.

The Base-Rate Fallacy

To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level. If only a modest percentage of actual intrusions are detected, the system provides a false sense of security. On the other hand, if the system frequently triggers an alert when there is no intrusion (a false alarm), then either system managers will begin to ignore the alarms, or much time will be wasted analyzing the false alarms.

Unfortunately, because of the nature of the probabilities involved, it is very difficult to meet the standard of a high rate of detections with a low rate of false alarms. In general, if the actual number of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating. A study of existing intrusion detection systems, reported in [AXEL00], indicated that current systems have not overcome the problem of the base-rate fallacy. See Appendix 20A for a brief background on the mathematics of this problem.

Distributed Intrusion Detection

Until recently, work on intrusion detection systems focused on single-system stand-alone facilities. The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork. Although it is possible to mount a defence by using stand-alone intrusion detection systems on each host, a more effective defence can be achieved by coordination and cooperation among intrusion detection systems across the network. Porras points out the following major issues in the design of a distributed intrusion detection system.
● A distributed intrusion detection system may need to deal with different audit record formats. In a heterogeneous environment, different systems will employ different native audit collection systems and, if using intrusion detection, may employ different formats for security-related audit records.
● One or more nodes in the network will serve as collection and analysis points for the data from the systems on the network. Thus, either raw audit data or summary data must be transmitted across the network. Therefore, there is a requirement to assure the integrity and confidentiality of these data. Integrity is required to prevent an intruder from masking his or her activities by altering the transmitted audit information. Confidentiality is required because the transmitted audit information could be valuable.
● Either a centralized or decentralized architecture can be used. With a centralized architecture, there is a single central point of collection and analysis of all audit data. This eases the task of correlating incoming reports but creates a potential bottleneck and single point of failure. With a decentralized architecture, there is more than one analysis center, but these must coordinate their activities and exchange information.

Figure 20.2 shows the overall architecture, which consists of three main components:
● Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security related events on the host and transmit these to the central manager.
● LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.
● Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion.

The scheme is designed to be independent of any operating system or system auditing implementation. Figure 20.3 [SNAP91] shows the general approach that is taken. The agent captures each audit record produced by the native audit collection system. A filter is applied that retains only those records that are of security interest. These records are then reformatted into a standardized format referred to as the host audit record (HAR). Next, a template-driven logic module analyzes the records for suspicious activity. At the lowest level, the agent scans for notable events that are of interest independent of any past events. Examples include failed file accesses, accessing system files, and changing a file’s access control. At the next higher level, the agent looks for sequences of events, such as known attack patterns (signatures). Finally, the agent looks for anomalous behaviour of an individual user based on a historical profile of that user, such as number of programs executed, number of files accessed, and the like.

Figure 6.3: Agent Architecture

When suspicious activity is detected, an alert is sent to the central manager. The central manager includes an expert system that can draw inferences from received data. The manager may also query individual systems for copies of HARs to correlate with those from other agents.

The LAN monitor agent also supplies information to the central manager. The LAN monitor agent audits host-host connections, services used, and volume of traffic. It searches for significant events, such as sudden changes in network load, the use of security-related services, and network activities such as rlogin.

The architecture depicted in Figures 7.2 and 7.3 is quite general and flexible. It offers a foundation for a machine-independent approach that can expand from stand-alone intrusion detection to a system that is able to correlate activity from a number of sites and networks to detect suspicious activity that would otherwise remain undetected.
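A worked calculation for the Base-Rate Fallacy section above, added here and not part of these notes: given the fraction of observed events that are intrusions, the detector's detection rate and its false alarm rate, Bayes' rule gives the probability that a raised alarm is a real intrusion, and solving the same relation backwards gives the false alarm rate a detector would need for a target fraction of alarms to be genuine. The rates in `demo` are constructed for illustration.

```python
from typing import Tuple


def alarm_precision(base_rate: float, detection_rate: float, false_alarm_rate: float) -> float:
    """P(intrusion | alarm) by Bayes' rule.
    base_rate        = P(I):        fraction of observed events that are intrusions
    detection_rate   = P(A | I):    fraction of intrusions that raise an alarm
    false_alarm_rate = P(A | not I): fraction of legitimate events that raise an alarm"""
    p_alarm = base_rate * detection_rate + (1 - base_rate) * false_alarm_rate
    if p_alarm == 0:
        return 0.0
    return base_rate * detection_rate / p_alarm


def required_false_alarm_rate(base_rate: float, detection_rate: float, target_precision: float) -> float:
    """Solve P(I | A) = target for P(A | not I): the false alarm rate the detector
    must reach so that the target fraction of its alarms are genuine.
    target = bd / (bd + (1-b) f)  =>  f = bd (1 - target) / (target (1 - b))"""
    return base_rate * detection_rate * (1 - target_precision) / (target_precision * (1 - base_rate))


def alarm_counts(n_events: int, base_rate: float, detection_rate: float,
                 false_alarm_rate: float) -> Tuple[float, float]:
    """Expected (true alarms, false alarms) among n_events observed events."""
    intrusions = n_events * base_rate
    legitimate = n_events - intrusions
    return intrusions * detection_rate, legitimate * false_alarm_rate


def demo() -> Tuple[float, Tuple[float, float]]:
    """Constructed figures: 1 event in 100,000 is an intrusion; the detector catches
    99% of intrusions and mis-flags only 1% of legitimate events. Even so, about
    one alarm in a thousand is real, and a million events yield ~10,000 false alarms."""
    b, d, f = 1e-5, 0.99, 0.01
    return alarm_precision(b, d, f), alarm_counts(1_000_000, b, d, f)
```

With the same base rate, getting even half of all alarms to be genuine would require a false alarm rate near one in a hundred thousand, which is what the notes mean by "extremely discriminating".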
Network Security 21EC742
Honey pots
A relatively recent innovation in intrusion detection technology is the honey pot. Honey pots are decoy systems that are designed to lure a potential attacker away from critical systems. Honey pots are designed to
● Divert an attacker from accessing critical systems
● Collect information about the attacker’s activity
● Encourage the attacker to stay on the system long enough for administrators to respond
These systems are filled with fabricated information designed to appear valuable but that a legitimate user of the system wouldn’t access. Thus, any access to the honey pot is suspect. The system is instrumented with sensitive monitors and event loggers that detect these accesses and collect information about the attacker’s activities. Because any attack against the honey pot is made to seem successful, administrators have time to mobilize and log and track the attacker without ever exposing productive systems.
Initial efforts involved a single honey pot computer with IP addresses designed to attract hackers. More recent research has focused on building entire honey pot networks that emulate an enterprise, possibly with actual or simulated traffic and data. Once hackers are within the network, administrators can observe their behaviour in detail and figure out defences.

Intrusion Detection Exchange Format

To facilitate the development of distributed intrusion detection systems that can function across a wide range of platforms and environments, standards are needed to support interoperability. Such standards are the focus of the IETF Intrusion Detection Working Group. The purpose of the working group is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to management systems that may need to interact with them. The outputs of this working group include:
● A requirements document, which describes the high-level functional requirements for communication between intrusion detection systems and requirements for communication between intrusion detection systems and with management systems, including the rationale for those requirements. Scenarios will be used to illustrate the requirements.
● A common intrusion language specification, which describes data formats that satisfy the requirements.
● A framework document, which identifies existing protocols best used for communication between intrusion detection systems, and describes how the devised data formats relate to them. As of this writing, all of these documents are in an Internet-draft document stage.

Malicious software programs, Viruses and related Threats, Virus Countermeasure.

CHAPTER 2 - MALICIOUS SOFTWARE
The terminology in this area presents problems because of a lack of universal agreement on all of the terms and because some of the categories overlap.
Malicious software can be divided into two categories: those that need a host program, and those that are independent. The former, referred to as parasitic, are essentially fragments of programs that cannot exist independently of some actual application program, utility, or system program. Viruses, logic bombs, and backdoors are examples. Independent malware is a self-contained program that can be scheduled and run by the operating system. Worms and bot programs are examples.
Table 4.2 Terminology of Malicious Programs
We can also differentiate between those software threats that do not replicate and those that do. The former are programs or fragments of programs that are activated by a trigger. Examples are logic bombs, backdoors, and bot programs. The latter consist of either a program fragment or an independent program that, when executed, may produce one or more copies of itself to be activated later on the same system or some other system. Viruses and worms are examples.
In the remainder of this section, we briefly survey some of the key categories of malicious software, deferring discussion on the key topics of viruses and worms until the following sections.

Logic Bomb
One of the oldest types of program threat, predating viruses and worms, is the logic bomb. The logic bomb is code embedded in some legitimate program that is set to “explode” when certain conditions are met. Examples of conditions that can be used as triggers for a logic bomb are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application. Once triggered, a bomb may alter or delete data or entire files, cause a machine halt, or do some other damage. A striking example of how logic bombs can be employed was the case of Tim Lloyd, who was convicted of setting a logic bomb that cost his employer, Omega Engineering, more than $10 million, derailed its corporate growth strategy, and eventually led to the layoff of 80 workers [GAUD00]. Ultimately, Lloyd was sentenced to 41 months in prison and ordered to pay $2 million in restitution.
Backdoor
A backdoor, also known as a trapdoor, is a secret entry point into a program that allows someone who is aware of the backdoor to gain access without going through the usual security access procedures. Programmers have used backdoors legitimately for many years to debug and test programs; such a backdoor is called a maintenance hook. This usually is done when the programmer is developing an application that has an authentication procedure, or a long setup, requiring the user to enter many different values to run the application. To debug the program, the developer may wish to gain special privileges or to avoid all the necessary setup and authentication. The programmer may also want to ensure that there is a method of activating the program should something be wrong with the authentication procedure that is being built into the application. The backdoor is code that recognizes some special sequence of input or is triggered by being run from a certain user ID or by an unlikely sequence of events.
Backdoors become threats when unscrupulous programmers use them to gain unauthorized access. The backdoor was the basic idea for the vulnerability portrayed in the movie War Games. Another example is that during the development of Multics, penetration tests were conducted by an Air Force “tiger team” (simulating adversaries). One tactic employed was to send a bogus operating system update to a site running Multics. The update contained a Trojan horse (described later) that could be activated by a backdoor and that allowed the tiger team to gain access. The threat was so well implemented that the Multics developers could not find it, even after they were informed of its presence [ENGE80].
It is difficult to implement operating system controls for backdoors. Security measures must focus on the program development and software update activities.

Trojan Horses
A Trojan horse is a useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function.
Trojan horse programs can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly. For example, to gain access to the files of another user on a shared system, a user could create a Trojan horse program that, when executed, changes the invoking user’s file permissions so that the files are readable by any user. The author could then induce users to run the program by placing it in a common directory and naming it such that it appears to be a useful utility program or application. An example is a program that ostensibly produces a listing of the user’s files in a desirable format. After another user has run the program, the author of the program can then access the information in the user’s files. An example of a Trojan horse program that would be difficult to detect is a compiler that has been modified to insert additional code into certain programs as they are compiled, such as a system login program. The code creates a backdoor in the login program that permits the author to log on to the system using a special password. This Trojan horse can never be discovered by reading the source code of the login program.
Another common motivation for the Trojan horse is data destruction. The program appears to be performing a useful function (e.g., a calculator program), but it may also be quietly deleting the user’s files. For example, a CBS executive was victimized by a Trojan horse that destroyed all information contained in his computer’s memory. The Trojan horse was implanted in a graphics routine offered on an electronic bulletin board system.
Trojan horses fit into one of three models:
● Continuing to perform the function of the original program and additionally performing a separate malicious activity
● Continuing to perform the function of the original program but modifying the function to perform malicious activity (e.g., a Trojan horse version of a login program that collects passwords) or to disguise other malicious activity (e.g., a Trojan horse version of a process listing program that does not display certain processes that are malicious)
● Performing a malicious function that completely replaces the function of the original program

Mobile Code
Mobile code refers to programs (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics [JANS01]. The term also applies to situations involving a large homogeneous collection of platforms (e.g., Microsoft Windows). Mobile code is transmitted from a remote system to a local system and then executed on the local system without the user’s explicit instruction. Mobile code often acts as a mechanism for a virus, worm, or Trojan horse to be transmitted to the user’s workstation. In other cases, mobile code takes advantage of vulnerabilities to perform its own exploits, such as unauthorized data access or root compromise. Popular vehicles for mobile code include Java applets, ActiveX, JavaScript, and VBScript. The most common ways of using mobile code for malicious operations on a local system are cross-site scripting, interactive and dynamic Web sites, e-mail attachments, and downloads from untrusted sites or of untrusted software.

Multiple-Threat Malware
Viruses and other malware may operate in multiple ways. The terminology is far from uniform; this subsection gives a brief introduction to several related concepts that could be considered multiple-threat malware.
A multipartite virus infects in multiple ways. Typically, the multipartite virus is capable of infecting multiple types of files, so that virus eradication must deal with all of the possible sites of infection.
A blended attack uses multiple methods of infection or transmission, to maximize the speed of contagion and the severity of the attack. Some writers characterize a blended attack as a package that includes multiple types of malware. An example of a blended attack is the Nimda attack, erroneously referred to as simply a worm. Nimda uses four distribution methods:
● E-mail: A user on a vulnerable host opens an infected e-mail attachment; Nimda looks for e-mail addresses on the host and then sends copies of itself to those addresses.
● Windows shares: Nimda scans hosts for unsecured Windows file shares; it can then use NetBIOS as a transport mechanism to infect files on that host in the hopes that a user will run an infected file, which will activate Nimda on that host.
● Web servers: Nimda scans Web servers, looking for known vulnerabilities in Microsoft IIS. If it finds a vulnerable server, it attempts to transfer a copy of itself to the server and infect it and its files.
● Web clients: If a vulnerable Web client visits a Web server that has been infected by Nimda, the client’s workstation will become infected.
Thus, Nimda has worm, virus, and mobile code characteristics. Blended attacks may also spread through other services, such as instant messaging and peer-to-peer file sharing.

VIRUSES AND RELATED ATTACKS:
The Nature of Viruses
A computer virus is a piece of software that can “infect” other programs by modifying them; the modification includes injecting the original program with a routine to make copies of the virus program, which can then go on to infect other programs. Computer viruses first appeared in the early 1980s, and the term itself is attributed to Fred Cohen in 1983. Cohen is the author of a groundbreaking book on the subject.
Biological viruses are tiny scraps of genetic code—DNA or RNA—that can take over the machinery of a living cell and trick it into making thousands of flawless replicas of the original virus. Like its biological counterpart, a computer virus carries in its instructional code the recipe for making perfect copies of itself. The typical virus becomes embedded in a program on a computer. Then, whenever the infected computer comes into contact with an uninfected piece of software, a fresh copy of the virus passes into the new program. Thus, the infection can be spread from computer to computer by unsuspecting users who either swap disks or send programs to one another over a network. In a network environment, the ability to access applications and system services on other computers provides a perfect culture for the spread of a virus.
A virus can do anything that other programs do. The difference is that a virus attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs, that is allowed by the privileges of the current user.
A computer virus has three parts:
● Infection mechanism: The means by which a virus spreads, enabling it to replicate. The mechanism is also referred to as the infection vector.
● Trigger: The event or condition that determines when the payload is activated or delivered.
● Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.
During its lifetime, a typical virus goes through the following four phases:
● Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
● Propagation phase: The virus places a copy of itself into other programs or into certain system areas on the disk. The copy may not be identical to the propagating version; viruses often morph to evade detection. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
● Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
● Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files. Most viruses carry out their work in a manner that is specific to a particular operating system and, in some cases, specific to a particular hardware platform. Thus, they are designed to take advantage of the details and weaknesses of particular systems.

VIRUS STRUCTURE
A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program.
A very general depiction of virus structure is shown in Figure 7.1. In this case, the virus code, V, is prepended to infected programs, and it is assumed that the entry point to the program, when invoked, is the first line of the program.
The infected program begins with the virus code and works as follows. The first line of code is a jump to the main virus program. The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus. When the program is invoked, control is immediately transferred to the main virus program. The virus program may first seek out uninfected executable files and infect them. Next, the virus may perform some action, usually detrimental to the system. This action could be performed every time the program is invoked, or it could be a logic bomb that triggers only under certain conditions. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and an uninfected program.
A virus such as the one just described is easily detected because an infected version of a program is longer than the corresponding uninfected one. A way to thwart such a simple means of detecting a virus is to compress the executable file so that both the infected and uninfected versions are of identical length. Figure 7.2 shows in general terms the logic required. The key lines in this virus are numbered; Figure 7.3 illustrates the operation. We assume that program P1 is infected with the virus CV. When this program is invoked, control passes to its virus, which performs the following steps:
1. For each uninfected file P2 that is found, the virus first compresses that file, producing a version that is shorter than the original program by the size of the virus.
2. A copy of the virus is prepended to the compressed program.
3. The compressed version of the original infected program is uncompressed.
4. The uncompressed original program is executed.

Figure 7.2 Logic for a Compression Virus
Figure 7.3 A Compression Virus

Viruses Classification
There has been a continuous arms race between virus writers and writers of antivirus software since viruses first appeared. As effective countermeasures are developed for existing types of viruses, newer types are developed. There is no simple or universally agreed upon classification scheme for viruses. In this section, we classify viruses along two orthogonal axes: the type of target the virus tries to infect and the method the virus uses to conceal itself from detection by users and antivirus software.
A virus classification by target includes the following categories:
• Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
• File infector: Infects files that the operating system or shell consider to be executable.
• Macro virus: Infects files with macro code that is interpreted by an application.
A virus classification by concealment strategy includes the following categories:
• Encrypted virus: A typical approach is as follows. A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected. Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe.
• Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software. Thus, the entire virus, not just a payload, is hidden.
• Polymorphic virus: A virus that mutates with every infection, making detection by the “signature” of the virus impossible.
• Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.
One example of a stealth virus was discussed earlier: a virus that uses compression so that the infected program is exactly the same length as an uninfected version. Far more sophisticated techniques are possible. For example, a virus can place intercept logic in disk I/O routines, so that when there is an attempt to read suspected portions of the disk using these routines, the virus will present back the original, uninfected program. Thus, stealth is not a term that applies to a virus as such but, rather, refers to a technique used by a virus to evade detection.
A polymorphic virus creates copies during replication that are functionally equivalent but have distinctly different bit patterns. As with a stealth virus, the purpose is to defeat programs that scan for viruses. In this case, the “signature” of the virus will vary with each copy. To achieve this variation, the virus may randomly insert superfluous instructions or interchange the order of independent instructions. A more effective approach is to use encryption. The strategy of the encryption virus is followed. The portion of the virus that is responsible for generating keys and performing encryption/decryption is referred to as the mutation engine. The mutation engine itself is altered with each use.

Virus Kits
Another weapon in the virus writers’ armory is the virus-creation toolkit. Such a toolkit enables a relative novice to quickly create a number of different viruses. Although viruses created with toolkits tend to be less sophisticated than viruses designed from scratch, the sheer number of new viruses that can be generated using a toolkit creates a problem for antivirus schemes.

Macro Viruses
In the mid-1990s, macro viruses became by far the most prevalent type of virus. Macro viruses are particularly threatening for a number of reasons:
1. A macro virus is platform independent. Many macro viruses infect Microsoft Word documents or other Microsoft Office documents. Any hardware platform and operating system that supports these applications can be infected.
2. Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of a document rather than a program.
3. Macro viruses are easily spread. A very common method is by electronic mail.
4. Because macro viruses infect user documents rather than system programs, traditional file system access controls are of limited use in preventing their spread.
Macro viruses take advantage of a feature found in Word and other office applications such as Microsoft Excel, namely the macro. In essence, a macro is an executable program embedded in a word processing document or other type of file. Typically, users employ macros to automate repetitive tasks and thereby save keystrokes. The macro language is usually some form of the Basic programming language. A user might define a sequence of keystrokes in a macro and set it up so that the macro is invoked when a function key or special short combination of keys is input.
Successive releases of MS Office products provide increased protection against macro viruses. For example, Microsoft offers an optional Macro Virus Protection tool that detects suspicious Word files and alerts the customer to the potential risk of opening a file with macros. Various antivirus product vendors have also developed tools to detect and correct macro viruses. As in other types of viruses, the arms race continues in the field of macro viruses, but they no longer are the predominant virus threat.

E-Mail Viruses
A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then
1. The e-mail virus sends itself to everyone on the mailing list in the user’s e-mail package.
2. The virus does local damage on the user’s system.
In 1999, a more powerful version of the e-mail virus appeared. This newer version can be activated merely by opening an e-mail that contains the virus rather than opening an attachment. The virus uses the Visual Basic scripting language supported by the e-mail package.
Thus we see a new generation of malware that arrives via e-mail and uses e-mail software features to replicate itself across the Internet. The virus propagates itself as soon as it is activated (either by opening an e-mail attachment or by opening the e-mail) to all of the e-mail addresses known to the infected host. As a result, whereas viruses used to take months or years to propagate, they now do so in hours. This makes it very difficult for antivirus software to respond before much damage is done. Ultimately, a greater degree of security must be built into Internet utility and application software on PCs to counter the growing threat.

VIRUS COUNTERMEASURES

Antivirus Approaches
The ideal solution to the threat of viruses is prevention: Do not allow a virus to get into the system in the first place, or block the ability of a virus to modify any files containing executable code or macros. This goal is, in general, impossible to achieve, although prevention can reduce the number of successful viral attacks. The next best approach is to be able to do the following:
• Detection: Once the infection has occurred, determine that it has occurred and locate the virus.
• Identification: Once detection has been achieved, identify the specific virus that has infected a program.
• Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the virus cannot spread further.
If detection succeeds but either identification or removal is not possible, then the alternative is to discard the infected file and reload a clean backup version.
Advances in virus and antivirus technology go hand in hand. Early viruses were relatively simple code fragments and could be identified and purged with relatively simple antivirus software packages. As the virus arms race has evolved, both viruses and, necessarily, antivirus software have grown more complex and sophisticated. [STEP93] identifies four generations of antivirus software:
• First generation: simple scanners
• Second generation: heuristic scanners
• Third generation: activity traps
• Fourth generation: full-featured protection
A first-generation scanner requires a virus signature to identify a virus. The virus may contain “wildcards” but has essentially the same structure and bit pattern in all copies. Such signature-specific scanners are limited to the detection of known viruses. Another type of first-generation scanner maintains a record of the length of programs and looks for changes in length.
A second-generation scanner does not rely on a specific signature. Rather, the scanner uses heuristic rules to search for probable virus infection. One class of such scanners looks for fragments of code that are often associated with viruses. For example, a scanner may look for the beginning of an encryption loop used in a polymorphic virus and discover the encryption key. Once the key is discovered, the scanner can decrypt the virus to identify it, then remove the infection and return the program to service.
Another second-generation approach is integrity checking. A checksum can be appended to each program. If a virus infects the program without changing the checksum, then an integrity check will catch the change. To counter a virus that is sophisticated enough to change the checksum when it infects a program, an encrypted hash function can be used. The encryption key is stored separately from the program so that the virus cannot generate a new hash code and encrypt that. By using a hash function rather than a simpler checksum, the virus is prevented from adjusting the program to produce the same hash code as before.
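Both first-generation techniques named above (a byte signature that may contain wildcard positions, and a record of program lengths checked for changes) are short enough to show in full. The following Python is an added example written for these notes, not the code of any real antivirus product; the signatures and the sample "files" are constructed test data, not real virus signatures, and the hex-with-"??" notation is an assumption about how such a signature is written down.

```python
"""First-generation scanning: byte signatures with wildcards plus a length-record check.

Added example; signatures and sample files are constructed test data, not real virus signatures.
"""
import re
from typing import Dict, List, Tuple

# Constructed signatures: hex bytes separated by spaces, "??" meaning "any byte" (a wildcard).
SIGNATURES: Dict[str, str] = {
    "DEMO-SIG-A": "DE AD ?? ?? BE EF",
    "DEMO-SIG-B": "CA FE BA BE 00",
}

# Constructed sample files standing in for executables on disk.
SAMPLE_FILES: Dict[str, bytes] = {
    "clean.bin": b"MZ" + b"\x00" * 30 + b"RET",
    "app.bin": b"MZ" + b"\xde\xad\x42\x43\xbe\xef" + b"\x00" * 20,
}

# Lengths recorded the last time the scanner ran (constructed: app.bin has since grown).
RECORDED_LENGTHS: Dict[str, int] = {"clean.bin": 35, "app.bin": 20}


def compile_signature(hex_sig: str) -> "re.Pattern[bytes]":
    """Translate a hex signature with '??' wildcards into a bytes regex."""
    parts = []
    for tok in hex_sig.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        elif len(tok) == 2:
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad signature token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)    # DOTALL so '.' also matches 0x0A


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan_file(data: bytes, compiled=COMPILED) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every signature hit in the file."""
    hits = []
    for name, pattern in compiled.items():
        for m in pattern.finditer(data):
            hits.append((name, m.start()))
    return hits


def check_lengths(files: Dict[str, bytes], recorded: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """The other first-generation check: flag programs whose length changed since last recorded."""
    changed = []
    for fname, data in files.items():
        old = recorded.get(fname)
        if old is not None and old != len(data):
            changed.append((fname, old, len(data)))
    return changed


def scan_all(files=SAMPLE_FILES, recorded=RECORDED_LENGTHS) -> Dict[str, object]:
    """Run both checks over a set of files, as a simple scanner would."""
    hits = {f: scan_file(d) for f, d in files.items()}
    return {"signature_hits": {f: h for f, h in hits.items() if h},
            "length_changes": check_lengths(files, recorded)}


if __name__ == "__main__":
    print(scan_all())
```

The limits the notes describe are visible in the code: the signature check finds only patterns it already knows, and the length check is defeated by the compression virus described earlier, which keeps the infected file exactly as long as the original.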
Third-generation programs are memory-resident programs that identify a virus by its actions rather than its structure in an infected program. Such programs have the advantage that it is not necessary to develop signatures and heuristics for a wide array of viruses. Rather, it is necessary only to identify the small set of actions that indicate an infection is being attempted and then to intervene.
Fourth-generation products are packages consisting of a variety of antivirus techniques used in conjunction. These include scanning and activity trap components. In addition, such a package includes access control capability, which limits the ability of viruses to penetrate a system and then limits the ability of a virus to update files in order to pass on the infection.
The arms race continues. With fourth-generation packages, a more comprehensive defense strategy is employed, broadening the scope of defense to more general-purpose computer security measures.
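The integrity-checking argument made under second-generation scanners above (an appended checksum can be recomputed by a modifier that knows the scheme, or compensated for without touching it; a keyed hash whose key is stored apart from the program cannot) is worth seeing run. The following Python is an added example, not code from these notes or from any antivirus product: the program bytes, the inserted bytes and the key are constructed, and HMAC-SHA256 is used as a stand-in for the "encrypted hash function" the notes refer to.

```python
"""Integrity checking: an appended checksum versus a keyed hash whose key is kept out of the file.

Added example; program bytes, modifications and key are constructed for the demonstration.
"""
import hashlib
import hmac
from typing import Dict

TAG_LEN = 2  # size of the checksum trailer appended to the program

# Constructed stand-ins for an executable, a modification, and the checker's separately stored key.
PROGRAM = b"\x7fELF demo program body, constructed for this example only"
EXTRA = b"<bytes inserted by a modification>"
KEY = b"constructed key held in the checker's own store, never inside the file"


def additive_checksum(data: bytes) -> int:
    """16-bit additive checksum: the 'simpler checksum' the notes warn about."""
    return sum(data) & 0xFFFF


def seal_with_checksum(program: bytes) -> bytes:
    """Append the checksum to the program, as a naive integrity checker would."""
    return program + additive_checksum(program).to_bytes(TAG_LEN, "big")


def checksum_ok(sealed: bytes) -> bool:
    body, trailer = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    return additive_checksum(body) == int.from_bytes(trailer, "big")


def modify_naively(sealed: bytes, extra: bytes) -> bytes:
    """A modification that ignores the scheme: insert bytes and leave the trailer alone."""
    return sealed[:-TAG_LEN] + extra + sealed[-TAG_LEN:]


def modify_and_rewrite_trailer(sealed: bytes, extra: bytes) -> bytes:
    """A modification that knows the scheme: recompute the trailer over the new body."""
    return seal_with_checksum(sealed[:-TAG_LEN] + extra)


def modify_preserving_checksum(sealed: bytes, extra: bytes) -> bytes:
    """A modification that pads so the additive sum is unchanged; the trailer is untouched."""
    body, trailer = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    deficit = (-sum(extra)) % 0x10000
    pad = b"\xff" * (deficit // 0xFF) + bytes([deficit % 0xFF])  # pad bytes sum to `deficit`
    return body + extra + pad + trailer


def keyed_tag(program: bytes, key: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256) standing in for the notes' 'encrypted hash function'."""
    return hmac.new(key, program, hashlib.sha256).digest()


def keyed_ok(program: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(program, key), tag)


def run_demo() -> Dict[str, bool]:
    """True means the check caught the modification."""
    sealed = seal_with_checksum(PROGRAM)
    tag = keyed_tag(PROGRAM, KEY)  # stored with the key, apart from the program
    variants = {
        "naive": modify_naively(sealed, EXTRA),
        "rewritten_trailer": modify_and_rewrite_trailer(sealed, EXTRA),
        "padded": modify_preserving_checksum(sealed, EXTRA),
    }
    results = {}
    for name, modified in variants.items():
        results[f"checksum_catches_{name}"] = not checksum_ok(modified)
        # the keyed check covers the program body only; the checksum trailer is not part of it
        results[f"keyed_hash_catches_{name}"] = not keyed_ok(modified[:-TAG_LEN], tag, KEY)
    return results


if __name__ == "__main__":
    for check, caught in run_demo().items():
        print(f"{check:40} {'caught' if caught else 'MISSED'}")
```

Only the naive modification is caught by the checksum; the other two pass because nothing stops a modifier from recomputing or compensating an unkeyed sum. All three are caught by the keyed hash, and the key never has to be in the file, which is the separation the notes call for.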
