
IT-Security

Chapter 9: Access Control, Firewalls, Intrusion Detection

Prof. Dr.-Ing. Ulrike Meyer


Overall Lecture Context

● So far, we mainly looked at cryptographic protection of data in transit or storage
  ► IPSec, TLS, SSH, PGP, S/MIME, DNSSec
● Now we look at
  ► Access Control: Blocking unauthorized access
    § Specifying a policy of who should be allowed to access what and how
  ► Firewalls: Blocking unwanted network traffic
    § Specifying a policy of which traffic to allow and which to deny
  ► Intrusion Detection: How to at least detect intrusions in general if other security mechanisms fail

[Figure: layered view of security mechanisms, top to bottom: User / Administrators, Implementations, Protocols and policies, Cryptographic primitives]

IT-Security - Chapter 9 Access Control, Firewalls, Intrusion Detection 2


Overview

● Access Control
  ► Access control matrices and lists
  ► Discretionary access control
  ► Access control on UNIX-based systems
  ► Role-based access control
  ► Attribute-based access control
● Firewalls
  ► Firewall policy
  ► Firewall types
  ► Placement of firewalls
● Intrusion Detection Systems
  ► Components of an IDS
  ► Performance and base-rate fallacy
  ► Anomaly vs. misuse-based detection
  ► Host-based vs. network-based
  ► Example: SNORT


Access Control

Access Control (IETF RFC 4949): Process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy

Authentication determines who a subject IS
Access Control determines what a subject is AUTHORIZED to DO

[Figure: access control exists at every layer of the stack (Application, Middleware, Operating System, Hardware); the figure annotates the stack with the axes Complexity and Reliability]


Access Control

Policy expressed by Access Control Matrix

            Object 1   Object 2   Object 3
Subject 1   rights     rights     rights
Subject 2   rights     rights     rights

Examples for rights: read, write, execute, append, …


Access Control Lists

● Many cells in an access control matrix are empty
  ► E.g., private files of a subject
● Access control lists abbreviate matrices by
  ► Storing each column of the matrix (the rights of all subjects on one object) alongside that object, omitting the empty cells
  ► An "Others" entry can give a default right to every subject not listed individually

Access Control Matrix (empty cells omitted)
            File 1   File 2   File 3
Subject 1   all      all
Subject 2            all      read
Subject 3
Subject 4
Subject 5

ACL of File 1: Subject 1: all; Others: (no rights)


Basic Types of Access Controls

Discretionary Access Control
  ► Each object has an owner
  ► Owner decides who may access an object how
    § May include deciding who gets a special grant access right

Mandatory Access Control
  ► A system-wide security policy decrees access to objects
  ► Compares security labels of objects to security clearances of subjects

Often occur in combination in modern implementations


Discretionary Access Control Implementations Differ in

● Which subjects can modify an object's ACL
  ► Creator of object
  ► Specific right that allows changes (revocation difficult)
● Privileged user and how ACLs apply to that user
● Support of groups or wildcards
  ► Allow to abbreviate ACLs
● Handling of contradictory permissions
  ► Allow if any permission allows it
  ► Deny if any permission denies it
  ► Apply first matching entry
● Application of default settings


Classical Example for Discretionary Access Control: UNIX File System

● Each object is associated with three classes of subjects
  ► owner, group, others
● Three rights available
  ► r: read, w: write, x: execute
● ACL for an object indicates
  ► If object is directory or not
  ► Rights assigned to each subject class
● Rights are initially set to a default value (the mode requested by the creating process, masked by its umask)
● Rights can be changed by owner with chmod

Example ACLs
  Type   owner   group   others
  d      rwx     r−−     −−−       (directory)
  −      rw−     rw−     r−−       (regular file)

Meaning of chmod abc (one octal digit per class: a = owner, b = group, c = others)
  r = 4, w = 2, x = 1
  7 = rwx   6 = rw−   5 = r−x   4 = r−−   3 = −wx   2 = −w−   1 = −−x   0 = −−−
  chmod 715 file sets owner rwx, group −−x, others r−x


Meaning of Rights for Directories in UNIX-based Systems

● The Unix permissions have the following effect on directories
  ► r allows listing the content of a directory
  ► w allows adding or deleting objects to/from a directory (only together with x, since the name has to be resolved inside the directory first)
  ► x allows cd to a directory and traversing it (prerequisite for opening / executing files in the directory, cd to subdirectory)
● Examples
  ► d rwx r−− r−−
    § Allows group members to list the content of the directory but does not allow them to access any subdirectory without the x permission set as well
  ► d rwx −−x r−−
    § Allows group members to change to the directory; if x is also set on a file/executable/subdirectory in the directory it can be opened/executed/cd'ed to, provided its name is known
    § But without the r right the content of the directory cannot be listed
Unix: Access Decisions and User IDs and Group IDs

● Each process or subject is associated with a user ID and at least one group ID
  ► Can be a member of more groups as well
● Access decisions to objects are based on user IDs and group IDs
  ► Exactly one class is selected: owner if the user ID matches, else group if one of the group IDs matches, else others; only that class's rights are consulted
● When a file is created it is owned by a particular user and marked with that user's user ID as owner
  ► It also belongs to a specific group
    § Initially the primary group of its creator, or the group of its parent directory if that has the setgid bit set
● If the (effective) user ID is 0 (root) then the access control decision is 'yes'
  ► I.e. root can do whatever it likes, some things can only be done by root
  ► The one exception is execution: even root cannot execute a file on which no x bit is set at all


Unix: User IDs, Group IDs

● Each process has three user IDs and three group IDs

► real uid, effective uid, saved uid

► real gid, effective gid, saved gid

● Real user ID (ruid)

► identifies the owner of the process

● Effective user ID (euid)

► used in most access control decisions

► can be assigned to a process by a system call (e.g. setuid)

● Saved user ID (suid)

► stores a previous user ID such that it can be restored later

● Similar: group IDs



Special Types of Permissions: setuid, setgid, sticky bit

● When setuid permission is set on an executable file, then
  ► a process that runs this file is granted access based on the user ID of the owner of the file
  ► The effective UID on which the access decision depends is set to the UID of the owner of the file
  ► This special permission allows the process running the file to access files and directories that are normally available only to the owner
● Similar setgid permission (the effective GID is set to the group of the file)
● The setuid and setgid permissions are indicated as s instead of x in the owner and group position, respectively (a capital S means the bit is set but the underlying x is not)
  ► chmod 4000 sets the setuid bit, chmod 2000 sets the setgid bit, chmod 1000 sets the sticky bit; e.g. chmod 4755 gives rwsr−xr−x
● The sticky bit protects the files within a directory
  ► If a directory has the sticky bit set, a file within it can be deleted or renamed only by the file owner, directory owner, or root (e.g. /tmp)
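The following is an added example (not from the lecture slides) that models the decision rules of the preceding UNIX slides in Python: decoding mode bits into the ls -l form including the s/S/t positions, selecting the single owner/group/others class for a process, the root exception, the directory semantics (r list, x traverse, w only useful with x), and the effect of setuid on the effective uid. Files are represented by small dicts with the assumed keys uid, gid and mode; the uids, gids and file names in demo() are constructed sample values, not real system data.

```python
import stat

# Permission bit values as on the slide: r = 4, w = 2, x = 1.
R, W, X = 4, 2, 1


def mode_to_string(mode):
    """Render an octal mode such as 0o4755 in the ls -l form (rwsr-xr-x).

    setuid/setgid/sticky take the x position of owner/group/others; an
    upper-case S or T means the special bit is set without the x bit.
    """
    out = []
    for shift, special, letter in ((6, stat.S_ISUID, "s"),
                                   (3, stat.S_ISGID, "s"),
                                   (0, stat.S_ISVTX, "t")):
        bits = (mode >> shift) & 7
        out.append("r" if bits & R else "-")
        out.append("w" if bits & W else "-")
        if mode & special:
            out.append(letter if bits & X else letter.upper())
        else:
            out.append("x" if bits & X else "-")
    return "".join(out)


def class_bits(obj, euid, gids):
    """Pick the one rwx triple that applies: owner, else group, else others."""
    if euid == obj["uid"]:
        return (obj["mode"] >> 6) & 7
    if obj["gid"] in gids:
        return (obj["mode"] >> 3) & 7
    return obj["mode"] & 7


def allowed(obj, euid, gids, wanted):
    """May a process (effective uid, group ids) perform `wanted` (mask of R/W/X)?

    Root passes every check except one: executing a file still needs at
    least one x bit somewhere in the mode. For everybody else only the
    selected class is consulted, so an owner whose own triple lacks a right
    does not fall through to the group or others triple.
    """
    if euid == 0:
        return not (wanted & X) or bool(obj["mode"] & 0o111)
    return (class_bits(obj, euid, gids) & wanted) == wanted


def dir_ops(d, euid, gids):
    """What the directory bits let this process do with directory d."""
    bits = class_bits(d, euid, gids)
    return {
        "list": bool(bits & R),                        # read the entries
        "traverse": bool(bits & X),                    # cd / open entries by name
        "create_delete": bool(bits & W and bits & X),  # w is useless without x
    }


def exec_euid(obj, ruid):
    """Effective uid of a process started from executable obj (setuid rule)."""
    return obj["uid"] if obj["mode"] & stat.S_ISUID else ruid


def demo():
    """Constructed objects: uid 0 root, 1000 alice, 1001 bob; gid 100 staff."""
    shadow = {"uid": 0, "gid": 0, "mode": 0o600}          # -rw-------
    passwd_tool = {"uid": 0, "gid": 0, "mode": 0o4755}    # -rwsr-xr-x
    shared = {"uid": 1000, "gid": 100, "mode": 0o710}     # drwx--x---
    tool_euid = exec_euid(passwd_tool, 1001)
    return {
        "bob reads shadow directly": allowed(shadow, 1001, {1001}, R),
        "bob may run passwd tool": allowed(passwd_tool, 1001, {1001}, X),
        "euid of the running tool": tool_euid,
        "tool writes shadow for bob": allowed(shadow, tool_euid, {1001}, W),
        "staff member in alice's dir": dir_ops(shared, 1002, {100}),
        "alice in her dir": dir_ops(shared, 1000, {100}),
    }
```

demo() shows the setuid mechanism end to end: bob cannot read the root-owned file himself, but he may execute the setuid tool, the resulting process runs with euid 0, and that process passes the write check. The staff member in alice's directory can traverse it but neither list it nor create or delete entries, exactly the d rwx −−x −−− case of the slide.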


Role-based Access Control Models (RBAC)

● Define roles of subjects, e.g. as job functions within an organization
● Assigns access rights to roles instead of individual users
● Users are assigned roles according to their responsibilities

[Figure: Users → Roles (Role1, Role2, Role3) → Resources; users are linked to the roles they hold, roles to the resources they may access]


Access Matrix Representation of RBAC

● Assignment of users to roles according to their responsibilities
  ► User-role matrix: users U1 … Um as rows, roles R1 … Rn as columns, an X marks each assignment (a user may hold several roles, e.g. U3)
● Access control matrix maps Roles to Objects
  ► Rows are the roles R1 … Rn, columns are the objects (e.g. F1, F2, P1, D2, …) with rights such as r, w, x, owner, wake, search, stop
  ► Allowing for roles as objects (columns R1, R2, … with rights such as control) allows for hierarchy

[Figure: the two matrices side by side, the user-role assignment matrix on the left and the role-object access matrix on the right]


Attribute-based Access Control

● Defines authorizations expressed as conditions on properties of the subject, object, and the environment
  ► E.g. attribute of object: creator of the object
  ► Then a single access rule can specify the ownership privilege for any creator of an object
● Advantage of ABAC
  ► Flexibility and expressiveness
● Main concern with ABAC
  ► Performance impact of evaluating predicates on objects and user properties for each access
● Proposed uses include cooperating web services and cloud computing


Entities and Attributes in the ABAC Model

● Subject
  ► An active entity that causes information to flow among objects or changes system state
    § E.g., user, application, process, device
● Subject attributes
  ► Associated with a subject
  ► Define the identity and characteristics of the subject
    § E.g., subject identifier, organization, job title, …
● Object
  ► Passive system-related entity
    § in the context of a specific request
    § E.g., device, file, record, table, process, program, network, domain, …
● Object attributes
  ► Associated with an object
    § E.g., title, creator, date, author, …
● Environment attributes
  ► Operational, technical, or situational environment or context in which the access occurs
    § E.g., current date and time, current malware activities, …


Attribute Evaluation

● ABAC relies on

► Evaluation of attributes of subjects and objects

► A formal access control rule defining allowable operations for subject/object attribute combinations in a
given environment

● ABAC systems are able to enforce DAC, RBAC, and MAC concepts

● ABAC enables fine-grained access control



ABAC Logical Architecture

1. Subject requests access to object
2. Access control mechanism is governed by a set of rules defined by the access control policy
3. Based on these rules it assesses the attributes: subject attributes (e.g. name, clearance), object attributes (e.g. owner, classification), and environmental conditions
4. Grants access to object if access is authorized, denies otherwise

[Figure: Subject → (1) request → Access Control Mechanism ← (2) Rules from the Access Control Policy; (3) Decision using Subject Attributes, Object Attributes and Environmental Conditions; (4) Enforce → Object]


Example: RBAC vs ABAC (1)

● Assume a store must enforce an access rule to movies based on user age and movie rating (no environment here)

  Movie Rating   Users Allowed Access
  R              Age 17 and older
  PG-13          Age 13 and older
  G              Everyone

● In RBAC
  ► Users would be assigned one of the three roles adult, juvenile, child
  ► Three rights: can view R-rated movies, can view PG-13-rated movies, can view G-rated movies
  ► The adult role obtains all three rights, the juvenile role only the last two, the child role only the last one


Example: RBAC vs ABAC (2)

● In ABAC there is no need for roles, instead whether a user u can access a movie m given environment e is determined by a rule

  R1: can_access(u,m,e) ←
      (Age(u) ≥ 17 ⋀ Rating(m) ∈ {R, PG-13, G}) ⋁
      (Age(u) ≥ 13 ⋀ Rating(m) ∈ {PG-13, G}) ⋁
      (Age(u) < 13 ⋀ Rating(m) ∈ {G})

● No user to role assignment, no role to rights assignment necessary


Example: RBAC vs ABAC (3)

● Advantage of ABAC becomes clearer if we add more attributes
● Assume that objects have an additional release date
  ► Divides movies into new release or old release
● Users have the attribute premium user or regular user
  ► Only premium users are allowed to access new release movies
● To capture this new situation in RBAC we would have to
  ► Double the number of roles and double the number of rights (premium/regular × adult/juvenile/child, and each viewing right split by release type)
● In ABAC we just need two new rules in addition to R1 on the last slide:

  R2: can_access(u,m,e) ←
      (MembershipType(u) = Premium) ⋁
      (MembershipType(u) = Regular ⋀ MovieType(m) = OldRelease)

  R3: can_access(u,m,e) ← R1 ⋀ R2
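As an added example (not part of the lecture), the three rules R1, R2 and R3 of the movie store evaluated directly on subject and object attributes in Python, placed next to the RBAC encoding of the same policy so the doubling of roles and rights is visible and the two can be checked against each other. The User and Movie attribute classes, the RATING_MIN_AGE table and the role names premium_adult etc. are this example's own assumptions.

```python
from dataclasses import dataclass

# Rating table from the slide: minimum age per rating.
RATING_MIN_AGE = {"R": 17, "PG-13": 13, "G": 0}


@dataclass(frozen=True)
class User:          # subject attributes
    age: int
    membership: str  # "Premium" or "Regular"


@dataclass(frozen=True)
class Movie:         # object attributes
    rating: str      # "R", "PG-13", "G"
    release: str     # "NewRelease" or "OldRelease"


def r1(u, m, e=None):
    """R1: the age gate, written as the slide's three disjuncts."""
    return ((u.age >= 17 and m.rating in {"R", "PG-13", "G"})
            or (u.age >= 13 and m.rating in {"PG-13", "G"})
            or (u.age < 13 and m.rating in {"G"}))


def r2(u, m, e=None):
    """R2: only premium members may watch new releases."""
    return (u.membership == "Premium"
            or (u.membership == "Regular" and m.release == "OldRelease"))


def can_access(u, m, e=None):
    """R3 = R1 ∧ R2. `e` is the environment attribute set (unused here)."""
    return r1(u, m, e) and r2(u, m, e)


def rbac_roles():
    """The RBAC encoding: 2 × 3 roles, each holding (rating, release) rights.

    Returned as a dict so the number of roles can be inspected.
    """
    roles = {}
    for age_role, ratings in (("adult", ("R", "PG-13", "G")),
                              ("juvenile", ("PG-13", "G")),
                              ("child", ("G",))):
        roles[f"premium_{age_role}"] = {(r, rel) for r in ratings
                                       for rel in ("NewRelease", "OldRelease")}
        roles[f"regular_{age_role}"] = {(r, "OldRelease") for r in ratings}
    return roles


def rbac_role_for(u):
    """User-to-role assignment: derived from the same attributes ABAC uses."""
    age_role = "adult" if u.age >= 17 else "juvenile" if u.age >= 13 else "child"
    tier = "premium" if u.membership == "Premium" else "regular"
    return f"{tier}_{age_role}"


def rbac_can_access(u, m):
    return (m.rating, m.release) in rbac_roles()[rbac_role_for(u)]


def policies_agree(users, movies):
    """Check that the ABAC rules and the RBAC encoding decide identically."""
    return all(can_access(u, m) == rbac_can_access(u, m)
               for u in users for m in movies)
```

policies_agree() is the kind of check worth keeping around: every time an attribute is added, the RBAC side has to be regenerated (here six roles instead of three), while the ABAC side only gains a rule, and the equivalence test confirms nobody silently lost a right in the translation.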




Principle of Firewalls

[Figure: Internet (External Network) — Firewall — Internal Network]

● A network firewall
  ► Controls access between an internal network and an external network
  ► Allowing or denying (IP) packets according to a security policy
● The internal network is to be secured, the external network is not trusted


Firewall Policy

● When a packet arrives at a firewall, a security policy is applied to determine the appropriate action
  ► Accept / deny
  ► If a packet is denied it is either silently dropped or rejected, i.e. an error is sent back to the sender (e.g. an ICMP unreachable message or a TCP RST)
  ► In addition a firewall often logs information about packets arriving
● A firewall policy can be viewed as a list of rules
  ► Each rule consists of a set of tuples and an action
  ► Each tuple corresponds to a field in the packet header
    § E.g. for IP packets: the protocol type, source IP, destination IP, source port, destination port


Simple Example for a Firewall Policy

  No.  Protocol  Src IP     Src Port  Dest IP  Dest Port  Action
  1    UDP       190.1.1.*  *         *        80         deny
  2    TCP       180.*      *         180.*    90         accept
  3    UDP       210.1.*    *         *        90         accept
  4    TCP       210.*      *         220.*    80         accept
  5    UDP       190.*      *         *        80         accept
  6    *         *          *         *        *          deny

● Simple packet filter firewall policy
  ► Rules can be fully specified or contain wildcards
  ► Header information of a passing packet is compared to the fields of a rule
  ► If every header field of the packet lies within the set described by the corresponding tuple of the rule, the packet is said to match the rule


Rule Matching Policy: First Match Policy

Most firewalls use a first-match policy as rule matching policy
  ► The packet header information is matched sequentially with the rules starting from the first rule
  ► The action of the first matching rule is executed
  ► Any other rules further down in the policy that may also match the packet are ignored
  ► A default rule is often placed at the end of a policy with action deny (rule 6 in the example policy above)
    § Makes the policy comprehensive


Example

● Assume the following packet arrives at the firewall with the policy above:
  ► TCP, 210.1.1.1:3080, 220.2.33.8:80
● What will be the rule to apply?
  ► Rules 1 and 3 do not match (protocol UDP), rule 2 does not match (source 180.*)
  ► First matching rule: rule 4 (TCP, source 210.*, destination 220.*, destination port 80), action: accept
  ► Rule 5 and the default rule 6 are not consulted any more


Simple Mathematical Model of a Packet Filtering Firewall

● Each tuple in a rule can be modeled as a set of packets
  ► E.g., the tuple 198.188.150.* corresponds to the set of IP addresses ranging from 198.188.150.0 to 198.188.150.255
● The tuples of a rule collectively define a set of packets that match this rule (the Cartesian product of the tuples' sets)
  ► E.g. the rule Proto = TCP, SIP = 190.150.140.38, SP = 188, DIP = 190.180.39.*, DP = 80, action = accept defines a set of 256 unique packet headers that match this rule
● The overall set of possible packets is denoted by P
● Each firewall policy R can be described by three sets
  ► A(R) ⊆ P describes the set of packets that will be accepted
  ► D(R) ⊆ P describes the set of packets that will be denied
  ► U(R) ⊆ P describes the set of packets that do not match any rule in the policy


Simple Mathematical Model (2)

● A firewall policy R is considered comprehensive if any packet from P will match at least one rule
  ► I.e. A(R) ∪ D(R) = P or equivalently U(R) = ∅
  ► Typically ensured by adding a default rule of "deny" at the end of the policy
● This simple model also allows to compare two policies
  ► Assume two firewall policies R, S
  ► The two policies are said to be equivalent if their accept, deny and non-match sets are the same: A(R) = A(S), D(R) = D(S), U(R) = U(S)
● Note that being equivalent does not mean that the two policies have the same rules
  ► Just that given any packet the two policies will always lead to the same action


Anomalies on First-Match Policies - Shadowing

● In first-match policies more specific policy rules typically appear at the beginning of the policy and more general ones appear towards the end
● An anomaly is an unintended consequence of adding rules in a certain order
  ► Introducing anomalies into large firewalls is very easy
● Example: shadowing
  ► Occurs if an earlier rule i matches every packet that another lower rule j (j > i) matches, i.e. the set of rule j is a subset of the set of rule i

  No.  Protocol  Src IP          S-Port  Dest IP         D-Port  Action
  i    TCP       190.150.140.38  188     190.180.39.*    80      accept
  j    TCP       190.150.140.38  188     190.180.39.180  80      drop

● If both rules have the same action, this is not a problem (rule j is merely redundant), but if e.g. rule i is inserted ahead of an already existing rule j the consequence may be undesirable: the drop for host 190.180.39.180 never takes effect


Anomalies on First-Match Policies – Half-Shadowing

● Only a portion of an earlier rule i shadows a lower rule j (j > i), i.e. the sets of the two rules intersect but rule i's set does not contain rule j's set
  ► For example

  No.  Protocol  Src IP          S-Port  Dest IP         D-Port  Action
  i    TCP       190.150.140.38  188     190.180.39.*    80      accept
  j    TCP       190.150.140.38  *       190.180.39.180  80      drop

  ► The rule j is partially shadowed by the first rule i
  ► By itself rule j will drop any TCP packet arriving from 190.150.140.38 and destined to 190.180.39.180 on port 80
  ► When rule i is added before rule j, then any packet like this with source port 188 will be accepted
  ► Only the system administrator will typically know whether or not this behavior was intended


Policy Optimization

● The number of firewall rules will typically impact the firewall performance

► Every rule requires some processing time

► More rules will require more processing time on average

● Ways to enhance performance through optimizing the policy

► Policy reordering such that rules that match more packets are placed earlier in the policy
§ Must be done with care to avoid violating the integrity of a policy
§ I.e., after reordering, the policy should still accept and deny the same packets

► Removing unnecessary rules by


§ Removing redundant rules
§ Combining rules if possible



Removing Unnecessary Rules

● Removing redundant rules (rule j below is fully covered by rule i with the same action and can be dropped)

  No.  Protocol  Src IP          S-Port  Dest IP         D-Port  Action
  i    TCP       190.150.140.38  188     190.180.39.*    80      drop
  j    TCP       190.150.140.38  188     190.180.39.180  80      drop

● Combining several rules …

  No.  Protocol  Src IP          S-Port  Dest IP         D-Port  Action
  i    TCP       190.150.140.38  188     190.180.39.*    80      accept
  j    UDP       190.150.140.38  188     190.180.39.*    80      accept

● … to one

  No.  Protocol  Src IP          S-Port  Dest IP         D-Port  Action
  i    *         190.150.140.38  188     190.180.39.*    80      accept

● Caveat: the combined rule is only equivalent to the original pair if "*" in the protocol field cannot match anything other than TCP and UDP on this firewall; where other port-carrying protocols (e.g. SCTP) can occur, the wildcard enlarges A(R), so equivalence in the set model should be checked before merging
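This added example (not part of the lecture) implements the set model of the preceding slides in Python: tuples with prefix wildcards as sets, first-match evaluation of the six-rule policy against the packet of the earlier example (TCP 210.1.1.1:3080 to 220.2.33.8:80, decided by rule 4), and the subset and intersection tests that find shadowed, half-shadowed and redundant rule pairs, run on the rule pairs from the shadowing, half-shadowing and redundancy slides. The Rule and Packet layouts, the string encoding of tuples and the helper names are this example's own assumptions.

```python
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    no: int
    proto: str   # "TCP", "UDP" or "*"
    sip: str     # exact address, dotted prefix ending in "*", or "*"
    sport: str   # port as string, or "*"
    dip: str
    dport: str
    action: str  # "accept" / "deny" / "drop"

    def fields(self):
        return (self.proto, self.sip, self.sport, self.dip, self.dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    sip: str
    sport: int
    dip: str
    dport: int

    def fields(self):
        return (self.proto, self.sip, str(self.sport), self.dip, str(self.dport))


def _fixed(pattern):
    """Fixed components of a tuple: '190.1.*' -> ['190', '1'], '*' -> []."""
    return [] if pattern == ANY else [p for p in pattern.split(".") if p != ANY]


def field_matches(pattern, value):
    """Is the concrete packet value an element of the tuple's set?"""
    fixed = _fixed(pattern)
    return value.split(".")[:len(fixed)] == fixed


def field_subset(inner, outer):
    """Is the set of `inner` contained in the set of `outer`? With prefix
    wildcards that holds iff outer's fixed part is a prefix of inner's."""
    o = _fixed(outer)
    return _fixed(inner)[:len(o)] == o


def field_overlap(a, b):
    """Do the two sets intersect? For prefixes: one is a prefix of the other."""
    return field_subset(a, b) or field_subset(b, a)


def first_match(policy, pkt):
    """First-match evaluation: the rule that decides pkt, or None if pkt is in U(R)."""
    for rule in policy:
        if all(field_matches(p, v) for p, v in zip(rule.fields(), pkt.fields())):
            return rule
    return None


def anomalies(policy):
    """For every earlier rule i and later rule j report
    ('shadow', i, j)       set(j) ⊆ set(i), different action: j never fires
    ('redundant', i, j)    set(j) ⊆ set(i), same action: j can be removed
    ('half-shadow', i, j)  sets intersect, set(j) ⊄ set(i), different action"""
    found = []
    for pos, i in enumerate(policy):
        for j in policy[pos + 1:]:
            pairs = list(zip(i.fields(), j.fields()))
            if all(field_subset(fj, fi) for fi, fj in pairs):
                found.append(("redundant" if i.action == j.action else "shadow", i.no, j.no))
            elif i.action != j.action and all(field_overlap(fi, fj) for fi, fj in pairs):
                found.append(("half-shadow", i.no, j.no))
    return found


# The six-rule policy of the slides.
SLIDE_POLICY = [
    Rule(1, "UDP", "190.1.1.*", ANY, ANY, "80", "deny"),
    Rule(2, "TCP", "180.*", ANY, "180.*", "90", "accept"),
    Rule(3, "UDP", "210.1.*", ANY, ANY, "90", "accept"),
    Rule(4, "TCP", "210.*", ANY, "220.*", "80", "accept"),
    Rule(5, "UDP", "190.*", ANY, ANY, "80", "accept"),
    Rule(6, ANY, ANY, ANY, ANY, ANY, "deny"),
]
# The rule pairs of the shadowing, half-shadowing and redundancy slides.
SHADOW_POLICY = [
    Rule(1, "TCP", "190.150.140.38", "188", "190.180.39.*", "80", "accept"),
    Rule(2, "TCP", "190.150.140.38", "188", "190.180.39.180", "80", "drop"),
]
HALF_SHADOW_POLICY = [
    Rule(1, "TCP", "190.150.140.38", "188", "190.180.39.*", "80", "accept"),
    Rule(2, "TCP", "190.150.140.38", ANY, "190.180.39.180", "80", "drop"),
]
REDUNDANT_POLICY = [
    Rule(1, "TCP", "190.150.140.38", "188", "190.180.39.*", "80", "drop"),
    Rule(2, "TCP", "190.150.140.38", "188", "190.180.39.180", "80", "drop"),
]
```

anomalies(SLIDE_POLICY) also reports rule 1 as half-shadowing rule 5 (the specific deny placed before the general accept) and every accept rule as half-shadowing the catch-all rule 6; both are true under the definition, and whether they are intended is exactly the question the slides leave to the administrator. Removing a rule flagged redundant, or reordering rules for performance, is safe only if A(R), D(R) and U(R) are unchanged afterwards, which is what first_match over a representative packet set lets you verify.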


Firewall Types

● Firewalls can be categorized into three general classes
  ► Packet filters
  ► Stateful firewalls
  ► Application layer firewalls

  Layer         Examples
  Application   HTTP, FTP, SMTP, …
  Transport     TCP, UDP, …
  Network       IPv4 and IPv6
  Data Link     802.11, 802.3
  Physical


Why Stateless Filtering Is Not Enough

● In TCP connections, ports with numbers less than 1024 (well-known ports) are reserved for servers
  ► 20, 21 for FTP, 23 for telnet, 25 for SMTP, 80 for HTTP, …
● Clients use ephemeral source ports from the higher ranges (IANA: registered ports 1024 to 49151, dynamic/private ports 49152 to 65535; operating systems pick their own ephemeral range within these)
  ► They must be available for clients to receive responses
● What should a firewall do if it sees, say, an incoming packet to some client's port 5612?
  ► It must allow it: this could be a server's response in a previously established connection …
  ► … OR it could be malicious traffic
  ► Can't tell without keeping state for each connection


Stateful Packet Firewalls

● Stateful firewalls perform the same operations as packet filters
● But they enable connection tracking
  ► E.g., if no stateful packet filter is used, allowing internal users to connect to any external webserver will require two rules
    § One for outgoing traffic to any webserver
    § One for incoming traffic to any user regardless of whether a user requested traffic from that webserver
  ► A stateful firewall can support a more restrictive policy that allows incoming traffic from webservers only in response to requests by users
  ► Dynamically add a rule to the policy that allows return packets when a connection is started
  ► Delete this rule when the connection is closed
    § Typically based on timers as it is hard for the firewall to reliably determine whether a connection is closed (for TCP the FIN/RST exchange can be tracked; for UDP and ICMP there is nothing but a timer)


Firewall Placement: Using a Demilitarized Zone (DMZ)

[Figure: Internet — Border Router — External Firewall — DMZ (DNS, Email, Web servers) — Internal Firewall — Internal protected network (Workstations, Application and Database Servers)]

● Internal firewall adds more strict filtering capabilities compared to external firewall
● Internal firewall provides two-way protection to DMZ
  ► Filter attacks from DMZ towards internal network and vice versa
● Multiple internal firewalls can be used to protect portions of internal network from each other


Application Layer Firewalls

● Can filter traffic at the network, transport, and application layer

● Typically come with proxy capabilities

► Application proxies are intermediaries for network connections

► If a user on the internal network wants to connect to an application server on the external network
§ The proxy (here the firewall) would terminate the connection
§ The proxy would then create a connection to the external server

● The firewall can thus inspect the content of the packets

► Like an intrusion detection system

● Application layer firewalls and other security devices are being merged into one device

► E.g. intrusion prevention systems combine firewalls with intrusion detection


§ Can often filter packets as well as inspect packet contents for viruses, spam, attack signatures





Intrusion Detection

● Definitions from IETF RFC 4949 ”Internet Security Glossary”

Security Intrusion: A security event, or a combination of multiple


security events that constitutes a security incident in which an
intruder gains, or attempts to gain, access to a system (or system
resource) without having authorization to do so

Intrusion Detection: A security service that monitors and analyzes


system events for the purpose of finding, and providing real-time or
near real-time warning of attempts to access system resources in
an unauthorized manner



Logical Components of an Intrusion Detection System

● Sensors
  ► Collect data from a monitored part of the system
    § Input to a sensor can, e.g., include network packets, log files, or system call traces recorded on a particular system
● Analyzers
  ► Receive and store data collected by one or more sensors
  ► Try to determine if an intrusion has occurred
  ► Output may include
    § Evidence supporting the detection
    § Guidance about appropriate actions to take
● User Interface
  ► Enables user to view output from analyzer or control behavior of the IDS's components


Basic Principles (1)

● Basic assumption underlying intrusion detection systems
  ► Behavior of intruders differs from that of legitimate users in a quantifiable way


Basic Principles (2)

● Typical behavior of an intruder differs from typical behavior of an authorized user, but there is an overlap in these behaviors
● So, any intrusion detection approach will make mistakes
  ► If it tries to catch all intruders, it will typically sometimes raise false alarms, i.e., cause false positives
  ► If it tries to limit false alarms it will typically miss some attacks, i.e., cause false negatives

  TP = True Positives = attacks raising an alarm
  FN = False Negatives = attacks not raising an alarm
  FP = False Positives = benign behavior raising an alarm
  TN = True Negatives = benign behavior not raising an alarm

● Ideally one would want an IDS to
  ► Maximize the detection rate, i.e., the ratio of detected to total attacks
    § = Recall = TP / (TP + FN)
  ► Minimize the false alarm rate, i.e., the ratio of false positives to all negatives
    § = False Positive Rate = FP / (FP + TN)
Problem: Base Rate Fallacy

● It is very difficult to meet this goal of high detection rate and low false alarm rate
● In general
  ► if the actual number of intrusions is low compared to the number of legitimate uses of a system
  ► then if an alarm is raised the probability that indeed an attack takes place is very low unless the detection is extremely discriminative (i.e. the false alarm rate is far below the base rate of attacks)
● This phenomenon is called the base rate fallacy


Reminder: Conditional Probability and Bayes Theorem

● Suppose two events A and B occur with probability Pr(A) and Pr(B), respectively
● Let Pr(A ∩ B) be the probability that both A and B occur
● What is the conditional probability that A occurs given that B has occurred?

  Pr(A | B) = Pr(A ∩ B) / Pr(B)

● Applying this twice (Pr(A ∩ B) = Pr(A | B) · Pr(B) = Pr(B | A) · Pr(A)) we get Bayes Theorem

  Pr(B | A) = Pr(A | B) · Pr(B) / Pr(A)


Law of Total Probability

● Suppose mutually exclusive events E1, …, En together cover the entire set of possibilities
● Then the probability of any event A occurring is

  Pr(A) = Σ_i Pr(A | E_i) · Pr(E_i)

● Intuition: since E1, …, En cover the entire probability space, whenever A occurs, some event Ei must have occurred


Example for Base-Rate Fallacy

● Assume
  ► 1% of traffic is SYN floods, 99% of traffic is valid connections
  ► IDS's detection rate is 90%, i.e. IDS classifies 90% of SYN floods as attack
  ► IDS's false alarm rate is 1%, i.e. IDS classifies 1% of valid connections as attack
● What is the probability that a connection flagged by the IDS as a SYN flood really is a valid connection?

  Pr(valid | alarm) = Pr(alarm | valid) · Pr(valid) / Pr(alarm)
                    = Pr(alarm | valid) · Pr(valid) / (Pr(alarm | valid) · Pr(valid) + Pr(alarm | SYN flood) · Pr(SYN flood))
                    = 0.01 · 0.99 / (0.01 · 0.99 + 0.90 · 0.01)
                    = 0.0099 / 0.0189 ≈ 52%

  I.e. given an alarm is raised, there is a ≈ 52% chance that the traffic is valid, although the detector is right on 90% of the attacks and 99% of the valid connections
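The computation above, as an added example (not from the lecture) carried through in Python with the slide's quantities and generalised over the base rate, so the collapse of alarm precision as intrusions become rarer can be tabulated, and the false alarm rate a detector would need for a given precision can be read off. The function names and the base-rate grid in sweep() are this example's own.

```python
def p_valid_given_alarm(base_rate, detection_rate, false_alarm_rate):
    """Pr(valid | alarm) via Bayes and the law of total probability.

    base_rate        = Pr(SYN flood)          share of traffic that is attack
    detection_rate   = Pr(alarm | SYN flood)  = TP / (TP + FN)
    false_alarm_rate = Pr(alarm | valid)      = FP / (FP + TN)
    """
    p_valid = 1.0 - base_rate
    p_alarm = false_alarm_rate * p_valid + detection_rate * base_rate
    return false_alarm_rate * p_valid / p_alarm


def precision(base_rate, detection_rate, false_alarm_rate):
    """Pr(attack | alarm): the share of alarms an analyst should trust."""
    return 1.0 - p_valid_given_alarm(base_rate, detection_rate, false_alarm_rate)


def max_false_alarm_rate(base_rate, detection_rate, target_precision):
    """Largest Pr(alarm | valid) that still achieves target_precision.

    From  d*b / (d*b + f*(1-b)) >= t  solve for f.
    """
    return (detection_rate * base_rate * (1.0 - target_precision)
            / (target_precision * (1.0 - base_rate)))


def sweep(detection_rate=0.9, false_alarm_rate=0.01,
          base_rates=(0.5, 0.1, 0.01, 0.001, 0.0001)):
    """Precision of one fixed detector as intrusions get rarer."""
    return {b: round(precision(b, detection_rate, false_alarm_rate), 4)
            for b in base_rates}
```

sweep() makes the fallacy concrete: the same 90%/1% detector yields a precision of about 0.99 when half of the traffic is attacks, 0.48 at the slide's 1% base rate, and under 0.01 at a base rate of 1 in 10,000. max_false_alarm_rate(0.01, 0.9, 0.9) shows that for 90% of alarms to be real at a 1% base rate the false alarm rate must drop to roughly 0.1%, an order of magnitude below the base rate.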


General IDS Approaches

● Anomaly Detection
  ► Collect data corresponding to behavior of legitimate users over a period of time
  ► Build a model of normal behavior from it
  ► Try to determine whether current behavior is that of a legitimate user or of an intruder by comparing it to the model
● Signature or Heuristic detection
  ► Use a set of known malicious data patterns (signatures) or attack rules (heuristics) and compare them to currently observed data
  ► Also known as misuse detection
  ► Can only identify known attacks


In Other Words,…

● Anomaly detection assumes that

► What is usual, is known

► What is unusual, is bad

► Problem
§ Does not necessarily detect undesirable yet usual behavior

§ False alarm rates can be high


§ Very hard to obtain (attack free) usual behavior

● Misuse detection assumes that

► What is bad, is known

► What is not bad, is good

► Problem
§ Cannot detect new attacks, i.e. false negatives typically very high
Anomaly Detection
● Training: develop a model of legitimate behavior
► Collect and process sensor data from normal operation of monitored system
► May occur at distinct times or may be a continuous of monitoring and evolving the model

● Detection: Compare observed sensor data to the trained model


► Classify as normal or anomalous activity

● Detection approaches
► Statistical: analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics

► Knowledge-based: an expert system classifies observed behavior according to a set of rules that model
legitimate behavior

► Machine-learning: a suitable model is determined automatically from features extracted from the sensor data using
machine-learning techniques
§ E.g. Bayesian networks, Markov models, neural networks, fuzzy logic, clustering, but also classifiers such as SVMs, random forests, deep
neural networks,…
§ Often make use of attack data as well, i.e. train the model with benign AND malicious data



Misuse Detection

● Signature approaches

► Match large collection of known attack patterns against data monitored on a system or in transit over the
network

► Signatures need to be specific enough to minimize false alarm rate but still detect malicious data

► Typically, low cost with respect to time and resources

► But: significant effort necessary to review new attacks and generate signatures

● Rule-based heuristic identification

► Rules that identify suspicious behavior

► Typically, specific to the machine and operating system monitored

► Often derived from analyzing attack tools and scripts collected on the Internet

► SNORT is a rule-based network intrusion detection system



Misuse Detection

● Set of patterns defining a behavioral signature likely to be associated with an attack of a certain type

► Example: buffer overflow


§ A setuid program spawns a shell with certain arguments

§ A network packet has lots of NOPs in it


§ Very long argument to a string function

► Example: SYN flooding (denial of service)


§ Large number of SYN packets without ACKs coming back
§ …or is this simply a poor network connection?

● Attack signatures are usually very specific and may miss variants of known attacks

► Why not make signatures more general?



Extracting Misuse Signatures

● Use invariant characteristics of known attacks

► Bodies of known viruses and worms, port numbers of applications with known buffer overflows, RET
addresses of overflow exploits

► Hard to handle mutations


§ Polymorphic viruses: each copy has a different body

● Big research challenge: fast, automatic extraction of signatures of new attacks

● Honeypots are useful for signature extraction

► Try to attract malicious activity, be an early target



Host-based Intrusion Detection Systems (HIDS)

● Examines user and software activity on a specific host

● Aims to detect both attacks from the outside as well as internal attacks

● Can use anomaly or misuse-based detection approach

● But: provide only a local view on an attack

● Are only able to detect attacks once they have already reached the target system



Data Sources for HIDS

● System call traces: Record sequences of system calls made by processes on the system
► Works well on Linux and Unix systems
► Difficult on Windows systems as use of DLLs hides which process uses which system calls (use of DLL
function calls proposed as alternative)

● Audit (log file) records: Operating systems include software that collects information on user activity
► Problem: audit records may not include relevant information; intruder may manipulate the records

● File integrity checksums: Detect intruder activity on a system by periodically scanning critical
files for changes
► Use a message authentication code to compute the checksums and compare them to a known baseline

► Tripwire is a well-known system using this approach

● Registry access: monitor access to the registry on Windows machines
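The file integrity checksum approach above, as an added example (not code from the lecture or from Tripwire): an HMAC-SHA256 baseline over a set of files and a check that reports files whose tag no longer matches. The key, paths and the tampering scenario are constructed for this example.

```python
# Added example (not from the lecture slides): Tripwire-style integrity baseline with an HMAC.
# Key, paths and the demo scenario are constructed; function names are this example's own.
import hashlib
import hmac
import os
import tempfile


def file_tag(path, key):
    """HMAC-SHA256 over the file content. Unlike a plain hash, an intruder who can
    rewrite the file cannot also forge a matching baseline entry without the key."""
    with open(path, "rb") as f:
        return hmac.new(key, f.read(), hashlib.sha256).hexdigest()


def build_baseline(paths, key):
    """Map each critical file to its tag. In practice the baseline and key are kept
    off-host or on read-only media so an intruder cannot update them along with the files."""
    return {path: file_tag(path, key) for path in paths}


def check_baseline(baseline, key):
    """Return the files whose current tag differs from the baseline or which are missing."""
    changed = []
    for path, expected in baseline.items():
        if not os.path.exists(path) or not hmac.compare_digest(file_tag(path, key), expected):
            changed.append(path)
    return sorted(changed)


def demo():
    """Constructed scenario: baseline two 'critical' files, then tamper with one.
    Returns the base names of the files reported as changed."""
    key = b"constructed-demo-key-keep-off-host"
    d = tempfile.mkdtemp()
    passwd, sshd = os.path.join(d, "passwd"), os.path.join(d, "sshd_config")
    with open(passwd, "w") as f:
        f.write("root:x:0:0::/root:/bin/sh\n")
    with open(sshd, "w") as f:
        f.write("PermitRootLogin no\n")
    baseline = build_baseline([passwd, sshd], key)
    with open(passwd, "a") as f:          # intruder adds an account
        f.write("eve:x:0:0::/root:/bin/sh\n")
    return [os.path.basename(p) for p in check_baseline(baseline, key)]


if __name__ == "__main__":
    print(demo())  # ['passwd']
```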



Network-Based Intrusion Detection System (NIDS)

● Monitors traffic at selected points on a network

► Examines traffic for many hosts with a variety of devices and software

► Examines traffic packet by packet in real-time or close to real-time

► May examine network-, transport- and/or application-level protocol activity

► Typically included in perimeter security infrastructure, e.g. firewall

● Challenge

► Arranging the monitoring to minimize the number of agents but cover the complete network

● The agent must have the same view of the traffic as the destination

► TTL tricks and fragmentation may obscure this

► End-to-end encryption defeats content monitoring


§ Not traffic analysis, though



Types of NIDS Sensors

● Inline sensor

► Inserted into a network segment such that monitored traffic must pass the sensor

► E.g., incorporate directly in firewall or as standalone component

● Passive sensor

► Monitors copy of network traffic, actual traffic does not pass through it



Logging of Alerts

● When a sensor detects potential violations it

► Sends an alert

► Logs information related to the event

● Typical information logged by a NIDS sensor includes

► Timestamp

► Connection or session ID

► Event or alert type and rating (e.g., severity, impact, confidence,…)

► Network, transport, and application layer protocol

► Source and destination IPs and ports, number of bytes transmitted over the connection

► Decoded payload data

► State-related information (e.g., authenticated username)



Summary

● In this chapter we looked at basic non-cryptographic security mechanisms

● Access Control

► Access Controls implement an access policy

► An access policy determines which subjects have which rights over which objects
§ As opposed to authentication which determines who is who

► Access Controls can be implemented on all layers of a system


§ Hardware, operating system, middleware, application

► In discretionary access control


§ Each object has an owner, access to object is at the owner’s discretion

► In mandatory access control


§ a global policy determines access to all objects

► In role-based access control roles are used as subjects and users are assigned one or more roles
Summary

► In attribute-based access control


§ Access is granted based on attributes of subjects, objects and the environment they act in

● Network Firewalls

► Control network traffic flow to and from one network or network segment to another

► In packet filters IP packets are accepted or blocked dependent on


§ Header Information in TCP/IP headers

► In stateful firewalls additional state is kept on previously inspected packets and acceptance / denial depends
on this state

► In application layer firewalls

§ Application layer content is inspected



Summary

● Intrusion Detection Systems

► Consist of sensors that collect information and analyzers that receive information from sensors

► Network-based intrusion detection systems


§ focus on sensors that collect information on network traffic

► Host-based intrusion detection systems


§ focus on sensors that collect information on individual hosts

► Intrusion detection systems try to detect attacks and provide evidence


§ Underlying assumption: attack will be visible in the collected information

► The goal of an IDS is to


§ Maximize the detection rate, i.e., the ratio of detected to total attacks, and to
§ Minimize the false alarm rate, i.e., the ratio of false positives to all negatives



Summary

► Main approaches for IDS


§ Anomaly-based approach
– Model normal behavior, classify abnormal behavior as attack
§ Misuse-based approach
– Model attack behavior and try to detect it
§ Model both normal and attack behavior and try to distinguish them

► Snort is an example of a


§ host-based intrusion detection system

§ that collects information on network traffic of a host


§ it uses a misuse-based approach



References

● W. Stallings, Cryptography and Network Security: Principles and Practice, 8th edition, Pearson 2022

► Chapter 21: Network Endpoint Security


§ Firewalls, Intrusion Detection Systems

● Wenliang Du, Computer Security a Hands-on Approach, 3rd edition, 2022

► Chapter 1: Linux Security Principle


§ Access Control
