Module 4

Module 4 covers intruders and intrusion detection, detailing types of intruders, their behaviors, and techniques for intrusion detection and prevention. It also discusses malicious software, particularly viruses, their structures, propagation phases, and countermeasures against them. The document emphasizes the importance of effective intrusion detection systems and antivirus technologies in maintaining security.

Uploaded by

Sri Vani

Module 4

Intruders, Intrusion Detection

Malicious Software: Viruses and Related Threats, Virus Countermeasures
Intruders
• One of the two most publicized threats to security is the intruder (the other is
viruses), often referred to as a hacker or cracker.
• Three classes of intruders:
• Masquerader: An individual who is not authorized to use the computer and
who penetrates a system’s access controls to exploit a legitimate user’s account
• Misfeasor: A legitimate user who accesses data, programs, or resources for
which such access is not authorized, or who is authorized for such access but
misuses his or her privileges
• Clandestine user: An individual who seizes supervisory control of the system
and uses this control to evade auditing and access controls or to suppress audit
collection
Examples of intrusion
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information,
without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated
software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail
password, and learning the new password
• Using an unattended, logged-in workstation without permission
Intruder Behavior Patterns
• Some Examples of Intruder Patterns of Behavior
• Hacker
• Select the target using IP lookup tools such as NSLookup, Dig, and others.
• Map network for accessible services using tools such as NMAP.
• Identify potentially vulnerable services (in this case, pcAnywhere).
• Brute force (guess) pcAnywhere password.
• Install remote administration tool called DameWare.
• Wait for administrator to log on and capture his password.
• Use that password to access remainder of network.
• Criminal Enterprise
• Act quickly and precisely to make their activities harder to detect.
• Exploit perimeter through vulnerable ports.
• Use Trojan horses (hidden software) to leave back doors for reentry.
• Use sniffers to capture passwords.
• Do not stick around until noticed.
• Make few or no mistakes.

• Internal Threat
• Create network accounts for themselves and their friends.
• Access accounts and applications they wouldn’t normally use for their daily jobs.
• E-mail former and prospective employers.
• Conduct furtive instant-messaging chats.
• Visit Web sites that cater to disgruntled employees, such as f’dcompany.com.
• Perform large downloads and file copying.
• Access the network during off hours.
Intrusion Techniques
• The objective of the intruder is to gain access to a system or to
increase the range of privileges accessible on a system.
• The password file can be protected in one of two ways:
• One-way function: The system stores only the value of a function
based on the user’s password. The function is not reversible, so the
stored value cannot be turned back into the password.
• Access control: Access to the password file is limited to one or a very
few accounts.
Techniques for learning passwords:
• Try default passwords used with standard accounts that are shipped
with the system.
• Exhaustively try all short passwords.
• Try words in the system’s online dictionary or a list of likely passwords.
• Collect information about users.
• Try users’ phone numbers, Social Security numbers, and room numbers.
• Try all legitimate license plate numbers for this state.
• Use a Trojan horse to bypass restrictions on access.
• Tap the line between a remote user and the host system.
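As an added example (not part of the module text), the one-way function protection of the password file described above, using PBKDF2 from Python’s standard library; the record layout, the per-user salt and the `ITERATIONS` value are assumptions made for the example:

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # work factor (assumed value): makes exhaustive guessing slow

def make_record(password: str, salt: bytes = b"") -> dict:
    """Build the password-file entry: a per-user salt and the value of the
    one-way function. The password itself is never stored."""
    salt = salt or os.urandom(16)   # fresh random salt unless one is supplied
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt by recomputing the function with the stored
    salt; the stored value is only compared, never reversed."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])

def same_password_distinct_entries(password: str) -> bool:
    """Two users with the same password get different stored values, so a
    precomputed table of function values cannot be matched against the file."""
    return make_record(password)["hash"] != make_record(password)["hash"]
```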
INTRUSION DETECTION
• Intrusion detection is motivated by a number of considerations:
• If an intrusion is detected quickly enough, the intruder can be
identified and ejected from the system before any damage is done.
• An effective intrusion detection system can serve as a deterrent,
thereby acting to prevent intrusions.
• Intrusion detection enables the collection of information about
intrusion techniques, which is used to strengthen the intrusion prevention
facility.
Approaches to intrusion detection:
• Statistical anomaly detection: Involves the collection of data relating to the
behavior of legitimate users over a period of time. Then statistical tests are
applied to observed behavior.
• Threshold detection: Defining thresholds, independent of user, for the frequency
of occurrence of various events.
• Profile based: A profile of the activity of each user is developed and used to
detect changes in the behavior of individual accounts.
• Rule-based detection: Involves an attempt to define a set of rules that can be
used to decide that a given behavior is that of an intruder.
• Anomaly detection: Rules are developed to detect deviation from previous usage
patterns.
• Penetration identification: An expert system approach that searches for
suspicious behavior.
Audit Records
• A fundamental tool for intrusion detection is the audit record.
• A record of ongoing activity by users must be maintained as input to an intrusion detection
system.
• Basically, two plans are used:
• Native audit records: Virtually all multiuser operating systems include accounting software
that collects information on user activity. The advantage of using this information is that no
additional collection software is needed. The disadvantage is that the native audit records
may not contain the needed information or may not contain it in a convenient form.
• Detection-specific audit records: Audit records are generated that contain only the information
required by the intrusion detection system. One advantage of such an approach is that it
could be made vendor independent and ported to a variety of systems. The disadvantage is
the extra overhead involved in having, in effect, two accounting packages running on a
machine.
Each audit record contains the following fields
• Subject: A subject is typically a terminal user but might also be a process acting
on behalf of users or groups of users. All activity arises through commands
issued by subjects. Subjects may be grouped into different access classes.
• Action: Operation performed by the subject on or with an object; for example,
login, read, perform I/O, execute.
• Object: Examples include files, programs, messages, records, terminals, printers,
and user- or program-created structures. When a subject is the recipient of an
action, such as electronic mail, then that subject is considered an object.
For example, database actions may be audited for the database as a whole or at the
record level.
• Exception-Condition: Denotes which, if any, exception condition is raised on
return.
• Resource-Usage: Amount used of some resource (e.g., number of lines printed
or displayed, number of records read or written, processor time, I/O units used,
session elapsed time).
Examples of metrics that are useful for profile-based intrusion detection
• Counter: A nonnegative integer that may be incremented but not
decremented until it is reset by management action. Typically, a count of
certain event types is kept over a particular period of time.
Examples include the number of logins by a single user during an hour,
the number of times a given command is executed during a single user
session, and the number of password failures during a minute.
• Gauge: A nonnegative integer that may be incremented or decremented.
Typically, a gauge is used to measure the current value of some entity.
Examples include the number of logical connections assigned to a user
application and the number of outgoing messages queued for a user
process.
• Interval timer: The length of time between two related events.
An example is the length of time between successive logins to an
account.
• Resource utilization: Quantity of resources consumed during a
specified period.
Examples include the number of pages printed during a user session
and total time consumed by a program execution.
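As an added example (not from the module text), the five audit record fields above held in a detection-specific record, with the counter and interval-timer metrics used for threshold detection and for profile-based detection; the audit stream, the field names and the limit of three password failures per minute are constructed for the example:

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class AuditRecord:
    """Detection-specific record: the five fields listed above, plus a time."""
    subject: str         # user, or a process acting on a user's behalf
    action: str          # login, read, execute, ...
    obj: str             # file, terminal, account, ...
    exception: str       # "" when no exception condition was raised
    resource_usage: int  # e.g. records read or seconds of processor time
    timestamp: int       # seconds since the audit period began (constructed)

# Constructed audit stream: alice logs in hourly; bob fails five logins in 40 s.
RECORDS = [
    AuditRecord("alice", "login", "tty1", "", 0, 0),
    AuditRecord("alice", "read", "payroll.db", "", 12, 30),
    AuditRecord("alice", "login", "tty1", "", 0, 3600),
    AuditRecord("alice", "login", "tty1", "", 0, 7200),
] + [AuditRecord("bob", "login", "tty2", "bad-password", 0, 100 + 10 * i)
     for i in range(5)]

def password_failures_per_minute(records):
    """Counter metric: the worst 60-second count of failed logins per subject."""
    fails = defaultdict(list)
    for r in records:
        if r.action == "login" and r.exception == "bad-password":
            fails[r.subject].append(r.timestamp)
    # For each subject, the largest number of failures in any window [t, t + 60]
    return {subj: max(sum(1 for u in ts if t <= u <= t + 60) for t in ts)
            for subj, ts in fails.items()}

def threshold_alerts(records, limit=3):
    """Threshold detection: one user-independent limit applied to the counter."""
    counts = password_failures_per_minute(records)
    return sorted(s for s, n in counts.items() if n > limit)

def login_intervals(records, subject):
    """Interval-timer metric: seconds between successive successful logins."""
    ts = sorted(r.timestamp for r in records
                if r.subject == subject and r.action == "login" and not r.exception)
    return [b - a for a, b in zip(ts, ts[1:])]

def profile_alert(history, observed, k=3.0):
    """Profile-based detection: flag a value far from this user's own history
    (more than k standard deviations from the mean of past observations)."""
    mu, sigma = mean(history), pstdev(history)
    return abs(observed - mu) > k * sigma
```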
Distributed Intrusion Detection
Agent Architecture
Main components
• Host agent module: An audit collection module operating as a
background process on a monitored system. Its purpose is to collect
data on security related events on the host and transmit these to the
central manager.
• LAN monitor agent module: Operates in the same fashion as a host
agent module except that it analyzes LAN traffic and reports the
results to the central manager.
• Central manager module: Receives reports from LAN monitor and
host agents and processes and correlates these reports to detect
intrusion.
• When suspicious activity is detected, an alert is sent to the central
manager.
• The central manager includes an expert system that can draw
inferences from received data.
• The manager may also query individual systems for copies of HARs (host audit
records) to correlate with those from other agents.
• The LAN monitor agent also supplies information to the central
manager.
• The LAN monitor agent audits host-host connections, services used,
and volume of traffic.
• It searches for significant events, such as sudden changes in network
load, the use of security-related services, and network activities such
as rlogin.
Malicious software
• Malicious software can be divided into two categories: those that need a host
program, and those that are independent.
• Terminology of malicious programs: Virus, Worm, Logic bomb, Trojan horse,
Backdoor (trapdoor), Mobile code, Exploits, Downloaders, Auto-rooter, Kit (virus
generator), Spammer programs, Flooders, Keyloggers, Rootkit, Zombie, bot,
Spyware, Adware
Viruses
• A computer virus is a piece of software that can “infect” other
programs by modifying them.
• The modification includes injecting the original program with a
routine to make copies of the virus program, which can then go on to
infect other programs.

A computer virus has three parts:
• Infection mechanism: The means by which a virus spreads, enabling it
to replicate. The mechanism is also referred to as the infection vector.
• Trigger: The event or condition that determines when the payload is
activated or delivered.
• Payload: What the virus does, besides spreading. The payload may
involve damage.
Viruses
During its lifetime, a typical virus goes through the following four phases:

• Dormant phase: The virus is idle. The virus will eventually be activated by some event, such
as a date, the presence of another program or file, or the capacity of the disk exceeding some
limit. Not all viruses have this stage.

• Propagation phase: The virus places a copy of itself into other programs or into certain
system areas on the disk. The copy may not be identical to the propagating version; viruses
often morph to evade detection. Each infected program will now contain a clone of the virus,
which will itself enter a propagation phase.

• Triggering phase: The virus is activated to perform the function for which it was intended. As
with the dormant phase, the triggering phase can be caused by a variety of system events,
including a count of the number of times that this copy of the virus has made copies of itself.

• Execution phase: The function is performed. The function may be harmless, such as a
message on the screen, or damaging, such as the destruction of programs and data files.
VIRUS STRUCTURE
A Simple Virus Logic for a Compression Virus

Figure: A compression virus.
• We assume that program P1 is infected with the virus CV.
• When this program is invoked, control passes to its virus, which
performs the following steps:
1. For each uninfected file P2 that is found, the virus first compresses
that file to produce P2’, which is shorter than the original program
by the size of the virus.
2. A copy of the virus is prepended to the compressed program.
3. The compressed version of the original infected program, P1’, is
uncompressed.
4. The uncompressed original program is executed.
A virus classification by target includes the
following categories:
• Boot sector infector: Infects a master boot record or boot record and spreads
when a system is booted from the disk containing the virus.
• File infector: Infects files that the operating system or shell consider to be
executable.
• Macro virus: Infects files with macro code that is interpreted by an application.

• A virus classification by concealment strategy includes the following
categories:
• Encrypted virus: A typical approach is as follows. A portion of the virus creates a
random encryption key and encrypts the remainder of the virus. The key is
stored with the virus. When an infected program is invoked, the virus uses the
stored random key to decrypt the virus. When the virus replicates, a different
random key is selected. Because the bulk of the virus is encrypted with a
different key for each instance, there is no constant bit pattern to observe.
• Stealth virus: A form of virus explicitly designed to hide itself from
detection by antivirus software. Thus, the entire virus, not just a
payload is hidden.
• Polymorphic virus: A virus that mutates with every infection, making
detection by the “signature” of the virus impossible.
• Metamorphic virus: As with a polymorphic virus, a metamorphic virus
mutates with every infection. The difference is that a metamorphic
virus rewrites itself completely at each iteration, increasing the
difficulty of detection. Metamorphic viruses may change their
behavior as well as their appearance.
Virus Countermeasures
Antivirus Approaches
• The ideal solution to the threat of viruses is prevention:
• Do not allow a virus to get into the system in the first place, or block
the ability of a virus to modify any files containing executable code or
macros.
• This goal is, in general, impossible to achieve, although prevention
can reduce the number of successful viral attacks.
• The next best approach is to be able to do the following:
• Detection: Once the infection has occurred, determine that it has occurred
and locate the virus.

• Identification: Once detection has been achieved, identify the specific virus
that has infected a program.

• Removal: Once the specific virus has been identified, remove all traces of the
virus from the infected program and restore it to its original state. Remove
the virus from all infected systems so that the virus cannot spread further.
Four generations of antivirus software
• First generation: simple scanners
• Second generation: heuristic scanners
• Third generation: activity traps
• Fourth generation: full-featured protection
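As an added example (not from the module text), the detection and identification steps described above, in the style of the first two scanner generations: a checksum baseline catches any program changed since it was known clean (detection), and a signature match then names the specific virus (identification). The programs, signatures and virus names are constructed byte strings, not real malware:

```python
import hashlib

# Constructed signature database (name -> byte pattern); not real virus signatures.
SIGNATURES = {"Demo.A": b"DEMO-A-INFECTOR", "Demo.B": b"\x90\x90DEMO-B"}

# Constructed "programs": short byte strings standing in for executable files.
CLEAN = {"editor": b"ELF-editor-code", "shell": b"ELF-shell-code",
         "game": b"ELF-game-code"}

# Constructed infected set: editor gets a known virus prepended, shell is
# modified by something with no known signature, game is untouched.
INFECTED = dict(CLEAN)
INFECTED["editor"] = SIGNATURES["Demo.A"] + CLEAN["editor"]
INFECTED["shell"] = b"UNKNOWN-PATCH" + CLEAN["shell"]

def baseline(files):
    """Second-generation integrity check: checksum each program while it is clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def detect_modified(files, checksums):
    """Detection: programs whose checksum differs from the baseline (or are new)."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != checksums.get(name))

def identify(data):
    """Identification: first-generation signature scan; returns the virus name,
    or None when the modification matches nothing in the signature database."""
    for name, signature in SIGNATURES.items():
        if signature in data:
            return name
    return None

def scan(files, checksums):
    """Integrity detection first, then signature identification of each hit."""
    return {name: identify(files[name]) for name in detect_modified(files, checksums)}
```

A program that is detected but not identified (here `shell`) is exactly the case the later generations address, since a signature scanner alone would have missed it.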
Advanced Antivirus Techniques
• Generic decryption (GD) technology contains the following elements:

• CPU emulator: A software-based virtual computer. Instructions in an
executable file are interpreted by the emulator rather than executed
on the underlying processor. The emulator includes software versions
of all registers and other processor hardware, so that the underlying
processor is unaffected by programs interpreted on the emulator.

• Virus signature scanner: A module that scans the target code looking
for known virus signatures.

• Emulation control module: Controls the execution of the target code.

DIGITAL IMMUNE SYSTEM
• Two major trends in Internet technology have had an increasing
impact on the rate of virus propagation in recent years:
• Integrated mail systems: Systems such as Lotus Notes and Microsoft
Outlook make it very simple to send anything to anyone and to work
with objects that are received.
• Mobile-program systems: Capabilities such as Java and ActiveX allow
programs to move on their own from one system to another.
Digital Immune System
BEHAVIOR-BLOCKING SOFTWARE
