BY Prof. R. G. HIREGOUDAR, Dept of CSE, TKIET Warananagar

CHAPTER 4: SYSTEM SECURITY

Q1. What are the different classes of intruders? Explain with examples.
Ans: Three classes of intruders:
Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider; the misfeasor generally is an insider; the clandestine user can be either an outsider or an insider.
Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there. At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system.
Examples of intruder activity:
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords

Q2. Explain the different approaches used for intrusion detection.
Ans: There are two approaches for intrusion detection:
1. Statistical anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
a. Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events. Threshold detection involves counting the number of occurrences of a specific event type over an interval of time. If the count surpasses what is considered a reasonable number that one might expect to occur, then intrusion is assumed.
b. Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts.
Examples of metrics that are useful for profile-based intrusion detection are the following:
Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time. Examples include the number of logins by a single user during an hour.
Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity. Examples include the number of logical connections assigned to a user application and the number of outgoing messages queued for a user process.
Interval timer: The length of time between two related events. An example is the length of time between successive logins to an account.
Resource utilization: Quantity of resources consumed during a specified period. Examples include the number of pages printed during a user session and the total time consumed by a program execution.
2. Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
a. Anomaly detection: Rules are developed to detect deviation from previous usage patterns. With the rule-based approach, historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns. Rules may represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on. Current behavior is then observed, and each transaction is matched against the set of rules to determine if it conforms to any historically observed pattern of behavior.
b. Penetration identification: An expert system approach that searches for suspicious behavior.

Q3. What are audit records? Which fields are present in detection-specific audit records?
Ans: A fundamental tool for intrusion detection is the audit record. Two plans of audit records are:
Native audit records: Virtually all multiuser operating systems include accounting software that collects information on user activity. The advantage of using this information is that no additional collection software is needed. The disadvantage is that the native audit records may not contain the needed information or may not contain it in a convenient form.
Detection-specific audit records: A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system. One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems. The disadvantage is the extra overhead involved in having, in effect, two accounting packages running on a machine.
Detection-specific audit record fields are:
Subject: Initiators of actions. A subject is typically a terminal user but might also be a process acting on behalf of users or groups of users. All activity arises through commands issued by subjects. Subjects may be grouped into different access classes, and these classes may overlap.
Action: Operation performed by the subject on or with an object; for example, login, read, perform I/O, execute.
Object: Receptors of actions. Examples include files, programs, messages, records, terminals, printers, and user- or program-created structures. When a subject is the recipient of an action, such as electronic mail, then that subject is considered an object. Objects may be grouped by type. Object granularity may vary by object type and by environment. For example, database actions may be audited for the database as a whole or at the record level.
Exception-Condition: Denotes which, if any, exception condition is raised on return.
Resource-Usage: A list of quantitative elements in which each element gives the amount used of some resource (e.g., number of lines printed or displayed, number of records read or written, processor time, I/O units used, session elapsed time).
Time-Stamp: Unique time-and-date stamp identifying when the action took place.

Q4. Describe the architecture for a distributed intrusion detection system.
Ans: The architecture for a distributed intrusion detection system is one developed at the University of California at Davis, which consists of three main components:
Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security-related events on the host and transmit these to the central manager.
LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.
Central manager module: Receives reports from the LAN monitor and host agents and processes and correlates these reports to detect intrusion.
The scheme is designed to be independent of any operating system or system auditing implementation.
Fig. Agent Architecture.
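Worked example added here (it is not code from these notes or from the UC Davis system) tying Q2, Q3 and Q4 together in Python: host agents emit detection-specific audit records carrying the six fields of Q3, and a central manager correlates them across hosts and applies two of the statistical rules from Q2, threshold detection (failed logins per subject in a sliding window) and profile-based detection on a counter metric (logins per hour compared with the subject's historical mean and standard deviation). The class and function names, the extra host field, the window and threshold values, and every record and profile below are constructed for the illustration.

```python
"""Added example: audit records, host agents and a central manager (constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional


@dataclass(frozen=True)
class AuditRecord:
    """Detection-specific audit record with the six fields listed in Q3."""
    subject: str              # initiator of the action (user or process)
    action: str               # login, read, execute, ...
    obj: str                  # receptor of the action (file, terminal, ...)
    exception_condition: str  # "" when no exception was raised on return
    resource_usage: int       # e.g. processor time units consumed
    time_stamp: int           # seconds (constructed, not real clock values)
    host: str = "hostA"       # host agent that collected the record (assumed extra field)


class CentralManager:
    """Correlates records from several host agents (Q4) and applies the
    threshold and profile-based rules of Q2."""

    def __init__(self, fail_threshold: int = 3, window: int = 60, sigma: float = 3.0):
        self.fail_threshold = fail_threshold  # failures per window that raise an alert
        self.window = window                  # sliding window in seconds
        self.sigma = sigma                    # allowed deviation in standard deviations
        self._failures = defaultdict(list)    # subject -> recent failure timestamps
        self._profiles = defaultdict(list)    # subject -> historical logins per hour

    def train_profile(self, subject: str, logins_per_hour: List[int]) -> None:
        """Record a subject's historical counter values (the 'profile')."""
        self._profiles[subject] = list(logins_per_hour)

    def receive(self, rec: AuditRecord) -> Optional[str]:
        """Threshold detection: too many failed logins by one subject in a window,
        counted across all hosts because the manager sees every agent's records."""
        if rec.action != "login" or not rec.exception_condition:
            return None
        recent = self._failures[rec.subject]
        recent.append(rec.time_stamp)
        recent[:] = [t for t in recent if rec.time_stamp - t <= self.window]
        if len(recent) >= self.fail_threshold:
            return f"threshold: {len(recent)} failed logins by {rec.subject} via {rec.host}"
        return None

    def check_counter(self, subject: str, logins_this_hour: int) -> Optional[str]:
        """Profile-based detection on a counter metric (logins per hour)."""
        hist = self._profiles.get(subject)
        if not hist or len(hist) < 2:
            return None  # no profile yet, so no deviation can be judged
        mu, sd = mean(hist), pstdev(hist)
        deviation = abs(logins_this_hour - mu)
        if (sd > 0 and deviation / sd > self.sigma) or (sd == 0 and deviation > 0):
            return f"profile: {subject} logged in {logins_this_hour} times/hour (mean {mu:.1f})"
        return None


# Constructed sample stream: two host agents forwarding records to one manager.
SAMPLE_RECORDS = [
    AuditRecord("mallory", "login", "tty1", "bad password", 1, 100, "hostA"),
    AuditRecord("alice", "read", "/etc/motd", "", 2, 105, "hostB"),
    AuditRecord("mallory", "login", "tty1", "bad password", 1, 110, "hostA"),
    AuditRecord("mallory", "login", "tty2", "bad password", 1, 120, "hostB"),
    AuditRecord("mallory", "login", "tty2", "bad password", 1, 500, "hostB"),
]


def run_demo() -> List[str]:
    """Feed the constructed records through the manager and return the alerts."""
    mgr = CentralManager()
    mgr.train_profile("alice", [2, 3, 2, 4, 3, 2, 3, 3])  # constructed history
    alerts = [a for a in (mgr.receive(r) for r in SAMPLE_RECORDS) if a]
    for subject, count in (("alice", 3), ("alice", 40)):
        alert = mgr.check_counter(subject, count)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The third failure at time 120 arrives from a different host than the first two, which is the point of correlating at the manager: no single host agent would have seen three failures. The failure at time 500 falls outside the 60-second window and so produces no alert.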
Q5. Explain the UNIX password scheme.
Ans: When a user attempts to log on to a UNIX system, the user provides an ID and a password. The operating system uses the ID to index into the password file and retrieve the plaintext salt and the encrypted password. The salt and user-supplied password are used as input to the encryption routine. If the result matches the stored value, the password is accepted. The encryption routine is designed to discourage guessing attacks. Software implementations of DES are slow compared to hardware versions, and the use of 25 iterations multiplies the time required by 25. However, since the original design of this algorithm, two changes have occurred. First, newer implementations of the algorithm itself have resulted in speedups. Second, hardware performance continues to increase, so that any software algorithm executes more quickly.
Thus, there are two threats to the UNIX password scheme. First, a user can gain access on a machine using a guest account or by some other means and then run a password guessing program, called a password cracker, on that machine. The attacker should be able to check hundreds and perhaps thousands of possible passwords with little resource consumption. In addition, if an opponent is able to obtain a copy of the password file, then a cracker program can be run on another machine.

Q6. Explain the different password selection strategies.
Ans: Four basic techniques are in use:
• User education
• Computer-generated passwords
• Reactive password checking
• Proactive password checking
The user education strategy is unlikely to succeed at most installations, particularly where there is a large user population or a lot of turnover. Many users will simply ignore the guidelines. Others may not be good judges of what is a strong password. For example, many users (mistakenly) believe that reversing a word or capitalizing the last letter makes a password unguessable.
Computer-generated passwords also have problems. If the passwords are quite random in nature, users will not be able to remember them. Even if the password is pronounceable, the user may have difficulty remembering it and so be tempted to write it down. In general, computer-generated password schemes have a history of poor acceptance by users. FIPS PUB 181 defines one of the best-designed automated password generators. The standard includes not only a description of the approach but also a complete listing of the C source code of the algorithm. The algorithm generates words by forming pronounceable syllables and concatenating them to form a word. A random number generator produces a random stream of characters used to construct the syllables and words.
A reactive password checking strategy is one in which the system periodically runs its own password cracker to find guessable passwords. The system cancels any passwords that are guessed and notifies the user. This tactic has a number of drawbacks. First, it is resource intensive if the job is done right. Because a determined opponent who is able to steal a password file can devote full CPU time to the task for hours or even days, an effective reactive password checker is at a distinct disadvantage. Furthermore, any existing passwords remain vulnerable until the reactive password checker finds them.
Proactive password checker: In this scheme, a user is allowed to select his or her own password. However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it. Such checkers are based on the philosophy that, with sufficient guidance from the system, users can select memorable passwords from a fairly large password space that are not likely to be guessed in a dictionary attack. The trick with a proactive password checker is to strike a balance between user acceptability and strength. If the system rejects too many passwords, users will complain that it is too hard to select a password. If the system uses some simple algorithm to define what is acceptable, this provides guidance to password crackers to refine their guessing technique. In the remainder of this subsection, we look at possible approaches to proactive password checking.

Q7. Explain the overall taxonomy of malicious programs.
Ans:

Q8. Explain the types of virus.
Ans: A virus classification by target includes the following categories:
Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
File infector: Infects files that the operating system or shell consider to be executable.
Macro virus: Infects files with macro code that is interpreted by an application.
A virus classification by concealment strategy includes the following categories:
Encrypted virus: A typical approach is as follows. A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected. Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe.
Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software. Thus, the entire virus, not just a payload, is hidden.
Polymorphic virus: A virus that mutates with every infection, making detection by the "signature" of the virus impossible.
Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.
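Worked example added here for Q5 and Q6 above (it is not code from these notes or from any UNIX implementation): a salted, iterated password check modelled on the UNIX scheme, followed by a proactive password checker that applies the guidance the answer gives (reject dictionary words, reversed words and a word with a capitalized last letter or trailing digits). PBKDF2-HMAC-SHA256 is substituted for the 25-iteration DES routine, the password file is an in-memory dictionary, and the word list, function names, iteration count and sample passwords are all constructed for the illustration.

```python
"""Added example: UNIX-style salted password check and a proactive checker (constructed)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for the UNIX password file: user ID -> (plaintext salt, hashed password).
PasswordFile = Dict[str, Tuple[bytes, bytes]]

# PBKDF2-HMAC-SHA256 stands in for the 25-iteration DES variant of crypt(3);
# the iteration count plays the same role of slowing down a password cracker.
ITERATIONS = 50_000


def encrypt(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way routine (stand-in for the UNIX encryption routine)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store(pwfile: PasswordFile, user: str, password: str) -> None:
    """Create an entry: a fresh random salt is kept in plaintext beside the hash."""
    salt = os.urandom(12)
    pwfile[user] = (salt, encrypt(password, salt))


def verify(pwfile: PasswordFile, user: str, password: str) -> bool:
    """Login check: index the file by ID, rehash the supplied password with the
    stored salt and compare with the stored value in constant time."""
    entry = pwfile.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(encrypt(password, salt), stored)


# Tiny constructed word list; a real proactive checker uses a large dictionary.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty", "secret"}
SUFFIX_CHARS = "0123456789!@#$%^&*."


def proactive_check(password: str, min_len: int = 8) -> Optional[str]:
    """Proactive password checker: return the rejection reason, or None if allowable."""
    if len(password) < min_len:
        return f"shorter than {min_len} characters"
    low = password.lower()  # defeats the 'capitalize the last letter' trick
    if low in DICTIONARY or low[::-1] in DICTIONARY:
        return "dictionary word (possibly reversed)"
    core = low.rstrip(SUFFIX_CHARS)  # strip trailing digits/punctuation, e.g. "Password1"
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        return "dictionary word with trailing digits or punctuation"
    classes = sum(
        any(test(c) for c in password)
        for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    if classes < 3:
        return "uses fewer than three character classes"
    return None


if __name__ == "__main__":
    pwfile: PasswordFile = {}
    for user, candidate in (("alice", "Tr0ub4dor&3"), ("bob", "Password1")):
        verdict = proactive_check(candidate)
        if verdict is None:
            store(pwfile, user, candidate)
            print(user, "stored; verify ->", verify(pwfile, user, candidate))
        else:
            print(user, "rejected:", verdict)
```

Two users who choose the same password get different stored values because each entry has its own salt, which is what keeps a stolen password file from being attacked for all users at once with one precomputed table; the iteration count is the knob that raises the cost of the offline cracker the answer describes.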
Q9. Explain virus countermeasures. OR Explain antivirus approaches.
Ans: Antivirus software has evolved through four generations:
First generation: simple scanners
Second generation: heuristic scanners
Third generation: activity traps
Fourth generation: full-featured protection
A first-generation scanner requires a virus signature to identify a virus. The virus may contain "wildcards" but has essentially the same structure and bit pattern in all copies. Such signature-specific scanners are limited to the detection of known viruses. Another type of first-generation scanner maintains a record of the length of programs and looks for changes in length.
A second-generation scanner does not rely on a specific signature. Rather, the scanner uses heuristic rules to search for probable virus infection. One class of such scanners looks for fragments of code that are often associated with viruses. For example, a scanner may look for the beginning of an encryption loop used in a polymorphic virus and discover the encryption key. Once the key is discovered, the scanner can decrypt the virus to identify it, then remove the infection and return the program to service. Another second-generation approach is integrity checking. A checksum can be appended to each program. If a virus infects the program without changing the checksum, then an integrity check will catch the change. To counter a virus that is sophisticated enough to change the checksum when it infects a program, an encrypted hash function can be used. The encryption key is stored separately from the program so that the virus cannot generate a new hash code and encrypt that. By using a hash function rather than a simpler checksum, the virus is prevented from adjusting the program to produce the same hash code as before.
Third-generation programs are memory-resident programs that identify a virus by its actions rather than its structure in an infected program. Such programs have the advantage that it is not necessary to develop signatures and heuristics for a wide array of viruses. Rather, it is necessary only to identify the small set of actions that indicate an infection is being attempted and then to intervene.
Fourth-generation products are packages consisting of a variety of antivirus techniques used in conjunction. These include scanning and activity trap components. In addition, such a package includes access control capability, which limits the ability of viruses to penetrate a system and then limits the ability of a virus to update files in order to pass on the infection.
Advanced Antivirus Techniques:
Generic Decryption: Generic decryption (GD) technology enables the antivirus program to easily detect even the most complex polymorphic viruses while maintaining fast scanning speeds. A GD scanner has the following elements:
CPU emulator: A software-based virtual computer. Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor. The emulator includes software versions of all registers and other processor hardware, so that the underlying processor is unaffected by programs interpreted on the emulator.
Virus signature scanner: A module that scans the target code looking for known virus signatures.
Emulation control module: Controls the execution of the target code.

Q10. Explain the different types of firewalls.
Ans:
1. Packet-filtering Router: Applies a set of rules to each incoming IP packet and then forwards or discards the packet. Filters packets going in both directions. The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. There are two default policies (discard or forward).
Advantages:
• Simplicity
• Transparency to users
• High speed
Disadvantages:
• Difficulty of setting up packet filter rules
• Lack of authentication
2. Application-level Gateway
a. Also called proxy server
b. Acts as a relay of application-level traffic
Advantages:
c. Higher security than packet filters
d. Only need to scrutinize a few allowable applications
e. Easy to log and audit all incoming traffic
Disadvantages:
f. Additional processing overhead on each connection (gateway as splice point)
3. Circuit-level Gateway
g. Stand-alone system, or
h. Specialized function performed by an Application-level Gateway
i. Sets up two TCP connections
j. The gateway typically relays TCP segments from one connection to the other without examining the contents
4. Screened host firewall, dual-homed bastion configuration
a. Even if the packet-filtering router is completely compromised, the private network is not fully exposed, because
b. Traffic between the Internet and other hosts on the private network has to flow through the bastion host.
Fig. Types of firewalls
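Worked example added here for the packet-filtering router of Q10 (it is not code from these notes or from any firewall product): an ordered rule list matched against IP and TCP header fields, applied to packets in both directions, with the two default policies (discard or forward) selectable. Addresses use the RFC 5737 documentation ranges and all rules and packets are constructed; the anti-spoofing rule at the top shows how a rule set compensates for the "lack of authentication" disadvantage, since the filter can only trust what the header claims.

```python
"""Added example: a packet-filtering router as an ordered rule list (constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields the filter looks at; no payload is examined."""
    direction: str  # "in" (from the Internet) or "out" (from the private network)
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dst_port: int   # destination port from the TCP/UDP header


def _in_net(addr: str, spec: str) -> bool:
    """True when addr lies in the CIDR block spec, or spec is the wildcard '*'."""
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    direction: str           # "in", "out" or "*"
    src: str                 # CIDR block or "*"
    dst: str                 # CIDR block or "*"
    proto: str               # "tcp", "udp" or "*"
    dst_port: Optional[int]  # None matches any port
    action: str              # "forward" or "discard"

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("*", p.direction)
            and _in_net(p.src, self.src)
            and _in_net(p.dst, self.dst)
            and self.proto in ("*", p.proto)
            and (self.dst_port is None or self.dst_port == p.dst_port)
        )


class PacketFilter:
    """First matching rule wins; otherwise the default policy applies."""

    def __init__(self, rules: List[Rule], default: str = "discard"):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


# Constructed rule set: 192.0.2.0/24 is the private network behind the router.
DEMO_RULES = [
    # anti-spoofing: an inbound packet must not claim a private-network source
    Rule("in", "192.0.2.0/24", "*", "*", None, "discard"),
    # a network administratively blocked in both cases below
    Rule("in", "203.0.113.0/24", "*", "*", None, "discard"),
    # inbound mail to the mail host and web traffic to the web host only
    Rule("in", "*", "192.0.2.10/32", "tcp", 25, "forward"),
    Rule("in", "*", "192.0.2.20/32", "tcp", 80, "forward"),
    # anything originating inside may go out
    Rule("out", "192.0.2.0/24", "*", "*", None, "forward"),
]


def build_demo_filter(default: str = "discard") -> PacketFilter:
    return PacketFilter(DEMO_RULES, default=default)


if __name__ == "__main__":
    fw = build_demo_filter()
    for pkt in (
        Packet("in", "198.51.100.5", "192.0.2.10", "tcp", 25),   # mail: forward
        Packet("in", "198.51.100.5", "192.0.2.10", "tcp", 23),   # telnet: default discard
        Packet("out", "192.0.2.30", "198.51.100.5", "tcp", 443), # outbound: forward
        Packet("in", "203.0.113.7", "192.0.2.10", "tcp", 25),    # blocked net: discard
        Packet("in", "192.0.2.30", "192.0.2.10", "tcp", 25),     # spoofed source: discard
    ):
        print(pkt, "->", fw.decide(pkt))
```

Rule order matters: the discard rules for spoofed and blocked sources sit above the forward rule for port 25, so a mail packet from those sources is still dropped. Changing the default policy to "forward" makes the telnet packet pass, which is why the discard default is the safer choice and why writing a correct rule list is listed as the main difficulty of this firewall type.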