13.a Intruders
Dr Joseph Sevilla
MIT 8342 Cryptography and Information Security

Overview
• Introduction
• Classes of Intruders
• Intrusion Techniques
– Password Guessing
– Password Capture
– Buffer Overflows
• Intrusion Detection
– Approaches
– Audit Record Analysis
– Statistical Anomaly Detection
– Rule-Based Intrusion Detection
– Base-Rate Fallacy
• Distributed Intrusion Detection
• Honeypots
Classes of Intruders
• Two types of hackers:
– Benign intruders: simply wish to explore to find out what is there.
• May seem tolerable, but still cost resources.
– Malign intruders: perform unauthorised modifications or disrupt the system.
• You can’t tell in advance whether an attack will be benign or malign.
• May use a compromised system to launch other attacks.
• Two levels of hackers:
– Sophisticated users with thorough knowledge of the technology.
– Low-level ‘foot soldiers’, who merely use available cracking programs with little understanding of the technology.
• Awareness of intruders has led to the development of Computer Emergency Response Teams (CERTs):
– Collect information about system vulnerabilities and disseminate it to IT managers.
– Hackers also have access to such reports.

Intrusion Techniques
• Aim: Gain access and/or increase privileges on a system.
– Typically involves knowledge of some information that should have been protected: e.g. a user’s password.
• Systems maintain a file that associates passwords to authorised users.
• Protection of password files:
1. One-way function
• Store the value of a function based on the user’s password.
• The user-presented password is transformed and compared with the stored value.
• In practice, the system performs a one-way transformation in which the password is used to generate a key for the one-way function.
2. Access Control
• Access to the password file is limited to one or very few accounts.
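The one-way-function protection described above, as an added worked example (it is not code from the lecture): the stored entry holds only a salt and a key derived from the password with PBKDF2-HMAC-SHA256, so the password itself never appears in the file, and a presented password is verified by repeating the same transformation. The user names, passwords, iteration count and entry format are all constructed for the example.

```python
# Added example (not from the lecture slides): a minimal password file that keeps
# only a one-way transformation of each password. The password is used to derive a
# key (PBKDF2-HMAC-SHA256) and that derived key, not the password, is what is stored.
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 100_000  # constructed choice; makes each guess expensive to test offline


def make_entry(password: str, salt: Optional[bytes] = None) -> str:
    """Return the stored form 'salt$iterations$derived_key' (all hex) for a password."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: equal passwords give different entries
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${dk.hex()}"


def verify(password: str, entry: str) -> bool:
    """Transform the presented password the same way and compare with the stored value."""
    salt_hex, iters, stored_hex = entry.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # constant-time comparison so response time does not leak how many bytes matched
    return hmac.compare_digest(dk.hex(), stored_hex)


# Constructed password file: user name -> stored entry. Only the one-way value is kept.
PASSWORD_FILE = {
    "alice": make_entry("correct horse battery staple"),
    "bob": make_entry("hunter2"),
}


def authenticate(user: str, password: str) -> bool:
    """Check a login attempt against the password file."""
    entry = PASSWORD_FILE.get(user)
    if entry is None:
        # Do the same amount of work for unknown users so timing does not reveal valid names.
        verify(password, make_entry(secrets.token_hex(8)))
        return False
    return verify(password, entry)


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "hunter2"))                       # False
    print("hunter2" in PASSWORD_FILE["bob"])                      # False: password not stored
```

The salt is what makes the stored file resist precomputed guessing tables: two users with the same password get different entries, so each entry has to be attacked separately. Access control on the file itself (the second protection on the slide) is still needed, because the derived keys can be guessed at offline once the file is readable.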
07/07/2009
Buffer Overflows
• Does not require learning a password.
• Intruders get access to the system by exploiting attacks such as buffer overflows on a program that runs with certain privileges.
• Privilege escalation can also be done in this way.

Intrusion Detection
• Inevitably, intrusion prevention will have security failures.
• Need for detection as a second line of defence.
– The sooner an intrusion is detected, the less damage is done and the faster recovery is achievable.
– An effective IDS can be a deterrent, thus preventing intrusions.
– Enables collection of information that could be used to improve security.
• Based on the assumption that an intruder will behave differently from a legitimate user.
– This is not exactly distinct! Expected overlap in behaviour.
– Means some false positives or false negatives may be arrived at in trying to catch intruders.
Approaches
• Statistical anomaly detection: collection of data related to the behaviour of legitimate users over time.
– Statistical tests are applied to observed behaviour to determine with a high level of confidence the legitimacy of a certain behaviour.
– Threshold detection: define thresholds for the frequency of occurrence of events – independent of user.
– Profile based: a profile for each user is developed and used to detect changes in behaviour.
• Rule-based detection: define a set of rules that determine an intruder.
– Anomaly detection: detect deviation from previous patterns.
– Penetration identification: expert system approach to search for suspicious behaviour.
• In practice, a combination of both approaches will be more effective.

Audit Record Analysis
• Fundamental tool for intrusion detection. Two plans:
• Native audit records
– Collect information on user activity and are part of all common multi-user O/S.
• Advantage: software already present for use.
• Disadvantage: may not contain the information required, or may have it in an inconvenient format.
• Detection-specific audit records
– Created specifically to collect the information required by the IDS.
– Could be made vendor independent and ported to different systems.
– Additional overhead (two auditing packages running).
Statistical Anomaly Detection
• Given metrics, various tests are performed to determine if current behaviour is acceptable, using approaches such as:
– mean & standard deviation, multivariate, Markov process, time series, operational.
• Advantage of statistical profiles: no prior knowledge of security flaws is required.
– The detector program learns what is normal and then looks for deviations.
– Not based on system-dependent characteristics and vulnerabilities.
– Portable between systems.

Rule-Based Intrusion Detection
• Observe events on the system & apply rules to decide if activity is suspicious or not.
• Approaches focus on either anomaly detection or penetration identification.
• Rule-based anomaly detection:
– Analyse historical audit records to identify usage patterns & auto-generate rules that define them.
– Then observe current behaviour & match against the rules to see if it conforms.
– Like statistical anomaly detection, does not require prior knowledge of security flaws.
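The three detection ideas on the last two slides (user-independent threshold detection, a profile-based mean & standard deviation test, and rule-based anomaly detection with rules generated from historical audit records), as one added worked example that is not part of the lecture. The audit records, the field layout (user, source host, hour, failed logins) and all thresholds are constructed for the example; it runs the same analysis over a handful of current records and reports why each one was or was not flagged.

```python
# Added example (not from the lecture slides): detection-specific audit records run
# through threshold, profile-based statistical and rule-based anomaly detection.
import statistics
from collections import defaultdict

# Constructed historical audit records, one per login session (not real data):
# (user, source host, hour of day the session started, failed logins before success)
HISTORY = [
    ("alice", "ws-17", 9, 0), ("alice", "ws-17", 10, 1), ("alice", "ws-17", 9, 0),
    ("alice", "ws-17", 11, 0), ("alice", "ws-17", 8, 1), ("alice", "ws-17", 10, 0),
    ("bob", "ws-42", 14, 0), ("bob", "ws-42", 15, 0), ("bob", "lab-3", 13, 2),
    ("bob", "ws-42", 16, 1), ("bob", "lab-3", 14, 0), ("bob", "ws-42", 15, 1),
]

FAILED_LOGIN_THRESHOLD = 5  # threshold detection: same limit for every user (constructed)
K_SIGMA = 3.0               # profile-based: deviations beyond this many std devs are flagged
MIN_SIGMA = 0.5             # floor so a very regular user is not flagged by tiny changes


def build_profiles(history):
    """Profile-based statistical detection: per-user mean and std dev of failed logins."""
    per_user = defaultdict(list)
    for user, _host, _hour, failed in history:
        per_user[user].append(failed)
    return {u: (statistics.mean(v), max(statistics.pstdev(v), MIN_SIGMA))
            for u, v in per_user.items()}


def build_rules(history):
    """Rule-based anomaly detection: auto-generate usage rules (known hosts, usual hours)."""
    hosts = defaultdict(set)
    hours = defaultdict(list)
    for user, host, hour, _failed in history:
        hosts[user].add(host)
        hours[user].append(hour)
    return {u: {"hosts": hosts[u], "hours": (min(hours[u]), max(hours[u]))} for u in hosts}


def analyse(record, profiles, rules):
    """Return the reasons a current audit record looks suspicious (empty list if it conforms)."""
    user, host, hour, failed = record
    reasons = []
    # 1. Threshold detection: independent of who the user is
    if failed >= FAILED_LOGIN_THRESHOLD:
        reasons.append(f"threshold: {failed} failed logins >= {FAILED_LOGIN_THRESHOLD}")
    # 2. Profile-based test: mean & standard deviation learned from this user's history
    if user in profiles:
        mean, sigma = profiles[user]
        if abs(failed - mean) > K_SIGMA * sigma:
            reasons.append(f"profile: {failed} failed logins, usual {mean:.1f}+/-{sigma:.1f}")
    else:
        reasons.append("profile: no history for user")
    # 3. Rule-based anomaly detection: match against rules generated from history
    if user in rules:
        if host not in rules[user]["hosts"]:
            reasons.append(f"rule: host {host} never used by {user}")
        lo, hi = rules[user]["hours"]
        if not lo <= hour <= hi:
            reasons.append(f"rule: hour {hour} outside usual {lo}-{hi}")
    return reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    rules = build_rules(HISTORY)
    # Constructed current records to analyse
    for rec in [("alice", "ws-17", 10, 0), ("alice", "ws-17", 3, 0),
                ("bob", "ws-17", 14, 6), ("mallory", "ws-17", 10, 0)]:
        flags = analyse(rec, profiles, rules)
        print(rec, "OK" if not flags else "; ".join(flags))
```

The overlap the "Intrusion Detection" slide warns about shows up directly in the constants: a low K_SIGMA or threshold raises false positives on legitimate users whose behaviour varies, a high one lets a slowly behaving intruder pass (false negatives), and no prior knowledge of any specific flaw is used by either the statistical or the rule-based test.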
Honeypots

References