07/07/2009

Overview
13.a Intruders
• Introduction
• Classes of Intruders
• Intrusion Techniques
– Password Guessing
Dr Joseph Sevilla – Password Capture
MIT 8342 Cryptography and Information Security – Buffer Overflows
• Intrusion Detection
– Approaches
– Audit Record Analysis
– Statistical Anomaly Detection
– Rule-Based Intrusion Detection
– Base-Rate Fallacy
• Distributed Intrusion Detection
• Honeypots
1

Intruders Classes of Intruders

• A significant security problem for networked systems is • Masquerader:

hostile or unwanted access by users or software. – Unauthorised individual who penetrates a system’s access
controls to exploit a legitimate user’s account.
– Via network or local access.
– Usually outsider.
– Unauthorised logon or acquisition of privileges.
• Misfeasor:
– Software intrusion: viruses, worms, Trojan horses.
– Legitimate user who abuses privileges to access data, programs
• We will examine the nature of attacks and strategies for or resources.
detection and prevention. – Usually insider.
– Detection: Learning of an attack, either before or after its success. • Clandestine user:
– Prevention: Attempt to thwart all possible attacks. – Individual who seizes supervisory control and uses it to evade
auditing and access controls.
– Insider or outsider.

3 4

Intruders Intrusion Techniques

• Two types of hackers:
– Benign intruders: simply wish to explore to find out what is there.
• May seem tolerable, but still cost resources.
– Malign intruders: perform unauthorised modifications or disrupt system.
• You can’t tell in advance whether an attack will be benign or malign.
• May use compromised system to launch other attacks.
• Two levels of hackers:
– Sophisticated users with thorough knowledge of the technology.
– Low-level ‘foot soldiers’, merely use available cracking programs with
little understanding of the technology.
• Awareness of intruders has led to the development of Computer
Emergency Response Teams (CERTs):
– Collect information about system vulnerabilities and disseminate them to
IT managers.
– Hackers also have access to such reports.
• Aim: Gain access and/or increase privileges on a system.
– Typically involves knowledge of some info that should have been
protected: e.g. a user’s password.
• Systems maintain a file that associates passwords to
authorised users.
• Protection of password files:
1. One-way function
• Store value of a function based on the user’s password.
• User presented password is transformed and compared with the
stored value.
• In practice, system performs a one-way transformation in which
the password is used to generate a key for the one-way function.
2. Access Control
• Access to password file limited to one or very few accounts.

5 6

1

Password Guessing
• One of the most common attacks.
• Attacker knows a login name (from email/web page,
etc).
• Then attempts to guess password for it:
– Defaults, short passwords, common word searches.
– User info (variations on names, birthday, phone no, number
plates, common words/hobbies).
– Exhaustively searching all possible passwords.
• Success depends on password chosen by user.
– Surveys show that many users choose passwords poorly.
• However, it is tedious and can be countered.
– Block users after several invalid attempts (but an attacker
may copy encrypted password file and try off-line).
7 8
Buffer Overflows
• Does not require learning a password.
• Intruders get access to the system by exploiting
attacks such as buffer overflows on a program that
runs with certain privileges.
• Privilege escalation can be done also in this way.
9 10
Approaches to Intrusion Detection
• Statistical anomaly detection: collection of data related to
behaviour of legitimate users over time.
– Statistical tests applied to observed behaviour to determine with high
level of confidence the legitimacy of a certain behaviour.
– Threshold detection: define thresholds for the frequency of occurrence
of events – independent of user.
– Profile based: A profile for each user is developed and used to detect
changes in behaviour.
• Rule-based detection: define a set of rules that determine an
intruder.
– Anomaly detection: detect deviation from previous patterns.
– Penetration identification: expert system approach to search for
suspicious behaviour.
• In practice, a combination of both approaches will be more effective.
11
07/07/2009
Password Capture
• Another attack involves password capture.
– Use of Trojan Horse program.
• E.g. via a game.
– Monitoring an insecure network login tapping the line between
remote user and host system.
• E.g. Telnet, FTP, web, email.
– Extracting recorded info after successful login (web history/cache,
last number dialled, etc.).
• Using valid login/password can impersonate user.
Intrusion Detection
• Inevitably, intrusion prevention will have security failures.
• Need for detection as a second line of defence.
– The sooner an intrusion is detected, the less the amount of
damage and faster recovery is achievable.
– Effective IDS can be a deterrent thus preventing intrusions.
– Enables collection of information that could be used to improve
security.
• Based on the assumption that intruder will behave
differently from a legitimate user.
– This is not exactly distinct! Expected overlap in behaviour.
– Means some false positives or false negatives may be arrived at in
trying to catch intruders.
Audit Records
• Fundamental tool for intrusion detection. Two plans:
• Native audit records
– Collects info on user activity and is part of all common multi-user
O/S.
• Advantages: software already present for use.
• Disadvantage: may not contain the information required or
may have it in an inconvenient format.
• Detection-specific audit records
– Created specifically to collect information required by the IDS.
– Could me made vendor independent and ported to different
systems.
– Additional overhead (two auditing packages running).
12
2

Statistical Anomaly Detection
• Threshold detection:
– Count occurrences of specific event over time.
• If count exceeds reasonable value an intrusion is assumed.
– Alone it is a crude and ineffective detector.
• Variability across users, likely to generate either many false
positives or false negatives.
• Useful in conjunction with other techniques.
• Profile-based systems:
– Characterise past behaviour of users (or groups of users).
– Detect significant deviations from this.
– Profile usually multi-parameter (deviation from one parameter may
not be sufficient to signal an alert).
13
Audit Record Analysis
• Given metrics, various tests are performed to determine if
current behavior is acceptable using approaches such as:
– mean & standard deviation, multivariate, Markov process, time
series, operational.
• Advantage of statistical profiles: no prior knowledge of
security flaws is required.
– The detector program learns what is normal and then looks for
deviations.
– Not based on system-dependent characteristics and
vulnerabilities.
– Portable between systems.
15
Rule-Based Intrusion Detection
• Rule-based penetration identification.
– Uses expert systems technology.
– Use rules identifying known penetrations, exploit of
known weakness, or identify suspicious behaviour.
– Compare audit records or states against rules.
– Rules usually machine & O/S specific.
– Rules are generated by experts who interview &
codify knowledge of security and system admins
(rather than by automated analysis).
– Quality depends on how well this is done.
17
07/07/2009
Audit Record Analysis
• Foundation of statistical approaches.
• Audit records provide input to the IDS.
– Designer must decide what metrics to use to measure
user behavior and in the long run define typical
behavior.
– Current audit records used as input to detect intrusion.
• Some metrics used include:
– Counter (logins/hr, commands per session etc), gauge,
interval timer (e.g. length of time between successive
logins), resource utilisation.
14
Rule-Based Intrusion Detection
• Observe events on system & apply rules to decide
if activity is suspicious or not.
• Approaches focus on either anomaly detection or
penetration identification.
• Rule-based anomaly detection:
– Analyse historical audit records to identify usage
patterns & auto-generate rules that define them.
– Then observe current behavior & match against rules to
see if conforms.
– Like statistical anomaly detection does not require prior
knowledge of security flaws.
16
Base-Rate Fallacy
• Need for IDSs to detect a substantial percentage
of intrusions while keeping false alarms at an
acceptable level.
– If too few intrusions detected -> false security.
– If too many false alarms -> managers start to ignore /
too much time spent analyzing false alarms.
• This is very hard to do.
• Existing systems seem not to have a good record.
18
3

Distributed Intrusion Detection
• Traditional focus is on single systems.
• But typically, we need to defend a distributed collection of
hosts supported on a LAN.
– More effective defence has IDSs across the network working
together.
• Issues in design of a distributed IDS:
– Dealing with varying native audit record formats.
– Integrity & confidentiality of raw or summary data being
transmitted over the network.
– Either centralised or decentralised architecture may be used.
19
Distributed Intrusion Detection –
Example of Architecture
21
Distributed Intrusion Detection –
Agent Architecture
• Filter is applied on what agent
has captured to retain only that
which is of security interest.
• Records standardised to Host
Audit Record (HAR) format.
• Template driven logic module
analyses records for suspicious
activity.
• If suspicious activity is detected
an alert is sent to the central
manager which includes an
expert system that can be used
to draw inferences from
received data. 23
07/07/2009
Distributed Intrusion Detection
• Centralised
– Single point of collection and analysis and easier
correlation of incoming reports.
– Potential bottleneck and single point of failure.
• Decentralised
– More than one analysis centre.
– Need for co-ordination of activities and exchange of
information.
20
Distributed Intrusion Detection -
Components
• Host agent module
– Audit collection module operating as a background process on a
monitored system.
– Collects data on security related events on the host and transmit
them to the central manager.
• LAN monitor agent module
– Analyses LAN traffic and reports results to central manager.
• Central manager module
– Processes the reports from the above and correlates the to detect
intrusion.
22
Honeypots
• Decoy systems to lure attackers.
– Divert attention from accessing critical systems.
– Collect information on attacker's activities.
– Encourage attacker to stay on system long enough for the
administrator to respond.
• Designed with fabricated information that appears
valuable.
– Legitimate users would not access it.
– Any access to the honeypot is suspect.
• System is instrumented with sensitive monitors and
event loggers.
– Able to detect accesses and collect detailed information on
attackers activities.
24
4
 07/07/2009

Honeypots References

• Because an attack is made to look successful, admins

have time to mobilise and log and track attacker • Most of the material in the previous slides was
without exposing the real systems. taken from:
• Administrators can use information obtained to figure – Cryptography and Network Security by Stallings, 4 Ed
out defences. • Supplemental material from:
• Current evolution from single host honeypots to
• Lawrie Brown Slides
honeynets of multiple dispersed systems.
– Simulates an entire network with actual or simulated traffic.
www.cisa.umbc.edu/courses/cmsc/487/slides/ch18.ppt
• The IETF Intrusion Detection Working Group is
currently drafting standards to support interoperability
of IDS info (both honeypot and normal IDS) over a
wide range of systems & O/S’s.
25 26