1 Intruders and Intrusion Detection Behzad Akbari Fall 2009 In the Name of the Most High These slides are based in parts on slides by Vitaly Shmatikov at Texas University and S. Jane Fritz at SJC

Page 1: Intruders and Intrusion Detection

Behzad Akbari, Fall 2009

In the Name of the Most High

These slides are based in parts on slides by Vitaly Shmatikov at Texas University and S. Jane Fritz at SJC

Page 2: Outline

• Intruders
• Intrusion Detection Techniques
  • Statistical Anomaly
  • Rule Based Detection
• Password Management
  • Password Protection
  • Password Selection Strategies
• Recommended Reading and WEB Sites

Page 3: Intruders

• Three classes of intruders (hackers or crackers):
  • Masquerader: an unauthorized individual who exploits a legitimate user's account (outsider)
  • Misfeasor: a legitimate user who misuses his or her privileges (insider)
  • Clandestine user: an individual who seizes supervisory control and uses it to evade auditing or access controls (insider or outsider)

Page 4: Intruders

• Clearly a growing, publicized problem: from the "Wily Hacker" in 1986/87 to clearly escalating CERT stats
• May seem benign, but still cost resources
• May use a compromised system to launch other attacks

Page 5: Intrusion Detection

• If an intrusion is detected quickly, the intruder can be identified and ejected from the system before damage is done
• An effective detection system acts as a deterrent, helping to prevent intrusions
• Detection enables the collection of information to strengthen the system

Page 6: Intrusion Detection

• The goal of an intrusion detection system (IDS) is to detect that bad things are happening…
  • …just as they start happening (we hope)
  • How is this different from a firewall?
• A successful attack is usually (but not always) associated with an access control violation
  • A buffer overflow has been exploited, and now attack code is being executed inside a legitimate program
  • An outsider gained access to a protected resource
  • A program or file has been modified
  • The system is not behaving "as it should"

Page 7: Intrusion Detection Techniques

• The objective of the intruder is to gain access to the system or to increase their range of privileges
• The system maintains a file that associates a password with each authorized user
• The password file can be protected with:
  • One-way encryption
  • Access control

Page 8: Intrusion Techniques

• Aim: to increase privileges on the system
• Basic attack methodology:
  • target acquisition and information gathering
  • initial access
  • privilege escalation
  • covering tracks
• A key goal is often to acquire passwords, then exercise the access rights they grant

Page 9: Intrusion Techniques

• Techniques for guessing passwords:
  • Try default passwords.
  • Try all short words, 1 to 3 characters long.
  • Try all the words in an electronic dictionary (60,000).
  • Collect information about the user's hobbies, family names, birthday, etc.
  • Try the user's phone number, social security number, street address, etc.
  • Try all license plate numbers (MUP103).
  • Use a Trojan horse.
  • Tap the line between a remote user and the host system.
• Prevention: enforce good password selection (Ij4Gf4Se%f#)

Page 10:

Profiles of Behavior of Intruders and Authorized Users

Page 11: Intrusion Detection

• Based on the assumption that the behavior of an intruder differs from that of a legitimate user
• Statistical anomaly detection
  • threshold detection (frequency of events)
  • profile based (change in activity of a user)
• Rule based detection
  • anomaly detection (rules detect deviation in behavior pattern)
  • penetration identification (searches for suspicious behavior)

Page 12: Intrusion Detection

• Statistical anomaly detection attempts to define normal or expected behavior, and is effective against masqueraders
• Rule based approaches attempt to define proper behavior, and are effective against misfeasors
• A combination of both is generally used

Page 13: Misuse Detection (Signature or Rule Based)

• A set of rules defining a behavioral signature likely to be associated with an attack of a certain type
• Example: buffer overflow
  • A setuid program spawns a shell with certain arguments
  • A network packet has lots of NOPs in it
  • A very long argument to a string function
• Example: SYN flooding (denial of service)
  • A large number of SYN packets without ACKs coming back
  • …or is this simply a poor network connection?
• Attack signatures are usually very specific and may miss variants of known attacks
  • Why not make signatures more general?

Page 14: Tools for Intrusion Detection

• Statistical anomaly detection works primarily through the analysis of audit records, using the following metrics:
  • Counter: e.g. number of login attempts, password failures
  • Gauge: e.g. number of user connections, applications, messages
  • Interval timer: length of time between events (e.g. logins)
  • Resource utilization: quantity of resources consumed (e.g. pages printed, time consumed by program execution)

Page 15: Tools for Intrusion Detection

• Audit records: software that collects information on user activity, recording:
  • Subject: action initiator (user or process)
  • Action: operation performed
  • Object: action receptor (files, programs, etc.)
  • Exception condition
  • Resource usage
  • Time stamp

Page 16: Other Measures Used for Intrusion Detection

• Login frequency by day and time
• Frequency of login at different locations
• Time since last login
• Password failures at login
• Execution frequency
• Execution denials
• Read, write, create, delete frequency
• Failure count for read, write, create and delete

Page 17: Statistical Tests

• Mean and standard deviation: average behavior and its variability
• Multivariate model: correlation between two or more variables
• Markov process: establishes transition probabilities between two or more states
• Time series: focuses on time intervals
• Operational model: judgement of what is abnormal (see table p. 303)
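As an added example (not code from the slides), the following Python builds a per-user profile from constructed audit records carrying the fields of slide 15, computes two of the slide-14 metrics per day (a counter of password failures and CPU time as resource utilization), and applies the mean-and-standard-deviation test of slide 17: a day is flagged when a metric lies more than three standard deviations above the user's training mean. The log lines, the user name and the 3σ threshold are assumptions.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime


@dataclass
class AuditRecord:
    """One audit record with the fields listed on slide 15."""
    timestamp: datetime
    subject: str      # action initiator (user)
    action: str       # operation performed
    obj: str          # action receptor (file, program, device)
    exception: str    # exception condition, e.g. OK or PASSWORD_FAIL
    resource: int     # resource usage: CPU milliseconds consumed


def parse_record(line: str) -> AuditRecord:
    ts, subject, action, obj, exception, resource = line.split()
    return AuditRecord(datetime.fromisoformat(ts), subject, action, obj, exception, int(resource))


# Constructed audit log (assumption, not data from the slides): five ordinary days for
# user "alice", then a sixth day with a burst of password failures and a huge CPU job.
AUDIT_LOG = """\
2009-10-01T08:00:00 alice login tty1 PASSWORD_FAIL 0
2009-10-01T08:00:12 alice login tty1 OK 0
2009-10-01T09:15:00 alice exec /usr/bin/make OK 1800
2009-10-02T08:03:00 alice login tty1 OK 0
2009-10-02T10:00:00 alice exec /usr/bin/make OK 2100
2009-10-03T08:01:00 alice login tty1 PASSWORD_FAIL 0
2009-10-03T08:01:30 alice login tty1 PASSWORD_FAIL 0
2009-10-03T08:01:50 alice login tty1 OK 0
2009-10-03T11:00:00 alice exec /usr/bin/make OK 1500
2009-10-04T08:05:00 alice login tty1 OK 0
2009-10-04T14:00:00 alice exec /usr/bin/make OK 1900
2009-10-05T08:02:00 alice login tty1 PASSWORD_FAIL 0
2009-10-05T08:02:20 alice login tty1 OK 0
2009-10-05T09:00:00 alice exec /usr/bin/make OK 2000
2009-10-06T02:30:00 alice login pts/7 PASSWORD_FAIL 0
2009-10-06T02:30:20 alice login pts/7 PASSWORD_FAIL 0
2009-10-06T02:30:41 alice login pts/7 PASSWORD_FAIL 0
2009-10-06T02:31:05 alice login pts/7 PASSWORD_FAIL 0
2009-10-06T02:31:30 alice login pts/7 OK 0
2009-10-06T02:40:00 alice exec /tmp/.x/crack OK 84000
"""

METRICS = ("password_failures", "cpu_ms")
TRAINING_DAYS = [date(2009, 10, d) for d in range(1, 6)]   # profile is learned from these
TEST_DAY = date(2009, 10, 6)                                # and this day is judged against it


def daily_metrics(records):
    """Per (subject, day): counter of password failures and CPU ms consumed (resource utilization)."""
    metrics = defaultdict(lambda: dict.fromkeys(METRICS, 0))
    for r in records:
        key = (r.subject, r.timestamp.date())
        if r.action == "login" and r.exception == "PASSWORD_FAIL":
            metrics[key]["password_failures"] += 1
        elif r.action == "exec":
            metrics[key]["cpu_ms"] += r.resource
    return metrics


def build_profile(metrics, subject, training_days):
    """Mean and standard deviation of each metric over the training days (slide 17)."""
    profile = {}
    for name in METRICS:
        values = [metrics[(subject, day)][name] for day in training_days]
        profile[name] = (statistics.mean(values), statistics.pstdev(values))
    return profile


def check_day(metrics, profile, subject, day, z_threshold=3.0):
    """Return (metric, value, z) for every metric more than z_threshold deviations above its mean."""
    alerts = []
    for name, (mean, sd) in profile.items():
        value = metrics[(subject, day)][name]
        if sd == 0:                       # no variability in training: any increase is a deviation
            z = float("inf") if value > mean else 0.0
        else:
            z = (value - mean) / sd
        if z > z_threshold:
            alerts.append((name, value, round(z, 1)))
    return alerts


def analyze(log_text, subject, training_days, test_day):
    metrics = daily_metrics(parse_record(l) for l in log_text.splitlines() if l.strip())
    profile = build_profile(metrics, subject, training_days)
    return check_day(metrics, profile, subject, test_day)


if __name__ == "__main__":
    for name, value, z in analyze(AUDIT_LOG, "alice", TRAINING_DAYS, TEST_DAY):
        print(f"ALERT alice {name}={value} is {z} standard deviations above normal")
```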

Page 18: Extracting Misuse Signatures

• Use invariant characteristics of known attacks
  • Bodies of known viruses and worms, port numbers of applications with known buffer overflows, RET addresses of overflow exploits
  • Hard to handle mutations (e.g., metamorphic viruses)
• Big research challenge: fast, automatic extraction of signatures of new attacks
• Honeypots are useful for signature extraction
  • Try to attract malicious activity, be an early target
  • Ross Anderson's example: dummy hospital records with celebrity names to catch snooping employees

Page 19: Rule Based Detection

• Observe events and apply a set of rules to decide whether or not they are suspicious, for example:
  • Users should not read other users' files
  • Users must not write other users' files
  • Users who log in after hours usually use files they used earlier in the day
  • Users generally use system commands to open devices
  • Users should not be logged in more than once to the same system
  • Users should not make copies of system programs

Page 20: Anomaly Detection

• Define a profile describing "normal" behavior
  • Works best for "small", well-defined systems (a single program rather than a huge multi-user OS)
• The profile may be statistical
  • Build it manually (this is hard)
  • Use machine learning and data mining techniques
    • Log system activities for a while, then "train" the IDS to recognize normal and abnormal patterns
    • Risk: the attacker trains the IDS to accept his activity as normal
      • A daily low-volume port scan may train the IDS to accept port scans
• The IDS flags deviations from the "normal" profile

Page 21: Intrusion Detection Errors

• False negatives: an attack is not detected
  • Big problem in rule-based misuse detection
• False positives: harmless behavior is classified as an attack
  • Big problem in statistical anomaly detection
• Both types of IDS suffer from both error types
  • Which is the bigger problem?
• Attacks are fairly rare events
  • IDS often suffer from the base-rate fallacy

Page 22: Conditional Probability

• Suppose two events A and B occur with probability Pr(A) and Pr(B), respectively
• Let Pr(AB) be the probability that both A and B occur
• What is the conditional probability that A occurs, assuming B has occurred?

$$\Pr(A \mid B) = \frac{\Pr(AB)}{\Pr(B)}$$

Page 23: Bayes' Theorem

• Suppose mutually exclusive events E_1, …, E_n together cover the entire set of possibilities
• Then the probability of any event A occurring is

$$\Pr(A) = \sum_{1 \le i \le n} \Pr(A \mid E_i)\,\Pr(E_i)$$

  • Intuition: since E_1, …, E_n cover the entire probability space, whenever A occurs, some event E_i must have occurred
• Can rewrite this formula as

$$\Pr(E_i \mid A) = \frac{\Pr(A \mid E_i)\,\Pr(E_i)}{\Pr(A)}$$

Page 24: Base-Rate Fallacy

• 1% of traffic is SYN floods; IDS accuracy is 90%
  • The IDS classifies a SYN flood as an attack with probability 90%, and classifies a valid connection as an attack with probability 10%
• What is the probability that a valid connection is erroneously flagged as a SYN flood by the IDS?

Page 25: Base Rate Fallacy

$$\Pr(\text{valid} \mid \text{alarm}) = \frac{\Pr(\text{alarm} \mid \text{valid})\,\Pr(\text{valid})}{\Pr(\text{alarm})}$$

$$= \frac{\Pr(\text{alarm} \mid \text{valid})\,\Pr(\text{valid})}{\Pr(\text{alarm} \mid \text{valid})\,\Pr(\text{valid}) + \Pr(\text{alarm} \mid \text{SYN flood})\,\Pr(\text{SYN flood})}$$

$$= \frac{0.10 \times 0.99}{0.10 \times 0.99 + 0.90 \times 0.01} \approx 0.92$$

• 92% chance that a raised alarm is false!!!
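As an added example (not from the slides), this Python carries the Bayes computation above through for arbitrary base rates and detector error rates, and also answers the inverse question a detection engineer asks: how low must Pr(alarm | valid) be before a given fraction of alarms is genuine? The 50% target and the sweep values are assumptions.

```python
def false_alarm_fraction(base_rate, detection_rate, false_positive_rate):
    """Pr(valid | alarm) by Bayes' theorem, exactly as on the slide.

    base_rate           = Pr(attack), e.g. 0.01 for "1% of traffic is SYN floods"
    detection_rate      = Pr(alarm | attack)
    false_positive_rate = Pr(alarm | valid)
    """
    p_valid = 1.0 - base_rate
    p_alarm = false_positive_rate * p_valid + detection_rate * base_rate
    return false_positive_rate * p_valid / p_alarm


def max_false_positive_rate(base_rate, detection_rate, target_false_fraction):
    """Largest Pr(alarm | valid) for which at most `target_false_fraction` of alarms are false.

    Solving  fpr*(1-b) / (fpr*(1-b) + d*b) = t  for fpr gives  fpr = t*d*b / ((1-t)*(1-b)).
    """
    b, d, t = base_rate, detection_rate, target_false_fraction
    return t * d * b / ((1.0 - t) * (1.0 - b))


def base_rate_sweep(detection_rate, false_positive_rate, base_rates):
    """Fraction of false alarms as the attack base rate varies, detector held fixed."""
    return [(b, false_alarm_fraction(b, detection_rate, false_positive_rate)) for b in base_rates]


if __name__ == "__main__":
    print(f"slide's numbers: {false_alarm_fraction(0.01, 0.90, 0.10):.1%} of alarms are false")
    print("for 50/50 alarms at a 1% base rate, Pr(alarm | valid) must be <= "
          f"{max_false_positive_rate(0.01, 0.90, 0.50):.4f}")
    for b, frac in base_rate_sweep(0.90, 0.10, [0.5, 0.1, 0.01, 0.001]):
        print(f"base rate {b:>6.1%}: {frac:6.1%} of alarms are false")
```

The sweep shows the fallacy directly: the same 90%/10% detector gives 10% false alarms at a 50% base rate and over 99% at a 0.1% base rate.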

Page 26: The Stages of a Network Intrusion

1. Scan the network to:
   • locate which IP addresses are in use,
   • what operating system is in use,
   • what TCP or UDP ports are "open" (being listened to by servers).
2. Run "exploit" scripts against open ports.
3. Get access to a shell program which is "suid" (has "root" privileges).
4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.

Page 27: Where are IDS employed?

• Host-based intrusion detection
  • Monitor activity on a single host
  • Advantage: better visibility into the behavior of individual applications running on the host
• Network-based intrusion detection (NIDS)
  • Often placed on a router or firewall
  • Monitor traffic, examine packet headers and payloads
  • Advantage: a single NIDS can protect many hosts and look for global patterns

Page 28: Distributed Intrusion Detection

• Major issues in design:
  • Need to deal with different audit record formats
  • One or more nodes in the network will serve as collection points for data, which must then be transmitted securely
  • A centralized or decentralized architecture can be used
  • Requires coordination and cooperation

Page 29: Distributed Intrusion Detection System

• Developed at Univ. of California-Davis:
  • Host agent module: collects data on security events in hosts and transmits it to the central manager
  • LAN monitor agent module: analyzes LAN traffic and reports to the central manager
  • Central manager module: receives reports and correlates them to detect intrusion

Page 30:

Distributed Intrusion Detection

Developed at University of California at Davis

Page 31:

Distributed Intrusion Detection

Page 32: HONEYPOTS

• Relatively recent intrusion detection technology
• Honeypots are decoy systems designed to lure a potential attacker away from critical systems:
  • divert the attacker from accessing critical systems
  • collect information about the attacker's activities
  • encourage the attacker to stay on the system long enough for administrators to respond
• Filled with fabricated information designed to appear valuable, but which a legitimate user wouldn't access

Page 33: Intrusion Detection Exchange Format

• Standards are needed to facilitate IDS that can function across a wide range of platforms and environments
• Currently being developed by an IETF (Internet Engineering Task Force) working group (see http://www.ietf.org)

Page 34: Host Based IDS

• Use OS auditing and monitoring mechanisms to find applications taken over by an attacker
  • Log all system events (e.g., file accesses)
  • Monitor shell commands and system calls executed by user applications and system programs
  • Pay a price in performance if every system call is filtered
• Killer application: detect rootkits
• Con: need an IDS for every machine
• Con: if the attacker takes over the machine, he can tamper with IDS binaries and modify audit logs
• Con: only a local view of the attack

Page 35: RootKit

• A rootkit is a set of Trojan system binaries
• Emerged in 1994, evolved since then
• Typical infection path:
  • Use a stolen password or dictionary attack to log in
  • Use a buffer overflow in rdist, sendmail, loadmodule, rpc.ypupdated, lpr, or passwd to gain root access
  • Download the rootkit by FTP, unpack, compile and install
• Includes a sniffer (to record users' passwords)
• Hides its own presence!
  • Installs hacked binaries for netstat, ps, ls, du, login
  • Modified binaries have the same checksum as the originals
  • Can't detect the attacker's processes, files or network connections by running standard UNIX commands!

Page 36: Detecting Rootkit Presence

• Sad way to find out
  • Run out of physical disk space because of sniffer logs
  • Logs are invisible because du and ls have been hacked!
• Manual confirmation
  • Reinstall a clean ps and see what processes are running
• Automatic detection
  • The rootkit does not alter the data structures normally used by netstat, ps, ls, du, ifconfig
  • Host-based intrusion detection can find rootkit files
  • …assuming an updated version of the rootkit did not disable your intrusion detection system!

Page 37: Tripwire

• File integrity checker
  • Records hashes of critical files and binaries
  • Recorded hashes must be in read-only memory (why?)
  • Periodically checks that files have not been modified; verifies sizes, dates, permissions
• Good for detecting rootkits
• Can be subverted by a clever rootkit
  • Install a backdoor inside a continuously running system process (no changes on disk!)
  • Modify the database of file attributes
  • Copy old files back into place before Tripwire runs

Page 38: Network Based IDS

• Inspect network traffic
  • For example, use tcpdump to sniff packets on a router
  • Passive (unlike packet-filtering firewalls)
  • Default action: let traffic pass (unlike firewalls)
• Watch for protocol violations, unusual connection patterns, attack strings in packet payloads
  • Check packets against rule sets
• Con: can't inspect encrypted traffic (IPSec, VPNs)
• Con: not all attacks arrive from the network
• Con: must record and process a huge amount of traffic

Page 39: Popular IDS

• Snort
  • Most popular open-source tool
  • Large rule sets for known vulnerabilities, for example:
    "Date: 2005-04-05 Synopsis: the Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting various implementations of Telnet […] Programming errors in the telnet client code from various vendors may present an attacker with the opportunity to overflow a fixed length buffer […] Rules to detect attacks against this vulnerability are included in this rule pack"
• Bro (www.bro-ids.org)
  • Developed by Vern Paxson at Lawrence Berkeley Labs
  • Separates data collection and security decisions
    • The Event Engine distills the packet stream into high-level events describing what's happening on the network
    • The Policy Script Interpreter uses a script defining the network's security policy to decide what to do in response

Page 40: Detecting Backdoors with NIDS

• Look for telltale signs of sniffer and rootkit activity
• Entrap sniffers into revealing themselves
  • Use bogus IP addresses and username/password pairs; open bogus TCP connections, then measure ping times
  • A sniffer may try a reverse DNS query on the planted address; a rootkit may try to log in with the planted username
  • If a sniffer is active, latency will increase
  • A clever sniffer can use these to detect NIDS presence!
• Detect the attacker returning to his backdoor
  • Small packets with large inter-arrival times
  • Simply search for the root shell prompt "# " (!!)

Page 41: Attacks on Network-Based IDS

• Overload the NIDS with huge data streams, then attempt the intrusion
  • Bro solution: watchdog timer
    • Check that all packets are processed by Bro within T seconds; if not, terminate Bro and use tcpdump to log all subsequent traffic
• Hide malicious data by splitting it into multiple packets
  • The NIDS does not have full TCP state and does not always understand every command of the receiving application
  • Simple example: send "ROB<DEL><BS><BS>OT"; the receiving application may reassemble it to "ROOT"

Page 42: Detecting Attack Strings

• Want to detect "USER root" in the packet stream
• Scanning for it in every packet is not enough
  • The attacker can split the attack string into several packets; this will defeat a stateless NIDS
• Recording the previous packet's text is not enough
  • The attacker can send packets out of order
• Full reassembly of TCP state is not enough
  • The attacker can use TCP tricks so that certain packets are seen by the NIDS but dropped by the receiving application
  • Manipulate checksums, TTL (time-to-live), fragmentation

Page 43: TCP Attacks on NIDS

[Figure: two diagrams of the segment stream "U S E R r o o t" passing a NIDS on its way to the destination; only the labels survive extraction.]

• Insertion attack: the attacker inserts a packet carrying "X" with a bogus checksum. The NIDS reads the stream as "U S E R r X o o t", while the destination drops the bogus packet ("Dropped") and sees the genuine stream.
• TTL attack: the path is labelled 10 hops and 8 hops. The inserted "X" packet is sent with TTL=12 and the genuine packets with TTL=20; the short TTL ensures the inserted packet reaches the NIDS but doesn't reach the destination ("Dropped (TTL expired)").
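An added example in Python (not code from the slides or from Bro): a toy NIDS payload matcher run over constructed segment streams mirroring slides 42 and 43. It shows why per-packet scanning and arrival-order concatenation miss a split or reordered "USER root", and how a normalizing reassembler that discards what the receiver would also discard (bad checksum, a TTL that cannot survive the remaining hops) closes the insertion gaps. The segment layout, the checksum_ok flag standing in for checksum verification, the first-copy-wins overlap rule and the hop count to the target are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

ATTACK_STRING = b"USER root"   # the string slide 42 wants to detect


@dataclass
class Segment:
    seq: int              # TCP sequence number of the first payload byte
    payload: bytes
    ttl: int              # IP TTL as observed at the NIDS
    checksum_ok: bool     # result of the NIDS verifying the TCP checksum (constructed)


def stateless_scan(segments: List[Segment]) -> bool:
    """Look for the attack string inside each packet on its own."""
    return any(ATTACK_STRING in s.payload for s in segments)


def arrival_order_scan(segments: List[Segment]) -> bool:
    """Concatenate payloads in arrival order; no sequence-number handling."""
    return ATTACK_STRING in b"".join(s.payload for s in segments)


def normalized_stream(segments: List[Segment], hops_to_target: Optional[int] = None) -> bytes:
    """Reassemble as the receiving host would: drop segments that fail the checksum or whose TTL
    expires before the destination, order the rest by sequence number, first copy of a byte wins."""
    stream = {}
    for s in sorted(segments, key=lambda s: s.seq):
        if not s.checksum_ok:
            continue                                  # receiver drops it: must not shadow real data
        if hops_to_target is not None and s.ttl <= hops_to_target:
            continue                                  # TTL expires en route: receiver never sees it
        for offset, byte in enumerate(s.payload):
            stream.setdefault(s.seq + offset, byte)   # assumption: earlier copy of a byte wins
    return bytes(stream[k] for k in sorted(stream))


def normalized_scan(segments: List[Segment], hops_to_target: Optional[int] = None) -> bool:
    return ATTACK_STRING in normalized_stream(segments, hops_to_target)


# Constructed segment streams (assumptions); the application receives "USER root" in every case.
SPLIT = [Segment(0, b"USE", 10, True), Segment(3, b"R ro", 10, True), Segment(7, b"ot", 10, True)]
OUT_OF_ORDER = [SPLIT[2], SPLIT[0], SPLIT[1]]
# Insertion attack of slide 43: a bogus-checksum "X" that the receiver drops but a naive NIDS keeps.
INSERTION = [Segment(0, b"USER r", 10, True), Segment(6, b"X", 10, False), Segment(6, b"oot", 10, True)]
# TTL attack of slide 43: the "X" reaches the NIDS but its TTL expires before the target 8 hops on.
TTL_TRICK = [Segment(0, b"USER r", 10, True), Segment(6, b"X", 2, True), Segment(6, b"oot", 10, True)]

if __name__ == "__main__":
    cases = [("split", SPLIT), ("out-of-order", OUT_OF_ORDER), ("insertion", INSERTION), ("ttl", TTL_TRICK)]
    for name, segs in cases:
        print(f"{name:13s} stateless={stateless_scan(segs)!s:5} arrival={arrival_order_scan(segs)!s:5} "
              f"normalized={normalized_scan(segs, hops_to_target=8)}")
```

Without the hop count (`hops_to_target=None`) the TTL case is still missed: the NIDS sees a checksum-valid "X" and has no way to know the receiver will not.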

Page 44: Intrusion Detection Summary

• No bullet-proof solutions; a constant arms race
• Increasing diversity of traffic = challenge for NIDS
  • Lots of anomalous, but benign, junk
  • Vern Paxson on stuff they've seen on a DMZ:
    • Storms of 10,000+ FIN or RST packets due to TCP bugs
    • Horrible fragmentation
    • TCPs that acknowledge data that was never sent
    • TCPs that retransmit different data from what was sent
• False alarms are THE problem for IDS
  • "The Boy Who Cried Wolf" (base-rate fallacy)
  • Can't flag every anomaly as an attack

Page 45: Storing UNIX Passwords

• UNIX passwords were kept in a publicly readable file, /etc/passwd.
• Now they are kept in a "shadow" directory and are visible only to "root".

Page 46: Password Management

• The front line of defense against intruders is the password system:
  • User ID: determines if the user is authorized to gain access, and determines the privileges accorded to the user
  • Password: authenticates the ID of the individual

Page 47: Managing Passwords

• Need policies and good user education
• Ensure every account has a default password
• Ensure users change the default passwords to something they can remember
• Protect the password file from general access
• Set technical policies to enforce good passwords
  • minimum length (>6)
  • require a mix of upper & lower case letters, numbers, punctuation
  • block known dictionary words

Page 48: Managing Passwords

• May reactively run password guessing tools
  • note that good dictionaries exist for almost any language/interest group
• May enforce periodic changing of passwords
• Have the system monitor failed login attempts, and lock out the account if it sees too many in a short period
• Need to educate users and get their support
• Balance requirements with user acceptance
• Be aware of social engineering attacks

Page 49: Proactive Password Checking

• Most promising approach to improving password security
• Allow users to select their own password, but have the system verify it is acceptable
  • simple rule enforcement (see previous slide)
  • compare against a dictionary of bad passwords
  • use an algorithmic technique (Markov model or Bloom filter) to detect poor choices

Page 50: UNIX Password System

• User selects a password (5-8 characters)
• Converted to a 56-bit value used as the key to an encryption routine, crypt(3), based on DES
• Modified using a 12-bit "salt" value related to the time at which the password was assigned
  • prevents duplicates from being visible in the password file
  • increases the length of the password
  • prevents use of a hardware implementation of DES
• The output is encrypted 25 more times

Page 51:

UNIX Password Scheme

Loading a new password

Page 52:

UNIX Password Scheme

Verifying a password file

Page 53: Threats to Password Files

• The encryption scheme is designed to discourage guessing, but users can gain access on a machine using a guest account and run a password guessing program or "cracker"
• If an opponent can gain access to the password file, the cracker can be run on another machine
• Cracker programs are getting better and hardware executes them faster… (see p. 312)

Page 54: Password Capture

• Another attack involves password capture
  • watching over the shoulder as the password is entered
  • using a trojan horse program to collect it
  • monitoring an insecure network login (e.g. telnet, FTP, web, email)
  • extracting recorded info after a successful login (web history/cache, last number dialed, etc.)
• Using a valid login/password, the attacker can impersonate the user
• Users need to be educated to use suitable precautions/countermeasures

Page 55: Password Guessing

• One of the most common attacks
• The attacker knows a login (from email/web page etc.), then attempts to guess the password for it
  • try default passwords shipped with systems
  • try all short passwords
  • then try by searching dictionaries of common words
  • intelligent searches try passwords associated with the user (variations on names, birthday, phone, common words/interests)
  • before exhaustively searching all possible passwords
• Check by login attempt or against a stolen password file
• Success depends on the password chosen by the user
  • Surveys show many users choose poorly

Page 56: Password Selecting Strategies

• User education: passwords must be long and complex enough (many choose passwords <= 3 characters) and not easily guessable
• Computer-generated passwords: hard to remember
• Reactive password checking: randomly checks passwords, cancels ones that are guessed
• Proactive password checking: check at time of creation, reject any that are too simple

Page 57: Proactive Password Checkers

• Two techniques for rejecting words on a list show promise:
  • Markov model: based on the structure of passwords
  • Spafford: based on use of a Bloom filter

Page 58: Markov Model

• The example shows a language consisting of 3 characters (as a finite state machine) and the probability of the letters in a sequence.
• The state at any time is the most recent letter
• The value on a transition is the probability that one letter follows another
• A Markov model is a quadruple [m, A, T, k], where m is the number of states, A is the state space, T is the matrix of transition probabilities and k is the order of the model.

Page 59:

Markov Model

Page 60: Transition Matrix

• For a second-order model, determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth character.
• For each bigram ij, calculate f(i,j,·) as the total number of trigrams beginning with ij.
• Compute the entries of T as follows:

$$T(i,j,k) = \frac{f(i,j,k)}{f(i,j,\cdot)}$$

Page 61: Markov Model

• The resulting model reflects the structure of the words in a dictionary. "Is this a bad password?" becomes "Can this string be generated by the Markov model?"
• A statistical test can be done to see if the password is likely and, if so, it is rejected.
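An added example in Python (not the slides' or Stallings' code): build the second-order transition matrix T(i,j,k) = f(i,j,k)/f(i,j,·) of slide 60 from a constructed dictionary, then apply the likelihood test of slide 61, rejecting a candidate whose average per-transition log probability is at least that of the least likely dictionary word, so that every dictionary word and dictionary-like strings are rejected while a random string passes. The dictionary, the padding symbols that model word boundaries, the 1e-6 floor for unseen trigrams and the threshold rule are assumptions.

```python
import math
from collections import defaultdict

START, END = "^", "$"   # padding so that word beginnings and endings are modelled too

# Constructed toy dictionary of bad passwords (assumption, not the page's data).
DICTIONARY = [
    "password", "passport", "secret", "letmein", "welcome", "monkey", "dragon",
    "master", "login", "admin", "sunshine", "princess", "football", "shadow",
    "michael", "jennifer", "computer", "security", "network", "hacker",
]


def build_transition_matrix(words):
    """T(i,j,k) = f(i,j,k) / f(i,j,.) over the trigrams of the padded dictionary words."""
    f = defaultdict(int)          # f(i,j,k): trigram counts
    f_prefix = defaultdict(int)   # f(i,j,.): number of trigrams beginning with ij
    for w in words:
        s = START + START + w.lower() + END
        for i, j, k in zip(s, s[1:], s[2:]):
            f[(i, j, k)] += 1
            f_prefix[(i, j)] += 1
    return {(i, j, k): n / f_prefix[(i, j)] for (i, j, k), n in f.items()}


def avg_log_probability(T, candidate, floor=1e-6):
    """Average log T over the candidate's transitions: how readily the model generates it.
    Trigrams never seen in the dictionary get a small floor probability (assumption)."""
    s = START + START + candidate.lower() + END
    logs = [math.log(T.get((i, j, k), floor)) for i, j, k in zip(s, s[1:], s[2:])]
    return sum(logs) / len(logs)


class MarkovPasswordChecker:
    def __init__(self, words):
        self.T = build_transition_matrix(words)
        # Threshold rule (assumption): every dictionary word must be rejected, so the bar is the
        # score of the least likely dictionary word; anything at least that likely is rejected.
        self.threshold = min(avg_log_probability(self.T, w) for w in words)

    def is_rejected(self, candidate):
        return avg_log_probability(self.T, candidate) >= self.threshold


if __name__ == "__main__":
    checker = MarkovPasswordChecker(DICTIONARY)
    for pw in ("password", "passwork", "Ij4Gf4Se%f#"):   # last one is slide 9's good password
        print(f"{pw:12s} score={avg_log_probability(checker.T, pw):7.2f} "
              f"rejected={checker.is_rejected(pw)}")
```

"passwork" is not in the dictionary but every one of its trigrams is, so the model generates it about as readily as a real dictionary word and it is rejected; the slide-9 password contains characters the model has never seen and passes.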

Page 62: Bloom Filter

• A Bloom filter of order k consists of a set of k independent hash functions, H1(x), H2(x), … Hk(x), where each function maps a password into a hash value in the range 0 to N-1.

Page 63: Spafford (Bloom Filter)

$$H_i(X_j) = y, \qquad 1 \le i \le k,\; 1 \le j \le D,\; 0 \le y \le N-1$$

where

• D = number of words in the password dictionary
• X_j = jth word in the password dictionary

The following procedure is then applied to the dictionary:

1. A hash table of N bits is defined, with all bits initially set to 0.
2. For each password, its k hash values are calculated, and the corresponding bits in the hash table are set to 1.
3. When a password is presented, its hash values are calculated and, if all bits = 1, it is rejected.

Page 64: Spafford (Bloom Filter)

• Design the hash scheme to minimize false positives. Probability of a false positive:

$$P \approx \left(1 - e^{-kD/N}\right)^k = \left(1 - e^{-k/R}\right)^k$$

or, equivalently,

$$R = \frac{-k}{\ln\left(1 - P^{1/k}\right)}$$

where

• k = number of hash functions
• N = number of bits in the hash table
• D = number of words in the dictionary
• R = N/D, the ratio of hash table size (bits) to dictionary size (words)

Page 65: Performance of Bloom Filter

• The graph plots the probability P as a function of R (the ratio of the hash table size to the dictionary size).
• Can achieve a compression by a factor of about 7 (hash table storage of 1.2MB for an 8MB dictionary)
• Password checking involves computing 6 hash functions, independent of the size of the dictionary and without substantial searching
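As an added example (not Spafford's code), this Python implements the three-step procedure of slide 63 with k hash functions H_i derived from SHA-256, sizes the table with the slide-64 formula R = -k / ln(1 - P^{1/k}), and compares the predicted false-positive probability (1 - e^{-k/R})^k against the rate measured on non-dictionary probes, reproducing the slide-65 curve for k = 6. The hash construction, the constructed dictionary and the probe strings are assumptions.

```python
import hashlib
import math


class SpaffordBloomFilter:
    """Bloom filter of order k over an N-bit table (slides 62-63)."""

    def __init__(self, n_bits: int, k: int):
        self.N, self.k = n_bits, k
        self.table = bytearray((n_bits + 7) // 8)       # step 1: N bits, all 0

    def hashes(self, word: str):
        """H_1(x)..H_k(x), each in 0..N-1; assumption: derived from SHA-256 of (i, word)."""
        for i in range(1, self.k + 1):
            digest = hashlib.sha256(f"{i}:{word}".encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.N

    def add(self, word: str) -> None:
        for h in self.hashes(word):                     # step 2: set the k bits of a dictionary word
            self.table[h >> 3] |= 1 << (h & 7)

    def is_rejected(self, password: str) -> bool:
        """Step 3: reject when all k bits are 1 (a dictionary word, or a false positive)."""
        return all(self.table[h >> 3] & (1 << (h & 7)) for h in self.hashes(password))


def false_positive_probability(k: int, D: int, N: int) -> float:
    """P ~ (1 - e^{-kD/N})^k = (1 - e^{-k/R})^k with R = N/D (slide 64)."""
    R = N / D
    return (1.0 - math.exp(-k / R)) ** k


def table_bits_for(P: float, k: int, D: int) -> int:
    """Smallest N giving false-positive probability at most P: R = -k / ln(1 - P^{1/k}), N = R*D."""
    R = -k / math.log(1.0 - P ** (1.0 / k))
    return math.ceil(R * D)


# Constructed dictionary (assumption); Spafford's real dictionary was far larger.
DICTIONARY = [f"word{i:03d}" for i in range(200)] + ["password", "letmein", "welcome", "dragon"]
K = 6                                                   # slide 65: 6 hash functions


def build_filter(words=DICTIONARY, k=K, target_P=0.01):
    bf = SpaffordBloomFilter(table_bits_for(target_P, k, len(words)), k)
    for w in words:
        bf.add(w)
    return bf


def empirical_false_positive_rate(bf, probes):
    """Fraction of non-dictionary probes wrongly rejected; should sit close to the formula's P."""
    return sum(bf.is_rejected(p) for p in probes) / len(probes)


if __name__ == "__main__":
    bf = build_filter()
    probes = [f"probe{i}" for i in range(5000)]        # constructed strings not in the dictionary
    print(f"N={bf.N} bits for D={len(DICTIONARY)} words, k={K}: "
          f"predicted P={false_positive_probability(K, len(DICTIONARY), bf.N):.4f}, "
          f"measured P={empirical_false_positive_rate(bf, probes):.4f}")
    for R in (4, 6, 8, 10, 12):                         # the curve of slide 65
        print(f"R={R:2d}: P={false_positive_probability(K, 1000, R * 1000):.4f}")
```

With k = 6 the formula gives R ≈ 9.6 for P = 0.01, i.e. under ten bits of table per dictionary word, which is where the slide's compression factor comes from.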

Page 66:

Performance of Bloom Filter

Page 67: Reading Assignment

• Appendix 9A in Stallings: explains the base-rate fallacy
• Optional: "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" by Ptacek and Newsham (reference)

Page 68: Recommended Reading and WEB Sites

• Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990
• CERT Coordination Center (web site)
• AntiVirus Online (IBM's site)