chapter 4 q and a
8/11/2019 chapter 4 q and a
INFORMATION SECURITY
QUESTIONS AND ANSWERS
BY
Prof.R.G.HIREGOUDAR
Dept of CSE
TKIET Warananagar
CHAPTER 4: SYSTEM SECURITY
Q1. What are the different classes of intruders? Explain with examples.
Ans:
Three classes of intruders:
Masquerader: An individual who is not authorized to use the computer and who
penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs, or resources for which such
access is not authorized, or who is authorized for such access but misuses his or her
privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses
this control to evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider;
the misfeasor generally is an insider;
the clandestine user can be either an outsider or an insider.
Intruder attacks range from the benign to the serious. At the benign end of the scale, there
are many people who simply wish to explore networks and see what is out there. At the
serious end are individuals who are attempting to read privileged data, perform
unauthorized modifications to data, or disrupt the system.
Examples of intrusions:
Performing a remote root compromise of an e-mail server
Defacing a Web server
Guessing and cracking passwords
Copying a database containing credit card numbers
Viewing sensitive data, including payroll records and medical information, without
authorization
Running a packet sniffer on a workstation to capture usernames and passwords.
Q2. Explain the different approaches used for intrusion detection.
Ans:
There are two approaches to intrusion detection: statistical anomaly detection and
rule-based detection. The first is covered here.
1. Statistical anomaly detection:
Involves the collection of data relating to the behavior of legitimate users over a
period of time. Then statistical tests are applied to observed behavior to determine
with a high level of confidence whether that behavior is not legitimate user behavior.
a. Threshold detection:
This approach involves defining thresholds, independent of user, for the frequency of
occurrence of various events. Threshold detection involves counting the number of
occurrences of a specific event type over an interval of time. If the count surpasses what
is considered a reasonable number that one might expect to occur, then intrusion is
assumed. Because the threshold is the same for every user, threshold detection on its own
is a crude detector: it tends to produce many false positives (busy legitimate users) or
many false negatives (intruders who stay under the threshold).
b. Profile based: A profile of the activity of each user is developed and used
to detect changes in the behavior of individual accounts.
Examples of metrics that are useful for profile-based intrusion detection are
the following:
Counter: A nonnegative integer that may be incremented but not decremented until it is
reset by management action. Typically, a count of certain event types is kept over a
particular period of time. Examples include the number of logins by a single user during
an hour.
Gauge: A nonnegative integer that may be incremented or decremented. Typically, a
gauge is used to measure the current value of some entity. Examples include the number
of logical connections assigned to a user application and the number of outgoing
messages queued for a user process.
Interval timer: The length of time between two related events. An example is the
length of time between successive logins to an account.
detection system. One advantage of such an approach is that it could be made vendor
independent and ported to a variety of systems. The disadvantage is the extra overhead
involved in having, in effect, two accounting packages running on a machine.
Detection-specific audit record fields are:
Subject: Initiators of actions. A subject is typically a terminal user but might also be a
process acting on behalf of users or groups of users. All activity arises through commands
issued by subjects. Subjects may be grouped into different access classes, and these
classes may overlap.
Action: Operation performed by the subject on or with an object; for example, login,
read, perform I/O, execute.
Object: Receptors of actions. Examples include files, programs, messages, records,
terminals, printers, and user- or program-created structures. When a subject is the
recipient of an action, such as electronic mail, then that subject is considered an object.
Objects may be grouped by type. Object granularity may vary by object type and by
environment. For example, database actions may be audited for the database as a whole
or at the record level.
Exception-Condition: Denotes which, if any, exception condition is raised on return.
Resource-Usage: A list of quantitative elements in which each element gives the
amount used of some resource (e.g., number of lines printed or displayed, number of
records read or written, processor time, I/O units used, session elapsed time).
Time-Stamp: Unique time-and-date stamp identifying when the action took place.
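The following worked example is added here and is not part of the original notes or of any product. It builds audit records carrying the six detection-specific fields just listed, then runs the two statistical detectors from Q2 over them: user-independent threshold detection on failed logins, and profile-based detection using the counter and interval-timer metrics. The record layout, the accounts (alice, bob, carol, dave, erin, frank, mallory), the log lines, the 60-second window, the limit of 5 failed logins, the 3-sigma rule and the 0.1 gap factor are all constructed for illustration.

```python
"""Detection-specific audit records feeding statistical anomaly detection.

Added example, not from the original notes: the record format, the accounts, the log
lines and the thresholds are all constructed. Each line holds the six fields in the
order Time-Stamp, Subject, Action, Object, Exception-Condition, Resource-Usage."""
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import mean, pstdev

AuditRecord = namedtuple("AuditRecord", "timestamp subject action object exception resource")

# Constructed baseline (three days of normal activity) used to build per-subject profiles.
BASELINE_LOG = """\
2019-08-05T08:01:00 alice login tty1 ok cpu=1
2019-08-05T13:10:00 alice login tty1 ok cpu=1
2019-08-05T09:00:00 bob login tty2 ok cpu=1
2019-08-06T08:05:00 alice login tty1 ok cpu=1
2019-08-06T12:30:00 alice login tty1 ok cpu=1
2019-08-06T17:00:00 alice login tty1 ok cpu=1
2019-08-06T09:02:00 bob login tty2 ok cpu=1
2019-08-07T08:00:00 alice login tty1 ok cpu=1
2019-08-07T14:00:00 alice login tty1 ok cpu=1
2019-08-07T09:00:00 bob login tty2 ok cpu=1
2019-08-07T15:00:00 bob login tty2 ok cpu=1
"""
# Constructed observed day: a burst of failed logins across accounts, then alice
# logging in far more often than her profile allows, plus an account with no profile.
TODAY_LOG = """\
2019-08-11T02:00:00 alice login tty1 ok cpu=1
2019-08-11T02:00:30 alice login tty1 failed cpu=1
2019-08-11T02:00:35 alice login tty1 failed cpu=1
2019-08-11T02:00:40 carol login tty1 failed cpu=1
2019-08-11T02:00:45 dave login tty1 failed cpu=1
2019-08-11T02:00:50 erin login tty1 failed cpu=1
2019-08-11T02:00:55 frank login tty1 failed cpu=1
2019-08-11T02:01:00 alice login tty1 ok cpu=1
2019-08-11T02:05:00 alice login tty1 ok cpu=1
2019-08-11T02:10:00 alice login tty1 ok cpu=1
2019-08-11T02:20:00 alice login tty1 ok cpu=1
2019-08-11T03:00:00 mallory login tty3 ok cpu=1
2019-08-11T09:00:00 bob login tty2 ok cpu=1
"""

def parse(log):
    """Split each line into an AuditRecord; Resource-Usage is a list of k=v items."""
    records = []
    for line in log.splitlines():
        if line.strip():
            ts, subject, action, obj, exc, *res = line.split()
            usage = dict(kv.split("=", 1) for kv in res)
            records.append(AuditRecord(datetime.fromisoformat(ts), subject, action, obj, exc, usage))
    return sorted(records, key=lambda r: r.timestamp)

def threshold_detect(records, action, exception, window_seconds, max_count):
    """Threshold detection, independent of subject: count one (action, exception)
    pair in a sliding window and alarm when the count exceeds max_count."""
    times = [r.timestamp for r in records if (r.action, r.exception) == (action, exception)]
    alarms, j = [], 0
    for i, start in enumerate(times):
        while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
            j += 1
        if j - i > max_count:
            alarms.append((start, j - i))
    return alarms

def successful_logins(records):
    """Counter metric (logins per subject per day) and interval-timer metric
    (seconds between successive logins of the same subject)."""
    counts, gaps, last = defaultdict(lambda: defaultdict(int)), defaultdict(list), {}
    for r in records:
        if (r.action, r.exception) != ("login", "ok"):
            continue
        counts[r.subject][r.timestamp.date()] += 1
        if r.subject in last:
            gaps[r.subject].append((r.timestamp - last[r.subject]).total_seconds())
        last[r.subject] = r.timestamp
    return counts, gaps

def build_profiles(baseline):
    """Per-subject profile: mean and std of the daily counter, shortest baseline gap."""
    counts, gaps = successful_logins(baseline)
    return {s: {"mean": mean(list(d.values())), "std": pstdev(list(d.values())),
                "min_gap": min(gaps.get(s, [float("inf")]))} for s, d in counts.items()}

def profile_detect(profiles, observed, sigma=3.0, gap_factor=0.1):
    """Flag a subject whose counter exceeds mean + sigma*std (+1, so a flat baseline
    tolerates one extra login) or whose logins come much closer together than ever
    seen in the baseline. Subjects without a profile cannot be judged and are reported."""
    alarms = []
    counts, gaps = successful_logins(observed)
    for subject in sorted(counts):
        prof = profiles.get(subject)
        if prof is None:
            alarms.append((subject, "no profile"))
            continue
        limit = prof["mean"] + sigma * prof["std"] + 1
        for count in counts[subject].values():
            if count > limit:
                alarms.append((subject, "login count %d exceeds %.1f" % (count, limit)))
        short = [g for g in gaps[subject] if g < gap_factor * prof["min_gap"]]
        if short:
            alarms.append((subject, "%d inter-login gaps below %.0fs" % (len(short), gap_factor * prof["min_gap"])))
    return alarms
```

Run on the constructed data, threshold detection raises one alarm for the six failed logins inside one minute, which no single profile could see because they are spread across six accounts, while profile detection flags alice's login count and her unusually short inter-login gaps and leaves bob alone. The "no profile" result for mallory is the gap a real deployment has to close (a new account needs a default profile until it has history), and the +1 in the counter limit is the usual guard against a baseline with zero variance.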
Q4. Describe the architecture for a distributed intrusion detection system.
Ans:
The architecture for a distributed intrusion detection system described here is the one
developed at the University of California at Davis, which consists of three main
components:
Host agent module: An audit collection module operating as a background process on
a monitored system. Its purpose is to collect data on security-related events on the host
and transmit these to the central manager. Because a clandestine user who takes control
of a host can suppress audit collection there, the agent should forward records to the
central manager as they are produced rather than accumulating them locally.
LAN monitor agent module: Operates in the same fashion as a host agent module
except that it analyzes LAN traffic and reports the results to the central manager.
Central manager module: Receives reports from LAN monitor and host agents and
processes and correlates these reports to detect intrusion.
The scheme is designed to be independent of any operating system or system auditing
implementation.
Fig. Agent Architecture.
Q6. E"#lain Uni" #ass$rd sche%e &
Ans:
s'hen a user attempts to log on to a 57#8 system, the user provides an
#& and a password. The operating system uses the #& to index into the password file and
retrieve the plaintext salt and the encrypted password. The salt and user%supplied
-
8/11/2019 chapter 4 q and a
8/15
password are used as input to the encryption routine. #f the result matches the stored
value, the password is accepted.
The encryption routine is designed to discourage guessing attac!s.
0oftware implementations of &0 are slow compared to hardware versions, and the use
of 9 iterations multiplies the time reuired by 9. ;owever, since the original design of
this algorithm, two changes have occurred. 2irst, newer implementations of the algorithm
itself have resulted in speedups. 0econd, hardware performance continues to increase, so
that any software algorithm executes more uic!ly.
Thus, there are two threats to the 57#8 password scheme. 2irst, a user can gain access
on a machine using a guest account or by some other means and then run a password
guessing program, called a password crac!er, on that machine. The attac!er should be
able to chec! hundreds and perhaps thousands of possible passwords with little resource
consumption. #n addition, if an opponent is able to obtain a copy of the password file,
then a crac!er program can be run on another machine.
pronounceable, the user may have difficulty remembering it and so be tempted to write it
down. In general, computer-generated password schemes have a history of poor
acceptance by users. FIPS PUB 181 defines one of the best-designed automated password
generators (NIST withdrew the standard in 2015, so it is of historical interest only). The
standard includes not only a description of the approach but also a
complete listing of the C source code of the algorithm. The algorithm generates words by
forming pronounceable syllables and concatenating them to form a word. A random
number generator produces a random stream of characters used to construct the syllables
and words.
A reactive password checking strategy is one in which the system periodically runs its
own password cracker to find guessable passwords. The system cancels any passwords
that are guessed and notifies the user. This tactic has a number of drawbacks.
First, it is resource intensive if the job is done right. Because a determined opponent who
is able to steal a password file can devote full CPU time to the task for hours or even
days, an effective reactive password checker is at a distinct disadvantage.
Furthermore, any existing passwords remain vulnerable until the reactive password
checker finds them.
Proactive password checker: In this scheme, a user is allowed to select his or her own
password.
However, at the time of selection, the system checks to see if the password is allowable
and, if not, rejects it. Such checkers are based on the philosophy that, with sufficient
guidance from the system, users can select memorable passwords from a fairly large
password space that are not likely to be guessed in a dictionary attack.
The trick with a proactive password checker is to strike a balance between user
acceptability and strength. If the system rejects too many passwords, users will complain
that it is too hard to select a password. If the system uses some simple algorithm to define
what is acceptable, this provides guidance to password crackers to refine their guessing
technique. In the remainder of this subsection, we look at possible approaches to
proactive password checking.
Q. E"#lain -erall ta"n%( f %alici!s #r+ra%s&
Ans:
Q;. E"#lain T(#es f -ir!s &
A-ir!sclassification by tar+etincludes the following categories:
ecause
the bul! of the virus is encrypted with a different !ey for each instance, there is no
constant bit pattern to observe.
. Stealth -ir!s: A form of virus explicitly designed to hide itself from detection by
antivirus software.Thus, the entire virus, not /ust a payload is hidden.
Pl(%r#hic -ir!s: A virus that mutates with every infection, ma!ing detection by the
signatureB of the virus impossible.
Meta%r#hic -ir!s: As with a polymorphic virus, a metamorphic virus mutates with
every infection.The difference is that a metamorphic virus rewrites itself completely at
each iteration, increasing the difficulty of detection. =etamorphic viruses may change
their behavior as well as their appearance.
Q=. E"#lain >ir!s c!nter %eas!res &
+
E"#lain Anti-ir!s A##raches &
Ans:
2irst generation: simple scanners
0econd generation: heuristic scanners
Third generation: activity traps
2ourth generation: full%featured protection
A first*+eneratin scanner reuires a virus signature to identify a virus. The virus may
contain wildcardsB but has essentially the same structure and bit pattern in all copies.
0uch signature%specific scanners are limited to the detection of !nown viruses. Another
type of first%generation scanner maintains a record of the length of programs and loo!s
for changes in length.
A secnd*+eneratin scanner does not rely on a specific signature. +ather, the scanner
uses heuristic rules to search for probable virus infection. ne class of such scanners
loo!s for fragments of code that are often associated with viruses. 2or example, a scanner
may loo! for the beginning of an encryption loop used in a polymorphism virus and
discover the encryption !ey. nce the !ey is discovered, the scanner can decrypt the virus
to identify it, then remove the infection and return the program to service.
Another second%generation approach is integrity chec!ing. A chec!sum can be appended
to each program. #f a virus infects the program without changing the chec!sum, then an
integrity chec! will catch the change. To counter a virus that is sophisticated enough to
change the chec!sum when it infects a program, an encrypted hash function can be used.
The encryption !ey is stored separately from the program so that the virus cannot
generate a new hash code and encrypt that. >y using a hash function rather than a simpler
chec!sum, the virus is prevented from ad/usting the program to produce the same hash
code as before.
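The following worked example is added here and is not part of the original notes or of any antivirus product. It shows the two cases in the integrity-checking paragraph side by side: a simple additive checksum that a virus can restore after appending itself, and a keyed hash (HMAC-SHA256, the concrete form of the "encrypted hash" in the text) that it cannot forge without the key. The "program" bytes, the "virus" payload and the key are constructed; the padding trick in forge_checksum is one way a virus could adjust an infected file to keep an additive checksum unchanged.

```python
"""Integrity checking for antivirus: forgeable checksum versus keyed hash.

Added example, not from the notes. The program bytes, the virus payload and the key
are constructed; HMAC-SHA256 plays the role of the notes' 'encrypted hash' whose key
is kept away from the program (here: in the checker's memory, not on disk beside it)."""
import hashlib
import hmac

def checksum16(data):
    """Additive 16-bit checksum: the simple case a virus can adjust for."""
    return sum(data) & 0xFFFF

def keyed_hash(data, key):
    """HMAC-SHA256 over the program; only a holder of the key can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def infect(program, payload):
    """Model of a virus appending its own code to a program file."""
    return program + payload

def forge_checksum(infected, target):
    """What a virus 'sophisticated enough to change the checksum' does: append pad
    bytes whose sum brings the additive checksum back to the stored value."""
    diff = (target - checksum16(infected)) & 0xFFFF
    pad = bytearray()
    while diff > 0:
        pad.append(min(diff, 0xFF))
        diff -= min(diff, 0xFF)
    return infected + bytes(pad)

def verify_checksum(program, stored):
    return checksum16(program) == stored

def verify_keyed(program, stored, key):
    return hmac.compare_digest(keyed_hash(program, key), stored)

# Constructed stand-ins: an "executable", a virus body, and the checker's private key.
PROGRAM = b"\x7fELF" + bytes(range(64))
PAYLOAD = b"VIRUS_BODY" * 3
KEY = b"integrity-key-held-by-the-checker-not-on-disk"

def demo():
    """Infect PROGRAM, restore the checksum, then ask both checkers whether the file
    is intact. Returns (checksum fooled?, keyed hash fooled?)."""
    stored_cs = checksum16(PROGRAM)
    stored_mac = keyed_hash(PROGRAM, KEY)
    forged = forge_checksum(infect(PROGRAM, PAYLOAD), stored_cs)
    return verify_checksum(forged, stored_cs), verify_keyed(forged, stored_mac, KEY)
```

demo() returns (True, False): the forged file passes the additive checksum and fails the keyed hash. A plain unkeyed cryptographic hash would also fail the forged file, but a virus that can write the program can usually write the stored hash beside it; the key is what stops it from writing a matching value, which is why the text insists the key be stored separately.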
Third-generation programs are memory-resident programs that identify a virus by its
actions rather than its structure in an infected program. Such programs have the advantage
that it is not necessary to develop signatures and heuristics for a wide array of viruses.
Rather, it is necessary only to identify the small set of actions that indicate an infection is
being attempted and then to intervene.
Fourth-generation products are packages consisting of a variety of antivirus techniques
used in conjunction. These include scanning and activity trap components.
In addition, such a package includes access control capability, which limits the ability of
viruses to penetrate a system and then limits the ability of a virus to update files in order
to pass on the infection.
Advanced Antivirus Techniques:
Generic Decryption: Generic decryption (GD) technology enables the antivirus program
to easily detect even the most complex polymorphic viruses while maintaining fast
scanning speeds. A GD scanner contains the following elements:
CPU emulator: A software-based virtual computer. Instructions in an executable file are
interpreted by the emulator rather than executed on the underlying processor. The
emulator includes software versions of all registers and other processor hardware, so that
the underlying processor is unaffected by programs interpreted on the emulator.
Virus signature scanner: A module that scans the target code looking for known virus
signatures.
Emulation control module: Controls the execution of the target code.
Q1?. E"#lain 2ifferent T(#es f fire$alls&
1. Pac9et*filterin+ R!ter:
Applies a set of rules to each incoming #$ pac!et and then forwards or discards
he pac!et
2ilter pac!ets going in both directions The pac!et filter is typically set up as a list of rules based on matches to fields in
the #$ or T)$ header
Two default policies 3discard or forward4
Ad-anta+es:
C 0implicityC Transparency to users
C ;igh speed
2isad-anta+es:
C &ifficulty of setting up pac!et filter rules
C 6ac! of Authentication
/.A##licatin*le-el ,ate$a(
a. Also called proxy server
b. Acts as a relay of application%level traffic
Ad-anta+es:
c. ;igher security than pac!et filters
d. nly need to scrutinize a few allowable applications
e. asy to log and audit all incoming traffic
2isad-anta+es:
f. Additional processing overhead on each connection 3gateway as splice
point4.
0.Circ!it*le-el ,ate$a(
g. 0tand%alone system or
h. 0pecialized function performed by an Application%level (ateway
-
8/11/2019 chapter 4 q and a
15/15
i. 0ets up two T)$ connections
/. The gateway typically relays T)$ segments from one connection to
the other without examining the contents
4. Screened hst fire$all@ d!al*h%ed )astin cnfi+!ratin
a. The pac!et%filtering router is not completely compromised
b. Traffic between the #nternet and other hosts on the private networ! has to
flow through the bastion host.
7i+. T(#es f fire$alls
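The following worked example is added here and is not part of the original notes or of any firewall product. It implements the packet-filtering router from item 1: a rule table matched against IP and TCP header fields, first matching rule wins, filtering in both directions, with the default policy applied to anything that matches no rule. The rule table, the addresses and the sample packets are constructed: 10.1.0.0/16 is the assumed internal network and 10.1.0.25 the assumed mail host.

```python
"""Stateless packet-filtering router, as an added example (not from the notes).

The rule table, the addresses and the packets are constructed: 10.1.0.0/16 is the
assumed internal network and 10.1.0.25 the assumed mail host."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" = arriving from the Internet, "out" = leaving
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"ACK"}

@dataclass(frozen=True)
class Rule:
    """One row of the filter table; '*' means 'any' for that field."""
    action: str                     # "forward" or "discard"
    direction: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: object = "*"
    ack: object = "*"               # True: ACK must be set, False: must be clear
    comment: str = ""

    def matches(self, p):
        return (self.direction in ("*", p.direction)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and self.dport in ("*", p.dport)
                and self.ack in ("*", "ACK" in p.flags))

class PacketFilter:
    """First matching rule decides; a packet matching no rule gets the default policy."""
    def __init__(self, rules, default="discard"):
        self.rules, self.default = list(rules), default

    def decide(self, p):
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                return rule.action, i
        return self.default, None

INTERNAL = "10.1.0.0/16"        # constructed internal network
MAIL_HOST = "10.1.0.25/32"      # constructed mail host
RULES = [
    Rule("discard", direction="in", src=INTERNAL,
         comment="anti-spoofing: an internal source address cannot arrive from outside"),
    Rule("forward", direction="in", dst=MAIL_HOST, proto="tcp", dport=25,
         comment="inbound SMTP to the mail host"),
    Rule("forward", direction="out", src=INTERNAL, proto="tcp",
         comment="internal hosts may open outbound TCP connections"),
    Rule("forward", direction="in", dst=INTERNAL, proto="tcp", ack=True,
         comment="return traffic for outbound connections (ACK set)"),
]

# Constructed packets exercising each rule plus the default policy.
SAMPLE = [
    Packet("in", "192.0.2.7", "10.1.0.25", "tcp", 25, frozenset({"SYN"})),      # legitimate SMTP
    Packet("in", "10.1.0.9", "10.1.0.25", "tcp", 25, frozenset({"SYN"})),       # spoofed source
    Packet("in", "192.0.2.7", "10.1.0.40", "tcp", 22, frozenset({"SYN"})),      # unsolicited SSH
    Packet("in", "192.0.2.7", "10.1.0.40", "tcp", 51000, frozenset({"ACK"})),   # reply to outbound
    Packet("out", "10.1.0.40", "192.0.2.7", "tcp", 443, frozenset({"SYN"})),    # outbound HTTPS
]

def evaluate(packets, default="discard"):
    """Return the forward/discard decision for each packet under the given default."""
    pf = PacketFilter(RULES, default)
    return [pf.decide(p)[0] for p in packets]
```

With the conservative default, evaluate(SAMPLE) gives forward, discard, discard, forward, forward; switching the default to "forward" lets the unsolicited SSH connection through, which is the practical content of the "two default policies" point. The last rule also shows the weakness of a stateless filter that the notes' "lack of authentication" hints at: it cannot tell a genuine reply from any packet an attacker sends with the ACK bit set, so return traffic is really only safe to admit with a stateful filter or a circuit-level gateway.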