Intruder Detection
7/30/2019
Intruder Detection
Bryan Pearsaul
-
Outline
Overview
Intruder Detection
Intruder Prevention
Intruder Detection Systems
Anomaly Detection
Misuse Detection
Examples
Limitations/Drawbacks
-
Overview
Intrusion: a user takes an action that they are not authorized to take
Whether they meant to take that action or not
Increasingly important as we rely more and more on computer systems for the correct functioning of society
-
Intruder Detection
Determining whether an intruder has gained, or has attempted to gain, unauthorized access to the system
Two groups of intruders:
External
Internal
Ways to combat intrusion:
Intruder Prevention
Intruder Detection Systems
-
Intruder Prevention
Requiring passwords to be submitted before users can access the system
Fixing or patching known vulnerabilities
Blocking network access
Restricting physical access
-
Intruder Detection Systems
First became needed in the late 70s
Originally used with single systems
The OS produced audit records that were processed by the IDS
IDS has since expanded to distributed systems and networks
Two main approaches:
Anomaly Detection
Misuse Detection
-
IDS Anomaly Detection
Static and Dynamic Anomalies
IDS distinguishes between normal and the anomaly
Define normal behavior or correct static form
Detect changes in form or anomalous behavior
-
Static Anomaly Detection
Some part of the system should remain constant
Determines intrusions based on data integrity
Define the static part as strings of binary bits
If the strings are ever modified, then there has been either an error or an intrusion
-
Static Anomaly Detection
System bit strings are compressed into representations of the system called signatures
The stored signature is then compared at certain time intervals to the current system signature
Knowledge about the structure of objects in the system (meta-data) can also be incorporated into the system
-
Tripwire
Performs intruder detection using file integrity checking
Uses signatures and UNIX file meta-data
Configuration file specifies attributes of files
Builds a selection mask for each file and directory that contains a flag for each distinct field in a UNIX i-node
-
Tripwire
Each file has at least one signature computed from the bit string of the file
Selection masks and the set of signatures are stored in a database
User-scheduled integrity checks are performed on the signatures and the attributes
Any changes are pointed out and security staff can be notified
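The static-anomaly scheme of the last four slides, as an added Python example (not Tripwire's own code): a baseline database of per-path selection masks, i-node attributes and a content signature, followed by an integrity check that reports added, removed and changed paths. The mask letters, the configuration table, the sample file tree and the tampering steps are constructed for this illustration, and SHA-256 stands in for the signature functions Tripwire shipped.

```python
"""Tripwire-style file-integrity checker: an added illustration, not Tripwire's own code.

Baseline pass: for every file and directory under a root, record the i-node fields
selected by a per-path selection mask plus a content signature (SHA-256 here; Tripwire
used several signature functions). Check pass: recompute and report anything that drifted.
"""
import hashlib
import stat
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Selection-mask letters (constructed for this example): p mode bits, u owner uid,
# g group gid, s size, m mtime, i inode number, H content signature.
ALL_FIELDS = "pugsmiH"

# Hypothetical configuration: first matching glob wins. A log file is expected to
# grow, so its mask omits size, mtime and signature; everything else is fully watched.
CONFIG = [("*.log", "pugi"), ("*", ALL_FIELDS)]


def mask_for(relpath: str) -> str:
    return next(mask for pattern, mask in CONFIG if fnmatch(relpath, pattern))


def signature(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path: Path, mask: str) -> dict:
    """Attribute record for one path, restricted to the fields in its mask."""
    st = path.lstat()
    fields = {"p": stat.S_IMODE(st.st_mode), "u": st.st_uid, "g": st.st_gid,
              "s": st.st_size, "m": int(st.st_mtime), "i": st.st_ino}
    record = {k: v for k, v in fields.items() if k in mask}
    if "H" in mask and path.is_file():
        record["H"] = signature(path)
    return record


def build_database(root: Path) -> dict:
    """Baseline database: relative path -> (selection mask, attribute record)."""
    db = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        mask = mask_for(rel)
        db[rel] = (mask, describe(p, mask))
    return db


def check(root: Path, db: dict) -> dict:
    """Integrity check against the baseline: added, removed and changed paths."""
    present = {p.relative_to(root).as_posix() for p in root.rglob("*")}
    report = {"added": sorted(present - db.keys()),
              "removed": sorted(db.keys() - present), "changed": {}}
    for rel in sorted(db.keys() & present):
        mask, old = db[rel]
        new = describe(root / rel, mask)          # re-evaluate with the stored mask
        diff = {k: (old[k], new.get(k)) for k in old if old[k] != new.get(k)}
        if diff:
            report["changed"][rel] = diff
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        login = root / "bin" / "login"
        login.write_bytes(b"#!/bin/sh\nexec /sbin/real_login\n")
        login.chmod(0o755)
        (root / "messages.log").write_text("boot ok\n")
        db = build_database(root)

        # 1. Legitimate growth of the log: invisible, its mask ignores size/mtime/content.
        with (root / "messages.log").open("a") as f:
            f.write("user alice logged in\n")
        # 2. Trojaned program of identical size: caught by the signature, not by "s".
        login.write_bytes(b"#!/bin/sh\nexec /tmp/.real_login\n")
        # 3. Setuid bit added: caught by the mode field.
        login.chmod(0o4755)
        # 4. A file dropped into bin/: reported as added.
        (root / "bin" / "sh.bak").write_bytes(b"")
        return check(root, db)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Running it reports bin/login as changed in both its signature and its mode bits, bin/sh.bak as added, and nothing for the growing log. The check is only as trustworthy as its baseline: if the database and the checker itself sit writable on the monitored host, an intruder edits them along with the files, which is why Tripwire's design keeps the database on read-only or offline media.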
-
Dynamic Anomaly Detection
Also known as Statistical-Based IDS
More difficult than detecting static string changes
Define profiles for each user to characterize normal behavior
User choices: log-in time, favorite programs
User sequence of actions
User CPU usage / network activity
-
Dynamic Anomaly Detection
Statistical distributions are formed from the profiles and compared to the current user profile
The anomalous boundary is established as some number of standard deviations off the mean
Profiles can be gradually changed to reflect user behavioral changes over time
-
NIDES
Next-Generation Intrusion Detection Expert System
Builds statistical profiles of users by taking measures that fall into three classes:
Audit record distributions: types of audit records generated over a period of time
Categorical: user name, names of files accessed
Continuous: any measure in which the outcome is how often something occurred, e.g. total number of open files, number of pages read off secondary storage
-
NIDES
Stores user statistics in profiles, such as frequencies, means and variances
Detects anomalous behavior by comparing measures of the current user profile to measures in the stored user profile
Uses a weighted decay factor for older audit records
-
Anomaly Detection Limitations
An insider could slowly modify their behavior over time until it is possible to mount an attack without being flagged as anomalous
Users with erratic schedules or hours can be difficult to profile
Determining the deviation threshold can be difficult
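The statistical profile of the two NIDES slides and the slow-drift limitation above, as one added Python example (not SRI's code). A profile keeps a decayed mean and variance of a single continuous measure, files opened per login session, and a session is flagged when it lies more than a fixed number of standard deviations from the mean. The half-life of the decay, the three-standard-deviation threshold, the per-session jitter pattern and the drift rate are assumptions made for this illustration.

```python
"""NIDES-style statistical anomaly detection: an added illustration, not SRI's code.

One continuous measure per user (files opened per login session) is summarised by
decayed count, sum and sum of squares, so old audit records weigh less over time.
A session is flagged when it lies more than K standard deviations from the mean.
"""
import copy
import math


class Profile:
    """Decayed running statistics of one continuous measure for one user."""

    def __init__(self, half_life_sessions: float = 10.0, min_std: float = 0.5):
        # Weight multiplied into the history each session: after half_life_sessions
        # an old record counts half as much as a fresh one (assumed value).
        self.w = 0.5 ** (1.0 / half_life_sessions)
        self.min_std = min_std            # floor so a perfectly regular habit is not "infinitely" precise
        self.n = self.s1 = self.s2 = 0.0  # decayed count, sum and sum of squares

    def update(self, x: float) -> None:
        self.n = self.w * self.n + 1.0
        self.s1 = self.w * self.s1 + x
        self.s2 = self.w * self.s2 + x * x

    @property
    def mean(self) -> float:
        return self.s1 / self.n if self.n else 0.0

    @property
    def std(self) -> float:
        if not self.n:
            return self.min_std
        var = max(self.s2 / self.n - self.mean ** 2, 0.0)
        return max(math.sqrt(var), self.min_std)


def score(profile: Profile, x: float, k: float = 3.0) -> tuple:
    """(z, flagged): distance of x from the profile mean in standard deviations."""
    z = abs(x - profile.mean) / profile.std
    return z, z > k


NOISE = [-2, 0, 2, -1, 1]   # constructed per-session jitter around the user's habit


def simulate(k: float = 3.0) -> dict:
    """Constructed audit history: normal use, a sudden spike, then a slow insider drift."""
    prof = Profile(half_life_sessions=10)
    for i in range(50):                          # normal history: about 20 files per session
        prof.update(20 + NOISE[i % 5])
    frozen = copy.deepcopy(prof)                 # snapshot of the profile before any attack

    z_sudden, flagged_sudden = score(frozen, 200, k)   # one session that opens 200 files

    # Insider drift: +0.1 files per session for 800 sessions. Only unflagged sessions
    # are folded into the profile, yet the sub-threshold drift still retrains it.
    max_z, alerts = 0.0, 0
    for i in range(1, 801):
        x = 20 + 0.1 * i + NOISE[i % 5]
        z, flagged = score(prof, x, k)
        max_z = max(max_z, z)
        if flagged:
            alerts += 1
        else:
            prof.update(x)

    z_end, flagged_end = score(prof, 100, k)      # 100 files/session against the drifted profile
    z_orig, flagged_orig = score(frozen, 100, k)  # ... and against the original one
    return {
        "sudden": (round(z_sudden, 1), flagged_sudden),
        "drift_max_z": round(max_z, 2),
        "drift_alerts": alerts,
        "drifted_mean": round(prof.mean, 1),
        "end": (round(z_end, 2), flagged_end),
        "orig": (round(z_orig, 1), flagged_orig),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The spike to 200 files scores well over fifty standard deviations and is flagged at once. The drift of 0.1 files per session never rises much above two standard deviations, so it is never flagged, and after 800 sessions the profile mean sits near 100 files: a session that the original profile would have rejected outright is now ordinary. One countermeasure suggested by the `frozen` snapshot is to score each session against a long-lived baseline as well as the adaptive profile, so that a slow walk away from the original habit is still visible.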
-
IDS Misuse Detection
Also known as Rule-Based IDS
Sometimes vulnerabilities are fixed; other times fixing a vulnerability is just not feasible, so the attack that exploits it must be detected instead
Define intrusion scenarios: a known sequence of events that leads to an intrusion
Compare known scenarios to current activity to determine whether an intrusion attempt is in progress
-
IDS Misuse Detection
First generation used rules to describe what should be considered an intrusion
Rules accumulated and became difficult to read or modify
Second generation uses state transition diagrams and model-based rule organizations
-
USTAT
UNIX State Transition Analysis Tool
Each intrusion scenario is represented in a state transition diagram
Actions serve as the transition from one state to the next
Mapped all BSM (Sun Basic Security Module audit) events into USTAT actions, e.g. Read, Write, Modify_Owner
-
USTAT
Each state in the transition diagram consists of one or more state assertions
State assertions contain a function name and evaluate to true or false
Ex. owner(file_var) = user_id, shell_script(file_var)
-
USTAT
The inference engine uses a table to track all possible intrusions
Each row represents one intrusion possibly in progress
Maps each BSM event to the corresponding USTAT action and checks whether the action will change the current state to a successor state in a known intrusion state diagram
-
USTAT
If so, then the row is copied and the copy is marked as being in the successor state
The original row is left in place until its state no longer exists, because another user could repeat the same action from before
Once a compromised state is reached, the decision engine alerts administrators
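The USTAT inference engine of the four slides above, as an added Python example (not Ilgun's code). The intrusion scenario (a user writes a shell script, makes it setuid, and a different user executes it), the audit-record names, the mapping from records to actions and the small file-state model are all constructed for this illustration; the row-copying rule and the owner/shell_script style of assertion follow the slides.

```python
"""USTAT-style state-transition matching: an added illustration, not USTAT's own code.

Each intrusion scenario is a chain of transitions (an action plus the successor
state's assertions); the inference engine keeps a table with one row per intrusion
possibly in progress. Scenario, record names and action mapping are constructed.
"""
from dataclasses import dataclass

# Hypothetical mapping from raw audit-record types to USTAT-style actions
# (USTAT mapped Sun BSM events; the record names used here are invented).
ACTION_OF = {"open_write": "write", "chmod": "modify_mode", "exec": "execute"}


@dataclass
class Event:
    record_type: str
    user: str
    path: str
    mode: int = 0          # new permission bits for chmod records
    kind: str = "data"     # what was written: "data" or "script" (starts with "#!")


class SystemState:
    """Just enough file metadata for the state assertions to be evaluated."""

    def __init__(self):
        self.files = {}    # path -> {"owner": str, "mode": int, "kind": str}

    def apply(self, ev: Event) -> None:
        if ev.record_type == "open_write":
            f = self.files.setdefault(ev.path, {"owner": ev.user, "mode": 0o644})
            f["kind"] = ev.kind
        elif ev.record_type == "chmod" and ev.path in self.files:
            self.files[ev.path]["mode"] = ev.mode

    def owner(self, path):        return self.files.get(path, {}).get("owner")
    def shell_script(self, path): return self.files.get(path, {}).get("kind") == "script"
    def setuid(self, path):       return bool(self.files.get(path, {}).get("mode", 0) & 0o4000)


@dataclass
class Transition:
    action: str
    bind: dict        # scenario variable -> Event attribute it is bound from / checked against
    guard: object     # callable(SystemState, bindings) -> bool: the successor state's assertions


@dataclass
class Scenario:
    name: str
    transitions: list


# Constructed scenario: user U writes shell script F, makes it setuid, and a
# different user V executes it.
SETUID_SCRIPT = Scenario("setuid shell script executed by another user", [
    Transition("write", {"U": "user", "F": "path"},
               lambda s, b: s.owner(b["F"]) == b["U"] and s.shell_script(b["F"])),
    Transition("modify_mode", {"U": "user", "F": "path"},
               lambda s, b: s.setuid(b["F"]) and s.owner(b["F"]) == b["U"]),
    Transition("execute", {"V": "user", "F": "path"},
               lambda s, b: b["V"] != b["U"]),
])


class InferenceEngine:
    def __init__(self, scenarios):
        self.sys = SystemState()
        # one row per (scenario, current state, variable bindings); start rows never leave
        self.table = [(sc, 0, {}) for sc in scenarios]
        self.alerts = []

    def process(self, ev: Event) -> list:
        action = ACTION_OF.get(ev.record_type)
        if action is None:
            return []                       # record type is irrelevant to every scenario
        self.sys.apply(ev)
        new_rows = []
        for sc, state, bound in self.table:
            if state == len(sc.transitions):
                continue                    # row already reached the compromised state
            tr = sc.transitions[state]
            if tr.action != action:
                continue
            b = dict(bound)
            for var, attr in tr.bind.items():
                val = getattr(ev, attr)
                if b.get(var, val) != val:  # variable already bound to something else
                    break
                b[var] = val
            else:
                if tr.guard(self.sys, b) and (sc, state + 1, b) not in new_rows:
                    # copy the row into the successor state; the original row stays,
                    # because another user may repeat the same first steps
                    new_rows.append((sc, state + 1, b))
                    if state + 1 == len(sc.transitions):
                        self.alerts.append((sc.name, b))
        self.table.extend(r for r in new_rows if r not in self.table)
        return new_rows


def run_demo() -> list:
    """Constructed audit trail; returns the alerts raised."""
    eng = InferenceEngine([SETUID_SCRIPT])
    trail = [
        Event("open_write", "alice", "/home/alice/notes.txt"),        # harmless data file
        Event("open_write", "mallory", "/tmp/x.sh", kind="script"),    # U=mallory, F=/tmp/x.sh
        Event("chmod", "alice", "/home/alice/notes.txt", mode=0o600),  # no row waits on this file
        Event("chmod", "mallory", "/tmp/x.sh", mode=0o4755),           # setuid: successor state
        Event("exec", "mallory", "/tmp/x.sh"),                         # V == U: no transition
        Event("exec", "bob", "/tmp/x.sh"),                             # V != U: compromised state
    ]
    for ev in trail:
        eng.process(ev)
    return eng.alerts
```

The single alert carries the bindings {U: mallory, F: /tmp/x.sh, V: bob}; alice's data file never satisfies shell_script, and mallory running the script herself fails the V != U assertion. Because the start row is never consumed, a second user writing a second script would spawn its own row in parallel, which is the point of the copy-rather-than-move rule on the slide.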
-
Misuse Detection Limitations
Only known vulnerabilities and attacks are protected against
Administrators are always playing catch-up with intruders
Representation of intrusion scenarios is not always intuitive
-
Summary
Intruder Detection
Intruder Prevention
Intruder Detection Systems
Anomaly Detection
Misuse Detection
Examples
Limitations
-
References
Anderson, D., T. Lunt, H. Javitz, A. Tamaru, and A. Valdes. Safeguard Final Report: Detecting Unusual Program Behavior Using the NIDES Statistical Component. SRI International Computer Science Laboratory Technical Report, December 1993.
Ilgun, K. "USTAT: A Real-time Intrusion Detection System for UNIX". Proceedings of the 1993 IEEE Computer Society Symposium on Research in Security and Privacy, May 1993.
Jones, A. K. and Sielken, R. S. Computer System Intrusion Detection: A Survey. University of Virginia, September 2000. http://www.cs.virginia.edu/~jones/IDS-research/Documents/jones-sielken-survey-v11.pdf
Kemmerer, R. A. Computer Security. Encyclopedia of Software Engineering, John Wiley and Sons, 1994.
Kim, G. H. and Spafford, E. H. The Design and Implementation of Tripwire: A File System Integrity Checker. Purdue Technical Report CSD-TR-93-071, November 1993.
Sundaram, A. An Introduction to Intrusion Detection. http://www.acm.org/crossroads/xrds2-4/intrus.html