Intruder Detection


Transcript of Intruder Detection

  • 7/30/2019 Intruder Detection

    1/25

    Intruder Detection

    Bryan Pearsaul


    Outline

    Overview

    Intruder Detection

    Intruder Prevention

    Intruder Detection Systems

    Anomaly Detection

    Misuse Detection

    Examples

    Limitations/Drawbacks


    Overview

    Intrusion: when a user takes an action that they are not legally allowed to take

    Whether they meant to take that action or not

    Increasingly important as we rely more and more on computer systems for the correct functioning of society


    Intruder Detection

    Determining whether an intruder has gained, or has attempted to gain, unauthorized access to the system

    Two groups of intruders:

    External

    Internal

    Ways to combat intrusion:

    Intruder Prevention

    Intruder Detection Systems


    Intruder Prevention

    Requiring passwords to be submitted before users can access the system

    Fixing or patching known vulnerabilities

    Blocking network access

    Restricting physical access


    Intruder Detection Systems

    First became needed in the late 70s

    Originally used with single systems

    The OS produced audit records that were processed by the IDS

    IDS has since expanded to distributed systems and networks

    Two main approaches:

    Anomaly Detection

    Misuse Detection


    IDS Anomaly Detection

    Static and Dynamic Anomalies

    IDS distinguishes between normal behavior and the anomaly

    Define normal behavior or the correct static form

    Detect changes in form or anomalous behavior


    Static Anomaly Detection

    Some part of the system should remain constant

    Determines intrusions based on data integrity

    Define the static part as strings of binary bits

    If the strings are ever modified then there has been an error or an intrusion


    Static Anomaly Detection

    System bit strings are compressed into representations of the system called signatures

    The stored signature is then compared at certain time intervals to the current system signature

    Knowledge about the structure of objects in the system (meta-data) can also be incorporated into the system


    Tripwire

    Performs intruder detection using file integrity checking

    Uses signatures and UNIX file meta-data

    Configuration file specifies attributes of files

    Builds a selection mask for each file and directory that contains a flag for each distinct field in a UNIX i-node


    Tripwire

    Each file has at least one signature computed from the bit string of the file

    Selection masks and the set of signatures are stored in a database

    User-scheduled integrity checks are performed on the signatures and the attributes

    Any changes are pointed out and security staff can be notified
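    The static-anomaly and Tripwire slides above describe one mechanism: a selection mask of i-node fields plus a signature per file, stored in a database and re-checked later. The following is an added illustration written for this transcript, not Tripwire's own code; it assumes SHA-256 as the signature function, a fixed set of mask flags, and constructed files in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

# Flags a selection mask may contain: UNIX i-node fields plus the signature flag.
MASK_FLAGS = ("mode", "uid", "gid", "size", "mtime", "signature")

def attributes(path):
    """Snapshot of the i-node fields and a SHA-256 signature of the file's bits."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        sig = hashlib.sha256(f.read()).hexdigest()
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "mtime": int(st.st_mtime), "signature": sig}

def build_database(config):
    """config maps each path to its selection mask (a set of MASK_FLAGS)."""
    return {path: {"mask": frozenset(mask), "attrs": attributes(path)}
            for path, mask in config.items()}

def integrity_check(db):
    """Return {path: [changed flags]} for every file that no longer matches."""
    report = {}
    for path, entry in db.items():
        if not os.path.exists(path):
            report[path] = ["missing"]
            continue
        now = attributes(path)
        changed = [f for f in MASK_FLAGS
                   if f in entry["mask"] and now[f] != entry["attrs"][f]]
        if changed:
            report[path] = changed
    return report

def write(path, data, mode="wb"):
    with open(path, mode) as f:
        f.write(data)

def demo():
    """Constructed scenario in a temp dir: baseline two files, then alter both."""
    d = tempfile.mkdtemp()
    binary, log = os.path.join(d, "login"), os.path.join(d, "messages")
    write(binary, b"original program bits")
    write(log, b"boot ok\n")
    # A log is expected to grow, so its mask ignores size, mtime and signature.
    db = build_database({binary: set(MASK_FLAGS), log: {"mode", "uid", "gid"}})
    write(binary, b"replaced program bits!")      # tampering with a binary
    write(log, b"user login\n", mode="ab")        # legitimate log growth
    return integrity_check(db), binary, log
```

    The mask is what keeps a growing log from producing noise while a modified binary is still reported on both its size and its signature.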


    Dynamic Anomaly Detection

    Also known as Statistical-Based IDS

    More difficult than detecting static string changes

    Define profiles for each user to characterize normal behavior

    User choices: log-in time, favorite programs

    User sequence of actions

    User CPU usage / network activity


    Dynamic Anomaly Detection

    Statistical distributions are formed from profiles and compared to the current user profile

    Anomalous boundary is established using some number of standard deviations off the mean

    Profiles can be gradually changed to reflect user behavioral changes over time


    NIDES

    Next-Generation Intrusion Detection Expert System

    Builds statistical profiles of users by taking measures that fall into three classes:

    Audit record distributions: types of audit records generated over a period of time

    Categorical: user name, names of files accessed

    Continuous: any measure in which the outcome is how often something occurred: total number of open files, number of pages read off secondary storage


    NIDES

    Stores user statistics in profiles such as frequencies, means, variances

    Detects anomalous behaviors by comparing measures of the current user profile to measures in the stored user profile

    Uses a weighted decay factor for older audit records
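    As an added example (written for this transcript, not code from NIDES or the deck) of the dynamic-anomaly slides: a continuous measure kept as a decayed mean and variance, with the anomaly boundary set at k standard deviations from the mean. The decay factor of 0.9 per record, the threshold of 3 standard deviations and the audit history are assumptions.

```python
import math

class ContinuousMeasure:
    """NIDES-style statistics for one continuous measure, e.g. files opened per
    session. Each new audit record multiplies the weight of all older records
    by `decay`, so old behaviour fades and the profile follows gradual change."""

    def __init__(self, decay=0.9):
        self.decay = decay
        self.weight = 0.0    # sum of decayed record weights
        self.sum_x = 0.0     # decayed sum of observations
        self.sum_x2 = 0.0    # decayed sum of squared observations

    def update(self, x):
        self.weight = self.decay * self.weight + 1.0
        self.sum_x = self.decay * self.sum_x + x
        self.sum_x2 = self.decay * self.sum_x2 + x * x

    def mean(self):
        return self.sum_x / self.weight

    def stddev(self):
        var = self.sum_x2 / self.weight - self.mean() ** 2
        return math.sqrt(max(var, 0.0))   # clamp rounding error below zero

    def deviation(self, x):
        """Distance of x from the profile mean, in standard deviations."""
        sd = self.stddev()
        if sd == 0.0:
            return 0.0 if x == self.mean() else math.inf
        return abs(x - self.mean()) / sd

def build_profile(history, decay=0.9):
    """history: {measure name: past observations, oldest first}."""
    profile = {name: ContinuousMeasure(decay) for name in history}
    for name, values in history.items():
        for v in values:
            profile[name].update(v)
    return profile

def check_session(profile, current, k=3.0):
    """Names of measures whose current value lies beyond k standard deviations."""
    return sorted(n for n, x in current.items() if profile[n].deviation(x) > k)

# Constructed audit history for one user (not real data): ten past sessions.
HISTORY = {"files_opened": [18, 22, 20, 19, 21, 20, 23, 17, 20, 21],
           "cpu_seconds":  [40, 35, 52, 47, 38, 44, 50, 41, 39, 46]}
CURRENT = {"files_opened": 60, "cpu_seconds": 43}   # session under review
```

    Because the decay lets the profile drift with the user, the threshold k and the decay rate together decide how fast a change must happen before it is flagged; this is the trade-off behind the limitations listed on the next slide.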


    Anomaly Detection Limitations

    An insider could slowly modify their behavior over time until it is possible to mount an attack without being flagged as anomalous

    Users with erratic schedules or hours can be difficult to profile

    Determining the deviation threshold can be difficult


    IDS Misuse Detection

    Also known as Rule-Based IDS

    Sometimes vulnerabilities are fixed; other times fixing a vulnerability is just not feasible

    Define intrusion scenarios, which are known sequences of events that lead to intrusion

    Compare known scenarios to current activity to determine whether an intrusion attempt is in progress


    IDS Misuse Detection

    First generation used rules to describe what should be considered an intrusion

    Rules accumulated and became difficult to read or modify

    Second generation uses state transition diagrams and model-based rule organizations


    USTAT

    UNIX State Transition Analysis Tool

    Each intrusion scenario is represented in a state transition diagram

    Actions serve as the transition from one state to the next

    Mapped all BSM events into USTAT actions: Read, Write, Modify_Owner


    USTAT

    Each state in the transition diagram consists of one or more state assertions

    State assertions contain a function name and will evaluate to true or false

    Ex. owner(file_var) = user_id, shell_script(file_var)


    USTAT

    Inference engine uses a table to detect all possible intrusions

    Each row represents one intrusion possibly in progress

    Maps each BSM event to the corresponding USTAT action and checks if the action will change the current state to a successor state in a known intrusion state diagram


    USTAT

    If this is so, then the row is copied and marked as being in the successor state

    The original row is left until the state no longer exists, because another user could repeat the same action from before

    Once a compromised state is reached the decision engine alerts administrators
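    An added example, written for this transcript and not code from USTAT, of the inference-engine table the four USTAT slides describe: rows of (scenario, state, bindings), events mapped to the deck's actions, state assertions of the form fn(file_var) = value, and a row copied into its successor state while the original is left in place. The event-to-action map, the two-step scenario and the audit trail are constructed for illustration and are not USTAT's rule set.

```python
# Audit event types mapped to USTAT actions, as the deck describes for BSM events.
EVENT_TO_ACTION = {"open_read": "Read", "open_write": "Write", "chown": "Modify_Owner"}
# Constructed scenario (not a USTAT rule): transitions are (src, action, dst,
# assertions on the event's file); an expected value "$name" is a variable bound
# when the row started. s0 -Write-> s1 if shell_script(file_var);
# s1 -Modify_Owner-> s2 (compromised) if owner(file_var) = user_id.
SCENARIO = {"name": "script-then-chown", "compromised": 2, "transitions": [
    (0, "Write", 1, [("shell_script", True)]),
    (1, "Modify_Owner", 2, [("owner", "$user_id")])]}

def assertions_hold(assertions, event, bindings):
    """Each state assertion fn(file_var) = expected evaluates to true or false."""
    for fn, expected in assertions:
        if isinstance(expected, str) and expected.startswith("$"):
            expected = bindings[expected[1:]]
        if event.get(fn) != expected:
            return False
    return True

class InferenceEngine:
    """Table of rows (scenario, state, bindings): one intrusion possibly in progress each."""
    def __init__(self, scenarios):
        self.table = [(s, 0, {}) for s in scenarios]
        self.alerts = []

    def process(self, event):
        action = EVENT_TO_ACTION.get(event["type"])   # None never matches an action
        for scenario, state, bindings in list(self.table):
            for src, act, dst, asserts in scenario["transitions"]:
                if src != state or act != action:
                    continue
                if bindings and bindings["file_var"] != event["file"]:
                    continue   # a bound row only advances on its own file
                new = bindings or {"file_var": event["file"], "user_id": event["user"]}
                if not assertions_hold(asserts, event, new):
                    continue
                # Copy the row into the successor state; the original row is left.
                self.table.append((scenario, dst, new))
                if dst == scenario["compromised"]:
                    self.alerts.append((scenario["name"], dict(new)))

EVENTS = [   # constructed audit trail, not real BSM records
    {"type": "open_write", "user": "alice", "file": "/tmp/a.sh", "shell_script": True, "owner": "alice"},
    {"type": "open_write", "user": "bob", "file": "/tmp/notes.txt", "shell_script": False, "owner": "bob"},
    {"type": "chown", "user": "root", "file": "/tmp/a.sh", "shell_script": True, "owner": "alice"}]

def run(events=EVENTS):
    engine = InferenceEngine([SCENARIO])
    for ev in events:
        engine.process(ev)
    return engine
```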


    Misuse Detection Limitations

    Only known vulnerabilities and attacks are protected against

    Administrators are always playing catch-up with intruders

    Representation of intrusion scenarios is not always intuitive


    Summary

    Intruder Detection

    Intruder Prevention

    Intruder Detection Systems

    Anomaly Detection

    Misuse Detection

    Examples

    Limitations
