350 likes | 493 Views
Storage–based Intrusion Detection: Watching storage activity for suspicious behavior. Adam G. Pennington, John D. Strunk, John Linwood Griffin, Graig A. N. Soules, Garth R. Goodson, Gregory R. Ganger Presented by: Anna Majkowska. New idea.
E N D
Storage–based Intrusion Detection: Watching storage activity for suspicious behavior Adam G. Pennington, John D. Strunk, John Linwood Griffin, Graig A. N. Soules, Garth R. Goodson, Gregory R. Ganger Presented by: Anna Majkowska
New idea ... • detect intrusion by observing changes to stored files • some changes (like log tampering) are very suspicious • turns out to be quite effective
Types of Intrusion Detection Systems Most of intrusion detection systems fall into one of two categories: • network based • host based (embedded in OS)
Network-based IDSs • implemented in firewalls or sniffers • scan traffic to, from and within network for suspicious content • look for attacks rather than finding an already successful intruder
Host-based IDSs • embedded in the host’ operating system • examine local information (ex. system calls) for suspicious behavior • can be disabled or fed misinformation by an intruder
Storage-based IDSs • observe suspicious manipulation of files • intruder cannot hide from storage-based IDS if it wants to run across reboots • can look for intrusions after successful compromise, if independent of host’s OS
How it works ... • IDS observes all disk activity looking for signs of intrusion • if detection rule triggers, alert is sent to administrator • administrator decides if it is real or false alarm
Assumptions • attacker software control over the host but no physical access to its hardware • storage device and admin console are not compromised • no host’s user or software (including the OS kernel) have administration privileges on the storage IDS
Are this assumptions sensible ? • storage devices (file servers, disk array controllers, IDE disks) are separate hardware with its own software • storage devices have fewer network interfaces and no local users – it should be more difficult to compromise than a client system
Warning signs • data/attribute modification • access patterns (particularly updates) • content integrity • suspicious content
Data/attribute modification • changes to files that administrator expects to remain unchanged • ex. system executables, configuration files, libraries • false alerts during system upgrades
Storage IDS versus checksumming • utilities like Tripwire periodically check the storage state against data in a reference database (stored elsewhere) • storage IDS improves this approach: • immediate detection of changes • can notice short-term changes • avoids trusting OS to perform the check
Suspicious access patterns • usually updates • modifying append-only files , ex. changing log files to scrub evidence • timestamp reversal – to hide information about modifications, false alarms - tar
Suspicious access patterns – cont. • denial of service attacks – allocating all the free space • suspicious attribute modifications – enabling set UID or reducing permissions needed to run an application
Content integrity • changes that are inconsistent with the file format • ex.: passwd file – 7 fields, legal shell, legal home directory, non-overlapping user ID
Suspicious content • detect known viruses by scanning for signatures • large number of hidden files – used for storage by the attacker, or empty files – slowing down file operations
Limitations • false alarms • intrusions that do not cause suspicious storage behavior will not be detected – use storage IDS together with network and host IDSs • performance cost
Case study • 18 intrusion tools tested (worms, rootkits, trojans) • two categories of actions: hiding evidence of the intrusion and providing reentry mechanism (backdoor) • 15 out of 18 intrusions detected (the other 3 removed after reboots)
Non-append patterns observed • 7 toolkits hide intrusions by modifying audit log – overwriting entries related to intrusion • all cause alerts
System file modifications observed • 15 toolkits modify system files, 3 replace them with files of matching size and CRC checksum • hiding intruder’s presence: ps, ls, netstat, grep, find, du, pstree • creating backdoors: telnetd, sshd, PAM module
Hidden files and directories observed • 12 toolkits create hidden files (does not have to cause alert) • 3 create directories that look like “.”or “..”, by appending spaces “.. ” – causes alert
Kernel modification methods Six toolkits modified the running OS kernel: • loadable kernel modules (LKMs) • inserting directly into /dev/kmem • modification of exec() to use a replacement – checksumming won’t work
Kernel modification detection • rootkits were detected only because they placed files in watched directories • detection can be avoided • trade-off: go undetected or persist across reboots
Secure administration • secure interface needed for specifying detection rules and receiving alerts • prevents client from forging or blocking administrative messages • no user on client system has administrative access to storage device
Secure administration - architectures Two methods of access: • local administration terminal, if physical access possible • cryptographic channel between the storage device and the administrator (can us OS as an untrusted component)
Checking the detection rules • simple for operations on individual files • for operations on directories, whole directory tree must be analyzed • rules about files that currently do not exist
Responding to rule violations • send an alert • slow down suspect’s storage access – false alarms will not cause applications’ failures • deny access – false alarms can cause application failure
Preventing loss of data - versioning • versioning for every suspicious operation until administrator approval – difficult reintegration • versioning after intrusion is detected – some data will likely be lost
Using Network IDS for storage watch • NFS traffic goes over a network • Storage IDS could be implemented in network IDS • NIDS would have to watch LAN activity (now used mostly for Internet connections)
Using NIDS for storage watch – cont. Suspicious content • replication of work • replication of data (ex. mappings of file handles to files held in NIDS) • NIDS would require read permission to all files for integrity and update pattern checks
Performance cost • SSH-build and PostMark benchmarks were used for tests • tested for the case where no rules are violated • max. 1.3% performance cost • for single file and directory operations – 0.5 – 3.3 % (rename dir and remove)
Space cost • minimal, only about 150KB for over 4700 watched files with author’s implementation • could be further reduced
False alarms • most false alarms follow a pattern and can be recognized and ignored by administrator’s console • many false alarms caused by programs like tar – perhaps time reversal rule is a bad idea (not used in any toolkit)