60-564 Survey “Intrusion Detection: Systems and Models” “A Stateful Intrusion Detection System for World-Wide Web Servers”
Outline
• Introduction
• Computer attacks
• The STAT framework
• Intrusion Detection System
• A novel IDS – WebSTAT
• Performance evaluation
• Conclusion
Introduction
• Computer security is the protection of computer resources, such as:
  • read and write access to a data file
  • processing time
  • communication over a network link
• An intrusion is somebody attempting to break into or misuse your system
• An IDS is a network security system designed to identify intrusive or malicious behaviour by monitoring network activity.
Computer Attacks
• Worms - self-replicating programs that spread across a network.
• Viruses - programs that replicate when a user performs some action, such as running a program.
• Server attacks - a client exploits a bug in the server to cause it to perform some unintended action.
• Client attacks - a server exploits a bug in a client to cause it to perform some unintended action.
• Network attacks (denial of service) - a remote attacker exploits a bug in the network software or a weakness in the protocol to cause a server, router, or network to fail.
• Root attacks - a user on a multiuser operating system obtains the privileges of another user (usually root).
Computer Attacks - Worm
• A worm is an independent program that replicates from machine to machine across network connections.
• The three security flaws it exploits:
  • Backdoor
    • bypasses the normal security mechanisms
    • usually installed for maintenance purposes
  • Buffer overflow
    • A process contains code, data, and a stack
    • The stack stores information associated with function calls
    • By overwriting the stack, the attacker can both inject malicious executable code and set the return address to point to that code
  • Weak password
    • First guess the administrator’s password
    • Copy itself to the startup location so it propagates every time the machine starts up
Computer Attacks - Virus
• A software program capable of causing great harm to the computer
• Unlike a worm, it requires action from a user to spread
• For example, email viruses spread when the recipient runs an attached program
Computer Attacks - Server Attacks
• Nearly every type of service has identified vulnerabilities that have been attacked
• For example, IIS4 installs a number of sample scripts.
• These scripts give clients access to view any file on the same volume as the web server
Computer Attacks - Client Attacks
• Unlike a server attack, it works by waiting for victims to connect to a rogue server
• For example, a buffer overflow vulnerability has been found in Outlook
  • It allows arbitrary code to be executed by overflowing the time zone field in the date field of the mail header
  • It is activated when the user downloads the mail from the mail server using Outlook
Computer Attacks - Network Attacks
• Usually Denial of Service (DoS) attacks
• They disturb the normal operation of applications
• They take advantage of a weakness in the system or application and cause it to crash or stop responding
• For example, ping of death: some systems will crash if they receive a fragmented ICMP packet. The attack sends a packet larger than 65,535 bytes, which causes many TCP/IP implementations to crash.
Computer Attacks - Root Attacks
• A user on a multi-user system obtains root or administrative privileges
• Certain programs have the suid bit set; breaking such a program means obtaining the privileges of the root user
The STAT Framework
• STAT is a technique for representing high-level descriptions of computer attacks
• It contains 6 components:
  • STATL
  • Language Extension Module
  • Event Provider
  • Scenario Plug-in
  • Response Module
  • STAT Core
The STATL Language
• An attack description language
• Uses states and transitions to represent attack scenarios
• Domain-independent
• It is extended by the IDS developer to express the characteristics of a particular domain and environment, e.g. Sun Solaris or Windows NT.
Language Extension Modules
• Shared libraries that define the events that describe a particular application domain.
• Loaded into the STAT Core at runtime
• Loaded before any Scenario Plugin or Event Provider can use them
Event Providers
• Collect events from the external environment
• Create events as defined in the Language Extension Modules
• Encapsulate events into generic STAT events
• Insert events into the event queue of the STAT Core
Scenario Plugins
• A shared library that describes an attack scenario.
• It is generated either from a STATL description or written manually by the user
Response Modules
• A shared library that contains Response Functions.
• If a given state in a scenario is reached, the associated Response Function is invoked
• For example, it sends an alert to someone, or takes steps to stop an ongoing attack once a state is reached.
STAT Core
• Loads the various modules
• Matches the events supplied by Event Providers
• Executes the corresponding transitions
• Triggers the responses defined in Response Modules
Intrusion Detection System
• Host-based IDS
  • uses log files and the system’s auditing agents
  • monitors the communications traffic in and out of a single computer
  • checks the integrity of system files and processes
• Network-based IDS
  • monitors the traffic on its network segment
  • captures three kinds of signatures: String, Port and Header signatures
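The three signature kinds named on the network-based IDS slide, as an added example that is not code from the surveyed papers: each packet is a constructed dict standing in for what a packet decoder would expose, the "telnet is closed" port policy and the traversal pattern are assumptions made for the demonstration, and the header check is the ping-of-death condition from the network-attacks slide (a fragment that would reassemble to more than 65,535 bytes).

```python
# Added example for the three network-IDS signature kinds named on the
# slide (string, port, header). Not code from the surveyed papers; packets
# are constructed dicts standing in for what a packet decoder would expose.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]
MAX_IP_DATAGRAM = 65535  # largest legal reassembled IP datagram, in bytes


@dataclass
class Signature:
    name: str
    kind: str  # "string", "port" or "header"
    check: Callable[[Packet], bool]


def string_signature(name: str, pattern: str) -> Signature:
    """String signature: a pattern searched for in the packet payload."""
    rx = re.compile(pattern)
    return Signature(name, "string",
                     lambda p: rx.search(str(p.get("payload", ""))) is not None)


def port_signature(name: str, dst_port: int) -> Signature:
    """Port signature: any packet addressed to a port that policy says is closed."""
    return Signature(name, "port", lambda p: p.get("dst_port") == dst_port)


def header_signature(name: str, predicate: Callable[[Packet], bool]) -> Signature:
    """Header signature: a predicate over protocol header fields."""
    return Signature(name, "header", predicate)


def oversized_fragment(p: Packet) -> bool:
    """Ping-of-death style check: the fragment offset (in 8-byte units) plus
    this fragment's length would reassemble to more than 65,535 bytes."""
    return int(p["frag_offset"]) * 8 + int(p["length"]) > MAX_IP_DATAGRAM


# Constructed signature set (assumed policy: telnet, port 23, is not allowed).
SIGNATURES: List[Signature] = [
    string_signature("path-traversal", r"/\.\./"),
    port_signature("telnet-port", 23),
    header_signature("oversized-fragment", oversized_fragment),
]


def match(packet: Packet, signatures=SIGNATURES) -> List[str]:
    """Names of every signature that fires on one packet."""
    return [s.name for s in signatures if s.check(packet)]


def scan(packets, signatures=SIGNATURES) -> List[Tuple[int, str]]:
    """(packet index, signature name) for every alert, in traffic order."""
    return [(i, name) for i, p in enumerate(packets) for name in match(p, signatures)]


# Constructed sample traffic, not a real capture.
SAMPLE_PACKETS: List[Packet] = [
    {"src": "10.0.0.5", "dst_port": 80, "frag_offset": 0, "length": 120,
     "payload": "GET /index.html HTTP/1.0"},
    {"src": "10.0.0.7", "dst_port": 23, "frag_offset": 0, "length": 60,
     "payload": ""},
    {"src": "10.0.0.9", "dst_port": None, "frag_offset": 8185, "length": 1500,
     "payload": ""},
    {"src": "10.0.0.5", "dst_port": 80, "frag_offset": 0, "length": 140,
     "payload": "GET /scripts/../../etc/passwd HTTP/1.0"},
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_PACKETS):
        print(f"packet {idx}: {name}")
```

Running the block reports the telnet packet, the oversized fragment (8185 × 8 + 1500 = 66,980 bytes) and the traversal request, and nothing for the ordinary GET; a real sensor would apply the same three checks to decoded packets from a capture instead of the constructed dicts.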
WebSTAT
• An IDS developed on top of the STAT framework.
• Built by composing the STAT core with a number of web-specific language extension modules, event providers, attack scenario plugins, and response modules.
Attack Scenario Examples
• Document Root Escape Attack: uses events from the web server log and operating system logs to detect unauthorized file system access
• Cookie stealing scenario: detects whether a valid cookie is improperly used by an unauthorized user to gain access to protected web resources
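To make the STATL state-and-transition model and the STAT core's event matching concrete, here is a miniature engine, written for this page as an added example and not taken from WebSTAT or the STAT tool suite, that runs the cookie stealing scenario over constructed web-log lines. The log format, the event names (`set_cookie`, `request`) and the scenario's states are assumptions made for the example; the forking of a new instance when a transition leaves the initial state is a simplified version of a STATL nonconsuming transition.

```python
# Added example, not WebSTAT's or the STAT tool suite's own code: a miniature
# STATL-style engine. A scenario is a set of states and transitions; the core
# feeds events from an event provider to every live scenario instance and runs
# the scenario's response when a final state is reached.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

Env = Dict[str, str]  # variables bound while an instance advances

@dataclass
class Event:
    kind: str
    attrs: Dict[str, str]

@dataclass
class Transition:
    src: str
    dst: str
    event_kind: str
    guard: Callable[[Env, Event], bool]            # must hold for the transition to fire
    bind: Callable[[Env, Event], None] = lambda env, ev: None  # copies event data into the instance

@dataclass
class Scenario:
    name: str
    initial: str
    final: Set[str]
    transitions: List[Transition]
    response: Callable[[Env], str]  # response function, run on reaching a final state

@dataclass
class Instance:
    scenario: Scenario
    state: str
    env: Env = field(default_factory=dict)

class StatCore:
    """Matches events against scenario instances and executes their transitions."""

    def __init__(self, scenarios: List[Scenario]):
        self.instances = [Instance(s, s.initial) for s in scenarios]  # one prototype each
        self.alerts: List[str] = []

    def feed(self, event: Event) -> None:
        forked: List[Instance] = []
        for inst in self.instances:
            for t in inst.scenario.transitions:
                if t.src != inst.state or t.event_kind != event.kind or not t.guard(inst.env, event):
                    continue
                if inst.state == inst.scenario.initial:
                    # Simplified nonconsuming transition: the prototype stays in the
                    # initial state and a copy advances, so attacks are tracked in parallel.
                    target = Instance(inst.scenario, inst.state, dict(inst.env))
                    forked.append(target)
                else:
                    target = inst
                t.bind(target.env, event)
                target.state = t.dst
                if t.dst in inst.scenario.final:
                    self.alerts.append(inst.scenario.response(target.env))
                break
        # finished instances are retired
        self.instances = [i for i in self.instances + forked if i.state not in i.scenario.final]

def parse_log_line(line: str) -> Optional[Event]:
    """Event provider for a constructed web-log format (an assumption of this example):
    <client ip> <method> <path> [cookie=<v>] [set-cookie=<v>]"""
    parts = line.split()
    if len(parts) < 3:
        return None
    attrs = {"ip": parts[0], "method": parts[1], "path": parts[2]}
    for kv in parts[3:]:
        key, _, value = kv.partition("=")  # values may themselves contain '='
        attrs[key] = value
    return Event("set_cookie" if "set-cookie" in attrs else "request", attrs)

# Cookie stealing scenario: a cookie issued to one client is later presented
# by a different client.
COOKIE_STEALING = Scenario(
    name="cookie_stealing", initial="s0", final={"stolen"},
    transitions=[
        Transition("s0", "issued", "set_cookie", lambda env, ev: True,
                   lambda env, ev: env.update(cookie=ev.attrs["set-cookie"], owner=ev.attrs["ip"])),
        Transition("issued", "stolen", "request",
                   lambda env, ev: ev.attrs.get("cookie") == env["cookie"]
                   and ev.attrs["ip"] != env["owner"],
                   lambda env, ev: env.update(thief=ev.attrs["ip"])),
    ],
    response=lambda env: f"ALERT cookie {env['cookie']} issued to {env['owner']} reused from {env['thief']}",
)

# Constructed log lines, not from a real server.
SAMPLE_LOG = [
    "10.0.0.5 GET /login set-cookie=SESSION=abc123",
    "10.0.0.5 GET /account cookie=SESSION=abc123",
    "10.0.0.6 GET /login set-cookie=SESSION=def456",
    "10.0.0.9 GET /account cookie=SESSION=abc123",
    "10.0.0.6 GET /account cookie=SESSION=def456",
]

def run(lines, scenarios=(COOKIE_STEALING,)) -> List[str]:
    """Drive the core with every parsable line and return the alerts raised."""
    core = StatCore(list(scenarios))
    for line in lines:
        event = parse_log_line(line)
        if event is not None:
            core.feed(event)
    return core.alerts
```

`run(SAMPLE_LOG)` raises exactly one alert, for the `abc123` cookie reused from 10.0.0.9; the two legitimate sessions stay in the `issued` state because their owner keeps presenting the cookie. Adding the Document Root Escape scenario would mean a second `Scenario` whose events come from a provider over the operating system log, fed to the same core.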
Performance Evaluation
• Experiments on a host running
  • standalone Apache
  • Apache monitored by WebSTAT
• WebSTAT incurs a small performance overhead in web server throughput.
  • acceptable given the powerful detection capabilities WebSTAT provides
  • more sophisticated web server performance tuning would also reduce the overhead
Conclusion
• Presented a classification of computer attacks and intrusion detection systems
• Described the STAT framework
• Described the IDS implementation WebSTAT
• The performance evaluation shows that, although WebSTAT brings a small performance overhead to the web server, it is acceptable considering the advanced detection capabilities.
Reference
• Sherif, J.S.; Dearmond, T.G., “Intrusion detection: systems and models”
• Sundaram, A., “An Introduction to Intrusion Detection”
• Mahoney, M., “Computer Security: A Survey of Attacks and Defenses”
• Lindquist, U.; Jonsson, E., “How to Systematically Classify Computer Security Intrusions”
• Vigna, G.; Robertson, W.; Kher, V.; Kemmerer, R.A., “A Stateful Intrusion Detection System for World-Wide Web Servers”
• STAT Framework Reference Manual
• Eckmann, S.T.; Vigna, G.; Kemmerer, R.A., “STATL: An Attack Language for State-based Intrusion Detection”
• Vigna, G.; Eckmann, S.T.; Kemmerer, R.A., “The STAT Tool Suite”
• Vigna, G.; Kemmerer, R.A.; Blix, P., “Designing a Web of Highly-Configurable Intrusion Detection Sensors”