Intrusion Detection By Himani Singh (himanisingh@comcast.net) & Kavita Khanna (kavita_jairath@yahoo.com) (CS-265, Fall-2003)
Intrusion Detection – “Presentation Outline” • How an Intruder gets access? • Security Holes and Vulnerabilities • What is Intrusion Detection? • Typical intrusion scenario • Host based and Network based Intrusion Detection. • Knowledge based and behavioral based Intrusion Detection. • False positives/ false alarms. • Do I need IDS if I already have a firewall?
How an Intruder gets access • Intruder: a hacker and/or cracker who breaks into systems and carries out unauthorized or malicious activities. How does an intruder get access? • Physical intrusion: removing hardware, a disk, memory… • System intrusion: starting from a low-privilege user account • Remote intrusion: across the network
Security Holes and Vulnerabilities: What? • Bad password policy • System configuration • Software bugs • Traffic sniffing • Design flaws
Security Holes and Vulnerabilities • Software bugs • Buffer overflows: input overflows a buffer, delivered by intentionally crafted code. • Unexpected combinations: e.g. PERL can pass malicious input on to another program • Unhandled input: what action is taken on invalid input? • Race conditions: rare but possible • System configuration • Default configurations: easy-to-use defaults • Lazy administrators: empty root/administrator password • Hole creation: turn off everything that doesn't absolutely, positively need to run
Security Holes and Vulnerabilities (Cont…) • Password cracking • Weak passwords, dictionary attacks, brute force, etc. • Sniffing unsecured traffic • Shared medium • Server sniffing • Remote access • Design flaws • TCP/IP protocol flaws • Smurf: ICMP echo requests with the victim's address as the return address • SYN flood: the target runs out of resources; combined with IP spoofing • UNIX design flaws • Distributed DoS attacks: Amazon and Yahoo • Do not forget social engineering: hacker Kevin Mitnick told Congress that he used technology only 2% of the time
What is Intrusion Detection • Intrusion: an unauthorized activity or access to an information system; the attack originates outside the organization. • Misuse: attacks originating inside the organization. • Intrusion Detection (ID): the process of detecting whether intrusion/misuse has been attempted, is occurring, or has occurred. [1] • Intrusion and/or misuse can be as severe as stealing sensitive information or misusing your e-mail system for spam • ID runs continuously • Does both detection and response [1] The Practical Intrusion Detection Handbook by Paul E. Proctor
Typical intrusion scenario • Step 1: outside reconnaissance • Step 2: inside reconnaissance • Step 3: exploit • Step 4: foothold • Step 5: profit, e.g. bandwidth theft • Step 6: get out, cover tracks. Typically the intruder scans random Internet addresses looking for a specific hole on any system rather than targeting a specific system
Step 1 & 2: Reconnaissance • Ping sweeps • TCP/UDP scans • OS identification • Account scan
Step 3: EXPLOITS • CGI scripts • Web server attacks • Web browser attacks • URL, HTTP, HTML, JavaScript, frames • SMTP (Sendmail) attacks • IP spoofing • DNS poisoning • Buffer overflows
Detection • Signature recognition • Patterns: well-known patterns of attack, e.g. • CGI patterns • TCP port scans • Port-based signatures: traffic coming in or going out on common ports that are not supposed to be in use • Invalid protocol behavior
Detection • Anomaly detection • Some action or data that is not considered normal for a given system, user, or network. • Can be indicated by changes in CPU utilization, disk activity, user logins, file activity, increased traffic, and so forth • Advantage: detects unknown attacks/misuse
Detection • Anomaly detection: three statistical criteria • Number of events outside the expected range, e.g. login attempts > 3 • A measured statistic falls outside its expected interval, e.g. the time to load a file on an FTP server • Markov model: for a sequence of events. Suppose the observed sequence is xyzhjzxyz; then the probability of 'z' following 'xy' is 1, and so on. If the current sequence deviates from these probabilities, there is a problem
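The event-count and Markov criteria above, as an added example that is not part of the presentation: a second-order Markov model trained on the slide's sequence xyzhjzxyz (so P('z' | 'xy') = 1) scores a new sequence and flags improbable transitions, and a counter applies the "login attempts > 3" threshold to constructed syslog-style lines. The log lines, the 0.2 flagging threshold and all function names are assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed syslog-style lines (not from the page) for the event-count criterion.
SAMPLE_LOG = [
    "Nov 14 10:01:02 host1 login: FAILED LOGIN user=alice from=192.0.2.7",
    "Nov 14 10:01:09 host1 login: FAILED LOGIN user=bob from=198.51.100.3",
    "Nov 14 10:01:11 host1 login: FAILED LOGIN user=bob from=198.51.100.3",
    "Nov 14 10:01:14 host1 login: FAILED LOGIN user=bob from=198.51.100.3",
    "Nov 14 10:01:17 host1 login: FAILED LOGIN user=bob from=198.51.100.3",
    "Nov 14 10:02:00 host1 login: LOGIN OK user=alice from=192.0.2.7",
]

def failed_logins_per_user(log_lines):
    """Criterion 1: count failed login events per user."""
    counts = Counter()
    for line in log_lines:
        if "FAILED LOGIN" in line:
            user = line.split("user=", 1)[1].split()[0]
            counts[user] += 1
    return counts

def users_over_limit(log_lines, limit=3):
    """Users whose failed-login count exceeds the expected range (> limit)."""
    return sorted(u for u, n in failed_logins_per_user(log_lines).items() if n > limit)

def train_markov(sequence, order=2):
    """Criterion 3: count which event follows each context of `order` events."""
    counts = defaultdict(Counter)
    for i in range(order, len(sequence)):
        counts[tuple(sequence[i - order:i])][sequence[i]] += 1
    return counts

def transition_probability(model, context, event):
    """P(event | context) from the counts; 0.0 if context or event was never seen."""
    followers = model.get(tuple(context), Counter())
    total = sum(followers.values())
    return followers[event] / total if total else 0.0

def score_sequence(model, sequence, order=2, threshold=0.2):
    """Flag (position, context, event, probability) wherever a transition is improbable."""
    deviations = []
    for i in range(order, len(sequence)):
        ctx = tuple(sequence[i - order:i])
        p = transition_probability(model, ctx, sequence[i])
        if p < threshold:
            deviations.append((i, "".join(ctx), sequence[i], p))
    return deviations

if __name__ == "__main__":
    model = train_markov("xyzhjzxyz")                  # training sequence from the slide
    print(transition_probability(model, "xy", "z"))     # 1.0
    print(score_sequence(model, "xyzhjzxyq"))           # [(8, 'xy', 'q', 0.0)]
    print(users_over_limit(SAMPLE_LOG))                 # ['bob']
```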
IDS (Intrusion Detection System) • IDS should do • Event log analysis for inside threat detection • Network traffic analysis for perimeter threat detection • Security configuration management • File integrity checking (Diagram: agents on hosts reporting over the network to a director and notifier)
Components of IDS • Command console: the central commanding authority • Network sensor • Alert notification • Response subsystem • Database • Network tap(s)
Network Intrusion Detection System • NIDS: the system detects an intruder by "sniffing" (monitoring) packets on the network wire and matching them against a database of known attack patterns. Architecture of NIDS • Network-node: agents distributed on each critical target computer in the network, monitoring only traffic bound for the individual target. • Sensor-based: a sensor sits between two communicating computers, either stand-alone or on a network device, to monitor the whole network
Steps In NIDS • A network packet is born. • The packet is read in real time by a sensor (either a network sensor or a network-node sensor). • The detection engine is used to identify predefined patterns of misuse. • If there is a match, the security officer is notified by audible alert, e-mail, pager, visual alert, or SNMP; for example a beep or a .WAV file saying "You are under attack". • An alert is generated (either pre-defined or through the security officer). • A response to that alert is generated.
Steps In NIDS (Cont…) • Reconfigure firewall/router • Filter out the IP address • Terminate (reset) the TCP connection • Alert is stored for later review • timestamp, intruder IP address, victim IP address/port, protocol information • Reports are generated • Data logged for long-term trends
NIDS Limitations • Packet loss on high-speed networks • An intruder can hide in lost packets; node-based ID does not suffer from this issue • Switched networks: ATM • Encryption • Solutions: place the network sensor on the decrypted side of the VPN • Distributed network architecture with ID agents • Decrypting on the fly by putting the key on the router is itself a security threat • Packet reassembly • many signatures can only be detected in the full reassembled string • Sniffer detection programs
Host based intrusion detection system • HIDS: monitors the actual target machines to identify tampering or malicious activity occurring within the system. Can detect 'insider' malicious activity. • Agent based • Misuse • Abuse of privilege • Unintended/inadvertent privilege grants • Stale (but still live) accounts • Bad account privilege policy/back door creation
Host based intrusion detection system (Cont…) HIDS monitors: • User-specific actions • System integrity checkers: system log files, running processes, the file system, and registry changes made by intruders. • Determines the success/failure of an attack Data sources in HIDS • system logs, application logs, host traffic, and in some instances firewall logs
Key points • Audit policy: if you fail to manage audit and detection policies, your deployment is likely to fail. • Detection policy: properly configure signatures and an appropriate number of active signatures in both real time and batch time. • The data source is the heart of HIDS • System logs, application logs, host traffic, and in some instances firewall logs • Unix syslog: not a good source, since any application can write to it • Unix binary kernel log: the closest thing to the TCB • Windows NT/2000: trust the security log
Knowledge-based and behavior-based approaches • Knowledge-based approaches • All IDS tools are knowledge-based • About specific attacks and system vulnerabilities • Accuracy is good: no false alarms if the attack is defined precisely • Fast corrective action: signatures can be added/modified quickly Drawbacks: • Completeness is questionable; depends on updates • New vulnerabilities are not yet defined, resulting in false negatives • Maintenance is a time-consuming, tedious task • Knowledge is environment-specific (very focused; depends on OS, platform, version…)
Behavior-based intrusion detection • Detect a deviation from the normal or expected behavior of the system or its users • Compare current behavior vs. valid behavior • Advantages • detects attempts to exploit new and unforeseen vulnerabilities • automatic discovery of these new attacks • Disadvantages • High false alarm rate • If retraining is done online, it can make the ID system unavailable (a good chance for an attacker) or produce more false alarms Good complement to knowledge-based. Not enough alone.
Best IDS Is a hybrid: network-based and host-based, and must include both knowledge-based and behavior-based detection
False positives / false alarms • False positives - signaling attack when there is none. • Why: • Difficult to detect intrusions, IDS are limited in scope. • Tools are stateless. • Signature is not carefully designed, lots of matches. • Accuracy is often traded for urgency to plug in a new signature.
Do I need IDS if I already have a firewall? • A firewall is not a dynamic defensive system and has no capability to understand that someone is trying to break in. Example: ColdFusion bug (port 80 web attack) • Boundary of the network • Firewall is prevention; ID is detection and response • Reasons • Catches attacks that firewalls legitimately allow through (such as attacks against web servers). • Catches attempts that fail. • Catches insider hacking and financial loss
Popular NIDS – SNORT™ • open source network intrusion detection system • real-time traffic analysis • Detects attacks such as • buffer overflows, • stealth port scans, • CGI attacks, SMB probes and more • Decisions about traffic depend on a flexible rules language
Popular NIDS – Snort (Cont…) • Platforms • SunOS 4.1.X (Sparc), Linux, Win32 (Win9x/NT/2000), OpenBSD, HP-UX • Snort is lightweight intrusion detection, cost efficient and open source, so its signatures keep getting updated; very powerful post-processors
Interesting • Snort and other signature-based IDS match unique patterns against rules in the database. • For example, Snort uses the following rule for the SubSeven Trojan:
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG - SubSeven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)
• Snort matches the hex signature, which can be present anywhere in the payload: "0d 0a 5b 52 50 4c 5d 30 30 32 0d 0a" • An attacker can change/scramble the recognizable content by encryption, e.g. adding the first byte of the packet payload to every subsequent byte. • If that byte is 3, the payload becomes "31 3d 8e 85 83 7f 81 63 63 65 31 3e", which does not match any of the known signatures. The attacker has now evaded our intrusion detection system. Source: Matthew, http://www.snort.org/what_is_snort.htm
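The signature-recognition, alert-record and packet-reassembly points from the NIDS slides, as an added example that is not Snort code: it parses the SubSeven rule quoted above (hex content between |..| pipes), matches it per packet, then matches the same bytes only after reassembling two constructed TCP segments (the reassembly limitation), and emits an alert with the fields listed under Steps In NIDS. The packet dictionaries, the documentation addresses and the _pkt helper are constructed for this example.

```python
import re
from datetime import datetime, timezone

# The SubSeven rule quoted above, kept as one string and parsed below.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 '
        '(msg:"BACKDOOR SIG - SubSeven 22"; flags:A+; '
        'content:"|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)')

def parse_rule(text):
    """Split a Snort rule into header fields and the options this matcher uses."""
    head, opts = text.split("(", 1)
    action, proto, src, sport, _, dst, dport = head.split()
    options = dict(re.findall(r'(\w+):\s*"?([^;"]*)"?;', opts))
    content = options["content"]
    if content.startswith("|") and content.endswith("|"):
        content = bytes.fromhex(content.strip("|"))      # |..| is raw hex in Snort
    else:
        content = content.encode()
    return {"action": action, "proto": proto, "dport": dport,
            "msg": options["msg"], "content": content}

def match_packet(rule, pkt):
    """Stateless check of a single packet: header fields, then content search."""
    return (pkt["proto"] == rule["proto"]
            and str(pkt["dport"]) == rule["dport"]
            and rule["content"] in pkt["payload"])

def match_stream(rule, segments):
    """Reassemble one connection's segments (by sequence number) before matching,
    so a signature split across packets is still found."""
    ordered = sorted(segments, key=lambda s: s["seq"])
    stream = b"".join(s["payload"] for s in ordered)
    head = ordered[0]
    return (head["proto"] == rule["proto"] and str(head["dport"]) == rule["dport"]
            and rule["content"] in stream)

def make_alert(rule, pkt):
    """Alert record with the fields the NIDS steps list for later review."""
    return {"timestamp": datetime.now(timezone.utc).isoformat(),
            "msg": rule["msg"], "intruder": pkt["src"],
            "victim": f'{pkt["dst"]}:{pkt["dport"]}', "protocol": rule["proto"]}

# Constructed test traffic (RFC 5737 documentation addresses, not real hosts).
SIG = bytes.fromhex("0d0a5b52504c5d3030320d0a")
def _pkt(seq, payload):
    return {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10",
            "dport": 27374, "seq": seq, "payload": payload}
WHOLE = _pkt(1, b"hello" + SIG)                             # signature in one packet
SPLIT = [_pkt(1, b"hello" + SIG[:5]), _pkt(2, SIG[5:])]     # same bytes, two segments
```

Per-packet matching finds WHOLE but misses both halves of SPLIT; match_stream finds it once the segments are reassembled.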
Resources… in case you get hacked • CERT (Computer Emergency Response Team) http://www.cert.org • CIAC (Computer Incident Advisory Capability) by the US Department of Energy http://www.ciac.org/ • SANS http://www.sans.org/ • AUSCERT (Australian Computer Emergency Response Team) http://www.auscert.org.au/ • Network Intrusion Detection Systems http://www.robertgraham.com/pubs/network-intrusion-detection.html
References • The Practical Intrusion Detection Handbook – Paul E. Proctor • www.intrusion.com/ • www.snort.org/ • Retrieved Nov 14, 2003 from www.sans.org • Retrieved Nov 15, 2003 from www.cerias.purdue.edu/coast/intrusion-detection/ • www.cs.usask.ca/undergrads/der850/project/ids/
Project Presentation. Instructor: Prof. Mark Stamp. Due Date: 11/18/03. Malicious Software & Intrusion Detection. By Kavita Khanna and Himani Singh (CS-265, Fall-2003)
Malicious Software By Kavita Khanna (kavita_jairath@yahoo.com) & Himani Singh (himanisingh@comcast.net) (CS-265, Fall-2003)
Malicious Software – "Presentation Outline" • What is malicious software? • Categories of malicious software. • Different malicious software: viruses, worms, Trojan horses, etc. • More description about viruses: • Desirable properties of viruses. • Identifying infected files and programs. • Where do viruses reside? • Identifying and detecting viruses: virus signatures. • Effect of a virus attack on a computer system. • Protection against attacks by malicious software: preventing infection. • References.
What is Malicious Software: • Software deliberately designed to harm computer systems. • Malicious software program causes undesired actions in information systems. • Spreads from one system to another through: • E-mail (through attachments) • Infected floppy disks • Downloading / Exchanging of corrupted files • Embedded into computer games
Types of Malicious Software • Virus: a program that spreads to other software in the system, i.e., a program that incorporates copies of itself into other programs. Two major categories of viruses: • Boot sector virus: infects the boot sector of a system, becomes resident, and activates when the machine boots • File virus: infects program files; activates when the program is run.
Categories of Viruses • Armored Virus: hides the modifications it has made to files or to the disk. Reports false values to programs as they read files or data from storage media. • Polymorphic Virus: produces modified but fully operational code. Produces new and different code every time the virus is copied and transmitted to a new host. Difficult to detect and remove. • Stealth Virus: programming tricks make tracing and understanding the code difficult. Complex programming methods are used to design the code, so the infected file is difficult to repair. • Companion Virus: creates a new program instead of modifying an existing program. Contains all the virus code. Executed by the shell instead of the original program.
Rabbit: this malicious software replicates itself without limit and depletes some or all of the system's resources. • Re-attacks infected systems, making recovery difficult. • Exhausts system resources such as CPU time, memory and disk space. • Resource depletion denies users access to those resources.
Hoaxes: false alerts about spreading viruses. • e.g., chain letters. • The message seems important to the recipient, who forwards it to other users, forming a chain. • Exchanging a large number of messages (in the chain) floods network resources: bandwidth wastage. • Blocks systems on the network; access is denied due to heavy network traffic.
Trojan Horse: a malicious program with unexpected additional functionality. It includes harmful features of which the user is not aware. • Performs a different function than it is advertised to do (some malicious action, e.g., stealing passwords). • Neither self-replicating nor self-propagating. • User assistance is required for infection. • Infects when the user installs and executes the infected program. • Some types of Trojan horses include Remote Access Trojans (RAT), keyloggers, password-stealers (PSW), and logic bombs.
Transmitting medium: • spam or e-mail • a downloaded file • a disk from a trusted source • a legitimate program with the Trojan inside. • The Trojan looks for your personal information and sends it to the Trojan writer (hacker). It can also allow the hacker to take full control of your system. • Different types of Trojan Horses: 1. The remote access Trojan takes full control of your system and passes it to the hacker. 2. The data-sending Trojan sends data back to the hacker by means of e-mail, e.g., key-loggers, which log and transmit each keystroke.
The destructive Trojan has only one purpose: to destroy and delete files. Unlikely to be detected by anti-virus software. • The denial-of-service (DoS) attack Trojan combines the computing power of all the computers/systems it infects to launch an attack on another computer system, flooding it with traffic until it crashes. • The proxy Trojan allows a hacker to turn the user's computer into HIS (Host Integration Server) server, to make purchases with stolen credit cards and run other organized criminal enterprises in that user's name. • The FTP Trojan opens port 21 (the port for FTP transfer) and lets the attacker connect to your computer using the File Transfer Protocol (FTP).
The security software disabler Trojan is designed to stop or kill security programs such as anti-virus software and firewalls without your knowledge. • Spyware: • Spyware programs explore the files in an information system. • The information is forwarded to an address specified in the spyware. • Spyware can also be used to investigate software users or to prepare an attack.
Trapdoor: a secret, undocumented entry point into a program. • An example of such a feature is the so-called back door, which enables intrusion into the target by bypassing user authentication methods. • A hole in the security of a system deliberately left in place by designers or maintainers. • A trapdoor allows unauthorized access to the system. • The only purpose of a trapdoor is to "bypass" internal controls. It is up to the attacker to determine how this circumvention of control can be used to his benefit.
Types of Trapdoor • Undetectable trapdoor: virtually undetectable. • Hardware trapdoor: security-related hardware flaws.
Worms: • a program that spreads copies of itself through a network. • Does irrecoverable damage to the computer system. • A stand-alone program; spreads only through the network. • Also performs malicious activities other than spreading itself to different systems, e.g., deleting files. • Attacks by worms: • Deleting files and other malicious actions on systems. • Communicating information back to the attacker, e.g., passwords and other proprietary information. • Disrupting the normal operation of the system, i.e. a denial of service (DoS) attack, due to re-infecting already infected systems. • Worms may carry viruses with them.
Means of spreading infection by worms: • Infect one system, gain access to the trusted-host lists on the infected system, and spread to those hosts. • Another method of infection is penetrating a system by guessing passwords. • Exploiting widely known security holes, in case password guessing and trusted-host access fail. e.g., a well-known example of a worm is the ILOVEYOU worm, which invaded millions of computers through e-mail in 2000.
VIRUSES – More Description Desirable properties of viruses (from the virus writer's point of view): • The virus program should be hard for anti-virus software to detect. • Viruses should be hard to destroy or deactivate. • Spread infection widely. • Should be easy to create. • Be able to re-infect. • Should be machine/platform independent, so that it can spread on different hosts.