Transcript 60-564 Survey

60-564 Survey
“Intrusion Detection: Systems and Models”
“A Stateful Intrusion Detection System for
World-Wide Web Servers”
1
Outline







Introduction
Computer attacks
The STAT framework
Intrusion Detection System
A novel IDS – WebSTAT
Performance evaluation
Conclusion
2
Introduction

Computer security is to protect computer
resources:





read and write access to a data file
processing time
communication over a network link
An intrusion is somebody attempting to break
into or misuse your system
IDS is a network security system designed to
identify intrusive or malicious behavior via
monitoring of network activity.
3
Computer Attacks






Worms - self replicating programs that spread across a
network.
Viruses - programs that replicate when a user performs some
action such as running a program.
Server attacks - a client exploits a bug in the server to cause
it to perform some unintended action.
Client attacks - a server exploits a bug in a client to cause it
to perform some unintended action.
Network attacks (denial of service) - a remote attacker
exploits a bug in the network software or weakness in the
protocol to cause a server, router, or network to fail.
Root attacks - a user on a multiuser operating system obtains
the priveliges of another user (usually root)
4
Computer Attacks - Worm


A worm is an independent program that replicates from machine
to machine across network connections.
The three security flaws:

Backdoor



Buffer overflow




bypasses the normal security mechanisms
Usually installed for maintenance purposes
A process contains: Code, data, and stack
Stack is to store information associated with function calls
By overriding stack, the attacker can both inject a malicious execution
code and set the return address to point to the malicious code
Weak password


First guess the administrator’s password
Copy itself to the startup to propagate every time the machine start up
5
Computer Attacks - Virus



software program capable of causing
great harm to the computer
Unlike a worm, it requires action from a
user to spread
For example, email viruses spread when
the recipient runs an attached program
6
Computer Attacks - Server
Attacks



Nearly every type of service has
identified vulnerabilities which has been
attacked
For example, IIS4 installs a number of
sample scripts.
These scripts give clients access to view
any file on the same volume as the web
server
7
Computer Attacks - Client
Attacks




Unlike a server attack, it works by waiting for
victims to connect to a rogue server
For example, a buffer overflow vulnerability
has been found in Outlook
It allows arbitrary code to be executed by
overflowing the time zone field in the date
field of the mail header
activated when the user download the mail
from mail server using outlook
8
Computer Attacks - Network
Attacks





usually Denial of Service (DoS) attacks
disturb the normal operation of applications
take advantage of a weakness in the system
or application
cause it to crash or stop responding
For example, ping to death: Some systems
will crash if they received a fragmented ICMP
packet. An attack is to send a packet larger
than 65,535 bytes, which causes many
TCP/IP implementations to crash.
9
Computer Attacks - Root
Attacks


a user on a multi-user system obtains
root or administrative privileges
Certain programs are suid bit set, break
this program means obtaining the root
user privilege
10
The STAT Framework


STAT is a technique for representing high-level
descriptions of computer attacks
It contains 6 components:






STATL
Language Extension Module
Event Provider
Scenario Plug-in
Response Module
STAT Core
11
The STATL Language




Attack description language
Using states and transitions to
represent attack scenarios
domain-independent
It is extended by the IDS developer to
express the characteristics of a
particular domain and environment.
E.g. Sun Solaris, Windows NT.
12
Language Extension Modules



shared libraries that
define events that
describe a particular
application domain.
Loaded into STAT
Core in runtime
Loaded before either
Scenario Plugin or
Event Provider can
use it
13
Event Providers




collects events from the
external environment
Create events as
defined in Language
Extension Modules
encapsulates events
into generic STAT
events
inserts events into the
event queue of the
STAT Core
14
Scenario Plugins


shared library that
describes an attack
scenario.
It is defined either
from a STATL
description or from
user manually
15
Response Modules



shared library that
contains Response
Functions.
If the state in a
scenario is reached the
Response Function is
invoked
For example, it an alert
to someone, or take
steps to stop an
ongoing attack once a
state is reached.
16
STAT Core




Loads various modules
matches the event
supplied by Event
Providers
executes the
corresponding
transitions
triggers responses
defined in Response
Modules
17
Intrusion Detection System

Host-based IDS



uses log files and system’s auditing agents
monitors the communications traffic in and out of
a single computer
checks the integrity of system files and process




Network-based IDS
monitors the traffic on its network segment
Capture three signatures: String, Port and
Header signatures
18
WebSTAT


It is an IDS developed
based on STAT
framework.
built by composing the
STAT core with a
number of web
language extensions
modules, event
providers, attack
scenarios plugins, and
response modules.
19
Attack Scenario Examples


Document Root Escape Attack:
detect events from the web server log
and operating system logs to examine
the unauthorized file system access
Cookie stealing scenario: detects if a
valid cookie is improperly used by
unauthorized user to steal protected
web resources
20
Performance Evaluation

Experiments on a host running





standalone Apache
Apache monitored by WebSTAT
WebSTAT incurs a small performance
overhead in web server throughput.
acceptable given the powerful detection
capabilities WebSTAT provides
a sophisticated web server performance
tuning would also reduce the overhead
21
Conclusion





Presented classification of computer attacks
and intrusion detection system
Described STAT framework
The IDS implementation WebSTAT
From the performance evaluation result, we
see although WebSTAT brings some small
performance overhead to the web server
It is acceptable considering the advanced
detection capabilities.
22
Reference









Sherif, J.S.; Dearmond, T.G.; “Intrusion detection: systems and
models”
Sundaram, A., “An Introduction to Intrusion Detection”.
Mahoney, M., “Computer Security: A Survey of Attacks and
Defenses”
Lindquist, U., and E. Jonsson, “How to Systematically Classify
Computer Security Intrusions"
Giovanni Vigna, William Robertson, Vishal Kher, and Richard A.
Kemmerer, “A Stateful Intrusion Detection System for World-Wide
Web Servers”
STAT Framework Reference Manual
S.T. Eckmann, G. Vigna, and R.A. Kemmerer, "STATL: An Attack
Language for State-based Intrusion Detection,"
G. Vigna, S.T. Eckmann, and R.A. Kemmerer, "The STAT Tool Suite"
G. Vigna, R.A. Kemmerer, and P. Blix, "Designing a Web of HighlyConfigurable Intrusion Detection Sensors"
23