
Intrusion Detection
State of the Art/Practice
Anita Jones
University of Virginia
Introduction
• Intrusion Detection
– determining whether or not some entity, the
intruder, has attempted to gain, or has gained,
unauthorized access to the system
• Intruder Types
– External
– Internal
10/06
2
State of Practice
• Assume the Operating System as the basis
• Use what an OS knows about -- OS semantics
– users, processes, devices
– controls on access and resource usage
– network traffic management
• Record events in the life of the OS
• Use OS audit records
OS Intrusion Detection Systems -- OS IDS
OS IDS - the two Approaches
• Anomaly Detection
– assume that behavior can be characterized
• statically -- by known, fixed data encoding
• dynamically -- by patterns of event sequences or by
threshold limits on event occurrences (e.g. system calls)
– detect errant behavior that deviates from expected,
normal behavior
• Misuse Detection
– look for known patterns (signatures) of intrusion,
typically as the intrusion unfolds
OS IDS - the two Approaches
• Anomaly Detection
– Static: e.g. Tripwire, Self-Nonself
– Dynamic: e.g. Rule-based (thresholds) -- see GrIDS
• Misuse Detection
– e.g. USTAT
• Networks are handled as “extensions”
– i.e. use the same two approaches listed above
– Centralized: e.g. DIDS, NADIR, NSTAT
– Decentralized: e.g. GrIDS, EMERALD
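The two anomaly flavours from the slides, written out as an added example (this is not code from the slides, Tripwire, or any of the systems named above). The static detector is a Tripwire-style baseline: a fixed digest per monitored file, so "normal" is a known, fixed data encoding. The dynamic detector is the self/nonself idea applied to short windows of system calls: every length-n window seen in normal runs is "self", and a trace is flagged when the fraction of never-seen windows crosses a threshold. The "file system", the syscall traces, the window size n=3 and the 0.2 threshold are all constructed sample values.

```python
import hashlib

# ---- Static anomaly detection: Tripwire-style file baseline -----------------
# Constructed sample "file system": path -> contents. No real files are read.
FILES_AT_INSTALL = {
    "/bin/login": b"\x7fELF-login-v1",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/shadow": b"root:$6$abc:19000::::::\n",
}
FILES_LATER = {
    "/bin/login": b"\x7fELF-login-trojaned",            # replaced binary
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",  # unchanged
    # /etc/shadow is gone
    "/tmp/.hidden": b"dropper",                          # new, never baselined
}

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: dict) -> dict:
    """The 'known, fixed data encoding' of normal: one digest per monitored path."""
    return {path: fingerprint(data) for path, data in files.items()}

def check_baseline(baseline: dict, files: dict) -> dict:
    """Report paths whose digest changed, paths that vanished, and paths not in the baseline."""
    changed = sorted(p for p in baseline if p in files and fingerprint(files[p]) != baseline[p])
    missing = sorted(p for p in baseline if p not in files)
    added = sorted(p for p in files if p not in baseline)
    return {"changed": changed, "missing": missing, "added": added}

# ---- Dynamic anomaly detection: self/nonself over syscall windows ------------
# Constructed traces of a hypothetical service. The normal runs define "self".
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["stat", "open", "read", "close"],
]
ATTACK_TRACE = ["open", "read", "execve", "setuid", "execve"]

def windows(trace, n):
    """All length-n sliding windows of a syscall trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def train_self(traces, n=3):
    """Self = every length-n window observed during normal operation."""
    self_set = set()
    for t in traces:
        self_set.update(windows(t, n))
    return self_set

def foreign_fraction(self_set, trace, n=3):
    """Fraction of windows in `trace` that never occurred in training (0.0 = fully normal)."""
    ws = windows(trace, n)
    if not ws:
        return 0.0
    return sum(1 for w in ws if w not in self_set) / len(ws)

def is_anomalous(self_set, trace, n=3, threshold=0.2):
    """Threshold rule on the foreign fraction; the threshold is a tuning choice."""
    return foreign_fraction(self_set, trace, n) > threshold

if __name__ == "__main__":
    base = build_baseline(FILES_AT_INSTALL)
    print("file check:", check_baseline(base, FILES_LATER))
    selfset = train_self(NORMAL_TRACES)
    print("attack trace foreign fraction:", foreign_fraction(selfset, ATTACK_TRACE))
```

Two caveats the slides' questions about audit records make concrete: the baseline and the self set are themselves data an intruder will try to rewrite, so they must live where the monitored host cannot modify them; and the dynamic detector only knows the normal runs it was trained on, so an incomplete training set shows up as false positives, not as missed attacks.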
Audit Records
• Most IDS depend on audit records
• What do OS audit records record?
• Can the OS assure integrity of the audit records?
• What techniques would an intruder use to cover
his tracks that might be found in an audit trail?
“Clandestine intruders”
• Forensics
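One partial answer to "can the OS assure integrity of the audit records?", as an added example rather than anything from the slides: hash-chain the records so each entry commits to everything logged before it, and keep a keyed seal over the chain head off the audited host. The chain alone catches an edit or a deletion in the middle; it does not catch truncation of the tail or an intruder who rewrites a record and recomputes every later hash, which is exactly what a root-level "clandestine intruder" would do. The off-host seal catches both. Records, timestamps and the collector key are constructed sample values.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain head before any record exists

def entry_hash(prev_hash: str, record: dict) -> str:
    """Digest binding a record to the hash of the entry before it."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(json.dumps(record, sort_keys=True).encode())
    return h.hexdigest()

def append(trail: list, record: dict) -> None:
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"record": record, "hash": entry_hash(prev, record)})

def first_broken_link(trail: list) -> int:
    """Index of the first entry that does not chain from its predecessor, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(trail):
        if entry_hash(prev, e["record"]) != e["hash"]:
            return i
        prev = e["hash"]
    return -1

def seal(trail: list, key: bytes) -> str:
    """MAC over (entry count, head hash). Stored off-host, e.g. by the log collector."""
    head = trail[-1]["hash"] if trail else GENESIS
    return hmac.new(key, f"{len(trail)}:{head}".encode(), hashlib.sha256).hexdigest()

def seal_matches(trail: list, key: bytes, sealed: str) -> bool:
    return hmac.compare_digest(seal(trail, key), sealed)

# Constructed sample audit records and an assumed key that lives only on the collector.
SAMPLE_RECORDS = [
    {"ts": "2006-10-01T08:00:00", "uid": 1001, "event": "login", "from": "10.0.0.5"},
    {"ts": "2006-10-01T08:02:11", "uid": 1001, "event": "su", "to_uid": 0},
    {"ts": "2006-10-01T08:02:40", "uid": 0, "event": "exec", "path": "/bin/sh"},
]
COLLECTOR_KEY = b"example-key-held-off-host"

def build_sample_trail() -> list:
    trail = []
    for r in SAMPLE_RECORDS:
        append(trail, r)
    return trail

def tamper_edit(trail: list) -> list:
    """Intruder rewrites the 'su' record in place without rehashing: chain breaks at index 1."""
    t = copy.deepcopy(trail)
    t[1]["record"]["to_uid"] = 1001
    return t

def tamper_truncate(trail: list) -> list:
    """Intruder deletes the last two records: chain stays consistent, seal does not."""
    return copy.deepcopy(trail[:1])

def tamper_rewrite_chain(trail: list) -> list:
    """Intruder edits a record and recomputes all later hashes: only the seal catches it."""
    edited = tamper_edit(trail)
    rebuilt = []
    for e in edited:
        append(rebuilt, e["record"])
    return rebuilt

if __name__ == "__main__":
    trail = build_sample_trail()
    sealed = seal(trail, COLLECTOR_KEY)
    for name, t in [("edit", tamper_edit(trail)), ("truncate", tamper_truncate(trail)),
                    ("rewrite", tamper_rewrite_chain(trail))]:
        print(name, "broken link:", first_broken_link(t), "seal ok:", seal_matches(t, COLLECTOR_KEY, sealed))
```

The seal has to be refreshed as the trail grows (every N records, or on each shipment to the collector), and it only covers records that were written: an intruder who disables auditing going forward leaves no gap the chain can see, which is why the collector should also expect a steady heartbeat of records.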
User Profiles
• What can you use to characterize user activity?
• Measures (absolute amounts; fluctuation; duration):
– use of memory
– use of processors
– network traffic
• Absolute measures
• Statistical measures -- thresholds
Measure                          What is recorded
CPU usage                        count of elapsed CPU execution, in seconds
I/O usage                        # of devices; duration of use of each; # commands
Location of use                  # connections from each location
Mailer usage                     # invocations
Editor usage                     # invocations
Compiler usage                   # invocations
Shell usage                      # invocations
Directory usage                  # directories accessed; # accesses per directory
Commands used                    # commands; # repetitions per command
Directories created              # created
Directories read                 # accessed; # at end of path
Directories modified             # directories changed; # mods per dir.; size increase/decrease
File usage                       # accesses; # mods; magnitude of mods
Temp files created               #; average size; standard deviation of size
User IDs accessed                # times ID is changed
System errors                    #
System errors by type            # per type
Audit record activity            categories of records; # of each category; # per hour
Hourly activity                  patterns of CPU, files, memory used per hour
Time of day use                  pattern of average on-line use per day
Remote network activity          # packets sent; packets per hour
Network activity by host         hosts contacted
Local network activity           traffic within local network
Local network activity by host   traffic by host inside local network
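An added example of the profile idea on the two slides above (not code from the slides): a per-user profile is the mean and standard deviation of each measure over past sessions, a new session is compared against it with a statistical threshold (k standard deviations), and a few measures also carry an absolute limit, such as any change of user ID. The session history, the four measures, k=3 and the standard-deviation floor are constructed sample values; the floor exists so that a measure with zero historical variance does not turn every nonzero value into a division-free but meaningless "infinite" deviation.

```python
import statistics

MEASURES = ("cpu_seconds", "commands", "files_modified", "uid_changes")

# Absolute limits: any value above these is reported regardless of the user's history.
ABSOLUTE_LIMITS = {"uid_changes": 0}

# Constructed sample history: five past sessions for one user.
HISTORY = {
    "alice": [
        {"cpu_seconds": 40, "commands": 80, "files_modified": 3, "uid_changes": 0},
        {"cpu_seconds": 55, "commands": 95, "files_modified": 5, "uid_changes": 0},
        {"cpu_seconds": 48, "commands": 88, "files_modified": 4, "uid_changes": 0},
        {"cpu_seconds": 60, "commands": 100, "files_modified": 6, "uid_changes": 0},
        {"cpu_seconds": 52, "commands": 90, "files_modified": 4, "uid_changes": 0},
    ]
}

# Constructed sessions to score: one ordinary, one that looks like a compromised account.
NORMAL_SESSION = {"cpu_seconds": 50, "commands": 85, "files_modified": 5, "uid_changes": 0}
SUSPECT_SESSION = {"cpu_seconds": 900, "commands": 95, "files_modified": 60, "uid_changes": 2}

def build_profile(sessions: list) -> dict:
    """Per-measure (mean, population std dev) over the user's past sessions."""
    profile = {}
    for m in MEASURES:
        xs = [s[m] for s in sessions]
        profile[m] = (statistics.fmean(xs), statistics.pstdev(xs))
    return profile

def flag_session(profile: dict, session: dict, k: float = 3.0, min_sd: float = 1.0) -> list:
    """Return (measure, reason) pairs for every measure outside its absolute or statistical limit."""
    flags = []
    for m, (mean, sd) in profile.items():
        x = session[m]
        if m in ABSOLUTE_LIMITS and x > ABSOLUTE_LIMITS[m]:
            flags.append((m, "absolute"))
            continue
        # max(sd, min_sd): a measure that never varied historically still gets a sane band.
        if abs(x - mean) > k * max(sd, min_sd):
            flags.append((m, "statistical"))
    return flags

def score_user(user: str, session: dict, history: dict = HISTORY) -> list:
    return flag_session(build_profile(history[user]), session)

if __name__ == "__main__":
    print("normal:", score_user("alice", NORMAL_SESSION))
    print("suspect:", score_user("alice", SUSPECT_SESSION))
```

Two practical points hide in this: the profile must be updated only from sessions that were not flagged, otherwise an intruder who stays just under the threshold slowly drags the baseline toward their own behaviour; and the absolute limits are where site policy lives, since no amount of history makes a privilege change "normal" for an account that should never have one.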
Signatures
• Signature is some data or pattern of
data that captures distinctive behavior
• Many IDS systems depend upon the
development of a signature
• Large variety
• Formats of signatures may differ
• What is “summarized”?
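An added example of misuse detection with a signature that is a pattern over the audit stream rather than a single record, in the state-transition style the USTAT reference above stands for (this is constructed illustration code, not USTAT's rule language or the slides' own material). The signature is a sequence of states; each step names an audit action and a variable that must bind to the same object across steps, so "create a file, make it setuid, execute it" only fires when it is the same file and the same subject. Partial matches are kept per subject, so the match advances as the intrusion unfolds. The event records and the signature itself are constructed sample data.

```python
# A signature is an ordered list of (action, variable) steps. The variable binds to the
# event's object on first use and must match on later steps.
SETUID_FILE_SIGNATURE = [("create", "f"), ("chmod_setuid", "f"), ("exec", "f")]

# Constructed audit events, in arrival order. uid 1001 completes the pattern on /tmp/x;
# uid 1002 creates and runs a file but never makes it setuid, so it must not match.
EVENTS = [
    {"uid": 1001, "action": "create", "obj": "/tmp/x"},
    {"uid": 1001, "action": "read", "obj": "/etc/motd"},
    {"uid": 1002, "action": "create", "obj": "/tmp/y"},
    {"uid": 1001, "action": "chmod_setuid", "obj": "/tmp/x"},
    {"uid": 1001, "action": "exec", "obj": "/bin/ls"},        # wrong object: no advance
    {"uid": 1002, "action": "exec", "obj": "/tmp/y"},
    {"uid": 1001, "action": "exec", "obj": "/tmp/x"},         # final state reached
]

class SignatureMatcher:
    def __init__(self, signature: list):
        if len(signature) < 2:
            raise ValueError("a state-transition signature needs at least two steps")
        self.signature = signature
        self.partial = {}  # subject -> list of (next_step_index, bindings)

    def feed(self, event: dict) -> list:
        """Advance every partial match for this subject; return completed (uid, object) alerts."""
        subj = event["uid"]
        alerts, kept = [], []
        for step, bindings in self.partial.get(subj, []):
            action, var = self.signature[step]
            same_obj = bindings.get(var, event["obj"]) == event["obj"]
            if event["action"] == action and same_obj:
                new_b = dict(bindings, **{var: event["obj"]})
                if step + 1 == len(self.signature):
                    alerts.append((subj, new_b[var]))       # completed: state is dropped
                else:
                    kept.append((step + 1, new_b))
            else:
                kept.append((step, bindings))               # still waiting for this step
        first_action, first_var = self.signature[0]
        if event["action"] == first_action:
            kept.append((1, {first_var: event["obj"]}))     # a fresh partial match
        self.partial[subj] = kept
        return alerts

def run_stream(events: list, signature: list = SETUID_FILE_SIGNATURE) -> list:
    """Feed events one at a time, as an online detector would, collecting alerts."""
    matcher = SignatureMatcher(signature)
    alerts = []
    for ev in events:
        alerts.extend(matcher.feed(ev))
    return alerts

if __name__ == "__main__":
    print(run_stream(EVENTS))
```

The matcher never forgets a partial match, which is the right default for a demonstration but not for production: a real system ages out partial states, and an intruder who knows that (or who simply spreads the steps across subjects or sessions) is the "newly invented intrusion" for which the next slide says an OS IDS has no pattern.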
OS IDS -- a Particular Problem
• OS IDS has problems when
– anomalous & normal behavior can’t be
distinctly characterized
– OS IDS has no pattern for a newly invented
intrusion (misuse)
• But, the greatest problem is
– to distinguish abusive internal (legit user)
activity
An OS IDS is inherently limited by the semantics of the OS.
You can’t talk about something for which you have no words!
Alarms
• Who do you call?
• How do they respond?
• Quality of the IDS:
– False positives
– False negatives