Intrusion Detection Systems - Department of Computer Science

Intrusion Detection Systems
By Ali Hushyar
What is an intrusion?
• Intrusion: “any action or set of actions that
attempt to compromise the integrity,
confidentiality or availability of a resource”
Heady et al. [Ku95]
• Intrusion types
– External penetrations
– Internal penetrations
– Misfeasance
Preventing Intrusion
• Authentication
• Access Control
• Firewalls
• Vulnerability Patching
• Restricting physical access
• Intrusion Detection Systems
Principles
• Assumptions about computer systems [D86]
– Actions of processes follow specifications describing
what the processes are allowed to do
– Actions of users and processes have statistically
predictable patterns
– Actions of users and processes do not have
command sequences aimed at compromising system
security policies
• Exploiting vulnerabilities requires an abnormal
use of normal commands or instructions.
Principles
• Intrusion detection: determine whether a
user has gained or is trying to gain
unauthorized access to the system by
looking for abnormalities in the system.
• IDS Analysis Approaches
– Anomaly detection
• Distinguish anomalous behavior from normal
behavior
– Misuse detection
• Detect intrusions based on well-known techniques
Static Anomaly Detection
• File integrity checkers
– Parts of the system are expected to remain constant
(e.g. system code and data)
– Detect anomaly by comparing current system
state to original system state
– Representation of system state
• Actual bit strings
• Signatures of bit strings (hash functions)
• Meta-data “selection masks” on file or inode fields
such as size, access permissions, modification
timestamp, access timestamp, user id, group id,
etc…
Tripwire
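The Tripwire idea above can be sketched in a few lines: record a content hash plus selected meta-data fields for each file, then compare the current state against that baseline. This is a minimal illustration, not Tripwire's actual implementation; the `snapshot`/`check` names are invented for the example.

```python
import hashlib
import os
import stat

def snapshot(paths):
    """Record a content hash plus selected inode meta-data for each file."""
    db = {}
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        # "selection mask": the fields we will compare later
        db[p] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return db

def check(baseline):
    """Compare the current system state against the baseline snapshot."""
    alerts = []
    for p, old in baseline.items():
        if not os.path.exists(p):
            alerts.append((p, "deleted"))
        elif snapshot([p])[p] != old:
            alerts.append((p, "modified"))
    return alerts
```

Note that, unlike the Self-Nonself scheme discussed later, this approach does detect deletion of files, because the baseline remembers which paths existed.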
Static Anomaly Detection
• Virus checkers
– Look for virus signatures in system files or
memory
– Actual virus bit strings are stored in database
• Self-Nonself
– Like Tripwire, part of system is static
– Like virus checkers, it is necessary to
maintain set of unwanted signatures
– Human immune system
Static Anomaly Detection
• Create Self (example from [F94])
– Represent system state as single static string
00101000100100000100001010010011
– Split string into substrings of size k
0010 1000 1001 0000 0100 0010 1001 0011
• Create Nonself
– Generate random substrings of size k
0111 1000 0101 1001
– Censor by comparing substrings to those in Self
0111 0101
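The censoring step above can be sketched directly: split the Self string into size-k substrings, discard any candidate detector that matches one of them, and flag a later system state whose substrings match a surviving Nonself detector. Function names are illustrative, not from [F94].

```python
def split_self(bits, k):
    """Split the system-state bit string into the set of size-k substrings (Self)."""
    return {bits[i:i + k] for i in range(0, len(bits), k)}

def censor(candidates, self_set):
    """Keep only candidate detectors that match nothing in Self (Nonself)."""
    return [c for c in candidates if c not in self_set]

def detect(current_bits, nonself, k):
    """Any substring of the current state matching a Nonself detector is an anomaly."""
    return [s for s in split_self(current_bits, k) if s in nonself]
```

Running this on the slide's data, the candidates 1000 and 1001 are censored because they appear in Self, leaving the detectors 0111 and 0101.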
Static Anomaly Detection
• Size of Nonself affects probability of
detecting anomalies and computational
load
• Probability of detection can be configured
• Generating Nonself is expensive, but
monitoring the system afterwards is cheap
• Comparison with Tripwire
– Does not depend on meta-data
– Will not detect deletion of files
Dynamic Anomaly Detection
• Real world examples (logins, credit-card use)
• System behavior defined as sequences of
events that are recorded by OS logs and audit
records, application logs, network monitors and
other probes
• Base profiles are created for each entity to be
monitored that characterize normal behavior for
that entity
• Current profiles are built by monitoring system
events and deviations from base profile are
measured
Statistical Models
• Each profile consists of set of measures
• Measures capture activity intensity, audit
record distribution, and categorical and
ordinal attributes
• Measures can be seen as random
variables
• Profiles evolve over time, so aging of
measures or adapting the statistical rules
must account for this
Statistical Models
• Operational/Threshold Model
– Measure is deemed abnormal if it surpasses fixed
limits imposed on the measure
• Mean and Standard Deviation Model
– Mean and standard deviation of previous n values are
known. A confidence value for the new measure can
be determined.
• Multivariate Model
– Better conclusions can be made by taking into
consideration correlations of related measures.
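The first two models above can be sketched as follows. This is a toy illustration; the fixed limits and the choice of d = 2 standard deviations are arbitrary.

```python
import statistics

def threshold_anomalous(value, lo, hi):
    """Operational/threshold model: abnormal if outside fixed limits."""
    return not (lo <= value <= hi)

def meanstd_anomalous(history, value, d=2.0):
    """Mean and standard deviation model: abnormal if the new value falls
    outside mean +/- d standard deviations of the previous n values."""
    m = statistics.mean(history)
    sd = statistics.stdev(history)
    return abs(value - m) > d * sd
```

The second model yields a confidence interval for the new measurement rather than a hard-coded limit, so it adapts as the profile evolves.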
Statistical Models
• Clustering Model is an example of a
nonparametric statistical technique
• Data is grouped into clusters
• Example from [B03]
Process   User     CPU Time   25% ranges   50% ranges
p1        matt     359        4            2
p2        holly    10         1            1
p3        heidi    263        3            2
p4        steven   68         1            1
p5        david    133        2            1
p6        mike     195        3            2
Statistical Models
• Combining individual measurement values to
determine overall abnormality value for the
current profile
• Let Si be the recorded value of each measure
Mi. A combining function [Ku95] can then be a
weighted sum of squares:
a1·S1² + a2·S2² + … + an·Sn², with each
weight ai > 0 reflecting the relative
importance of measure Mi
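A minimal sketch of that combining function (the function name is invented for the example):

```python
def combined_abnormality(S, a):
    """Weighted sum of squares a1*S1^2 + ... + an*Sn^2 over the measure
    values S, with every weight a_i > 0."""
    if any(w <= 0 for w in a):
        raise ValueError("weights must be positive")
    return sum(w * s * s for w, s in zip(a, S))
```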
Statistical Models
• If individual measures Mi are not mutually
independent then more complex combining
functions will be needed
Bayesian Statistics
• Ai is 0 or 1 depending on whether measure Mi
is normal or anomalous, respectively [Ku95]
• Bayes' rule then gives the probability of an
intrusion I from the observed measures:
P(I | A1, …, An) = P(A1, …, An | I) · P(I) / P(A1, …, An)
Models based on Sequences of Events
• Markov Process Model
• Given the present state, past states of a system
have no influence on future states
• Next state relies only on present state
• Non-deterministic systems mean that there are
transition probabilities for each state
• Given an initial state, an event that transitions
system to a state of low probability is taken to be
anomalous
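The Markov model above can be sketched as follows, assuming transition probabilities are simply estimated from an observed training sequence and a fixed probability threshold separates normal from anomalous transitions (both assumptions are mine, for illustration):

```python
from collections import defaultdict

def transition_probs(events):
    """Estimate P(next state | current state) from an observed event sequence."""
    counts = defaultdict(lambda: defaultdict(int))
    for cur, nxt in zip(events, events[1:]):
        counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(nxts.values()) for nxt, n in nxts.items()}
            for cur, nxts in counts.items()}

def anomalous_transition(probs, cur, nxt, threshold=0.1):
    """A transition of low (or zero) estimated probability is flagged."""
    return probs.get(cur, {}).get(nxt, 0.0) < threshold
```

A transition never seen in training has estimated probability zero and is always flagged; smoothing would be needed in practice to tolerate rare but legitimate behavior.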
Time-based Inductive Learning
• Sequence of events:
abcdedeabcabc
• Predict the events:
R1: ab → c (1)
R2: c → d (0.5)
R3: c → a (0.5)
R4: d → e (1)
R5: e → a (0.5)
R6: e → d (0.5)
• Single out rules that are good indicators of
behavior: R1 and R4
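The rule induction above can be sketched by counting, for each prefix, how often each event follows it; the observed fraction is the rule's confidence. This sketch works on a string of single-character events; reproducing the slide's sequence yields the same confidences as R1 through R6.

```python
from collections import defaultdict

def induce_rules(events, lhs_len=1):
    """Derive rules 'prefix -> next event' with observed confidence
    (the fraction of occurrences of the prefix followed by that event)."""
    counts = defaultdict(lambda: defaultdict(int))
    for i in range(len(events) - lhs_len):
        counts[events[i:i + lhs_len]][events[i + lhs_len]] += 1
    return {(lhs, rhs): n / sum(rhss.values())
            for lhs, rhss in counts.items() for rhs, n in rhss.items()}
```

Rules with confidence 1, like R1 and R4 above, are the good behavioral indicators: any deviation from them is a strong anomaly signal.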
UNM Pattern Matching
• System behavior defined as sequence of
OS routine calls
• Entities monitored consist of those
processes that run with elevated privileges
• Profile consists of legitimate traces which
are sequences of OS calls of length k
UNM Pattern Matching
• Example from [J00]
open read write open mmap write fchmod close
• Profile traces with max length 4
open read write open
open mmap write fchmod
read write open mmap
write open mmap write
write fchmod close
mmap write fchmod close
fchmod close
close
• Later sequence of calls recorded
open read read open mmap write fchmod close
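The trace-building and matching steps can be sketched as sliding windows over the call stream; windows of the later sequence that never appear in the profile are the mismatches. Applied to the example above, the three windows around the substituted `read` call are flagged. Function names are illustrative.

```python
def build_profile(calls, k):
    """All contiguous call subsequences of length k (shorter near the tail),
    collected from traces of a normally behaving privileged process."""
    return {tuple(calls[i:i + k]) for i in range(len(calls))}

def mismatches(calls, profile, k):
    """Windows of a later call stream that never occurred in the profile."""
    return [tuple(calls[i:i + k]) for i in range(len(calls))
            if tuple(calls[i:i + k]) not in profile]
```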
Neural Networks
• Information processing model based on
biological nervous systems like the brain
• Different from expert systems in that they
have the ability to learn
• Given a data vector they can either apply
what they have learned to determine an
output or “recognize” similarity between
input data vector and other inputs to
determine outputs
Neural Networks
(http://www.doc.ic.ac.uk)
X1   X2   X3   OUT
0    0    0    0
0    0    1    0
0    1    0    0/1
0    1    1    0/1
1    0    0    0/1
1    0    1    1
1    1    0    0/1
1    1    1    1
Neural Network Intrusion Detector
• Identify legitimate user on system
• Obtain logs indicating how often a user executed
a specific command on a system during different
time intervals over a period of several days
• Each user is represented by a vector of
command frequencies
• 100 commands = a 100-dimensional input
vector
• Train the neural net to recognize specific user
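A sketch of the input encoding, assuming each user's log is reduced to relative command frequencies over a fixed command vocabulary (the vocabulary and helper name are invented for the example):

```python
from collections import Counter

def command_vector(command_log, vocabulary):
    """Turn a user's command log into a vector of relative frequencies,
    one dimension per command in the fixed vocabulary."""
    counts = Counter(command_log)
    total = len(command_log)
    return [counts[cmd] / total for cmd in vocabulary]
```

Vectors built this way over different time intervals form the training set; the network is then trained to output 1 for the legitimate user's vectors and 0 otherwise.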
Misuse Detection
• Anomaly detectors can gradually be trained
by an intruder to accept intrusive behavior,
and vulnerabilities exploited by known
attacks often remain unpatched.
• Detecting intrusions based on known
techniques or sequences of actions
• Intrusion scenario or signature must be
formally defined
Rule-based Misuse Systems
• Intrusion scenarios are defined as a set of
rules
• System maintains rule base of intrusion
scenarios and fact base of event
sequences from audit logs
• When fact pattern matches antecedent of
rule then a rule binding is established and
rest of rule is evaluated
Rule-based Misuse Systems
• MIDAS rule example [J00]
(defrule illegal_privileged_account states
if there exists a failed_login_item
such that name is (“root”) and
time is ?time_stamp and
channel is ?channel
then
(print “Alert: Attempted login to root”)
and remember a breakin_attempt
with certainty *high*
such that attack_time is ?time_stamp
and login_channel is ?channel)
State-based Misuse Detection
• Intrusion scenarios are modeled as a number of
different states and the transitions between them
• Actions of would-be intruders lead to compromised
state
• Two subclasses: state transition and Petri net
• State transition
– States form a simple chain traversed from beginning to
end
– Table for each possible intrusion in progress
– For each event processed, if event causes transition then
row with next state is added to table
– Event that causes a transition to a final state indicates
intrusion
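The table-driven matching above can be sketched with a transition map keyed by (state, event): each event may start a new chain or advance existing ones, and reaching the final state raises an alert. The two-step scenario in the usage test is made up for illustration, not a real attack signature.

```python
def match_scenario(transitions, start, final, events):
    """Track every intrusion scenario in progress.  `transitions` maps
    (state, event) -> next state; an event matching the scenario's first
    transition opens a new chain, and reaching `final` raises an alert."""
    active = []   # states of intrusions currently in progress
    alerts = 0
    for ev in events:
        advanced = []
        if (start, ev) in transitions:          # event may begin a new chain
            advanced.append(transitions[(start, ev)])
        for st in active:
            advanced.append(transitions.get((st, ev), st))  # else stay put
        alerts += sum(1 for s in advanced if s == final)
        active = [s for s in advanced if s != final]
    return alerts
```

Each entry in `active` corresponds to one row of the slide's "table for each possible intrusion in progress".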
Petri Networks
• Intrusion states form a Petri net that follow
a more general tree structure
• Many branches may exist denoting initial
states of the intrusion
• Unix version 7 implemented mkdir as two
separate privileged calls [B03]:
mknod(“xxx”, directory)
chown(“xxx”, user, group)
– An attacker who unlinks “xxx” and links the
name to /etc/passwd between the two calls
tricks chown into giving away ownership of
the password file
Petri Networks
[Petri net for the mkdir attack: initial state S1, intermediate states S2–S6,
final (compromised) state F; transitions mknod, unlink, link, and chown;
guard conditions include this[uid] != 0 && File1 == this[obj],
this[uid] == 0 && File1 == true_name(this[obj]),
true_name(this[obj]) == true_name(“/etc/passwd”) && File2 = this[obj],
and this[uid] == 0 && File2 == this[obj]]
Other Misuse Techniques
• Simple string matching, e.g. Knuth-Morris-Pratt (KMP)
• Protocol Analysis
– Detect attack signatures by taking advantage
of structure of network data packets.
– Identifying packets by protocol and thus
interpreting payload data
– Fragmented packets can be reassembled
before intrusion analysis
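Since the slides name KMP, here is a compact Knuth-Morris-Pratt matcher as it might be used to scan a reassembled payload for an attack signature (the strings in the test are illustrative, not real signatures):

```python
def kmp_search(text, pattern):
    """Knuth-Morris-Pratt: return all start offsets of pattern in text."""
    # Build the failure function: longest proper prefix that is also a suffix.
    fail = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    # Scan the text without ever re-reading a text character.
    hits, k = [], 0
    for i, ch in enumerate(text):
        while k and ch != pattern[k]:
            k = fail[k - 1]
        if ch == pattern[k]:
            k += 1
        if k == len(pattern):
            hits.append(i - k + 1)
            k = fail[k - 1]
    return hits
```

For many signatures at once, real systems favor multi-pattern algorithms such as Aho-Corasick over running KMP once per signature.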
References
• [B03] Bishop, M. (2003). Computer Security: Art and Science.
• [Kr03] Krishna, S. (2003). Intrusion Detection Techniques: Pattern Matching and Protocol Analysis.
• [J00] Jones, A. (2000). Computer System Intrusion Detection: A Survey.
• [Ku95] Kumar, S. (1995). Classification and Detection of Computer Intrusions.
• [F94] Forrest, S. (1994). Self-Nonself Discrimination in a Computer.
• [D86] Denning, D. (1986). An Intrusion Detection Model.