Transcript Project Presentation Malicious Software & Intrusion Detection Systems

Intrusion Detection
By
Himani Singh
([email protected])
&
Kavita Khanna
([email protected])
(CS-265, Fall-2003)
1
Intrusion Detection – “Presentation Outline”
 How an Intruder gets access?
 Security Holes and Vulnerabilities
 What is Intrusion Detection?
 Typical intrusion scenario
 Host based and Network based Intrusion
Detection.
 Knowledge based and behavioral based
Intrusion Detection.
 False positives / false alarms.
 Do I need IDS if I already have a firewall?
2
How an Intruder get access
Intruder
o a hacker and/or cracker who hacks into
systems and does unauthorized/
malicious activities
How does an intruder get access?
o Physical Intrusion  remove some
hardware, disk, memory…
o System Intrusion low-privilege user
account
o Remote Intrusion  across network
3
Security Holes and Vulnerabilities
What?
System
configuration
Software
bugs
Traffic
Sniffing
Bad
Password
Policy
Design
flaws
4
Security Holes and Vulnerabilities
 Software bugs
Buffer overflows –overflow input by intentional
code.
Unexpected combinations: PERL can send some
malicious input to another program
Unhandled input: action on invalid input ?
Race conditions: rare but possible
 System configuration
Default configurations -easy-to-use
configurations
Lazy administrators- empty root/administrator
password
Hole creations- Turn off everything that doesn't
5
Security Holes and Vulnerabilities
(Cont…)
 Password cracking
 Weak passwords, Dictionary attacks and Brute force etc
 Sniffing unsecured traffic
 Shared medium
 Server sniffing
 Remote access
 Design flaws
 TCP/IP protocol flaws
 Smurf—ICMP request as return address as victim's
 SYN Flood-target run out of recourse,combine with IP
spooling
 UNIX design flaws
 Distributed DoS attack – Amazon and Yahoo
 Do not forget Social Engineering- Hacker
“Kevin Mitnick” told congress that he use
technology only 2% of time
6
What is Intrusion Detection
 Intrusion: An unauthorized activity or access to
an information system. Attack originated outside
the organization.
 Misuse:Attacks originating inside the
organization.
 Intrusion Detection (ID): process of detecting, if
Intrusion / Misuse has been attempted, is
occurring, or has occurred .[1]
Intrusion and/or misuse can be as severe as
stealing sensitive information or misusing your
email system for Spam
ID runs continuously
Does both Detection and Response
.[1]
The practical Intrusion Detection book by Paul E.Proctor
7
Typical intrusion scenario
o
o
o
o
o
o
Step 1: outside reconnaissance
Step 2: inside reconnaissance
Step 3: exploit
Step 4: foot hold
Step 5: profit, like bandwidth theft
Step 6: get out,cover trace
random internet addresses looking for a
specific hole on any system rather than a
specific system
8
Step 1 & 2: Reconnaissance
Ping sweeps
TCP/UDP scans
OS identification
Account scan
9
Step 3: EXPOITS
CGI scripts
Web server attacks
 Web browser attacks
URL, HTTP, HTML, JAVA SCRIPT, FRAMS
SMTP (SendMail) attacks
IP spoofing
DNS poisoning
Buffer Overflows
10
Detection
 Signature recognition
Patterns - well-known patterns of attack
e.g.
 cgi patterns
 tcp port scans
Port based signatures: if common ports are
not in use and traffic is coming in / going out
on that port
Invalid protocol behavior
11
Detection
 Anomaly detection
Some action or data that is not considered
normal for a given system, user, or network.
Can be indicated by change in CPU
utilization, disk activity, user logins, file
activity, traffic increased, so forth
Advantage – Detects unknown attacks/
misuse
12
Detection
 Anomaly detection -- three statistical criteria
Number of events – expected range
e.g. log in attempts > 3
If statistical period goes outside
expected interval e.g. time to load a
file on ftp server
Markov model – if there is
sequence of events
Suppose xyzhjzxyz
then
Now probability of ‘z ‘ coming after ‘xy’ is 1,
and so on
If there is a s deviation then there is a
13
IDS
(Intrusion Detection System)
 IDS should do
Event log analysis for Inside threat detection
Network traffic analysis for perimeter threat
detection
Security configuration management
File integrity checking
Agent
Host a
Director
Agent
Agent
Network M
notifier
14
Components of IDS
Command console : a center
commanding authority
Network sensor
Alert notification
Response subsystem
Database
Network Tap(s)
15
Network Intrusion Detection System
 NIDS : When system detects an intruder by
“Sniffing” or monitoring the network packets
on network wire and matching the attack
pattern to a database of known attack
patterns.
Architecture of NIDS
 Network–node: Agents distributed on each
critical target computer in network to monitor
traffic bound only for individual target.
 Sensor–based: Sensor is between two
communicating computers either stand-alone
or on network device to monitor whole
network
16
Steps In NIDS
 A network packet is born.
 A packet is read in real-time through sensor
(either on a network sensor or network node
sensor).
 Detection engine used to identify predefined
pattern of misuse.
 If match, Security officer is notified by audible,
e-mail, pager, visual, SNMP. For example Beep or
play a .WAV file. "You are under attack".
 An Alert is generated (either pre-defined or
through Security officer).
 A response to that Alert is generated.
17
Steps In NIDS
(Cont….)
Reconfigure firewall /router
 Filter out IP address
 Terminate (Reset) TCP connection
Alert is stored for later review
 timestamp, intruder IP address, victim IP
address/port, protocol information
Reports are generated
Data log for long-term trends
18
NIDS Limitations
 Packet loss on high speed network
o Intruder can hide in lost packets, Node-based
ID does not suffer from this issue
 Switched network : ATM
 Encryption
o Solutions – network sensor decrypted side of VPN
o Distributed network architecture with ID agents
o Encrypted on fly; put key on router – security threat
 Packet-reassembly
o many signatures can be detected in full
string
 Sniffer detection program
19
Host based intrusion detection system
 HIDS : Monitors the actual target machines to
identify tampering or malicious activity occurring
within the system. Can detect ‘insider’ malicious
activity.
 Agent based
 Misuse
Abuse of Privilege
Unintended/ inadvertent privilege grants
Stale (live) accounts
Bad account privilege policy/Back door creation
20
Host based intrusion detection system
(Cont…)
HIDS monitors User specific actions
System integrity checkers : system log files,
running processes, and files system,if system
registry changes made by intruders.
Determine the success/failure of an attack
Data source in HIDS
system logs, application logs, host traffic, and
in some instances firewall logs
21
Key points
 Audit Policy- if you fail to manage audit and
detection policies , your deployment is likely to fail.
 Detection policy - properly configure signature and
appropriate number of active signature in both real
and batch time.
 Data source in HIDS
is the heart of HIDS
 System logs, application logs, host traffic, and in
some instances firewall logs
Unix Syslog – not a good source , any application
can write
Unix Binary Kernel Log – closest thing to TCB
Window NT/2000 - Trust security log
22
Knowledge-based and behavior-based approaches
Knowledge-based approaches
All IDS tools are knowledge–based
About specific attacks and system vulnerabilities
Accuracy is good – no false alarms, if attack is
defined precisely
Fast corrective actions – signature can be added/
modified quickly
Drawbacks:
Completeness is questionable, depends on
updates
New vulnerabilities – not defined, results in false
negative
Maintenance is time-consuming, tedious task
23
Behavior-based intrusion Detection
 Detect a deviation from normal or expected behavior
of the system or the users
Compare current behavior vs. valid behavior
 Advantage
detect attempts to exploit new and unforeseen
vulnerabilities
automatic discovery of these new attacks
 Disadvantage
High false alarm
If online retraining, can result in unavailability of
ID system (good chance for attacker) or more false
alarm
Good complement to Knowledge based. Not enough
alone.
24
Best IDS
Is hybrid network-based,host-based ,must
include knowledge based and behavior
based detection
25
False positives / false alarms
o False positives - signaling attack when
there is none.
o Why:
o Difficult to detect intrusions, IDS are
limited in scope.
o Tools are stateless.
o Signature is not carefully designed, lots
of matches.
o Accuracy is often traded for urgency to
plug in a new signature.
26
Do I need IDS if I already have a firewall?
Firewall is not a dynamic defensive system
and has no capability to understand that
someone is trying to break-in
Example: ColdFusion bug (port 80 web attack)
 Boundary of network
 Firewall is prevention and ID is detection and
response
 Reasons
Catches attacks that firewalls legitimately allow
through (such as attacks against web servers).
Catches attempts that fail.
Catches insider hacking, financial loss
27
Popular NIDS – SNORT™
 open source network intrusion detection
system
real-time traffic analysis
Detect attacks such as
buffer overflows,
stealth port scans,
CGI attacks, SMB probe and more
Decision of traffic depends on flexible rules
language
28
Popular NIDS – Snort Cont….
Platforms
SunOS 4.1.X—Sparc , Linux ,Win32 (Win9x/NT/2000), OpenBSD, HP-UX
Snort is lightweight intrusion detection,
cost efficient, open source so keep
getting updated for signature, very
powerful post-processors
29
Interesting
 Snort and other signature based IDS match
unique patterns against rules in the database .
 For example Snort uses following rule the SubSeven Trojan:
Alert tcp $EXTERNAL_NET any -> $HOME_NET 27374
(msg: "BACKDOOR SIG - SubSseven 22"; flags: A+; content:
“|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)
alert
Snort match hex signature ,can be present anywhere in
payload"0d 0a 5b 52 50 4c 5d 30 30 32 0d 0a”
 Attacker can change/ scramble the noticeable content by
encryption.
Add 1st byte of the packet payload to every subsequent byte.
 If 3 then payload is "31 3d 8e 85 83 7f 81 63 63 65 31 3e"
 which does not mach any of the known signatures.
The attacker has now evaded our intrusion detection system.
30
Matthewhttp://www.snort.org/what_is_snort.htm
Resources… in case you get hacked
CERT (Computer Emergency Response Team)
http://www.cert.org.
CIAC (Computer Incident Advisory Capability) by
US Department of Energy
http://www.ciac.org/
SANS http://www.sans.org/
AUSCERT (Australian Computer Emergency
Response Team)http://www.auscert.org.au/
Network Intrusion Detection Systems
http://www.robertgraham.com/pubs/networkintrusion-detection.html
31
References
 The Practical Intrusion detection hand book – Paul E.
Proctor
 www.intrusion.com/
 www.snort.org/
 Retrieved Nov 14, 2003 from website: www.sans.org
 Retrieved Nov 15, 2003 from website:
www.cerias.purdue.edu/coast/intrusion-detection/
 www.cs.usask.ca/undergrads/der850/project/ids/ - 9k -
32
Project Presentation
Instructor : Prof. Mark Stamp
Due Date : 11/18/03
Malicious Software
&
Intrusion Detection
By,
Kavita Khanna
Himani Singh
33
(CS-265, Fall-2003)
Malicious Software
By
Kavita Khanna
([email protected])
&
Himani Singh
([email protected])
(CS-265, Fall-2003)
34
Malicious Software – “Presentation Outline”
 What is malicious software?
 Categories of malicious software.
 Different malicious software – viruses,
worms, Trojan Horse etc.
 More description about viruses :





Desirable properties of viruses.
Identifying infected files and programs.
Where do viruses reside.
Identifying and detecting viruses – virus signature.
Effect of Virus attack on computer system.
 Protection against attacks by malicious
software – preventing infection.
 References.
35
What is Malicious Software:

Software deliberately designed to harm
computer systems.

Malicious software program causes undesired
actions in information systems.

1.
2.
3.
4.
Spreads from one system to another through:
E-mail (through attachments)
Infected floppy disks
Downloading / Exchanging of corrupted files
Embedded into computer games
36
Malicious Software - Categories
Malicious Software
Viruses
Boot Viruses
Rabbit
File Viruses
Hoaxes
Time Bomb
Trojan Horse
Spyware
Trapdoor
Worms
Logic Bomb
37
Types of Malicious Software
 Virus : These are the programs that spread to other
software in the system .i.e., program that incorporates
copies of itself into other programs.
Two major categories of viruses:
1.
Boot sector virus :
2.
File virus :
infect boot sector of systems.
become resident.
activate while booting machine
infects program files.
activates when program is run.
38
Categories of Viruses
Polymorphic
Virus
Stealth
Virus
Armored
Virus
 Produces
modified & fully
operational code.
 Produces new
& different code
every time when
virus is copied &
transmitted to a
new host.
 Difficult to
detect & remove.
 Programming
tricks make the
tracing and
understanding
the code difficult.
 Complex
programming
methods used to
design code, so
difficult to repair
infected file.
 Hides
modifications it
has made to
files or to the
disk.
 Reports
false values to
programs as
they read files
or data from
storage media.
Companion
Virus
 Creates new
program instead
of modifying
existing program.
 Contains all
virus code.
 Executed by
shell, instead of
original program.
39
 Rabbit : This malicious software replicates itself
without limits. Depletes some or all the system’s
resources.

Re-attacks the infected systems – difficult recovery.

Exhausts all the system’s resources such as CPU
time, memory, disk space.

Depletion of resources thus denying user access to
those resources.
40
Hoaxes : False alerts of spreading viruses.
 e.g., sending chain letters.
 message seems to be important to recipient, forwards
it to other users – becomes a chain.
 Exchanging large number of messages (in chain)
floods the network resources – bandwidth wastage.
 Blocks the systems on network – access denied due to
heavy network traffic.
41
Trojan Horse : This is a malicious program
with unexpected additional functionality. It includes
harmful features of which the user is not aware.
 Perform a different function than what these are
advertised to do (some malicious action e.g., steal the
passwords).
 Neither self-replicating nor self-propagating.
 User assistance required for infection.
 Infects when user installs and executes infected
programs.
 Some types of trojan horses include Remote Access
Trojans (RAT), KeyLoggers, Password-Stealers (PSW),
and logic bombs.
42

1.
2.
3.
4.
Transmitting medium :
spam or e-mail
a downloaded file
a disk from a trusted source
a legitimate program with the Trojan inside.

Trojan looks for your personal information and
sends it to the Trojan writer (hacker). It can also
allow the hacker to take full control of your system.

1.
Different types of Trojan Horses :
Remote access Trojan takes full control of your
system and passes it to the hacker.
The data-sending Trojan sends data back to the
hacker by means of e-mail.
e.g., Key-loggers – log and transmit each keystroke.
2.
43
3.
4.
5.
6.
The destructive Trojan has only one purpose: to
destroy and delete files. Unlikely to be detected by
anti-virus software.
The denial-of-service (DOS) attack Trojans combines
computing power of all computers/systems it infects
to launch an attack on another computer system.
Floods the system with traffic, hence it crashes.
The proxy Trojans allows a hacker to turn user’s
computer into HIS (Host Integration Server) server
– to make purchases with stolen credit cards and
run other organized criminal enterprises in
particular user’s name.
The FTP Trojan opens port 21 (the port for FTP
transfer) and lets the attacker connect to your
computer using File Transfer Protocol (FTP).
44
7.
The security software disabler Trojan is designed to
stop or kill security programs such as anti-virus
software, firewalls, etc., without you knowing it.
 Spyware :



Spyware programs explore the files in an
information system.
Information forwarded to an address specified in
Spyware.
Spyware can also be used for investigation of
software users or preparation of an attack.
45
Trapdoor : Secret undocumented entry point to
the program.
 An example of such feature is so called back door,
which enables intrusion to the target by passing user
authentication methods.
 A hole in the security of a system deliberately left in
place by designers or maintainers.
 Trapdoor allows unauthorized access to the system.
 Only purpose of a trap door is to "bypass" internal
controls. It is up to the attacker to determine how this
circumvention of control can be utilized for his benefit.
46
Types of Trapdoor
Undetectable
Trapdoor
Hardware
Trapdoor
Virtually undetectable.
Security-related
hardware flaws.
47
 Worms :





1.
2.
3.
4.
program that spreads copies of itself through a
network.
Does irrecoverable damage to the computer system.
Stand-alone program, spreads only through network.
Also performs various malicious activities other than
spreading itself to different systems e.g., deleting files.
Attacks of Worms:
Deleting files and other malicious actions on systems.
Communicate information back to attacker e.g.,
passwords, other proprietary information.
Disrupt normal operation of system, thus denial of
service attack (DoS) – due to re-infecting infected
system.
48
Worms may carry viruses with them.
Means of spreading Infection by Worms :
 Infects one system, gain access to trusted host lists on
infected system and spread to other hosts.
 Another method of infection is penetrating a system
by guessing passwords.
 By exploiting widely known security holes, in case,
password guessing and trusted host accessing fails.
e.g., A well-known example of a worm is the ILOVEYOU
worm, which invaded millions of computers through
e-mail in 2000.
49
VIRUSES – More Description
Desirable properties of Viruses :
 Virus program should be hard to detect by
anti-virus software.
 Viruses should be hard to destroy or deactivate.
 Spread infection widely.
 Should be easy to create.
 Be able to re-infect.
 Should be machine / platform independent, so that it
can spread on different hosts.
50
Detecting virus infected files/programs :
 Virus infected file changes – gets bigger.
 Modification detection by checksum :
> Use cryptographic checksum/hash function
e.g., SHA, MD5.
> Add all 32-bit segments of a file and store the sum
(i.e., checksum).
51
Identifying Viruses :
 A virus is a unique program.
 It as a unique object code.
 It inserts in a deterministic manner.
 The pattern of object code and where it is inserted
provides a signature to the virus program.
 This virus signature can be used by virus scanners to
identify and detect a particular virus.
 Some viruses try to hide or alter their signature:
 Random patterns in meaningless places.
 Self modifying code – metamorphic, polymorphic viruses.
 Encrypt the code, change the key frequently.
52
Places where viruses live :







Boot sector
Memory resident
Disk – Applications and data stored on disk.
Libraries – stored procedures and classes.
Compiler
Debugger
Virus checking program infected by virus – unable to
detect that particular virus signature.
53
Effect of Virus attack on computer system
 Virus may affect user’s data in memory – overwriting.
 Virus may affect user’s program – overwriting.
 Virus may also overwrite system’s data or programs –
corrupting it – disrupts normal operation of system.
 “Smashing the Stack” – Buffer overflow due to
execution of program directed to virus code.
54
Preventing infection by malicious software :
Use only trusted software, not pirated software.
Test all new software on isolated computer system.
Regularly take backup of the programs.
Use anti-virus software to detect and remove viruses.
Update virus database frequently to get new virus
signatures.
 Install firewall software, which hampers or prevents the
functionality of worms and Trojan horses.
 Make sure that the e-mail attachments are secure.
 Do not keep a floppy disk in the drive when starting a
program, unless sure that it does not include malicious
software, else virus will be copied in the boot sector.
55





References:
 Webopedia.com. Trojan Horse. Retrieved Nov 8, 2003 from website:
http://www.webopedia.com/TERM/T/Trojan_horse.html
 Staffordshire University, Information & Security Team (Jun 8,
2002). Information Systems Security Guidelines. Retrieved
Nov 10, 2003 from website:
http://www.staffs.ac.uk/services/information_technology/regs/security7.shtm
 M.E.Kabay, Norwich University, VT (2002). Malicious Software. Retrieved
Nov 9, 2003 from website:
http://www2.norwich.edu/mkabay/cyberwatch/09malware.htm
 Computer Emergency Response Team (CERT), Information Security (Jul 2,
2002). Malicious Software – general. Retrieved Nov 10, 2003 from
website: http://www.ficora.fi/englanti/tietoturva/haittaohj.htm
56
References Cont...
 Rutgers, New Jersey (Oct 10, 2003). Trojan Horses. Retrieved Nov 10,
2003 from website: http://netsecurity.rutgers.edu/trojan.htm
 Dr. Roger R. Schell, Monterey CA (Apr 24, 2000). Malicious Software.
Retrieved Nov 11, 2003 from website: www.sp.nps.navy.mil
 Edward F. Gehringer. Computer Abuse – Worms, Trojan Horses,
Viruses. Retrieved Nov 12, 2003 from website:
http://legacy.eos.ncsu.edu/eos/info/computer_ethics/abuse/wvt/study.html
 Bullguard.com Computer Viruses. Retrieved Nov12, 2003 from website:
http://www.bullguard.com/antivirus/vi_info.aspx
 Google.com. Program Security. Retrieved Nov 12, 2003 from website:
http://www.sm.luth.se/csee/courses/smd/102/lek6-6.pdf.
57