Ch 10-Intruders

Intruders & Intrusion Detection Systems

Intruders
• Three classes of intruders:
  • Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account
  • Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges
  • Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection

Examples of Intrusion
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission

Hackers
• Traditionally, those who hack into computers do so for the thrill of it or for status
• Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to counter hacker threats
• In addition to using such systems, organizations can consider restricting remote logons to specific IP addresses and/or using virtual private network technology
• CERTs
  • Computer emergency response teams
  • These cooperative ventures collect information about system vulnerabilities and disseminate it to systems managers
  • Hackers also routinely read CERT reports
  • It is important for system administrators to quickly insert all software patches to discovered vulnerabilities

Criminal hackers
• Organized groups of hackers
• Usually have specific targets, or at least classes of targets in mind
• Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting
• IDSs and IPSs can be used for these types of attackers, but may be less effective because of the quick in-and-out nature of the attack

Insider Attacks
• Among the most difficult to detect and prevent
• Can be motivated by revenge or simply a feeling of entitlement
• Countermeasures:
  • Enforce least privilege, only allowing access to the resources employees need to do their job
  • Set logs to see what users access and what commands they are entering
  • Protect sensitive resources with strong authentication
  • Upon termination, delete employee’s computer and network access
  • Upon termination, make a mirror image of employee’s hard drive before reissuing it (used as evidence if your company information turns up at a competitor)

Intrusion Techniques
• Objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system
• Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a backdoor into the system

Intrusion Prevention
• Want to keep bad guys out
• Intrusion prevention is a traditional focus of computer security
  o Authentication is to prevent intrusions
  o Firewalls a form of intrusion prevention
  o Virus defenses aimed at intrusion prevention
  o Like locking the door on your car

Intrusion Detection
• In spite of intrusion prevention, bad guys will sometimes get in
• Intrusion detection systems (IDS)
  o Detect attacks in progress (or soon after)
  o Look for unusual or suspicious activity
• IDS evolved from log file analysis
• IDS is currently a hot research topic
• How to respond when intrusion detected?
  o We don’t deal with this topic here…

Intrusion Detection
• A system’s second line of defense
• Is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified
• Considerations:
  • If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised
  • An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions
  • Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility

Intrusion Detection Systems
• Who is likely intruder?
  o May be outsider who got thru firewall
  o May be evil insider
• What do intruders do?
  o Launch well-known attacks
  o Launch variations on well-known attacks
  o Launch new/little-known attacks
  o “Borrow” system resources
  o Use compromised system to attack others
  o etc.

IDS
• Intrusion detection approaches
  o Signature-based IDS
  o Anomaly-based IDS
• Intrusion detection architectures
  o Host-based IDS
  o Network-based IDS
• Any IDS can be classified as above
  o In spite of marketing claims to the contrary!

Host-Based IDS
• Monitor activities on hosts for
  o Known attacks
  o Suspicious behavior
• Designed to detect attacks such as
  o Buffer overflow
  o Escalation of privilege, …
• Little or no view of network activities

Network-Based IDS
• Monitor activity on the network for…
  o Known attacks
  o Suspicious network activity
• Designed to detect attacks such as
  o Denial of service
  o Network probes
  o Malformed packets, etc.
• Some overlap with firewall
• Little or no view of host-based attacks
• Can have both host and network IDS

Signature Detection Example
• Failed login attempts may indicate password cracking attack
• IDS could use the rule “N failed login attempts in M seconds” as signature
• If N or more failed login attempts in M seconds, IDS warns of attack
• Note that such a warning is specific
  o Admin knows what attack is suspected
  o Easy to verify attack (or false alarm)

Signature Detection
• Suppose IDS warns whenever N or more failed logins in M seconds
  o Set N and M so false alarms not common
  o Can do this based on “normal” behavior
• But, if Trudy knows the signature, she can try N − 1 logins every M seconds…
• Then signature detection slows down Trudy, but might not stop her

Signature Detection
• Many techniques used to make signature detection more robust
• Goal is to detect “almost” signatures
• For example, if “about” N login attempts in “about” M seconds
  o Warn of possible password cracking attempt
  o What are reasonable values for “about”?
  o Can use statistical analysis, heuristics, etc.
  o Must not increase false alarm rate too much

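The "N failed logins in M seconds" signature from the preceding slides and its "about N in about M" relaxation, as an added example that is not part of the original slides. The values N = 5, M = 60, the 25% slack and all timestamps are constructed assumptions.

```python
from collections import deque

def window_alerts(fail_times, n, m):
    """Timestamps at which n or more failures fall within the last m seconds."""
    window, alerts = deque(), []
    for t in sorted(fail_times):
        window.append(t)
        while window[0] <= t - m:      # drop failures older than the window
            window.popleft()
        if len(window) >= n:
            alerts.append(t)
    return alerts

def fuzzy_alerts(fail_times, n, m, slack=0.25):
    """'About n in about m': lower the count and widen the window by `slack`."""
    near_n = max(2, round(n * (1 - slack)))
    near_m = m * (1 + slack)
    return window_alerts(fail_times, near_n, near_m)

N, M = 5, 60   # assumed signature parameters

# Constructed failed-login timestamps (seconds), not taken from any real log.
BURST = [0, 2, 4, 6, 8]                                     # plain guessing run
PACED = [b + i for b in (0, 60, 120) for i in range(4)]     # N - 1 per M seconds
TYPOS = [10, 14, 500]                                       # a user mistyping

if __name__ == "__main__":
    for name, times in (("BURST", BURST), ("PACED", PACED), ("TYPOS", TYPOS)):
        print(name, "strict:", window_alerts(times, N, M),
              "fuzzy:", fuzzy_alerts(times, N, M))
```

The strict rule fires on the burst but never on the paced series, while the relaxed rule fires on both and still ignores the mistyping user; how far `slack` can be raised before ordinary users trigger it is the false-alarm question the slide asks.
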
Signature Detection
• Advantages of signature detection
  o Simple
  o Detect known attacks
  o Know which attack at time of detection
  o Efficient (if reasonable number of signatures)
• Disadvantages of signature detection
  o Signature files must be kept up to date
  o Number of signatures may become large
  o Can only detect known attacks
  o Variation on known attack may not be detected

Anomaly Detection
• Anomaly detection systems look for unusual or abnormal behavior
• There are (at least) two challenges
  o What is normal for this system?
  o How “far” from normal is abnormal?
• No avoiding statistics here!
  o mean defines normal
  o variance gives distance from normal to abnormal

How to Measure Normal?
• How to measure normal?
  o Must measure during “representative” behavior
  o Must not measure during an attack…
  o …or else attack will seem normal!
  o Normal is statistical mean
  o Must also compute variance to have any reasonable idea of abnormal

How to Measure Abnormal?
• Abnormal is relative to some “normal”
  o Abnormal indicates possible attack
• Statistical discrimination techniques include
  o Bayesian statistics
  o Linear discriminant analysis (LDA)
  o Quadratic discriminant analysis (QDA)
  o Neural nets, hidden Markov models (HMMs), etc.
• Fancy modeling techniques also used
  o Artificial intelligence
  o Artificial immune system principles
  o Many, many, many others

Anomaly Detection (1)
• Suppose we monitor use of three commands: open, read, close
• Under normal use we observe Alice: open, read, close, open, open, read, close, …
• Of the six possible ordered pairs, we see four pairs are normal for Alice: (open,read), (read,close), (close,open), (open,open)
• Can we use this to identify unusual activity?

Anomaly Detection (1)
• We monitor use of the three commands open, read, close
• If the ratio of abnormal to normal pairs is “too high”, warn of possible attack
• Could improve this approach by
  o Also use expected frequency of each pair
  o Use more than two consecutive commands
  o Include more commands/behavior in the model
  o More sophisticated statistical discrimination

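The command-pair model from the two slides above, as an added example that is not part of the original slides. It goes one step further and supports the "more than two consecutive commands" improvement through the parameter k; the two test sessions and the 0.5 cut-off for "too high" are constructed assumptions.

```python
def ngrams(trace, k=2):
    """Consecutive k-tuples of commands; k=2 gives the slides' ordered pairs."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def learn_profile(trace, k=2):
    """Set of k-grams seen during representative (attack-free) use."""
    return set(ngrams(trace, k))

def score(profile, session, k=2):
    """Return (abnormal-to-normal ratio, unseen k-grams in order of appearance)."""
    grams = ngrams(session, k)
    unseen = [g for g in grams if g not in profile]
    normal = len(grams) - len(unseen)
    ratio = len(unseen) / normal if normal else float("inf")
    return ratio, unseen

# Alice's normal trace, as given on the slide.
ALICE = ["open", "read", "close", "open", "open", "read", "close"]
# Constructed sessions (not from the slides).
TYPICAL = ["open", "open", "read", "close", "open", "read", "close"]
ODD = ["open", "close", "read", "read", "close", "close", "open"]
MAX_RATIO = 0.5   # assumed value for "too high"

def is_suspicious(session, k=2):
    """Warn when the session's abnormal-to-normal ratio exceeds MAX_RATIO."""
    ratio, _ = score(learn_profile(ALICE, k), session, k)
    return ratio > MAX_RATIO

if __name__ == "__main__":
    for name, session in (("TYPICAL", TYPICAL), ("ODD", ODD)):
        for k in (2, 3):
            print(name, "k =", k, score(learn_profile(ALICE, k), session, k))
```

With k = 3 the ordinary session already contains one unseen triple, because the seven-command training trace is too short to cover every normal sequence: longer n-grams are stricter but need more representative data.
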
Anomaly Detection (2)
• Over time, Alice has accessed file Fn at rate Hn
     H0    H1    H2    H3
    .10   .40   .40   .10
• Recently, “Alice” has accessed Fn at rate An
     A0    A1    A2    A3
    .10   .40   .30   .20
• Is this normal use for Alice?
• We compute $S = (H_0 - A_0)^2 + (H_1 - A_1)^2 + \dots + (H_3 - A_3)^2 = .02$
  o We consider S < 0.1 to be normal, so this is normal
• How to account for use that varies over time?

Anomaly Detection (2)
• To allow “normal” to adapt to new use, we update averages: $H_n = 0.2 A_n + 0.8 H_n$
• In this example, Hn are updated…
  $H_2 = .2 \cdot .3 + .8 \cdot .4 = .38$ and $H_3 = .2 \cdot .2 + .8 \cdot .1 = .12$
• And we now have
     H0    H1    H2    H3
    .10   .40   .38   .12

Anomaly Detection (2)
• The updated long term average is
     H0    H1    H2    H3
    .10   .40   .38   .12
• Suppose new observed rates…
     A0    A1    A2    A3
    .10   .30   .30   .30
• Is this normal use?
• Compute $S = (H_0 - A_0)^2 + \dots + (H_3 - A_3)^2 = .0488$
  o Since S = .0488 < 0.1 we consider this normal
• And we again update the long term averages: $H_n = 0.2 A_n + 0.8 H_n$

Anomaly Detection (2)
• The starting averages were:
     H0    H1    H2    H3
    .10   .40   .40   .10
• After 2 iterations, averages are:
     H0    H1    H2    H3
    .10   .38  .364  .156
• Statistics slowly evolve to match behavior
• This reduces false alarms for SA
• But also opens an avenue for attack…
  o Suppose Trudy always wants to access F3
  o Can she convince IDS this is normal for Alice?

Anomaly Detection (2)
• To make this approach more robust, must incorporate the variance
• Can also combine N stats Si as, say, $T = (S_1 + S_2 + S_3 + \dots + S_N) / N$ to obtain a more complete view of “normal”
• Similar (but more sophisticated) approach is used in an IDS known as NIDES
• NIDES combines anomaly & signature IDS

Anomaly Detection Issues
• Systems constantly evolve and so must IDS
  o Static system would place huge burden on admin
  o But evolving IDS makes it possible for attacker to (slowly) convince IDS that an attack is normal
  o Attacker may win simply by “going slow”
• What does “abnormal” really mean?
  o Indicates there may be an attack
  o Might not be any specific info about “attack”
  o How to respond to such vague information?
  o In contrast, signature detection is very specific

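The S statistic and the update rule from the Anomaly Detection (2) slides, together with the "going slow" issue above, as an added example that is not part of the original slides. The 20-period ramp is constructed data, and the drift check against the frozen starting averages (with its 0.1 limit) is an assumption of this example, not something the slides describe.

```python
THRESHOLD = 0.1   # slides: S < 0.1 is considered normal
WEIGHT = 0.2      # slides: Hn = 0.2*An + 0.8*Hn

def s_stat(h, a):
    """S = sum over n of (Hn - An)^2."""
    return sum((hn - an) ** 2 for hn, an in zip(h, a))

def update(h, a, w=WEIGHT):
    """Fold the recent rates A into the long-term averages H."""
    return [w * an + (1 - w) * hn for hn, an in zip(h, a)]

def monitor(baseline, periods, drift_limit=THRESHOLD):
    """Return (final H, rows of (S, alert, drift_alert)), one row per period.

    drift_alert compares the adapted H with the frozen starting baseline.
    That anchored check and its limit are assumptions of this example.
    """
    h, rows = list(baseline), []
    for a in periods:
        s = s_stat(h, a)
        alert = s >= THRESHOLD
        if not alert:                 # adapt only on periods judged normal
            h = update(h, a)
        rows.append((round(s, 4), alert, s_stat(baseline, h) >= drift_limit))
    return [round(x, 3) for x in h], rows

H_START = [0.10, 0.40, 0.40, 0.10]
# The two periods worked through on the slides.
SLIDE_PERIODS = [[0.10, 0.40, 0.30, 0.20], [0.10, 0.30, 0.30, 0.30]]
# Constructed data: use shifts linearly from H_START to "only F3" in 20 periods.
ONLY_F3 = [0.0, 0.0, 0.0, 1.0]
RAMP = [[(1 - k / 20) * h + (k / 20) * t for h, t in zip(H_START, ONLY_F3)]
        for k in range(1, 21)]

def summarize(periods):
    """Return (final H, adaptive alerts, first period with a drift alert or None)."""
    final, rows = monitor(H_START, periods)
    first = next((i for i, r in enumerate(rows, 1) if r[2]), None)
    return final, sum(r[1] for r in rows), first

if __name__ == "__main__":
    print(summarize(SLIDE_PERIODS))   # slide example
    print(summarize(RAMP))            # slow drift toward F3
```

The slide periods reproduce S = .02 and .0488 and the averages .10, .38, .364, .156. On the ramp the adaptive statistic never reaches 0.1 even though F3 ends up dominating the learned profile, while the anchored check raises a drift alert partway through, at the cost of also flagging legitimate long-term change for review.
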
Anomaly Detection
• Advantages?
  o Chance of detecting unknown attacks
• Disadvantages?
  o Cannot use anomaly detection alone…
  o …must be used with signature detection
  o Reliability is unclear
  o Anomaly detection indicates “something unusual”, but lacks specific info on possible attack

Anomaly Detection: The Bottom Line
• Anomaly-based IDS is active research topic
• Many security experts have high hopes for its ultimate success
• Often cited as key future security technology
• Hackers are not convinced!
  o Title of a talk at Defcon: “Why Anomaly-based IDS is an Attacker’s Best Friend”
• Anomaly detection is difficult and tricky
• As hard as AI?

Honeypots
• Decoy systems that are designed to lure a potential attacker away from critical systems
• Has no production value
  • These systems are filled with fabricated information designed to appear valuable but that a legitimate user of the system wouldn’t access
  • Thus, any attempt to communicate with the system is most likely a probe, scan, or attack
• Designed to:
  • Divert an attacker from accessing critical systems
  • Collect information about the attacker’s activity
  • Encourage the attacker to stay on the system long enough for administrators to respond
• Because any attack against the honeypot is made to seem successful, administrators have time to mobilize and log and track the attacker without ever exposing productive systems
• Recent research has focused on building entire honeypot networks that emulate an enterprise, possibly with actual or simulated traffic and data