chapter 22 in “introduction to computer security” intrusion detection
TRANSCRIPT
Chapter 22 in “Introduction to Computer Security”
Intrusion DetectionIntrusion Detection
Slide Slide 22
Chapter 22: Intrusion DetectionChapter 22: Intrusion Detection
Principles
Basics
Models of Intrusion Detection
Architecture of an IDS
Organization
Incident Response
Slide Slide 33
Lecture 1
Slide Slide 44
IntrusionIntrusion
An intrusion is a deliberate unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property and where the misuse may result into or render the property unreliable or unusable.
TypesAttempted break-ins
Masquerade attacks
Penetrations of the security control system
Leakage
Denial of service
Malicious use
Slide Slide 55
The System Intrusion ProcessThe System Intrusion Process
ReconnaissanceGather information about the target system and the details of its working and weak points.
Vulnerability assessment is part of intrusion process.
Physical IntrusionEnter an organization network masquerading as legitimate users, including administrative privileges, remote access privileges.
Slide Slide 66
The System Intrusion ProcessThe System Intrusion Process
Denial of ServiceDoS attacks are where the intruder attempts to crash a service or the machine, overload network links, overload the CPU, or fill up the disk. Ping-of-Death, sends an invalid fragment, which starts before the end of packet, but extends past the end of the packet.SYN flood, sends a huge number of TCP SYN packets to let victim wait. Land/Latierra, sends a forged SYN packet with identical source/destination address/port so that the system goes into an infinite loop trying to complete the TCP connection.
Slide Slide 77
The Dangers of System IntrusionsThe Dangers of System Intrusions
Loss of personal data that may be stored on a computer. The victim may not notice the loss of digital information.
Compromised privacy. A lot of individual data is kept on individuals by organizations, i.e., bank, mortgage company.
Legal Liability. Hack may use your computer to break into other systems in two or three level hacking.
Slide Slide 88
22.1 Principles of Intrusion Detection22.1 Principles of Intrusion Detection
Characteristics of systems not under attack1. User, process actions conform to statistically predictable pattern
2. User, process actions do not include sequences of actions that subvert the security policy
3. Process actions correspond to a set of specifications describing what the processes are allowed to do
Systems under attack do not meet at least one of these
Slide Slide 99
ExampleExample
Goal: insert a back door into a systemIntruder will modify system configuration file or programRequires privilege; attacker enters system as an unprivileged user and must acquire privilege
Nonprivileged user may not normally acquire privilege (violates #1)Attacker may break in using sequence of commands that violate security policy (violates #2)Attacker may cause program to act in ways that violate program’s specification (violates #3)
Slide Slide 1010
22.2 Basic Intrusion Detection22.2 Basic Intrusion Detection
Attack tool is automated script designed to violate a security policyExample: rootkit, (http://en.wikipedia.org/wiki/Rootkit)
Includes password snifferDesigned to hide itself using Trojaned versions of various programs (ps, ls, find, netstat, etc.)Adds back doors (login, telnetd, etc.)Has tools to clean up log entries (zapper, etc.)
Slide Slide 1111
DetectionDetection
Rootkit configuration files cause ls, du, etc. to hide information
ls lists all files in a directoryExcept those hidden by configuration file
dirdump (local program to list directory entries) lists them too
Run both and compare countsIf they differ, ls is doctored
Other approaches possible
Slide Slide 1212
Key PointKey Point
Rootkit does not alter kernel or file structures to conceal files, processes, and network connections
It alters the programs or system calls that interpret those structures
Find some entry point for interpretation that rootkit did not alter
The inconsistency is an anomaly (violates #1)
Slide Slide 1313
Denning’s ModelDenning’s Model
Hypothesis: exploiting vulnerabilities requires abnormal use of normal commands or instructions
Includes deviation from usual actions
Includes execution of actions leading to break-ins
Includes actions inconsistent with specifications of privileged programs
Slide Slide 1414
Goals of IDSGoals of IDS
1. Detect wide variety of intrusionsPreviously known and unknown attacksSuggests need to learn/adapt to new attacks or changes in behavior
2. Detect intrusions in timely fashionMay need to be be real-time, especially when system responds to intrusion
Problem: analyzing commands may impact response time of system
May suffice to report intrusion occurred a few minutes or hours ago
Slide Slide 1515
Goals of IDSGoals of IDS
3. Present analysis in simple, easy-to-understand formatIdeally a binary indicatorUsually more complex, allowing analyst to examine suspected attackUser interface critical, especially when monitoring many systems
4. Be accurateMinimize false positives, false negativesMinimize time spent verifying attacks, looking for them
Slide Slide 1616
22.3 Models of Intrusion Detection22.3 Models of Intrusion Detection
An intrusion detection system (IDS) is a system used to detect unauthorized intrusions into computer systems and networks. Anomaly detection (behavior-based detection)
What is usual, is knownWhat is unusual, is badChallenges? Solutions?
Misuse detection (signature-based detection)What is bad, is knownWhat is not bad, is goodTypical misuses: unauthorized access, unauthorized modification, denial of service
Specification-based detectionWhat is good, is knownWhat is not good, is bad
Slide Slide 1717
22.3.1 Anomaly Detection22.3.1 Anomaly Detection
Anomaly based systems are “learning” systems in a sense that they work by continuously creating “norms” of activities. Anomaly detection compares observed activity against expected normal usage profiles “learned”.Assumption: all intrusive activities are necessarily anomalous. Any activity on the system is checked against “normal” profiles, is a deemed acceptable or not not based on the presence of such activity in the profile database.
Slide Slide 1818
22.3.1 Anomaly Detection22.3.1 Anomaly Detection
Individual profile is a collection of common activities a user is expected to do and with little deviation from the expected form. Usage time, login time. Group profile covers a group of users with a common work pattern, resource requests and usage, and historic activities. Resource profile includes the monitoring of the user patterns of the system resources such as applications, accounts, storage media, protocols, communication ports. Other profiles. For instance, executable profile.
Slide Slide 1919
22.3.1 Anomaly Detection22.3.1 Anomaly Detection
1. Threshold metrics
2. Statistical moments
3. Markov model
Slide Slide 2020
Threshold MetricsThreshold Metrics
Counts number of events that occurBetween m and n events (inclusive) expected to occur
If number falls outside this range, anomalous
ExampleWindows: lock user out after k failed sequential login attempts. Range is (0, k–1).
k or more failed logins deemed anomalous
Slide Slide 2121
DifficultiesDifficulties
Appropriate threshold may depend on non-obvious factors
Typing skill of users
If keyboards are US keyboards, and most users are French, typing errors very common
Dvorak vs. non-Dvorak within the UShttp://en.wikipedia.org/wiki/Dvorak_Simplified_Keyboard
Slide Slide 2222
Statistical MomentsStatistical Moments
Analyzer computes standard deviation (first two moments), other measures of correlation (higher moments)
If measured values fall outside expected interval for particular moments, anomalous
sum = x1 + x2 + .. + xnSumsquqares =
A new observation xn+1 is defined to be abnormal if it fallls outside a confidence interval that is d standard deviations from the mena for some parameter d: mean + d * stdev,
22
1... nxx
))1/(( 2meannsumsquaressqrtstdev
Slide Slide 2323
Markov ModelMarkov Model
Past state affects current transition
Anomalies based upon sequences of events, and not on occurrence of single event
Problem: need to train system to establish valid sequencesUse known, training data that is not anomalous
The more training data, the better the model
Training data should cover all possible normal uses of system
Slide Slide 2424
Example: TIMExample: TIM
Time-based Inductive LearningSequence of events is abcdedeabcabcTIM derives following rules:
R1: abc (1.0) R2: cd (0.5) R3: ce (0.5)
R4: de (1.0) R5: ea (0.5) R6: ed (0.5)
Seen: abd; triggers alertc always follows ab in rule set
Seen: acf; no alert as multiple events can follow cMay add rule R7: cf (0.33); adjust R2, R3
Slide Slide 2525
Potential Problems of Anomaly DetectionPotential Problems of Anomaly Detection
False Positive: Anomaly activities that are not intrusive are classified as intrusive.
False Negative: Intrusive activities that are not anomalous result in false negatives, that is events are not flagged intrusive, though they actually are.
Computational expensive because of the overhead of keeping track of, and possibly updating several system profile metrics.
Slide Slide 2626
22.3.2 Misuse Modeling22.3.2 Misuse Modeling
Determines whether a sequence of instructions being executed is known to violate the site security policy
Descriptions of known or potential exploits grouped into rule setsIDS matches data against rule sets; on success, potential attack found
Cannot detect attacks unknown to developers of rule setsNo rules to cover them
Slide Slide 2727
Example: Network Flight Recorder (NFR)Example: Network Flight Recorder (NFR)
Built to make adding new rules easilyArchitecture:
Packet sucker: read packets from networkDecision engine: uses filters to extract informationBackend: write data generated by filters to disk
Query backend allows administrators to extract raw, post-processed data from this fileQuery backend is separate from NFR process
Strength: clean design and adaptability to the need of the usersWeakness: one must know what to look for
Slide Slide 2828
N-Code LanguageN-Code Language
Users can write their own filters using N-code languageExample: ignore all traffic not intended for 2 web servers:# list of my web serversmy_web_servers = [ 10.237.100.189 10.237.55.93 ] ;# we assume all HTTP traffic is on port 80filter watch tcp ( client, dport:80 ){
if (ip.dest != my_web_servers)return;
# now process the packet; we just write out packet inforecord system.time, ip.src, ip.dest to www._list;
}www_list = recorder(“log”)
Slide Slide 2929
22.3.3 Specification Modeling22.3.3 Specification Modeling
Determines whether execution of sequence of instructions violates specificationOnly need to check programs that alter protection state of system
System traces, or sequences of events t1, … ti, ti+1, …, are basis of this
Event ti occurs at time C(ti)Events in a system trace are totally ordered
Slide Slide 3030
ExamplesExamples
Subject S composed of processes p, q, r, with traces Tp, Tq, Tr has Ts = TpTq Tr
Filtering function: apply to system traceOn process, program, host, user as 4-tuple
< ANY, emacs, ANY, bishop >lists events with program “emacs”, user “bishop”
< ANY, ANY, nobhill, ANY >list events on host “nobhill”
Slide Slide 3131
Example: Apply to Example: Apply to rdistrdist
Ko, Levitt, Ruschitzka defined PE-grammar to describe accepted behavior of program
rdist creates temp file, copies contents into it, changes protection mask, owner of it, copies it into place
Attack: during copy, delete temp file and place symbolic link with same name as temp file
rdist changes mode, ownership to that of program
Slide Slide 3232
Comparison and ContrastComparison and Contrast
Misuse detection: if all policy rules known, easy to construct rule sets to detect violations
Usual case is that much of policy is unspecified, so rule sets describe attacks, and are not complete
Anomaly detection: detects unusual events, but these are not necessarily security problemsSpecification-based vs. misuse: spec assumes if specifications followed, policy not violated; misuse assumes if policy as embodied in rule sets followed, policy not violated
Slide Slide 3333
22.4 IDS Architecture22.4 IDS Architecture
Basically, a sophisticated audit systemAgent like logger; it gathers data for analysis
Director like analyzer; it analyzes data obtained from the agents according to its internal rules
Notifier obtains results from director, and takes some actionMay simply notify security officer
May reconfigure agents, director to alter collection, analysis methods
May activate response mechanism
Slide Slide 3434
22.4.1 Agents22.4.1 Agents
Obtains information and sends to director
May put information into another formPreprocessing of records to extract relevant parts
May delete unneeded information
Director may request agent send other information
Slide Slide 3535
ExampleExample
IDS uses failed login attempts in its analysisAgent scans login log every 5 minutes, sends director for each new login attempt:
Time of failed loginAccount name and entered password
Director requests all records of login (failed or not) for particular user
Suspecting a brute-force cracking attempt
Slide Slide 3636
Host-Based AgentHost-Based Agent
Obtain information from logsMay use many logs as sources
May be security-related or not
May be virtual logs if agent is part of the kernel
Agent generates its informationScans information needed by IDS, turns it into equivalent of log record
Typically, check policy; may be very complex
Slide Slide 3737
Network-Based AgentsNetwork-Based Agents
Detects network-oriented attacksDenial of service attack introduced by flooding a network
Monitor traffic for a large number of hostsExamine the contents of the traffic itselfAgent must have same view of traffic as destination
TTL tricks, fragmentation may obscure this
End-to-end encryption defeats content monitoringNot traffic analysis, though
Slide Slide 3838
Network IssuesNetwork Issues
Network architecture dictates agent placementEthernet or broadcast medium: one agent per subnet
Point-to-point medium: one agent per connection, or agent at distribution/routing point
Focus is usually on intruders entering networkIf few entry points, place network agents behind them
Does not help if inside attacks to be monitored
Slide Slide 3939
Aggregation of InformationAggregation of Information
Agents produce information at multiple layers of abstraction
Application-monitoring agents provide one view (usually one line) of an eventSystem-monitoring agents provide a different view (usually many lines) of an eventNetwork-monitoring agents provide yet another view (involving many network packets) of an event
Slide Slide 4040
22.4.2 Director22.4.2 Director
Reduces information from agentsEliminates unnecessary, redundant records
Analyzes remaining information to determine if attack under way
Analysis engine can use a number of techniques, discussed before, to do this
Usually run on separate systemDoes not impact performance of monitored systems
Rules, profiles not available to ordinary users
Slide Slide 4141
ExampleExample
Jane logs in to perform system maintenance during the dayShe logs in at night to write reportsOne night she begins recompiling the kernelAgent #1 reports logins and logoutsAgent #2 reports commands executed
Neither agent spots discrepancyDirector correlates log, spots it at once
Slide Slide 4242
Adaptive DirectorsAdaptive Directors
Modify profiles, rule sets to adapt their analysis to changes in system
Usually use machine learning or planning to determine how to do this
Example: use neural nets to analyze logsNetwork adapted to users’ behavior over timeUsed learning techniques to improve classification of events as anomalous
Reduced number of false alarms
Slide Slide 4343
22.4.3 Notifier22.4.3 Notifier
Accepts information from director
Takes appropriate actionNotify system security officer
Respond to attack
Often GUIsWell-designed ones use visualization to convey information
Slide Slide 4444
GrIDS GUIGrIDS GUI
A E
D
C
B
GrIDS interface showing the progress of a worm as it spreads through network
Left is early in spread
Right is later on
Slide Slide 4545
Other ExamplesOther Examples
Courtney detected SATAN attacksAdded notification to system logCould be configured to send email or paging message to system administrator
IDIP protocol coordinates IDSes to respond to attack
If an IDS detects attack over a network, notifies other IDSes on co-operative firewalls; they can then reject messages from the source
Slide Slide 4646
Types of Intrusion Detection SystemsTypes of Intrusion Detection Systems
Network-Based Intrusion Detection SystemsHave the whole network as the monitoring scope, and monitor the traffic on the network to detect intrusions.
Can be run as an independent standalone machine where it promiscuously watches over all network traffic,
Or just monitor itself as the target machine to watch over its own traffic. (SYN-flood or a TCP port scan)
Slide Slide 4747
Advantage of NIDSAdvantage of NIDS
Ability to detect attacks that a host-based system would miss because NIDSs monitor network traffic at a transport layer.
Difficulty to remove evidence compared with HIDSs.
Real-time detection and response. Real time notification allows for a quick and appropriate response.
Ability to detect unsuccessful attacks and malicious intent.
Slide Slide 4848
Disadvantages of NIDSDisadvantages of NIDS
Blind spots. Deployed at the border of an organization network, NIDS are blink to the whole inside network.
Encrypted data. NIDSs have no capabilities to decrypt encrypted data.
Slide Slide 4949
Host-based Intrusion Detection Systems (HIDS)Host-based Intrusion Detection Systems (HIDS)
Misuse is not confined only to the “bad” outsiders but within organizations.
Local inspection of systems is called HIDS to detect malicious activities on a single computer.
Monitor operating system specific logs including system, event, and security logs on Windows systems and syslog in Unix environments to monitor sudden changes in these logs.
They can be put on a remote host.
Slide Slide 5050
Advantages of HIDSAdvantages of HIDS
Ability to verify success or failure of an attack quickly because they log continuing events that have actually occurred, have less false positive than their cousins.
Low level monitoring. Can see low-level activities such as file accesses, changes to file permissions, attempts to install new executables or attempts to access privileged services, etc.
Almost real-time detection and response.
Ability to deal with encrypted and switched environment.
Cost effectiveness. No additional hardware is needed to install HIDS.
Slide Slide 5151
Disadvantages of HIDSDisadvantages of HIDS
Myopic viewpoint. Since they are deployed at a host, they have a very limited view of the network.
Since they are close to users, they are more susceptible to illegal tempering.
Slide Slide 5252
22.5 Organization of an IDS22.5 Organization of an IDS
Monitoring network traffic for intrusionsNSM system
Combining host and network monitoringDIDS
Making the agents autonomous, distributing the director among multiple systems to enhance security and reliability
AAFID system
Slide Slide 5353
Lecture 2
Slide Slide 5454
22.5.1 Monitoring Networks: NSM22.5.1 Monitoring Networks: NSM
Develops profile of expected usage of network, compares current usageHas 3-D matrix for data
Axes are source, destination, serviceEach connection has unique connection IDContents are number of packets sent over that connection for a period of time, and sum of dataNSM generates expected connection dataExpected data masks data in matrix, and anything left over is reported as an anomaly
Slide Slide 5555
ProblemProblem
Too much data!Solution: arrange data hierarchically into groups
Construct by folding axes of matrix
Analyst could expand any group flagged as anomalous
(S1, D1, SMTP)(S1, D1, FTP)
…
(S1, D1)
(S1, D2, SMTP)(S1, D2, FTP)
…
(S1, D2)
S1
Slide Slide 5656
SignaturesSignatures
Analyst can write rule to look for specific occurrences in matrix
Repeated telnet connections lasting only as long as set-up indicates failed login attempt
Analyst can write rules to match against network traffic
Used to look for excessive logins, attempt to communicate with non-existent host, single host communicating with 15 or more hosts
Slide Slide 5757
OtherOther
Graphical interface independent of the NSM matrix analyzerDetected many attacks
But false positives too
Still in use in some placesSignatures have changed, of course
Also demonstrated intrusion detection on network is feasibleDid no content analysis, so would work even with encrypted connections
Slide Slide 5858
22.5.2 Combining Sources: DIDS22.5.2 Combining Sources: DIDS
Neither network-based nor host-based monitoring sufficient to detect some attacks
Attacker tries to telnet into system several times using different account names: network-based IDS detects this, but not host-based monitorAttacker tries to log into system using an account without password: host-based IDS detects this, but not network-based monitor
DIDS uses agents on hosts being monitored, and a network monitor
DIDS director uses expert system to analyze data
Slide Slide 5959
Attackers Moving in NetworkAttackers Moving in Network
Intruder breaks into system A as alice
Intruder goes from A to system B, and breaks into B’s account bob
Host-based mechanisms cannot correlate these
DIDS director could see bob logged in over alice’s connection; expert system infers they are the same user
Assigns network identification number NID to this user
Slide Slide 6060
Handling Distributed DataHandling Distributed Data
Agent analyzes logs to extract entries of interestAgent uses signatures to look for attacks
Summaries sent to director
Other events forwarded directly to director
DIDS model has agents report:Events (information in log entries)Action, domain
Slide Slide 6161
Actions and DomainsActions and Domains
Subjects perform actionssession_start, session_end, read, write, execute, terminate, create, delete, move, change_rights, change_user_id
Domains characterize objectstagged, authentication, audit, network, system, sys_info, user_info, utility, owned, not_ownedObjects put into highest domain to which it belongs
Tagged, authenticated file is in domain taggedUnowned network object is in domain network
Slide Slide 6262
More on Agent ActionsMore on Agent Actions
Entities can be subjects in one view, objects in anotherProcess: subject when changes protection mode of object, object when process is terminated
Table determines which events sent to DIDS director
Based on actions, domains associated with event
All NIDS events sent over so director can track view of systemAction is session_start or execute; domain is network
Slide Slide 6363
Layers of Expert System ModelLayers of Expert System Model
1. Log records2. Events (relevant information from log entries)3. Subject capturing all events associated with a user; NID
assigned to this subject4. Contextual information such as time, proximity to other
eventsSequence of commands to show who is using the systemSeries of failed logins follow
Slide Slide 6464
Top LayersTop Layers
5. Network threats (combination of events in context)Abuse (change to protection state)Misuse (violates policy, does not change state)Suspicious act (does not violate policy, but of interest)
6. Score (represents security state of network)Derived from previous layer and from scores associated with rules
Analyst can adjust these scores as needed
A convenience for user
Slide Slide 6565
22.5.3 Autonomous Agents: AAFID22.5.3 Autonomous Agents: AAFID
Distribute director among agents
Autonomous agent is process that can act independently of the system of which it is part
Autonomous agent performs one particular monitoring function
Has its own internal model
Communicates with other agents
Agents jointly decide if these constitute a reportable intrusion
Slide Slide 6666
AdvantagesAdvantages
No single point of failureAll agents can act as directorIn effect, director distributed over all agents
Compromise of one agent does not affect othersAgent monitors one resource
Small and simple
Agents can migrate if neededApproach appears to be scalable to large networks
Slide Slide 6767
DisadvantagesDisadvantages
Communications overhead higher, more scattered than for single director
Securing these can be very hard and expensiveAs agent monitors one resource, need many agents to monitor multiple resourcesDistributed computation involved in detecting intrusions
This computation also must be secured
Slide Slide 6868
Example: AAFIDExample: AAFID
Host has set of agents and transceiverTransceiver controls agent execution, collates information, forwards it to monitor (on local or remote system)
Filters provide access to monitored resourcesUse this approach to avoid duplication of work and system dependence
Agents subscribe to filters by specifying records needed
Multiple agents may subscribe to single filter
Slide Slide 6969
Transceivers and MonitorsTransceivers and Monitors
Transceivers collect data from agentsForward it to other agents or monitorsCan terminate, start agents on local system
Example: System begins to accept TCP connections, so transceiver turns on agent to monitor SMTP
Monitors accept data from transceiversCan communicate with transceivers, other monitors
Send commands to transceiver
Perform high level correlation for multiple hostsIf multiple monitors interact with transceiver, AAFID must ensure transceiver receives consistent commands
Slide Slide 7070
22.6 Intrusion Response22.6 Intrusion Response
Once a intrusion is detected, how can the system be protected. Goal:
Minimize the damage of attackThwart intrusionAttempt to repair damages
PhasesIncident PreventionIntrusion Handling
Containment PhaseEradication PhaseFollow-Up phase
Slide Slide 7171
22.6.1 Incident Prevention22.6.1 Incident Prevention
Identify attack before it completes, ideally
Prevent it from completing
Jails useful for thisAttacker placed in a confined environment that looks like a full, unrestricted environment
Attacker may download files, but gets bogus ones
Can imitate a slow system, or an unreliable one
Useful to figure out what attacker wants
Multilevel secure systems are excellent places to implement jails.
Slide Slide 7272
22.6.2 Intrusion Handling22.6.2 Intrusion Handling
Restoring system to satisfy site security policySix phases
Preparation for attack (before attack detected)Identification of attack
Containment of attack (confinement) Eradication of attack (stop attack)
Recovery from attack (restore system to secure state) Follow-up to attack (analysis and other actions)
Discussed in what follows
Slide Slide 7373
22.6.2.1 Containment Phase22.6.2.1 Containment Phase
Goal: limit access of attacker to system resources
Two methodsPassive monitoring
Constraining access
Slide Slide 7474
Passive MonitoringPassive Monitoring
Records attacker’s actions; does not interfere with attackIdea is to find out what the attacker is after and/or methods the attacker is using
Problem: attacked system is vulnerable throughoutAttacker can also attack other systems
Example: type of operating system can be derived from settings of TCP and IP packets of incoming connections
Analyst draws conclusions about source of attack
Slide Slide 7575
Constraining ActionsConstraining Actions
Reduce protection domain of attacker
Problem: if defenders do not know what attacker is after, reduced protection domain may contain what the attacker is after
Stoll created document that attacker downloaded
Download took several hours, during which the phone call was traced to Germany
Slide Slide 7676
DeceptionDeception
Deception Tool KitCreates false network interface
Can present any network configuration to attackers
When probed, can return wide range of vulnerabilities
Attacker wastes time attacking non-existent systems while analyst collects and analyzes attacks to determine goals and abilities of attacker
Experiments show deception is effective response to keep attackers from targeting real systems
Slide Slide 7777
22.6.2.2 Eradication Phase22.6.2.2 Eradication Phase
Usual approach: deny or remove access to system, or terminate processes involved in attackUse wrappers to implement access control
Example: wrap system callsOn invocation, wrapper takes control of processWrapper can log call, deny access, do intrusion detectionExperiments focusing on intrusion detection used multiple wrappers to terminate suspicious processes
Example: network connectionsWrapper around servers log, do access control on, incoming connections and control access to Web-based databases
Slide Slide 7878
FirewallsFirewalls
Mediate access to organization’s networkAlso mediate access out to the Internet
Example: Java applets filtered at firewallUse proxy server to rewrite them
Change “<applet>” to something else
Discard incoming web files with hex sequence CA FE BA BEAll Java class files begin with this
Block all files with name ending in “.class” or “.zip”Lots of false positives
Slide Slide 7979
Intrusion Detection and Isolation ProtocolIntrusion Detection and Isolation Protocol
Coordinates response to attacksBoundary controller is system that can block connection from entering perimeter
Typically firewalls or routers
Neighbor is system directly connectedIDIP domain is set of systems that can send messages to one another without messages passing through boundary controller
Slide Slide 8080
Intrusion Detection and Isolation ProtocolIntrusion Detection and Isolation Protocol
IDIP protocol engine monitors connection passing through members of IDIP domains
If intrusion observed, engine reports it to neighbors
Neighbors propagate information about attack
Trace connection, datagrams to boundary controllers
Boundary controllers coordinate responsesUsually, block attack, notify other controllers to block relevant communications
Slide Slide 8181
Example of IDIPExample of IDIP
C, D, W, X, Y, Z boundary controllersf launches flooding attack on ANote after X suppresses traffic intended for A, W begins accepting it and A, b, a, and W can freely communicate again
C D
X
W
b
a
AeY
Z
f
Slide Slide 8282
22.6.2.3 Follow-Up Phase -- Counterattacking22.6.2.3 Follow-Up Phase -- Counterattacking
Use legal proceduresCollect chain of evidence so legal authorities can establish attack was real
Check with lawyers for thisRules of evidence very specific and detailed
If you don’t follow them, expect case to be dropped
Technical attackGoal is to damage attacker seriously enough to stop current attack and deter future attacks
Slide Slide 8383
ConsequencesConsequences
1. May harm innocent party• Attacker may have broken into source of attack or may be
impersonating innocent party
2. May have side effects• If counterattack is flooding, may block legitimate use of network
3. Antithetical to shared use of network• Counterattack absorbs network resources and makes threats more
immediate
4. May be legally actionable
Slide Slide 8484
Example: CounterwormExample: Counterworm
Counterworm given signature of real wormCounterworm spreads rapidly, deleting all occurrences of original worm
Some issuesHow can counterworm be set up to delete only targeted worm?What if infected system is gathering worms for research?How do originators of counterworm know it will not cause problems for any system?
And are they legally liable if it does?
Slide Slide 8585
IDS ToolsIDS Tools
Snort
Honeypot, www.honeyd.orgA honeypot is a system designed to look like something that an intruder can hack.
The goal is to deceive intruders and learn from them without compromising the security of the network.
IPAudit,
Slide Slide 8686
Key PointsKey Points
Intrusion detection is a form of auditing
Anomaly detection looks for unexpected events
Misuse detection looks for what is known to be bad
Specification-based detection looks for what is known not to be good
Intrusion response requires careful thought and planning