Intruders
Transcript of a PowerPoint presentation (slides 1-38).
Slide 1
Intruders
Ola Flygt, Växjö University, Sweden
http://w3.msi.vxu.se/users/ofl/
[email protected]
+46 470 70 86 49
Slide 2
Outline
• Intrusion Techniques
• Intrusion Detection
• Password Protection
• Password Selection Strategies
Slide 3
Three classes of intruders (hackers or crackers)
• Masquerader - An individual trying to exploit a legitimate user’s account
• Misfeasor - A legitimate user misusing their privileges
• Clandestine user - An individual seizing supervisory control to evade detection
Slide 4
Intrusion Techniques
A main goal of an attacker is to gain access to computing resources.
Systems maintain a file that associates a password with each authorized user.
The password file can be protected with:
• One-way encryption
• Access control
Slide 5
Intrusion Techniques
Techniques for guessing passwords:
• Try default passwords.
• Try all short words, 1 to 3 characters long.
• Try all the words in an electronic dictionary (60,000).
• Collect information about the user’s hobbies, family names, birthday, etc.
• Try the user’s phone number, social security number, street address, etc.
• Try all license plate numbers (MUP103).
• Use a Trojan horse.
• Tap the line between a remote user and the host system.
Prevention: Enforce good password selection (Ij4Gf4Se%f#)
Slide 6
The Stages of a Network Intrusion
1. Scan the network to locate which IP addresses are in use, what operating systems are in use, and what TCP or UDP ports are “open” (being listened to by servers).
2. Run “exploit” scripts against open ports.
3. Get access to a shell program which is “suid” (has “root” privileges).
4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.
Slide 7
Intrusion Detection
The intruder can be identified and ejected from the system.
An effective intrusion detection can prevent intrusions (intrusion prevention).
Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
Slide 8
Profiles of Behaviour of Intruders and Authorized Users (figure only)
Slide 9
Intrusion Detection
Statistical anomaly detection - what is not normal behaviour?
• Threshold detection (per system)
• Profile based (per user)
Rule based detection - what is not proper behaviour?
• Anomaly detection - based on normal activities
• Penetration identification - expert system approach
Slide 10
Audit Records
A fundamental tool in an IDS. Audit records are used in two phases:
• To collect information about a system during normal use, used to build a model of the system
• To monitor the running system and detect intrusion attempts
Slide 11
Audit Records
The information can be:
• Native - information already collected in the system, e.g. log files for login
• Detection specific - extra modules introduced in the system that generate information deemed to be interesting
Slide 12
Audit Records
An audit record may have different fields of information:
• Subject
• Action
• Object
• Exception-Condition
• Resource-Usage
• Time-Stamp
Slide 13
Measures used for Intrusion Detection (table only)
Slide 14
Measures used for Intrusion Detection (table only)
Slide 15
Measures used for Intrusion Detection (table only)
Slide 16
Different IDS
Most systems use the audit records either to create a statistical model for the system or as an input to a rule generator.
Rule-based penetration identification, however, is based on rules created by security experts.
Slide 17
Example of heuristics in a rule-based penetration identification
1. Users should not read files in other users’ personal directories
2. Users must not write in other users’ files
3. Users who log in after hours often access the same files they used earlier
4. Users do not copy system files
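As an added example (not from the slides), the four heuristics above applied to a stream of audit records carrying the fields listed on the Audit Records slide; the /home/<user> directory layout, the working-hours window and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class AuditRecord:             # the six fields named on the "Audit Records" slide
    subject: str               # user who initiated the action
    action: str                # e.g. "read", "write", "copy"
    object: str                # file acted on
    exception_condition: str   # e.g. "" or "EACCES" (carried, not used by the rules)
    resource_usage: int        # e.g. bytes transferred (carried, not used by the rules)
    time_stamp: datetime

def owner_of(path):
    """Assumed layout: /home/<user>/... is <user>'s personal directory."""
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "home" else None

def check_record(rec, history, work_hours=(8, 18)):
    """Apply heuristics 1-4 to one record; `history` maps user -> files used earlier."""
    hits = []
    owner = owner_of(rec.object)
    foreign = owner is not None and owner != rec.subject
    if rec.action == "read" and foreign:
        hits.append(1)   # reading in another user's personal directory
    if rec.action == "write" and foreign:
        hits.append(2)   # writing another user's file
    after_hours = not (work_hours[0] <= rec.time_stamp.hour < work_hours[1])
    if after_hours and rec.object not in history.get(rec.subject, set()):
        hits.append(3)   # after-hours access to a file not used earlier
    if rec.action == "copy" and rec.object.startswith(("/etc/", "/bin/", "/sbin/")):
        hits.append(4)   # copying system files
    return hits

def scan(records):
    """Run the rules in time order, learning each user's file set for rule 3."""
    history, alerts = {}, []
    for rec in sorted(records, key=lambda r: r.time_stamp):
        hits = check_record(rec, history)
        if hits:
            alerts.append((rec.subject, rec.object, hits))
        history.setdefault(rec.subject, set()).add(rec.object)
    return alerts

# Constructed sample audit records (not real data)
SAMPLE = [
    AuditRecord("alice", "read", "/home/alice/notes.txt", "", 512, datetime(2024, 1, 8, 10, 0)),
    AuditRecord("bob", "read", "/home/alice/notes.txt", "EACCES", 0, datetime(2024, 1, 8, 11, 0)),
    AuditRecord("alice", "read", "/home/alice/notes.txt", "", 512, datetime(2024, 1, 8, 22, 0)),
    AuditRecord("bob", "copy", "/etc/passwd", "", 2048, datetime(2024, 1, 8, 23, 30)),
]
```

Running `scan(SAMPLE)` flags bob's read of alice's file (rule 1) and his after-hours copy of /etc/passwd (rules 3 and 4), while alice's own late-night read of a file she used earlier passes.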
Slide 18
USTAT - state transition model
USTAT is a way to simplify the creation of rules by limiting the number of actions used.
May also be used to standardize the IDS system.
Slide 19
Distributed Intrusion Detection
Developed at University of California at Davis
Slide 20
Distributed Intrusion Detection (figure only)
Slide 21
Honey pots
A honey pot is an intrusion detection technique used to study hacker movements and probing, to help better system defenses against later attacks. It is usually made up of a virtual machine that sits on a network or a single client.
Slide 22
Three goals of a Honey Pot System
• The virtual system should look as real as possible; it should attract unwanted intruders to connect to the virtual machine for study.
• The virtual system should be watched to see that it isn’t used for a massive attack on other systems, i.e. smurfing.
• The virtual system should look and feel just like a regular system, meaning it must include files, directories, and information that will catch the eye of the hacker.
Slide 23
Example Honey Pot System (figure only)
Slide 24
Password Management
Passwords are interesting for a hacker since:
• they may be used to gain access to different types of assets
• they are used in almost all systems
• they often are of bad quality or easily compromised
Slide 25
UNIX Password Scheme
Loading a new password (figure only)
Slide 26
UNIX Password Scheme
• Hash is stored in /etc/passwd (public) or /etc/shadow (readable by root)
• 8 byte ASCII password is used as 56-bit key to modified DES
• Iterated thousands of times to slow down brute force guessing
• 12 bit salt used to thwart table lookup and detection of reused passwords
• DES modified to thwart hardware acceleration
(Figure: the password is the key and the salt an input to modified DES with IV = 0; the output hash is stored together with the salt.)
Slide 27
UNIX Password Scheme
Verifying a password file (figure only)
Slide 28
”Salt”
The salt serves three purposes:
• Prevents duplicate passwords.
• Effectively increases the length of the password.
• Prevents the use of hardware implementations of DES.
Slide 29
Storing UNIX Passwords
• UNIX passwords were historically kept in a publicly readable file, /etc/passwd.
• Now they are kept in a “shadow” file (/etc/shadow) and only visible by “root”.
Slide 30
BSDi extended DES-based scheme
To gain greater cryptographic security and resistance to brute-force attacks, modern versions of Unix now have a variety of new password hash schemes implemented using the crypt() interface.
BSDi modified the original DES-based scheme, extending the salt to 24 bits and making the number of rounds variable (up to 2^24 − 1). The chosen number of rounds is encoded in the stored password hash, avoiding the incompatibility that occurred when sites modified the number of rounds used by the original scheme. These hashes are identified by starting with _.
The BSDi algorithm also supports longer passwords, using DES to fold the initial long password down to the eight bytes supported by the original algorithm.
Slide 31
Length of observed passwords (figure only)
Slide 32
Cracked passwords (figure only)
Slide 33
Password Selecting Strategies
• User education
• Computer-generated passwords
• Reactive password checking
• Proactive password checking
Slide 34
Markov Model - proactive password checker (figure only)
Slide 35
Transition Matrix
1. Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth character.
2. For each bigram ij, calculate f(i,j,∞) as the total number of trigrams beginning with ij.
3. Compute the entries of T as follows:
$$T(i,j,k) = \frac{f(i,j,k)}{f(i,j,\infty)}$$
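As an added example (not from the slides), the three steps above in Python: the trigram transition matrix is built from a small constructed word list, and a candidate password is rejected when the model is likely to generate it. The word list and the rejection threshold are assumptions.

```python
from collections import defaultdict

# Constructed stand-in for the slide's electronic dictionary of guessable words
GUESSABLE = ["password", "passwords", "pass1234", "letmein", "welcome",
             "secret", "sunshine", "football", "baseball", "dragon"]

def build_transition_matrix(words):
    """Steps 1-3 of the slide: f(i,j,k) counts trigrams, f(i,j,inf) counts
    trigrams starting with bigram ij, and T(i,j,k) = f(i,j,k) / f(i,j,inf)."""
    f = defaultdict(int)       # f[(i, j, k)]
    f_inf = defaultdict(int)   # f[(i, j, inf)] = sum of f[(i, j, k)] over k
    for w in words:
        for n in range(len(w) - 2):
            i, j, k = w[n], w[n + 1], w[n + 2]
            f[(i, j, k)] += 1
            f_inf[(i, j)] += 1
    return {(i, j, k): c / f_inf[(i, j)] for (i, j, k), c in f.items()}

def likelihood(T, password):
    """Probability that the Markov model generates the password's trigram
    sequence: the product of T over its trigrams, 0 if any trigram is unseen."""
    p = 1.0
    for n in range(len(password) - 2):
        p *= T.get((password[n], password[n + 1], password[n + 2]), 0.0)
    return p

def is_guessable(T, password, threshold=1e-3):
    """Proactive check: reject passwords the model is likely to produce.
    The threshold is an assumed tuning parameter, not from the slide."""
    return len(password) < 3 or likelihood(T, password) > threshold

T = build_transition_matrix(GUESSABLE)
```

With this word list, "password" has likelihood 0.5 and is rejected, while the slide's Ij4Gf4Se%f# contains no trigram the model has seen and is accepted.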
Slide 36
Spafford (Bloom Filter)
$$H_i(X_j) = y, \quad 1 \le i \le k;\ 1 \le j \le D;\ 0 \le y \le N-1$$
where
D = number of words in password dictionary
X_j = jth word in password dictionary
The following procedure is then applied to the dictionary:
1. A hash table of N bits is defined, with all bits initially set to 0.
2. For each password, its k hash values are calculated, and the corresponding bits in the hash table are set to 1.
Slide 37
Spafford (Bloom Filter)
Design the hash scheme to minimize false positives.
Probability of false positive:
$$P \approx \left(1 - e^{-kD/N}\right)^k = \left(1 - e^{-k/R}\right)^k$$
or, equivalently,
$$R \approx \frac{-k}{\ln\left(1 - P^{1/k}\right)}$$
where
k = number of hash functions
N = number of bits in hash table
D = number of words in dictionary
R = N/D, ratio of hash table size (bits) to dictionary size (words)
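As an added example (not from the slides), the Bloom-filter password checker of the previous slide together with the false-positive formulas on this one; the SHA-256-based hash family and the small word list are assumptions, since the slides do not fix either.

```python
import hashlib
import math

def make_hashes(k, N):
    """k hash functions H_i(X) -> y with 0 <= y <= N-1. The slide does not fix a
    hash family; here H_i is assumed to be SHA-256 over the index i and the word."""
    def h(i, word):
        digest = hashlib.sha256(f"{i}:{word}".encode()).digest()
        return int.from_bytes(digest, "big") % N
    return [lambda word, i=i: h(i, word) for i in range(1, k + 1)]

class BloomPasswordChecker:
    def __init__(self, dictionary, k, N):
        self.hashes = make_hashes(k, N)
        self.bits = bytearray(N)      # step 1: N-bit table, all 0 (one byte per bit here)
        for word in dictionary:       # step 2: set the k bits for every dictionary word
            for h in self.hashes:
                self.bits[h(word)] = 1

    def maybe_in_dictionary(self, candidate):
        """True if all k bits are set (a dictionary word or a false positive);
        False means the candidate is definitely not in the dictionary."""
        return all(self.bits[h(candidate)] for h in self.hashes)

def false_positive_rate(k, D, N):
    """P ~ (1 - e^{-kD/N})^k from the slide."""
    return (1 - math.exp(-k * D / N)) ** k

def required_ratio(k, P):
    """R = N/D ~ -k / ln(1 - P^{1/k}), the slide's equivalent form: table bits
    needed per dictionary word for a target false-positive rate P."""
    return -k / math.log(1 - P ** (1 / k))

# Constructed small dictionary; a real one would hold tens of thousands of words
DICTIONARY = ["password", "letmein", "welcome", "secret", "sunshine",
              "football", "baseball", "dragon", "qwerty", "monkey"]
CHECKER = BloomPasswordChecker(DICTIONARY, k=4, N=1024)
```

With k = 6 hash functions, `required_ratio(6, 0.01)` gives R of about 9.6 bits per dictionary word for a 1% false-positive rate, and `false_positive_rate(6, 1, 9.6)` returns the same 1% back.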
Slide 38
Performance of Bloom Filter (figure only)