intrusion detection systems by ali hushyar. what is an intrusion? intrusion: “any action or set of...
Post on 22-Dec-2015
214 views
TRANSCRIPT
Intrusion Detection Systems
By Ali Hushyar
What is an intrusion?
• Intrusion: “any action or set of actions that attempt to compromise the integrity, confidentiality or availability of a resource”
Heady et al.[Ku95]
• Intrusion types– External penetrations– Internal penetrations– Misfeasance
Preventing Intrusion
• Authentication
• Access Control
• Firewalls
• Vulnerability Patching
• Restricting physical access
• Intrusion Detection Systems
Principles
• Assumptions about computer systems [D86]– Actions of processes follow specifications describing
what the processes are allowed to do– Actions of users and processes have statistically
predictable patterns– Actions of users and processes do not have
command sequences aimed at compromising system security policies
• Exploiting vulnerabilities requires an abnormal use of normal commands or instructions.
Principles
• Intrusion detection: determine whether a user has gained or is trying to gain unauthorized access to the system by looking for abnormalities in the system.
• IDS Analysis Approaches– Anomaly detection
• Distinguish anomalous behavior from normal behavior
– Misuse detection• Detect intrusions based on well-known techniques
Static Anomaly Detection
• File integrity checkers – Part of system is to remain constant
(e.g. system code and data) – Detect anomaly by comparing current system
state to original system state– Representation of system state
• Actual bit strings • Signatures of bit strings (hash functions) • Meta-data “selection masks” on file or inode fields
such as size, access permissions, modification timestamp, access timestamp, user id, group id, etc…
Tripwire
Static Anomaly Detection
• Virus checkers– Look for virus signatures in system files or
memory – Actual virus bit strings are stored in database
• Self-Nonself – Like Tripwire, part of system is static – Like virus checkers, it is necessary to
maintain set of unwanted signatures– Human immune system
Static Anomaly Detection
• Create Self (example from [F84]) – Represent system state as single static string 00101000100100000100001010010011 – Split string into substrings of size k 0010 1000 1001 0000 0100 0010 1001 0011
• Create Nonself– Generate random substrings of size k 0111 1000 0101 1001– Censor by comparing substrings to those in Self 0111 0101
Static Anomaly Detection
• Size of Nonself affects probability of detecting anomalies and computational load
• Probability of detection can be configured• Generating Nonself is expensive but
monitoring system is cheaper• Tripwire comparisons
– Does not depend on meta-data– Will not detect deletion of files
Dynamic Anomaly Detection
• Real world examples (logins, credit-card use) • System behavior defined as sequences of
events that are recorded by OS logs and audit records, application logs, network monitors and other probes
• Base profiles are created for each entity to be monitored that characterize normal behavior for that entity
• Current profiles are built by monitoring system events and deviations from base profile are measured
Statistical Models
• Each profile consists of set of measures• Measures depict activity intensity, audit
record distribution, categorical, and ordinal measures
• Measures can be seen as random variables
• Profiles do evolve over time so aging of measures or changing statistical rules take this into consideration
Statistical Models
• Operational/Threshold Model– Measure is deemed abnormal if it surpasses fixed
limits imposed on the measure
• Mean and Standard Deviation Model– Mean and standard deviation of previous n values are
known. A confidence value for the new measure can be determined.
• Multivariate Model – Better conclusions can be made by taking into
consideration correlations of related measures.
Statistical Models
• Clustering Model is an example of a nonparametric statistical technique
• Data is grouped into clusters • Example from [B03]
Process User CPU Time 25% ranges 50% ranges
p1 matt 359 4 2
p2 holly 10 1 1
p3 heidi 263 3 2
p4 steven 68 1 1
p5 david 133 2 1
p6 mike 195 3 2
Statistical Models
• Combining individual measurement values to determine overall abnormality value for the current profile
• Let Si be the recorded values of each measure Mi. Then combining function [KU95] can be weighted sum of squares:
Statistical Models
• If individual measures Mi are not mutually independent then more complex combining functions will be needed
Bayesian Statistics • Ai is 0 or 1 depending on whether Mi normal or
anomalous respectively [KU95]
Models based on Sequences of Events
• Markov Process Model • Given the present state, past states of a system
have no influence on future states• Next state relies only on present state • Non-deterministic systems mean that there are
transition probabilities for each state• Given an initial state, an event that transitions
system to a state of low probability is taken to be anomalous
Time-based Inductive Learning
• Sequence of events:abcdedeabcabc
• Predict the events: R1: ab c (1) R2: c d (0.5)
R3: c a (0.5) R4: d e (1) R5: e a (0.5) R6: e d (0.5)
• Single out rules that are good indicators of behavior: R1 and R4
UNM Pattern Matching
• System behavior defined as sequence of OS routine calls
• Entities monitored consist of those processes that run with elevated privileges
• Profile consists of legitimate traces which are sequences of OS calls of length k
UNM Pattern Matching
• Example from [J00]open read write open mmap write fchmod close
• Profile traces with max length 4 open read write open write fchmod close
open mmap write fchmod mmap write fchmod close
read write open mmap fchmod close
write open mmap write close
• Later sequence of calls recorded open read read open mmap write fchmod close
Neural Networks
• Information processing model based on biological nervous systems like the brain
• Different than expert systems in that they have ability to learn
• Given a data vector they can either apply what they have learned to determine an output or “recognize” similarity between input data vector and other inputs to determine outputs
Neural Networks (http://www.doc.ic.ac.uk)
X1: 0 0 0 0 1 1 1 1
X2: 0 0 1 1 0 0 1 1
X3: 0 1 0 1 0 1 0 1
OUT: 0 0 0/1 0/1 0/1 1 0/1 1
Neural Network Intrusion Detector
• Identify legitimate user on system • Obtain logs indicating how often a user executed
a specific command on a system during different time intervals over a period of several days
• Each command is a vector of frequencies • 100 commands = 100 dimensional input vector
of command vectors• Train the neural net to recognize specific user
Misuse Detection
• Anomaly detectors can be trained not to detect intrusive behavior and often vulnerabilities exploited by known attacks are not patched.
• Detecting intrusions based on known techniques or sequences of actions
• Intrusion scenario or signature must be formally defined
Rule-based Misuse Systems
• Intrusion scenarios are defined as a set of rules
• System maintains rule base of intrusion scenarios and fact base of event sequences from audit logs
• When fact pattern matches antecedent of rule then a rule binding is established and rest of rule is evaluated
Rule-based Misuse Systems
• MIDAS rule example [J00](defrule illegal_privileged_account states
if there exists a failed_login_itemsuch that name is (“root”) and time is ?time_stamp and channel is ?channel
then(print “Alert: Attempted login to root”)and remember a breakin_attempt with certainty *high*such that attack_time is ?time_stampand login_channel is ?channel)
State-based Misuse Detection
• Intrusion scenarios are modeled as a number of different states and the transitions between them
• Actions of would-be intruders lead to compromised state
• Two subclasses: state transition and Petri net• State transition
– States form a simple chain traversed from beginning to end– Table for each possible intrusion in progress– For each event processed, if event causes transition then
row with next state is added to table– Event that causes a transition to a final state indicates
intrusion
Petri Networks
• Intrusion states form a Petri net that follow a more general tree structure
• Many branches may exist denoting initial states of the intrusion
• Unix version 7 mkdir command [B03] mknod(“xxx”, directory)
chown(“xxx”, user, group)
Petri Networks
mknod(“xxx”, directory)
chown(“xxx”, user, group)
F
S1
S4
S6
S3S2
S5
unlinkchown
link
mknod
this[uid] != 0 &&File1 == this[obj]
this[uid] == 0 &&File1==true_name(this[obj])
true_name(this[obj]) ==true_name(“/etc/passwd”) && File2 = this[obj]
this[uid] == 0 &&File2 == this[obj]
Other Misuse Techniques
• Simple string matching (KMP)
• Protocol Analysis – Detect attack signatures by taking advantage
of structure of network data packets.– Identifying packets by protocol and thus
interpreting payload data – Fragmented packets can be reassembled
before intrusion analysis
References
• [B03] Bishop, M. (2003). Computer Security: Art and Science.
• [Kr03]Krishna, S. (2003). Intrusion Detection Techniques: Pattern Matching and Protocol Analysis.
• [J00]Jones, A. (2000). Computer System Intrusion Detection: A Survey.
• [Ku95]Kumar, S. (1995). Classification and Detection of Computer Intrusions.
• [F94]Forrest, S. (1994). Self-Nonself Discrimination in a Computer.
• [D86] Denning, D. (1986). An Intrusion Detection Model.