Intrusion Detection - PowerPoint PPT Presentation

Learn more at: http://www.cs.sjsu.edu
1
  • Intrusion Detection
  • By
  • Himani Singh
  • (himanisingh_at_comcast.net)
  • Kavita Khanna
  • (kavita_jairath_at_yahoo.com)
  • (CS-265, Fall-2003)

2
Intrusion Detection Presentation Outline
  • How an Intruder gets access?
  • Security Holes and Vulnerabilities
  • What is Intrusion Detection?
  • Typical intrusion scenario
  • Host based and Network based Intrusion Detection.
  • Knowledge based and behavioral based Intrusion
    Detection.
  • False positives / false alarms.
  • Do I need IDS if I already have a firewall?

3
How an Intruder Gets Access
  • Intruder: a hacker and/or cracker who breaks into
    systems and performs unauthorized or malicious
    activities
  • How does an intruder get access?
  • Physical intrusion: removing hardware such as a
    disk or memory
  • System intrusion: starting from a low-privilege
    user account
  • Remote intrusion: across the network

4
Security Holes and Vulnerabilities
  • What?
  • Bad password policy
  • System configuration
  • Software bugs
  • Traffic sniffing
  • Design flaws
5
Security Holes and Vulnerabilities
  • Software bugs
  • Buffer overflows: overflowing an input with
    intentionally crafted code
  • Unexpected combinations: PERL can pass malicious
    input on to another program
  • Unhandled input: what action is taken on invalid
    input?
  • Race conditions: rare but possible
  • System configuration
  • Default configurations: easy-to-use
    configurations
  • Lazy administrators: empty root/administrator
    password
  • Hole creation: turn off everything that doesn't
    absolutely positively need to run

6
Security Holes and Vulnerabilities (Cont)
  • Password cracking
  • Weak passwords, dictionary attacks, brute
    force, etc.
  • Sniffing unsecured traffic
  • Shared medium
  • Server sniffing
  • Remote access
  • Design flaws
  • TCP/IP protocol flaws
  • Smurf: ICMP requests with the victim's address as
    the return address
  • SYN flood: the target runs out of resources;
    combined with IP spoofing
  • UNIX design flaws
  • Distributed DoS attacks on Amazon and Yahoo
  • Do not forget social engineering: hacker Kevin
    Mitnick told Congress that he used technology
    only 2% of the time

7
What is Intrusion Detection
  • Intrusion: an unauthorized activity or access to
    an information system. The attack originates
    outside the organization.
  • Misuse: attacks originating inside the
    organization.
  • Intrusion Detection (ID): the process of detecting
    whether intrusion / misuse has been attempted, is
    occurring, or has occurred. [1]
  • Intrusion and/or misuse can be as severe as
    stealing sensitive information or misusing your
    email system for spam
  • ID runs continuously
  • Does both detection and response

[1] The Practical Intrusion Detection Handbook by Paul
E. Proctor
8
Typical intrusion scenario
  • Step 1: outside reconnaissance
  • Step 2: inside reconnaissance
  • Step 3: exploit
  • Step 4: foothold
  • Step 5: profit, e.g. bandwidth theft
  • Step 6: get out, cover tracks
  • Intruders typically scan random Internet addresses
    looking for a specific hole on any system rather
    than targeting a specific system

9

Steps 1 & 2: Reconnaissance
  • Ping sweeps
  • TCP/UDP scans
  • OS identification
  • Account scan

10
Step 3: Exploits
  • CGI scripts
  • Web server attacks
  • Web browser attacks
  • URL, HTTP, HTML, JavaScript, frames
  • SMTP (Sendmail) attacks
  • IP spoofing
  • DNS poisoning
  • Buffer overflows

11
Detection
  • Signature recognition
  • Patterns: well-known patterns of attack, e.g.
  • CGI patterns
  • TCP port scans
  • Port-based signatures: common ports are not in
    use, yet traffic is coming in / going out on that
    port
  • Invalid protocol behavior

12
Detection
  • Anomaly detection
  • Some action or data that is not considered normal
    for a given system, user, or network.
  • Can be indicated by a change in CPU utilization,
    disk activity, user logins, file activity,
    increased traffic, and so forth
  • Advantage: detects unknown attacks / misuse

13
Detection
  • Anomaly detection -- three statistical criteria
  • Number of events outside the expected range,
    e.g. login attempts > 3
  • A statistical period goes outside the expected
    interval, e.g. time to load a file on an FTP server
  • Markov model, if there is a sequence of events:
  • Suppose the observed sequence is xyzhjzxyz.
  • Then the probability of z coming after xy is
    1, and so on.
  • If there is a deviation from these
    probabilities, there is a problem
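As an added example (not part of the slides), the Markov criterion from this slide in Python: a transition model is learned from the slide's constructed baseline sequence xyzhjzxyz, and a new event sequence is scored so that transitions the model never saw, or saw rarely, are flagged as deviations. The context length and the 0.2 threshold are assumptions chosen here, not values from the slides.

```python
from collections import Counter, defaultdict

# Baseline event sequence from the slide; each character is one audited
# event type (a constructed sample, not real audit data).
BASELINE = "xyzhjzxyz"


def build_model(events, order=2):
    """Learn how often each event follows each context of `order` events.

    Returns {context: {next_event: probability}}.  With order=2 and the
    baseline above, the context "xy" is followed by "z" both times it
    occurs, so P(z | xy) = 1.0, as the slide states.
    """
    counts = defaultdict(Counter)
    for i in range(order, len(events)):
        context = events[i - order:i]
        counts[context][events[i]] += 1
    model = {}
    for context, followers in counts.items():
        total = sum(followers.values())
        model[context] = {ev: n / total for ev, n in followers.items()}
    return model


def transition_probability(model, context, event):
    """P(event | context); 0.0 when the model never saw that transition."""
    return model.get(context, {}).get(event, 0.0)


def score_sequence(model, events, order=2, threshold=0.2):
    """Walk a new sequence and return the transitions below `threshold`.

    Each finding is (position, context, event, probability).  A probability
    of 0.0 is a transition never observed during the baseline period, which
    is the kind of deviation the slide says signals a problem.
    """
    findings = []
    for i in range(order, len(events)):
        context = events[i - order:i]
        p = transition_probability(model, context, events[i])
        if p < threshold:
            findings.append((i, context, events[i], p))
    return findings


if __name__ == "__main__":
    model = build_model(BASELINE)
    print("P(z | xy) =", transition_probability(model, "xy", "z"))
    # The baseline itself scores clean; a sequence that takes an unseen
    # turn after "hj" is flagged at that position.
    print(score_sequence(model, BASELINE))
    print(score_sequence(model, "xyzhjq"))
```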

14
IDS (Intrusion Detection System)
  • IDS should do
  • Event log analysis for Inside threat detection
  • Network traffic analysis for perimeter threat
    detection
  • Security configuration management
  • File integrity checking

[Diagram: IDS architecture with a Director, Agents on
each host (Host a, ...), a notifier, and the monitored
network]
15
Components of IDS
  • Command console: a central commanding
    authority
  • Network sensor
  • Alert notification
  • Response subsystem
  • Database
  • Network tap(s)

16
Network Intrusion Detection System
  • NIDS: the system detects an intruder by
    sniffing or monitoring the network packets on the
    network wire and matching the attack pattern to a
    database of known attack patterns.
  • Architecture of NIDS
  • Network node: agents distributed on each critical
    target computer in the network to monitor traffic
    bound only for the individual target.
  • Sensor-based: the sensor sits between two
    communicating computers, either stand-alone or on
    a network device, to monitor the whole network

17

Steps In NIDS
  • A network packet is born.
  • The packet is read in real time through a sensor
    (either a network sensor or a network node
    sensor).
  • A detection engine is used to identify a
    predefined pattern of misuse.
  • If there is a match, the security officer is
    notified by an audible alert, e-mail, pager,
    visual alert, or SNMP. For example: a beep, or
    playing a .WAV file saying "You are under
    attack".
  • An alert is generated (either pre-defined or
    through the security officer).
  • A response to that alert is generated.

18
Steps In NIDS (Cont.)
  • Reconfigure the firewall / router
  • Filter out the IP address
  • Terminate (reset) the TCP connection
  • The alert is stored for later review:
  • timestamp, intruder IP address, victim IP
    address/port, protocol information
  • Reports are generated
  • Data is logged for long-term trends

19
NIDS Limitations
  • Packet loss on high-speed networks
  • An intruder can hide in lost packets; node-based
    ID does not suffer from this issue
  • Switched networks, ATM
  • Encryption
  • Solutions: a network sensor on the decrypted side
    of the VPN
  • A distributed network architecture with ID agents
  • Encryption on the fly: putting the key on the
    router is itself a security threat
  • Packet reassembly
  • Many signatures can be detected only once packets
    are reassembled into the full string
  • Sniffer detection programs

20
Host based intrusion detection system
  • HIDS: monitors the actual target machines to
    identify tampering or malicious activity
    occurring within the system. Can detect
    insider malicious activity.
  • Agent-based
  • Misuse
  • Abuse of privilege
  • Unintended / inadvertent privilege grants
  • Stale (live) accounts
  • Bad account privilege policy / back door creation

21
Host based intrusion detection system (Cont)
  • HIDS monitors:
  • User-specific actions
  • System integrity checkers: system log files,
    running processes, and file systems, e.g. system
    registry changes made by intruders.
  • Determines the success / failure of an attack
  • Data sources in HIDS
  • system logs, application logs, host traffic, and
    in some instances firewall logs

22
Key points
  • Audit policy: if you fail to manage audit and
    detection policies, your deployment is likely to
    fail.
  • Detection policy: properly configure signatures
    and an appropriate number of active signatures in
    both real time and batch time.
  • The data source is the heart of HIDS
  • System logs, application logs, host traffic, and
    in some instances firewall logs
  • Unix syslog is not a good source: any
    application can write to it
  • Unix binary kernel log: the closest thing to the TCB
  • Windows NT/2000: trust the security log

23
Knowledge-based and behavior-based approaches
  • Knowledge-based approaches
  • All IDS tools are knowledge-based
  • Knowledge about specific attacks and system
    vulnerabilities
  • Accuracy is good (no false alarms) if the attack
    is defined precisely
  • Fast corrective actions: signatures can be added /
    modified quickly
  • Drawbacks
  • Completeness is questionable; depends on updates
  • New vulnerabilities are not defined, resulting in
    false negatives
  • Maintenance is a time-consuming, tedious task
  • Knowledge is environment-based (very focused;
    depends on OS, platform, version)

24
  • Behavior-based intrusion detection
  • Detects a deviation from the normal or expected
    behavior of the system or the users
  • Compares current behavior vs. valid behavior
  • Advantage
  • detects attempts to exploit new and unforeseen
    vulnerabilities
  • automatic discovery of these new attacks
  • Disadvantage
  • High false alarm rate
  • If retraining happens online, it can result in
    unavailability of the ID system (a good chance
    for an attacker) or more false alarms
  • Good complement to knowledge-based detection.
    Not enough alone.

25
Best IDS
  • A hybrid: network-based and host-based, and it
    must include both knowledge-based and
    behavior-based detection

26
False positives / false alarms
  • False positives: signaling an attack when there is
    none.
  • Why?
  • Intrusions are difficult to detect; IDS are
    limited in scope.
  • Tools are stateless.
  • Signatures are not carefully designed, giving
    lots of matches.
  • Accuracy is often traded for the urgency of
    plugging in a new signature.

27
Do I need IDS if I already have a firewall?
  • A firewall is not a dynamic defensive system and
    has no capability to understand that someone is
    trying to break in
  • Example: ColdFusion bug (port 80 web attack)
  • Boundary of the network
  • A firewall is prevention; ID is detection and
    response
  • Reasons
  • Catches attacks that firewalls legitimately allow
    through (such as attacks against web servers).
  • Catches attempts that fail.
  • Catches insider hacking, which causes financial
    loss

28
Popular NIDS: SNORT
  • Open source network intrusion detection system
  • Real-time traffic analysis
  • Detects attacks such as
  • buffer overflows,
  • stealth port scans,
  • CGI attacks, SMB probes and more
  • Decisions on traffic depend on a flexible rules
    language

29
Popular NIDS: Snort (Cont.)
  • Platforms
  • SunOS 4.1.x / Sparc, Linux, Win32
    (Win9x/NT/2000), OpenBSD, HP-UX
  • Snort is lightweight intrusion detection: cost
    efficient, open source so it keeps getting updated
    with signatures, and it has very powerful
    post-processors

30
Interesting
  • Snort and other signature-based IDS match
    unique patterns against rules in the database.
  • For example, Snort uses the following rule for the
    SubSeven Trojan:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 27374
    (msg:"BACKDOOR SIG - SubSseven 22"; flags:A;
    content:"|0d0a5b52504c5d3030320d0a|";
    reference:arachnids,485;)
  • Snort matches the hex signature, which can be
    present anywhere in the payload:
    "0d 0a 5b 52 50 4c 5d 30 30 32 0d 0a"
  • An attacker can change/scramble the noticeable
    content by encryption: add the 1st byte of the
    packet payload to every subsequent byte.
  • If it is 3, the payload becomes "31 3d 8e 85 83 7f 81
    63 63 65 31 3e",
  • which does not match any of the known signatures.
  • The attacker has now evaded our intrusion
    detection system.

Matthew: http://www.snort.org/what_is_snort.htm
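As an added example (not the slides' or Snort's own code), the following Python reimplements the two checks this rule performs, the destination port test and the content match anywhere in the payload, and on a match builds the alert record the earlier NIDS slides say is stored for review (timestamp, intruder IP, victim IP/port, protocol). The packet dictionaries are constructed samples: one carries the signature bytes, the other the byte-shifted payload quoted on this slide.

```python
import re
from datetime import datetime, timezone

# Fields of the rule as reconstructed above (the content option keeps
# Snort's syntax: bytes between | | are hex, anything else is literal text).
RULE_MSG = "BACKDOOR SIG - SubSseven 22"
RULE_PROTO = "tcp"
RULE_DST_PORT = 27374
RULE_CONTENT = "|0d0a5b52504c5d3030320d0a|"


def parse_content(spec):
    """Turn a Snort content string into the byte pattern it matches."""
    pattern = bytearray()
    for piece in re.split(r"(\|[^|]*\|)", spec):
        if len(piece) >= 2 and piece.startswith("|") and piece.endswith("|"):
            pattern += bytes.fromhex(piece[1:-1])   # fromhex ignores spaces
        elif piece:
            pattern += piece.encode("latin-1")
    return bytes(pattern)


RULE_PATTERN = parse_content(RULE_CONTENT)


def inspect_packet(pkt):
    """Apply the rule's header and content tests to one decoded packet.

    Returns the alert record to store, or None when the rule does not fire.
    The content test is Snort's default: the pattern may sit anywhere in
    the payload, which is why the signature is checked with `in`.
    """
    if pkt["proto"] != RULE_PROTO or pkt["dst_port"] != RULE_DST_PORT:
        return None
    if RULE_PATTERN not in pkt["payload"]:
        return None
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "msg": RULE_MSG,
        "intruder_ip": pkt["src_ip"],
        "victim_ip": pkt["dst_ip"],
        "victim_port": pkt["dst_port"],
        "protocol": pkt["proto"],
    }


# Constructed sample packets (addresses from the documentation ranges).
SIGNATURE_PKT = {
    "proto": "tcp", "src_ip": "203.0.113.7", "dst_ip": "192.0.2.10",
    "dst_port": 27374,
    "payload": b"noise " + bytes.fromhex("0d0a5b52504c5d3030320d0a") + b" tail",
}
# The slide's scrambled bytes: same connection, exact matching finds nothing.
SCRAMBLED_PKT = dict(SIGNATURE_PKT,
                     payload=bytes.fromhex("313d8e85837f81636365313e"))


if __name__ == "__main__":
    print(inspect_packet(SIGNATURE_PKT))   # alert record
    print(inspect_packet(SCRAMBLED_PKT))   # None: the signature is evaded
```

The scrambled packet passes an exact-content rule untouched, which is the slide's point; covering it needs either a decoding step in the detection engine or the behavior-based detection the deck recommends alongside signatures.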
31
Resources in case you get hacked
  • CERT (Computer Emergency Response Team)
    http://www.cert.org
  • CIAC (Computer Incident Advisory Capability) by
    the US Department of Energy
    http://www.ciac.org/
  • SANS http://www.sans.org/
  • AUSCERT (Australian Computer Emergency Response
    Team) http://www.auscert.org.au/
  • Network Intrusion Detection Systems
    http://www.robertgraham.com/pubs/network-intrusion-detection.html

32
References
  • The Practical Intrusion Detection Handbook,
    Paul E. Proctor
  • www.intrusion.com/
  • www.snort.org/
  • Retrieved Nov 14, 2003 from website www.sans.org
  • Retrieved Nov 15, 2003 from website
    www.cerias.purdue.edu/coast/intrusion-detection/
  • www.cs.usask.ca/undergrads/der850/project/ids/

33
Project Presentation
Instructor: Prof. Mark Stamp
Due Date: 11/18/03
Malicious Software / Intrusion Detection
  • By,
  • Kavita Khanna
  • Himani Singh
  • (CS-265, Fall-2003)

34
  • Malicious Software
  • By
  • Kavita Khanna
  • (kavita_jairath_at_yahoo.com)
  • Himani Singh
  • (himanisingh_at_comcast.net)
  • (CS-265, Fall-2003)

35
  • Malicious Software Presentation Outline
  • What is malicious software?
  • Categories of malicious software.
  • Different kinds of malicious software: viruses,
    worms, Trojan horses, etc.
  • More description of viruses
  • Desirable properties of viruses.
  • Identifying infected files and programs.
  • Where do viruses reside?
  • Identifying and detecting viruses: virus
    signatures.
  • Effect of a virus attack on a computer system.
  • Protection against attacks by malicious software:
    preventing infection.
  • References.

36
What is Malicious Software
  • Software deliberately designed to harm
    computer systems.
  • A malicious software program causes undesired
    actions in information systems.
  • Spreads from one system to another through
  • E-mail (through attachments)
  • Infected floppy disks
  • Downloading / exchanging corrupted files
  • Code embedded into computer games

37
Malicious Software - Categories
38
Types of Malicious Software
  • Virus: a program that spreads to other software
    in the system, i.e., a program that incorporates
    copies of itself into other programs.
  • Two major categories of viruses
  • Boot sector virus: infects the boot sector of
    systems.
  • Becomes resident.
  • Activates while booting the machine.
  • File virus: infects program files.
  • Activates when the program is run.

39
Categories of Viruses
  • Armored virus: hides the modifications it has made
    to files or to the disk. Reports false values to
    programs as they read files or data from storage
    media.
  • Polymorphic virus: produces modified, fully
    operational code. Produces new, different code
    every time the virus is copied or transmitted to a
    new host. Difficult to detect and remove.
  • Stealth virus: programming tricks make tracing and
    understanding the code difficult. Complex
    programming methods are used to design the code, so
    it is difficult to repair the infected file.
  • Companion virus: creates a new program instead of
    modifying the existing program. Contains all the
    virus code. Executed by the shell instead of the
    original program.

40
  • Rabbit: this malicious software replicates
    itself without limits and depletes some or all of
    the system's resources.
  • Re-attacks the infected systems, making recovery
    difficult.
  • Exhausts all the system's resources such as CPU
    time, memory, disk space.
  • Depletion of resources thus denies users access
    to those resources.

41
  • Hoaxes: false alerts of spreading viruses.
  • e.g., sending chain letters.
  • The message seems important to the recipient, who
    forwards it to other users; it becomes a chain.
  • Exchanging a large number of messages (in a chain)
    floods the network resources: bandwidth wastage.
  • Blocks the systems on the network: access denied
    due to heavy network traffic.

42
  • Trojan Horse: a malicious program with
    unexpected additional functionality. It includes
    harmful features of which the user is not aware.
  • Performs a different function than what it is
    advertised to do (some malicious action, e.g.,
    stealing passwords).
  • Neither self-replicating nor self-propagating.
  • User assistance is required for infection.
  • Infects when the user installs and executes
    infected programs.
  • Some types of Trojan horses include Remote Access
    Trojans (RAT), keyloggers, password stealers
    (PSW), and logic bombs.

43
  • Transmitting medium
  • spam or e-mail
  • a downloaded file
  • a disk from a trusted source
  • a legitimate program with the Trojan inside.
  • The Trojan looks for your personal information and
    sends it to the Trojan writer (hacker). It can
    also allow the hacker to take full control of
    your system.
  • Different types of Trojan Horses
  • 1. The remote access Trojan takes full control of
    your system and passes it to the hacker.
  • 2. The data-sending Trojan sends data back to the
    hacker by means of e-mail.
  • e.g., keyloggers log and transmit each
    keystroke.

44
  • The destructive Trojan has only one purpose: to
    destroy and delete files. Unlikely to be detected
    by anti-virus software.
  • The denial-of-service (DoS) attack Trojan
    combines the computing power of all the
    computers/systems it infects to launch an attack
    on another computer system. It floods the system
    with traffic, hence it crashes.
  • The proxy Trojan allows a hacker to turn a user's
    computer into a HIS (Host Integration Server)
    server to make purchases with stolen credit
    cards and run other organized criminal
    enterprises in that user's name.
  • The FTP Trojan opens port 21 (the port for FTP
    transfer) and lets the attacker connect to your
    computer using File Transfer Protocol (FTP).

45
  • The security software disabler Trojan is designed
    to stop or kill security programs such as
    anti-virus software, firewalls, etc., without you
    knowing it.
  • Spyware
  • Spyware programs explore the files in an
    information system.
  • The information is forwarded to an address
    specified in the spyware.
  • Spyware can also be used for investigation of
    software users or preparation of an attack.

46
  • Trapdoor: a secret, undocumented entry point to
    a program.
  • An example of such a feature is the so-called back
    door, which enables intrusion into the target by
    bypassing user authentication methods.
  • A hole in the security of a system deliberately
    left in place by designers or maintainers.
  • A trapdoor allows unauthorized access to the
    system.
  • The only purpose of a trapdoor is to "bypass"
    internal controls. It is up to the attacker to
    determine how this circumvention of control can
    be utilized for his benefit.

47
  • Types of Trapdoor
  • Undetectable trapdoor: virtually undetectable.
  • Hardware trapdoor: security-related hardware
    flaws.
48
  • Worms
  • A program that spreads copies of itself through a
    network.
  • Does irrecoverable damage to the computer system.
  • Stand-alone program; spreads only through the
    network.
  • Also performs various malicious activities other
    than spreading itself to different systems, e.g.,
    deleting files.
  • Attacks of worms
  • Deleting files and other malicious actions on
    systems.
  • Communicating information back to the attacker,
    e.g., passwords, other proprietary information.
  • Disrupting normal operation of the system, thus a
    denial of service (DoS) attack due to re-infecting
    an already infected system.
  • Worms may carry viruses with them.

49
  • Means of spreading infection by worms
  • Infects one system, gains access to trusted host
    lists on the infected system and spreads to other
    hosts.
  • Another method of infection is penetrating a
    system by guessing passwords.
  • By exploiting widely known security holes, in
    case password guessing and trusted host
    access fail.
  • e.g., a well-known example of a worm is the
    ILOVEYOU worm, which invaded millions of computers
    through e-mail in 2000.

50
  • VIRUSES: More Description
  • Desirable properties of viruses
  • A virus program should be hard to detect by
    anti-virus software.
  • Viruses should be hard to destroy or deactivate.
  • Spread infection widely.
  • Should be easy to create.
  • Be able to re-infect.
  • Should be machine / platform independent, so that
    it can spread on different hosts.

51
  • Detecting virus-infected files/programs
  • A virus-infected file changes: it gets bigger.
  • Modification detection by checksum
  • > Use a cryptographic checksum/hash function,
    e.g., SHA, MD5.
  • > Add all 32-bit segments of a file and store
    the sum (i.e., the checksum).
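As an added example (not from the slides), this Python implements both checks from this slide, the additive 32-bit checksum and a cryptographic hash (SHA-256 is used here in place of the older SHA-1/MD5 named above), records a baseline for a set of constructed sample files, and reports which check notices a later change. It goes one step beyond the slide: the second tampering case reorders whole 32-bit words, which the additive sum cannot see because addition is commutative, while the hash still catches it.

```python
import hashlib
import struct


def additive_checksum(data):
    """The slide's scheme: add all 32-bit segments of the file, mod 2**32.

    The data is zero-padded to a multiple of four bytes and read as
    little-endian words (a convention chosen here, not fixed by the slide).
    """
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for (word,) in struct.iter_unpack("<I", padded):
        total = (total + word) & 0xFFFFFFFF
    return total


def sha256_digest(data):
    """Cryptographic alternative: any change to the bytes flips the digest."""
    return hashlib.sha256(data).hexdigest()


def baseline(files):
    """Record both values for every file; in practice keep this offline."""
    return {name: (additive_checksum(d), sha256_digest(d))
            for name, d in files.items()}


def check(files, base):
    """Compare current contents against the baseline.

    Returns {name: (additive_changed, sha256_changed)} so the caller sees
    which of the two checks caught a modification.
    """
    report = {}
    for name, data in files.items():
        add_ref, sha_ref = base[name]
        report[name] = (additive_checksum(data) != add_ref,
                        sha256_digest(data) != sha_ref)
    return report


# Constructed sample "files": prog.bin is three 32-bit words.
ORIGINAL = {
    "prog.bin": bytes.fromhex("01020304" "10203040" "72657374"),
    "data.txt": b"hello world",
}
# Case 1: code appended to prog.bin (the growth the slide mentions).
APPENDED = dict(ORIGINAL, **{"prog.bin": ORIGINAL["prog.bin"] + b"XTRA"})
# Case 2: the first two words of prog.bin swapped; same length, same sum.
SWAPPED = dict(ORIGINAL,
               **{"prog.bin": bytes.fromhex("10203040" "01020304" "72657374")})


if __name__ == "__main__":
    base = baseline(ORIGINAL)
    print(check(APPENDED, base))   # prog.bin: both checks change
    print(check(SWAPPED, base))    # prog.bin: only SHA-256 changes
```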

52
  • Identifying Viruses
  • A virus is a unique program.
  • It has a unique object code.
  • It inserts itself in a deterministic manner.
  • The pattern of object code and where it is
    inserted provide a signature for the virus
    program.
  • This virus signature can be used by virus
    scanners to identify and detect a particular
    virus.
  • Some viruses try to hide or alter their
    signature:
  • Random patterns in meaningless places.
  • Self-modifying code: metamorphic, polymorphic
    viruses.
  • Encrypting the code, changing the key frequently.

53
  • Places where viruses live
  • Boot sector
  • Memory resident
  • Disk: applications and data stored on disk.
  • Libraries: stored procedures and classes.
  • Compiler
  • Debugger
  • A virus checking program infected by a virus is
    unable to detect that particular virus signature.

54
  • Effect of a virus attack on a computer system
  • A virus may affect the user's data in memory by
    overwriting it.
  • A virus may affect the user's programs by
    overwriting them.
  • A virus may also overwrite system data or
    programs, corrupting them and disrupting normal
    operation of the system.
  • Smashing the stack: a buffer overflow redirects
    program execution to virus code.

55
  • Preventing infection by malicious software
  • Use only trusted software, not pirated software.
  • Test all new software on an isolated computer
    system.
  • Regularly back up programs.
  • Use anti-virus software to detect and remove
    viruses.
  • Update the virus database frequently to get new
    virus signatures.
  • Install firewall software, which hampers or
    prevents the functionality of worms and Trojan
    horses.
  • Make sure that e-mail attachments are secure.
  • Do not keep a floppy disk in the drive when
    starting a program, unless sure that it does not
    include malicious software, else the virus will be
    copied into the boot sector.

56
References
  • Webopedia.com. Trojan Horse. Retrieved Nov 8,
    2003 from website
    http://www.webopedia.com/TERM/T/Trojan_horse.html
  • Staffordshire University, Information Security
    Team (Jun 8, 2002). Information Systems Security
    Guidelines. Retrieved Nov 10, 2003 from website
    http://www.staffs.ac.uk/services/information_technology/regs/security7.shtm
  • M. E. Kabay, Norwich University, VT (2002).
    Malicious Software. Retrieved Nov 9, 2003 from
    website
    http://www2.norwich.edu/mkabay/cyberwatch/09malware.htm
  • Computer Emergency Response Team (CERT),
    Information Security (Jul 2, 2002). Malicious
    Software general. Retrieved Nov 10, 2003 from
    website
    http://www.ficora.fi/englanti/tietoturva/haittaohj.htm

57
References Cont...
  • Rutgers, New Jersey (Oct 10, 2003). Trojan
    Horses. Retrieved Nov 10, 2003 from website
    http://netsecurity.rutgers.edu/trojan.htm
  • Dr. Roger R. Schell, Monterey CA (Apr 24, 2000).
    Malicious Software. Retrieved Nov 11, 2003 from
    website www.sp.nps.navy.mil
  • Edward F. Gehringer. Computer Abuse: Worms,
    Trojan Horses, Viruses. Retrieved Nov 12, 2003
    from website
    http://legacy.eos.ncsu.edu/eos/info/computer_ethics/abuse/wvt/study.html
  • Bullguard.com. Computer Viruses. Retrieved Nov 12,
    2003 from website
    http://www.bullguard.com/antivirus/vi_info.aspx
  • Google.com. Program Security. Retrieved Nov 12,
    2003 from website
    http://www.sm.luth.se/csee/courses/smd/102/lek6-6.pdf