Intrusion Control - PowerPoint PPT Presentation

1
Intrusion Control
  • CSCE 590 - Farkas

2
Historical Research - Prevention
  • It is better to prevent something than to plan for loss.
  • Problem: losses occur!
  • 1999 losses to computer misuse topped $7 billion (New York Times)

3
Contributing Factors
  • Many security flaws in systems
  • Secure systems are expensive
  • Secure systems are not user-friendly
  • Secure systems still have flaws
  • Insider Threat
  • Attackers keep improving their skills and tools

4
Need
  • Intrusion Prevention: protect system resources
  • Intrusion Detection (second line of defense):
    discriminate intrusion attempts from normal
    system usage
  • Intrusion Recovery: cost-effective recovery models

5
Intrusion Detection - Milestones
  • 1980: deviation from historical system usage
    (Anderson)
  • 1987: framework for a general-purpose intrusion
    detection system (Denning)
  • 1988: intrusion detection research splits into
    • attack-signature-based detection (MIDAS)
    • anomaly-based detection (IDES)

6
Intrusion Detection - Milestones
  • Early 1990s: commercial installations
    • IDES, NIDES (SRI)
    • Haystack, Stalker (Haystack Laboratory Inc.)
    • Distributed Intrusion Detection System (Air
      Force)
  • Late 1990s:
    • Integration of audit sources
    • Network-based intrusion detection
    • Hybrid models

7
Terminology
  • Audit: the activity of looking at user/system
    behavior, its effects, or the collected data
  • Profiling: looking at users or systems to
    determine what they usually do
  • Anomaly: abnormal behavior
  • Misuse: activity that violates the security
    policy
  • Outsider: someone without access rights to the
    system
  • Insider: someone with access rights to the system
  • Intrusion: misuse by outsiders and insiders

8
Audit Data
  • Format, granularity and completeness depend on
    the collecting tool
  • Examples:
    • System tools that collect data (login, mail)
    • Additional collection at a low system level
    • Sniffers as network probes
    • Application auditing
  • Needed for:
    • Establishing the guilt of attackers
    • Detecting subversive user activity

9
Audit-Based Intrusion Detection
  Diagram: Audit Data and Profiles, Rules, etc. feed the
  Intrusion Detection System, which produces a Decision.
  • Need:
    • Audit data
    • Ability to characterize behavior

10
Issues
  • Audit collection and storage: what to store,
    where, how to reduce volume and how long to keep it
  • Integration of audit data in a network
    environment
  • Batch vs. real-time analysis of data
  • Audit data integrity
  • Audit data confidentiality

11
Anomaly versus Misuse

                                  Non-intrusive use                 Intrusive use
  Looks like NORMAL behavior      correct (not flagged)             FALSE NEGATIVE: non-anomalous
                                                                    but intrusive activities
  Does NOT look like NORMAL       FALSE POSITIVE: non-intrusive     correct (flagged)
  behavior                        but anomalous activities

12
Intrusion Detection Techniques
  • Anomaly Detection
  • Misuse Detection
  • Hybrid Misuse/Anomaly Detection
  • Continuous System Health Monitoring

13
Anomaly Detection Techniques
  • Assume that all intrusive activities are
    necessarily anomalous → flag all system states
    that vary from a normal activity profile.

14
Anomaly Detection Techniques
  • Need:
    • Selection of features to monitor
    • Good threshold levels to balance false positives
      against false negatives
    • Efficient method for keeping track of and updating
      system profile metrics

  Diagram: Audit Data is compared with the System Profile;
  a Deviation leads to an Attack State, otherwise the
  profile is updated (Update Profile / Generate New Profile).
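The following is an added example, not code from the slides: a minimal profile-based anomaly detector of the kind slides 13 and 14 describe, followed by a count of the four cells of the anomaly-versus-misuse matrix from slide 11. It assumes one numeric feature per audit record (distinct files read per session), a per-user profile of that feature's running mean and standard deviation, and a deviation threshold of 3 standard deviations; the user name, the values and the ground-truth labels are constructed for illustration.

```python
"""Profile-based anomaly detection with a threshold, plus the four cells of
the anomaly-versus-misuse matrix.

Added example (not from the slides). Assumes one numeric feature per audit
record, here "distinct files read per session", and a per-user profile of
its running mean and standard deviation. User names, values and the
threshold are constructed for illustration.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Tuple


@dataclass
class Profile:
    """Running mean/variance (Welford's algorithm) so profiles update online."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self) -> float:
        return sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


def deviation(profile: Profile, x: float) -> float:
    """How many standard deviations x lies from the profile mean."""
    if profile.n < 2:
        return 0.0                      # no usable history yet: nothing to compare against
    if profile.std == 0.0:
        return 0.0 if x == profile.mean else float("inf")
    return abs(x - profile.mean) / profile.std


def detect(records: List[Tuple[str, float]], threshold: float = 3.0) -> List[bool]:
    """Flag each (user, value) record whose deviation exceeds the threshold.

    Flagged observations are NOT folded into the profile; otherwise an
    attacker could slowly train the profile toward the intrusive behaviour.
    """
    profiles: Dict[str, Profile] = {}
    flags = []
    for user, value in records:
        p = profiles.setdefault(user, Profile())
        flagged = deviation(p, value) > threshold
        flags.append(flagged)
        if not flagged:
            p.update(value)
    return flags


def confusion(flags: List[bool], intrusive: List[bool]) -> Dict[str, int]:
    """Count the cells of the anomaly-versus-misuse matrix."""
    cells = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for f, i in zip(flags, intrusive):
        if i and f:
            cells["tp"] += 1   # anomalous and intrusive: detected
        elif i:
            cells["fn"] += 1   # looks normal but intrusive
        elif f:
            cells["fp"] += 1   # anomalous but not intrusive
        else:
            cells["tn"] += 1
    return cells


# Constructed audit records for one user: files read per session, and
# whether each session was in fact intrusive (ground truth for evaluation).
RECORDS = [("alice", v) for v in (10, 12, 11, 9, 10, 11, 60, 12, 16, 11)]
INTRUSIVE = [False] * 6 + [True, False, False, True]


def run_example() -> Dict[str, int]:
    flags = detect(RECORDS, threshold=3.0)
    return confusion(flags, INTRUSIVE)


if __name__ == "__main__":
    print(run_example())   # {'tp': 1, 'fn': 1, 'fp': 1, 'tn': 7}
```

The sample run shows all four cells at once: the 60-file session is caught (true positive), the legitimate 16-file session is flagged (false positive), and the last intrusive session reads only 11 files and so looks normal (false negative). Raising the threshold trades the false positive for more false negatives, which is the tuning problem slide 14 refers to.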
15
Misuse Detection Techniques
  • Represent attacks in the form of a pattern or a
    signature (variations of the same attack can be
    detected)
  • Problem:
    • Cannot represent new (previously unseen) attacks

16
Misuse Detection Techniques
  • Expert Systems
  • Model-Based Reasoning
  • State Transition Analysis
  • Neural Networks

  Diagram: Audit Data and the System Profile, with Timing
  Information, are matched against the rules (Rule Match);
  a match leads to an Attack State, and the rule base is
  maintained through Modify Rules / Add New Rules.
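As an added example (not code from the slides), here is state transition analysis over an audit trail, the misuse technique listed on slide 16: an attack signature is a sequence of transitions, and a variable bound in an early step (the file path) constrains later steps, so variations of the same attack with different file names all match. The event format, the signature ("an unprivileged user writes a file that root later executes"), the one-hour window and the sample events are constructed for illustration.

```python
"""Misuse detection by state transition analysis over an audit trail.

Added example (not from the slides). Attack signatures are sequences of
transitions over audit events; variables bound in an early step (here the
file path) constrain later steps, so variations of the same attack with
different file names all match. The event format, the signature and the
sample events are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    t: int        # timestamp in seconds
    uid: int      # acting user id (0 = root)
    action: str   # "write", "exec", "chmod", ...
    obj: str      # object acted on (file path)


# A transition inspects one event plus the bindings collected so far and
# returns new bindings on a match, or None.
Transition = Callable[[Event, Dict], Optional[Dict]]


@dataclass
class Signature:
    name: str
    steps: List[Transition]
    window: int   # max seconds between the first and the last step


def unprivileged_write(ev: Event, b: Dict) -> Optional[Dict]:
    if ev.action == "write" and ev.uid != 0:
        return {"file": ev.obj, "writer": ev.uid, "t0": ev.t}
    return None


def root_exec_of_bound_file(ev: Event, b: Dict) -> Optional[Dict]:
    if ev.action == "exec" and ev.uid == 0 and ev.obj == b["file"]:
        return {"exec_t": ev.t}
    return None


TAMPERED_ROOT_SCRIPT = Signature(
    "root executes a file written by an unprivileged user",
    [unprivileged_write, root_exec_of_bound_file],
    window=3600,
)


def match(events: List[Event], sig: Signature) -> List[Tuple[str, Dict]]:
    """Run the signature's state machine over the events; return alerts."""
    partial: List[Tuple[int, Dict]] = []   # (next step index, bindings)
    alerts = []
    for ev in sorted(events, key=lambda e: e.t):
        survivors: List[Tuple[int, Dict]] = []
        for idx, b in partial + [(0, {})]:     # a fresh instance may start at any event
            if b and ev.t - b["t0"] > sig.window:
                continue                       # expired partial match
            if b:
                survivors.append((idx, b))     # keep waiting for later events too
            new = sig.steps[idx](ev, b)
            if new is None:
                continue
            merged = {**b, **new}
            if idx + 1 == len(sig.steps):
                alerts.append((sig.name, merged))
            else:
                survivors.append((idx + 1, merged))
        partial = survivors
    return alerts


# Constructed audit events.
EVENTS = [
    Event(100, 1001, "write", "/etc/cron.hourly/backup"),
    Event(200, 1001, "write", "/home/u1001/notes.txt"),
    Event(3700, 0, "exec", "/etc/cron.hourly/backup"),     # within window: alert
    Event(5000, 1002, "write", "/usr/local/bin/cleanup"),  # same attack, other file
    Event(5010, 0, "exec", "/usr/local/bin/cleanup"),      # alert (variation detected)
    Event(6000, 0, "exec", "/home/u1001/notes.txt"),       # write expired: no alert
    Event(7000, 1003, "chmod", "/etc/passwd"),             # no signature for this: silent
]


def run_example() -> List[Tuple[str, Dict]]:
    return match(EVENTS, TAMPERED_ROOT_SCRIPT)
```

The last event illustrates the limitation on slide 15: an activity with no signature produces no alert, however suspicious it is.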
17
Hybrid Misuse / Anomaly Detection
  • Anomaly and misuse detection approaches used together
  • Examples:
    • Browsing for "nuclear" is not misuse but might
      be anomalous
    • An administrator accessing sensitive files is not
      anomalous but might be misuse

18
Continuous System Health Monitoring
  • Detect intrusions by identifying suspicious
    changes in system-wide activities.
  • System health factors:
    • Performance
    • Use of system resources
  • Need: identify system-wide measurements

19
Intrusion Types
  • Doorknob rattling
  • Masquerade attacks
  • Diversionary Attack
  • Coordinated attacks
  • Chaining
  • Loop-back

20
Doorknob Rattling
  • Attack on an activity that is audited by the
    system (e.g., password guessing)
  • The number of attempts against each target is kept
    below the alarm threshold, so per-target counting
    does not trigger
  • Attacks continue until
    • all targets are covered, or
    • access is gained
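As an added example (not from the slides), the detection logic below shows why doorknob rattling defeats a per-target threshold and how aggregating failures per source across all targets catches it. The sshd-like log lines are constructed; the host names, addresses, per-target threshold of 5 failures and one-hour window are assumptions for illustration.

```python
"""Detecting doorknob rattling: failures spread across many targets so each
target stays below its own alarm threshold.

Added example (not from the slides). The log lines are constructed in an
sshd-like format; host names, addresses, the per-target threshold (5) and
the one-hour window are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

FAILED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)

Event = Tuple[datetime, str, str, str]   # (time, host, user, source)


def constructed_log() -> List[str]:
    """Attacker 203.0.113.5 makes 3 guesses at root on each of 6 hosts, 40 s apart;
    alice mistypes her password twice on host1, then logs in."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    t = base
    lines = []
    for h in range(1, 7):
        for _ in range(3):
            lines.append(f"{t.isoformat()} host{h} sshd: Failed password for root from 203.0.113.5")
            t += timedelta(seconds=40)
    lines += [
        f"{base.isoformat()} host1 sshd: Failed password for alice from 198.51.100.7",
        f"{(base + timedelta(seconds=15)).isoformat()} host1 sshd: Failed password for alice from 198.51.100.7",
        f"{(base + timedelta(seconds=30)).isoformat()} host1 sshd: Accepted password for alice from 198.51.100.7",
    ]
    return lines


def parse(lines: List[str]) -> List[Event]:
    """Keep only failed-password lines; successes do not count toward rattling."""
    out = []
    for ln in lines:
        m = FAILED.match(ln)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]))
    return out


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps falling inside any window-sized interval."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def per_target_alerts(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(hours=1)) -> Set[Tuple[str, str]]:
    """Naive rule: threshold failures from one source against ONE host. Misses rattling."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, host, _user, src in events:
        by_pair[(src, host)].append(ts)
    return {k for k, ts in by_pair.items() if max_in_window(ts, window) >= threshold}


def per_source_alerts(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(hours=1)) -> Dict[str, Tuple[int, List[str]]]:
    """Aggregate failures per source across ALL hosts; report count and targets hit."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    targets: Dict[str, Set[str]] = defaultdict(set)
    for ts, host, _user, src in events:
        by_src[src].append(ts)
        targets[src].add(host)
    return {src: (max_in_window(ts, window), sorted(targets[src]))
            for src, ts in by_src.items() if max_in_window(ts, window) >= threshold}


if __name__ == "__main__":
    ev = parse(constructed_log())
    print(per_target_alerts(ev))   # set(): every (source, host) pair stays under 5
    print(per_source_alerts(ev))   # {'203.0.113.5': (18, ['host1', 'host2', 'host3', 'host4', 'host5', 'host6'])}
```

The aggregated view needs the audit data from all targets in one place, which is the "integration of audit data in a network environment" issue from slide 10; a per-host sensor alone cannot see the pattern.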

21
Masquerading
  Diagram labels: Attacker, Legitimate user, Target 1,
  Target 2, "Login as X", "Change identity: I'm Y",
  "Login as Y". The attacker logs in to Target 1 as X,
  assumes the identity of the legitimate user Y, and
  logs in to Target 2 as Y.
22
Diversionary Attack
  • Create a diversion to draw attention away from the
    real target
  Diagram: several Fake attacks on other systems while
  the Real attack hits the TARGET.
23
Coordinated attacks
  • Multiple attack sources (Attacker 1, Attacker 2, ...)
    against one Target, maybe over an extended period
    of time
24
Chaining
  • The Attacker moves from place to place (through
    intermediate hosts) before reaching the Target, to
    hide the origin and make tracing more difficult
25
Intrusion Recovery
  • Actions to avoid further loss from the intrusion.
  • Terminate the intrusion and protect against
    reoccurrence.
  • Reconstructive methods based on:
    • Time period of the intrusion
    • Changes made by legitimate users during the
      affected period
  • Techniques: regular backups, audit-trail-based
    detection of affected components, semantic-based
    recovery, minimal roll-back for recovery.
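The following is an added example (not code from the slides) of the recovery ideas on slide 25: it uses the audit trail to find the components affected by an intrusion, including legitimate work that read tainted data, and then rolls back only those, replaying every other change on top of the last clean backup. The audit trail is modelled as transactions with explicit read and write sets; the users, objects, values and the intrusion window are constructed for illustration.

```python
"""Intrusion recovery from an audit trail: find the components affected by
an intrusion (including legitimate work that depended on tainted data) and
roll back only those, replaying the rest from the last clean backup.

Added example (not from the slides). The audit trail is modelled as
transactions with explicit read and write sets; the users, objects, values
and intrusion window are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Txn:
    t: int                                # time of the transaction
    user: str
    reads: Tuple[str, ...]                # objects read
    writes: Tuple[Tuple[str, str], ...]   # (object, new value) pairs


def find_affected(trail: List[Txn], intruder: str, start: int, end: int) -> Tuple[List[Txn], Set[str]]:
    """Taint every write of the intruder during [start, end] and, transitively,
    every later transaction that read a tainted object. A clean blind
    overwrite of a tainted object makes it clean again."""
    tainted_objs: Set[str] = set()
    tainted_txns: List[Txn] = []
    for tx in sorted(trail, key=lambda x: x.t):
        bad = (tx.user == intruder and start <= tx.t <= end) or any(r in tainted_objs for r in tx.reads)
        for obj, _ in tx.writes:
            if bad:
                tainted_objs.add(obj)
            else:
                tainted_objs.discard(obj)
        if bad:
            tainted_txns.append(tx)
    return tainted_txns, tainted_objs


def recover(trail: List[Txn], backup: Dict[str, str], tainted_txns: List[Txn]) -> Dict[str, str]:
    """Minimal roll-back: start from the backup and replay only clean transactions."""
    state = dict(backup)
    skip = set(tainted_txns)
    for tx in sorted(trail, key=lambda x: x.t):
        if tx in skip:
            continue
        for obj, value in tx.writes:
            state[obj] = value
    return state


# Constructed backup and audit trail; mallory is the intruder, active at t=2..4.
BACKUP = {"payroll": "v0", "config": "v0", "report": "v0", "notes": "v0"}
TRAIL = [
    Txn(1, "alice",   reads=(),           writes=(("notes", "alice-1"),)),
    Txn(2, "mallory", reads=(),           writes=(("payroll", "mallory-2"),)),  # intrusion
    Txn(3, "bob",     reads=("payroll",), writes=(("report", "bob-3"),)),      # depends on tainted data
    Txn(4, "mallory", reads=(),           writes=(("config", "mallory-4"),)),  # intrusion
    Txn(5, "alice",   reads=("notes",),   writes=(("notes", "alice-5"),)),     # unaffected: keep
    Txn(6, "carol",   reads=(),           writes=(("config", "carol-6"),)),    # clean overwrite
    Txn(7, "dave",    reads=("config",),  writes=(("report", "dave-7"),)),     # reads the clean config
    Txn(8, "erin",    reads=("payroll",), writes=(("notes", "erin-8"),)),      # after the window, still tainted
]


def run_example() -> Tuple[List[int], Set[str], Dict[str, str]]:
    tainted, objs = find_affected(TRAIL, intruder="mallory", start=2, end=4)
    return [tx.t for tx in tainted], objs, recover(TRAIL, BACKUP, tainted)
```

Compared with restoring the whole backup, this keeps alice's, carol's and dave's legitimate changes and undoes only the intruder's writes plus the two transactions (bob's and erin's) that read intruder-controlled data; note that erin's transaction is after the intrusion window yet still has to be rolled back.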