Intruders and Viruses - PowerPoint PPT Presentation

Provided by: hyo5
Slides: 40

1
Intruders and Viruses
  • Intruders
  • Password protection
  • Password selection strategies
  • Intrusion detection
  • Malicious Programs
  • The Nature of Viruses
  • Types of Viruses
  • Macro Viruses
  • Antivirus Approaches

2
Intruders
Intruders
  • Want to gain access to a system or to increase
    the range of privileges accessible on a system
  • Three classes of intruders
  • Masquerader
  • likely to be an outsider
  • penetrates a system's access controls to exploit
    a legitimate user's account
  • Misfeasor
  • generally an insider
  • performs unauthorized accesses to data, programs,
    or resources
  • misuses his or her privileges
  • Clandestine user
  • can be either an insider or an outsider
  • seizes supervisory control of the system and uses
    it to evade auditing and access controls or to
    suppress audit collection

3
Intrusion Techniques
Intruders
  • A user password or the password file is usually
    essential for an intrusion
  • Protection of the password file
  • One-way encryption: the system stores an
    encrypted form of the user's password and
    compares it with the encrypted output of the
    presented password
  • Access control: access to the password file is
    limited to one or a very few accounts

UNIX Password Scheme
4
Intrusion Techniques
Intruders
  • Techniques for learning passwords
  • Try default passwords used with standard accounts
    that are shipped with the system.
  • Exhaustively try all short passwords (1 to 3
    characters).
  • Try words in the system's on-line dictionary or a
    list of likely passwords.
  • Collect information about users (names, books,
    hobbies, etc.)
  • Try users' phone numbers, Social Security
    numbers, and room numbers.
  • Try all legitimate license plate numbers.
  • Use a Trojan horse.
  • Tap the line between a remote user and the host
    system.

5
Password Protection
Password Protection
  • Unix password scheme
  • Crypt(3)
  • 25 iterations of DES encryption
  • Salt
  • Related to the time at which the password is
    assigned
  • Prevents duplicate passwords from being visible
    in the password file
  • Effectively increases the length of the password
    (by 2 characters)
  • Prevent the use of a hardware implementation of
    DES, which would ease the difficulty of a
    brute-force guessing attack
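The salting idea on this slide, as an added example (not code from the presentation): each stored entry carries its own random salt next to a one-way digest, so two users with the same password get different entries and an attacker cannot precompute one table for everyone. DES is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for the 25-round DES of crypt(3); that substitution, the iteration count and the salt length are assumptions of this example, the store-and-verify logic is what the slide describes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the slides: the crypt(3) scheme combines the
# password with a salt and runs a slow one-way function (25 DES iterations).
# DES is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in
# for it (an assumption); the salting logic is the point being shown.
ITERATIONS = 100_000   # slow on purpose, as the 25 DES rounds were meant to be
SALT_BYTES = 12        # 96-bit salt; the original crypt(3) salt was only 12 bits


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the stored form 'salthex$digesthex'; a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # The salt is stored in the clear next to the digest, exactly as crypt(3) does.
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare it in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_distinct_entries(password: str) -> bool:
    """Two users who pick the same password get different file entries thanks to the salt."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    entry = hash_password("correct horse battery")
    print(entry)
    print(verify_password("correct horse battery", entry))   # True
    print(verify_password("wrong guess", entry))             # False
    print(same_password_distinct_entries("hunter2"))         # True
```

The verifier never decrypts anything: it recomputes the one-way function on the presented password with the stored salt and compares digests, which is exactly the "compares it with the encrypted output of the presented password" step above.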

6
Unix Password Scheme Example
Password Protection
  • username:passwd:UID:GID:full_name:directory:shell

  username   The user name
  passwd     The encoded password
  last       Days since Jan 1, 1970 that password was last changed
  may        Days before password may be changed
  must       Days after which password must be changed
  warn       Days before password is to expire that user is warned
  expire     Days after password expires that account is disabled
  disable    Days since Jan 1, 1970 that account is disabled
  reserved   A reserved field
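A parser for the two record layouts on this slide, added here as an example (it is not part of the presentation). It splits the 7-field password line and a colon-separated aging line carrying the fields listed above, and evaluates the aging policy for a given day counted from Jan 1, 1970. The sample lines, the placeholder hash and the assumption that the aging fields follow username and passwd in that order are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not from the slides. It parses the 7-field password line and the
# aging fields listed above (last, may, must, warn, expire, disable, reserved),
# assuming those aging fields follow username and passwd in a colon-separated
# line. Sample lines below are constructed; the hash is a placeholder.

SAMPLE_PASSWD = "alice:x:1001:1001:Alice Example:/home/alice:/bin/sh"
SAMPLE_SHADOW = "alice:$PLACEHOLDER_HASH$:19000:0:90:7:14:19500:"


@dataclass
class PasswdEntry:
    username: str
    passwd: str
    uid: int
    gid: int
    full_name: str
    directory: str
    shell: str


@dataclass
class AgingEntry:
    username: str
    passwd: str
    last: Optional[int]     # days since 1970-01-01 that password was last changed
    may: Optional[int]      # days before password may be changed
    must: Optional[int]     # days after which password must be changed
    warn: Optional[int]     # days before expiry that the user is warned
    expire: Optional[int]   # days after expiry that the account is disabled
    disable: Optional[int]  # days since 1970-01-01 that the account is disabled
    reserved: str


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_passwd_line(line: str) -> PasswdEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    return PasswdEntry(fields[0], fields[1], int(fields[2]), int(fields[3]),
                       fields[4], fields[5], fields[6])


def parse_aging_line(line: str) -> AgingEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    return AgingEntry(fields[0], fields[1], *(_int_or_none(f) for f in fields[2:8]), fields[8])


def password_status(entry: AgingEntry, today_days: int) -> str:
    """Classify the account on a given day (days since 1970-01-01) using the aging fields."""
    if entry.disable is not None and today_days >= entry.disable:
        return "account disabled"
    if entry.last is None or entry.must is None:
        return "ok"                          # no aging policy on this account
    age = today_days - entry.last
    if entry.expire is not None and age > entry.must + entry.expire:
        return "account disabled"            # stayed expired past the grace period
    if age > entry.must:
        return "password expired"
    if entry.warn is not None and age >= entry.must - entry.warn:
        return "warning"
    return "ok"


if __name__ == "__main__":
    print(parse_passwd_line(SAMPLE_PASSWD))
    aging = parse_aging_line(SAMPLE_SHADOW)
    for day in (19050, 19085, 19095, 19110, 19500):
        print(day, password_status(aging, day))
```

With last = 19000, must = 90, warn = 7 and expire = 14, the sample account is fine at day 19050, warned from day 19083, expired after day 19090 and disabled once the 14-day grace period has passed or the absolute disable day 19500 is reached.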
7
Password Protection
Password Protection
  • The vulnerability of Passwords
  • Two threats to the UNIX password scheme
  • Gaining access to a machine and then running a
    password guessing program on that machine with
    little resource consumption
  • Obtaining a copy of the password file, so that a
    cracker program can be run on another machine
  • Not yet feasible to use a brute-force technique
    of trying all possible combinations of characters
  • Passwords must NOT be too short, NOT be too easy
    to guess
  • Access Control
  • Denies the opponent access to the password file
  • Has several flaws
  • Many systems are susceptible to unanticipated
    break-ins
  • An accident of protection might render the
    password file readable
  • Some users use the same password on other machines

8
Password Selection Strategies
Password Selection Strategies
  • Eliminate guessable passwords, while allowing
    memorable passwords
  • Four basic techniques
  • User education
  • Ignoring guidelines, misunderstanding what a
    strong password is
  • Computer-generated passwords
  • Hard to remember even if they are pronounceable
  • Reactive password checking
  • The system periodically runs its password cracker
    to find guessable passwords
  • Resource intensive
  • Unchecked passwords remain vulnerable
  • Proactive password checking
  • When a user selects his or her own password, the
    system checks to see if the password is allowable

9
Proactive Password Checking
Password Selection Strategies
  • Rule enforcement
  • All passwords must be at least eight characters
    long
  • In the first eight characters, the passwords must
    include at least one each of uppercase,
    lowercase, numeric digits, and punctuation marks
  • Compiling a large dictionary of bad passwords
  • When a user selects a password, the system checks
  • Large space (storage) and time consumption
  • Two techniques for developing an effective and
    efficient password checker
  • Markov model
  • Bloom filter
  • Both are based on rejecting words on a list and show promise

10
Markov Model
Password Selection Strategies
  • [m, A, T, k] where
  • m: number of states
  • A: state space
  • T: matrix of transition probabilities
  • k: order of the model
  • probability depends on the previous k
    characters

Example
11
2nd order Markov Model
Password Selection Strategies
  • Calculating transition matrix
  • When a dictionary of guessable passwords is
    constructed
  • Determine the frequency matrix f(i,j,k), which is
    the number of occurrences of the trigram
    consisting of the ith, jth, and kth characters
  • For each bigram ij, calculate f(i,j,∞) as the
    total number of trigrams beginning with ij
  • Compute the entries of T: T(i,j,k) = f(i,j,k)
    / f(i,j,∞)
  • T reflects the structure of the words in the
    dictionary
  • Is this a bad password? → Was this password
    generated by this model?
  • Passwords likely to be generated by the model are
    rejected.
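The transition-matrix calculation on this slide, carried through in code as an added example (not code from the presentation): build f(i,j,k) and f(i,j,∞) from a dictionary of guessable passwords, derive T, then score a candidate by the average log transition probability over its trigrams. The dictionary, the floor probability for unseen trigrams and the rejection threshold are assumptions constructed for this example.

```python
import math
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Added example, not from the slides. The dictionary of guessable passwords below is
# constructed; the floor for unseen trigrams and the rejection threshold are
# assumptions chosen for this toy data.

GUESSABLE = ["password", "passport", "passage", "passes", "pasta", "master", "basket", "castle"]

Trigram = Tuple[str, str, str]


def trigram_frequencies(words: Iterable[str]) -> Dict[Trigram, int]:
    """f(i,j,k): how often the trigram i,j,k occurs in the dictionary."""
    f: Dict[Trigram, int] = defaultdict(int)
    for w in words:
        for n in range(len(w) - 2):
            f[(w[n], w[n + 1], w[n + 2])] += 1
    return dict(f)


def bigram_totals(f: Dict[Trigram, int]) -> Dict[Tuple[str, str], int]:
    """f(i,j,∞): total number of trigrams beginning with the bigram i,j."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for (i, j, _k), count in f.items():
        totals[(i, j)] += count
    return dict(totals)


def transition_matrix(words: Iterable[str]) -> Dict[Trigram, float]:
    """T(i,j,k) = f(i,j,k) / f(i,j,∞): probability that k follows the bigram i,j."""
    f = trigram_frequencies(words)
    totals = bigram_totals(f)
    return {(i, j, k): count / totals[(i, j)] for (i, j, k), count in f.items()}


def mean_log_prob(T: Dict[Trigram, float], candidate: str, floor: float = 1e-4) -> float:
    """Average log T over the candidate's trigrams; unseen trigrams get a small floor probability."""
    trigrams = [(candidate[n], candidate[n + 1], candidate[n + 2]) for n in range(len(candidate) - 2)]
    if not trigrams:
        return math.log(floor)
    return sum(math.log(T.get(t, floor)) for t in trigrams) / len(trigrams)


def likely_generated(T: Dict[Trigram, float], candidate: str, threshold: float = -2.0) -> bool:
    """Reject (True) when the model would plausibly have generated the candidate."""
    return mean_log_prob(T, candidate) > threshold


if __name__ == "__main__":
    T = transition_matrix(GUESSABLE)
    for word in ("password", "passable", "xq7!zM2p"):
        print(word, round(mean_log_prob(T, word), 3), "reject" if likely_generated(T, word) else "accept")
```

With this dictionary every "pa" is followed by "s", so T(p,a,s) = 1, while "as" splits 4:3:1 between "s", "t" and "k". A word built from those frequent trigrams scores close to 0 and is rejected; a string of unseen trigrams scores near log(floor) and is accepted.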

12
Approach Using Bloom Filter
Password Selection Strategies
  • Order of the Bloom filter: the number of independent
    hash functions, where each function maps a
    password into a hash value
  • Hash function
  • Procedure applied to the dictionary
  • A hash table of N bits with all bits initially
    set to 0
  • For each password, its k hash values are
    calculated, and the corresponding bits in the
    hash table are set to 1
  • If the bit already has the value 1, it remains at
    1

13
Approach Using Bloom Filter
Password Selection Strategies
  • Password checking
  • k hash values are calculated for the presented
    password
  • If all corresponding bits of the hash table are
    equal to 1 → reject
  • Possible existence of FALSE POSITIVES
  • H1(understand) = 25, H2(understand) = 998
    H1(hulkmask) = 83, H2(hulkmask) = 665
    H1(xGjj84) = 665, H2(xGjj84) = 998 → rejected
  • To minimize false positives
  • The probability of a false positive

14
Performance of Bloom Filter
Password Selection Strategies
  • Number of words in the dictionary: 1 million
    words (10^6); probability of false positive: 0.01
  • If 6 hash functions, R = 9.6 → hash table of
    9.6 × 10^6 bits (1.2 MB)
  • Storing the entire dictionary: on the order of 8 MB
  • Advantages
  • Compression factor of 7
  • Password checking
  • involves straightforward calculation of 6
    hash functions
  • is independent of the size of the dictionary
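A proactive password checker that puts slides 9 and 12 to 14 together, added here as an example (not code from the presentation): it enforces the two rules from slide 9 (at least eight characters; upper, lower, digit and punctuation within the first eight), then consults a Bloom filter built from a dictionary of bad passwords. The sizing function solves P = (1 - e^(-k/R))^k for R, which gives the R = 9.6 and 1.2 MB figures above for k = 6 and P = 0.01. The dictionary is constructed, and the k hash functions are derived from SHA-256 with a per-function prefix, an assumption of this example rather than the H1, H2 of the lecture's illustration.

```python
import hashlib
import math
import string
from typing import Iterable, List

# Added example, not from the slides: a proactive checker that enforces the two rules
# from slide 9 and then consults a Bloom filter built from a dictionary of bad
# passwords. The dictionary is constructed; the hash functions H1..Hk are derived
# from SHA-256 (an assumption, not the functions used in the lecture's example).

BAD_PASSWORDS = ["password", "understand", "hulkmask", "letmein", "qwerty123",
                 "Welcome1!", "P@ssw0rd", "Admin123!"]


def bits_per_word(k: int, p: float) -> float:
    """R = N/D giving false-positive probability p with k hashes: P = (1 - e^(-k/R))^k."""
    return -k / math.log(1.0 - p ** (1.0 / k))


def false_positive_rate(k: int, r: float) -> float:
    return (1.0 - math.exp(-k / r)) ** k


class BloomFilter:
    def __init__(self, n_bits: int, k: int) -> None:
        self.n_bits, self.k = n_bits, k
        self.table = bytearray((n_bits + 7) // 8)   # all bits start at 0

    def _positions(self, word: str) -> List[int]:
        # H_i(word): the i-th hash maps the word to one bit index
        out = []
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{word}".encode("utf-8")).digest()
            out.append(int.from_bytes(h[:8], "big") % self.n_bits)
        return out

    def add(self, word: str) -> None:
        for pos in self._positions(word):
            self.table[pos // 8] |= 1 << (pos % 8)   # a bit already at 1 stays at 1

    def might_contain(self, word: str) -> bool:
        return all(self.table[pos // 8] >> (pos % 8) & 1 for pos in self._positions(word))


def build_filter(words: Iterable[str], k: int = 6, p: float = 0.01) -> BloomFilter:
    words = list(words)
    n_bits = math.ceil(bits_per_word(k, p) * len(words))
    bf = BloomFilter(n_bits, k)
    for w in words:
        bf.add(w)
    return bf


def rule_violation(password: str) -> str:
    """Return '' when both slide-9 rules hold, otherwise the rule that failed."""
    if len(password) < 8:
        return "shorter than eight characters"
    head = password[:8]
    classes = (
        any(c.isupper() for c in head), any(c.islower() for c in head),
        any(c.isdigit() for c in head), any(c in string.punctuation for c in head),
    )
    if not all(classes):
        return "first eight characters lack upper, lower, digit or punctuation"
    return ""


def proactive_check(password: str, bf: BloomFilter) -> str:
    problem = rule_violation(password)
    if problem:
        return "rejected: " + problem
    if bf.might_contain(password):
        return "rejected: in dictionary (or Bloom false positive)"
    return "accepted"


if __name__ == "__main__":
    r = bits_per_word(6, 0.01)
    print(f"k=6, P=0.01 -> R={r:.1f}, table for 10^6 words = {r * 1e6 / 8 / 1e6:.1f} MB")
    bf = build_filter(BAD_PASSWORDS)
    for pw in ("short", "alllowercase123", "P@ssw0rd", "Tr0ub4d&r-xyzzy"):
        print(pw, proactive_check(pw, bf))
```

The filter can only say "possibly in the dictionary", never "definitely not in it", which is why the rejection message names the false-positive case; with R = 9.6 and k = 6 about 1 in 100 good passwords is turned away, the price the slide's compression factor of 7 is paid with.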

15
Intrusion Detection
Intrusion Detection
  • A system's second line of defense
  • The intruder can be identified and ejected from
    the system.
  • An effective intrusion detection can prevent
    intrusion.
  • The collection of information about intrusion
    techniques can be used to strengthen the
    intrusion prevention facility.
  • Assumes that the behavior of the intruder differs
    from that of a legitimate user
  • There can be false positives and false
    negatives

16
Intrusion Detection
Intrusion Detection
  • Approaches to intrusion detection
  • Statistical anomaly detection: collecting data
    on behavior of legitimate users over a period of
    time
  • Threshold detection: defining thresholds for the
    frequency of occurrence of various events
    (independent of user)
  • Profile based: using a profile of the activity
    of each user to detect changes in the behavior of
    individual accounts
  • Rule-based detection: defining a set of rules to
    decide that a given behavior is that of an
    intruder
  • Anomaly detection: rules are developed to detect
    deviation from previous usage patterns
  • Penetration identification: an expert system
    searches for suspicious behavior
  • The statistical approach defines normal, or
    expected, behavior; the rule-based approach
    defines proper behavior

17
Audit Records
Intrusion Detection
  • Records of ongoing activity used as input to an
    intrusion detection system
  • Native audit records
  • accounting software collects information on user
    activity (no additional collection software)
  • Detection-specific audit records
  • a collection facility collects information
    required by the intrusion detection system
  • Ex) subject, action, object, exception-condition,
    resource-usage, time stamp

18
Statistical Anomaly Detection
Intrusion Detection
  • Threshold detection
  • Counting the number of occurrences of a specific
    event type over an interval of time
  • If the count surpasses threshold, then intrusion
    is assumed
  • Variability across users → many false
    positives and false negatives
  • Profile-based system
  • Characterizing the past behavior of individual
    users or related groups of users
  • determine the activity profile of the average
    user by analyzing audit records over a period of
    time
  • Detecting significant deviations
  • current audit records are used
  • Mean and std., multivariate, Markov process, time
    series, etc.

19
Rule-Based Intrusion Detection
Intrusion Detection
  • Observe events in the system → apply rules
  • Rule-based anomaly detection
  • Analyze historical audit records → automatically
    generate rules
  • Rules represent past behavior patterns of users,
    programs, privileges, time slots, terminals, and
    so on.
  • Then observe current behavior
  • Rule-based penetration identification
  • Use rules to identify suspicious behavior, known
    penetrations or penetrations that would exploit
    known weaknesses.
  • Rules are generated by experts
  • Ex) assign degrees of suspicion to activities
  • Users should not read files in other users
    personal directories.
  • Users who log in after hours often access the
    same file they used earlier.
  • Users do not make copies of system programs.
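The three detection styles from slides 18 and 19 run over one set of audit records, as an added example (not code from the presentation): threshold detection counts one event type inside a sliding time window, profile-based detection compares today's activity count against each user's own mean and standard deviation, and rule-based penetration identification assigns degrees of suspicion using the three example rules listed above. The records follow the field order from slide 17 (subject, action, object, exception-condition, resource-usage, time stamp) and are constructed; the thresholds, the z-score limit and the suspicion weights are assumptions chosen for this sample.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Added example, not from the slides. The audit records below are constructed in the
# field order the slides list (subject, action, object, exception-condition,
# resource-usage, time stamp); thresholds, the z-score limit and the suspicion
# weights are assumptions chosen for this sample.

AUDIT_LOG = """\
alice,login_fail,host1,bad_password,0,2024-03-01T08:01:00
alice,login_fail,host1,bad_password,0,2024-03-01T08:01:20
alice,login_fail,host1,bad_password,0,2024-03-01T08:01:40
alice,login_fail,host1,bad_password,0,2024-03-01T08:02:00
alice,login_fail,host1,bad_password,0,2024-03-01T08:02:10
alice,login,host1,none,0,2024-03-01T08:03:00
alice,read,/home/bob/notes.txt,none,1,2024-03-01T23:15:00
alice,copy,/bin/sh,none,2,2024-03-01T23:16:00
bob,read,/home/bob/report.txt,none,1,2024-03-01T09:00:00
"""

# Constructed per-user history: commands issued per day over the last five days.
HISTORY = {"alice": [40, 45, 42, 38, 44], "bob": [10, 12, 11, 9, 13]}
TODAY = {"alice": 120, "bob": 11}


def parse_audit(text: str) -> List[dict]:
    names = ["subject", "action", "object", "exception", "resource", "time"]
    records = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=names):
        row["time"] = datetime.fromisoformat(row["time"])
        records.append(row)
    return records


def threshold_alerts(records, action: str, threshold: int, window_minutes: int) -> List[str]:
    """Threshold detection: subjects with >= threshold events of `action` inside any window."""
    window = timedelta(minutes=window_minutes)
    times: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        if r["action"] == action:
            times[r["subject"]].append(r["time"])
    alerts = []
    for subject, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(subject)
                break
    return alerts


def profile_alerts(history, today, z_limit: float = 3.0) -> Dict[str, float]:
    """Profile-based detection: flag users whose count today deviates from their own mean."""
    flagged = {}
    for user, counts in history.items():
        mean, sd = statistics.mean(counts), statistics.pstdev(counts)
        z = (today[user] - mean) / sd if sd > 0 else 0.0
        if abs(z) > z_limit:
            flagged[user] = round(z, 2)
    return flagged


def suspicion_score(r: dict) -> int:
    """Rule-based penetration identification: degrees of suspicion per record."""
    score = 0
    parts = r["object"].split("/")
    if len(parts) > 2 and parts[1] == "home" and parts[2] != r["subject"] and r["action"] == "read":
        score += 5       # reading in another user's personal directory
    if r["action"] == "copy" and r["object"].startswith(("/bin/", "/usr/bin/")):
        score += 3       # copying a system program
    if r["time"].hour >= 22 or r["time"].hour < 6:
        score += 1       # activity after hours
    return score


def rule_alerts(records, min_score: int) -> Dict[str, int]:
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        totals[r["subject"]] += suspicion_score(r)
    return {s: v for s, v in totals.items() if v >= min_score}


if __name__ == "__main__":
    recs = parse_audit(AUDIT_LOG)
    print(threshold_alerts(recs, "login_fail", 4, 5))   # ['alice']
    print(profile_alerts(HISTORY, TODAY))               # alice only
    print(rule_alerts(recs, 5))                         # {'alice': 10}
```

The same records trip all three detectors for different reasons: five failed logins inside a five-minute window (threshold), a daily command count roughly thirty standard deviations above alice's own profile, and a suspicion total of 10 from reading in bob's home directory and copying a system program after hours. bob's own reads of his own files score zero, which is the point of rules written per subject.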

20
Distributed Intrusion Detection
Intrusion Detection
  • Example
  • Host agent module
  • Collects data on security-related events and
    transmits them to the central manager
  • LAN monitor agent module
  • Same as a host agent module except that it
    analyzes LAN traffic and reports to the central
    manager
  • Central manager module
  • Receives reports from LAN monitor and host agents
  • Processes and correlates these reports to detect
    intrusion

21
Distributed Intrusion Detection
Intrusion Detection
  • Agent
  • analyze records for suspicious activity

22
Intruders and Viruses (2)
  • Malicious Programs
  • The Nature of Viruses
  • Types of Viruses
  • Macro Viruses
  • Antivirus Approaches

23
Malicious Programs (1)
  • Viruses have the ability to replicate themselves
  • Other Malicious programs may be installed by hand
    on a single machine. They may also be built into
    widely distributed commercial software packages.
  • (Trojan Horse, Trap Doors and Logic Bombs)

24
Malicious Programs (2)
  • Taxonomy of Malicious Programs

25
Malicious Programs (3)
  • Trap doors
  • A trap door is a secret entry point into a
    program that allows someone that is aware of the
    trap doors to gain access without going through
    the usual security access procedures.
  • They have been used legitimately for many years
    by programmers to debug and test programs.
  • It is code that recognizes some special sequence
    of input or is triggered by being run from a
    certain user ID or by an unlikely sequence of
    events.
  • They become threats when they are used by
    unscrupulous programmers to gain unauthorized
    access.
  • It is difficult to implement operating system
    controls for trap doors
  • Logic Bomb
  • It is code embedded in some legitimate program
    that is set to explode when certain conditions
    are met.
  • Examples of conditions are the presence or
    absence of certain files, a particular day of the
    week or date, or a particular user running the
    application.

26
Malicious Programs (4)
  • Trojan Horses
  • It is a useful program or command procedure
    containing hidden code that, when invoked,
    performs some unwanted or harmful function.
  • It can be used to accomplish functions indirectly
    that an unauthorized user could not accomplish
    directly.
  • Another common motivation for the Trojan horse is
    data destruction.
  • Viruses
  • It is a program that can infect other programs
    by modifying them.
  • A virus carries in its instructional code the
    recipe for making perfect copies of itself.
  • The infection can be spread from computer to
    computer by unsuspecting users
  • In a network environment, the ability to access
    applications and system services on other
    computers provides a perfect culture for the
    spread of a virus.

27
Malicious Programs (5)
  • Worm
  • A program that replicates itself across the
    network using one of the following vehicles
  • Electronic mail facility
  • Remote execution capability
  • Remote login capability
  • It exhibits the same characteristics as a
    computer virus
  • The propagation phase performs the following
    functions
  • Search for other systems to infect by examining
    host tables
  • Establish a connection with a remote system.
  • Copy itself to the remote system and cause the
    copy to be run.
  • It may also disguise its presence by naming
    itself as a system process or using some other
    name that may not be noticed by a system
    operator.
  • Bacteria
  • It replicates until it fills all disk space or
    CPU cycles.

28
The Nature of Viruses (1)
  • During its lifetime, a typical virus goes through
    the following four stages
  • Dormant phase: The virus is idle
  • Propagation phase: The virus places an identical
    copy of itself into other programs or into
    certain system areas on the disk.
  • Triggering phase: The virus is activated to
    perform the function for which it was intended.
  • Execution phase: The function is performed.

29
The Nature of Viruses (2)
  • Virus Structure

  program V :=
    goto main;
    1234567;

    subroutine infect-executable :=
      loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567)
          then goto loop
          else prepend V to file;

    subroutine do-damage :=
      whatever damage is to be done

    subroutine trigger-pulled :=
      return true if some condition holds

  main: main-program :=
    infect-executable;
    if trigger-pulled then do-damage;
    goto next;

  next:

- A simple virus - This virus is easily detected
because an infected version of a program is
longer than the corresponding uninfected one
30
The Nature of Viruses (3)
  program CV :=
    goto main;
    01234567;

    subroutine infect-executable :=
      loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567) then goto loop;
        (1) compress file;
        (2) prepend CV to file;

  main: main-program :=
    if ask-permission then infect-executable;
    (3) uncompress rest-of-file;
    (4) run uncompressed file;
    goto next;

  next:

- A compression virus - A way to thwart a means
of detecting a simple virus is to compress the
executable file so that both the infected and
uninfected versions are of identical length.
31
The Nature of Viruses (4)
32
The Nature of Viruses (5)
  • Initial Infection
  • Viral infection can be completely prevented by
    preventing the virus from gaining entry in the
    first place. → extraordinarily difficult
  • Most viral infections initiate with a disk from
    which programs are copied onto a machine.
  • disks that have games or simple utilities
    that employees obtain for their home computers
  • disks from the manufacturer of an application
  • across a network connection

33
Types of Viruses
  • Parasitic virus
  • it attaches itself to executable files and
    replicates.
  • Memory-resident virus
  • Lodges in main memory as part of a resident
    system program.
  • Boot sector virus
  • Infects a master boot record or boot record.
  • Stealth virus
  • A form of virus explicitly designed to hide
    itself from detection by antivirus software.
  • Polymorphic virus
  • A virus that mutates with every infection.

34
Macro Viruses
  • Microsoft Office applications allow macros to be
    part of the document. The macro could run
    whenever the document is opened, or when a
    certain command is selected.
  • It is platform independent.
  • It infects documents and deletes files
  • Autoexecuting macros
  • Autoexecute
  • Automacro
  • Command macro

35
Antivirus Approaches (1)
  • First generation (simple scanners)
  • searched files for any of a library of known
    virus signatures.
  • checked executable files for length change.
  • Second generation (heuristic scanners)
  • use heuristic rules to search for probable virus
    infection
  • Checked files for checksum or hash changes.
  • Third generation (activity traps)
  • memory-resident programs that identify a virus by
    its actions
  • Fourth generation (full-featured protection)
  • combine the best of the techniques above.
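The first- and second-generation checks above, side by side as an added example (not code from the presentation): a signature search and a length comparison catch the simple prepending virus of slide 29, while a stored hash also catches the compression virus of slide 30, whose infected file keeps the original length. The "files" are an in-memory dictionary so the example runs offline; their contents and the signature library are constructed.

```python
import hashlib
from typing import Dict, List, Tuple

# Added example, not from the slides: a first-generation check (signature search and
# length change) beside the second-generation check (hash change). "Files" are an
# in-memory dict so the example runs offline; contents and the signature are constructed.

CLEAN_FILES: Dict[str, bytes] = {
    "ls": b"\x7fELF-constructed-ls-binary-0001",
    "cat": b"\x7fELF-constructed-cat-binary-0002",
    "sh": b"\x7fELF-constructed-sh-binary-00003",
}
SIGNATURES = {"demo-marker": b"CONSTRUCTED-VIRUS-MARKER"}   # constructed signature library


def scan_signatures(files: Dict[str, bytes], signatures: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """First generation: report files containing any known signature."""
    return [(name, sig_name) for name, data in files.items()
            for sig_name, sig in signatures.items() if sig in data]


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record (length, SHA-256) for every file while the system is known clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}


def detect_changes(files: Dict[str, bytes], baseline: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Length check catches a simple prepending virus; the hash also catches same-length changes."""
    findings = []
    for name, data in files.items():
        if name not in baseline:
            findings.append((name, "new file, no baseline"))
            continue
        length, digest = baseline[name]
        if len(data) != length:
            findings.append((name, "length changed"))
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append((name, "same length, hash changed"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_FILES)
    later = dict(CLEAN_FILES)
    later["ls"] = SIGNATURES["demo-marker"] + later["ls"]   # something prepended: longer
    later["sh"] = later["sh"][:-5] + b"XXXXX"                # same length, content altered
    print(scan_signatures(later, SIGNATURES))   # [('ls', 'demo-marker')]
    print(detect_changes(later, baseline))      # ls: length changed; sh: same length, hash changed
```

The baseline must be taken while the files are known clean and kept where the checked files cannot rewrite it; a hash is only as trustworthy as the copy it is compared against.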

36
Antivirus Approaches (2)
  • Advanced Antivirus Techniques
  • Generic Decryption (GD)
  • Digital Immune System

37
Antivirus Approaches (3)
  • Generic Decryption (GD)
  • CPU emulator
  • A software-based virtual computer.
  • Instructions are interpreted by the emulator
  • The underlying processor is unaffected by
    programs
  • Virus signature scanner
  • A module that scans the target code looking for
    known virus signatures.
  • Emulation control module
  • Controls the execution of the target code.
  • How long to run each interpretation.

38
Antivirus Approaches (4)
  • Digital Immune System
  • It is a comprehensive approach to virus
    protection developed by IBM
  • The objective of this system is to provide rapid
    response time so that viruses can be stamped out
    almost as soon as they are introduced

39
Antivirus Approaches (5)