Computer Security CS433 Chapter 8 Intrusion Detection PDF

Summary

This document details computer security concepts, including intruder behavior, intrusion detection, and different types of intrusion attacks. The document examines the various types of intruders, like cyber criminals and activists, and provides examples of intrusion attacks. It also introduces basic definitions within the context of intrusion detection.

Full Transcript

Computer Security CS433, Chapter 8: Intrusion Detection (Diyala Alturki)

Objectives
- Distinguish among various types of intruder behavior patterns.
- Understand the basic principles of and requirements for intrusion detection.
- Discuss the key features of host-based intrusion detection.
- Explain the concept of distributed host-based intrusion detection.
- Discuss the key features of network-based intrusion detection.
- Define the intrusion detection exchange format.
- Explain the purpose of honeypots.

Intruders
One of the key threats to security is the use of some form of hacking by an intruder, often referred to as a hacker or cracker.
Types of intruders:
- Cyber criminals: Either individuals or members of an organized crime group with a goal of financial reward. Their activities may include identity theft, theft of financial credentials, corporate espionage, data theft, or data ransoming.
- Activists: Either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes. They are also known as hacktivists.
- State-sponsored organizations: Groups of hackers sponsored by governments to conduct espionage or sabotage activities. They are also known as Advanced Persistent Threats (APTs).
- Others: Hackers with motivations other than those listed above, including classic hackers or crackers who are motivated by technical challenge or by peer-group esteem and reputation.

Examples of Intrusion Attacks
- Performing a remote root compromise of an e-mail server
- Defacing a Web server
- Guessing and cracking passwords
- Copying a database containing credit card numbers
- Viewing sensitive data, including payroll records and medical information, without authorization
- Running a packet sniffer on a workstation to capture usernames and passwords
- Using a permission error on an anonymous FTP server to distribute pirated software and music files
- Dialing into an unsecured modem and gaining internal network access
- Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password
- Using an unattended, logged-in workstation without permission

Intruder Behavior
- Target Acquisition and Information Gathering: The attacker identifies and characterizes the target systems using publicly available information.
- Initial Access: The initial access to a target system, typically by exploiting a remote network vulnerability, by guessing weak authentication credentials used in a remote service, or via the installation of malware on the system using some form of social engineering or drive-by-download attack.
- Privilege Escalation: Actions taken on the system, typically via a local access vulnerability, to increase the privileges available to the attacker to enable their desired goals on the target system.
- Information Gathering or System Exploit: Actions by the attacker to access or modify information or resources on the system, or to navigate to another target system.
- Maintaining Access: Actions such as the installation of backdoors or other malicious software to enable continued access by the attacker after the initial attack.

Intrusion Detection - Definitions
- Security Intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
- Intrusion Detection: A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
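The definition of intrusion detection just given (monitor and analyze system events, give real-time or near real-time warning) and the "guessing and cracking passwords" attack from the examples list can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the course or the textbook: the auth-log lines are constructed sshd-style samples, the policy of four failures within one minute is an assumed threshold, and the alert dictionary is a simplified structure of my own rather than the IDMEF format.

```python
"""Minimal host-based IDS: a sensor turns auth-log lines into events and an analyzer
flags password guessing. Added example for this page; not code from the course."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sensor input in Linux auth.log style (not real data).
SAMPLE_LOG = """\
Mar  3 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar  3 10:00:04 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:00:06 host1 sshd[2004]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar  3 10:00:08 host1 sshd[2005]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 10:00:09 host1 sshd[2006]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar  3 10:05:00 host1 sshd[2100]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:30:00 host1 sshd[2200]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:31:00 host1 CRON[2300]: pam_unix(cron:session): session opened for user root
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_line(line, year=2024):
    """Sensor side: turn one raw log line into an event, or None if it is not an sshd login record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumed 2024 for the sample).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def analyze(lines, threshold=4, window=timedelta(minutes=1)):
    """Analyzer side: alert when one source accumulates `threshold` failed logins inside
    `window`, and raise a higher-severity alert if that same source then logs in successfully."""
    failures = defaultdict(list)   # source address -> timestamps of recent failed logins
    flagged = set()                # sources already alerted on, so one burst yields one alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            # Sliding window evaluated against this event's time, not a fixed clock tick.
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"time": ev["ts"], "source": src, "target_user": ev["user"],
                               "classification": "password guessing", "severity": "medium",
                               "count": len(failures[src])})
        elif src in flagged:
            # A success from a source already guessing is the event that needs an immediate response.
            alerts.append({"time": ev["ts"], "source": src, "target_user": ev["user"],
                           "classification": "successful login after password guessing",
                           "severity": "high", "count": len(failures[src])})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the analyzer produces exactly two alerts, both for 203.0.113.7: a medium one at the fourth failure and a high one when the later "Accepted password" arrives; the single failure from 198.51.100.4 followed by a key-based login half an hour later produces nothing, and the CRON line is ignored by the sensor because it is not an sshd login record.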
Intruder Behavior (continued)
- Covering Tracks: The attacker disables or edits audit logs to remove evidence of attack activity.

What components does an IDS comprise?
An IDS comprises three logical components:
- Sensors: Sensors are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion, e.g. network packets, log files, or system call traces.
- Analyzers: Analyzers receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred.
- User interface: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.

Types of IDSs
- Host-based IDS (HIDS): Monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity.
- Network-based IDS (NIDS): Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
- Distributed or hybrid IDS: Combines information from a number of sensors, often both host- and network-based, in a central analyzer that is able to better identify and respond to intrusion activity.

Intrusion Detection Exchange Format
To facilitate the development of distributed IDSs that can function across a wide range of platforms and environments, standards are needed to support interoperability. Such standards are the focus of the IETF Intrusion Detection Working Group. The working group issued the following RFCs (Section 8.7, page 291):
- Intrusion Detection Message Exchange Requirements (RFC 4766)
- The Intrusion Detection Message Exchange Format (RFC 4765)
- The Intrusion Detection Exchange Protocol (RFC 4767)

Honeypots
Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems. Honeypots are designed to:
- Divert an attacker from accessing critical systems.
- Collect information about the attacker's activity.
- Encourage the attacker to stay on the system long enough for administrators to respond.

Computer Security CS433, Chapter 11: Software Security (Diyala Alturki)

Objectives
- Describe how many computer security vulnerabilities are a result of poor programming practices.
- Describe an abstract view of a program, and detail where potential points of vulnerability exist in this view.
- Describe how a defensive programming approach will always validate any assumptions made, and is designed to fail gracefully and safely whenever errors occur.
- Detail the many problems that occur as a result of incorrectly handling program input, failing to check its size or interpretation.
- Describe problems that occur in implementing some algorithm.
- Describe problems that occur as a result of interaction between programs and O/S components.
- Describe problems that occur when generating program output.

Introducing Software Security (1/2)
Many computer security vulnerabilities result from poor programming practices.
Software security is closely related to software quality and reliability, but with subtle differences.
Software quality and reliability is concerned with the accidental failure of a program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code. These failures are expected to follow some form of probability distribution.
The usual approach to improve software quality is to use some form of structured design and testing to identify and eliminate as many bugs as is reasonably possible from a program.
Introducing Software Security (2/2)
Software security differs in that the attacker chooses the probability distribution, targeting specific bugs that result in a failure that can be exploited by the attacker.

Defensive/Secure Programming
Defensive or Secure Programming is the process of designing and implementing software so that it continues to function even when under attack. Software written using this process is able to detect erroneous conditions resulting from some attack, and to either continue executing safely, or to fail gracefully.
The key rule in defensive programming is to never assume anything, but to check all assumptions and to handle any possible error states.

Abstract View of Program
(Figure slide; only the title survives in this transcript.)

Handling Program Input
Incorrect handling of program input is one of the most common failings in software security.
Program input refers to any source of data that originates outside the program and whose value is not explicitly known by the programmer when the code was written. This obviously includes data read into the program from user keyboard or mouse entry, files, or network connections. It also includes data supplied to the program in the execution environment, the values of any configuration or other data read from files by the program, and values supplied by the operating system to the program.
All sources of input data, and any assumptions about the size and type of values they take, have to be identified. Those assumptions must be explicitly verified by the program code, and the values must be used in a manner consistent with these assumptions.
Concerns:
- Input Size and Buffer Overflow
- Interpretation of Program Input
- Validating Input Syntax
- Input Fuzzing
Read Section 11.2

Writing Safe Program Code
We need to process data according to some algorithm. For procedural languages like C and its descendants, this algorithm specifies the series of steps taken to manipulate the input to solve the required problem.
High-level languages are typically compiled and linked into machine code, which is then directly executed by the target processor.
A high-level language such as Java may be compiled into an intermediate language that is then interpreted by a suitable program on the target system.
In all cases the execution of a program involves the execution of machine language instructions by a processor to implement the desired algorithm.

Correct Algorithm Implementation
The algorithm may not correctly implement all cases or variants of the problem. This might allow some seemingly legitimate program input to trigger program behavior that was not intended, providing an attacker with additional capabilities.
The consequence of such a deficiency in the design or implementation of the algorithm is a bug in the resulting program that could be exploited.
Another variant of this issue is when the programmers deliberately include additional code in a program to help test and debug it. While this is valid during program development, all too often this code remains in production releases of a program. At the very least, this code could inappropriately release information to a user of the program. At worst, it may permit a user to bypass security checks or other program limitations and perform actions they would not otherwise be allowed to perform.

Ensuring That Machine Language Corresponds to Algorithm
This issue concerns the correspondence between the algorithm specified in some programming language and the machine instructions that are run to implement it.
The assumption is that the compiler or interpreter does indeed generate or execute code that validly implements the language statements.
When this is considered, the issue is typically one of efficiency, usually addressed by specifying the required level of optimization flags to the compiler.

Other Related Concerns
- Correct Interpretation of Data Values
- Correct Use of Memory
- Preventing Race Conditions with Shared Memory
Read Section 11.3

Interacting with the Operating System and Other Programs
The program executes on a computer system under the control of an operating system. This aspect of a computer program is often not emphasized in introductory programming courses; however, from the perspective of writing secure software, it is critical.
Excepting dedicated embedded applications, in general, programs do not run in isolation on most computer systems. Rather, they run under the control of an operating system that mediates access to the resources of that system and shares their use between all the currently executing programs.

Environment Variables
Environment variables are a collection of string values inherited by each process from its parent that can affect the way a running process behaves. The operating system includes these in the process's memory when it is constructed.
By default, they are a copy of the parent's environment variables. However, the request to execute a new program can specify a new collection of values to use instead. A program can modify the environment variables in its process at any time, and these in turn will be passed to its children.
Environment variables are used on a wide variety of operating systems, including all UNIX variants, DOS and Microsoft Windows systems, and others.
The security concern for a program is that these provide another path for untrusted data to enter a program and hence need to be validated.
The most common use of these variables in an attack is by a local user on some system attempting to gain increased privileges on the system.
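The Handling Program Input and Environment Variables slides above make one rule: every value that originates outside the program is untrusted until its size, syntax and range have been checked, and the environment is one of those sources. The following is an added example written for this page, not code from the course or the textbook, that applies the rule to two inputs at once: a request record received over the network, and the environment that a program hands to the helper programs it spawns. The `username:port` record format, the size limits, the allow-list of variable names and the fixed PATH are assumptions chosen for illustration.

```python
"""Defensive handling of two untrusted input sources: a network-supplied record and
the inherited process environment. Added example for this page, not course code."""
import os
import re
import subprocess
import sys

# Assumed limits for the illustrative "username:port" request format.
MAX_REQUEST_BYTES = 64
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # POSIX-style user name, 32 chars max
PORT_RE = re.compile(r"^[1-9][0-9]{0,4}$")              # plain decimal, no sign, no leading zeros

def validate_request(raw: bytes) -> dict:
    """Check every assumption about the input before any value is used: size, encoding,
    absence of control characters, field count, field syntax and numeric range."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise ValueError("request too long")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("request is not ASCII") from None
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in text):
        raise ValueError("control character in request")
    fields = text.split(":")
    if len(fields) != 2:
        raise ValueError("expected exactly one ':' separator")
    user, port_text = fields
    if not USERNAME_RE.match(user):
        raise ValueError("invalid user name")
    if not PORT_RE.match(port_text):
        raise ValueError("port is not a plain decimal number")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return {"user": user, "port": port}

# Variables a child process may inherit (assumed allow-list); everything else is dropped.
ALLOWED_ENV = ("HOME", "LANG", "TZ", "USER")
FIXED_PATH = "/usr/bin:/bin"   # assumed trusted search path; never taken from the parent

def clean_environment(inherited=None) -> dict:
    """Build a child's environment from an allow-list instead of passing the parent's
    variables through. PATH is pinned because the inherited value would decide which
    binary a bare command name resolves to."""
    source = os.environ if inherited is None else inherited
    env = {}
    for name in ALLOWED_ENV:
        value = source.get(name)
        # Treat each value as data: keep it only if it is short and printable.
        if value is not None and len(value) <= 256 and value.isprintable():
            env[name] = value
    env["PATH"] = FIXED_PATH
    return env

def run_helper(args) -> str:
    """Run a helper program with the cleaned environment and return its stdout."""
    result = subprocess.run(args, env=clean_environment(), capture_output=True,
                            text=True, check=True)
    return result.stdout

if __name__ == "__main__":
    print(validate_request(b"alice:22"))
    # The child sees only the allow-listed variables plus the pinned PATH.
    print(run_helper([sys.executable, "-c", "import os; print(sorted(os.environ))"]))
```

Two design points carry over to real programs: the checks are ordered so that the cheapest rejection (size) happens before anything is decoded or parsed, and the environment is rebuilt from a positive list rather than by deleting known-bad names, so a variable nobody thought of cannot reach the child.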
Using Appropriate, Least Privileges
The consequence of many of the program flaws is that the attacker is able to execute code with the privileges and access rights of the compromised program or service.
If these privileges are greater than those available already to the attacker, then this results in a privilege escalation, an important stage in the overall attack process.
Using the higher levels of privilege may enable the attacker to make changes to the system, ensuring future use of these greater capabilities.
This strongly suggests that programs should execute with the least amount of privileges needed to complete their function. This is known as the principle of least privilege and is widely recognized as a desirable characteristic in a secure program.

Other Related Concerns
- System Calls and Standard Library Functions
- Preventing Race Conditions with Shared System Resources
- Safe Temporary File Use
- Interacting with Other Programs
Read Section 11.4

Handling Program Output
Another issue is the generation of output as a result of the processing of input and other interactions.
As with program input, the output data may be classified as binary or textual.
If directed to a user, it will be interpreted and displayed by some appropriate program or device.
If this output includes unexpected content, then anomalous behavior may result, with detrimental effects on the user.
Read Section 11.5

Computer Security CS433, Chapter 22: Network Security (Internet Security, Protocols and Standards) (Diyala Alturki)

Objectives
- Provide an overview of MIME.
- Explain the key components of SSL.
- Discuss the use of HTTPS.

What is this chapter about?
This chapter looks at some of the most widely used and important Internet security protocols and standards: S/MIME, SSL/TLS, and HTTPS.

Secure E-MAIL and S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security.
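The Handling Program Output slide of Chapter 11, above, is the mirror image of the input rules: output is interpreted by whatever receives it, so a string that is harmless as data can be harmful once a browser reads it as markup or a log viewer reads it as a separate record. The following is an added example written for this page, not course or textbook code, that encodes the same untrusted value for two different consumers; the greeting template and the log-line format are assumptions.

```python
"""Encoding program output for the consumer that will interpret it (a browser, a log file).
Added example for this page, not course code."""
import html
import re

# ASCII control characters, including newline and the escape byte that starts terminal sequences.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

def render_greeting(display_name: str) -> str:
    """Output destined for a browser: escape so the value is shown as text and never parsed as HTML."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"

def log_record(event: str, value: str) -> str:
    """Output destined for a log file: rewrite control characters as visible escapes so one
    field cannot forge extra log lines or inject terminal sequences into whoever reads the log."""
    safe = CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    return f"event={event} value={safe}"

def main():
    untrusted = "<b>bob</b>"                                # constructed user-supplied value
    print(render_greeting(untrusted))                       # tags arrive as text, not markup
    print(log_record("login", "bob\nevent=login value=admin"))  # stays a single log line

if __name__ == "__main__":
    main()
```

The encoding is chosen per destination, not once for the whole program: HTML escaping would not stop a forged log line, and control-character escaping would not stop markup injection, so each output path applies the transformation its own consumer needs.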
MIME is an extension to the old RFC 822 specification of an Internet mail format:
- RFC 822 defines a simple header with To, From, Subject, and other fields that can be used to route an e-mail message through the Internet and that provides basic information about the e-mail content.
- RFC 822 assumes a simple ASCII text format for the content.
S/MIME is defined as a set of additional MIME content types (as shown in the table) and provides the ability to sign and/or encrypt e-mail messages.

Typical S/MIME Process for Creating an S/MIME Message
(Figure slide; the diagram is not reproduced in this transcript.)

DomainKeys Identified Mail
DomainKeys Identified Mail (DKIM) is a specification for cryptographically signing e-mail messages, permitting a signing domain to claim responsibility for a message in the mail stream. Message recipients (or agents acting on their behalf) can verify the signature by querying the signer's domain directly to retrieve the appropriate public key, and thereby can confirm that the message was attested to by a party in possession of the private key for the signing domain.
DKIM has been widely adopted by a range of e-mail providers, including corporations, government agencies, Gmail, Yahoo, and many Internet service providers (ISPs).

Simple Example of DKIM Deployment
(Figure slide; the diagram is not reproduced in this transcript.)

Transport Layer Security (TLS)
TLS is designed to make use of TCP to provide a reliable end-to-end secure service.
TLS is not a single protocol but rather two layers of protocols. The Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of TLS.
Three higher-layer protocols are defined as part of TLS:
1. Handshake Protocol
2. Change Cipher Spec Protocol
3. Alert Protocol
These TLS-specific protocols are used in the management of TLS exchanges and are examined later in this section.

There are two important TLS concepts:
- Connection: A connection is a transport (in the OSI layering model definition) that provides a suitable type of service. For TLS, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session.
- Session: A TLS session is an association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.

TLS Protocols - SSL
The SSL (Secure Sockets Layer) Record Protocol provides two services for SSL connections:
- Confidentiality: The Handshake Protocol defines a shared secret key that is used for symmetric encryption of SSL payloads.
- Message integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).

TLS Handshake
This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in a TLS record. The Handshake Protocol is used before any application data are transmitted. The Handshake Protocol consists of a series of messages exchanged by client and server.

SSL/TLS Attacks
We can group the attacks into four general categories:
- Attacks on the Handshake Protocol: As early as 1998, an approach to compromising the Handshake Protocol based on exploiting the formatting and implementation of the RSA encryption scheme was presented. As countermeasures were implemented, the attack was refined and adjusted to not only thwart the countermeasures but also speed up the attack.
- Attacks on the record and application data protocols: A number of vulnerabilities have been discovered in these protocols, leading to patches to counter the new threats.
- Attacks on the PKI: Checking the validity of X.509 certificates is an activity subject to a variety of attacks, both in the context of SSL/TLS and elsewhere. For example, some researchers demonstrated that commonly used libraries for SSL/TLS suffer from vulnerable certificate validation implementations.
- Other attacks: One example is an attack announced in 2011 by the German hacker group The Hackers Choice, which is a DoS attack.

HTTPS
HTTPS (HTTP over SSL) refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server. The HTTPS capability is built into all modern Web browsers. Its use depends on the Web server supporting HTTPS communication.
The principal difference seen by a user of a Web browser is that URL (uniform resource locator) addresses begin with https:// rather than http://. A normal HTTP connection uses port 80. If HTTPS is specified, port 443 is used, which invokes SSL.
When HTTPS is used, the following elements of the communication are encrypted:
- URL of the requested document
- Contents of the document
- Contents of browser forms (filled in by browser user)
- Cookies sent from browser to server and from server to browser
- Contents of HTTP header
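The TLS slides above separate a session (the security parameters agreed once by the Handshake Protocol) from the connections that reuse it, and give the Record Protocol two jobs, confidentiality and message integrity, each under its own shared key. The following is an added example written for this page; it is a deliberately simplified model of that structure, not TLS itself and not course or textbook code. The key derivation, the SHA-256 counter-mode keystream standing in for the negotiated cipher, the record header layout and the fixed sample master secret are all assumptions. What it shows is the behaviour the slides describe: per-connection keys derived from one session secret, and a record that has been modified or replayed being rejected before any plaintext reaches the application.

```python
"""Toy model of the TLS session/connection/record structure. Added example for this page;
a simplified illustration, not TLS and not course code."""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">QH")   # sequence number, plaintext length (sent in the clear)
TAG_LEN = 32                    # HMAC-SHA256 tag

def derive_key(master_secret: bytes, label: bytes, connection_id: bytes) -> bytes:
    """Session-level master secret -> per-connection key (stand-in for the TLS key schedule)."""
    return hmac.new(master_secret, label + connection_id, hashlib.sha256).digest()

def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream from SHA-256, standing in for the negotiated symmetric cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">QQ", seq, block)).digest()
        block += 1
    return out[:length]

class Connection:
    """One connection inside a session: its own keys and its own record sequence numbers."""
    def __init__(self, master_secret: bytes, connection_id: bytes):
        self.enc_key = derive_key(master_secret, b"enc", connection_id)   # confidentiality key
        self.mac_key = derive_key(master_secret, b"mac", connection_id)   # integrity key
        self.send_seq = 0
        self.recv_seq = 0

    def protect(self, plaintext: bytes) -> bytes:
        """Send path: MAC over header+plaintext, then encrypt plaintext+tag (plaintext <= 65535 bytes)."""
        header = HEADER.pack(self.send_seq, len(plaintext))
        tag = hmac.new(self.mac_key, header + plaintext, hashlib.sha256).digest()
        body = plaintext + tag
        ks = keystream(self.enc_key, self.send_seq, len(body))
        self.send_seq += 1
        return header + bytes(a ^ b for a, b in zip(body, ks))

    def unprotect(self, record: bytes) -> bytes:
        """Receive path: reject short, out-of-order/replayed, and MAC-failing records."""
        if len(record) < HEADER.size + TAG_LEN:
            raise ValueError("record too short")
        seq, length = HEADER.unpack_from(record)
        if seq != self.recv_seq:
            raise ValueError("replayed or reordered record")
        body = record[HEADER.size:]
        plain_body = bytes(a ^ b for a, b in zip(body, keystream(self.enc_key, seq, len(body))))
        plaintext, tag = plain_body[:length], plain_body[length:]
        expected = hmac.new(self.mac_key, record[:HEADER.size] + plaintext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise ValueError("MAC check failed: record modified")
        self.recv_seq += 1
        return plaintext

MASTER_SECRET = bytes(range(32))   # constructed sample value; a real one comes from the handshake

def roundtrip(message: bytes) -> bytes:
    client, server = Connection(MASTER_SECRET, b"conn-1"), Connection(MASTER_SECRET, b"conn-1")
    return server.unprotect(client.protect(message))

def tampered_record_result() -> str:
    client, server = Connection(MASTER_SECRET, b"conn-1"), Connection(MASTER_SECRET, b"conn-1")
    record = bytearray(client.protect(b"amount=10"))
    record[HEADER.size + 7] ^= 0x01   # flip one ciphertext bit, which flips one plaintext bit
    try:
        server.unprotect(bytes(record))
        return "accepted"
    except ValueError as err:
        return str(err)

def replayed_record_result() -> str:
    client, server = Connection(MASTER_SECRET, b"conn-1"), Connection(MASTER_SECRET, b"conn-1")
    record = client.protect(b"transfer")
    server.unprotect(record)          # first delivery is accepted
    try:
        server.unprotect(record)      # identical bytes delivered again
        return "accepted"
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    print(roundtrip(b"GET /secret HTTP/1.1"))
    print(tampered_record_result())
    print(replayed_record_result())
```

Two properties of the model match the slides directly: the two connections constructed from the same master secret but different identifiers end up with different keys, which is what lets a session be shared by many transient connections, and the sequence number is both checked and covered by the MAC, so a record cannot be replayed into a later position or have its header altered without the integrity check failing.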
