Slide 1
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
USC CSci530 Computer Security Systems
Lecture notes Fall 2006
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute

Slide 2: Administration
http://ccss.usc.edu/530
Mid-term grading is slipping; most questions are graded, but graders are still working on others.
–Expect grades out this weekend.
Assignment 3 on site by lecture.
All proposals responded to by time of lecture.
Additional readings to be posted tonight.

Slide 3: CSci530: Security Systems
Lecture 11 – November 03, 2006
Intrusion Detection and Response
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute
Slide 4: Intrusion Types (from previous lecture)
External attacks
–Password cracks, port scans, packet spoofing, DoS attacks
Internal attacks
–Masqueraders, misuse of privileges

Slide 5: Attack Stages (from previous lecture)
Intelligence gathering – attacker observes the system to determine vulnerabilities (e.g., port scans)
Planning – decide what resource to attack and how
Attack execution – carry out the plan
Hiding – cover traces of attack
Preparation for future attacks – install backdoors for future entry points

Slide 6: Intrusion Detection (from previous lecture)
Intrusion detection is the problem of identifying unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators.
Why is IDS necessary?

Slide 7: IDS Types (from previous lecture)
Detection method
–Knowledge-based (signature-based) vs. behavior-based (anomaly-based)
Behavior on detection
–Passive vs. reactive
Deployment
–Network-based, host-based and application-based

Slide 8: Components of ID Systems (from previous lecture)
Collectors
–Gather raw data
Director
–Reduces incoming traffic and finds relationships
Notifier
–Accepts data from director and takes appropriate action

Slide 9: Advanced IDS Models (from previous lecture)
Distributed detection
–Combining host and network monitoring (DIDS)
–Autonomous agents (Crosbie and Spafford)
Slide 10: Intrusion Response
Intrusion prevention
–(marketing buzzword)
Intrusion response
–How to react when an intrusion is detected

Slide 11: Possible Responses
–Notify administrator
–System or network lockdown
–Place attacker in controlled environment
–Slow the system for offending processes
–Kill the process

Slide 12: Phases of Response (Bishop)
–Preparation
–Identification
–Containment
–Eradication
–Recovery
–Follow up

Slide 13: PREPARATION
Generate baseline for system
–Checksums of binaries
▪For use by systems like Tripwire
Develop procedures to follow
Maintain backups
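The baseline step on the slide above, worked through as an added example (this is not code from the lecture or from Tripwire): a stored record of digest, size and permission bits for every regular file under a directory, and a later comparison that reports modified, added and removed files. The directory layout, file contents and the simulated tampering are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Stream a file through a hash so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare_baseline(root, baseline):
    """Re-scan root and report what differs from the stored baseline."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new["sha256"] != old["sha256"] or new["mode"] != old["mode"]:
            report["modified"].append(rel)
    report["added"] = sorted(rel for rel in current if rel not in baseline)
    return report


def demo():
    """Constructed scenario: baseline a fake bin directory, then simulate tampering."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, content in (("ls", b"original ls"), ("ps", b"original ps")):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(content)
        # In practice the baseline goes to read-only or off-host storage so that
        # an intruder who gains root cannot simply regenerate it.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated intrusion: trojaned ps, an extra file dropped, ls deleted.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"trojaned ps")
        with open(os.path.join(bindir, "extra"), "wb") as f:
            f.write(b"unexpected")
        os.remove(os.path.join(bindir, "ls"))
        return compare_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison deliberately ignores size when the digest matches and flags permission changes separately from content changes, since a setuid bit flipped on an unchanged binary is as interesting as a rewritten one. Whether the checker itself can be trusted on a compromised host is a separate question; that is why the slide pairs the baseline with backups taken during preparation.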
Slide 14: IDENTIFICATION
This is the role of the ID system
–Detect attack
–Characterize attack
–Try to assess motives of attack
–Determine what has been affected

Slide 15: CONTAINMENT
Passive monitoring
–To learn intent of attacker
–Learn new attack modes so one can defend against them later
Constraining access
–Locking down system
–Closing connections
–Blocking at firewall, or closer to source
Combination
–Constrain activities, but don’t let attacker know one is doing so (honeypots, jail).

Slide 16: ERADICATION
Prevent attack or effects of attack from recurring.
–Locking down system (also in containment phase)
–Blocking connections at firewall
–Isolate potential targets

Slide 17: RECOVERY
Restore system to safe state
–Check all software for backdoors
–Recover data from backup
–Reinstall, but don’t get re-infected before patches are applied.

Slide 18: FOLLOW UP
Take action against attacker.
–Find origin of attack
Notify other affected parties
–Some of this occurs in earlier phases as well
Assess what went wrong and correct procedures.
Find buggy software that was exploited and fix it.

Slide 19: Limitations of Monolithic ID
Single point of failure
Limited access to data sources
Only one perspective on transactions
Some attacks are inherently distributed
–Smurf
–DDoS
Conclusion: “Complete solutions” aren’t

Slide 20: Sharing Information
Benefits
–Increased robustness
–More information for all components
–Broader perspective on attacks
–Capture distributed attacks
Risks
–Eavesdroppers, compromised components

Slide 21: Sharing Information
Communication risks can be resolved cryptographically (at least in part)
Defining appropriate level of expression
–Efficiency
–Expressivity
–Specificity
Slide 22: CIDF
Common Intrusion Detection Framework
–Collaborative work of DARPA-funded projects in late 1990s
–Task: Define language, protocols to exchange information about attacks and responses

Slide 23: CISL
Common Intrusion Specification Language
–Conveys information about attacks using ordinary English words
–E.g., User joe obtains root access on demon.example.com at 2003 Jun 12 14:15 PDT

Slide 24: CISL
Problem: Parsing English is hard
S-expressions (Rivest)
–Lisp-like grouping using parentheses
–Simplest examples: (name value) pairs
(Username ‘joe’)
(Hostname ‘demon.example.com’)
(Date ‘2003 Jun 12 14:15 PDT’)
(Action obtainRootAccess)

Slide 25: CISL
Problems with simple pairs
–Confusion about roles played by entities
▪Is joe an attacker, an observer, or a victim?
▪Is demon.example.com the source or the target of the attack?
–Inability to express compound events
▪Can’t distinguish attackers in multiple stages
Group objects into GIDOs

Slide 26: CISL: Roles
Clarifies roles identified by descriptors
(Attacker
  (Username ‘joe’)
  (Hostname ‘carton.example.com’)
  (UserID 501)
)
(Target
  (Hostname ‘demon.example.com’)
)

Slide 27: CISL: Verbs
Permit generic description of actions
(Compromise
  (Attacker …)
  (Observer
    (Date ‘2003 Jun 12 14:15 PDT’)
    (ProgramName ‘GrIDSDetector’)
  )
  (Target …)
)

Slide 28: CISL: Conjunctions
Permit expression of compound events
–HelpCause: Indicates partial causality
–InOrder: Indicates sequencing
–AsAWayOf: Indicates multiple views of the same attack

Slide 29: CISL: Open S-expressions
Lambda calculus-like macros
(def CompromiseHost $1 $2 $3
  (Compromise
    (Attacker (Username $1))
    (Target (Hostname $2))
    (Observer (Date $3))
  )
)
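The S-expression slides (simple pairs, roles, verbs and the open S-expression macro above) can be exercised end to end with a small parser. The following is an added example, not code from the lecture or from the CIDF project: it tokenizes S-expressions into nested lists, collects `(def Name $1 … body)` macro definitions, expands invocations, and answers the query raised on the next slide (does a stored, already-expanded record match a given macro, and with which arguments?). The input text is the slide's `CompromiseHost` macro plus one constructed invocation; the handling of typographic quotes and the `$n` parameter convention are assumptions about the slide's notation.

```python
import re

# Tokens: parentheses, single-quoted strings (spaces allowed inside), bare atoms.
# Assumption: the slides' typographic quotes are treated like ASCII quotes.
TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")


def parse(text):
    """Parse a string holding one or more S-expressions into nested lists of atoms."""
    tokens = TOKEN.findall(text.replace("\u2018", "'").replace("\u2019", "'"))
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while pos < len(tokens) and tokens[pos] != ")":
                items.append(read())
            if pos >= len(tokens):
                raise ValueError("missing )")
            pos += 1
            return items
        if tok == ")":
            raise ValueError("unexpected )")
        return tok

    exprs = []
    while pos < len(tokens):
        exprs.append(read())
    return exprs


def split_defs(exprs):
    """Separate (def Name $1 ... body) macro definitions from ordinary GIDOs."""
    macros, gidos = {}, []
    for e in exprs:
        if isinstance(e, list) and e and e[0] == "def":
            macros[e[1]] = (e[2:-1], e[-1])  # parameter names, body template
        else:
            gidos.append(e)
    return macros, gidos


def substitute(expr, binding):
    if isinstance(expr, list):
        return [substitute(x, binding) for x in expr]
    return binding.get(expr, expr)


def expand(expr, macros):
    """Rewrite macro invocations into their expanded form, recursively."""
    if not isinstance(expr, list) or not expr:
        return expr
    head = expr[0]
    if isinstance(head, str) and head in macros:
        params, body = macros[head]
        args = expr[1:]
        if len(args) != len(params):
            raise ValueError(f"{head}: expected {len(params)} arguments, got {len(args)}")
        return expand(substitute(body, dict(zip(params, args))), macros)
    return [expand(x, macros) for x in expr]


def match_macro(expr, name, macros):
    """Does an expanded record match macro `name`? Returns the bindings, or None."""
    params, body = macros[name]
    binding = {}

    def unify(pat, val):
        if isinstance(pat, str) and pat in params:
            if pat in binding and binding[pat] != val:
                return False
            binding[pat] = val
            return True
        if isinstance(pat, list) and isinstance(val, list) and len(pat) == len(val):
            return all(unify(p, v) for p, v in zip(pat, val))
        return pat == val

    return binding if unify(body, expr) else None


def to_sexpr(expr):
    if isinstance(expr, list):
        return "(" + " ".join(to_sexpr(x) for x in expr) + ")"
    return expr


# Constructed input: the slide's CompromiseHost macro plus one invocation of it.
SAMPLE = """
(def CompromiseHost $1 $2 $3
  (Compromise
    (Attacker (Username $1))
    (Target (Hostname $2))
    (Observer (Date $3))))
(CompromiseHost 'joe' 'demon.example.com' '2003 Jun 12 14:15 PDT')
"""


def demo():
    macros, gidos = split_defs(parse(SAMPLE))
    return macros, [expand(g, macros) for g in gidos]


if __name__ == "__main__":
    macros, expanded = demo()
    for g in expanded:
        print(to_sexpr(g), match_macro(g, "CompromiseHost", macros))
```

`match_macro` is the half of the "expanded form or macro form" dilemma that the next slide raises: if the database stores expanded GIDOs, a macro query has to be run as a pattern match against every record, whereas storing the macro form makes that query a string comparison but loses the ability to ask questions the macro author did not anticipate. The matcher here is order-sensitive, which is exactly the "same thing said several ways" problem the bake-off lessons describe.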
Slide 30: CISL: Open S-expressions
Originally defined to reduce payload
Also usable for database queries
–Look for all records matching ‘CompromiseHost’
–Difficulty: Store expanded form or macro form in database?

Slide 31: Testing CISL
CISL is expressive, leading to questions
–Is it ambiguous?
▪Does a given GIDO have more than one interpretation?
–Is it overbuilt?
▪Is there more than one GIDO that expresses the same thing (aside from reordering)?

Slide 32: Testing CISL
GIDO bake-offs
–June 1999: Demonstration of simple corroboration
–October 2000: Semantic testing
▪Group A: Devised scenarios/questions
▪Group B: Only knows scenarios, creates GIDOs
▪Group C: Only knows questions, receives GIDOs
▪Three levels: Easy, medium, gnarly

Slide 33: Lessons from CISL
Lessons from testing, standardization efforts
–Heavyweight
–Not ambiguous, but too many ways to say the same thing
–Mismatch between what CISL can say and what detectors/analyzers can reliably know

Slide 34: Enter IDWG
Intrusion Detection Working Group
–WG of Internet Engineering Task Force
–Chief product: IDMEF
▪Intrusion Detection Message Exchange Format
▪Driven by many CIDF participants

Slide 35: IDMEF
XML-based; defines DTD for ID
Reduced vocabulary
–Roles reduced to analyzer (observer), source, target
–Extra information for identifying exploits, buffer overflows
–Provision for indicating that previous alerts are related
–No provision for response prescriptions
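Two of the earlier points come together here: slide 21 says the risks of sharing alerts between components can be resolved cryptographically, at least in part, and the IDMEF slide above says the format carries analyzer, source and target roles plus a way to mark earlier alerts as related. The following added example (not the lecture's code and not a reference implementation of RFC 4765; the element subset and namespace are taken from that RFC, and the alert contents, analyzer id and shared key are constructed) builds two IDMEF alerts from one analyzer, marks the second as correlated with the first via `CorrelationAlert`, authenticates the bytes with an HMAC under a key shared between analyzer and director, and shows a modified copy failing verification.

```python
import datetime
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET

NS = "http://iana.org/idmef"  # IDMEF namespace as given in RFC 4765
ET.register_namespace("idmef", NS)


def q(tag):
    """Qualify a tag name with the IDMEF namespace."""
    return f"{{{NS}}}{tag}"


def build_alert(analyzer_id, source_ip, target_host, classification,
                related=None, message_id=None):
    """Serialize a minimal IDMEF Alert (subset of the RFC 4765 element set)."""
    msg = ET.Element(q("IDMEF-Message"), {"version": "1.0"})
    alert = ET.SubElement(msg, q("Alert"), {"messageid": message_id or str(uuid.uuid4())})
    ET.SubElement(alert, q("Analyzer"), {"analyzerid": analyzer_id})
    now = datetime.datetime.now(datetime.timezone.utc)
    ET.SubElement(alert, q("CreateTime")).text = now.isoformat()
    node = ET.SubElement(ET.SubElement(alert, q("Source")), q("Node"))
    addr = ET.SubElement(node, q("Address"), {"category": "ipv4-addr"})
    ET.SubElement(addr, q("address")).text = source_ip
    node = ET.SubElement(ET.SubElement(alert, q("Target")), q("Node"))
    ET.SubElement(node, q("name")).text = target_host
    ET.SubElement(alert, q("Classification"), {"text": classification})
    if related:  # point back at the earlier alerts this one builds on
        corr = ET.SubElement(alert, q("CorrelationAlert"))
        ET.SubElement(corr, q("name")).text = "multi-stage attack"
        for ident in related:
            ET.SubElement(corr, q("alertident")).text = ident
    return ET.tostring(msg, encoding="utf-8")


def sign(key, payload):
    """Integrity tag computed by the sending component over the exact bytes sent."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(key, payload, tag):
    """Constant-time comparison on the receiving side."""
    return hmac.compare_digest(sign(key, payload), tag)


def alert_fields(payload):
    """What a director would pull out of a received alert after verifying it."""
    alert = ET.fromstring(payload).find(q("Alert"))
    return {
        "messageid": alert.get("messageid"),
        "analyzer": alert.find(q("Analyzer")).get("analyzerid"),
        "source": alert.find(q("Source")).find(".//" + q("address")).text,
        "target": alert.find(q("Target")).find(".//" + q("name")).text,
        "classification": alert.find(q("Classification")).get("text"),
        "related": [e.text for e in alert.iter(q("alertident"))],
    }


def demo():
    """Constructed exchange: a scan alert, a follow-on alert correlated to it,
    and a tampered copy of the second that fails verification."""
    key = b"constructed-shared-key-for-demo"  # placeholder, not a real deployment key
    first = build_alert("hids-1", "192.0.2.7", "demon.example.com",
                        "port scan", message_id="alert-1")
    second = build_alert("hids-1", "192.0.2.7", "demon.example.com",
                         "root compromise", related=["alert-1"], message_id="alert-2")
    tag = sign(key, second)
    tampered = second.replace(b"192.0.2.7", b"198.51.100.9")  # source rewritten in transit
    return {
        "first": alert_fields(first),
        "second": alert_fields(second),
        "second_ok": verify(key, second, tag),
        "tampered_ok": verify(key, tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

This is the "at least in part" of slide 21 made concrete: the MAC stops an eavesdropper from altering or forging alerts on the wire, but it does nothing for confidentiality (the XML is still readable, so the channel itself needs encryption such as TLS), and a compromised component that holds the shared key can still emit well-formed, correctly authenticated false alerts. Per-component keys and the `analyzerid` field at least let the director attribute and revoke a misbehaving sender.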
Slide 36: IDWG Status
IDMEF (and other IDWG drafts)
–Submitted to IESG for advancement to IETF Draft Standard (as standards-track RFC)

Slide 37: CSci530: Security Systems
Lecture 12 – November 10, 2006
The Human Element (intro slides)
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute

Slide 38: The Human is the Weak Point
Low bandwidth used between computer and human.
–User can read, but is unable to process crypto in head.
–Needs system as its proxy
–This creates vulnerability.
Users don’t understand the system
–Often trust what is displayed
–Basis for phishing

Slide 39: The Human is the Weak Point (2)
Humans make mistakes
–Configure system incorrectly
Humans can be compromised
–Bribes
–Social engineering
Programmers often don’t consider the limitations of users when designing systems.

Slide 40: Some Attacks
Social engineering
–Phishing – in many forms
Mis-configuration
Carelessness
Malicious insiders
Bugs in software

Slide 41: Addressing the Limitations
Personal proxies
–Smartcards or devices
User interface improvements
–Software can highlight things that it thinks are odd.
Delegate management
–Users can rely on better trained entities to manage their systems.
Try not to get in the way of the users’ legitimate activities
–Or they will disable security mechanisms.

Slide 42: Much More Next Week

Slide 43: Current Event
Bot nets likely behind jump in spam
The Register (Tuesday 31st October 2006)

A significant rise in the global volume of spam in the past two months has security analysts worried that bot nets are increasingly being used by spammers to stymie network defenses erected to curtail bulk email.

Symantec, the owner of SecurityFocus, has found that average spam volume has increased almost 30 percent for its 35,000 clients in the last two months. Spam black list maintainer Total Quality Management Cubed has seen a 450 percent increase in spam in two months.

While bulk emailers have, in the past, sent unwanted messages from a single server, increasingly the spam emanates from networks of compromised PCs, known as bot nets. The level of junk email has increased almost in lock step with the number of compromised systems used for spam, said David Hart, the administrator for Total Quality Management.

Many bot herders - as the criminals that infect computers with bot software are named - sell or rent bot nets to others to use, and spammers increasingly seem to be among their customers.