Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Intrusion.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Intrusion."— Presentation transcript:

1 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Intrusion Detection and Response 19 November 2004 Dr. Clifford Neuman University of Southern California Information Sciences Institute

2 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Announcements Mid-term grading done –See TA’s to collect graded exam All paper proposal responded to Final exam December 13 th –We may have some new experimental features on the discussion board focused around last years exam. –We will spend time reviewing during part of final lecture Final lecture on December 3 –Will cover multiple current topics suggested by the class –Send email to csci530@usc.edu with requests for topics.csci530@usc.edu Class evaluations on December 3 rd –I need a volunteer to distributed and collect evaluations –See me during break

3 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Components of ID systems Collectors –Gather raw data Director –Reduces incoming traffic and finds relationships Notifier –Accepts data from director and takes appropriate action

4 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Advanced IDS models Distributed Detection –Combining host and network monitoring (DIDS) –Autonomous agents (Crosbie and Spafford)

5 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Intrusion Response Intrusion Prevention –(marketing buzzword) Intrusion Response –How to react when an intrusion is detected

6 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Possible Responses –Notify administrator –System or network lockdown –Place attacker in controlled environment –Slow the system for offending processes –Kill the process

7 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Phase of Response (Bishop) –Preparation –Identification –Containment –Eradication –Recovery –Follow up

8 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE PREPARATION Generate baseline for system –Checksums of binaries ▪For use by systems like tripwire Develop procedures to follow Maintain backups

9 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE IDENTIFICATION This is the role of the ID system –Detect attack –Characterize attack –Try to assess motives of attack –Determine what has been affected

10 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CONTAINMENT Passive monitoring –To learn intent of attacker –Learn new attack modes so one can defend against them later Constraining access –Locking down system –Closing connections –Blocking at firewall, or closer to source Combination –Constrain activities, but don’t let attacker know one is doing so (Honeypots, Jail).

11 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE ERADICATION Prevent attack or effects of attack from recurring. –Locking down system (also in containment phase) –Blocking connections at firewall –Isolate potential targets

12 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE RECOVERY Restore system to safe state –Check all software for backdoors –Recover data from backup –Reinstall but don’t get re-infected before patches applied.

13 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE FOLLOWUP Take action against attacker. –Find origin of attack Notify other affected parties –Some of this occurs in earlier phases as well Assess what went wrong and correct procedures. Find buggy software that was exploited and fix

14 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Limitations of Monolithic ID Single point of failure Limited access to data sources Only one perspective on transactions Some attacks are inherently distributed –Smurf –DDoS Conclusion: “Complete solutions” aren’t

15 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Sharing Information Benefits –Increased robustness –More information for all components –Broader perspective on attacks –Capture distributed attacks Risks –Eavesdroppers, compromised components

16 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Sharing Information Communication risks can be resolved cryptographically (at least in part) Defining appropriate level of expression –Efficiency –Expressivity –Specificity

17 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CIDF Common Intrusion Detection Framework –Collaborative work of DARPA- funded projects in late 1990s –Task: Define language, protocols to exchange information about attacks and responses

18 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CISL Common Intrusion Specification Language –Conveys information about attacks using ordinary English words –E.g., User joe obtains root access on demon.example.com at 2003 Jun 12 14:15 PDT

19 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CISL Problem: Parsing English is hard S-expressions (Rivest) –Lisp-like grouping using parentheses –Simplest examples: (name value) pairs (Username ‘joe’) (Hostname ‘demon.example.com’) (Date ‘2003 Jun 12 14:15 PDT’) (Action obtainRootAccess)

20 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CISL Problems with simple pairs –Confusion about roles played by entities ▪Is joe an attacker, an observer, or a victim? ▪Is demon.example.com the source or the target of the attack? –Inability to express compound events ▪Can’t distinguish attackers in multiple stages Group objects into GIDOs

21 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CISL: Roles Clarifies roles identified by descriptors (Attacker (Username ‘joe’) (Hostname ‘carton.example.com’) (UserID 501) ) (Target (Hostname ‘demon.example.com’) )

22 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CISL: Verbs Permit generic description of actions (Compromise (Attacker …) (Observer (Date ‘2003 Jun 12 14:15 PDT’) (ProgramName ‘GrIDSDetector’) ) (Target …) )

23 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CISL: Conjunctions Permit expression of compound events –HelpCause: Indicates partial causality –InOrder: Indicates sequencing –AsAWayOf: Indicates multiple views of the same attack

24 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CISL: Open S-expressions Lambda calculus-like macros (def CompromiseHost $1 $2 $3 (Compromise (Attacker (Username $1)) (Target (Hostname $2)) (Observer (Date $3)) )

25 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CISL: Open S-expressions Originally defined to reduce payload Also usable for database queries –Look for all records matching ‘CompromiseHost’ –Difficulty: Store expanded form or macro form in database?

26 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Testing CISL CISL is expressive, leading to questions –Is it ambiguous? ▪Does a given GIDO have more than one interpretation? –Is it overbuilt? ▪Is there more than one GIDO that expresses the same thing (aside from reordering)?

27 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Testing CISL GIDO Bake-offs –June 1999: Demonstration of simple corroboration –October 2000: Semantic testing ▪Group A: Devised scenarios/questions ▪Group B: Only knows scenarios, creates GIDOs ▪Group C: Only knows questions, receives GIDOs ▪Three levels: Easy, medium, gnarly

28 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Lessons from CISL Lessons from testing, standardization efforts –Heavyweight –Not ambiguous, but too many ways to say the same thing –Mismatch between what CISL can say and what detectors/analyzers can reliably know

29 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Enter IDWG Intrusion Detection Working Group –WG of Internet Engineering Task Force –Chief product: IDMEF ▪Intrusion Detection Message Exchange Format ▪Driven by many CIDF participants

30 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE IDMEF XML-based; defines DTD for ID Reduced vocabulary –Roles reduced to analyzer (observer), source, target –Extra information for identifying exploits, buffer overflows –Provision for indicating that previous alerts are related –No provision for response prescriptions

31 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE IDWG Status IDMEF (and other IDWG drafts) –Submitted to IESG for advancement to IETF Draft Standard (as standards-track RFC)

32 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Wireless Technologies and Implications Dr. Clifford Neuman University of Southern California Information Sciences Institute

33 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE What’s Different Easy (but wrong) answer: –Wireless communication involves transmission of data by radio or similar means, and this allows an attacker to read the data more readily without requiring physical access to the network. The problem with this explanation: –If you have been paying attention during this course, you will likely note that we have been assuming it is easy for an attacker to intercept data anyway, even on wired networks. Good security design should assume this. Yes, it is a little easier for an attacker to eavesdrop with wireless, but there are so many other ways to get the data that wireless doesn’t really change this part.

34 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE What’s Different The real answer: –Wireless communications devices are often disconnected. –Such devices may have limited storage or limited computation abilities. –Such systems CAN be deployed in ways that create greater vulnerabilities if the basic protocols running on such systems have not applied confidentiality protection. –Such systems may be more vulnerable to jamming. –Such systems create a less accountable path into the network.

35 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE A False Sense of Security Solutions that provide encryption at the network layer or below provide a false sense of security. –WEP: Wired Equivalent Protocol is just that. ▪Doesn’t solve the end to end problems. ▪Wires aren’t that hard to tap anyway. –Attacks on WEP ▪Repeated IV on encryption enables recovery of the key stream. ▪Authentication reveals secret.

36 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE A False Claim of Security Beware of papers like the Bluetooth paper in the final week assigned readings. –These kinds of papers appear all the time, pointing to vulnerabilities in competing products or protocols and showing how their solution does not exhibit these weakness. –Keep in mind that weakness and vulnerabilities are usually approach specific. That an alternative doesn’t exhibit the SAME vulnerabilities is not at all surprising.

37 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Bluetooth Vulnerabilities Bluetooth exhibits serious vulnerabilities in its interface to the user. –Similar to SSL URL authentication problems. ▪i.e. that you know the name of the server you were talking to, but not that it was the right server. –SNARF Attack ▪Connect to device without alerting owner –Backdoor Attack ▪Establish trust by pairing, but remove from list of pair devices. –Problem is to few protection domains. ▪Connection grants access to most data on the device.

38 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Wireless to Improve Security Wireless promotes less constrained reconfiguration. –Topology of network is not constrained by physical wires. –Examples in sensor nets. ▪Home burglary example Spread spectrum can be used as a security tool. –If codes secret, useful to hide communication. –Resistant to jamming.

39 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Peer to Peer and Ad Hoc Security Security protocols may have phases independent of central infrastructure. Services may be provided by untrusted nodes. Messages need to be relayed by untrusted nodes. Devices may be overrun. Collusion is possible (Byzantine failure).

40 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Review for Final Exam - Cryptography Basic Crypto –Transposition, Substitution –Mathematical Modes of operation –Block cipher ECB –Streams ▪CBC, CFB, OFB –Some systems –RSA, DES, 3DES, AES –Digital Signatures Key Sizes

41 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Review for Final Exam – Authentication and Key Management Choosing Keys Authentication and Key Distribution –PKI –Kerberos Group Key Management

42 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Review for Final Exam - Authorization Access Matrix Policy Models –Bell Lapadula, Biba, Chinese Wall –MAC – Mandatory Access Controls –Clark Wilson –Role Based Access Controls –Least Privelege Distributed Mechanisms –Proxies –GAA-API

43 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Review for Final Exam - Intrusions Detection - how –Signature based –Anomaly based Detection - where –Network based –Host based –Application based Coordination of detection Response Recovery Forensics

44 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Review for Final Exam - Wireless The real differences –Devices and connectivity Some of the benefits –Redundancy of communication paths –Autonomy WEP as examples of vulnerabilities Need for end-to-end security

45 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Summary Be critical –Look for the vulnerabilities in systems. ▪Protocol errors. ▪Vulnerabilities in administration. ▪Incorrect assumptions about the environment. ▪Failure to meet the high level goals even if the system functions perfectly. –Assume that there will be failures ▪Defense in depth ▪Mitigation

46 Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Current event Advanced email phishing attacks steal passwords and compromise computer security Source: http://www.theregister.co.uk/2004/11/04/phishing_exploit /ttp://www.theregister.co.uk/2004/11/04/phishing_exploit / Fraudsters have developed phishing emails capable of automatically stealing bank log-in details without requiring users to click on a website link, email filtering firm MessageLabs warns.phishingemail Over the last two weeks, MessageLabs has monitored a small number of these dangerous new emails, which are capable of sidestepping the need for user intervention in phishing attacks. Users who only open maliciously constructed emails to be exposed to risk. These emails contain scripts that rewrite the host files of targeted machines. This means that next time a user attempts to access their online banking account they will be automatically redirected to a fraudulent website instead, enabling their log-in details to be stolen.

Download ppt "Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Intrusion."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Report on Common Intrusion Detection Framework By Ganesh Godavari.

Report on Common Intrusion Detection Framework By Ganesh Godavari.
Chapter 1  Introduction 1 Chapter 1: Introduction.

Chapter 1  Introduction 1 Chapter 1: Introduction.
Cryptography and Network Security

Cryptography and Network Security
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture notes.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture notes.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
Copyright © 1995-2007 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Chapter 1 – Introduction

Chapter 1 – Introduction
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 1 Security Systems Lecture notes Drs.

Copyright © B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall Security Systems Lecture notes Drs.

Similar presentations

Ads by Google