Published by Jayson Cunningham. Modified over 9 years ago.
Chapter 18. Intruders
2 Intruders
Three classes of intruders:
- Masquerader: likely to be an outsider; penetrates a system's access controls to exploit a legitimate user's account.
- Misfeasor: generally an insider; performs unauthorized accesses to data, programs, or resources, or misuses his or her privileges.
- Clandestine user: can be either an insider or an outsider; seizes supervisory control of the system and uses it to evade auditing and access controls or to suppress audit collection.
3 Intruders
Intruder techniques aim to gain access to and/or increase privileges on a system. Usually the intruder needs a user's password or the password file.
Protection of the password file:
- One-way encryption: the system stores an encrypted form of the user's password and compares it with the encrypted form of the presented password.
- Access control: access to the password file is limited to one or a very few accounts.
4 Intruders: Guessing Passwords
Techniques for learning passwords:
- Try default passwords used with standard accounts that are shipped with the system.
- Exhaustively try all short passwords (1 to 3 characters).
- Try words in the system's on-line dictionary or a list of likely passwords.
- Collect information about users (names, books, hobbies, etc.).
- Try users' phone numbers, Social Security numbers, and room numbers.
- Try all legitimate license plate numbers.
- Use a Trojan horse.
- Tap the line between a remote user and the host system (link encryption techniques are the countermeasure).
5 Intrusion Detection
Intrusion detection is a system's second line of defense:
- The intruder can be identified and ejected from the system.
- An effective intrusion detection facility can prevent intrusions.
- The collection of information about intrusion techniques can be used to strengthen the intrusion prevention facility.
6 Intrusion Detection
Assumption: the behavior of the intruder differs from that of a legitimate user. There can be false positives (a legitimate user flagged as an intruder) and false negatives (an intruder not flagged).
7 Intrusion Detection
Approaches to intrusion detection:
- Statistical anomaly detection: collecting data on the behavior of legitimate users over a period of time.
  - Threshold detection: defining thresholds for the frequency of occurrence of various events (independent of user).
  - Profile based: using a profile of the activity of each user to detect changes in the behavior of individual accounts.
- Rule-based detection: defining a set of rules to decide whether a given behavior is that of an intruder.
  - Anomaly detection: rules are developed to detect deviation from previous usage patterns.
  - Penetration identification: an expert system searches for suspicious behavior.
The statistical approach is effective against masqueraders but unable to deal with misfeasors. The rule-based approach is able to recognize events and sequences that, in context, reveal penetration.
8 Intrusion Detection
Audit records: records of ongoing activity used as input to an intrusion detection system.
- Native audit records: accounting software already collects information on user activity (no additional collection software).
- Detection-specific audit records: a collection facility collects the information required by the intrusion detection system. Example fields: subject, action, object, exception-condition, resource-usage, time stamp.
9 Intrusion Detection
Statistical anomaly detection:
- Threshold detection: counting the number of occurrences of a specific event type over an interval of time; if the count surpasses the threshold, an intrusion is assumed. Because of variability across users, this produces many false positives and false negatives.
- Profile-based system: characterizing the past behavior of individual users or related groups of users. The activity profile of the average user is determined by analyzing audit records over a period of time; current audit records are then used to detect significant deviations. Metrics used: mean and standard deviation, multivariate, Markov process, time series, operational.
10 Intrusion Detection
Rule-based intrusion detection: observe events in the system and apply rules.
Rule-based anomaly detection: analyze historical audit records and automatically generate rules. The rules represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on. Current behavior is then observed against those rules.
11 Intrusion Detection
Rule-based penetration identification: use rules to identify suspicious behavior, known penetrations, or penetrations that would exploit known weaknesses. Rules are generated by experts and assign degrees of suspicion to activities, for example:
- Users should not read files in other users' personal directories.
- Users must not write other users' files.
- Users who log in after hours often access the same files they used earlier.
- Users do not generally open disk devices directly.
- Users should not be logged in more than once to the same system.
- Users do not make copies of system programs.
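The three mechanisms from slides 8, 9 and 11 run over audit records in the slide-8 layout, as an added example that is not part of the slides: user-independent threshold detection, per-user profile deviation measured in standard deviations, and three of the penetration-identification rules. The sample records, the rule encodings and the z-score cut-off are this example's own assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed audit records (not from the slides), in the slide-8 layout:
# (subject, action, object, exception-condition, resource-usage, time stamp)
RECORDS = [
    ("alice", "login", "host1", "", 1, 100),
    ("alice", "read", "/home/alice/notes.txt", "", 2, 101),
    ("bob", "login", "host1", "", 1, 102),
    ("bob", "login", "host1", "", 1, 103),                 # second login to the same system
    ("bob", "write", "/home/alice/.profile", "", 3, 104),  # writes another user's file
    ("carol", "login", "host1", "BAD-PASSWORD", 1, 105),
    ("carol", "login", "host1", "BAD-PASSWORD", 1, 106),
    ("carol", "login", "host1", "BAD-PASSWORD", 1, 107),
    ("carol", "login", "host1", "BAD-PASSWORD", 1, 108),
    ("dave", "open", "/dev/sda", "", 5, 109),              # opens a disk device directly
]

def threshold_detect(records, exception, limit):
    """Threshold detection (slide 9): count one event type per subject over the
    interval covered by `records`; the same limit applies to every user."""
    counts = Counter(r[0] for r in records if r[3] == exception)
    return {subj for subj, n in counts.items() if n > limit}

def profile_detect(history, current, z=2.0):
    """Profile-based detection (slide 9): flag a user whose current count deviates
    from that user's own past mean by more than z standard deviations."""
    flagged = set()
    for user, past in history.items():
        mu, sigma = mean(past), pstdev(past) or 1.0   # flat history: avoid dividing by zero
        if (current.get(user, 0) - mu) / sigma > z:
            flagged.add(user)
    return flagged

def penetration_rules(records):
    """Rule-based penetration identification (slide 11): three of the listed rules."""
    hits, logins = [], defaultdict(int)
    for subj, action, obj, exc, _usage, _ts in records:
        if action == "write" and obj.startswith("/home/") and obj.split("/")[2] != subj:
            hits.append((subj, "writes another user's file", obj))
        if action == "open" and obj.startswith("/dev/"):
            hits.append((subj, "opens a disk device directly", obj))
        if action == "login" and not exc:                  # only successful logins count
            logins[(subj, obj)] += 1
            if logins[(subj, obj)] > 1:
                hits.append((subj, "logged in more than once to the same system", obj))
        if action == "logout":
            logins[(subj, obj)] -= 1
    return hits
```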
12 Intrusion Detection
Base-rate fallacy: practically, an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms.
- If too few intrusions are detected, the system gives a false sense of security.
- If there are too many false alarms, they are ignored or waste time.
- This is very hard to do; existing systems seem not to have a good record.
13 Intrusion Detection
Distributed intrusion detection: the traditional focus is on single systems, but organizations typically have networked systems, and a more effective defense has these working together to detect intrusions.
Issues:
- dealing with varying audit record formats
- integrity and confidentiality of networked data
- centralized or decentralized architecture
14 Intrusion Detection
Architecture for distributed intrusion detection:
- Host agent module: collects data on security-related events and transmits them to the central manager.
- LAN monitor agent module: same as a host agent module except that it analyzes LAN traffic and reports to the central manager.
- Central manager module: receives reports from LAN monitor and host agents, then processes and correlates these reports to detect intrusion.
15 Intrusion Detection
Agent architecture:
- The agent captures each native O/S audit record and applies a filter.
- A template-driven logic module analyzes the records; when suspicious activity is detected, an alert message is sent to the central manager.
- The central manager includes an expert system (which can draw inferences from received data) and can query individual systems for copies of HARs (Host Audit Records) to correlate with those from other agents.
16 Intrusion Detection
Honeypots: decoy systems that
- lure attackers away from accessing critical systems,
- collect information about their activities,
- encourage the attacker to stay on the system so the administrator can respond.
They are filled with fabricated information, instrumented to collect detailed information on attackers' activities, and can be single or multiple networked systems.
17 Password Management
Password protection is the front-line defense against intruders. Users supply both:
- a login name, which determines the privileges of that user, and
- a password, which identifies them.
Passwords are often stored encrypted: Unix uses multiple DES (a variant with salt); more recent systems use a cryptographic hash function. The password file on the system should be protected.
18 Password Management
The vulnerability of passwords. Two threats to the UNIX password scheme:
- Gaining access on a machine and then running a password guessing program on that machine with little resource consumption.
- Obtaining a copy of the password file, after which a cracker program can be run on another machine.
Passwords must NOT be too short and NOT be too easy to guess.
Access control denies the opponent access to the password file, but has several flaws:
- Many systems are susceptible to unanticipated break-ins.
- An accident of protection might render the password file readable.
- Some users use the same password on other machines.
19 Password Management
Unix password scheme: crypt(3) applies 25 DES encryptions.
Salt (12 bits):
- Related to the time at which the password is assigned to the user.
- Prevents duplicate passwords from being visible in the password file.
- Encoded as two characters selected from [./0-9A-Za-z], giving 4096 possible values.
- If bit 12 of the salt is set, then bits 12 and 36 are swapped in the DES E-box output.
20 Password Management
Password selection strategies: eliminate guessable passwords while allowing memorable passwords. Four basic techniques:
- User education: users ignore guidelines or misunderstand what a strong password is.
- Computer-generated passwords: hard to remember even if they are pronounceable.
- Reactive password checking: the system periodically runs its own password cracker to find guessable passwords. Resource intensive, and unchecked passwords remain vulnerable.
- Proactive password checking: when a user selects his or her own password, the system checks to see if the password is allowable.
21 Password Management
Proactive password checking:
- Rule enforcement: all passwords must be at least eight characters long; in the first eight characters, the password must include at least one each of uppercase, lowercase, numeric digits, and punctuation marks.
- Compiling a large dictionary of "bad" passwords: when a user selects a password, the system checks it against the dictionary. Large space (storage) and time consumption.
Two techniques for developing an effective and efficient password checker, both based on rejecting words on a list, show promise: the Markov model and the Bloom filter.
22 Password Management
Markov model: an effective and efficient proactive password checker, described as [m, A, T, k] where
- m: number of states
- A: state space
- T: matrix of transition probabilities
- k: order of the model
In a kth-order model, the probability of making a transition to a particular letter depends on the previous k characters.
23 Password Management
Second-order Markov model: M = {9, {AA, AB, AC, BA, BB, BC, CA, CB, CC}, T, 2}
T, where the entry in row XY and column Z is Pr(Z|XY), the probability that Z follows the bigram XY:

        A     B     C
  AA  0.00  0.00  0.00
  AB  0.00  0.10  0.50
  AC  0.00  0.10  0.50
  BA  0.10  0.08  0.00
  BB  0.20  0.16  0.00
  BC  0.20  0.16  0.00
  CA  0.50  0.40  0.00
  CB  0.00  0.00  0.00
  CC  0.00  0.00  0.00
24 Password Management
Second-order Markov model: calculating the transition matrix when a dictionary of guessable passwords is constructed.
1. Determine the frequency matrix f(i,j,k), the number of occurrences of the trigram consisting of the ith, jth, and kth characters.
   Example: abbbababbb contains the trigrams abb, bbb, bba, bab, aba, bab, abb, bbb.
2. For each bigram ij, calculate f(i,j,∞) as the total number of trigrams beginning with ij.
   Example: f(a, b, ∞) counts aba, abb, ...
(bigram: groups of two written letters, two syllables, or two words; trigram: triples of letters or words)
For the two-letter alphabet {A, B}, T has the layout:

        A         B
  AA  Pr(A|AA)  Pr(B|AA)
  AB  Pr(A|AB)  Pr(B|AB)
  BA  Pr(A|BA)  Pr(B|BA)
  BB  Pr(A|BB)  Pr(B|BB)
25 Password Management
3. Compute the entries of T. T reflects the structure of the words in the dictionary, so the question "Is this a bad password?" becomes "Was this password generated by this model?" Passwords likely to be generated by the model are rejected.
Table for the abbbababbb example:

        A      B
  AA  0      0
  AB  0.125  0.25
  BA  0.0    0.25
  BB  0.125  0.25
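Steps 1 to 3 carried out in code on the slide-24 example string, as an added example that is not from the slides; it also scores a candidate password by the product of its transition probabilities, which is the "was this password generated by this model?" test. The one-word dictionary and the rejection threshold are this example's own assumptions, and the `trigram_fraction` helper reproduces the normalisation the slide-25 table uses (count divided by all 8 trigrams, so aba gives 0.125) as distinct from the row-normalised T of step 3.

```python
from collections import Counter
from itertools import product

def trigram_counts(words):
    """Step 1: f(i,j,k), the number of occurrences of the trigram ijk across the dictionary."""
    f = Counter()
    for w in words:
        for n in range(len(w) - 2):
            f[w[n:n + 3]] += 1
    return f

def bigram_totals(f):
    """Step 2: f(i,j,inf), the total number of trigrams that begin with the bigram ij."""
    g = Counter()
    for tri, n in f.items():
        g[tri[:2]] += n
    return g

def trigram_fraction(f, tri):
    """Share of all trigrams: the normalisation the slide-25 table shows (aba -> 1/8 = 0.125)."""
    return f[tri] / sum(f.values())

def transition_matrix(words, alphabet):
    """Step 3: T[ij][k] = f(i,j,k) / f(i,j,inf); rows are bigram states, columns next letters."""
    f = trigram_counts(words)
    g = bigram_totals(f)
    T = {}
    for i, j in product(alphabet, repeat=2):
        T[i + j] = {k: (f[i + j + k] / g[i + j] if g[i + j] else 0.0) for k in alphabet}
    return T

def likelihood(password, T):
    """Probability that the second-order model generates `password` after its first two letters."""
    p = 1.0
    for n in range(2, len(password)):
        p *= T.get(password[n - 2:n], {}).get(password[n], 0.0)
    return p

def is_guessable(password, T, threshold):
    """Proactive check ('was this password generated by this model?'): reject if likely enough."""
    return likelihood(password, T) >= threshold

# Constructed one-word dictionary: the example string from slide 24 (threshold is arbitrary).
DICTIONARY = ["abbbababbb"]
T = transition_matrix(DICTIONARY, "ab")
```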
26 Password Management
Bloom filter: an order-k Bloom filter consists of a set of k independent hash functions.
Hash functions: each function maps a password into a hash value in the range 0 to N-1:
  H_i(X_j) = y,  1 ≤ i ≤ k;  1 ≤ j ≤ D;  0 ≤ y ≤ N-1
where X_j is the jth word in the password dictionary, D is the number of words in the password dictionary, and k is the order of the Bloom filter.
Procedure applied to the dictionary:
- A hash table of N bits, with all bits initially set to 0.
- For each password, its k hash values are calculated and the corresponding bits in the hash table are set to 1.
- If a bit already has the value 1, it remains at 1.
27 Password Management
Bloom filter password checking: the k hash values are calculated for the presented password; if all corresponding bits of the hash table are equal to 1, the password is rejected. A FALSE POSITIVE is possible.
Example (k = 2):
- H1(undertaker) = 25, H2(undertaker) = 998
- H1(hulkhogan) = 83, H2(hulkhogan) = 665
- H1(xG%#jj98) = 665, H2(xG%#jj98) = 998
Loading the dictionary sets bits 25, 83, 665 and 998 of the hash table to 1. Both bits for xG%#jj98 are already 1, so it is rejected even though it is not in the dictionary.
28 Password Management
Bloom filter: to minimize false positives.
The probability of a false positive ... or, equivalently ...
29 Password Management
Performance of the Bloom filter. Suppose the number of words in the dictionary is 1 million (10^6) and we wish the probability of a false positive to be 0.01. If we select six hash functions, the required ratio of hash table bits to dictionary words is R = 9.6, so the hash table is 9.6 × 10^6 bits, or about 1.2 MB of storage.
30 Password Management
Advantages: storage of the entire dictionary would take 8 MB, but only 1.2 MB of storage is needed, a compression factor of 7. Password checking involves the straightforward calculation of six hash functions and is independent of the size of the dictionary.
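The Bloom filter of slides 26 to 30 in working form, as an added example that is not from the slides: the filter, the check, the slide-27 walk-through with the slide's hash values supplied as lookup tables, and the sizing arithmetic using the standard false-positive estimate P = (1 - e^(-k/R))^k with R = N/D, which reproduces the slide-29 figures (k = 6, R = 9.6 gives P ≈ 0.01). The SHA-256-derived hash functions, the table size N = 1000 for the walk-through and the constructed dictionary are this example's assumptions.

```python
import hashlib
import math

class BloomFilter:
    """Order-k Bloom filter (slide 26): N-bit table, all bits initially 0, k hash functions."""
    def __init__(self, n_bits, hash_funcs):
        self.hash_funcs = hash_funcs     # each maps a word to a value in 0..N-1
        self.bits = bytearray(n_bits)    # one byte per bit, for clarity rather than compactness

    def add(self, word):
        for h in self.hash_funcs:
            self.bits[h(word)] = 1       # a bit that is already 1 stays 1

    def probably_contains(self, word):
        return all(self.bits[h(word)] == 1 for h in self.hash_funcs)

def make_hashes(k, n_bits):
    """k hash functions H_i from SHA-256 with a distinct prefix per i (assumed; slides do not fix them)."""
    def make(i):
        return lambda w: int.from_bytes(hashlib.sha256(f"{i}:{w}".encode()).digest(), "big") % n_bits
    return [make(i) for i in range(k)]

def check_password(bf, password):
    """Slide 27: reject when all k bits are set; a non-dictionary word can still hit (false positive)."""
    return "reject" if bf.probably_contains(password) else "accept"

def false_positive_rate(k, R):
    """P = (1 - e^(-k/R))^k, with R = N/D the number of table bits per dictionary word."""
    return (1 - math.exp(-k / R)) ** k

def table_megabytes(D, R):
    """Hash table size in MB for D words at R bits per word (slide 29: 10^6 words, R = 9.6)."""
    return D * R / 8 / 1e6

# Slide-27 walk-through: the slide's hash values as lookup tables; N = 1000 bits is assumed.
SLIDE_H1 = {"undertaker": 25, "hulkhogan": 83, "xG%#jj98": 665}
SLIDE_H2 = {"undertaker": 998, "hulkhogan": 665, "xG%#jj98": 998}

def slide_example():
    bf = BloomFilter(1000, [SLIDE_H1.__getitem__, SLIDE_H2.__getitem__])
    for word in ("undertaker", "hulkhogan"):   # dictionary: bits 25, 83, 665, 998 become 1
        bf.add(word)
    return check_password(bf, "xG%#jj98")      # its bits 665 and 998 are already set: "reject"

def build_filter(dictionary, k=6, n_bits=1 << 16):
    """Filter over a constructed dictionary using the SHA-256-derived hash functions."""
    bf = BloomFilter(n_bits, make_hashes(k, n_bits))
    for word in dictionary:
        bf.add(word)
    return bf
```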