1 60-564 Survey “Intrusion Detection: Systems and Models” “A Stateful Intrusion Detection System for World-Wide Web Servers”

Upload: magdalen-nash

Post on 28-Dec-2015


1

60-564 Survey

“Intrusion Detection: Systems and Models”

“A Stateful Intrusion Detection System for World-Wide Web Servers”

2

Outline

- Introduction
- Computer attacks
- The STAT framework
- Intrusion Detection System
- A novel IDS: WebSTAT
- Performance evaluation
- Conclusion

3

Introduction

- Computer security is the protection of computer resources: read and write access to a data file, processing time, and communication over a network link.
- An intrusion is somebody attempting to break into or misuse your system.
- An IDS is a network security system designed to identify intrusive or malicious behavior by monitoring network activity.

4

Computer Attacks

- Worms: self-replicating programs that spread across a network.
- Viruses: programs that replicate when a user performs some action, such as running a program.
- Server attacks: a client exploits a bug in the server to cause it to perform some unintended action.
- Client attacks: a server exploits a bug in a client to cause it to perform some unintended action.
- Network attacks (denial of service): a remote attacker exploits a bug in the network software or a weakness in the protocol to cause a server, router, or network to fail.
- Root attacks: a user on a multiuser operating system obtains the privileges of another user (usually root).

5

Computer Attacks - Worm

- A worm is an independent program that replicates from machine to machine across network connections.
- The three security flaws they exploit:
  - Backdoor: bypasses the normal security mechanisms; usually installed for maintenance purposes.
  - Buffer overflow: a process contains code, data, and a stack; the stack stores information associated with function calls. By overwriting the stack, the attacker can both inject malicious executable code and set the return address to point to that code.
  - Weak password: first guess the administrator's password, then copy itself to the startup so that it propagates every time the machine starts up.

6

Computer Attacks - Virus

- A software program capable of causing great harm to the computer.
- Unlike a worm, it requires action from a user to spread.
- For example, email viruses spread when the recipient runs an attached program.

7

Computer Attacks - Server Attacks

- Nearly every type of service has identified vulnerabilities which have been attacked.
- For example, IIS4 installs a number of sample scripts. These scripts give clients access to view any file on the same volume as the web server.

8

Computer Attacks - Client Attacks

- Unlike a server attack, it works by waiting for victims to connect to a rogue server.
- For example, a buffer overflow vulnerability has been found in Outlook. It allows arbitrary code to be executed by overflowing the time zone field in the date field of the mail header.
- It is activated when the user downloads the mail from the mail server using Outlook.

9

Computer Attacks - Network Attacks

- Usually Denial of Service (DoS) attacks, which disturb the normal operation of applications.
- They take advantage of a weakness in the system or application to cause it to crash or stop responding.
- For example, ping of death: some systems will crash if they receive a fragmented ICMP packet. The attack sends a packet larger than 65,535 bytes, which causes many TCP/IP implementations to crash.

10

Computer Attacks - Root Attacks

- A user on a multi-user system obtains root or administrative privileges.
- Certain programs have the setuid bit set; breaking such a program means obtaining the root user's privileges.

11

The STAT Framework

- STAT is a technique for representing high-level descriptions of computer attacks.
- It contains 6 components:
  - STATL Language
  - Extension Module
  - Event Provider
  - Scenario Plug-in
  - Response Module
  - STAT Core

12

The STATL Language

- Attack description language.
- Uses states and transitions to represent attack scenarios.
- Domain-independent: it is extended by the IDS developer to express the characteristics of a particular domain and environment, e.g. Sun Solaris, Windows NT.

13

Language Extension Modules

- Shared libraries that define the events that describe a particular application domain.
- Loaded into the STAT Core at runtime.
- Loaded before either a Scenario Plugin or an Event Provider can use them.

14

Event Providers

- Collect events from the external environment.
- Create events as defined in the Language Extension Modules.
- Encapsulate events into generic STAT events.
- Insert events into the event queue of the STAT Core.

15

Scenario Plugins

- A shared library that describes an attack scenario.
- It is defined either from a STATL description or manually by the user.

16

Response Modules

- A shared library that contains Response Functions.
- If a given state in a scenario is reached, the corresponding Response Function is invoked.
- For example, it can send an alert to someone, or take steps to stop an ongoing attack once a state is reached.

17

STAT Core

- Loads the various modules.
- Matches the events supplied by the Event Providers.
- Executes the corresponding transitions.
- Triggers the responses defined in the Response Modules.

18

Intrusion Detection System

- Host-based IDS
  - uses log files and the system's auditing agents
  - monitors the communications traffic in and out of a single computer
  - checks the integrity of system files and processes
- Network-based IDS
  - monitors the traffic on its network segment
  - captures three kinds of signatures: string, port and header signatures

19

WebSTAT

- An IDS developed on the basis of the STAT framework.
- Built by composing the STAT Core with a number of web language extension modules, event providers, attack scenario plugins, and response modules.

20

Attack Scenario Examples

- Document Root Escape attack: correlates events from the web server log and the operating system logs to detect unauthorized file system access.
- Cookie stealing scenario: detects whether a valid cookie is improperly used by an unauthorized user to steal protected web resources.
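As an added illustration (not code from the slides or from the STAT Tool Suite), the two WebSTAT scenarios above are expressed here as STATL-style state transitions and run by a toy core over constructed web-log and OS-audit events; the document root, the event fields and the scenario names are assumptions.

```python
import os.path
DOCROOT = "/var/www/html"  # assumed document root of the monitored web server

class Scenario:
    """STATL-style scenario: transitions are (from_state, to_state, predicate); a
    predicate inspects one event and may record values in the instance's context."""
    def __init__(self, name, transitions):
        self.name, self.transitions, self.instances = name, transitions, [("s0", {})]
    def feed(self, event):
        alarms, kept = [], []
        for state, ctx in self.instances:
            fired = False
            for src, dst, pred in self.transitions:
                new_ctx = dict(ctx)  # each forked instance keeps its own context
                if src == state and pred(event, new_ctx):
                    fired = True
                    if dst == "alarm":  # final state: hand the match to a response module
                        alarms.append((self.name, new_ctx))
                    else:
                        kept.append((dst, new_ctx))
            # s0 is nonconsuming (a match forks, the prototype stays); later states consume
            if state == "s0" or not fired:
                kept.append((state, ctx))
        self.instances = kept
        return alarms

def escapes_docroot(ev, ctx):  # request whose normalized path lands outside DOCROOT
    full = os.path.normpath(DOCROOT + "/" + ev.get("path", "").lstrip("/"))
    outside = ev["type"] == "http" and not full.startswith(DOCROOT + "/")
    return outside and ctx.update(src=ev["src"], target=full) is None  # record, then True

def cookie_seen(ev, ctx):  # remember which client address first presented a cookie
    seen = ev["type"] == "http" and bool(ev.get("cookie"))
    return seen and ctx.update(cookie=ev["cookie"], owner=ev["src"]) is None

def run(events):  # the STAT core drains its event queue in order, feeding every scenario
    scenarios = [  # escaping request then OS-level open of that file; cookie reused elsewhere
        Scenario("document-root-escape", [("s0", "s1", escapes_docroot),
                 ("s1", "alarm", lambda e, c: e["type"] == "fs" and e["path"] == c["target"])]),
        Scenario("cookie-stealing", [("s0", "s1", cookie_seen), ("s1", "alarm", lambda e, c:
                 e["type"] == "http" and e["cookie"] == c["cookie"] and e["src"] != c["owner"])]),
    ]
    return [alarm for ev in events for sc in scenarios for alarm in sc.feed(ev)]

# constructed sample events (web log and OS audit records), not taken from the slides
EVENTS = [
    {"type": "http", "src": "10.0.0.5", "cookie": "sid=abc", "path": "/app/index.html"},
    {"type": "http", "src": "203.0.113.7", "cookie": "", "path": "/../../../etc/passwd"},
    {"type": "fs", "path": "/etc/passwd"},
    {"type": "http", "src": "198.51.100.9", "cookie": "sid=abc", "path": "/app/data"},
]
```

Note that the escaping request alone raises nothing: the alarm fires only when the later OS-level event confirms the file was actually opened, which is what makes the detection stateful.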

21

Performance Evaluation

- Experiments on a host running standalone Apache and Apache monitored by WebSTAT.
- WebSTAT incurs a small performance overhead in web server throughput.
- This is acceptable given the powerful detection capabilities WebSTAT provides.
- Sophisticated web server performance tuning would also reduce the overhead.

22

Conclusion

- Presented a classification of computer attacks and intrusion detection systems.
- Described the STAT framework and the IDS implementation WebSTAT.
- From the performance evaluation results, we see that although WebSTAT brings some small performance overhead to the web server, it is acceptable considering the advanced detection capabilities.

23

References

- Sherif, J.S.; Dearmond, T.G., "Intrusion detection: systems and models"
- Sundaram, A., "An Introduction to Intrusion Detection"
- Mahoney, M., "Computer Security: A Survey of Attacks and Defenses"
- Lindqvist, U., and E. Jonsson, "How to Systematically Classify Computer Security Intrusions"
- Giovanni Vigna, William Robertson, Vishal Kher, and Richard A. Kemmerer, "A Stateful Intrusion Detection System for World-Wide Web Servers"
- STAT Framework Reference Manual
- S.T. Eckmann, G. Vigna, and R.A. Kemmerer, "STATL: An Attack Language for State-based Intrusion Detection"
- G. Vigna, S.T. Eckmann, and R.A. Kemmerer, "The STAT Tool Suite"
- G. Vigna, R.A. Kemmerer, and P. Blix, "Designing a Web of Highly-Configurable Intrusion Detection Sensors"