453 Network Security Section 6: Intruders and Viruses Dr. E.C. Kulasekere Sri Lanka Institute of Information Technology - 2006


Page 1: 453 Network Security

453 Network Security

Section 6: Intruders and Viruses
Dr. E.C. Kulasekere

Sri Lanka Institute of Information Technology - 2006

Page 2: 453 Network Security

Intruders

• significant issue for networked systems is hostile or unwanted access, either via the network or locally

• can identify classes of intruders:
  – masquerader
  – misfeasor
  – clandestine user

• varying levels of competence

• clearly a growing, publicized problem

• may use a compromised system to launch other attacks

Page 3: 453 Network Security

Intrusion Techniques

• aim to increase privileges on the system

• basic attack methodology:
  – target acquisition and information gathering
  – initial access
  – privilege escalation
  – covering tracks

• key goal is often to acquire passwords

• so they can then exercise the access rights of the owner

Page 4: 453 Network Security

Intrusion Detection (1)

• inevitably there will be security failures

• so also need to detect intrusions, so as to:
  – block the intrusion if detected quickly
  – act as a deterrent
  – collect information to improve security

• assume the intruder will behave differently to a legitimate user
  – but will have imperfect distinction between

Page 5: 453 Network Security

Intrusion Detection (1)

• An IDS monitors for and identifies attempted unauthorized system access or manipulation.

• Most IDSs are software programs installed on top of the OS.

• Network-sniffing IDSs are deployed as hardware devices for performance.

• IDSs range from packet-level screening to application-level screening.

Page 6: 453 Network Security

Events that can be Detected by an IDS

• Impersonation attempts

• Password cracking

• Protocol attacks

• Buffer overflows

• Installation of root kits

• Rogue commands

• Software vulnerability exploits

• Malicious code like viruses, worms and Trojans

• Illegal data manipulation

• Unauthorized file access

• Denial of service (DoS) attacks

Page 7: 453 Network Security

Base-Rate Fallacy

• practically, an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
  – if too few intrusions are detected -> false sense of security
  – if too many false alarms -> alarms get ignored / waste time

• this is very hard to do

• existing systems seem not to have a good record
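As an added illustration (not from the slides) of why this is hard: when intrusions are rare, even a detector with a high detection rate and a low false-alarm rate produces alarms that are mostly false. The rates used below are constructed, hypothetical figures.

```python
# Added example (not from the slides): the base-rate fallacy for an IDS, worked
# through with Bayes' theorem. All rates are constructed, hypothetical figures.

def alarm_precision(intrusion_rate, detection_rate, false_alarm_rate):
    """Probability that an alarm is a real intrusion, P(I | A).

    intrusion_rate    P(I):      fraction of audited events that are intrusions
    detection_rate    P(A | I):  fraction of intrusions that raise an alarm
    false_alarm_rate  P(A | ~I): fraction of benign events that raise an alarm
    """
    p_alarm = detection_rate * intrusion_rate + false_alarm_rate * (1.0 - intrusion_rate)
    return detection_rate * intrusion_rate / p_alarm

def false_alarms_per_detection(intrusion_rate, detection_rate, false_alarm_rate):
    """How many false alarms an operator wades through per true detection."""
    true_alarms = detection_rate * intrusion_rate
    false_alarms = false_alarm_rate * (1.0 - intrusion_rate)
    return false_alarms / true_alarms

def required_false_alarm_rate(intrusion_rate, detection_rate, target_precision):
    """Largest P(A | ~I) that still keeps P(I | A) >= target_precision.
    Solves d*i / (d*i + f*(1-i)) = t for f."""
    return (detection_rate * intrusion_rate * (1.0 - target_precision)
            / (target_precision * (1.0 - intrusion_rate)))

if __name__ == "__main__":
    # Hypothetical: 1 intrusion per 100,000 audit records, a detector that
    # catches 99% of them and mis-flags only 0.1% of benign records.
    i, d, f = 1e-5, 0.99, 1e-3
    print(f"P(intrusion | alarm) = {alarm_precision(i, d, f):.4f}")                  # about 0.0098
    print(f"false alarms per true detection = {false_alarms_per_detection(i, d, f):.0f}")  # about 101
    print(f"false-alarm rate needed for 50% precision = {required_false_alarm_rate(i, d, 0.5):.2e}")
```

With these figures roughly 99 of every 100 alarms are false, and reaching even 50% precision requires a false-alarm rate near 1e-5, two orders of magnitude below the assumed one.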

Page 8: 453 Network Security

Types of IDS

• Methods of detection
  – Statistical anomaly detectors (behavior based)
  – Signature based (knowledge-based or pattern matching)

• Types of implementation
  – Host based (detects anomalies on one specific host)
  – Network based (operates on network segments and analyzes the segment traffic)

Page 9: 453 Network Security

Distributed Intrusion Detection

• traditional focus is on single systems

• but typically have networked systems

• a more effective defense has these working together to detect intrusions

• issues:
  – dealing with varying audit record formats
  – integrity & confidentiality of networked data
  – centralized or decentralized architecture

Page 10: 453 Network Security

Network Based IDSs (1)

• This resides on a discrete network segment and monitors the traffic on that segment.

• It is a computer with a NIC set to promiscuous mode, intercepting and analyzing the packets in real time.

• Packets are identified as being of interest if they match a particular signature.

Page 11: 453 Network Security

Network Based IDSs (2)

• Three primary types of signatures are:
  – String signatures: look for a text string that indicates a possible attack.
  – Port signatures: watch for connection attempts to well known, frequently attacked ports.
  – Header condition signatures: watch for dangerous or illegal combinations in packet headers.
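The three signature types above, as an added example that is not part of the slides: a small Python matcher run over constructed packet records. The packet fields, signature strings, port list and flag rules are hypothetical choices for illustration, not any real IDS rule set.

```python
# Added example (not from the slides): the three network-IDS signature types
# (string, port, header condition) run over constructed packet records.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: set = field(default_factory=set)   # TCP flags set, e.g. {"SYN"}
    payload: bytes = b""

# String signatures: a text string that indicates a possible attack (hypothetical rules).
STRING_SIGNATURES = {"directory-traversal": b"../../", "shell-invocation": b"/bin/sh"}

# Port signatures: connection attempts (bare SYN) to well known, frequently attacked ports.
PORT_SIGNATURES = {23: "telnet", 135: "msrpc", 445: "smb", 1433: "mssql"}

def header_condition_signatures(pkt):
    """Header signatures: dangerous or illegal TCP flag combinations."""
    hits = []
    if {"SYN", "FIN"} <= pkt.flags:
        hits.append("syn-fin-scan")      # SYN and FIN never legitimately coexist
    if pkt.flags == {"FIN", "PSH", "URG"}:
        hits.append("xmas-scan")
    if not pkt.flags:
        hits.append("null-scan")         # a segment with no flags at all is never valid
    return hits

def match_signatures(pkt):
    """Names of every signature this packet matches; empty means not of interest."""
    hits = [name for name, s in STRING_SIGNATURES.items() if s in pkt.payload]
    if pkt.flags == {"SYN"} and pkt.dport in PORT_SIGNATURES:
        hits.append("probe-" + PORT_SIGNATURES[pkt.dport])
    hits.extend(header_condition_signatures(pkt))
    return hits

def scan_segment(packets):
    """Sensor loop: keep only the matching packets, with what they matched."""
    return [(p.src, p.dst, p.dport, m) for p in packets if (m := match_signatures(p))]

# Constructed sample traffic on the monitored segment.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.20", 80, {"ACK", "PSH"}, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.20", 80, {"ACK", "PSH"}, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.20", 445, {"SYN"}),
    Packet("10.0.0.9", "10.0.0.20", 22, {"SYN", "FIN"}),
    Packet("10.0.0.9", "10.0.0.20", 22, set()),
]
```

Calling scan_segment(SAMPLE_TRAFFIC) returns four alerts; the plain HTTP request in the first packet matches nothing and is dropped, which is the "only packets of interest" behaviour the slide describes.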

Page 12: 453 Network Security

Network Based IDSs (3)

• These types of IDSs provide reliable real-time information without consuming network or host resources.

• They cannot detect an attack on the host if the intruder is logged onto the host's terminal.

• Even if it is detected, the detection is minimal since the packets cannot be analyzed.

Page 13: 453 Network Security

Host Based IDSs (1)

• These are small computer programs called agents that reside on a host computer.

• They monitor the OS, detecting inappropriate activities, writing to log files and triggering alarms.

• They can only detect activities on the host and not on the network segment on which the host resides.

• The detection capability is limited by the completeness of the host logs.

Page 14: 453 Network Security

Host Based IDSs (2)

• Host based IDSs have the following characteristics:
  – They monitor accesses and changes to critical system files and changes to user privileges.
  – They detect trusted insider attacks better than network based IDSs.
  – They can detect attacks from the outside to a certain extent.
  – They can be configured to look at all network packets, connection attempts, etc.

Page 15: 453 Network Security

Signature Based IDSs (1)

• The signatures related to an attack have to be stored so that they can be referred to.

• When data from the host log or from network monitoring is picked up, it is compared with the attack signatures.

• If there is a match, then a response is initiated.

• These suffer less from the base-rate fallacy than behavior based IDSs do.

Page 16: 453 Network Security

Signature Based IDSs (2)

• One issue is that these cannot detect attacks that are spread over a long period of time.

• The reason is that these IDSs do not analyze a large history of data to determine an attack.

• Another weakness is that only the stored signatures will be recognized: new attack types will not be detected.

Page 17: 453 Network Security

Signature Based IDSs (3)

• Another disadvantage is that these are resource intensive.

• Attacks are very focused: they depend on the OS, the platform, the application, etc.

Page 18: 453 Network Security

Statistical Anomaly Detection (1)

• This is behavior based and dynamic detection.

• The basis is that if the user behaves abnormally then an alarm is triggered and a response sent.

• A "normal" user profile is needed. This is obtained by taking statistical samples.

• With this kind of IDS new attacks can be detected, since they will be considered an anomaly.

Page 19: 453 Network Security

Statistical Anomaly Detection (2)

• Advantages
  – New situations can be detected.
  – It is not dependent on a specific operating system.
  – It helps detect abuse-of-privilege attacks that do not actually involve exploiting any security vulnerability.

• Disadvantages
  – It will not detect any attack that does not significantly change the OS characteristics.
  – It may falsely detect a one-time anomaly as an attack.
  – High false alarm rate.
  – Sometimes the behavior of network users is not static enough to be analyzed using statistical methods.
  – The network may experience an attack at the same time the IDS is learning the behavior.
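An added example (not from the slides) of the profile-and-deviation approach, showing two of the listed disadvantages: a legitimate one-time anomaly raising a false alarm, and a profile learned while an attack is already under way failing to alarm on that attack. The metric (commands issued per session), the sample values and the 3-sigma threshold are constructed assumptions.

```python
# Added example (not from the slides): a statistical anomaly detector that learns a
# "normal" profile from samples and alarms on deviation. Metric, samples and the
# 3-sigma threshold are constructed assumptions.
import statistics

class UserProfile:
    def __init__(self, threshold=3.0):
        self.samples = []
        self.threshold = threshold     # alarm when |z| exceeds this many std devs

    def learn(self, value):
        self.samples.append(value)

    def mean_std(self):
        return statistics.mean(self.samples), statistics.pstdev(self.samples)

    def zscore(self, value):
        mean, std = self.mean_std()
        if std == 0:                   # degenerate profile: anything different is "infinitely" odd
            return 0.0 if value == mean else float("inf")
        return (value - mean) / std

    def is_anomalous(self, value):
        return abs(self.zscore(value)) > self.threshold

def build_profile(samples, threshold=3.0):
    """Learning phase: feed the observed samples into a fresh profile."""
    p = UserProfile(threshold)
    for s in samples:
        p.learn(s)
    return p

def contaminated_profile(samples, attack_values, threshold=3.0):
    """Profile learned while an attack was already under way: the attacker's
    activity becomes part of 'normal' (the learning-phase weakness above)."""
    return build_profile(list(samples) + list(attack_values), threshold)

def evaluate(profile, observations):
    """Detection phase: the observations the IDS would raise an alarm on."""
    return [v for v in observations if profile.is_anomalous(v)]

# Constructed training period: a user who normally runs 40-60 commands per session.
TRAINING = [48, 52, 45, 55, 50, 47, 53, 49, 51, 50]

if __name__ == "__main__":
    clean = build_profile(TRAINING)
    print("alarms:", evaluate(clean, [50, 49, 120, 400]))          # [120, 400]
    # A legitimate one-off burst (a big batch job) alarms too: a false alarm.
    print("one-time anomaly flagged:", clean.is_anomalous(120))    # True
    # If 400-command sessions were present during learning, they no longer alarm.
    print("after contaminated learning:", contaminated_profile(TRAINING, [400] * 3).is_anomalous(400))  # False
```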

Page 20: 453 Network Security

Issues Related to Effective Use of IDSs (1)

• From the attacker's point of view, he will be compelled to use better techniques to attack systems.

• Attackers will use encrypted means to transmit malicious material.

• Data needs to be interoperated and correlated across many networks for an IDS to be used effectively.

• Increased network traffic is a problem.

Page 21: 453 Network Security

Issues Related to Effective Use of IDSs (2)

• Risks inherent in taking inappropriate automated response actions.

• Attacks on IDSs themselves.

• Lack of objectives in evaluating the suitability of an IDS.

• Most computer infrastructure is not designed to operate securely.

Page 22: 453 Network Security

Honeypots

• This is a different manner in which intrusion detection can be done.

• decoy systems to lure attackers
  – away from accessing critical systems
  – to collect information on their activities
  – to encourage the attacker to stay on the system so the administrator can respond

• are filled with fabricated information

• instrumented to collect detailed information on attackers' activities

• may be single or multiple networked systems

Page 23: 453 Network Security

Honeypot Operations (1)

• There are three main uses of honeypots:
  – Preventing attacks
  – Detecting attacks
  – Responding to attacks

• Preventing attacks
  – Slowing or impeding scans initiated by worms or automated attacks, by monitoring unused IP space and detecting scanning activity.
  – Consuming the attacker's energy through interaction with a honeypot while the attack is detected, analyzed and handled.
  – Deterring an attack by a cracker who suspects a network employs honeypots and is concerned about getting caught.

Page 24: 453 Network Security

Honeypot Operations (2)

• Detecting attacks
  – The ability to capture new and unknown attacks.
  – The ability to capture polymorphic code.
  – They reduce the amount of data that has to be analyzed by capturing only attack information.

• Responding to attacks
  – Honeypots can be taken offline to analyze and prepare a response.

Page 25: 453 Network Security

Viruses and Other Malicious Content

• computer viruses have got a lot of publicity

• one of a family of malicious software

• effects usually obvious

• have figured in news reports, fiction, movies (often exaggerated)

• getting more attention than they deserve

• are a concern though

Page 26: 453 Network Security

Malicious Software

Page 27: 453 Network Security

Trapdoors

• secret entry point into a program

• allows those who know of it to gain access, bypassing the usual security procedures

• have been commonly used by developers

• a threat when left in production programs, allowing them to be exploited by attackers

• very hard to block in the O/S

• requires good s/w development & update practices

Page 28: 453 Network Security

Logic Bomb

• one of the oldest types of malicious software

• code embedded in a legitimate program

• activated when specified conditions are met
  – eg presence/absence of some file
  – particular date/time
  – particular user

• when triggered typically damages the system
  – modify/delete files/disks

Page 29: 453 Network Security

Trojan Horse

• program with hidden side-effects

• which is usually superficially attractive
  – eg game, s/w upgrade etc

• when run performs some additional tasks
  – allows attacker to indirectly gain access they do not have directly

• often used to propagate a virus/worm or install a backdoor

• or simply to destroy data

Page 30: 453 Network Security

Zombie

• program which secretly takes over another networked computer

• then uses it to indirectly launch attacks

• often used to launch distributed denial of service (DDoS) attacks

• exploits known flaws in network systems

Page 31: 453 Network Security

Viruses

• a piece of self-replicating code attached to some other code
  – cf biological virus

• both propagates itself & carries a payload
  – carries code to make copies of itself
  – as well as code to perform some covert task

Page 32: 453 Network Security

Virus Operation

• virus phases:
  – dormant – waiting on trigger event
  – propagation – replicating to programs/disks
  – triggering – by event to execute payload
  – execution – of payload

• details usually machine/OS specific
  – exploiting features/weaknesses

Page 33: 453 Network Security

Virus Structure

program V :=
{goto main;
 1234567;

 subroutine infect-executable :=
   {loop:
     file := get-random-executable-file;
     if (first-line-of-file = 1234567)
       then goto loop
       else prepend V to file;
   }

 subroutine do-damage :=
   {whatever damage is to be done}

 subroutine trigger-pulled :=
   {return true if some condition holds}

main: main-program :=
   {infect-executable;
    if trigger-pulled then do-damage;
    goto next;}

next:
}

Page 34: 453 Network Security

Types of Viruses

• can classify on basis of how they attack

• parasitic virus

• memory-resident virus

• boot sector virus

• stealth

• polymorphic virus

• macro virus

Page 35: 453 Network Security

Macro Virus

• macro code attached to some data file

• interpreted by program using file
  – eg Word/Excel macros
  – esp. using auto command & command macros

• code is now platform independent

• is a major source of new viral infections

• blurs distinction between data and program files, making task of detection much harder

• classic trade-off: "ease of use" vs "security"

Page 36: 453 Network Security

Email Virus

• spread using email with attachment containing a macro virus
  – cf Melissa

• triggered when user opens attachment

• or worse, even when mail is viewed, by using scripting features in the mail agent

• usually targeted at Microsoft Outlook mail agent & Word/Excel documents

Page 37: 453 Network Security

Worms

• replicating but not infecting program

• typically spreads over a network
  – cf Morris Internet Worm in 1988
  – led to creation of CERTs

• using users' distributed privileges or by exploiting system vulnerabilities

• widely used by hackers to create zombie PCs, subsequently used for further attacks, esp DoS

• major issue is lack of security of permanently connected systems, esp PCs

Page 38: 453 Network Security

Worm Operation

• worm phases like those of viruses:
  – dormant
  – propagation
    • search for other systems to infect
    • establish connection to target remote system
    • replicate self onto remote system
  – triggering
  – execution

Page 39: 453 Network Security

Virus Countermeasures

• viral attacks exploit lack of integrity control on systems

• to defend, need to add such controls

• typically by one or more of:
  – prevention - block virus infection mechanism
  – detection - of viruses in infected system
  – reaction - restoring system to clean state

Page 40: 453 Network Security

Anti-Virus Software

• first-generation
  – scanner uses virus signature to identify virus
  – or change in length of programs

• second-generation
  – uses heuristic rules to spot viral infection
  – or uses program checksums to spot changes

• third-generation
  – memory-resident programs identify virus by actions

• fourth-generation
  – packages with a variety of antivirus techniques
  – eg scanning & activity traps, access-controls
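As an added example tying the integrity control of the Virus Countermeasures slide to the first- and second-generation checks just listed (change in program length, program checksums): a Python baseline-and-compare check over a constructed set of programs. This is illustrative code, not any product's implementation; the file names and contents are made up, and snapshot_directory is a hypothetical helper for applying the same check to a real directory.

```python
# Added example (not from the slides): integrity baseline of program lengths and
# checksums, compared against a later state. File names and contents are constructed.
import hashlib
import os

def fingerprint(data):
    """Length plus SHA-256 digest: a length check alone misses same-size edits."""
    return (len(data), hashlib.sha256(data).hexdigest())

def baseline(files):
    """files: mapping of program path -> bytes (an in-memory snapshot)."""
    return {path: fingerprint(data) for path, data in files.items()}

def snapshot_directory(root):
    """Read every regular file under root into the mapping baseline() expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[os.path.relpath(path, root)] = fh.read()
    return files

def compare(base, current):
    """Classify programs as modified (with old/new length), missing, or new
    relative to the baseline; a same-length edit is still caught by the digest."""
    report = {"modified": [], "missing": [], "new": []}
    for path, (old_len, old_hash) in base.items():
        if path not in current:
            report["missing"].append(path)
            continue
        new_len, new_hash = fingerprint(current[path])
        if new_hash != old_hash:
            report["modified"].append((path, old_len, new_len))
    report["new"] = sorted(set(current) - set(base))
    return report

# Constructed "clean" programs and a later state in which a prepended block grew
# one file, a same-length edit changed another, and an unknown file appeared.
CLEAN = {"bin/ls": b"ELF-ls-program", "bin/cat": b"ELF-cat-program"}
LATER = {"bin/ls": b"PREPENDED" + b"ELF-ls-program",
         "bin/cat": b"ELF-cat-PROGRAM",
         "bin/dropped": b"unknown"}

if __name__ == "__main__":
    print(compare(baseline(CLEAN), LATER))
```

In practice the baseline itself must be stored where the monitored system cannot alter it, otherwise the same lack of integrity control the slide describes applies to the checksums.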

Page 41: 453 Network Security

Advanced Anti-Virus Techniques

• generic decryption
  – use CPU simulator to check program signature & behavior before actually running it

• digital immune system (IBM)
  – general purpose emulation & virus detection
  – any virus entering org is captured, analyzed, detection/shielding created for it, removed