
ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability



Presentation Transcript


  1. ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability
     Dr. S. Felix Wu, Computer Science Department, University of California, Davis
     http://www.cs.ucdavis.edu/~wu/ sfelixwu@gmail.com
     ecs236 winter 2007

  2. Intrusion Prevention
     • Prevention: This should/must never be broken in!
     • “This” means a perfectly designed, implemented, and managed/configured secure system!

  3. Intrusion Detection
     • Prevention: This should/must never be broken in!
     • Detection:
       • The IDS (Intrusion Detection System) approach has been taken as the “Second Line of Defense” and a “Short Term Solution”.

  4. Examples
     • Application/service issues → Firewalls
     • Email spam / VoIP spit → Spam filters
     • Phishing → Phishing detectors
     • The list goes on…

  5. Examples
     • Application/service issues → Firewalls
     • Email spam / VoIP spit → Spam filters
     • Phishing → Phishing detectors
     • It is NOT whether we need the “detection approach”
     • It is whether it can be effective.

  6. Intrusion Detection
     • Prevention: This should/must never be broken in!
     • Detection: “This” will need to face the reality check!
       • We had, have, and will have so many “expected” unexpected.
       • Industry has never been really serious about cyber security; it is profit/market-driven.

  7. We accept it as a fact…

  8. And, we have to have…

  9. Intrusion Detection
     • Prevention: This should/must never be broken in!
     • Detection: “This” will need to face the reality check!
       • We had, have, and will have so many “expected” unexpected.
       • We had, have, and will have even more “unexpected” unexpected!!

  10. To: All Faculty, Staff and Students
     On Tuesday, January 03, 2006, UC Davis implemented temporary measures to prevent the exploitation of a serious new computer vulnerability for which no patch is yet available. This vulnerability affects Windows 2000, Windows XP, Windows Server 2003, Windows 98 and ME systems and may be exploited when infected email file attachments or infected Web pages are viewed. Once a computer is infected, data may be permanently lost and/or a remote attacker could gain control of the computer. After extensive consultation with the campus leadership, the decision has been made to temporarily block wmf image attachments. These files can have a number of different extensions, but most commonly will have .wmf and .jpg extensions.
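The notice points at the practical difficulty of such a block: the files "can have a number of different extensions", so an attachment filter that trusts the filename misses the disguised cases. The gate below is an added example written for this page (not code from the lecture or from the campus mail system): it classifies an attachment by its leading bytes, using the published header constants of the WMF, JPEG and PNG formats, and blocks on content type as well as on extension. All sample attachments are constructed.

```python
"""Attachment gate that decides on file content rather than filename extension.
Added example for the UC Davis WMF notice; the magic-number constants are the
formats' published header values, the sample attachments are constructed."""

import struct

# Leading bytes of the formats the gate recognises.
PLACEABLE_WMF_MAGIC = b"\xd7\xcd\xc6\x9a"   # Aldus placeable metafile key 0x9AC6CDD7 (little-endian)
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def classify(data: bytes) -> str:
    """Return a content-type name derived from the bytes, or 'unknown'."""
    if data.startswith(PLACEABLE_WMF_MAGIC):
        return "wmf"
    # A standard (non-placeable) WMF starts with the METAHEADER: Type (1 = disk,
    # 2 = memory), HeaderSize (always 9 words), Version (0x0100 or 0x0300), little-endian.
    if len(data) >= 6:
        mf_type, header_size, version = struct.unpack("<HHH", data[:6])
        if mf_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    return "unknown"


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def gate(filename: str, data: bytes, blocked_types=("wmf",), blocked_exts=("wmf",)) -> dict:
    """Block if the content is a blocked type OR the extension is on the block list.
    Every reason is recorded so the mail log explains why a '.jpg' was stopped."""
    content = classify(data)
    ext = extension_of(filename)
    reasons = []
    if content in blocked_types:
        reasons.append(f"content identified as {content}")
    if ext in blocked_exts:
        reasons.append(f"extension .{ext} is on the block list")
    return {"filename": filename, "extension": ext, "content": content,
            "blocked": bool(reasons), "reasons": reasons}


# Constructed samples: a WMF header under a .jpg name, a real-looking JPEG,
# a standard WMF header, and plain text carrying a .wmf name.
SAMPLE_ATTACHMENTS = {
    "photo.jpg": PLACEABLE_WMF_MAGIC + b"\x00" * 18,
    "holiday.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00",
    "diagram.wmf": struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12,
    "notes.wmf": b"just some text",
}


def scan_all(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Run the gate over every attachment and return the decisions by filename."""
    return {name: gate(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, decision in scan_all().items():
        print(name, "BLOCKED" if decision["blocked"] else "ok", decision["reasons"])
```

The gate only reads the header; a production filter would go on to parse the metafile records, since the header alone says nothing about whether the image is malicious. The point here is the ordering of checks: content first, extension second, and both reasons kept for the log.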

  11. Max-Sequence # Attack
     • Block LSA updates for one hour by injecting one bad LSA.
     • You can hit it once and come back in an hour.
     • Implementation bug!
       • Two independently developed OSPF packages.
       • MaxSeq# LSA purging has not been implemented correctly!!
     • Announced in May, 1997.
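The "one hour" on this slide is the OSPF MaxAge (3600 seconds): once a router's LSDB holds an instance of a router's own LSA carrying MaxSequenceNumber, nothing the router originates can be "newer" until that instance ages out, unless the router performs the purge that RFC 2328 requires (flush the MaxSequenceNumber instance by premature aging, then re-originate from InitialSequenceNumber). The simulation below is an added example written for this page, not code from the lecture or from any OSPF implementation; it collapses the whole flooding domain into one shared database, skips acknowledgements and propagation delay, and contrasts a router that purges correctly with one that does not.

```python
"""Toy model of OSPF self-originated LSA handling at MaxSequenceNumber
(RFC 2328 sections 12.1.6 and 13.4). Added example; the network is collapsed
to a single LSDB and the 'bad' LSA is a constructed object, not a capture."""

from dataclasses import dataclass

MAX_SEQ = 0x7FFFFFFF        # MaxSequenceNumber
INITIAL_SEQ = -0x7FFFFFFF   # InitialSequenceNumber (0x80000001 as a signed 32-bit value)
MAX_AGE = 3600              # MaxAge in seconds: an LSA this old is removed from every LSDB


@dataclass
class LSA:
    origin: str       # advertising router
    seq: int          # LS sequence number, signed 32-bit semantics
    age: int = 0      # LS age in seconds
    links: str = ""   # stand-in for the advertised link state


def is_newer(a: LSA, b: LSA) -> bool:
    """Simplified RFC 2328 13.1 ordering: the higher sequence number is newer;
    at equal sequence numbers a MaxAge instance is newer, so a flush can win."""
    if a.seq != b.seq:
        return a.seq > b.seq
    return a.age == MAX_AGE and b.age != MAX_AGE


class LSDB:
    """The area's link-state database, collapsed to one table for the simulation."""

    def __init__(self):
        self.entries = {}

    def install(self, lsa: LSA) -> bool:
        """Accept the LSA if newer than what we hold; an accepted MaxAge
        instance removes the entry instead of being stored."""
        current = self.entries.get(lsa.origin)
        if current is not None and not is_newer(lsa, current):
            return False
        if lsa.age >= MAX_AGE:
            self.entries.pop(lsa.origin, None)
        else:
            self.entries[lsa.origin] = lsa
        return True

    def tick(self, seconds: int) -> None:
        """Age every LSA; entries reaching MaxAge are purged."""
        for origin, lsa in list(self.entries.items()):
            lsa.age += seconds
            if lsa.age >= MAX_AGE:
                del self.entries[origin]


class Router:
    def __init__(self, rid: str, db: LSDB, purges_at_max_seq: bool):
        self.rid, self.db = rid, db
        self.purges_at_max_seq = purges_at_max_seq   # the implementation choice under test
        self.seq = INITIAL_SEQ
        self.refresh()

    def refresh(self) -> bool:
        """Originate a fresh instance of our router-LSA with the current sequence number."""
        return self.db.install(LSA(self.rid, self.seq, 0, "real links"))

    def on_self_originated(self, received: LSA) -> None:
        """RFC 2328 13.4: on seeing a newer instance of our own LSA, re-originate
        with a larger sequence number. At MaxSequenceNumber there is none, so the
        instance must be flushed (premature aging) before re-originating from
        InitialSequenceNumber. A package that skips the flush leaves the foreign
        instance in place and its own updates are rejected as older."""
        if received.seq < MAX_SEQ:
            self.seq = received.seq + 1
            self.refresh()
        elif self.purges_at_max_seq:
            self.db.install(LSA(self.rid, MAX_SEQ, MAX_AGE))   # flush the stuck instance
            self.seq = INITIAL_SEQ
            self.refresh()


def seconds_until_recovery(purges_at_max_seq: bool, step: int = 60) -> int:
    """Scenario from the slide: one self-originated LSA with MaxSequenceNumber
    shows up (constructed); count how long the router's real links stay out of the LSDB."""
    db = LSDB()
    router = Router("10.0.0.1", db, purges_at_max_seq)
    bad = LSA("10.0.0.1", MAX_SEQ, 0, "bogus links")
    db.install(bad)
    router.on_self_originated(bad)
    elapsed = 0
    while db.entries.get(router.rid, LSA("", 0)).links != "real links":
        db.tick(step)
        elapsed += step
        router.refresh()   # the router keeps re-advertising its real links
    return elapsed


if __name__ == "__main__":
    print("purging implementation recovers after", seconds_until_recovery(True), "s")
    print("non-purging implementation recovers after", seconds_until_recovery(False), "s")
```

The two return values (0 seconds versus 3600 seconds) are the whole story of the slide: the protocol has a defined recovery path, and the outage exists only where the implementation omits it. A conformance test for an OSPF package is exactly this scenario run against the real code.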

  12. What is Intrusion Detection?

  13. Intrusion Detection
     • Detecting intrusions such as
       • Viruses, worms, spyware, phishing, spamming, insiders, unauthorized activities, faults/failures, among many others
     • Detecting and managing anything “unexpected”
       • Anomalies
     • Question: “Detecting what??”

  14. Intrusion Detection Model (figure: Input event sequence → [Intrusion Detection] → Results)

  15. Results??
     • This email contains virus XYZ
     • This email might be spam with 80% probability
     • This email is somewhat trusted based on your social network
     • This email might be malicious
     • This email might be malicious for reasons ABC and DEF.

  16. Intrusion Detection Model (figure: Input event sequence → [Intrusion Detection: pattern matching] → Results)

  17. IDS Events
     • TCPdump traces
     • OS kernel and host-level information
     • BGP traces
     • Application logs
     • Many others…

  18. Anti-Virus (figure: Virus definition → [Virus Detection: pattern matching]; Input event sequence → Results)

  19. Credit Card Fraud Detection (figure: Spending patterns → [Fraud Detection: statistical pattern matching]; Input event sequence → Results)

  20. SNORT (figure: Rules → [pattern matching]; Input event sequence → Results)
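Slides 14 to 20 describe one model with different knowledge sources plugged in: an input event sequence goes through pattern matching (signature rules, virus definitions, spending patterns) and comes out as results, which on slide 15 carry a verdict, a confidence and the reasons. The code below is an added example written for this page that instantiates that model end to end; the rule format is a deliberate simplification and is not Snort's syntax, the events, the spending history and the rule set are all constructed, and the confidence formula is an assumption chosen for illustration.

```python
"""Minimal instance of the IDS model on slides 14-20: event sequence in,
pattern matching (signature and statistical), results with reasons out.
Added example; rules, events and history are constructed for this page."""

from dataclasses import dataclass, field
import re
import statistics


@dataclass
class Event:
    source: str
    kind: str          # "email", "http", "purchase", ...
    payload: str
    amount: float = 0.0


@dataclass
class Result:
    index: int
    verdict: str
    confidence: float
    reasons: list = field(default_factory=list)


# Signature rules: (id, event kind, regex over the payload, explanation).
# Simplified format, not Snort syntax.
SIGNATURES = [
    ("sig-001", "email", r"(?i)verify your account", "phishing lure wording"),
    ("sig-002", "email", r"(?i)attachment:\s*\S+\.wmf\b", "blocked attachment type"),
    ("sig-003", "http", r"\.\./", "directory traversal sequence in request"),
]

# The "spending patterns" box of slide 19: past amounts per card (constructed).
SPENDING_HISTORY = {"card-42": [20.0, 35.0, 25.0, 30.0, 40.0, 30.0]}


def signature_matches(event: Event) -> list:
    """Every signature whose kind and pattern match the event, as reason strings."""
    return [f"{sid}: {why}" for sid, kind, pattern, why in SIGNATURES
            if kind == event.kind and re.search(pattern, event.payload)]


def statistical_anomaly(event: Event, history: dict, threshold: float = 3.0):
    """Flag a purchase whose amount sits more than `threshold` standard deviations
    above the card's historical mean; needs at least five past samples."""
    past = history.get(event.source, [])
    if event.kind != "purchase" or len(past) < 5:
        return None
    mean = statistics.mean(past)
    sd = statistics.pstdev(past) or 1.0
    z = (event.amount - mean) / sd
    if z > threshold:
        return f"stat: {event.amount:.2f} is {z:.1f} sd above this card's mean of {mean:.2f}"
    return None


def run_ids(events: list, history: dict = SPENDING_HISTORY) -> list:
    """The detection box: walk the event sequence and emit a Result per flagged event."""
    results = []
    for i, ev in enumerate(events):
        reasons = signature_matches(ev)
        anomaly = statistical_anomaly(ev, history)
        if anomaly:
            reasons.append(anomaly)
        if reasons:
            # Assumed scoring: confidence grows with corroborating reasons, capped at 1.0.
            confidence = min(1.0, 0.5 + 0.25 * len(reasons))
            results.append(Result(i, "suspicious", confidence, reasons))
    return results


# Constructed input event sequence.
SAMPLE_EVENTS = [
    Event("mail-gw", "email", "Please verify your account at http://example.invalid/login"),
    Event("mail-gw", "email", "Lunch on Friday?"),
    Event("10.0.0.5", "http", "GET /cgi-bin/../../etc/passwd HTTP/1.0"),
    Event("card-42", "purchase", "POS terminal 7", amount=32.0),
    Event("card-42", "purchase", "online merchant", amount=2500.0),
    Event("mail-gw", "email", "Please verify your account; attachment: invoice.wmf"),
]


if __name__ == "__main__":
    for r in run_ids(SAMPLE_EVENTS):
        print(f"event {r.index}: {r.verdict} ({r.confidence:.2f}) because {r.reasons}")
```

Two points the slides make are visible in the output: the last email is flagged "for reasons ABC and DEF" (two signatures corroborate, so it scores higher than any single hit), and the fraud check reaches a verdict with no signature at all, purely from the deviation against the card's profile. Swapping SIGNATURES for virus definitions or SPENDING_HISTORY for a host profile does not change the shape of the detector, which is the slide's point.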


  22. About the Instructor
     • S. Felix Wu
     • sfelixwu@gmail.com
     • sfwu@ucdavis.edu
     • sfelixwu@yahoo.com
     • Office: 3057 Engineering II
     • Phone: 530-754-7070
     • Office Hours:
       • 10-11 a.m. on Monday and Friday
       • by appointment

  23. Why 3 email addresses?
     • sfelixwu@gmail.com
     • sfwu@ucdavis.edu
     • sfelixwu@yahoo.com

  24. Why 3 email addresses?
     • sfelixwu@gmail.com
     • sfwu@ucdavis.edu
       • My main email contact for everything, all the time.
     • sfelixwu@yahoo.com

  25. Why 3 email addresses?
     • sfelixwu@gmail.com
     • sfwu@ucdavis.edu
       • My main email contact for everything, all the time.
     • sfelixwu@yahoo.com
       • Read only once in the past three months…

  26. Why 3 email addresses?
     • sfelixwu@gmail.com
       • Read and responded to during the quarters, especially before the homework deadlines.
     • sfwu@ucdavis.edu
       • My main email contact for everything, all the time.
     • sfelixwu@yahoo.com
       • Read only once in the past three months…

  27. Anti-Spam
     • → sfelixwu@gmail.com
     • → subject: [0x9876543210ABCDEF]…
     • 0x9876543210ABCDEF is the cyber social link between the instructor and the students in ecs236, Winter 2007.

  28. Intrusion Detection
     • Practical engineering
       • Performance, accuracy, scalability, CPU/memory, correlation, deployment.
     • Theoretical foundation
       • Detectability/limitation, dimensionality, entropy, false negatives and positives, evaluation.

  29. In this quarter…
     • The architecture of ID and IDS
       • Stateful versus stateless
       • Signature, specification, anomaly
     • Analysis of ID results
       • Explanation and analysis
       • Event correlation
     • IDS evaluation, or attacking IDS
       • Attack polymorphism and IDS evasion
     • IDS fundamental principles
     • A balance between:
       • Engineering a high-performance IDS system
       • Fundamentally understanding our limitations

  30. Syllabus
     • IDS architecture
     • Anomaly-based approach
     • Event correlation and analysis
     • IDS evaluation
     • Advanced research topics

  31. Course Requirements
     • Teamwork or individual
       • Discussion with others is highly encouraged!
     • 50%: 5 homework assignments
       • 10% each (read 1~2 IDS papers and answer a few questions)
     • 10%: Proposal
     • 40%: Final project

  32. www.cs.ucdavis.edu/~wu/ecs236/

  33. Final Projects
     • IDS architecture
       • Network versus host
     • Anomaly detection
     • IDS evaluation and evasion
     • Alert correlation and explanation

  34. More…
     • Polymorphic/metamorphic worms
     • Spam/Spit, phishing, spyware, …
     • P2P issues (e.g., Bittorrent)
     • Botnet…

  35. Even more…
     • Fundamental…
     • “Why will we have DDoS and Spam in the first place??”

  36. About the Web site
     • http://www.cs.ucdavis.edu/~wu/ecs236/
     • All lectures, notes, announcements, homework assignments, tools, and papers will be there.

  37. First Paper: BUTTERCUP
     • http://www.cs.ucdavis.edu/~wu/ecs236/papers/Buttercup_NOMS2004.pdf
     • Question: “How would you attack the Buttercup mechanism mentioned in the paper?”

  38. Internet Infrastructure
     • It enables many cool applications.
       • Email, Web+, IM, Skype, Google, Bittorrent, Infospace, LinkedIn, ...
     • We are connected, at least in the “IP address” sense!!

  39. Internet Infrastructure
     • It enables many cool applications.
       • Email, Web+, IM, Skype, Google, Bittorrent, Infospace, LinkedIn, ...
     • We are connected, at least in the “IP address” sense!!
     • Many other forms of connections:
       • Peer2Peer, Friend2Friend, community

  40. Internet Infrastructure
     • It enables many cool applications.
     • It enables many cool attacks.

  41. Internet Infrastructure
     • It enables many cool applications.
     • It enables many cool attacks.
     • David Clark on the Morris worm, to DARPA in 1988

  42. Internet Infrastructure
     • It enables many cool applications.
     • It enables many cool attacks.
     • David Clark on the Morris worm, to DARPA in 1988: “Internet is doing exactly what it is supposed to do”

  43. It enables many cool applications.
     • It enables many cool attacks.
     • Worm, DDoS, spamming, phishing, … (the list is still growing)

  44. We cannot blame everything on Microsoft!
     • It enables many cool applications.
     • It enables many cool attacks.
     • Worm, DDoS, spamming, phishing, … (the list is still growing)
     Related to our inter-domain routing today…

  45. WORM
     • Since November 2nd of 1988…
     • Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others…
     • inject → infect → spread

  46. WORM
     • Since November 2nd of 1988…
     • Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others…
     • inject → infect → spread
     • WORM is causing Internet-wide instability.

  47. Slammer → BGP (figure: Internet routing stability analysis on a Beijing prefix, 09/01/2002 to 01/31/2003)

  48. Network meets Software
     • An interesting interaction among the Internet, the software on the hosts, and the worms themselves.
     • The “short-term” reality:
       • An estimated 40~50% of Internet hosts are still vulnerable to CodeRed.

  49. WORM
     • Since November 2nd of 1988…
     • Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others…
     • inject → infect → spread
     • WORM is causing Internet-wide instability.
     • WORM is a critical first step for the attacker to quickly build the large-scale attacking infrastructure.

  50. WORM + DDoS (figure: Victim, .com, ISP)
