
Intrusion Detection

Intrusion Detection. Dr. Eric Breimer, Computer Science Department, Siena College. What is Intrusion Detection? Monitoring a computer network to detect a variety of security attacks, including hacker attacks, insider attacks and masquerade attacks.


Presentation Transcript


1. Intrusion Detection
   Dr. Eric Breimer, Computer Science Department, Siena College

2. What is Intrusion Detection?
   • Monitoring a computer network to detect a variety of security attacks
   • Including
     • Hacker attacks
     • Insider attacks
     • Masquerade attacks

3. What is Intrusion Detection?
   • Monitoring a computer network to detect a variety of security attacks
   • Including
     • Hacker attacks
     • Insider attacks
     • Masquerade attacks
   • This talk focuses on the masquerade attack

4. Types of Attacks
   • Hacker Attack
     • Unauthorized user
     • Bogus account and privileges
     • Recognizable: a system administrator may notice the intrusion before a malicious action is committed

5. Types of Attacks
   • Insider Attack
     • Authorized user
     • Legitimate account and privileges
     • Malicious activities
     • No repudiation: once discovered, it's hard for the insider to cover his tracks.

6. Types of Attacks
   • Masquerade Attack
     • Hacker assumes the identity of an authorized user
     • Malicious activities are attributed to an innocent user
     • Repudiation: easier for the hacker to cover his trail.

7. Malicious Activities
   • Data Disclosure
     • Accessing proprietary information
     • Leading to fraud
   • Data insertion, removal & modification
     • Modifying proprietary information
     • Leading to fraud
   • Denial of Service (DoS)
   • Sabotage

8. Masquerade Attack
   • Methods
     • Remote Attack
       • Packet sniffer
       • Spyware
       • Used simply to gain the user's password
     • On-site Attack
       • Computer left logged in
       • Insider with physical access

9. Masquerade Attack
   • Challenges
     • Password disclosure may be impossible to detect
       • Physical disclosure, simple eavesdropping
     • Access as a legitimate user with authorized privileges such as
       • remote access
       • permission to turn off security systems such as firewalls or intrusion detection software

10. Masquerade Attack
   • Challenges
     • Data disclosure can be impossible to detect
       • If the legitimate user has access to the proprietary information
     • Scapegoat
       • The legitimate user takes the heat
       • Minimizes the risk in an insider attack

11. Masquerade Detection
   • How can you detect a masquerader on your computer system?
   • To answer this question, we need to ask a more basic question:
     • How can you distinguish two users based on their computer usage?

12. Command Recording
   • Command-line operating systems like UNIX can easily record and archive every command typed at a prompt.
   • Example:
     > pine
     > ls
     > cd ..
     > g++ main.cpp

13. Event Recording
   • GUI-based operating systems like Windows or MacOS respond to every input event
     • Mouse move
     • Key press
     • Button click
   • Every event can be recorded.

14. Event Recording
   • Primitive input events can be merged into high-level events
     • <program opened> <program name>
     • <file saved> <file name> <time stamp>
     • <editfind selected> <search string>
     • <query executed> <query name>
   • Recorded in real time.
   • Archived in log files.

15. Computer Usage
   • Individuals use computers in different ways.
   • Examples:
     • Every morning the first program I open is Outlook (95% of the time)
     • Two of my co-workers rarely use Outlook (10%); they prefer Web-based Outlook
     • I use CTRL-C to copy text (99%).
     • A co-worker frequently (50%) uses the Edit/Copy menu option to copy text.

16. Computer Usage
   • More Examples:
     • For three years, Cynthia, the receptionist, has never opened a command prompt in Windows
     • She has never typed the command nslookup
     • On Thursday, she typed nslookup 30 times.

17. Computer Usage
   • Subtle signs can identify a user
   • Users have habits
     • I always keep Outlook open in the background
   • Users exhibit patterns
     • I always type g++ main.cpp -o test.exe
     • I never type g++ -o test.exe main.cpp
   • Users frequently repeat tasks
     • Daily basis
     • Weekly basis

18. Identifying Users
   • Build a Signature for Each User
     • Record a user's behavior (commands or events) over a period of time
     • A Signature somehow captures a user's normal behavior
   • In real time, compare a user's current behavior with the Signature
     • If the current behavior does not match the signature, assume it's a masquerade attack.

19. Building Signatures
   • Assumptions
     • You are recording a legitimate user
       • Physical verification, or
       • Closed environment
     • Duration of recording is long enough to
       • capture the user's unique traits
       • summarize a variety of common tasks

20. Real-time Detection
   • Assumptions
     • Use a "window" of time
       • i.e., events from the last 10 minutes
     • The "event window" can be efficiently compared to the signature
       • Negligible effect on the system
     • Testing or sampling can be done
       • at random, or
       • at periodic intervals

21. Challenges
   • Building Signatures is difficult
     • Data mining can be used to identify patterns or traits
     • Rules can be developed to identify masqueraders
   • Inherent Problem:
     • The rules depend on the system and the software, which constantly change
     • They may stop working over time.

22. Challenges
   • Is there a more generic way to compare user behavior?
   • Signature Sequence:
     • Think of the signature as just a sequence of events for a valid user
       • recorded over a long time
       • confirmed to be the true valid user
   • Current Sequence:
     • Think of the current sequence as any moment of real-time computer usage.

23. Sequence Comparison
   • Compare the Signature Sequence with the Current Sequence
   • If they are sufficiently similar, the sequences come from the same user → No Masquerade
   • If they are different, the sequences come from different users → Masquerade

24. The Real Problems
   • How do you measure the similarity?
   • What does it mean to be sufficiently similar?
   • How do you develop a cut-off or threshold for defining "sufficiently similar"?

25. Sequence Comparison
   • A much harder sequence comparison problem has already been solved
   • Compare DNA Sequence A with DNA Sequence B
     • If they are sufficiently similar, sequences A and B come from the same ancestor
     • If they are different, sequences A and B are unrelated.

26. DNA Sequence Comparison
   [Figure: evolutionary tree drawn over time; an extinct species branches into Lion, Tiger and Dog]
   • Since a lion and a tiger evolved from the same ancestor, their DNA will be similar
   • But "similar" is a relative term

27. DNA Sequence Comparison
   [Figure: the same evolutionary tree (Time; Extinct Species; Lion, Tiger, Dog)]
   • The DNA of a lion and a tiger will be more similar compared to Lion vs. Dog or Tiger vs. Dog

28. DNA Sequence Comparison
   [Figure: evolutionary tree with two extinct ancestor species above Lion, Tiger and Dog]
   • This type of DNA sequence comparison is used to generate evolutionary trees.

29. DNA Sequence Comparison
   [Figure: the ancestor gene and its descendants, with matching regions marked GENE A and GENE B]
     Ancestor  CGTAGACAGATCATGGCTGATCCT
     Tiger     ATAGACAGAGATTGGCTGATCT
     Lion      CGTAGACAGACAGTTGGCTGTAT

30. DNA Sequence Comparison
     Tiger     ATAGACAGAGATTGGCTGATCT
     Lion      CGTAGACAGACAGTTGGCTGTAT
   • To compare DNA sequences, you search for exactly matching segments, but there can be regions that don't match at all.

31. DNA Sequence Comparison
   • Comparison Score:
     • The score increases for every matching symbol
     • The score decreases for gaps that don't match
   • The comparison score is just a relative measure of similarity

32. Event Sequence Comparison
   • Apply the same algorithm used to compare DNA sequences
   • Only Difference:
     • DNA is a sequence of nucleotides (AGCT)
     • We have a sequence of events
     • Each event can be given a label (ABCD...)

33. Event Sequence Comparison
   [Figure: the signature sequence for USER A, annotated with unique traits, patterns and processes (like GENES), drawn above USER A's real-time event sequence from 9AM to 9PM; one region is marked "Possible intrusion"]

34. Event Sequence Comparison
   [Figure: the signature sequence for USER A above the 9AM to 9PM real-time sequence, with the flagged region highlighted]
   • Current activity is sufficiently different from anything in the signature

35. Masquerade Detection
   • Safe Comparison Scores
     • Record all users for a duration of time.
     • For a given user, compare his/her event sequences.
       • Take a random chunk of the sequence and compare it to another random chunk
       • Compute the average comparison score
     • Do this for all users
     • This gives you comparison scores that are "sufficiently similar"

36. Masquerade Detection
   • Masquerader Scores
     • For a given user (USER A), compare his/her event sequences with another user (USER B)
       • Take a random chunk from USER A and compare it to another random chunk from USER B
       • Compute the average comparison score
     • Do this for many random trials
     • This gives you comparison scores that indicate possible masquerading.
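The procedure on slides 31 through 36, worked through in code as an added example (not code from the talk or from the RPI system it cites): events are mapped to one-letter labels, a Smith-Waterman style local alignment scores a window against a signature the way DNA segments are scored (matches add, mismatches and gaps subtract), and random chunk comparisons give the "safe" self-score and the cross-user masquerader score that bracket the threshold. The event vocabulary, the two user signatures and the scoring weights are constructed assumptions.

```python
import random

# Constructed event vocabulary (an assumption, not from the talk): each
# high-level event gets a one-letter label, the way DNA uses A/C/G/T.
EVENT_LABELS = {
    "open:outlook": "A", "open:terminal": "B", "copy:ctrl-c": "C",
    "copy:menu": "D", "cmd:nslookup": "E", "cmd:g++": "F", "save:file": "G",
}

def to_labels(events):
    """Turn a list of recorded event names into a label string."""
    return "".join(EVENT_LABELS[e] for e in events)

def local_alignment_score(sig, cur, match=2, mismatch=-1, gap=-2):
    """Smith-Waterman local alignment score: the best-scoring region of
    `cur` against any region of `sig`. Matches add to the score, mismatches
    and gaps subtract, and the score is clamped at zero, so a window that
    matches some part of the signature scores high even when the rest of
    the signature does not match it at all."""
    rows, cols = len(sig) + 1, len(cur) + 1
    h = [[0] * cols for _ in range(rows)]
    best = 0
    for i in range(1, rows):
        for j in range(1, cols):
            diag = h[i - 1][j - 1] + (match if sig[i - 1] == cur[j - 1] else mismatch)
            h[i][j] = max(0, diag, h[i - 1][j] + gap, h[i][j - 1] + gap)
            best = max(best, h[i][j])
    return best

def average_chunk_score(seq_a, seq_b, chunk, trials, seed=0):
    """Average score of random chunks of seq_a against random chunks of
    seq_b. With seq_a == seq_b this is the "safe" self-comparison score;
    across two different users it is the masquerader score."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        i = rng.randrange(len(seq_a) - chunk + 1)
        j = rng.randrange(len(seq_b) - chunk + 1)
        total += local_alignment_score(seq_a[i:i + chunk], seq_b[j:j + chunk])
    return total / trials

def is_masquerade(window_events, signature, threshold):
    """Flag a real-time window whose best local alignment against the
    signature falls below a threshold chosen between the two averages."""
    return local_alignment_score(signature, to_labels(window_events)) < threshold

# Constructed signatures: user A habitually opens Outlook, copies with
# Ctrl-C and saves; user B works in a terminal with g++ and menu copies.
USER_A = to_labels(["open:outlook", "copy:ctrl-c", "save:file"] * 20)
USER_B = to_labels(["open:terminal", "cmd:g++", "copy:menu", "save:file"] * 15)
```

With these signatures, 12-event chunks of USER_A against themselves average a score of 22 to 24 while chunks of USER_A against USER_B average 2, so a threshold such as 12 separates the two; a window of nslookup commands from a user who never opens a terminal scores 0 against USER_A.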

37. Comparison Scores
   [Figure: a score axis running from Low Comparison Score to High Comparison Score; "User X compared to User Y" sits at the low end and "User X compared to User X" at the high end]

38. Advantages
   • This system tunes itself based on the user's behavior
   • But the system is generic
   • It doesn't matter
     • what software you use
     • what OS you use
     • whether the events are low level or high level
   • You just need some way of recording events, and you need the comparison algorithm

39. How well does it work?
   • A system based on a DNA-like comparison algorithm was developed by
     • Bolek Szymanski, Scott Coull & Joel Branch from
     • RPI's Pervasive Computing Center, which
   • Detected 60% of all masquerade attempts with
   • 2% false alarms.

40. What else can it do?
   • The system can be modified to identify inefficient computer usage for specific software packages.
   • Modification:
     • Record only events from a specific software program
     • Inter-compare users who are known to be expert users
   • Thus, you can develop a comparison score for automatically identifying expert users vs. "potential" novice users.

41. Implications
   • If users do NOT exhibit the "right" kind of computer usage,
     • Managers could recommend training
     • System Administrators could initiate more detailed monitoring

42. Summary
   • Detecting masquerade attacks is one of the most difficult computer security problems
   • Event or command sequences can be used
     • to discriminate users, and
     • to discriminate types of computer usage
   • The problem of comparing event sequences is surprisingly similar to the problem of comparing DNA sequences
   • DNA comparison algorithms are very sensitive and can address the "relative nature" of what it means for sequences to be similar
