Chapter 18. Intruders
2
Intruders
Three classes of intruders
Masquerader: likely to be an outsider; penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: generally an insider; performs unauthorized accesses to data, programs, or resources, or misuses his or her privileges.
Clandestine user: can be either an insider or an outsider; seizes supervisory control of the system and uses it to evade auditing and access controls or to suppress audit collection.
3
Intruders
Intruder techniques aim to gain access to and/or increase privileges on a system. Usually a user password or the password file is needed by the intruder.
Protection of the password file:
One-way encryption: the system stores an encrypted form of the user's password and compares it with the encrypted output of the presented password.
Access control: access to the password file is limited to one or a very few accounts.
4
Intruders
Guessing passwords: techniques for learning passwords
Try default passwords used with standard accounts that are shipped with the system.
Exhaustively try all short passwords (1 to 3 characters).
Try words in the system's on-line dictionary or a list of likely passwords.
Collect information about users (names, books, hobbies, etc.).
Try users' phone numbers, Social Security numbers, and room numbers.
Try all legitimate license plate numbers.
Use a Trojan horse.
Tap the line between a remote user and the host system (countermeasure: use link encryption techniques).
5
Intrusion Detection: a system's second line of defense
The intruder can be identified and ejected from the system. An effective intrusion detection system can prevent intrusions. The collection of information about intrusion techniques can be used to strengthen the intrusion prevention facility.
6
Intrusion Detection
Assumes that the behavior of the intruder differs from that of a legitimate user. There can be false positives and false negatives.
7
Intrusion Detection: approaches to intrusion detection
Statistical anomaly detection: collecting data on the behavior of legitimate users over a period of time.
  Threshold detection: defining thresholds for the frequency of occurrence of various events (independent of user).
  Profile based: using a profile of the activity of each user to detect changes in the behavior of individual accounts.
Rule-based detection: defining a set of rules to decide that a given behavior is that of an intruder.
  Anomaly detection: rules are developed to detect deviation from previous usage patterns.
  Penetration identification: an expert system searches for suspicious behavior.
Statistical approach: effective against masqueraders, unable to deal with misfeasors.
Rule-based approach: able to recognize events and sequences (context reveals penetration).
8
Intrusion Detection
Audit Records: records of ongoing activity used as input to an intrusion detection system
Native audit records: accounting software collects information on user activity (no additional collection software).
Detection-specific audit records: a collection facility collects information required by the intrusion detection system. Ex) subject, action, object, exception-condition, resource-usage, time stamp.
9
Intrusion Detection: Statistical Anomaly Detection
Threshold detection: counting the number of occurrences of a specific event type over an interval of time. If the count surpasses the threshold, then intrusion is assumed. Variability across users causes a lot of false positives and false negatives.
Profile-based system: characterizing the past behavior of individual users or related groups of users; determine the activity profile of the average user by analyzing audit records over a period of time.
Detecting significant deviations: current audit records are used. Metrics: mean and standard deviation, multivariate, Markov process, time series, operational.
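As an added example (not from the slides), the two statistical approaches above run over constructed audit counts: a single threshold independent of user, and a per-user profile using mean and standard deviation. The threshold value and the 3-sigma cutoff are assumed parameters.

```python
"""Threshold and profile-based anomaly detection over constructed audit records.
Added example, not from the slides. HISTORY and CURRENT are constructed data;
the threshold and the 3-sigma cutoff are assumed parameters."""
from collections import Counter
from statistics import mean, pstdev

# Constructed profile period: per user, login failures observed on each of ten past days.
HISTORY = {
    "alice": [1, 0, 2, 1, 0, 1, 1, 2, 0, 1],   # normally almost none
    "bob":   [5, 7, 6, 5, 8, 6, 7, 5, 6, 5],   # habitually fat-fingers the password
}

# Constructed audit records for the current interval: (user, event).
CURRENT = ([("alice", "login_fail")] * 4 + [("bob", "login_fail")] * 7
           + [("alice", "login_ok")])


def threshold_detect(records, event="login_fail", threshold=3):
    """Threshold detection: one threshold for everyone, independent of user.
    Returns the set of users whose count of `event` exceeds `threshold`."""
    counts = Counter(u for u, e in records if e == event)
    return {u for u, c in counts.items() if c > threshold}


def build_profile(history):
    """Profile: (mean, standard deviation) of the metric for each user."""
    return {u: (mean(v), pstdev(v)) for u, v in history.items()}


def profile_detect(records, profile, event="login_fail", sigmas=3.0):
    """Profile-based detection: flag a user whose current count exceeds that
    user's own mean by more than `sigmas` standard deviations."""
    counts = Counter(u for u, e in records if e == event)
    flagged = set()
    for user, (mu, sd) in profile.items():
        deviation = counts.get(user, 0) - mu
        if deviation > sigmas * max(sd, 0.5):   # floor sd so a flat history still has a band
            flagged.add(user)
    return flagged
```

With the data above the fixed threshold flags bob, whose seven failures are normal for him, while the profile flags only alice, whose four failures are far outside her history.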
10
Intrusion Detection
Rule-Based Intrusion Detection: observe events in the system and apply rules
Rule-based anomaly detection: analyze historical audit records to generate rules automatically. Rules represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on. Then observe current behavior.
11
Intrusion Detection
Rule-based penetration identification: use rules to identify suspicious behavior, known penetrations, or penetrations that would exploit known weaknesses. Rules are generated by experts.
Ex) assign degrees of suspicion to activities:
Users should not read files in other users' personal directories.
Users must not write other users' files.
Users who log in after hours often access the same files they used earlier.
Users do not generally open disk devices directly.
Users should not be logged in more than once to the same system.
Users do not make copies of system programs.
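An added example (not from the slides) of several of the rules above applied to constructed audit records of the form (subject, action, object, hour), each rule carrying an assumed degree of suspicion that is summed per subject against an assumed alert threshold.

```python
"""Rule-based penetration identification over constructed audit records.
Added example, not from the slides. Rule weights (degrees of suspicion) and the
alert threshold are assumed values chosen for illustration."""
from collections import Counter, defaultdict

# Constructed audit records: (subject, action, object, hour).
AUDIT = [
    ("alice", "read",  "/home/alice/notes.txt", 10),
    ("alice", "read",  "/home/bob/salary.xls",  11),   # another user's personal directory
    ("alice", "write", "/home/bob/.profile",    11),   # writing another user's file
    ("bob",   "login", "host1",                  9),
    ("bob",   "login", "host1",                  9),   # logged in twice to the same system
    ("carol", "open",  "/dev/sda",              14),   # direct disk device access
    ("carol", "copy",  "/bin/su",               14),   # copy of a system program
]

def home_owner(path):
    """Owner of a personal directory path like /home/<user>/..., else None."""
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "home" else None

# Per-record rules: (description, assumed weight, predicate).
RULES = [
    ("read file in another user's personal directory", 2,
     lambda s, a, o, h: a == "read" and home_owner(o) not in (None, s)),
    ("write another user's file", 4,
     lambda s, a, o, h: a == "write" and home_owner(o) not in (None, s)),
    ("open disk device directly", 5,
     lambda s, a, o, h: a == "open" and o.startswith("/dev/")),
    ("copy a system program", 3,
     lambda s, a, o, h: a == "copy" and o.startswith(("/bin/", "/sbin/", "/usr/bin/"))),
]

def score(records):
    """Return {subject: (total suspicion, [matched rule descriptions])}."""
    totals = defaultdict(lambda: [0, []])
    for s, a, o, h in records:
        for desc, weight, pred in RULES:
            if pred(s, a, o, h):
                totals[s][0] += weight
                totals[s][1].append(desc)
    # Rule over the whole record set: more than one login to the same system.
    logins = Counter((s, o) for s, a, o, h in records if a == "login")
    for (s, host), n in logins.items():
        if n > 1:
            totals[s][0] += 3
            totals[s][1].append(f"logged in {n} times to {host}")
    return {s: (t, d) for s, (t, d) in totals.items()}

def alerts(records, threshold=5):
    """Subjects whose accumulated degree of suspicion reaches the threshold."""
    return sorted(s for s, (t, _) in score(records).items() if t >= threshold)
```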
12
Intrusion Detection
Base-Rate Fallacy: practically, an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms. If too few intrusions are detected, there is a false sense of security; if there are too many false alarms, they are ignored or waste time. This is very hard to do; existing systems seem not to have a good record.
13
Intrusion Detection
Distributed Intrusion Detection: the traditional focus is on single systems, but we typically have networked systems; a more effective defense has these working together to detect intrusions.
Issues: dealing with varying audit record formats; integrity and confidentiality of networked data; centralized or decentralized architecture.
14
Intrusion Detection
Architecture for Distributed Intrusion Detection
Host agent module: collects data on security-related events and transmits them to the central manager.
LAN monitor agent module: same as a host agent module, except that it analyzes LAN traffic and reports to the central manager.
Central manager module: receives reports from LAN monitor and host agents; processes and correlates these reports to detect intrusion.
15
Intrusion Detection: Agent Architecture
Agent: captures each native O/S audit record and applies a filter. A template-driven logic module analyzes the records. When suspicious activity is detected, an alert message is sent to the central manager.
Central manager: includes an expert system (can draw inferences from received data). Queries individual systems (copies of HARs (Host Audit Records) to correlate with those from other agents).
16
Intrusion Detection
Honeypots: decoy systems to lure attackers away from accessing critical systems, to collect information on their activities, and to encourage the attacker to stay on the system so the administrator can respond.
Honeypots are filled with fabricated information and instrumented to collect detailed information on attackers' activities; single or multiple networked systems.
17
Password Management
Password Protection: the front-line defense against intruders. Users supply both:
login: determines the privileges of that user
password: to identify them
Passwords are often stored encrypted. Unix uses multiple DES (a variant with salt); more recent systems use a crypto hash function. The password file on the system should be protected.
18
Password Management
The vulnerability of passwords: two threats to the UNIX password scheme
Gaining access on a machine and then running a password guessing program on that machine with little resource consumption.
Obtaining a copy of the password file; then a cracker program can be run on another machine.
Passwords must NOT be too short and NOT be too easy to guess.
Access control: denies the opponent access to the password file. Has several flaws:
Many systems are susceptible to unanticipated break-ins. An accident of protection might render the password file readable. Some users use the same password on other machines.
19
Password Management
Unix password scheme: crypt(3)
25 DES encryptions.
Salt (12 bits): related to the time at which the password is assigned to the user. Prevents duplicate passwords from being visible in the password file. Encoded as two characters selected from [./0-9A-Za-z]; there are 4096 possible values.
If bit 12 of the salt is set, then bits 12 and 36 are swapped in the DES E-box output.
<Loading a new password>
<Verifying a password>
20
Password Management: Password Selection Strategies
Eliminate guessable passwords, while allowing memorable passwords. Four basic techniques:
User education: users ignore guidelines or misunderstand what a strong password is.
Computer-generated passwords: hard to remember even if they are pronounceable.
Reactive password checking: the system periodically runs its own password cracker to find guessable passwords. Resource intensive; unchecked passwords remain vulnerable.
Proactive password checking: when a user selects his or her own password, the system checks to see if the password is allowable.
21
Password Management: Proactive Password Checking
Rule enforcement: all passwords must be at least eight characters long; in the first eight characters, the passwords must include at least one each of uppercase, lowercase, numeric digits, and punctuation marks.
Compiling a large dictionary of "bad" passwords: when a user selects a password, the system checks it against the dictionary. Large space (storage) and time consumption.
Two techniques for developing an effective and efficient password checker, based on rejecting words on a list, show promise: the Markov model and the Bloom filter.
22
Password Management
Markov Model: an effective and efficient proactive password checker
[m, A, T, k], where
m: number of states
A: state space
T: matrix of transition probabilities
k: order of the model
kth-order model: the probability of making a transition to a particular letter depends on the previous k characters.
23
Password Management: Second-order Markov model
M = {9, {AA, AB, AC, BA, BB, BC, CA, CB, CC}, T, 2}
Transition matrix T (row = previous two characters, column = next character; the entry in row BA, column A is Pr(A|BA), and so on):
        A     B     C
AA    0.00  0.00  0.00
AB    0.00  0.10  0.50
AC    0.00  0.10  0.50
BA    0.10  0.08  0.00
BB    0.20  0.16  0.00
BC    0.20  0.16  0.00
CA    0.50  0.40  0.00
CB    0.00  0.00  0.00
CC    0.00  0.00  0.00
24
Password Management: second-order Markov model, calculating the transition matrix
When a dictionary of guessable passwords is constructed:
1. Determine the frequency matrix f(i,j,k), which is the number of occurrences of the trigram consisting of the ith, jth, and kth characters. Ex) abbbababbb: abb, bbb, bba, bab, aba, bab, abb, bbb.
2. For each bigram ij, calculate f(i,j,∞) as the total number of trigrams beginning with ij. Ex) f(a,b,∞) counts aba, abb, …
bigram: groups of two written letters, two syllables, or two words; trigram: triples of letters or words.
(Figure: layout of T for the two-letter alphabet {A, B}: rows AA, AB, BA, BB; columns Pr(A|·), Pr(B|·).)
25
Password Management
3. Compute the entries of T.
T reflects the structure of the words in the dictionary. "Is this a bad password?" becomes "Was this password generated by this model?" Passwords likely to be generated by the model are rejected.
Resulting T for the example abbbababbb:
        A      B
AA    0      0
AB    0.125  0.25
BA    0.0    0.25
BB    0.125  0.25
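The three steps above (frequency matrix, bigram totals, transition matrix) and the resulting "was this generated by the model?" check, as an added example that is not the slides' code. The slide's table divides each trigram count by the total number of trigrams (8); this block divides by f(i,j,∞) as step 2 defines it, so each row of T is a conditional distribution. The acceptance threshold and the probability floor for unseen trigrams are assumed parameters.

```python
"""Second-order Markov password checker built from a dictionary of bad passwords.
Added example, not the slides' code. T(i,j,k) = f(i,j,k) / f(i,j,inf); the
rejection threshold and the floor for unseen transitions are assumed values."""
from collections import defaultdict
import math

BAD_DICTIONARY = ["abbbababbb"]   # the slide's example word

def trigrams(word):
    """All consecutive 3-character windows, e.g. 'abbb' -> ['abb', 'bbb']."""
    return [word[i:i + 3] for i in range(len(word) - 2)]

def build_model(dictionary):
    """Return (f, f_inf, T): trigram counts, bigram totals and transition matrix."""
    f = defaultdict(int)       # step 1: f[(i, j, k)]
    f_inf = defaultdict(int)   # step 2: f[(i, j, inf)]
    for word in dictionary:
        for t in trigrams(word):
            f[(t[0], t[1], t[2])] += 1
            f_inf[(t[0], t[1])] += 1
    T = {key: n / f_inf[key[:2]] for key, n in f.items()}   # step 3
    return f, f_inf, T

def log_likelihood(password, T, floor=1e-6):
    """Average log probability per transition that the model generated `password`.
    Unseen transitions get probability `floor` so one novel trigram does not
    zero out the whole score."""
    ts = trigrams(password)
    if not ts:
        return math.log(floor)
    total = sum(math.log(T.get((t[0], t[1], t[2]), floor)) for t in ts)
    return total / len(ts)

def is_bad_password(password, T, threshold=math.log(0.05)):
    """Reject passwords the model is likely to have generated."""
    return log_likelihood(password, T) > threshold
```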
26
Password Management: Bloom Filter
Bloom filter: an order-k Bloom filter consists of a set of k independent hash functions.
Hash functions: each function maps a password into a hash value in the range 0 to N-1:
Hi(Xj) = y,  1 ≤ i ≤ k;  1 ≤ j ≤ D;  0 ≤ y ≤ N-1
where
Xj = jth word in the password dictionary
D = number of words in the password dictionary
k = order of the Bloom filter
Procedure applied to the dictionary: a hash table of N bits with all bits initially set to 0. For each password, its k hash values are calculated, and the corresponding bits in the hash table are set to 1. If the bit already has the value 1, it remains at 1.
27
Password Management: Bloom Filter
Password checking: the k hash values are calculated for the presented password. If all corresponding bits of the hash table are equal to 1, reject. Possible existence of FALSE POSITIVES.
Ex) dictionary words: H1(undertaker) = 25, H2(undertaker) = 998; H1(hulkhogan) = 83, H2(hulkhogan) = 665. Bits 25, 83, 665 and 998 of the hash table are set to 1.
Presented password: H1(xG%#jj98) = 665, H2(xG%#jj98) = 998. Both bits are already 1, so xG%#jj98 is rejected although it is not in the dictionary (a false positive).
(Figure: password dictionary → hash functions H1, H2 → hash table with bits 25, 83, 665, 998 set to 1; undertaker, hulkhogan and xG%#jj98 are all rejected.)
28
Password Management
Bloom Filter: to minimize false positives. The probability of a false positive is
$P \approx (1 - e^{-kD/N})^k = (1 - e^{-k/R})^k$, where $R = N/D$ is the ratio of hash table size in bits to the number of dictionary words,
or, equivalently,
$R = -k / \ln(1 - P^{1/k})$.
29
Password Management
Performance of the Bloom Filter: suppose the number of words in the dictionary is 1 million ($10^6$), and we wish the probability of a false positive to be 0.01.
If we select six hash functions ($k = 6$), the required ratio is
$R = -k / \ln(1 - P^{1/k}) = -6 / \ln(1 - 0.01^{1/6}) \approx 9.6$
so the hash table needs $R \times D = 9.6 \times 10^6$ bits, or about 1.2 MB of storage.
30
Password Management
Advantages: storage of the entire dictionary would take 8 MB, but we need only 1.2 MB of storage, a compression factor of about 7.
Password checking involves the straightforward calculation of six hash functions, independent of the size of the dictionary.
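The Bloom filter checker of the previous slides together with the sizing formula, as an added example that is not the slides' code: the table is sized from D and the desired P with R = −k / ln(1 − P^(1/k)), the dictionary is loaded, and a presented password is rejected only when all k bits are set. The k hash functions are derived from SHA-256 with a per-function prefix, an assumed construction (the slides only require k independent functions into 0..N-1); the mini dictionary and the probe strings are constructed.

```python
"""Bloom-filter password dictionary check plus the slides' sizing formula.
Added example, not the slides' code. The k hash functions are derived from
SHA-256 with a per-function prefix (an assumed construction; the slides only
require k independent functions mapping into 0..N-1)."""
import hashlib
import math

class BloomChecker:
    def __init__(self, n_bits, k):
        self.n, self.k = n_bits, k
        self.bits = bytearray((n_bits + 7) // 8)   # hash table of N bits, all 0

    def _hashes(self, word):
        """H_i(word) for i = 1..k, each in the range 0..N-1."""
        for i in range(1, self.k + 1):
            digest = hashlib.sha256(f"{i}:{word}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.n

    def add(self, word):
        """Dictionary load: set the word's k bits; a bit already 1 stays 1."""
        for y in self._hashes(word):
            self.bits[y >> 3] |= 1 << (y & 7)

    def reject(self, password):
        """Reject when all k bits are already 1 (may be a false positive)."""
        return all(self.bits[y >> 3] & (1 << (y & 7)) for y in self._hashes(password))

def required_ratio(k, p):
    """Bits per dictionary word, R = N/D, for false-positive probability p:
    R = -k / ln(1 - p^(1/k)).  k=6, p=0.01 gives about 9.6."""
    return -k / math.log(1 - p ** (1 / k))

def false_positive_prob(k, ratio):
    """P = (1 - e^(-k/R))^k, the inverse of required_ratio."""
    return (1 - math.exp(-k / ratio)) ** k

def build_from_dictionary(words, k=6, p=0.01):
    """Size the table from D = len(words) with the formula, then load it."""
    bf = BloomChecker(math.ceil(required_ratio(k, p) * len(words)), k)
    for w in words:
        bf.add(w)
    return bf

def false_positive_rate(bf, probes):
    """Fraction of non-dictionary probes the filter wrongly rejects."""
    return sum(bf.reject(p) for p in probes) / len(probes)

# Constructed mini dictionary of guessable passwords and non-dictionary probes.
BAD_WORDS = ["password", "undertaker", "hulkhogan", "letmein", "qwerty", "123456"]
PROBES = [f"Zq7!probe{i}" for i in range(200)]
```

Every dictionary word is rejected by construction; the measured rate over the probes shows the small false-positive fraction the formula predicts, which is the price of storing 9.6 bits per word instead of the word itself.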