Intrusion Detection Dr. Eric Breimer Computer Science Department Siena College

Post on 10-Feb-2016

TRANSCRIPT

Page 1: Intrusion Detection

Intrusion Detection

Dr. Eric Breimer

Computer Science Department

Siena College

Page 2: Intrusion Detection

04/22/23 Intrusion Detection 2

What is Intrusion Detection?

Monitoring a computer network to detect a variety of security attacks, including:

• Hacker attacks
• Insider attacks
• Masquerade attacks

Page 3: Intrusion Detection


What is Intrusion Detection?

Monitoring a computer network to detect a variety of security attacks, including:

• Hacker attacks
• Insider attacks
• Masquerade attacks

This talk focuses on the masquerade attack

Page 4: Intrusion Detection


Types of Attacks

Hacker Attack
• Unauthorized user
• Bogus account and privileges
• Recognizable:
  • system administrator may notice intrusion before a malicious action is committed

Page 5: Intrusion Detection


Types of Attacks

Insider Attack
• Authorized user
• Legitimate account and privileges
• Malicious activities
• No repudiation:
  • Once discovered, it's hard for the insider to cover his tracks.

Page 6: Intrusion Detection


Types of Attacks

Masquerade Attack
• Hacker assumes the identity of an authorized user
• Malicious activities are attributed to an innocent user
• Repudiation:
  • Easier for the hacker to cover his trail.

Page 7: Intrusion Detection


Malicious Activities

Data Disclosure
• Accessing proprietary information
• Leading to Fraud

Data insertion, removal & modification
• Modifying proprietary information
• Leading to Fraud

Denial of Service (DoS)
• Sabotage

Page 8: Intrusion Detection


Masquerade Attack

Methods

Remote Attack
• Packet sniffer
• Spyware
• Used simply to gain user password

On-site Attack
• Computer left logged-in
• Insider with physical access

Page 9: Intrusion Detection


Masquerade Attack

Challenges

Password disclosure may be impossible to detect
• Physical disclosure, simple eavesdropping

Access as a legitimate user with authorized privileges such as
• remote access
• permission to turn off security systems such as firewalls or intrusion detection software

Page 10: Intrusion Detection


Masquerade Attack

Challenges

Data disclosure can be impossible to detect
• If legitimate user has access to proprietary information

Scapegoat
• Legitimate user takes the heat
• Minimizes risk in an insider attack

Page 11: Intrusion Detection


Masquerade Detection

How can you detect a masquerader on your computer system?

To answer this question, we need to ask a more basic question:

How can you distinguish two users based on their computer usage?

Page 12: Intrusion Detection


Command Recording

Command-line operating systems like UNIX can easily record and archive every command typed at a prompt.

Example:
>pine
>ls
>cd ..
>g++ main.cpp

Page 13: Intrusion Detection


Event Recording

GUI-based operating systems like Windows or MacOS respond to every input event
• Mouse move
• Key press
• Button click

Every event can be recorded.

Page 14: Intrusion Detection


Event Recording

Primitive input events can be merged into high-level events
• <program opened> <program name>
• <file saved> <file name> <time stamp>
• <editfind selected> <search string>
• <query executed> <query name>

Recorded in real time. Archived in log files.

Page 15: Intrusion Detection


Computer Usage

Individuals use computers in different ways. Examples:

• Every morning the first program I open is Outlook (95% of the time)
• Two of my co-workers rarely use Outlook (10%); they prefer Web-based Outlook
• I use CTRL-C to copy text (99%). A co-worker frequently (50%) uses the EditCopy menu option to copy text.

Page 16: Intrusion Detection


Computer Usage

More Examples:

• For three years, Cynthia, the receptionist, has never opened a command prompt in Windows
• She has never typed the command nslookup
• On Thursday, she typed nslookup 30 times.

Page 17: Intrusion Detection


Computer Usage

Subtle signs can identify a user

Users have habits
• I always keep Outlook open in the background

Users exhibit patterns
• I always type g++ main.cpp -o test.exe
• I never type g++ -o test.exe main.cpp

Users frequently repeat tasks
• Daily basis
• Weekly basis

Page 18: Intrusion Detection


Identifying Users

Build A Signature for Each User
• Record a user's behavior (commands or events) over a period of time
• A Signature somehow captures a user's normal behavior
• In real-time, compare a user's current behavior with the Signature
• If the current behavior does not match the signature, assume it's a masquerade attack.

Page 19: Intrusion Detection


Building Signatures

Assumptions

You are recording a legitimate user
• Physical verification or
• Closed environment

Duration of recording is long enough to
• capture user's unique traits
• summarize a variety of common tasks

Page 20: Intrusion Detection


Real-time Detection

Assumptions

Use a “window” of time
• i.e., events from the last 10 minutes

“Event window” can be efficiently compared to the signature
• Negligible effect on the system

Testing or Sampling can be done
• at random or
• at periodic intervals

Page 21: Intrusion Detection


Challenges

Building Signatures is difficult
• Data Mining can be used to identify patterns or traits
• Rules can be developed to identify masqueraders

Inherent Problem:
• The rules depend on the system and the software, which constantly change
• May stop working over time.

Page 22: Intrusion Detection


Challenges

Is there a more generic way to compare user behavior?

Signature Sequence:
• Think of the signature as just a sequence of events for a valid user
  • recorded over a long time
  • confirmed to be the true valid user

Current Sequence:
• Think of the current sequence as any moment of real-time computer usage.

Page 23: Intrusion Detection


Sequence Comparison

Compare Signature Sequence with Current Sequence

If they are sufficiently similar, the sequences come from the same user: No Masquerade

If they are different, the sequences come from different users: Masquerade

Page 24: Intrusion Detection


The Real Problems

• How do you measure the similarity?
• What does it mean to be sufficiently similar?
• How do you develop a cut-off or threshold for defining “sufficiently similar?”

Page 25: Intrusion Detection


Sequence Comparison

A much harder sequence comparison problem has already been solved

Compare DNA Sequence A with DNA Sequence B

If they are sufficiently similar, sequences A and B come from the same ancestor

If they are different, sequences A and B are unrelated.

Page 26: Intrusion Detection


DNA Sequence Comparison

[Figure: evolutionary tree with an Extinct Species at the root, branching over Time to Lion, Tiger and Dog]

Since a lion and tiger evolved from the same ancestor, their DNA will be similar

But, Similar is a relative term

Page 27: Intrusion Detection


DNA Sequence Comparison

[Figure: evolutionary tree with an Extinct Species at the root, branching over Time to Lion, Tiger and Dog]

The DNA of a lion and a tiger will be more similar compared to Lion vs. Dog or Tiger vs. Dog

Page 28: Intrusion Detection


DNA Sequence Comparison

[Figure: evolutionary tree with an Extinct Species at the root, branching over Time to Lion, Tiger and Dog]

This type of DNA sequence comparison is used to generate evolutionary trees.

Page 29: Intrusion Detection


DNA Sequence Comparison

Ancestor: CGTAGACAGATCATGGCTGATCCT
Tiger:    ATAGACAGAGATTGGCTGATCT
Lion:     CGTAGACAGACAGTTGGCTGTAT

[Figure annotation: two regions of the sequences are marked GENE A and GENE B]

Page 30: Intrusion Detection


DNA Sequence Comparison

Tiger: ATAGACAGAGATTGGCTGATCT
Lion:  CGTAGACAGACAGTTGGCTGTAT

To compare DNA sequences, you search for exactly matching segments, but there can be regions that don’t match at all.

Page 31: Intrusion Detection


DNA Sequence Comparison

Comparison Score:
• Score increases for every matching symbol
• Score decreases for gaps that don’t match

Comparison Score is just a relative measure of similarity

Page 32: Intrusion Detection


Event Sequence Comparison

Apply the same algorithm used to compare DNA sequences

Only Difference:
• DNA is a sequence of nucleotides (AGCT)
• We have a sequence of events
• Each event can be given a label (ABCD...)

Page 33: Intrusion Detection


Event Sequence Comparison

[Figure: the Signature Sequence for USER A drawn above the USER A real-time event sequence on a 9AM to 9PM timeline; unique traits, patterns, and processes (like GENES) are marked, and one region is labelled “Possible intrusion”]

Page 34: Intrusion Detection


Event Sequence Comparison

[Figure: the USER A real-time event sequence from 9AM to 9PM compared against the Signature Sequence for USER A; one region is labelled “Current activity is sufficiently different than anything in the signature”]

Page 35: Intrusion Detection


Masquerade Detection

Safe Comparison Scores
• Record all users for a duration of time.
• For a given user, compare his/her event sequences.
  • Take a random chunk of sequence and compare it to another random chunk
  • Compute the average comparison score
• Do this for all users

This gives you comparison scores that are “sufficiently similar”

Page 36: Intrusion Detection


Masquerade Detection

Masquerader Scores
• For a given user (USER A), compare his/her event sequences with another user (USER B)
  • Take a random chunk from USER A and compare it to another random chunk from USER B
  • Compute the average comparison score
• Do this for many random trials

This gives you comparison scores that indicate possible masquerading.

Page 37: Intrusion Detection


Comparison Scores

[Figure: distributions of comparison scores for “User X compared to User Y” and “User X compared to User X”, plotted on an axis running from Low Comparison Score to High Comparison Score]
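The comparison algorithm of slides 31-32 and the score calibration of slides 35-37, worked through as an added example that is not part of the original presentation or of the RPI system it cites. It assumes a Smith-Waterman style local alignment with constructed scoring values (match +2, mismatch -1, gap -2), constructed event labels and user signatures, and a cut-off placed midway between the safe and masquerader averages; all of those are assumptions, not the slides' own values.

```python
import random

# Constructed mapping of high-level events to one-character labels (slide 32).
LABELS = {"open_outlook": "A", "ctrl_c": "B", "edit_copy": "C",
          "save_file": "D", "nslookup": "E", "cmd_prompt": "F", "ls": "G"}

def encode(events):
    """Turn a list of high-level event names into a label string."""
    return "".join(LABELS[e] for e in events)

def alignment_score(sig, cur, match=2, mismatch=-1, gap=-2):
    """Smith-Waterman local alignment: the score rises per matching symbol,
    falls for mismatches and gaps, and regions that do not match at all
    contribute nothing because every cell is floored at 0."""
    prev, best = [0] * (len(cur) + 1), 0
    for a in sig:
        row = [0] * (len(cur) + 1)
        for j, b in enumerate(cur, 1):
            s = match if a == b else mismatch
            row[j] = max(0, prev[j - 1] + s, prev[j] + gap, row[j - 1] + gap)
            best = max(best, row[j])
        prev = row
    return best

def average_chunk_score(seq_x, seq_y, chunk, trials, rng):
    """Mean score over random chunk pairs drawn from seq_x and seq_y."""
    total = 0
    for _ in range(trials):
        i = rng.randrange(len(seq_x) - chunk + 1)
        j = rng.randrange(len(seq_y) - chunk + 1)
        total += alignment_score(seq_x[i:i + chunk], seq_y[j:j + chunk])
    return total / trials

def calibrate(sig_a, sig_b, chunk=20, trials=50, seed=7):
    """Safe score: user A vs itself; masquerader score: A vs user B.
    The cut-off midway between the two averages is an assumed choice."""
    rng = random.Random(seed)
    safe = average_chunk_score(sig_a, sig_a, chunk, trials, rng)
    masq = average_chunk_score(sig_a, sig_b, chunk, trials, rng)
    return safe, masq, (safe + masq) / 2

def is_masquerade(signature, window, threshold):
    """Flag the current event window if it is not sufficiently similar."""
    return alignment_score(signature, window) < threshold

# Constructed signatures: user A lives in Outlook and Ctrl-C, user B works at
# a command prompt; both occasionally run ls (the only shared event).
SIG_A = encode(["open_outlook", "ctrl_c", "save_file"] * 3 + ["ls"]) * 6
SIG_B = encode(["cmd_prompt", "edit_copy", "nslookup"] * 2 + ["ls"]) * 8
```

calibrate(SIG_A, SIG_B) returns the safe average, the masquerader average and the cut-off between them; is_masquerade(SIG_A, encode(["cmd_prompt", "nslookup"] * 10), cutoff) flags Cynthia's Thursday, while a window cut from SIG_A itself does not.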

Page 38: Intrusion Detection


Advantages

This system tunes itself based on the user's behavior

But, the system is generic. It doesn’t matter
• what software you use
• what OS you use
• whether the events are low level or high level

You just need some way of recording events and you need the comparison algorithm

Page 39: Intrusion Detection


How well does it work?

A system based on a DNA-like comparison algorithm was developed by Bolek Szymanski, Scott Coull & Joel Branch from RPI’s Pervasive Computing Center, which detected 60% of all masquerade attempts with 2% False Alarms.

Page 40: Intrusion Detection


What else can it do?

The system can be modified to identify inefficient computer usage for specific software packages.

Modification:
• Record only events from a specific software program
• Inter-compare users who are known to be expert users
• Thus, you can develop a comparison score for automatically identifying expert users vs. “potential” novice users.

Page 41: Intrusion Detection


Implications

If users do NOT exhibit the “right” kind of computer usage,
• Managers could recommend training
• System Administrators could initiate more detailed monitoring

Page 42: Intrusion Detection


Summary

Detecting Masquerade Attacks is one of the most difficult computer security problems

Event or command sequences can be used to discriminate users, and to discriminate types of computer usage

The problem of comparing event sequences is surprisingly similar to the problem of comparing DNA sequences

DNA comparison algorithms are very sensitive and can address the “relative nature” of what it means for sequences to be similar