Intrusion Detection
Dr. Eric Breimer, Computer Science Department, Siena College
04/22/23 Intrusion Detection 2
What is Intrusion Detection?
Monitoring a computer network to detect a variety of security attacks, including:
• Hacker attacks
• Insider attacks
• Masquerade attacks
This talk focuses on the masquerade attack.
Types of Attacks
Hacker Attack
• Unauthorized user
• Bogus account and privileges
• Recognizable: a system administrator may notice the intrusion before a malicious action is committed
Types of Attacks
Insider Attack
• Authorized user
• Legitimate account and privileges
• Malicious activities
• No repudiation: once discovered, it is hard for the insider to cover his tracks
Types of Attacks
Masquerade Attack
• Hacker assumes the identity of an authorized user
• Malicious activities are attributed to an innocent user
• Repudiation: easier for the hacker to cover his trail
Malicious Activities
• Data disclosure: accessing proprietary information, leading to fraud
• Data insertion, removal and modification: modifying proprietary information, leading to fraud
• Denial of service (DoS): sabotage
Masquerade Attack
Methods
Remote attack
• Packet sniffer
• Spyware
• Used simply to obtain the user's password
On-site attack
• Computer left logged in
• Insider with physical access
Masquerade Attack
Challenges
Password disclosure may be impossible to detect
• Physical disclosure, simple eavesdropping
The masquerader has access as a legitimate user with authorized privileges, such as
• remote access
• permission to turn off security systems such as firewalls or intrusion detection software
Masquerade Attack
Challenges
Data disclosure can be impossible to detect
• If the legitimate user has access to the proprietary information, nothing looks out of place
Scapegoat
• The legitimate user takes the heat
• Minimizes the risk in an insider attack
Masquerade Detection
How can you detect a masquerader on your computer system?
To answer this question, we need to ask a more basic question:
How can you distinguish two users based on their computer usage?
Command Recording
Command-line operating systems like UNIX can easily record and archive every command typed at a prompt.
Example:
>pine
>ls
>cd ..
>g++ main.cpp
Event Recording
GUI-based operating systems like Windows or MacOS respond to every input event:
• Mouse move
• Key press
• Button click
Every event can be recorded.
Event Recording
Primitive input events can be merged into high-level events, for example:
<program opened> <program name>
<file saved> <file name> <time stamp>
<Edit/Find selected> <search string>
<query executed> <query name>
Recorded in real time. Archived in log files.
Computer Usage
Individuals use computers in different ways. Examples:
• Every morning the first program I open is Outlook (95% of the time).
• Two of my co-workers rarely use Outlook (10%); they prefer web-based Outlook.
• I use CTRL-C to copy text (99%). A co-worker frequently (50%) uses the Edit/Copy menu option to copy text.
Computer Usage
More examples:
• For three years, Cynthia, the receptionist, has never opened a command prompt in Windows.
• She has never typed the command nslookup.
• On Thursday, she typed nslookup 30 times.
Computer Usage
Subtle signs can identify a user.
Users have habits
• I always keep Outlook open in the background
Users exhibit patterns
• I always type g++ main.cpp -o test.exe
• I never type g++ -o test.exe main.cpp
Users frequently repeat tasks
• On a daily basis
• On a weekly basis
Identifying Users
Build a Signature for each user
• Record a user's behavior (commands or events) over a period of time
• The Signature somehow captures the user's normal behavior
• In real time, compare the user's current behavior with the Signature
• If the current behavior does not match the Signature, assume it is a masquerade attack
Building Signatures
Assumptions
You are recording a legitimate user
• Physical verification, or
• Closed environment
Duration of recording is long enough to
• capture the user's unique traits
• summarize a variety of common tasks
Real-time Detection
Assumptions
Use a "window" of time
• e.g., events from the last 10 minutes
The "event window" can be efficiently compared to the Signature
• Negligible effect on the system
Testing or sampling can be done
• at random, or
• at periodic intervals
Challenges
Building Signatures is difficult
• Data mining can be used to identify patterns or traits
• Rules can be developed to identify masqueraders
Inherent problem:
• The rules depend on the system and the software, which constantly change
• Rules may stop working over time
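The rule-based approach just described, as an added example that is not code from the talk: a per-user baseline of command frequencies turns the receptionist's sudden nslookup use from the earlier slide into an alert. The audit events, the user names, the 60-day baseline standing in for the three years on the slide, and the burst factor are all constructed for illustration. It also exhibits the inherent problem the slide states: a tool that is legitimately rolled out to a user keeps firing the never-seen rule until the baseline is rebuilt.

```python
"""Per-user command-frequency baseline (rule-based masquerade detection).

Added example; the events below are constructed, not recorded.
"""
from collections import Counter, defaultdict


def make_baseline():
    """Constructed audit events (user, day, command): 60 days stand in for three years.

    Cynthia never opens a command prompt; Eric, an administrator, runs nslookup
    about twice a day.
    """
    events = []
    for d in range(60):
        day = f"day{d:02d}"
        events += [("cynthia", day, c) for c in ("outlook", "word", "outlook", "excel")]
        events += [("eric", day, c) for c in ("outlook", "cmd", "nslookup", "ssh", "nslookup", "g++")]
    return events


def build_profiles(events):
    """For each user and command: on how many days it appeared and the busiest day's count."""
    per_day = defaultdict(Counter)      # (user, day) -> Counter(command)
    days = defaultdict(set)             # user -> set of days recorded
    for user, day, cmd in events:
        per_day[(user, day)][cmd] += 1
        days[user].add(day)
    profiles = {}
    for user, user_days in days.items():
        commands = {}
        for day in sorted(user_days):
            for cmd, n in per_day[(user, day)].items():
                stats = commands.setdefault(cmd, {"days_seen": 0, "max_per_day": 0})
                stats["days_seen"] += 1
                stats["max_per_day"] = max(stats["max_per_day"], n)
        profiles[user] = {"days": len(user_days), "commands": commands}
    return profiles


def check_day(profiles, user, todays_commands, burst_factor=3):
    """Two rules, returned as (command, reason) pairs:
    1. a command this user has never run in the baseline;
    2. a command run more than burst_factor times its busiest baseline day.
    burst_factor is an assumed tuning knob."""
    prof = profiles[user]
    alerts = []
    for cmd, n in Counter(todays_commands).items():
        stats = prof["commands"].get(cmd)
        if stats is None:
            alerts.append((cmd, f"never seen in {prof['days']} baseline days; ran {n} times today"))
        elif n > burst_factor * stats["max_per_day"]:
            alerts.append((cmd, f"ran {n} times today; at most {stats['max_per_day']} per day in baseline"))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(make_baseline())
    # Thursday: Cynthia opens a prompt and runs nslookup 30 times.
    for cmd, why in check_day(profiles, "cynthia", ["outlook", "cmd"] + ["nslookup"] * 30):
        print(f"ALERT cynthia {cmd}: {why}")
    # The same 30 lookups from the administrator are still a burst, but cmd is normal.
    for cmd, why in check_day(profiles, "eric", ["cmd"] + ["nslookup"] * 30):
        print(f"ALERT eric {cmd}: {why}")
```

Rule 1 is what catches Cynthia; rule 2 is what still catches Eric, whose baseline contains nslookup. Both rules are tied to the installed software: the day nslookup is replaced by another tool, every user trips rule 1.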
Challenges
Is there a more generic way to compare user behavior?
Signature Sequence:
• Think of the Signature as just a sequence of events for a valid user, recorded over a long time, confirmed to be the true valid user
Current Sequence:
• Think of the current sequence as any moment of real-time computer usage
Sequence Comparison
Compare the Signature Sequence with the Current Sequence
• If they are sufficiently similar, the sequences come from the same user: no masquerade
• If they are different, the sequences come from different users: masquerade
The Real Problems
• How do you measure the similarity?
• What does it mean to be sufficiently similar?
• How do you develop a cut-off or threshold for defining "sufficiently similar"?
Sequence Comparison
A much harder sequence comparison problem has already been solved
Compare DNA Sequence A with DNA Sequence B
• If they are sufficiently similar, sequences A and B come from the same ancestor
• If they are different, sequences A and B are unrelated
DNA Sequence Comparison
[Figure: evolutionary tree with an extinct ancestor species at the root and Lion, Tiger and Dog as leaves; time runs from the root to the leaves]
Since a lion and a tiger evolved from the same ancestor, their DNA will be similar.
But "similar" is a relative term.
DNA Sequence Comparison
[Figure: the same tree, with Lion and Tiger on one branch and Dog on another]
The DNA of a lion and a tiger will be more similar compared to Lion vs. Dog or Tiger vs. Dog.
DNA Sequence Comparison
[Figure: the same tree, with the extinct ancestor species at each internal node]
This type of DNA sequence comparison is used to generate evolutionary trees.
DNA Sequence Comparison
Ancestor: CGTAGACAGATCATGGCTGATCCT
Tiger:    ATAGACAGAGATTGGCTGATCT
Lion:     CGTAGACAGACAGTTGGCTGTAT
(The slide marks two regions, GENE A and GENE B, across the three sequences.)
DNA Sequence Comparison
Tiger: ATAGACAGAGATTGGCTGATCT
Lion:  CGTAGACAGACAGTTGGCTGTAT
To compare DNA sequences, you search for exactly matching segments, but there can be regions that don't match at all.
DNA Sequence Comparison
Comparison Score:
• Score increases for every matching symbol
• Score decreases for gaps and symbols that don't match
The comparison score is just a relative measure of similarity.
Event Sequence Comparison
Apply the same algorithm used to compare DNA sequences.
Only difference:
• DNA is a sequence of nucleotides (A, G, C, T)
• We have a sequence of events; each event can be given a label (A, B, C, D, ...)
Event Sequence Comparison
[Figure: the Signature Sequence for USER A drawn as a long timeline from 9AM to 9PM, with unique traits, patterns and processes highlighted (like genes); USER A's real-time event sequence is drawn beneath it, with one region marked "possible intrusion"]
Event Sequence Comparison
[Figure: the same 9AM to 9PM Signature Sequence for USER A; the current activity is sufficiently different from anything in the Signature]
Masquerade Detection
Safe comparison scores
• Record all users for a duration of time
• For a given user, compare his or her own event sequences: take a random chunk of the sequence and compare it to another random chunk
• Compute the average comparison score
• Do this for all users
This gives you the comparison scores that count as "sufficiently similar".
Masquerade Detection
Masquerader scores
• For a given user (USER A), compare his or her event sequences with another user's (USER B): take a random chunk from USER A and compare it to a random chunk from USER B
• Compute the average comparison score
• Do this for many random trials
This gives you the comparison scores that indicate possible masquerading.
Comparison Scores
[Figure: two score distributions on one axis. "User X compared to User X" sits at the high comparison scores; "User X compared to User Y" sits at the low comparison scores; the threshold falls between them.]
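The whole pipeline from the preceding slides, as an added example that is not code from the talk or from the RPI system cited later: a DNA-style comparison score (matches add, mismatches and gaps subtract, implemented here as a Smith-Waterman local alignment, which is one common choice and not necessarily the algorithm the talk has in mind), safe scores from a user's own held-out recording, masquerader scores from another user's recording, a threshold between the two, and a real-time event window checked against the Signature. Everything concrete is an assumption made for illustration: the scoring weights, the window length, the two users' "habits" tables, the sessions generated from them, and the random seeds. One deliberate departure from the slides is noted in the code: calibration scores a window against the whole Signature rather than chunk against chunk, so that calibration uses exactly the comparison the detector makes.

```python
"""Masquerade detection by local alignment of event sequences (added example)."""
import random

# Scoring weights (assumed): +2 per matching event, -1 per mismatch or gap.
MATCH, MISMATCH, GAP = 2, -1, -1
WINDOW = 40          # events in the real-time "event window" (assumed)


def local_alignment_score(signature, window):
    """Best local alignment score of `window` against any region of `signature`.

    Smith-Waterman with a zero floor, keeping only the score (two DP rows, so
    memory is O(len(window))).  The floor is what lets a short window match the
    most similar region of a long Signature while regions that do not match at
    all contribute nothing, exactly as in the DNA comparison on the slides.
    Events are compared as labels (strings here; single letters on the slides).
    """
    prev = [0] * (len(window) + 1)
    best = 0
    for a in signature:
        row = [0] * (len(window) + 1)
        for j, b in enumerate(window, 1):
            diag = prev[j - 1] + (MATCH if a == b else MISMATCH)
            row[j] = max(0, diag, prev[j] + GAP, row[j - 1] + GAP)
            best = max(best, row[j])
        prev = row
    return best


def simulate_session(habits, n, rng):
    """Constructed event stream: walk a per-user table of likely next commands."""
    seq = [rng.choice(sorted(habits))]
    while len(seq) < n:
        seq.append(rng.choice(habits[seq[-1]]))
    return seq


# Constructed "habits" for two users; repeated entries make a transition more
# likely.  The developer and the administrator share only `vi` and `ls`.
DEVELOPER = {
    "pine": ["ls", "ls", "ls", "vi"], "ls": ["cd", "cd", "vi", "g++"],
    "cd": ["ls", "ls", "vi"], "vi": ["g++", "g++", "g++", "ls"],
    "g++": ["./test", "./test", "./test", "vi"], "./test": ["vi", "vi", "pine", "ls"],
}
ADMIN = {
    "ssh": ["top", "ps", "df"], "top": ["ps", "kill", "ssh"], "ps": ["kill", "grep", "top"],
    "kill": ["ps", "ssh", "tail"], "tail": ["grep", "tail", "ps"], "grep": ["vi", "tail", "ps"],
    "vi": ["ls", "ssh"], "ls": ["grep", "ssh"], "df": ["ssh", "top"],
}


def window_scores(signature, session, trials, rng):
    """Average score of random WINDOW-length chunks of `session` against `signature`."""
    total = 0
    for _ in range(trials):
        i = rng.randrange(len(session) - WINDOW + 1)
        total += local_alignment_score(signature, session[i:i + WINDOW])
    return total / trials


def calibrate(signature, heldout_same_user, other_user_session, trials=20, seed=1):
    """Safe scores (same user, held-out recording) vs masquerader scores (other user).

    Departure from the slides: windows are scored against the whole Signature,
    not chunk against chunk.  The held-out recording matters: a chunk cut from
    the Signature itself aligns perfectly and inflates the safe scores.
    The threshold is the midpoint of the two means (an assumed, simple cut-off).
    """
    rng = random.Random(seed)
    safe = window_scores(signature, heldout_same_user, trials, rng)
    masq = window_scores(signature, other_user_session, trials, rng)
    return {"safe_mean": safe, "masq_mean": masq, "threshold": (safe + masq) / 2}


def is_masquerade(signature, window, threshold):
    """Flag the window when it is not sufficiently similar to the Signature."""
    return local_alignment_score(signature, window) < threshold


def demo():
    """Build USER A's Signature, calibrate, then test one window from each user."""
    rng = random.Random(7)
    signature = simulate_session(DEVELOPER, 500, rng)   # long recording of user A
    heldout = simulate_session(DEVELOPER, 250, rng)     # later session of user A
    intruder = simulate_session(ADMIN, 250, rng)        # user B at A's keyboard
    cal = calibrate(signature, heldout, intruder)
    own = is_masquerade(signature, heldout[:WINDOW], cal["threshold"])
    other = is_masquerade(signature, intruder[:WINDOW], cal["threshold"])
    return cal, own, other


if __name__ == "__main__":
    cal, own, other = demo()
    print(cal)
    print("own window flagged:", own, "| intruder window flagged:", other)
```

The scores are relative, as the slide says: raw alignment scores mean nothing until the safe and masquerader distributions have been measured for this user, which is why the threshold is derived per Signature rather than fixed. The alignment is O(len(Signature) x WINDOW) per check, so in practice the Signature is kept to a bounded recording or the check is sampled, as the real-time detection slide assumes.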
Advantages
This system tunes itself based on the user's behavior, but the system is generic.
It doesn't matter
• what software you use
• what OS you use
• whether the events are low level or high level
You just need some way of recording events, and you need the comparison algorithm.
How well does it work?
A system based on a DNA-like comparison algorithm was developed by Bolek Szymanski, Scott Coull and Joel Branch from RPI's Pervasive Computing Center. It detected 60% of all masquerade attempts with 2% false alarms.
What else can it do?
The system can be modified to identify inefficient computer usage for specific software packages.
Modification:
• Record only events from a specific software program
• Inter-compare users who are known to be expert users
• Thus, you can develop a comparison score for automatically identifying expert users vs. "potential" novice users
Implications
If users do NOT exhibit the "right" kind of computer usage,
• Managers could recommend training
• System administrators could initiate more detailed monitoring
Summary
Detecting Masquerade Attacks is one of the most difficult computer security problems
Event or command sequences can be used to discriminate users, and to discriminate types of computer usage
The problem of comparing event sequences is surprisingly similar to the problem of comparing DNA sequences
DNA comparison algorithms are very sensitive and can address the “relative nature” of what it means for sequences to be similar