Intrusion Detection & Password Management

Upload: phamhuong

Post on 30-May-2019


Intrusion Detection & Password Management

Intruders, Intrusions

• Intruders: a significant issue for networked systems is hostile or unwanted access, either via the network or locally

• Can identify classes of intruders:

‣ masquerader

‣ misfeasor

‣ clandestine user

• Varying levels of competence

• Clearly a growing, publicized problem

‣ from the “Wily Hacker” in 1986/87

‣ to clearly escalating CERT stats

• May seem benign, but still cost resources

• May use a compromised system to launch other attacks

Examples of Intrusion

• Performing a remote root compromise of an e-mail server

• Defacing a Web server

• Guessing and cracking passwords

• Copying a database containing credit card numbers

• Viewing sensitive data, including payroll records and medical information, without authorization

• Running a packet sniffer on a workstation to capture usernames and passwords

• Using a permission error on an anonymous FTP server to distribute pirated software and music files

• Dialing into an unsecured modem and gaining internal network access

• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password

• Using an unattended, logged-in workstation without permission

Intrusion Detection/Prevention

Intrusion Detection

• Definitions

• Elements

• Components of IDS

• Approaches

‣ Misuse Detection

‣ Anomaly Detection

• Deployments

‣ Host-based IDSs

‣ Network-based IDSs

✴Key-metrics

✴Architecture of Net-IDS

Definitions

• Intrusion: a deliberate unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property, where the misuse may render the property unreliable or unusable. The person who intrudes is an intruder.

Intrusion is a set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource

• Intrusion detection (ID):

‣ The process of identifying and responding to intrusion activities

• Intrusion prevention:

‣ Extension of ID with exercises of access control to protect computers from exploitation

Six Types of Intrusions

• Attempted break-ins, which are detected by atypical behavior profiles or violations of security constraints. An intrusion detection system for this type is called anomaly-based IDS.

• Masquerade attacks, which are detected by atypical behavior profiles or violations of security constraints. These intrusions are also detected using anomaly-based IDS.

• Penetrations of the security control system, which are detected by monitoring for specific patterns of activity.

• Leakage, which is detected by atypical use of system resources.

• Denial of service, which is detected by atypical use of system resources.

• Malicious use, which is detected by atypical behavior profiles, violations of security constraints, or use of special privileges.

Elements

• Primary assumptions:

‣ System activities are observable

‣ Normal and intrusive activities have distinct evidence

• Components of intrusion detection systems:

‣ From an algorithmic perspective:

✴Features - capture intrusion evidences

✴Models - piece evidences together

• From a system architecture perspective:

‣ Various components: audit data processor, knowledge base, decision engine, alarm generation and responses

Components of IDS

• System activities are observable

• Normal and intrusive activities have distinct evidence

Intrusion Detection Approaches

• Modeling

‣ Features: evidences extracted from audit data

‣ Analysis approach: piecing the evidences together

✴Misuse detection (a.k.a. signature-based)

✴Anomaly detection (a.k.a. statistical-based)

• Deployment: Network-based or Host-based

‣ Network based: monitor network traffic

‣ Host based: monitor computer processes

Misuse Detection

• Example:

if (src_ip == dst_ip) then “land_attack”

• Can’t detect new attacks

• Rule-based detection

‣ Anomaly

‣ Penetration identifications
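The slide's one-line rule (src_ip == dst_ip ⇒ land attack) is one signature; a misuse detector is a list of such rules run over every packet. The following is an added example, not code from the slides: the packet records, the two extra rule names and the exploit byte pattern are constructed for illustration. The last packet shows the limitation the slide names: an attack with no matching signature raises no alarm.

```python
"""Signature (misuse) detection over a constructed packet trace.

Added example, not from the slides. Packet records, the SYN+FIN rule and the
payload byte pattern are constructed; the land-attack rule is the slide's own.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: set = field(default_factory=set)   # TCP flag names, e.g. {"SYN"}
    payload: bytes = b""


# Each rule is (name, predicate over a Packet). Assumed signatures for illustration.
RULES = [
    # Slide's example: if (src_ip == dst_ip) then "land_attack"
    ("land_attack", lambda p: p.src_ip == p.dst_ip),
    # SYN and FIN are never set together in a legitimate segment
    ("syn_fin_scan", lambda p: {"SYN", "FIN"} <= p.flags),
    # Constructed byte pattern standing in for a known exploit string
    ("known_exploit_string", lambda p: b"EXPLOIT-SIG-0001" in p.payload),
]


def match_rules(pkt, rules=RULES):
    """Return the names of every rule the packet matches; [] means no alarm."""
    return [name for name, pred in rules if pred(pkt)]


def scan_trace(packets, rules=RULES):
    """Run each packet through the rule set; return (packet index, matched rule names)."""
    alarms = []
    for i, p in enumerate(packets):
        hits = match_rules(p, rules)
        if hits:
            alarms.append((i, hits))
    return alarms


# Constructed trace: one benign packet, three known patterns, one novel attack
TRACE = [
    Packet("10.0.0.5", "10.0.0.9", 40000, 80, {"SYN"}),
    Packet("10.0.0.9", "10.0.0.9", 139, 139, {"SYN"}),                         # land attack
    Packet("10.0.0.7", "10.0.0.9", 1234, 22, {"SYN", "FIN"}),                  # scan probe
    Packet("10.0.0.8", "10.0.0.9", 50000, 80, {"ACK", "PSH"},
           b"GET / EXPLOIT-SIG-0001"),                                        # known signature
    Packet("10.0.0.6", "10.0.0.9", 50001, 80, {"ACK", "PSH"},
           b"GET / NEW-UNSEEN-ATTACK"),                                       # novel: no rule, no alarm
]

if __name__ == "__main__":
    for idx, hits in scan_trace(TRACE):
        print(f"packet {idx}: {', '.join(hits)}")
```

Packet 4 carries something the rule set has never seen, so `match_rules` returns an empty list for it; that silence is exactly why signature-based detection is paired with anomaly detection on the next slide.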

Anomaly Detection

• Statistical anomaly detections

‣ Threshold

‣ Profile based

• Problems:

‣ Relatively high false positive rate

‣ Anomalies can just be new normal activities.

‣ Anomalies caused by other element faults

✴ E.g., router failure or misconfiguration, P2P misconfiguration
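A profile-based detector with a threshold, as the slide describes it, keeps a per-subject statistical profile from training data and alarms when an observation sits too far from it. The following is an added example, not from the slides: the hosts, the hourly outbound-connection counts and the z-score threshold of 3 are constructed assumptions. The srv-backup observation is the "anomalies can just be new normal activities" problem: a legitimate new job trips the alarm.

```python
"""Profile-based statistical anomaly detection with a z-score threshold.

Added example, not from the slides. Baseline counts, test observations and the
threshold are constructed for illustration.
"""
from statistics import mean, pstdev

Z_THRESHOLD = 3.0  # assumed tuning: alarm when more than 3 standard deviations above profile


def build_profile(baseline):
    """Per-subject profile: (mean, population stdev) of the training samples."""
    profile = {}
    for subject, samples in baseline.items():
        sd = pstdev(samples)
        profile[subject] = (mean(samples), sd if sd > 0 else 1e-9)  # avoid division by zero
    return profile


def score(profile, subject, value):
    """z-score of a new observation against the subject's profile."""
    mu, sd = profile[subject]
    return (value - mu) / sd


def detect(profile, observations, z=Z_THRESHOLD):
    """Return (subject, value, z) for anomalies; z is None for subjects with no profile."""
    alarms = []
    for subject, value in observations:
        if subject not in profile:
            alarms.append((subject, value, None))   # nothing to compare against
            continue
        zs = score(profile, subject, value)
        if zs > z:
            alarms.append((subject, value, round(zs, 1)))
    return alarms


# Constructed training data: outbound connections per hour over an 8-hour window
BASELINE = {
    "ws-12": [20, 22, 19, 21, 20, 23, 18, 21],
    "srv-db": [5, 5, 6, 4, 5, 5, 6, 4],
    "srv-backup": [2, 2, 3, 2, 3, 2, 3, 3],
}

# Constructed observations for the next hour
OBSERVATIONS = [
    ("ws-12", 400),      # workstation suddenly fanning out: true anomaly
    ("srv-db", 6),       # within profile
    ("srv-backup", 40),  # nightly backup job just started: a "new normal", false positive
    ("printer-3", 9),    # host never seen in training
]

PROFILE = build_profile(BASELINE)

if __name__ == "__main__":
    for subject, value, zs in detect(PROFILE, OBSERVATIONS):
        print(f"{subject}: {value} connections/hour, z={zs}")
```

The false positive on srv-backup is not a bug in the code; it is the profile being stale. In practice the profile is re-trained on a rolling window, and alarms are reviewed before the new behaviour is folded into the baseline, otherwise a slow-ramping attack trains itself into "normal".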

Host-based IDSs

• Using OS auditing mechanisms

‣ E.g., BSM on Solaris: logs all direct or indirect events generated by a user

‣ strace for system calls made by a program (Linux)

• Monitoring user activities

‣ E.g., analyze shell commands

• Problems: user dependent

‣ Have to install the IDS on all user machines!

‣ Ineffective for large scale attacks

Network-based IDSs

• At the early stage of a worm outbreak, only limited worm samples are available.

• Host-based sensors can only cover a limited IP space, which may raise scalability issues; thus they might not be able to detect the worm in its early stage

Network-based IDSs

• Deploying sensors at strategic locations

‣ E.g., packet sniffing via tcpdump at routers

• Inspecting network traffic

‣ Watch for violations of protocols and unusual connection patterns

• Monitoring user activities

‣ Look into the data portions of the packets for malicious code

• May be easily defeated by encryption

‣ Data portions and some header information can be encrypted

‣ The decryption engine may still be there, especially for exploit

Key Metrics of IDS/IPS

• Algorithm

‣ Alarm: A; Intrusion: I

‣ Detection (true alarm) rate: P(A|I)

✴False negative rate P(¬A|I)

‣ False alarm (aka, false positive) rate: P(A|¬I)

✴True negative rate P(¬A|¬I)

• Architecture

‣ Throughput of NIDS, targeting 10s of Gbps

✴E.g., 32 nsec for 40 byte TCP SYN packet

‣ Resilient to attacks
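The four rates on the slide fall straight out of a confusion matrix of alarms against ground truth. The following is an added example, not from the slides: the event counts are constructed (10 intrusions among 10,000 events, 9 caught, 50 false alarms). It goes one step beyond the slide by also computing P(I|A), the fraction of alarms that are real, which is what an analyst actually experiences, and it checks the slide's throughput figure (32 ns per 40-byte packet at 10 Gbps).

```python
"""IDS key metrics from a constructed labelled event stream.

Added example, not from the slides. Counts are constructed; Fractions keep the
rates exact. Notation follows the slide: A = alarm raised, I = intrusion.
"""
from fractions import Fraction


def confusion_from_labels(events):
    """events: iterable of (alarm: bool, intrusion: bool). Return (tp, fn, fp, tn)."""
    tp = fn = fp = tn = 0
    for alarm, intrusion in events:
        if intrusion and alarm:
            tp += 1
        elif intrusion:
            fn += 1
        elif alarm:
            fp += 1
        else:
            tn += 1
    return tp, fn, fp, tn


def ids_rates(tp, fn, fp, tn):
    """The four conditional rates from the slide, keyed by the slide's notation."""
    intrusions = tp + fn
    benign = fp + tn
    return {
        "P(A|I)": Fraction(tp, intrusions),    # detection (true alarm) rate
        "P(~A|I)": Fraction(fn, intrusions),   # false negative rate
        "P(A|~I)": Fraction(fp, benign),       # false alarm (false positive) rate
        "P(~A|~I)": Fraction(tn, benign),      # true negative rate
    }


def alarm_precision(tp, fp):
    """P(I|A): share of raised alarms that are real intrusions (beyond the slide)."""
    return Fraction(tp, tp + fp)


def ns_per_packet(bits_per_second, packet_bytes):
    """Time budget per packet, in nanoseconds, at a given line rate."""
    return packet_bytes * 8 * 1_000_000_000 / bits_per_second


# Constructed stream: 10 intrusions in 10,000 events, detector catches 9, raises 50 false alarms
EVENTS = ([(True, True)] * 9 + [(False, True)] * 1
          + [(True, False)] * 50 + [(False, False)] * 9940)

if __name__ == "__main__":
    tp, fn, fp, tn = confusion_from_labels(EVENTS)
    for name, rate in ids_rates(tp, fn, fp, tn).items():
        print(f"{name} = {rate} = {float(rate):.4f}")
    print(f"P(I|A) = {alarm_precision(tp, fp)} = {float(alarm_precision(tp, fp)):.3f}")
    print(f"10 Gbps, 40-byte packet: {ns_per_packet(10_000_000_000, 40)} ns budget")
```

With a 0.5% false alarm rate and a 90% detection rate, only 9 of 59 alarms are real: the low base rate of intrusions, not the detector's per-event accuracy, dominates the analyst's workload. That is why the false alarm rate on the slide matters as much as the detection rate.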

Architecture of Net IDS

Firewall/Net IPS vs. Net IDS

• Firewall/IPS

‣ Active filtering

‣ Fail-close

• Network IDS

‣ Passive monitoring

‣ Fail-open

Distributed IDS

• Traditional systems focused on single-system, stand-alone facilities

‣ The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork

‣ A more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network

• Major design issues:

‣ A distributed intrusion detection system may need to deal with different audit record formats

‣ One or more nodes in the network will serve as collection and analysis points for the data from the systems on the network

‣ Either a centralized or decentralized architecture can be used

Honeypots

• Decoy systems that are designed to lure a potential attacker away from critical systems

• Have no production value

‣ These systems are filled with fabricated information designed to appear valuable but that a legitimate user of the system wouldn’t access

‣ Thus, any attempt to communicate with the system is most likely a probe, scan, or attack

• Designed to:

‣ Divert an attacker from accessing critical systems

‣ Collect information about the attacker’s activity

‣ Encourage the attacker to stay on the system long enough for administrators to respond

• Because any attack against the honeypot is made to seem successful, administrators have time to mobilize and log and track the attacker without ever exposing productive systems

• Recent research has focused on building entire honeypot networks that emulate an enterprise, possibly with actual or simulated traffic and data

Password Management (Additional Slide)

UNIX Password Scheme

Password Selection Strategies

• The goal is to eliminate guessable passwords while allowing the user to select a password that is memorable

• Four basic techniques are in use:

‣ User education

✴Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords

‣ Computer-generated passwords

✴Computer-generated password schemes have a history of poor acceptance by users

✴Users have difficulty remembering them

‣ Reactive password checking

✴A strategy in which the system periodically runs its own password cracker to find guessable passwords

‣ Proactive password checking

✴A user is allowed to select his or her own password, however, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it

Passwords… New Ways

• Use passwords manager applications

• Use passphrase instead of passwords

‣ Random common words instead of hard-to-memorize gibberish (xkcd #936)
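Proactive checking (reject a weak password at selection time) and the passphrase approach on this slide fit together: the checker encodes what "guessable" means, and the generator produces something that passes it while staying memorable. The following is an added example, not from the slides: the 12-character minimum, the tiny common-password set and the 14-word list are constructed assumptions; a real deployment checks against a full cracking dictionary and draws passphrases from a list of thousands of words.

```python
"""Proactive password checking plus random-word passphrase generation.

Added example, not from the slides. MIN_LENGTH, COMMON_PASSWORDS and WORDLIST
are constructed for illustration, not a real policy or a real dictionary.
"""
import math
import re
import secrets

MIN_LENGTH = 12  # assumed policy

# Constructed stand-in for a cracking dictionary
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "monkey"}

# Constructed word list; real passphrase lists have thousands of words
WORDLIST = ["correct", "horse", "battery", "staple", "river", "mango", "cloud",
            "violet", "anchor", "pepper", "window", "falcon", "marble", "tunnel"]


def proactive_check(password, username=""):
    """Return the reasons a candidate password is rejected; [] means it is allowable."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    # One dictionary word with digits/symbols tacked on the end, e.g. "welcome2019!"
    m = re.fullmatch(r"([a-z]+)[\d!@#$%^&*]*", lowered)
    if m and m.group(1) in COMMON_PASSWORDS | set(WORDLIST):
        reasons.append("dictionary word with trailing digits/symbols")
    return reasons


def generate_passphrase(words=4, wordlist=WORDLIST, sep="-"):
    """Random common words joined by a separator (xkcd #936 style), drawn with a CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words, wordlist_size):
    """Guessing entropy when each word is chosen uniformly from a list of wordlist_size."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate, user in [("password", ""), ("welcome2019!", ""), ("alice-secret-2019", "alice")]:
        print(f"{candidate!r}: {proactive_check(candidate, user) or 'OK'}")
    phrase = generate_passphrase()
    print(f"{phrase!r}: {proactive_check(phrase) or 'OK'}")
    print(f"4 words from {len(WORDLIST)}: {passphrase_entropy_bits(4, len(WORDLIST)):.1f} bits")
    print(f"4 words from 7776:  {passphrase_entropy_bits(4, 7776):.1f} bits")
```

The entropy function makes the design choice visible: four words from the constructed 14-word list give about 15 bits, which a reactive cracker would find in seconds, while four words from a 7776-word list give about 51.7 bits. The strength of a passphrase comes from the size of the list and the randomness of the draw (hence `secrets`, never `random`), not from the words looking unusual.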

References

• W. Stallings, “Cryptography and Network Security: Principles and Practice”, 7th Ed., Pearson Publishing.

Happy Learning ;)

Exercise

1. Use Wireshark to monitor your network traffic

‣ Save your network traffic for 30 minutes

‣ From that traffic file:

✴Determine how much ARP, DNS and HTTP traffic passed through

✴What is your IP address? What is your DNS server?

2. Assume that a password is chosen as a combination of four characters from the 26-letter alphabet. Assume that an adversary is able to try passwords at a rate of one per second. Answer the questions below:

a. Assuming no feedback to the adversary until each attempt has been completed, what is the expected time to find the correct password?

b. Assuming feedback to the adversary flags an error as each incorrect character is entered, what is the expected time to find the correct password?

Exercise… (2)

3. Find, from papers of the last two years, the intrusion detection techniques they use. Briefly explain the model they apply!