TRANSCRIPT
Information Systems Security (Zaštita informacionih sistema), Milan Milosavljević

Access Control

Access control
- Access control consists of two parts
- Authentication: Who goes there?
  o Determines who is allowed access
  o Authentication of a human by a machine
  o Authentication of a machine by a machine
- Authorization: Are you allowed to do that?
  o Once you have been granted access, what are you allowed to do?
  o Enforces restrictions on the possible actions
- Note: "access control" is often used as a synonym for authorization

Authentication

Who goes there?
- How can a machine authenticate a human? Authentication can be based on...
  o Something you know (e.g., a password)
  o Something you have (e.g., a smart card)
  o Something you are (e.g., a fingerprint)

Something you know: Passwords
- Lots of things can serve as a password!
  o PIN
  o National ID number
  o Mother's maiden name
  o Date of birth
  o Name of your pet, etc.

Problems with passwords
- "Passwords are one of the biggest practical problems facing security engineers today."
- "Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations."

Why passwords?
- Why is "something I know" more popular than "something I have" and "something I am"?
- Cost: passwords are free
- Convenience: it is easier to reset a password than to issue the user a new fingerprint

Keys and passwords
- Crypto keys
  o Suppose a key is 64 bits; then there are 2^64 different keys
  o Choose the key at random; then an attacker must try about 2^63 keys
- Passwords
  o Suppose a password is 8 characters long and there are 256 different characters
  o Then there are 256^8 = 2^64 passwords
  o Users do not choose passwords at random
  o An attacker must try far fewer than 2^63 passwords (dictionary attack)

Good and bad passwords
- Bad passwords
  o frank
  o Fido
  o password
  o 4444
  o Pikachu
  o 102560
  o AustinStamp
- Good passwords?
  o jfIej,43j-EmmL+y
  o 09864376537263
  o P0kem0N
  o FSa7Yago
  o 0nceuP0nAt1m8
  o PokeGCTall150

Password experiment
- Three groups of users; each group was advised to choose passwords as follows
  o Group A: at least 6 characters, 1 non-letter
  o Group B: passwords based on a passphrase
  o Group C: 8 random characters
- Results:
  o Group A: about 30% of the passwords are easy to crack
  o Group B: about 10% cracked; passwords are easy to remember (winner)
  o Group C: about 10% cracked; passwords are hard to remember

Password experiment
- User compliance is hard to achieve
- In each case, 1/3 did not comply (and about 1/3 of those passwords are easy to crack!)
- Sometimes it is best to assign passwords
- If passwords are not assigned, the best advice when choosing is
  o Choose a passphrase-based password
  o Use dedicated cracking tools to find weak passwords
  o Require periodic password changes?

Attacks on passwords
- An attacker may...
  o Target one particular account
  o Target any account
  o Target any account on any system
  o Attempt a denial of service (DoS) attack
- Common attack path
  o Outside user → normal user → administrator
  o May only require one weak password!

Password retry
- Suppose the system locks after 3 wrong passwords. How long should it stay locked?
  o 5 seconds
  o 5 minutes
  o Until the system administrator restores service
- What are the pros and cons of each?

Password file
- Storing passwords in a file is a bad solution
- We need a mechanism for verifying passwords
- Cryptographic solution: hash the password
  o Store y = h(password)
  o A password can be verified by hashing it
  o If an attacker obtains the password file, he has not thereby obtained the passwords themselves
  o An attacker who has the password file can try to guess an x for which y = h(x)
  o If he succeeds, the attacker has found the password!

Dictionary attack
- The attacker pre-computes h(x) for all x in a dictionary of common passwords
- Suppose the attacker has access to the file of hashed passwords
  o The attacker only needs to compare the hashes with the hashes already computed from the dictionary
  o All subsequent attacks can be carried out the same way
- Can this attack be prevented? Or at least, can the attacker's job be made harder?

Password file
- Contains hashed passwords
- It is better to store salted hashes
- For a given password, choose a random s, compute y = h(password, s) and store (s, y) in the password file
- Note: the salt s is not secret
- The password is still easy to verify
- The attacker must compute the dictionary hashes separately for each user, which is a lot of work!
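The (s, y) scheme of this slide, written out as an added example (not code from the lecture). It assumes SHA-256 over salt || password as h and 16 random bytes of salt; the slide fixes neither. The last function shows the property the slide relies on: two users with the same password get different file entries once salted, so a hash computed for one entry says nothing about another.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example: the (s, y) password-file scheme from the slide.
# Assumptions: h is SHA-256 over salt || password; salts are 16 random bytes.


def h(password: str, salt: bytes) -> bytes:
    """h(password, s): hash the (public) salt together with the password."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def unsalted_entry(password: str) -> bytes:
    """y = h(password) with no salt, the weaker scheme of the earlier slide."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Pick a random salt s (not secret) and return the pair (s, y) kept in the file."""
    if salt is None:
        salt = os.urandom(16)
    return salt, h(password, salt)


def verify_password(candidate: str, entry: Tuple[bytes, bytes]) -> bool:
    """Recompute h(candidate, s) with the stored salt and compare it against y."""
    salt, stored = entry
    return hmac.compare_digest(h(candidate, salt), stored)


def salt_defeats_precomputation(password: str) -> Tuple[bool, bool]:
    """Two users who chose the same password.

    Returns (unsalted entries equal, salted entries equal): the unsalted file
    reveals that they share a password and lets one dictionary hash be compared
    against both; the salted file does not."""
    unsalted_equal = unsalted_entry(password) == unsalted_entry(password)
    salted_equal = store_password(password)[1] == store_password(password)[1]
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    # Constructed sample password file: one (s, y) entry per user.
    password_file = {
        "alice": store_password("correct horse"),
        "bob": store_password("correct horse"),
    }
    print(verify_password("correct horse", password_file["alice"]))
    print(verify_password("wrong guess", password_file["alice"]))
    print(salt_defeats_precomputation("correct horse"))
```

Verification hashes the candidate with the salt read from the file; since the salt is stored in the clear, nothing about the scheme depends on keeping it secret, exactly as the slide notes.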

Password cracking: the numbers
- Assumptions
  o Passwords are 8 characters long, with 128 choices per character
  o Then there are 128^8 = 2^56 possible passwords
  o There is a password file containing 2^10 passwords
  o The attacker has a dictionary of the 2^20 most commonly used passwords
  o The probability that a given password is in the dictionary is 1/4
  o The work required is measured by the number of hashes computed

Password cracking
- Attack on 1 password without a dictionary
  o Must try 2^56/2 = 2^55 on average
  o Analogous to exhaustive key search
- Attack on 1 password with a dictionary
  o Expected work is about 1/4 · 2^19 + 3/4 · 2^55 = 2^54.6
  o But in practice, try the whole dictionary and quit if no solution is found: the work is at most 2^20 and the probability of success is 1/4

Password cracking
- Attack on any of the 1024 passwords in the file, without a dictionary
  o Assume all 2^10 passwords are distinct
  o 2^55 comparisons are needed before we expect to find a password
  o If no salt is used, each hash computation yields 2^10 comparisons, so the expected work (number of hashes) is 2^55/2^10 = 2^45
  o If salt is used, the expected work is 2^55, since each comparison requires a new hash computation

Password cracking
- Attacking any password in the file, with a dictionary
  o The probability that at least one password is in the dictionary is 1 - (3/4)^1024 ≈ 1
  o We ignore the case where none of the passwords is in the dictionary
  o If no salt is used, the work is about 2^19/2^10 = 2^9
  o If salt is used, the expected work is less than 2^22
  o Note that if no salt is used, we can precompute all the hashes for the dictionary, reducing this work further
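The expected-work figures of the last four slides, carried through in an added example (not the lecture's own code) so that each formula can be checked and re-run with other parameters. The constants are the slides' assumptions; the derivation behind the "less than 2^22" bound (clear (1/p - 1) users at a full dictionary run each before the one that hits) is my reasoning, the slide states only the bound.

```python
import math

# Added example: expected work for the password-cracking scenarios of the slides.
# Work is measured in hash computations, as the slides define it.

SPACE_BITS = 56   # 128 choices per character, 8 characters: 128^8 = 2^56
FILE_BITS = 10    # 2^10 = 1024 passwords in the file
DICT_BITS = 20    # dictionary of the 2^20 most common passwords
P_DICT = 0.25     # probability that a given password is in the dictionary


def log2_one_password_no_dict(space_bits: int = SPACE_BITS) -> float:
    """Exhaustive search over 2^space_bits passwords: half the space on average."""
    return space_bits - 1                                      # 2^55


def log2_one_password_with_dict(space_bits: int = SPACE_BITS,
                                dict_bits: int = DICT_BITS,
                                p: float = P_DICT) -> float:
    """Expected work p * 2^(dict_bits-1) + (1-p) * 2^(space_bits-1), as a log2."""
    work = p * 2 ** (dict_bits - 1) + (1 - p) * 2 ** (space_bits - 1)
    return math.log2(work)                                     # about 54.6


def log2_any_password_no_dict(space_bits: int = SPACE_BITS,
                              file_bits: int = FILE_BITS,
                              salted: bool = False) -> float:
    """2^(space_bits-1) comparisons are expected before a hit.  Without salt a
    single hash is compared against all 2^file_bits entries, so the number of
    hashes is comparisons / 2^file_bits; with salt every comparison is a hash."""
    comparisons = space_bits - 1
    return comparisons if salted else comparisons - file_bits  # 55 or 45


def p_at_least_one_in_dict(file_bits: int = FILE_BITS, p: float = P_DICT) -> float:
    """1 - (1-p)^(2^file_bits); indistinguishable from 1 for the slides' numbers."""
    return 1 - (1 - p) ** (2 ** file_bits)


def log2_any_password_with_dict(dict_bits: int = DICT_BITS,
                                file_bits: int = FILE_BITS,
                                p: float = P_DICT,
                                salted: bool = False) -> float:
    """Without salt: hash the dictionary once; 2^(dict_bits-1) hashes find a hit
    in expectation and each hash is compared with 2^file_bits entries -> 2^9.
    With salt: each user needs a fresh dictionary run.  On average (1/p - 1)
    users are cleared at 2^dict_bits hashes each before the user that hits,
    who costs 2^(dict_bits-1) -> 3 * 2^20 + 2^19, which is below 2^22."""
    if not salted:
        return (dict_bits - 1) - file_bits
    work = (1 / p - 1) * 2 ** dict_bits + 2 ** (dict_bits - 1)
    return math.log2(work)


if __name__ == "__main__":
    print("one password, no dictionary:   2^%.1f" % log2_one_password_no_dict())
    print("one password, with dictionary: 2^%.1f" % log2_one_password_with_dict())
    print("any password, no salt:         2^%.1f" % log2_any_password_no_dict())
    print("any password, salted:          2^%.1f" % log2_any_password_no_dict(salted=True))
    print("any password, dict, no salt:   2^%.1f" % log2_any_password_with_dict())
    print("any password, dict, salted:    2^%.1f" % log2_any_password_with_dict(salted=True))
```

Changing `FILE_BITS` shows why the unsalted case is the one that scales badly for the defender: every extra bit of file size removes a bit of attacker work, while the salted figures do not move.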

Other password issues
- Too many passwords to remember
  o Results in password reuse
  o Why is this a problem?
- Who suffers from bad passwords?
  o Login password vs ATM PIN
- Failure to change default passwords
- Social engineering
- Logs of failed logins may contain nearly correct passwords
- Bugs, keystroke logging, spyware, etc.

Passwords: the bottom line
- Cracking passwords is too easy!
  o A single weak password can bring down the system's security
  o Users choose bad passwords
  o Social engineering attacks, etc.
- The bad guys have all the advantages on their side
- All the math favors the bad guys
- Passwords are a big security problem

Password cracking tools
- Popular password cracking tools
  o Password Crackers
  o Password Portal
  o L0phtCrack and LC4 (Windows)
  o John the Ripper (Unix)
- Administrators should test these tools, since attackers will certainly use them!
- A good article on password cracking is "Passwords - Cornerstone of Computer Security"

Biometrics

Something you are: Biometrics
- "You are your key" (Schneier)
- [Figure: three overlapping circles labelled Are, Know, Have]
- Examples
  o Fingerprint
  o Signature
  o Facial recognition
  o Speech recognition
  o Gait recognition
  o "Digital doggie" (odor recognition)
  o And many more!

Why biometrics?
- Biometrics are seen as a desirable replacement for passwords
- Cheap and reliable biometrics are needed
- Today this is a very active area of research
- Biometrics are used in security systems today
  o Mouse with a thumbprint sensor
  o Palm print for access control
  o Fingerprint to unlock cars, doors, etc.
- However, biometrics are not that popular
  o They have not yet lived up to expectations

Ideal biometric
- Universal: applies to (almost) everyone
  o In practice, no biometric applies to everyone
- Distinguishing: distinguishes with certainty
  o In practice, we cannot hope for 100% certainty
- Permanent: the physical characteristic used and measured should never change
  o In practice, this requirement applies over some long period of time
- Collectable: easy to measure and collect
  o Depends on the degree of cooperation of the subject
- Safe, easy to use, etc.

Biometric modes
- Identification: Who goes there?
  o One-to-many comparison
  o Example: the FBI fingerprint database
- Authentication: Is that really you?
  o One-to-one comparison
  o Example: mouse with a thumbprint reader
- The identification problem is considerably harder
  o More "random" matches due to the many comparisons
- We will deal with authentication

Enrollment vs recognition
- Enrollment phase
  o The subject's biometric data is stored in a database
  o The required data must be measured carefully
  o Sometimes this is slow and requires repeated measurements
  o Measurements must be very precise for good recognition
  o This is the weak point of many biometric systems
- Recognition phase
  o Biometric detection in practice
  o Must be fast and simple
  o Must be sufficiently accurate

Cooperative subjects
- A cooperative subject is assumed
- In the identification problem we usually have an uncooperative subject
- For example, facial recognition
  o Proposed for use in Las Vegas casinos to detect known cheaters
  o Also used to detect terrorists at airports, etc.
  o Probably no ideal conditions for enrollment
  o The subject will likely try to confuse the recognition system
- A cooperative subject makes this phase much easier!
  o In authentication, the subject is cooperative

Biometric errors
- Fraud rate versus insult rate
  o Fraud: user A is wrongly authenticated as user B
  o Insult: user A is not authenticated as user A
- For any biometric, we can reduce fraud or insult, but the other value will increase
- Example
  o 99% voice match → low fraud, high insult
  o 30% voice match → high fraud, low insult
- Equal error rate: the point where fraud == insult
  o The best measure for comparing biometrics

Fingerprint history
- 1823 Professor Johannes Evangelist Purkinje discusses 9 different fingerprint patterns
- 1856 Sir William Hershel uses fingerprints to sign contracts
- 1880 Dr. Henry Faulds writes a paper in Nature on fingerprints for identification
- 1883 In Mark Twain's Life on the Mississippi, a murderer is identified by fingerprints

Fingerprint history
- 1888 Sir Francis Galton (Darwin's cousin) develops a classification system
  o His "minutia" system is still in use
  o Verifies that fingerprints do not change with age
- Some countries prescribe the number of points (i.e., minutia) required for a reliable identification in criminal cases
  o In Britain it is 15 points
  o In the US there is no fixed number of points

Fingerprint comparison
- [Figure: examples of a (double) loop, a whorl and an arch]
- Minutia are extracted from these features

Fingerprint biometric
- [Figure: capture the fingerprint image → enhance the image → identify the minutia]

Fingerprint biometric
- The extracted minutia are compared with the minutia stored in the database
- Is this a statistical match?

Hand geometry
- A popular form of biometric
- Measures the shape of the hand
  o Width of the hand and fingers
  o Length of the fingers, etc.
- Human hands are not unique
- Hand geometry is sufficient for many applications
- Suitable for authentication
- Not suitable for the identification problem

Hand geometry
- Advantages
  o Speed
  o 1 minute is enough for enrollment
  o 5 seconds for recognition
  o Hands are symmetric (the other hand can be used)
- Disadvantages
  o Cannot be used for very young and very old people
  o Relatively high equal error rate

Iris patterns
- The iris pattern is fairly "chaotic"
- Little or no influence of genetics
- Different even for identical twins
- The pattern is stable over the entire lifetime

Iris recognition: history
- 1936 Suggested by Frank Burch
- 1980s James Bond films
- 1986 The first patent on this subject appears
- 1994 John Daugman patents the best current system
  o The patent is owned by Iridian Technologies

Iris scan
- The scanner locates the iris
- A b/w photo is taken
- Polar coordinates are used...
- A 2-D wavelet transform is computed
- The result is a 256-byte iris code

Measuring iris similarity
- Based on the Hamming distance
- Define d(x,y) as follows
  o (# of mismatched bits) / (# of bits compared)
  o d(0010,0101) = 3/4 and d(101111,101001) = 1/3
- Compute d(x,y) on the 2048-bit iris code
  o A perfect match gives distance d(x,y) = 0
  o For the same iris, the expected distance is 0.08
  o For random strings, the expected distance is 0.50
  o A match is accepted if the distance is less than 0.32
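The distance d(x,y) of this slide and the fraud/insult trade-off of the biometric-errors slide, as an added example (not the lecture's code). The two worked values from the slide are reproduced; the lists of genuine and impostor distances are constructed, chosen around the expected 0.08 and 0.50 the slide gives, and are only there to show how a threshold sweep locates the equal error point.

```python
from typing import Sequence, Tuple

# Added example: iris-code distance, accept/reject at a threshold, and the
# fraud/insult rates that a threshold produces over a set of comparisons.

ACCEPT_THRESHOLD = 0.32   # slide: a match is accepted if d(x, y) < 0.32


def hamming_distance(x: str, y: str) -> float:
    """d(x, y) = (# mismatched bits) / (# bits compared); x and y are bit strings."""
    if len(x) != len(y):
        raise ValueError("iris codes must be the same length")
    mismatches = sum(1 for a, b in zip(x, y) if a != b)
    return mismatches / len(x)


def iris_match(x: str, y: str, threshold: float = ACCEPT_THRESHOLD) -> bool:
    """Accept the match when the distance is strictly below the threshold."""
    return hamming_distance(x, y) < threshold


def fraud_and_insult(genuine: Sequence[float], impostor: Sequence[float],
                     threshold: float) -> Tuple[float, float]:
    """Fraud rate: fraction of impostor comparisons accepted (user A taken for B).
    Insult rate: fraction of genuine comparisons rejected (user A not recognised)."""
    fraud = sum(1 for d in impostor if d < threshold) / len(impostor)
    insult = sum(1 for d in genuine if d >= threshold) / len(genuine)
    return fraud, insult


def equal_error_point(genuine: Sequence[float], impostor: Sequence[float],
                      steps: int = 100) -> Tuple[float, float, float]:
    """Sweep thresholds over [0, 1] and return (threshold, fraud, insult) at the
    point where the two rates are closest: the equal error rate."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        fraud, insult = fraud_and_insult(genuine, impostor, t)
        gap = abs(fraud - insult)
        if best is None or gap < best[0]:
            best = (gap, t, fraud, insult)
    return best[1], best[2], best[3]


# Constructed sample distances: a user's enrolled code against later scans of
# the same iris (expected near 0.08) and against unrelated irises (near 0.50).
GENUINE_DISTANCES = [0.05, 0.08, 0.10, 0.12, 0.20, 0.31]
IMPOSTOR_DISTANCES = [0.30, 0.45, 0.48, 0.50, 0.52, 0.55]

if __name__ == "__main__":
    print(hamming_distance("0010", "0101"), hamming_distance("101111", "101001"))
    print(fraud_and_insult(GENUINE_DISTANCES, IMPOSTOR_DISTANCES, ACCEPT_THRESHOLD))
    print(equal_error_point(GENUINE_DISTANCES, IMPOSTOR_DISTANCES))
```

Lowering the threshold below the equal error point trades fraud for insult and raising it does the opposite, which is the trade-off the biometric-errors slide describes; the equal error point is the single number that lets two biometrics be compared.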

Iris scan error rate

distance | error rate
0.29     | 1 in 1.3·10^10
0.30     | 1 in 1.5·10^9
0.31     | 1 in 1.8·10^8
0.32     | 1 in 2.6·10^7
0.33     | 1 in 4.0·10^6
0.34     | 1 in 6.9·10^5
0.35     | 1 in 1.3·10^5

Arrow in the original figure: equal error rate

Attack on iris scanning
- A good photo of an eye can be scanned
- An attacker could use a photo of the eye
- An Afghan woman was authenticated by scanning an old photo of her eye
  o The story can be found here
- To thwart the photo attack, the scanner could use a light to make sure the iris is "alive"

Comparison by equal error rate
- Equal error rate (EER): fraud probability == insult probability
- Fingerprint biometrics: EER about 5%
- Hand geometry: EER about 10^-3
- In theory, iris scanning has an EER of about 10^-6
  o In practice this is hard to achieve
  o The enrollment phase must be extremely accurate
- Most biometrics are considerably worse than fingerprints!
- Biometrics are useful for authentication... but nearly useless for identification

Biometrics: the bottom line
- Biometrics are hard to forge
- But attacks are still possible
  o Steal Alice's finger
  o Photocopy Bob's fingerprint, eye, etc.
  o Subvert the software, the databases, the "trusted path", ...
- How do you revoke a "broken" biometric?
- Biometrics are not foolproof!
- Biometrics are used only to a limited extent today
- This is expected to change in the near future...

Something you have
- Something in your possession
- Examples
  o Car keys
  o Laptop computer (or a specific MAC address)
  o Password generator
  o ATM cards, smart cards, etc.

Password generator
- Alice receives a "challenge" R from Bob
- Alice enters R into the password generator
- Alice "responds" to Bob
- Alice has the password generator and knows the PIN

Alice                                           Bob
1. "I'm Alice"                          ------->
2. R                                    <-------
3. Alice enters PIN, R into the password generator
4. The password generator returns F(R)
5. F(R)                                 ------->
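The five-step exchange above, run end to end as an added example (not from the lecture). The slide does not say what F is; here F(R) is assumed to be an HMAC-SHA256 of the challenge under a per-device secret that Bob also holds, and the generator only computes it when the correct PIN is entered. The last check shows why a fresh R per login matters: a response captured from one login is useless against the next challenge.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example: challenge-response login with a PIN-protected password generator.
# Assumptions: F(R) = HMAC-SHA256(device secret, R); Bob holds a copy of the
# device secret; R is 16 random bytes.


class PasswordGenerator:
    """Alice's token: computes F(R) only when the correct PIN is entered."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin

    def respond(self, pin: str, challenge: bytes) -> Optional[bytes]:
        if not hmac.compare_digest(pin.encode("utf-8"), self._pin.encode("utf-8")):
            return None          # wrong PIN: the device gives nothing useful
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Bob: issues a fresh challenge R per login attempt and checks F(R)."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}   # user -> device secret
        self._pending: Dict[str, bytes] = {}   # user -> outstanding challenge

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret

    def challenge(self, user: str) -> bytes:
        r = os.urandom(16)
        self._pending[user] = r
        return r

    def verify(self, user: str, response: Optional[bytes]) -> bool:
        r = self._pending.pop(user, None)      # a challenge is usable once
        if r is None or response is None or user not in self._secrets:
            return False
        expected = hmac.new(self._secrets[user], r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(alice: PasswordGenerator, bob: Verifier, pin_entered: str) -> bool:
    """Steps 1-5 of the slide: claim identity, get R, compute F(R), send it back."""
    r = bob.challenge("Alice")                 # 1 and 2
    f_r = alice.respond(pin_entered, r)        # 3 and 4
    return bob.verify("Alice", f_r)            # 5


def replay_rejected(alice: PasswordGenerator, bob: Verifier, pin: str) -> bool:
    """Capture F(R) from one login and present it to a later challenge."""
    old_r = bob.challenge("Alice")
    captured = alice.respond(pin, old_r)
    bob.verify("Alice", captured)              # the genuine login succeeds
    bob.challenge("Alice")                     # next login issues a new R
    return not bob.verify("Alice", captured)   # the old response must fail


if __name__ == "__main__":
    secret = b"constructed-device-secret"     # constructed sample secret
    alice = PasswordGenerator(secret, "1234")
    bob = Verifier()
    bob.enroll("Alice", secret)
    print(login(alice, bob, "1234"), login(alice, bob, "0000"), replay_rejected(alice, bob, "1234"))
```

This is two-factor in the sense of the next slide: without the device the secret is unavailable, and without the PIN the device does not answer.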

Two-factor authentication
- Requires 2 out of 3 of
  1. Something you know
  2. Something you have
  3. Something you are
- Examples
  o ATM: card and PIN
  o Credit card: card and signature
  o Password generator: device and PIN
  o Smart card with password/PIN

Single sign-on
- Having to enter passwords frequently is a big inconvenience
  o Users want to authenticate only once
  o "Credentials" stay with user wherever he goes
  o Subsequent authentication is transparent to user
- Single sign-on for the Internet?
  o Microsoft: Passport
  o Everybody else: Liberty Alliance
  o Security Assertion Markup Language (SAML)

Web Cookies
- Cookie is provided by a Website and stored on user's machine
- Cookie indexes a database at Website
- Cookies maintain state across sessions
  o Web uses a stateless protocol: HTTP
- Cookies also maintain state within a session
- Like a single sign-on for a website
  o Though a very weak form of authentication
- Cookies and privacy concerns

Authorization

Authentication vs Authorization
- Authentication: Who goes there?
  o Restrictions on who (or what) can access system
- Authorization: Are you allowed to do that?
  o Restrictions on actions of authenticated users
- Authorization is a form of access control
- Authorization enforced by
  o Access Control Lists
  o Capabilities

Lampson's Access Control Matrix

                    | OS  | Accounting program | Accounting data | Insurance data | Payroll data
Bob                 | rx  | rx                 | r               | ---            | ---
Alice               | rx  | rx                 | r               | rw             | rw
Sam                 | rwx | rwx                | r               | rw             | rw
Accounting program  | rx  | rx                 | rw              | rw             | rw

- Subjects (users) index the rows
- Objects (resources) index the columns

Are You Allowed to Do That?
- Access control matrix has all relevant info
- But how to manage a large access control (AC) matrix?
- Could be 1000's of users, 1000's of resources
- Then AC matrix with 1,000,000's of entries
- Need to check this matrix before access to any resource is allowed
- Hopelessly inefficient

Access Control Lists (ACLs)
- ACL: store access control matrix by column
- Example: ACL for Insurance data is the marked column (Bob ---, Alice rw, Sam rw, Accounting program rw)

                    | OS  | Accounting program | Accounting data | Insurance data | Payroll data
Bob                 | rx  | rx                 | r               | ---            | ---
Alice               | rx  | rx                 | r               | rw             | rw
Sam                 | rwx | rwx                | r               | rw             | rw
Accounting program  | rx  | rx                 | rw              | rw             | rw

Capabilities (or C-Lists)
- Store access control matrix by row
- Example: Capability for Alice is the marked row (OS rx, Accounting program rx, Accounting data r, Insurance data rw, Payroll data rw)

                    | OS  | Accounting program | Accounting data | Insurance data | Payroll data
Bob                 | rx  | rx                 | r               | ---            | ---
Alice               | rx  | rx                 | r               | rw             | rw
Sam                 | rwx | rwx                | r               | rw             | rw
Accounting program  | rx  | rx                 | rw              | rw             | rw
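The matrix of the last three slides held as data, with the ACL (column) and capability (row) views derived from it, as an added example that is not part of the lecture. It uses the slide's subjects, objects and rights; `views_agree` checks what the slides state implicitly, that both storage choices answer every access question identically, so the choice between them is about management, not about what is allowed.

```python
from typing import Dict, List

# Added example: Lampson's access control matrix and its two storage views.
# Rights are strings over "rwx"; "" stands for --- (no rights).

SUBJECTS: List[str] = ["Bob", "Alice", "Sam", "Accounting program"]
OBJECTS: List[str] = ["OS", "Accounting program", "Accounting data",
                      "Insurance data", "Payroll data"]

MATRIX: Dict[str, Dict[str, str]] = {
    "Bob":                dict(zip(OBJECTS, ["rx",  "rx",  "r",  "",   ""])),
    "Alice":              dict(zip(OBJECTS, ["rx",  "rx",  "r",  "rw", "rw"])),
    "Sam":                dict(zip(OBJECTS, ["rwx", "rwx", "r",  "rw", "rw"])),
    "Accounting program": dict(zip(OBJECTS, ["rx",  "rx",  "rw", "rw", "rw"])),
}


def acl(matrix: Dict[str, Dict[str, str]], obj: str) -> Dict[str, str]:
    """ACL for obj: one matrix column, stored with the object."""
    return {subject: rights[obj] for subject, rights in matrix.items()}


def capability_list(matrix: Dict[str, Dict[str, str]], subject: str) -> Dict[str, str]:
    """C-list for subject: one matrix row, carried by the subject."""
    return dict(matrix[subject])


def build_acls(matrix: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    return {obj: acl(matrix, obj) for obj in OBJECTS}


def build_clists(matrix: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    return {subject: capability_list(matrix, subject) for subject in matrix}


def allowed_by_acl(acls: Dict[str, Dict[str, str]], subject: str, obj: str, right: str) -> bool:
    """Reference monitor with ACLs: look the subject up in the object's list."""
    return right in acls[obj].get(subject, "")


def allowed_by_capability(clists: Dict[str, Dict[str, str]], subject: str, obj: str, right: str) -> bool:
    """Reference monitor with capabilities: look the object up in the subject's list."""
    return right in clists[subject].get(obj, "")


def views_agree(matrix: Dict[str, Dict[str, str]]) -> bool:
    """Both views give the same answer for every (subject, object, right) triple."""
    acls, clists = build_acls(matrix), build_clists(matrix)
    return all(allowed_by_acl(acls, s, o, r) == allowed_by_capability(clists, s, o, r)
               for s in matrix for o in OBJECTS for r in "rwx")


if __name__ == "__main__":
    print(acl(MATRIX, "Insurance data"))
    print(capability_list(MATRIX, "Alice"))
    print(views_agree(MATRIX))
```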

ACLs vs Capabilities

Access Control List                      Capability
file1: Alice r, Bob ---, Fred r          Alice: file1 r,   file2 w,   file3 rw
file2: Alice w, Bob r,   Fred ---        Bob:   file1 ---, file2 r,   file3 r
file3: Alice rw, Bob r,  Fred r          Fred:  file1 r,   file2 ---, file3 r

- Note that arrows point in opposite directions!
- With ACLs, still need to associate users to files

Confused Deputy
- Two resources
  o Compiler and BILL file (billing info)
- Compiler can write file BILL
- Alice can invoke compiler with a debug filename
- Alice not allowed to write to BILL
- Access control matrix

          | Compiler | BILL
Alice     | x        | ---
Compiler  | rx       | rw

ACLs and Confused Deputy
- Compiler is deputy acting on behalf of Alice
- Compiler is confused
  o Alice is not allowed to write BILL
- Compiler has confused its rights with Alice's
- [Figure: Alice invokes the Compiler with debug filename BILL; the Compiler writes the BILL file]

Confused Deputy
- Compiler acting for Alice is confused
- There has been a separation of authority from the purpose for which it is used
- With ACLs, difficult to avoid this problem
- With Capabilities, easier to prevent problem
  o Must maintain association between authority and intended purpose
  o Capabilities make it easy to delegate authority
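The confused deputy of the last three slides, simulated under both enforcement styles as an added example (not the lecture's code). The matrix is the slides'; the extra file `alice.dbg` that Alice may write, and the detail that the compiler writes its debug output to a caller-supplied name, are assumptions made to run the scenario. Under ACLs the write is checked against the compiler's own identity, so BILL gets written; under capabilities the compiler can only write through a capability Alice hands it, and she has none for BILL.

```python
from typing import Dict, Set

# Added example: the confused deputy with ACL checks versus capability passing.
# Matrix from the slides plus an assumed debug file that Alice owns.

MATRIX: Dict[str, Dict[str, str]] = {
    "Alice":    {"Compiler": "x", "BILL": "", "alice.dbg": "rw"},   # alice.dbg: assumption
    "Compiler": {"Compiler": "rx", "BILL": "rw"},
}


class FileSystem:
    """Records which files were written, so the outcome can be inspected."""

    def __init__(self) -> None:
        self.written: Set[str] = set()

    def write(self, name: str) -> None:
        self.written.add(name)


def has_right(subject: str, obj: str, right: str) -> bool:
    return right in MATRIX.get(subject, {}).get(obj, "")


def compile_with_acl(fs: FileSystem, invoker: str, debug_filename: str) -> bool:
    """ACL enforcement: the ACL of the file is consulted for whoever performs
    the write, and the deputy writes as itself.  Returns True if the write happened."""
    if not has_right(invoker, "Compiler", "x"):
        return False
    # The Compiler is the writer, so its own row is checked, not Alice's:
    # the authority (Compiler may write BILL) is separated from the purpose
    # (write Alice's debug output).  This is the confusion.
    if has_right("Compiler", debug_filename, "w"):
        fs.write(debug_filename)
        return True
    return False


def compile_with_capabilities(fs: FileSystem, invoker: str, debug_filename: str) -> bool:
    """Capability enforcement: the invoker must hand the deputy a capability for
    the debug file out of her own C-list, and the deputy writes only through it."""
    if not has_right(invoker, "Compiler", "x"):
        return False
    capability = MATRIX[invoker].get(debug_filename, "")
    if "w" not in capability:
        return False              # Alice holds no write capability for BILL
    fs.write(debug_filename)
    return True


if __name__ == "__main__":
    fs = FileSystem()
    print(compile_with_acl(fs, "Alice", "BILL"), fs.written)             # BILL written
    fs = FileSystem()
    print(compile_with_capabilities(fs, "Alice", "BILL"), fs.written)    # refused
    print(compile_with_capabilities(fs, "Alice", "alice.dbg"), fs.written)
```

The capability version keeps authority and purpose together because the right to write the output file travels with the request, which is the association the slide says must be maintained.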

ACLs vs Capabilities
- ACLs
  o Good when users manage their own files
  o Protection is data-oriented
  o Easy to change rights to a resource
- Capabilities
  o Easy to delegate
  o Easy to add/delete users
  o Easier to avoid the confused deputy
  o More difficult to implement
  o The "Zen of information security"
- Capabilities loved by academics
  o Capability Myths Demolished

Multilevel Security (MLS) Models

Classifications and Clearances
- Classifications apply to objects
- Clearances apply to subjects
- US Department of Defense uses 4 levels of classifications/clearances
  o TOP SECRET
  o SECRET
  o CONFIDENTIAL
  o UNCLASSIFIED

Clearances and Classification
- To obtain a SECRET clearance requires a routine background check
- A TOP SECRET clearance requires extensive background check
- Practical classification problems
  o Proper classification not always clear
  o Level of granularity to apply classifications
  o Aggregation: flipside of granularity

Subjects and Objects
- Let O be an object, S a subject
  o O has a classification
  o S has a clearance
  o Security level denoted L(O) and L(S)
- For DoD levels, we have TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED

Multilevel Security (MLS)
- MLS needed when subjects/objects at different levels use same system
- MLS is a form of Access Control
- Military/government interest in MLS for many decades
  o Lots of funded research into MLS
  o Strengths and weaknesses of MLS relatively well understood (theoretical and practical)
  o Many possible uses of MLS outside military

MLS Applications
- Classified government/military information
- Business example: info restricted to
  o Senior management only
  o All management
  o Everyone in company
  o General public
- Network firewall
  o Keep intruders at low level to limit damage
- Confidential medical info, databases, etc.

MLS Security Models
- MLS models explain what needs to be done
- Models do not tell you how to implement
- Models are descriptive, not prescriptive
  o High level description, not an algorithm
- There are many MLS models
- We'll discuss simplest MLS model
  o Other models are more realistic
  o Other models also more complex, more difficult to enforce, harder to verify, etc.

Bell-LaPadula
- BLP security model designed to express essential requirements for MLS
- BLP deals with confidentiality
  o To prevent unauthorized reading
- Recall that O is an object, S a subject
  o Object O has a classification
  o Subject S has a clearance
  o Security level denoted L(O) and L(S)

Bell-LaPadula
- BLP consists of
  o Simple Security Condition: S can read O if and only if L(O) ≤ L(S)
  o *-Property (Star Property): S can write O if and only if L(S) ≤ L(O)
- No read up, no write down

McLean's Criticisms of BLP
- McLean: BLP is "so trivial that it is hard to imagine a realistic security model for which it does not hold"
- McLean's "system Z" allowed administrator to reclassify object, then "write down"
- Is this fair?
- Violates spirit of BLP, but not expressly forbidden in statement of BLP
- Raises fundamental questions about the nature of (and limits of) modeling

B and LP's Response
- BLP enhanced with tranquility property
  o Strong tranquility property: security labels never change
  o Weak tranquility property: security label can only change if it does not violate "established security policy"
- Strong tranquility impractical in real world
  o Often want to enforce "least privilege"
  o Give users lowest privilege needed for current work
  o Then upgrade privilege as needed (and allowed by policy)
  o This is known as the high water mark principle
- Weak tranquility allows for least privilege (high water mark), but the property is vague

BLP: The Bottom Line
- BLP is simple, but probably too simple
- BLP is one of the few security models that can be used to prove things about systems
- BLP has inspired other security models
  o Most other models try to be more realistic
  o Other security models are more complex
  o Other models difficult to analyze and/or apply in practice

Biba's Model
- BLP for confidentiality, Biba for integrity
  o Biba is to prevent unauthorized writing
- Biba is (in a sense) the dual of BLP
- Integrity model
  o Suppose you trust the integrity of O but not O'
  o If object O'' includes O and O', then you cannot trust the integrity of O''
- Integrity level of O is the minimum of the integrity of any object in O
- Low water mark principle for integrity

Biba
- Let I(O) denote the integrity of object O and I(S) denote the integrity of subject S
- Biba can be stated as
  o Write Access Rule: S can write O if and only if I(O) ≤ I(S) (if S writes O, the integrity of O ≤ that of S)
  o Biba's Model: S can read O if and only if I(S) ≤ I(O) (if S reads O, the integrity of S ≤ that of O)
- Often, replace Biba's Model with
  o Low Water Mark Policy: If S reads O, then I(S) = min(I(S), I(O))
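The BLP rules of the earlier slide and the Biba rules of this one, side by side as an added example (not the lecture's code). The DoD levels are the slides'; integrity levels as integers 0 to 3 are an assumption, since Biba fixes no scale. The `LowWaterMarkSubject` shows the policy's consequence that the slide only states: after reading a low-integrity object, a subject loses the ability to write high-integrity ones.

```python
from typing import Dict

# Added example: BLP (confidentiality) and Biba (integrity) access rules,
# plus the low water mark policy tracked on a subject.

LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def blp_can_read(L_S: str, L_O: str) -> bool:
    """Simple security condition: S reads O iff L(O) <= L(S) (no read up)."""
    return LEVELS[L_O] <= LEVELS[L_S]


def blp_can_write(L_S: str, L_O: str) -> bool:
    """*-property: S writes O iff L(S) <= L(O) (no write down)."""
    return LEVELS[L_S] <= LEVELS[L_O]


def biba_can_write(I_S: int, I_O: int) -> bool:
    """Write access rule: S writes O iff I(O) <= I(S)."""
    return I_O <= I_S


def biba_can_read(I_S: int, I_O: int) -> bool:
    """Biba's model (strict form): S reads O iff I(S) <= I(O)."""
    return I_S <= I_O


class LowWaterMarkSubject:
    """Low water mark policy: every read is permitted, but afterwards
    I(S) = min(I(S), I(O)), so the subject's integrity can only fall."""

    def __init__(self, integrity: int) -> None:
        self.integrity = integrity

    def read(self, I_O: int) -> int:
        self.integrity = min(self.integrity, I_O)
        return self.integrity

    def write(self, I_O: int) -> bool:
        return biba_can_write(self.integrity, I_O)


def duality_holds() -> bool:
    """BLP and Biba are duals: swapping the roles of read and write (and the
    direction of the comparison) turns one set of rules into the other."""
    pairs = [(s, o) for s in range(4) for o in range(4)]
    names = list(LEVELS)
    return all(blp_can_read(names[s], names[o]) == biba_can_write(s, o)
               and blp_can_write(names[s], names[o]) == biba_can_read(s, o)
               for s, o in pairs)


if __name__ == "__main__":
    print(blp_can_read("SECRET", "TOP SECRET"), blp_can_write("SECRET", "CONFIDENTIAL"))
    subject = LowWaterMarkSubject(3)
    print(subject.write(3), subject.read(1), subject.write(3))
    print(duality_holds())
```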

BLP vs Biba
- [Figure: two level scales, high to low. Confidentiality (BLP): objects labelled by L(O). Integrity (Biba): objects labelled by I(O).]

Multilateral Security (Compartments)

Multilateral Security
- Multilevel Security (MLS) enforces access control up and down
- Simple hierarchy of security labels may not be flexible enough
- Multilateral security enforces access control across by creating compartments
- Suppose TOP SECRET divided into TOP SECRET {CAT} and TOP SECRET {DOG}
- Both are TOP SECRET but information flow restricted across the TOP SECRET level

Multilateral Security
- Why compartments?
  o Why not create a new classification level?
- May not want either of
  o TOP SECRET {CAT} ≥ TOP SECRET {DOG}
  o TOP SECRET {DOG} ≥ TOP SECRET {CAT}
- Compartments allow us to enforce the need to know principle
  o Regardless of your clearance, you only have access to info that you need to know

Multilateral Security
- Arrows indicate the "≥" relationship
- Not all classifications are comparable, e.g., TOP SECRET {CAT} vs SECRET {CAT, DOG}
- [Figure: lattice with nodes TOP SECRET {CAT, DOG}, TOP SECRET {CAT}, TOP SECRET {DOG}, TOP SECRET, SECRET {CAT, DOG}, SECRET {CAT}, SECRET {DOG}, SECRET]
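The "≥" (dominance) relation of the figure, and the BLP rules restated over compartmented labels, as an added example that goes slightly beyond the lecture (the slides state BLP for plain levels only; extending it with need to know is a standard generalisation, not something the slides spell out). `lattice_arrows` recomputes the arrows of the figure from the relation alone: an arrow runs from a to b when a dominates b and no third label sits strictly between them.

```python
from typing import FrozenSet, List, Tuple

# Added example: dominance over (level, compartments) labels and the arrows of
# the lattice figure derived from it.

Label = Tuple[str, FrozenSet[str]]          # (level, set of compartments)
LEVEL_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def label(level: str, *compartments: str) -> Label:
    return level, frozenset(compartments)


def dominates(a: Label, b: Label) -> bool:
    """a >= b iff a's level is at least b's and a's compartments include all of b's."""
    return LEVEL_RANK[a[0]] >= LEVEL_RANK[b[0]] and b[1] <= a[1]


def comparable(a: Label, b: Label) -> bool:
    return dominates(a, b) or dominates(b, a)


def can_read(subject: Label, obj: Label) -> bool:
    """No read up, with need to know: the subject's label must dominate the object's."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """No write down, with need to know: the object's label must dominate the subject's."""
    return dominates(obj, subject)


def lattice_arrows(labels: List[Label]) -> List[Tuple[Label, Label]]:
    """Arrows a -> b of the figure: a dominates b and nothing lies strictly between."""
    arrows = []
    for a in labels:
        for b in labels:
            if a == b or not dominates(a, b):
                continue
            between = any(c != a and c != b and dominates(a, c) and dominates(c, b)
                          for c in labels)
            if not between:
                arrows.append((a, b))
    return arrows


# The eight labels drawn in the figure.
FIGURE_LABELS: List[Label] = [
    label("TOP SECRET", "CAT", "DOG"), label("TOP SECRET", "CAT"),
    label("TOP SECRET", "DOG"), label("TOP SECRET"),
    label("SECRET", "CAT", "DOG"), label("SECRET", "CAT"),
    label("SECRET", "DOG"), label("SECRET"),
]

if __name__ == "__main__":
    ts_cat = label("TOP SECRET", "CAT")
    s_cat_dog = label("SECRET", "CAT", "DOG")
    print(comparable(ts_cat, s_cat_dog))            # the slide's example: not comparable
    print(can_read(ts_cat, label("SECRET", "DOG")))  # cleared TOP SECRET, but no need to know
    for a, b in lattice_arrows(FIGURE_LABELS):
        print(a[0], sorted(a[1]), "->", b[0], sorted(b[1]))
```

The last loop prints exactly the arrows of the figure; a TOP SECRET {CAT} subject cannot read SECRET {DOG} even though its level is higher, which is the need-to-know restriction compartments add to MLS.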

MLS vs Multilateral Security
- MLS can be used without multilateral security or vice-versa
- But, MLS almost always includes multilateral
- Example
  o MLS mandated for protecting medical records of British Medical Association (BMA)
  o AIDS was TOP SECRET, prescriptions SECRET
  o What is the classification of an AIDS drug?
  o Everything tends toward TOP SECRET
  o Defeats the purpose of the system!
- Multilateral security was used instead

Covert Channel

Covert Channel
- MLS designed to restrict legitimate channels of communication
- May be other ways for information to flow
- For example, resources shared at different levels may signal information
- Covert channel: "communication path not intended as such by system's designers"

Covert Channel Example
- Alice has TOP SECRET clearance, Bob has CONFIDENTIAL clearance
- Suppose the file space shared by all users
- Alice creates file FileXYzW to signal "1" to Bob, and removes file to signal "0"
- Once each minute Bob lists the files
  o If file FileXYzW does not exist, Alice sent 0
  o If file FileXYzW exists, Alice sent 1
- Alice can leak TOP SECRET info to Bob!

Covert Channel Example

Time:   →
Alice:  Create file   Delete file   Create file   Delete file
Bob:    Check file    Check file    Check file    Check file    Check file
Data:   1             0             1             0             1

Covert Channel
- Other examples of covert channels
  o Print queue
  o ACK messages
  o Network traffic, etc., etc., etc.
- When does a covert channel exist?
  1. Sender and receiver have a shared resource
  2. Sender able to vary property of resource that receiver can observe
  3. Communication between sender and receiver can be synchronized

Covert Channel
- Covert channels exist almost everywhere
- Easy to eliminate covert channels...
  o Provided you eliminate all shared resources and all communication
- Virtually impossible to eliminate all covert channels in any useful system
  o DoD guidelines: goal is to reduce covert channel capacity to no more than 1 bit/second
  o Implication is that DoD has given up trying to eliminate covert channels!

Covert Channel
- Consider 100MB TOP SECRET file
  o Plaintext version stored in TOP SECRET place
  o Encrypted with AES using 256-bit key, ciphertext stored in UNCLASSIFIED location
- Suppose we reduce covert channel capacity to 1 bit per second
- It would take more than 25 years to leak entire document thru a covert channel
- But it would take less than 5 minutes to leak 256-bit AES key thru covert channel!
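The file-existence channel of the earlier example slides and the capacity arithmetic of this one, as an added example (not the lecture's code). The three conditions for a covert channel are each a function here: a shared resource, a property the sender can vary, and a clock both sides follow. The capacity part takes 100 MB as 100·10^6 bytes (an assumption) and shows why a 1 bit/s bound protects the document but not the key that protects it.

```python
from typing import List, Set

# Added example: the file-existence covert channel run in memory, and the
# time a given capacity gives an attacker for a document versus a key.

SIGNAL_FILE = "FileXYzW"       # the file name from the slide


class SharedFileSpace:
    """Condition 1: a resource visible to both the TOP SECRET and CONFIDENTIAL user."""

    def __init__(self) -> None:
        self.files: Set[str] = set()


def sender_step(space: SharedFileSpace, bit: int) -> None:
    """Condition 2: Alice varies an observable property (the file exists or not)."""
    if bit:
        space.files.add(SIGNAL_FILE)
    else:
        space.files.discard(SIGNAL_FILE)


def receiver_step(space: SharedFileSpace) -> int:
    """Bob lists the files once per tick and reads one bit."""
    return 1 if SIGNAL_FILE in space.files else 0


def transmit(bits: List[int]) -> List[int]:
    """Condition 3: both sides follow the same clock, one bit per tick."""
    space = SharedFileSpace()
    received = []
    for bit in bits:
        sender_step(space, bit)
        received.append(receiver_step(space))
    return received


def seconds_to_leak(n_bits: int, capacity_bits_per_second: float) -> float:
    return n_bits / capacity_bits_per_second


def years_to_leak(n_bits: int, capacity_bits_per_second: float) -> float:
    return seconds_to_leak(n_bits, capacity_bits_per_second) / (365.25 * 24 * 3600)


DOCUMENT_BITS = 100 * 10 ** 6 * 8    # 100 MB file, taken as 100 * 10^6 bytes
KEY_BITS = 256                        # AES-256 key

if __name__ == "__main__":
    print(transmit([1, 0, 1, 0, 1]))
    print("document at 1 bit/s: %.1f years" % years_to_leak(DOCUMENT_BITS, 1))
    print("key at 1 bit/s: %.0f seconds" % seconds_to_leak(KEY_BITS, 1))
```

The point for a defender: a capacity bound is a bound on bits, and the most valuable secret in a system is often the one with the fewest bits.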

Real-World Covert Channel
- Hide data in TCP header "reserved" field
- Or use covert_TCP, tool to hide data in
  o Sequence number
  o ACK number

Real-World Covert Channel
- Hide data in TCP sequence numbers
- Tool: covert_TCP
- Sequence number X contains covert info

A. covert_TCP sender  →  SYN (spoofed source: C, destination: B, SEQ: X)  →  B. Innocent server
B. Innocent server    →  ACK (or RST) (source: B, destination: C, ACK: X)  →  C. covert_TCP receiver

Inference Control

Inference Control Example
- Suppose we query a database
  o Question: What is average salary of female CS professors at SJSU?
  o Answer: $95,000
  o Question: How many female CS professors at SJSU?
  o Answer: 1
- Specific information has leaked from responses to general questions!

Inference Control and Research
- For example, medical records are private but valuable for research
- How to make info available for research and protect privacy?
- How to allow access to such data without leaking specific information?

Naïve Inference Control
- Remove names from medical records?
- Still may be easy to get specific info from such "anonymous" data
- Removing names is not enough
  o As seen in previous example
- What more can be done?

Less-naïve Inference Control
- Query set size control
  o Don't return an answer if set size is too small
- N-respondent, k% dominance rule
  o Do not release statistic if k% or more contributed by N or fewer
  o Example: Avg salary in Bill Gates' neighborhood
  o Used by the US Census Bureau
- Randomization
  o Add small amount of random noise to data
- Many other methods, none satisfactory
Zaštita informacionih sistema, Milan Milosavljević 97
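Added example (not from the lecture): a small statistical database in Python that first reproduces the leak from the SJSU example, then enforces query-set-size control and the N-respondent, k% dominance rule described above. It goes one step beyond the slide by also refusing query sets whose complement is too small, since "everyone except Alice" leaks exactly as much as "only Alice". The table, salaries and thresholds (minimum set size 3, N = 1, k = 50%) are constructed for illustration.

```python
"""Inference control on a statistical database, as an added example.

Not from the lecture: reproduces its leak (average salary of female CS
professors, then their count = 1) and then applies two controls the slides
name, query-set-size control and the N-respondent, k%-dominance rule. People,
salaries and thresholds are constructed for illustration.
"""
from typing import Callable, Dict, List, Optional

Record = Dict[str, object]
Predicate = Callable[[Record], bool]

# Constructed sample table; not real people.
FACULTY: List[Record] = [
    {"name": "Alice", "dept": "CS", "sex": "F", "salary": 95_000},
    {"name": "Bob", "dept": "CS", "sex": "M", "salary": 88_000},
    {"name": "Carol", "dept": "Math", "sex": "F", "salary": 82_000},
    {"name": "Dan", "dept": "CS", "sex": "M", "salary": 91_000},
    {"name": "Erin", "dept": "Math", "sex": "F", "salary": 79_000},
    {"name": "Gates", "dept": "Neighbor", "sex": "M", "salary": 5_000_000},
    {"name": "Hank", "dept": "Neighbor", "sex": "M", "salary": 60_000},
    {"name": "Ivy", "dept": "Neighbor", "sex": "F", "salary": 65_000},
]


def naive_count(rows: List[Record], pred: Predicate) -> int:
    return sum(1 for r in rows if pred(r))


def naive_average(rows: List[Record], pred: Predicate) -> Optional[float]:
    """No inference control: answers every statistical query, which is the leak."""
    sel = [r["salary"] for r in rows if pred(r)]
    return sum(sel) / len(sel) if sel else None


class InferenceControlledDB:
    def __init__(self, rows, min_set_size=3, n_respondents=1, k_percent=50.0):
        self.rows = rows
        self.min_set_size = min_set_size      # query set size control
        self.n_respondents = n_respondents    # N in the N-respondent, k% rule
        self.k_percent = k_percent            # k in the N-respondent, k% rule

    def _query_set(self, pred: Predicate) -> List[int]:
        return [r["salary"] for r in self.rows if pred(r)]

    def _set_size_ok(self, size: int) -> bool:
        # Too-small sets leak directly; a set that is almost the whole table leaks
        # just as much through its complement (total minus "everyone except X").
        complement = len(self.rows) - size
        return size >= self.min_set_size and (complement == 0 or complement >= self.min_set_size)

    def count(self, pred: Predicate) -> Optional[int]:
        size = len(self._query_set(pred))
        return size if self._set_size_ok(size) else None

    def average(self, pred: Predicate) -> Optional[float]:
        sel = self._query_set(pred)
        if not self._set_size_ok(len(sel)):
            return None
        # N-respondent, k% dominance: refuse if the top N contributors supply >= k%.
        top = sorted(sel, reverse=True)[: self.n_respondents]
        if sum(top) * 100.0 / sum(sel) >= self.k_percent:
            return None
        return sum(sel) / len(sel)


def female_cs(r: Record) -> bool:
    return r["dept"] == "CS" and r["sex"] == "F"


def gates_neighborhood(r: Record) -> bool:
    return r["dept"] == "Neighbor"


if __name__ == "__main__":
    print(naive_average(FACULTY, female_cs), naive_count(FACULTY, female_cs))  # the leak
    db = InferenceControlledDB(FACULTY)
    print(db.average(female_cs), db.count(female_cs), db.average(gates_neighborhood))
```

Against the same table the uncontrolled queries return $95,000 and a count of 1, pinning the salary to one person; the controlled database refuses both, refuses the Bill Gates neighborhood average because one respondent contributes over 97% of the total, and still answers the department-wide CS average.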
Inference Control: The Bottom Line
Robust inference control may be impossible
Is weak inference control better than no inference control?
o Yes: Reduces amount of information that leaks and thereby limits the damage
Is weak crypto better than no crypto?
o Probably not: Encryption indicates important data
o May be easier to filter encrypted data
CAPTCHA
Turing Test
Proposed by Alan Turing in 1950
Human asks questions to one other human and one computer (without seeing either)
If human questioner cannot distinguish the human from the computer responder, the computer passes the test
The gold standard in artificial intelligence
No computer can pass this today
CAPTCHA
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
o Automated: test is generated and scored by a computer program
o Public: program and data are public
o Turing test to tell...: humans can pass the test, but machines cannot pass the test
Like an inverse Turing test (sort of...)
CAPTCHA Paradox
"...CAPTCHA is a program that can generate and grade tests that it itself cannot pass..."
"...much like some professors..."
Paradox: computer creates and scores a test that it cannot pass!
CAPTCHA used to restrict access to resources to humans (no computers)
CAPTCHA useful for access control
CAPTCHA Uses?
Original motivation: automated "bots" stuffed ballot box in vote for best CS school
Free email services: spammers used bots to sign up for 1000's of email accounts
o CAPTCHA employed so only humans can get accounts
Sites that do not want to be automatically indexed by search engines
o HTML tag only says "please do not index me"
o CAPTCHA would force human intervention
CAPTCHA: Rules of the Game
Must be easy for most humans to pass
Must be difficult or impossible for machines to pass
o Even with access to CAPTCHA software
The only unknown is some random number
Desirable to have different CAPTCHAs in case some person cannot pass one type
o Blind person could not pass visual test, etc.
Do CAPTCHAs Exist?
Test: Find 2 words in the following [image of distorted words, not reproduced in the transcript]
Easy for most humans
Difficult for computers (OCR problem)
CAPTCHAs
Current types of CAPTCHAs
o Visual: like previous example; many others
o Audio: distorted words or music
No text-based CAPTCHAs
o Maybe this is not possible...
CAPTCHAs and AI
Computer recognition of distorted text is a challenging AI problem
o But humans can solve this problem
Same is true of distorted sound
o Humans also good at solving this
Hackers who break such a CAPTCHA have solved a hard AI problem
Putting hackers' effort to good use!
Firewalls
Firewalls
Firewall must determine what to let in to internal network and/or what to let out
Access control for the network
[Figure: Internet <-> Firewall <-> Internal network]
Firewall as Secretary
A firewall is like a secretary
To meet with an executive
o First contact the secretary
o Secretary decides if meeting is reasonable
o Secretary filters out many requests
You want to meet chair of CS department?
o Secretary does some filtering
You want to meet President of US?
o Secretary does lots of filtering!
Firewall Terminology
No standard terminology
Types of firewalls
o Packet filter: works at network layer
o Stateful packet filter: transport layer
o Application proxy: application layer
o Personal firewall: for single user, home network, etc.
Packet Filter
Operates at network layer
Can filter based on
o Source IP address
o Destination IP address
o Source Port
o Destination Port
o Flag bits (SYN, ACK, etc.)
o Egress or ingress
[Figure: protocol stack (application, transport, network, link, physical)]
Packet Filter
Advantage
o Speed
Disadvantages
o No state
o Cannot see TCP connections
o Blind to application data
[Figure: protocol stack (application, transport, network, link, physical)]
Packet Filter
Configured via Access Control Lists (ACLs)
o Different meaning of ACL than previously

Action  Source IP  Dest IP  Source Port  Dest Port  Protocol  Flag Bits
Allow   Inside     Outside  Any          80         HTTP      Any
Allow   Outside    Inside   80           > 1023     HTTP      ACK
Deny    All        All      All          All        All       All

Intention is to restrict incoming packets to Web responses
TCP ACK Scan
Attacker sends packet with ACK bit set, without prior 3-way handshake
o Violates TCP/IP protocol
ACK packet passes thru packet filter firewall
o Appears to be part of an ongoing connection
RST sent by recipient of such packet
Attacker scans for open ports thru firewall

TCP ACK Scan
[Figure: Trudy -> Packet Filter -> Internal Network]
o Trudy sends ACK packets to dest ports 1207, 1208, 1209
o Only the probe to port 1209 draws a RST
Attacker knows port 1209 is open thru firewall
A stateful packet filter can prevent this (next)
o Since ACK scans are not part of established connections
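Added example (not from the lecture): the ACL table above and the ACK scan, evaluated in Python. `stateless_filter` applies the three rules in order, with Inside/Outside resolved against a constructed 10.0.0.0/8 prefix; `StatefulFilter` additionally records connections opened from inside and drops inbound packets that match none, which is exactly why it stops the scan. Addresses and the probed ports are constructed.

```python
"""Stateless packet-filter ACL vs. a stateful filter under a TCP ACK scan.

Added example, not from the lecture. The ACL is the slide's table, with
"Inside"/"Outside" resolved against a constructed internal prefix. A stateless
filter passes any ACK packet from source port 80 to a high port, so the scan
learns which ports the firewall lets through; a stateful filter passes such a
packet only if it belongs to a connection it saw opened from inside.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Set, Tuple

INTERNAL = ip_network("10.0.0.0/8")  # constructed internal network
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def side(ip: str) -> str:
    return "Inside" if ip_address(ip) in INTERNAL else "Outside"


def port_match(rule: str, port: int) -> bool:
    if rule in ("Any", "All"):
        return True
    if rule.startswith(">"):
        return port > int(rule[1:])
    return port == int(rule)


def flags_match(rule: str, flags: int) -> bool:
    if rule in ("Any", "All"):
        return True
    return rule == "ACK" and bool(flags & ACK)


# (Action, Source, Dest, Source Port, Dest Port, Flag Bits): the slide's ACL, all HTTP/TCP.
ACL = [
    ("Allow", "Inside", "Outside", "Any", "80", "Any"),
    ("Allow", "Outside", "Inside", "80", ">1023", "ACK"),
    ("Deny", "All", "All", "All", "All", "All"),
]


def stateless_filter(pkt: Packet) -> str:
    """First matching rule wins; the final Deny-all catches everything else."""
    for action, src, dst, sport, dport, fl in ACL:
        if (src in ("All", side(pkt.src)) and dst in ("All", side(pkt.dst))
                and port_match(sport, pkt.sport) and port_match(dport, pkt.dport)
                and flags_match(fl, pkt.flags)):
            return action
    return "Deny"


class StatefulFilter:
    """Remembers connections opened from inside; inbound packets must match one."""

    def __init__(self) -> None:
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        if side(pkt.src) == "Inside":
            if pkt.flags & SYN:  # outbound SYN: record (src, sport, dst, dport)
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return stateless_filter(pkt)
        # Inbound: only return traffic for a known connection is considered at all.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.connections:
            return "Deny"  # an ACK-scan probe has no matching connection
        return stateless_filter(pkt)


def ack_scan(filt: Callable[[Packet], str], attacker: str = "203.0.113.5",
             target: str = "10.0.0.20", ports=(1207, 1208, 1209)) -> List[int]:
    """Trudy's probes: bare ACKs from source port 80. A probe that reaches the host
    draws a RST, so the returned list is what she learns is open through the firewall."""
    return [p for p in ports if filt(Packet(attacker, target, 80, p, ACK)) == "Allow"]


if __name__ == "__main__":
    probes = (22, 1023, 1207, 1209)
    print("stateless:", ack_scan(stateless_filter, ports=probes))        # [1207, 1209]
    print("stateful: ", ack_scan(StatefulFilter().filter, ports=probes))  # []
```

With the slide's ACL every high port is reachable by a spoofed "Web response", so the stateless scan maps the rule set rather than the hosts; the stateful filter only lets the SYN/ACK through once it has seen the inside host's own SYN to that peer.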
Stateful Packet Filter
Adds state to packet filter
Operates at transport layer
Remembers TCP connections and flag bits
Can even remember UDP packets (e.g., DNS requests)
[Figure: protocol stack (application, transport, network, link, physical)]
Stateful Packet Filter
Advantages
o Can do everything a packet filter can do plus...
o Keep track of ongoing connections
Disadvantages
o Cannot see application data
o Slower than packet filtering
[Figure: protocol stack (application, transport, network, link, physical)]
Application Proxy
A proxy is something that acts on your behalf
Application proxy looks at incoming application data
Verifies that data is safe before letting it in
[Figure: protocol stack (application, transport, network, link, physical)]
Application Proxy
Advantages
o Complete view of connections and application data
o Filter bad data at application layer (viruses, Word macros)
Disadvantage
o Speed
[Figure: protocol stack (application, transport, network, link, physical)]
Application Proxy
Creates a new packet before sending it thru to internal network
Attacker must talk to proxy and convince it to forward message
Proxy has complete view of connection
Prevents some attacks a stateful packet filter cannot see (next slides)
Firewalk
Tool to scan for open ports thru firewall
Known: IP address of firewall and IP address of one system inside firewall
o TTL set to 1 more than number of hops to firewall, and destination port set to N
o If firewall does not let thru data on port N, no response
o If firewall allows data on port N thru firewall, get time exceeded error message (from the router one hop past the firewall)
Firewalk and Proxy Firewall
[Figure: Trudy -> Router -> Router -> Packet filter -> Router]
o Probes: dest port 12345, TTL=4; dest port 12344, TTL=4; dest port 12343, TTL=4
o The probe on a port the packet filter lets thru draws a "Time exceeded" message
This will not work thru an application proxy
o The proxy creates a new packet, destroys old TTL
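Added example (not the Firewalk tool itself): a hop-by-hop model in Python of the probe described above. Each router decrements TTL and reports ICMP time-exceeded when it reaches zero; the packet filter drops or forwards (decrementing like a router), while the application proxy rebuilds the packet with a fresh TTL, which is why the technique fails against it. The topology (firewall three hops away, hence TTL = 4), the allowed ports and the probed ports are constructed.

```python
"""Firewalk-style TTL probing through a packet filter vs. an application proxy.

Added example, not the real Firewalk tool. The path is a list of hops; each
router decrements TTL and answers ICMP time-exceeded when it reaches zero. The
attacker knows the firewall is fw_hops away and sends TTL = fw_hops + 1, so a
probe the firewall forwards dies one hop later and is reported, while a dropped
probe is never heard of again. Ports and hop counts are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Set

TIME_EXCEEDED, NO_RESPONSE, DELIVERED = "time exceeded", "no response", "delivered"


@dataclass(frozen=True)
class Probe:
    dport: int
    ttl: int


# A hop returns either the (possibly rewritten) probe to forward, or a verdict string.
Hop = Callable[[Probe], object]


def router(p: Probe) -> object:
    """Plain router: decrement TTL; at zero, send ICMP time-exceeded back to the source."""
    if p.ttl - 1 == 0:
        return TIME_EXCEEDED
    return Probe(p.dport, p.ttl - 1)


def packet_filter(allowed: Set[int]) -> Hop:
    """Stateless filter that also routes: drop silently, or forward with TTL - 1."""
    def hop(p: Probe) -> object:
        if p.dport not in allowed:
            return NO_RESPONSE
        return router(p)
    return hop


def application_proxy(allowed: Set[int], fresh_ttl: int = 64) -> Hop:
    """Proxy terminates the connection and creates a new packet: the old TTL is destroyed."""
    def hop(p: Probe) -> object:
        if p.dport not in allowed:
            return NO_RESPONSE
        return Probe(p.dport, fresh_ttl)
    return hop


def endpoint(p: Probe) -> object:
    return DELIVERED


def send(path: List[Hop], probe: Probe) -> str:
    """Walk the probe hop by hop until some hop returns a verdict."""
    current: object = probe
    for hop in path:
        current = hop(current)
        if isinstance(current, str):
            return current
    return NO_RESPONSE


def firewalk(path: List[Hop], fw_hops: int, ports: List[int]) -> List[int]:
    """Ports whose probes produced time-exceeded from the hop after the firewall."""
    return [d for d in ports if send(path, Probe(d, fw_hops + 1)) == TIME_EXCEEDED]


# Slide topology: Trudy -> Router -> Router -> Firewall -> Router -> host (firewall 3 hops away).
PATH_FILTER = [router, router, packet_filter({80, 12345}), router, endpoint]
PATH_PROXY = [router, router, application_proxy({80, 12345}), router, endpoint]

if __name__ == "__main__":
    print(firewalk(PATH_FILTER, fw_hops=3, ports=[12343, 12344, 12345]))  # [12345]
    print(firewalk(PATH_PROXY, fw_hops=3, ports=[12343, 12344, 12345]))   # []
```

Sending with TTL equal to the firewall's own hop count makes the firewall itself emit the time-exceeded message, which is how the first phase of the technique locates the firewall; behind a proxy the rebuilt packet reaches the host with a fresh TTL and the attacker never sees a router expire it.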
Personal Firewall
To protect one user or home network
Can use any of the methods
o Packet filter
o Stateful packet filter
o Application proxy
Firewalls and Defense in Depth
Example security architecture:
[Figure: Internet -> Packet Filter -> DMZ (FTP server, DNS server, WWW server) -> Application Proxy -> Intranet with Personal Firewalls]
Intrusion Detection Systems
Intrusion Prevention
Want to keep bad guys out
Intrusion prevention is a traditional focus of computer security
o Authentication is to prevent intrusions
o Firewalls a form of intrusion prevention
o Virus defenses also intrusion prevention
Comparable to locking the door on your car
Intrusion Detection
In spite of intrusion prevention, bad guys will sometimes get into the system
Intrusion detection systems (IDS)
o Detect attacks
o Look for "unusual" activity
IDS developed out of log file analysis
IDS is currently a very hot research topic
How to respond when intrusion detected?
o We don't deal with this topic here
Intrusion Detection Systems
Who is likely intruder?
o May be outsider who got thru firewall
o May be evil insider
What do intruders do?
o Launch well-known attacks
o Launch variations on well-known attacks
o Launch new or little-known attacks
o Use a system to attack other systems
o Etc.
IDS
Intrusion detection approaches
o Signature-based IDS
o Anomaly-based IDS
Intrusion detection architectures
o Host-based IDS
o Network-based IDS
Most systems can be classified as above
o In spite of marketing claims to the contrary!
Host-based IDS
Monitor activities on hosts for
o Known attacks or
o Suspicious behavior
Designed to detect attacks such as
o Buffer overflow
o Escalation of privilege
Little or no view of network activities
Network-based IDS
Monitor activity on the network for
o Known attacks
o Suspicious network activity
Designed to detect attacks such as
o Denial of service
o Network probes
o Malformed packets, etc.
Can be some overlap with firewall
Little or no view of host-based attacks
Can have both host and network IDS
Signature Detection Example
Failed login attempts may indicate password cracking attack
IDS could use the rule "N failed login attempts in M seconds" as signature
If N or more failed login attempts in M seconds, IDS warns of attack
Note that the warning is specific
o Admin knows what attack is suspected
o Admin can verify attack (or false alarm)
Signature Detection
Suppose IDS warns whenever N or more failed logins in M seconds
Must set N and M so that false alarms are not common
Can do this based on normal behavior
But if attacker knows the signature, he can try N-1 logins every M seconds!
In this case, signature detection slows the attacker, but might not stop him
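Added example (not from the lecture): the "N failed logins in M seconds" signature in Python, run over constructed syslog-style sshd lines, followed by the evasion just described, where Trudy sends N-1 failures per M seconds. It also shows one "almost signature" variant from the next slide: the same detector with a larger N over a longer window catches the slow attacker. The log format, the regex, N = 5 and M = 60 are illustrative assumptions.

```python
"""Signature "N failed logins in M seconds", run over constructed auth-log lines.

Added example, not from the lecture. Log lines imitate syslog sshd output; the
regex, N = 5 and M = 60 are illustrative. The second part shows the slide's
evasion: an attacker who knows the signature tries N - 1 logins per M seconds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

N_FAILS, M_SECONDS = 5, 60

# Constructed log excerpt (not a real capture); syslog timestamps carry no year.
LOG = """\
Mar  3 10:00:01 host sshd[101]: Failed password for alice from 203.0.113.5 port 50001 ssh2
Mar  3 10:00:07 host sshd[101]: Failed password for alice from 203.0.113.5 port 50002 ssh2
Mar  3 10:00:15 host sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:20 host sshd[101]: Failed password for alice from 203.0.113.5 port 50003 ssh2
Mar  3 10:00:31 host sshd[101]: Failed password for alice from 203.0.113.5 port 50004 ssh2
Mar  3 10:00:44 host sshd[101]: Failed password for alice from 203.0.113.5 port 50005 ssh2
Mar  3 10:00:50 host sshd[103]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
Mar  3 10:00:58 host sshd[101]: Failed password for alice from 203.0.113.5 port 50006 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+)")

Event = Tuple[datetime, str, str]  # (timestamp, user, source ip)


def parse(lines: str, year: int = 2024) -> List[Event]:
    """Keep only failed-login lines; the year is supplied since syslog omits it."""
    events = []
    for line in lines.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def detect(events: List[Event], n: int = N_FAILS, m: int = M_SECONDS) -> List[Tuple[str, datetime]]:
    """Per source IP, keep the failures in the last m seconds (window (t - m, t]);
    alert when the count reaches n, then reset so one burst produces one alert."""
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts = []
    for ts, _user, ip in sorted(events):
        w = windows[ip]
        w.append(ts)
        while (ts - w[0]).total_seconds() >= m:
            w.popleft()
        if len(w) >= n:
            alerts.append((ip, ts))
            w.clear()
    return alerts


def slow_attacker(ip: str, per_window: int, m: int = M_SECONDS, rounds: int = 4,
                  start: datetime = datetime(2024, 3, 3, 11, 0, 0)) -> List[Event]:
    """Trudy's trace: per_window failures at the start of each m-second period."""
    return [(start + timedelta(seconds=r * m + i), "alice", ip)
            for r in range(rounds) for i in range(per_window)]


if __name__ == "__main__":
    print(detect(parse(LOG)))                 # one alert for 203.0.113.5 at 10:00:44
    trudy = slow_attacker("203.0.113.9", N_FAILS - 1)
    print(len(trudy), detect(trudy))          # 16 failures, no alert with N=5, M=60
    print(detect(trudy, n=12, m=200))         # a looser "about N in about M" catches her
```

The window is half-open on purpose: with an inclusive window, four attempts exactly every 60 seconds would count the attempt from 60 seconds ago and trip the rule, which is the kind of boundary detail that decides whether the N-1 evasion works. Widening to "12 in 200 seconds" catches this attacker but raises the false-alarm risk the next slide warns about, so such thresholds need to be tuned against real normal traffic.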
Signature Detection
Many techniques used to make signature detection more robust
Goal is usually to detect "almost signatures"
For example, if "about" N login attempts in "about" M seconds
o Warn of possible password cracking attempt
o What are reasonable values for "about"?
o Can use statistical analysis, heuristics, other
o Must take care not to increase false alarm rate
Signature Detection
Advantages of signature detection
o Simple
o Detect known attacks
o Know which attack at time of detection
o Efficient (if reasonable number of signatures)
Disadvantages of signature detection
o Signature files must be kept up to date
o Number of signatures may become large
o Can only detect known attacks
o Variation on known attack may not be detected
Anomaly Detection
Anomaly detection systems look for unusual or abnormal behavior
There are (at least) two challenges
o What is normal for this system?
o How "far" from normal is abnormal?
Statistics is obviously required here!
o The mean defines normal
o The variance indicates how far abnormal lives from normal
What is Normal?
Consider the scatterplot [figure with axes x and y, not reproduced in the transcript]
o White dot is "normal"
o Is red dot normal? Is green dot normal?
o How abnormal is the blue dot?
Stats can be tricky!
How to Measure Normal?
How to measure normal?
o Must measure during "representative" behavior
o Must not measure during an attack...
o ...or else attack will seem normal!
o Normal is statistical mean
o Must also compute variance to have any reasonable chance of success
How to Measure Abnormal?
Abnormal is relative to some "normal"
o Abnormal indicates possible attack
Statistical discrimination techniques:
o Bayesian statistics
o Linear discriminant analysis (LDA)
o Quadratic discriminant analysis (QDA)
o Neural nets, hidden Markov models, etc.
Fancy modeling techniques also used
o Artificial intelligence
o Artificial immune system principles
o Many others!
Anomaly Detection (1)
Suppose we monitor use of three commands: open, read, close
Under normal use we observe that Alice does
  open, read, close, open, open, read, close, ...
Of the nine possible ordered pairs (three commands, repeats such as (open,open) allowed), four pairs are "normal" for Alice:
  (open,read), (read,close), (close,open), (open,open)
Can we use this to identify unusual activity?
Anomaly Detection (1)
We monitor use of the three commands open, read, close
If the ratio of abnormal to normal pairs is "too high", warn of possible attack
Could improve this approach by
o Also using expected frequency of each pair
o Using more than two consecutive commands
o Including more commands/behavior in the model
o More sophisticated statistical discrimination
Anomaly Detection (2)
Over time, Alice has accessed file Fn at rate Hn:
  H0   H1   H2   H3
  .10  .40  .40  .10
Recently, Alice has accessed file Fn at rate An:
  A0   A1   A2   A3
  .10  .40  .30  .20
Is this "normal" use?
We compute S = (H0 - A0)^2 + (H1 - A1)^2 + (H2 - A2)^2 + (H3 - A3)^2 = .02
And consider S < 0.1 to be normal, so this is normal
Problem: How to account for use that varies over time?
Anomaly Detection (2)
To allow "normal" to adapt to new use, we update long-term averages as
  Hn = 0.2 An + 0.8 Hn
Then H0 and H1 are unchanged, H2 = .2(.3) + .8(.4) = .38 and H3 = .2(.2) + .8(.1) = .12
And the long term averages are updated as
  H0   H1   H2   H3
  .10  .40  .38  .12
Anomaly Detection (2)
The updated long term average is
  H0   H1   H2   H3
  .10  .40  .38  .12
New observed rates are
  A0   A1   A2   A3
  .10  .30  .30  .30
Is this normal use?
Compute S = (H0 - A0)^2 + ... + (H3 - A3)^2 = .0488
Since S = .0488 < 0.1 we consider this normal
And we again update the long term averages by Hn = 0.2 An + 0.8 Hn
Anomaly Detection (2)
The starting averages were
  H0   H1   H2   H3
  .10  .40  .40  .10
After 2 iterations, the averages are
  H0   H1    H2    H3
  .10  .38   .364  .156
The stats slowly evolve to match behavior
This reduces false alarms and work for admin
But also opens an avenue for attack...
Suppose Trudy always wants to access F3
She can convince IDS this is normal for Alice!
Anomaly Detection (2)
To make this approach more robust, must also incorporate the variance
Can also combine N stats as, for example,
  T = (S1 + S2 + S3 + ... + SN) / N
to obtain a more complete view of "normal"
Similar (but more sophisticated) approach is used in IDS known as NIDES
NIDES includes anomaly and signature IDS
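Added example (not from the lecture): both anomaly models from the slides in Python. `normal_pairs` and `abnormal_ratio` implement the command-pair model from Anomaly Detection (1); `score`, `update` and `run_rounds` implement S and the 0.2/0.8 update from Anomaly Detection (2) and reproduce the slide's values (S = .02 then .0488, averages .10, .38, .364, .156). `slow_drift` then shows the attack from the previous slide in general form: Trudy moves each observation only part of the way toward the rates she wants, so every round scores as normal while the averages creep toward her target. Her target rates and step size are constructed.

```python
"""The lecture's two anomaly-detection models, with its numbers, as an added example.

Not from the lecture's own material: (1) the command-pair model learns the set
of ordered pairs seen in Alice's normal trace and scores a new trace by the
fraction of unseen pairs; (2) the file-access model scores S = sum (Hn - An)^2
against the threshold 0.1 and updates Hn = 0.2 An + 0.8 Hn. The slow-drift
attack at the end (Trudy's target rates and step size) is constructed.
"""
from typing import List, Sequence, Set, Tuple

Pair = Tuple[str, str]


def normal_pairs(trace: Sequence[str]) -> Set[Pair]:
    """Model (1): ordered pairs of consecutive commands seen during normal use."""
    return set(zip(trace, trace[1:]))


def abnormal_ratio(trace: Sequence[str], normal: Set[Pair]) -> float:
    """Fraction of consecutive pairs in the new trace not seen in normal use."""
    pairs = list(zip(trace, trace[1:]))
    if not pairs:
        return 0.0
    return sum(p not in normal for p in pairs) / len(pairs)


def score(H: Sequence[float], A: Sequence[float]) -> float:
    """Model (2): S = (H0 - A0)^2 + ... + (H3 - A3)^2."""
    return sum((h - a) ** 2 for h, a in zip(H, A))


def update(H: Sequence[float], A: Sequence[float], alpha: float = 0.2) -> List[float]:
    """Long-term averages adapt: Hn = alpha*An + (1 - alpha)*Hn (slides use 0.2/0.8)."""
    return [alpha * a + (1 - alpha) * h for h, a in zip(H, A)]


def run_rounds(H: Sequence[float], observations: Sequence[Sequence[float]],
               threshold: float = 0.1):
    """Score each observation against the current H, then adapt H. Returns the
    final H and, per round, (S rounded to 4 places, judged normal?)."""
    H = list(H)
    rounds = []
    for A in observations:
        s = score(H, A)
        rounds.append((round(s, 4), s < threshold))
        H = update(H, A)
    return H, rounds


def slow_drift(H: Sequence[float], target: Sequence[float], rounds: int,
               step: float = 0.5, threshold: float = 0.1):
    """Trudy moves each observation only `step` of the way from H to her target,
    so every round scores as normal while H creeps toward what she wants.
    Returns the final H and whether she stayed under the threshold throughout."""
    H = list(H)
    scores = []
    for _ in range(rounds):
        A = [h + step * (t - h) for h, t in zip(H, target)]
        scores.append(score(H, A))
        H = update(H, A)
    return H, max(scores) < threshold


# Values from the slides.
H_START = [0.10, 0.40, 0.40, 0.10]
OBSERVED = [[0.10, 0.40, 0.30, 0.20], [0.10, 0.30, 0.30, 0.30]]
ALICE_NORMAL = "open,read,close,open,open,read,close".split(",")

if __name__ == "__main__":
    print(sorted(normal_pairs(ALICE_NORMAL)))
    print(run_rounds(H_START, OBSERVED))   # S = 0.02 then 0.0488; H -> [.10, .38, .364, .156]
    target = [0.1, 0.2, 0.2, 0.5]          # constructed: Trudy mostly wants F3
    print(round(score(H_START, target), 3))  # 0.24: jumping straight there would be flagged
    H_final, undetected = slow_drift(H_START, target, rounds=15)
    print([round(h, 3) for h in H_final], undetected)
```

Jumping straight to the target rates scores 0.24 and is flagged; taking half a step per round keeps every S at or below 0.06, and after fifteen rounds the "normal" profile has H3 above 0.4, so the target itself now scores well under 0.1. Incorporating the variance, as the slide suggests, is what makes such a steady drift visible.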
Anomaly Detection Issues
System constantly evolves and so must IDS
o Static system would place huge burden on admin
o But evolving IDS makes it possible for attacker to (slowly) convince IDS that an attack is normal!
o Attacker may win simply by "going slow"
What does "abnormal" really mean?
o Only that there is possibly an attack
o May not say anything specific about attack!
o How to respond to such vague information?
Signature detection tells exactly which attack
Anomaly Detection
Advantages
o Chance of detecting unknown attacks
o May be more efficient (since no signatures)
Disadvantages
o Today, cannot be used alone
o Must be used with a signature detection system
o Reliability is unclear
o May be subject to attack
o Anomaly detection indicates something unusual
o But lack of specific info on possible attack!
Anomaly Detection: The Bottom Line
Anomaly-based IDS is active research topic
Many security professionals have very high hopes for its ultimate success
Often cited as key future security technology
Hackers are not convinced!
o Title of a talk at Defcon 11: "Why Anomaly-based IDS is an Attacker's Best Friend"
Anomaly detection is difficult and tricky
Is anomaly detection as hard as AI?
Access Control Summary
Authentication and authorization
o Authentication: who goes there?
  Passwords: something you know
  Biometrics: something you are (or "you are your key")
Access Control Summary
Authorization: are you allowed to do that?
o Access control matrix/ACLs/Capabilities
o MLS/Multilateral security
o BLP/Biba
o Covert channel
o Inference control
o CAPTCHA
o Firewalls
o IDS
Coming Attractions...
Security protocols
o Generic authentication protocols
o SSL
o IPSec
o Kerberos
o GSM
We'll see lots of crypto applications in the next chapter