60564 Survey - PowerPoint PPT Presentation
Slides: 24
Provided by: LeddyL2

Transcript and Presenter's Notes

1
60-564 Survey
  • Intrusion Detection Systems and Models
  • A Stateful Intrusion Detection System for
    World-Wide Web Servers

2
Outline
  • Introduction
  • Computer attacks
  • The STAT framework
  • Intrusion detection systems
  • A novel IDS: WebSTAT
  • Performance evaluation
  • Conclusion

3
Introduction
  • Computer security is the protection of computer
    resources, such as
      • read and write access to a data file
      • processing time
      • communication over a network link
  • An intrusion is somebody attempting to break into
    or misuse your system
  • An IDS is a security system designed to identify
    intrusive or malicious behavior by monitoring
    host or network activity

4
Computer Attacks
  • Worms - self replicating programs that spread
    across a network.
  • Viruses - programs that replicate when a user
    performs some action such as running a program.
  • Server attacks - a client exploits a bug in the
    server to cause it to perform some unintended
    action.
  • Client attacks - a server exploits a bug in a
    client to cause it to perform some unintended
    action.
  • Network attacks (denial of service) - a remote
    attacker exploits a bug in the network software
    or weakness in the protocol to cause a server,
    router, or network to fail.
  • Root attacks - a user on a multiuser operating
    system obtains the privileges of another user
    (usually root)

5
Computer Attacks - Worm
  • A worm is an independent program that replicates
    from machine to machine across network
    connections.
  • Three security flaws that worms exploit:
      • Backdoor
          • bypasses the normal security mechanisms
          • usually installed for maintenance purposes
      • Buffer overflow
          • a process's memory holds code, data, and a
            stack
          • the stack stores information associated with
            function calls, including the saved return
            address
          • by overwriting the stack, the attacker can
            both inject malicious code and redirect the
            saved return address to point at that code
      • Weak password
          • the worm first guesses the administrator's
            password
          • it then copies itself into the startup
            sequence, so that it runs (and propagates)
            every time the machine starts up

6
Computer Attacks - Virus
  • A virus is a program capable of causing great harm
    to the computer
  • Unlike a worm, it requires action from a user to
    spread
  • For example, email viruses spread when the
    recipient runs an attached program

7
Computer Attacks - Server Attacks
  • Nearly every type of network service has had
    vulnerabilities identified and attacked
  • For example, IIS 4 installed a number of sample
    scripts by default
  • These scripts gave clients the ability to view any
    file on the same volume as the web server

8
Computer Attacks - Client Attacks
  • Unlike a server attack, a client attack works by
    waiting for victims to connect to a rogue server
  • For example, a buffer overflow vulnerability was
    found in Outlook
  • It allowed arbitrary code to be executed by
    overflowing the time zone field of the Date header
    in a mail message
  • It was triggered as soon as the user downloaded
    the mail from the mail server with Outlook

9
Computer Attacks - Network Attacks
  • usually Denial of Service (DoS) attacks
  • disturb the normal operation of applications
  • take advantage of a weakness in the system or
    application
  • cause it to crash or stop responding
  • For example, the ping of death: an attacker sends
    fragmented ICMP echo packets whose reassembled
    size exceeds the 65,535-byte IP maximum, which
    caused many TCP/IP implementations to crash on
    reassembly.

10
Computer Attacks - Root Attacks
  • a user on a multi-user system obtains root or
    administrative privileges
  • Certain programs have the setuid bit set;
    subverting such a program yields the privileges of
    its owner, often root

11
The STAT Framework
  • STAT (State Transition Analysis Technique) is a
    technique for representing high-level
    descriptions of computer attacks
  • The STAT framework has six components:
      • STATL
      • Language Extension Module
      • Event Provider
      • Scenario Plug-in
      • Response Module
      • STAT Core

12
The STATL Language
  • An attack description language
  • Uses states and transitions to represent attack
    scenarios
  • Domain-independent
  • It is extended by the IDS developer to express
    the characteristics of a particular domain and
    environment, e.g. Sun Solaris or Windows NT.

13
Language Extension Modules
  • Shared libraries that define the events describing
    a particular application domain
  • Loaded into the STAT Core at runtime
  • Must be loaded before any Scenario Plug-in or
    Event Provider that uses them

14
Event Providers
  • Collects events from the external environment
  • Creates events of the types defined in a Language
    Extension Module
  • Encapsulates them as generic STAT events
  • Inserts them into the event queue of the STAT
    Core

15
Scenario Plugins
  • A shared library that describes an attack scenario
  • Either compiled from a STATL description or
    written by hand

16
Response Modules
  • A shared library that contains Response Functions
  • When a given state in a scenario is reached, the
    associated Response Function is invoked
  • For example, send an alert to an operator, or take
    steps to stop an ongoing attack once a state is
    reached

17
STAT Core
  • Loads the various modules
  • Matches the events supplied by Event Providers
    against the transitions of the active scenarios
  • Executes the matching transitions
  • Triggers the responses defined in Response Modules

18
Intrusion Detection System
  • Host-based IDS
      • uses log files and system auditing agents
      • monitors the communication traffic in and out
        of a single computer
      • checks the integrity of system files and
        processes
  • Network-based IDS
      • monitors the traffic on its network segment
      • matches three kinds of signatures: string,
        port, and header signatures
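The integrity check a host-based IDS performs on system files, as an added example that is not code from any IDS product described on this page. A baseline of SHA-256 digests and permission bits is taken over a tree, the tree is tampered with in the ways a root attack leaves behind (a second uid-0 account, a setuid bit, a deleted file, a preload hook), and the second baseline is diffed against the first. The directory tree and its contents are constructed in a temporary directory for the demonstration; the file names are chosen to resemble a Unix /etc, nothing on the real host is read.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map each regular file under root (relative path) to (digest, permission bits)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a real tool records link targets separately; skipped here
            mode = os.lstat(full).st_mode & 0o7777  # includes setuid/setgid/sticky bits
            baseline[os.path.relpath(full, root)] = (hash_file(full), mode)
    return baseline


def compare(old, new):
    """Classify every difference between two baselines."""
    report = {"modified": [], "permission_changed": [], "added": [], "removed": []}
    for rel, (digest, mode) in new.items():
        if rel not in old:
            report["added"].append(rel)
            continue
        old_digest, old_mode = old[rel]
        if digest != old_digest:
            report["modified"].append(rel)
        if mode != old_mode:
            report["permission_changed"].append(rel)
    report["removed"] = [rel for rel in old if rel not in new]
    return {k: sorted(v) for k, v in report.items()}


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Baseline a constructed tree, tamper with it, and return the differences."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        login = os.path.join(root, "login")
        _write(login, "#!/bin/sh\nexec /sbin/login\n")
        os.chmod(login, 0o755)
        before = take_baseline(root)

        # Constructed tampering: a second uid-0 account, a setuid bit on a
        # binary, a deleted file, and a dynamic-loader preload hook.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("eve:x:0:0::/:/bin/sh\n")
        os.chmod(login, 0o4755)
        os.remove(os.path.join(etc, "hosts"))
        _write(os.path.join(etc, "ld.so.preload"), "/tmp/evil.so\n")
        return compare(before, take_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The permission bits are compared separately from the digest because a setuid bit flipped on an unchanged binary is exactly the root-attack foothold slide 10 describes, and a content-only check would miss it. In a real deployment the baseline must be stored where the monitored host cannot rewrite it, otherwise an intruder with root simply re-baselines.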

19
WebSTAT
  • WebSTAT is an IDS built on the STAT framework.
  • It is composed from the STAT Core plus
    web-specific language extension modules, event
    providers, attack scenario plug-ins, and response
    modules.

20
Attack Scenario Examples
  • Document root escape: the scenario correlates
    events from the web server log and the operating
    system logs to detect unauthorized file system
    access outside the document root
  • Cookie stealing: the scenario detects a valid
    cookie being replayed by an unauthorized user to
    reach protected web resources
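The two scenarios above, together with the STAT Core dispatch described on slides 11 to 17, as an added example that is not the STAT framework's or WebSTAT's own code: a miniature Python STAT core in which each scenario is a set of states joined by guarded transitions, a nonconsuming transition forks a new instance (so one prototype can watch many cookies), and reaching the final state fires the response. It is run over constructed Apache-style log lines. Assumptions: the log format is the combined format with the Cookie request header appended as a final quoted field, the session cookie is named SESSIONID, and the document-root escape scenario here consumes only the web server log, whereas WebSTAT also correlates operating system logs.

```python
import re
from collections import namedtuple
from urllib.parse import unquote

# "Language extension module": the event type a web sensor delivers.
HttpEvent = namedtuple("HttpEvent", "src path cookie status")

# "Event provider": Apache combined log lines with the Cookie header appended
# as a final quoted field (an assumed LogFormat, not WebSTAT's own).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" (\d{3}) \S+ '
                    r'"[^"]*" "[^"]*" "([^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # lines in another format are ignored
    src, path, status, cookie_hdr = m.groups()
    c = re.search(r"SESSIONID=(\w+)", cookie_hdr)  # SESSIONID is an assumed cookie name
    return HttpEvent(src, path, c.group(1) if c else "", int(status))

# "Scenario plug-in": states joined by guarded transitions, STATL style.
# A nonconsuming transition forks a fresh instance and leaves the original in place.
Transition = namedtuple("Transition", "src dst guard action nonconsuming",
                        defaults=[lambda e, env: None, False])
Scenario = namedtuple("Scenario", "name initial final transitions")

class Instance:
    def __init__(self, state, env=None):
        self.state, self.env = state, dict(env or {})  # env: scenario-local variables

def escapes_root(path):
    """True if the (double-)URL-decoded path climbs above the document root."""
    depth = 0
    for seg in unquote(unquote(path)).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def document_root_escape():
    return Scenario("document_root_escape", "init", "escaped", [
        Transition("init", "escaped", lambda e, env: escapes_root(e.path),
                   lambda e, env: env.update(src=e.src, path=e.path), True)])

def cookie_stealing():
    tracked = set()  # cookies that already have an instance watching them
    def bind_owner(e, env):
        tracked.add(e.cookie)
        env.update(cookie=e.cookie, owner=e.src)
    return Scenario("cookie_stealing", "init", "stolen", [
        Transition("init", "cookie_seen",
                   lambda e, env: e.cookie and e.status == 200 and e.cookie not in tracked,
                   bind_owner, True),
        Transition("cookie_seen", "stolen",
                   lambda e, env: e.cookie == env["cookie"] and e.src != env["owner"],
                   lambda e, env: env.update(thief=e.src))])

class StatCore:
    """Feeds each event to every live instance; fires the response on final states."""
    def __init__(self, scenarios, response):
        self.scenarios, self.response = scenarios, response
        self.live = {s.name: [Instance(s.initial)] for s in scenarios}

    def feed(self, event):
        for sc in self.scenarios:
            survivors = []
            for inst in self.live[sc.name]:
                for t in sc.transitions:
                    if t.src == inst.state and t.guard(event, inst.env):
                        target = Instance(inst.state, inst.env) if t.nonconsuming else inst
                        target.state = t.dst
                        t.action(event, target.env)
                        if t.dst == sc.final:
                            self.response(sc.name, target.env)  # instance retires
                        elif t.nonconsuming:
                            survivors.append(target)
                        break
                if inst.state != sc.final:
                    survivors.append(inst)
            self.live[sc.name] = survivors

def detect(lines):
    """Run both scenarios over log lines; return (scenario, variables) alerts."""
    alerts = []
    core = StatCore([document_root_escape(), cookie_stealing()],
                    lambda name, env: alerts.append((name, env)))
    for ev in filter(None, map(parse_line, lines)):
        core.feed(ev)
    return alerts

# Constructed log lines for the demonstration; not from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2003:13:55:40 -0700] "GET /account HTTP/1.0" 200 512 "-" "Mozilla/4.0" "SESSIONID=abc123"',
    '192.168.7.9 - - [10/Oct/2003:13:56:01 -0700] "GET /cgi-bin/..%2f..%2f..%2f..%2fetc/passwd HTTP/1.0" 404 208 "-" "curl/7.10" "-"',
    '192.168.7.9 - - [10/Oct/2003:13:56:05 -0700] "GET /account HTTP/1.0" 200 512 "-" "curl/7.10" "SESSIONID=abc123"',
]
```

Calling detect(SAMPLE_LOG) yields one document_root_escape alert for the percent-encoded traversal request and one cookie_stealing alert whose variables bind the cookie, its first user and the address that replayed it. The same cookie reused by its owner raises nothing, because the instance parked in cookie_seen compares the source address; this per-instance binding of variables across events is what makes the approach stateful, and what a string or header signature alone cannot express.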

21
Performance Evaluation
  • Experiments on a host running
      • standalone Apache
      • Apache monitored by WebSTAT
  • WebSTAT incurs a small overhead in web server
    throughput
  • The overhead is acceptable given the detection
    capabilities WebSTAT provides
  • More sophisticated web server performance tuning
    would further reduce the overhead

22
Conclusion
  • Presented a classification of computer attacks
    and of intrusion detection systems
  • Described the STAT framework
  • Described WebSTAT, an IDS implemented on it
  • The performance evaluation shows that WebSTAT
    adds a small performance overhead to the web
    server
  • That overhead is acceptable considering the
    advanced detection capabilities

23
Reference
  • J.S. Sherif and T.G. Dearmond, "Intrusion
    Detection Systems and Models"
  • A. Sundaram, "An Introduction to Intrusion
    Detection"
  • M. Mahoney, "Computer Security: A Survey of
    Attacks and Defenses"
  • U. Lindqvist and E. Jonsson, "How to
    Systematically Classify Computer Security
    Intrusions"
  • G. Vigna, W. Robertson, V. Kher, and R.A.
    Kemmerer, "A Stateful Intrusion Detection System
    for World-Wide Web Servers"
  • "STAT Framework Reference Manual"
  • S.T. Eckmann, G. Vigna, and R.A. Kemmerer,
    "STATL: An Attack Language for State-based
    Intrusion Detection"
  • G. Vigna, S.T. Eckmann, and R.A. Kemmerer, "The
    STAT Tool Suite"
  • G. Vigna, R.A. Kemmerer, and P. Blix, "Designing
    a Web of Highly-Configurable Intrusion Detection
    Sensors"