Intruders and Viruses - PowerPoint PPT Presentation

Title: Intruders and Viruses
Description: Chapter 9 Intruders and Viruses
Slides: 71
Provided by: edum107

Transcript and Presenter's Notes

1
Chapter 9
  • Intruders and Viruses

2
Outline
  • Intruders
  • Intrusion Techniques
  • Password Protection
  • Password Selection Strategies
  • Intrusion Detection
  • Viruses and Related Threats
  • Malicious Programs
  • The Nature of Viruses
  • Antivirus Approaches
  • Advanced Antivirus Techniques
  • Recommended Reading and WEB Sites

3
Intruders
  • significant issue for networked systems is
    hostile or unwanted access
  • either via network or local
  • can identify classes of intruders
    • masquerader
    • misfeasor
    • clandestine user
  • varying levels of competence

4
Intruders
  • clearly a growing publicized problem
    • from the Wily Hacker in 1986/87
    • to clearly escalating CERT stats
  • may seem benign, but still cost resources
  • may use compromised system to launch other attacks

5
Intrusion Techniques
  • aim to increase privileges on system
  • basic attack methodology
    • target acquisition and information gathering
    • initial access
    • privilege escalation
    • covering tracks
  • key goal often is to acquire passwords
    • so then exercise access rights of owner

6
Intrusion Techniques
  • Systems maintain a file that associates a
    password with each authorized user.
  • The password file can be protected with
    • one-way encryption
    • access control

7
Intrusion Techniques
  • Techniques for guessing passwords
    • Try default passwords.
    • Try all short words, 1 to 3 characters long.
    • Try all the words in an electronic
      dictionary (60,000 words).
    • Collect information about the users' hobbies,
      family names, birthdays, etc.
    • Try users' phone numbers, social security
      numbers, street addresses, etc.
    • Try all license plate numbers (MUP103).
    • Use a Trojan horse.
    • Tap the line between a remote user and the host
      system.
  • Prevention: enforce good password selection
    (e.g., Ij4Gf4Sef)

8
Password Capture
  • another attack involves password capture
    • watching over shoulder as password is entered
    • using a trojan horse program to collect it
    • monitoring an insecure network login (e.g.
      telnet, FTP, web, email)
    • extracting recorded info after successful login
      (web history/cache, last number dialed, etc.)
  • using a valid login/password can impersonate user
  • users need to be educated to use suitable
    precautions/countermeasures

9
Password Selection Strategies
  • User education
  • Computer-generated passwords
  • Reactive password checking
  • Proactive password checking

10
Password Management
  • front-line defense against intruders
  • users supply both
    • login, which determines privileges of that user
    • password, to identify them
  • passwords often stored encrypted
    • Unix uses multiple DES (a variant with salt)
    • more recent systems use a crypto hash function
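The slide's two points, salting and a one-way function, as an added Python example (not code from the original slides). It uses PBKDF2-HMAC-SHA256 from the standard library as the slow one-way function and a random 16-byte salt per user; the password file, the work factor and the user names are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical in-memory "password file": login name -> (salt, iterations, digest).
# On a real system this lives on disk behind access control; the digest is the
# one-way-encrypted form the slides refer to, so the file never holds plaintext.
PasswordRecord = Tuple[bytes, int, bytes]

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def make_record(password: str, iterations: int = ITERATIONS,
                salt: Optional[bytes] = None) -> PasswordRecord:
    """Derive a salted, deliberately slow one-way digest for storage.

    The per-user random salt (the Unix idea on the slide) means two users with
    the same password get different digests, and a guesser cannot precompute
    one dictionary of digests that works against every entry in the file.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return (salt, iterations, digest)


def verify(password: str, record: PasswordRecord) -> bool:
    """Re-derive the digest from the candidate and compare in constant time."""
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def salt_decorrelates(password: str) -> bool:
    """True when the same password stored twice yields two different digests
    that each still verify: the property that defeats a precomputed dictionary."""
    a, b = make_record(password), make_record(password)
    return a[2] != b[2] and verify(password, a) and verify(password, b)


if __name__ == "__main__":
    password_file = {"alice": make_record("correct horse battery staple")}  # constructed sample
    print("alice, right password:", verify("correct horse battery staple", password_file["alice"]))
    print("alice, wrong password:", verify("password", password_file["alice"]))
    print("same password, different digests:", salt_decorrelates("hunter2"))
```

The record keeps its own iteration count so the work factor can be raised for new passwords without invalidating old entries; the constant-time comparison avoids leaking how many leading bytes of a guess matched.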

11
Managing Passwords
  • need policies and good user education
  • ensure every account has a default password
  • ensure users change the default passwords to
    something they can remember
  • protect password file from general access
  • set technical policies to enforce good passwords
    • minimum length (>6)
    • require a mix of upper and lower case letters,
      numbers, punctuation
    • block known dictionary words

12
Managing Passwords
  • may reactively run password guessing tools
    • note that good dictionaries exist for almost any
      language/interest group
  • may enforce periodic changing of passwords
  • have system monitor failed login attempts,
    lockout account if see too many in a short period
  • do need to educate users and get support
  • balance requirements with user acceptance
  • be aware of social engineering attacks

13
Proactive Password Checking
  • most promising approach to improving password
    security
  • allow users to select own password
  • but have system verify it is acceptable
    • simple rule enforcement (see previous slide)
    • compare against dictionary of bad passwords
    • use algorithmic approaches (Markov model or
      Bloom filter) to detect poor choices

14
The Stages of a Network Intrusion
  • 1. Scan the network to
    • locate which IP addresses are in use,
    • what operating system is in use,
    • what TCP or UDP ports are open (being
      listened to by servers).
  • 2. Run exploit scripts against open ports.
  • 3. Get access to a shell program which is suid
    (has root privileges).
  • 4. Download from a hacker web site special versions
    of system files that will let the cracker have free
    access in the future without his CPU time or disk
    storage space being noticed by auditing programs.
  • 5. Use IRC (Internet Relay Chat) to invite
    friends to the feast.

15
Intrusion Detection
  • The intruder can be identified and ejected from
    the system.
  • An effective intrusion detection system can help
    prevent intrusions.
  • Intrusion detection enables the collection of
    information about intrusion techniques that can
    be used to strengthen the intrusion prevention
    facility.

16
Intrusion Detection
  • inevitably will have security failures
  • so need also to detect intrusions so can
    • block if detected quickly
    • act as deterrent
    • collect info to improve security
  • assume intruder will behave differently to a
    legitimate user
  • but will have imperfect distinction between

17
Approaches to Intrusion Detection
  • statistical anomaly detection
    • threshold
    • profile based
  • rule-based detection
    • anomaly
    • penetration identification

18
Statistical Anomaly Detection
  • threshold detection
    • count occurrences of specific event over time
    • if exceed reasonable value assume intrusion
    • alone is a crude ineffective detector
  • profile based
    • characterize past behavior of users
    • detect significant deviations from this
    • profile usually multi-parameter
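The threshold detector above, applied to the "monitor failed login attempts, lock out the account if too many in a short period" policy from the Managing Passwords slide, as one added Python example that is not part of the original slides. The log lines are constructed in the style of an OpenSSH syslog record (invented users, hosts and addresses); the threshold of 5 failures within 1 minute and the year used to complete the timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample lines (not captured data).
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[1001]: Failed password for alice from 10.0.0.5 port 5100 ssh2
Mar 10 08:00:07 host sshd[1002]: Failed password for alice from 10.0.0.5 port 5101 ssh2
Mar 10 08:00:12 host sshd[1003]: Failed password for alice from 10.0.0.5 port 5102 ssh2
Mar 10 08:00:15 host sshd[1004]: Failed password for alice from 10.0.0.5 port 5103 ssh2
Mar 10 08:00:19 host sshd[1005]: Failed password for alice from 10.0.0.5 port 5104 ssh2
Mar 10 08:00:25 host sshd[1006]: Accepted password for alice from 10.0.0.5 port 5105 ssh2
Mar 10 09:30:00 host sshd[1101]: Failed password for bob from 10.0.0.9 port 6000 ssh2
Mar 10 12:15:00 host sshd[1102]: Failed password for bob from 10.0.0.9 port 6001 ssh2
Mar 10 15:40:00 host sshd[1103]: Accepted password for bob from 10.0.0.9 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

THRESHOLD = 5                  # assumed: this many failures ...
WINDOW = timedelta(minutes=1)  # ... inside this period is treated as an attack
ASSUMED_YEAR = 2024            # syslog timestamps carry no year


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Extract (timestamp, result, user, source) from one line, or None if it is not a login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def threshold_detect(log_text: str, threshold: int = THRESHOLD,
                     window: timedelta = WINDOW) -> List[Tuple[datetime, str, str, int]]:
    """Sliding-window threshold detector: count failed logins per (user, source)
    and raise one alert (locking the pair out) the moment the count inside the
    window reaches the threshold. Bob's two failures hours apart never qualify."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    locked = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result != "Failed":
            continue
        key = (user, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in locked:
            locked.add(key)
            alerts.append((ts, user, src, len(q)))
    return alerts


if __name__ == "__main__":
    for ts, user, src, n in threshold_detect(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} lockout {user} from {src}: {n} failures within {WINDOW}")
```

Counting per (user, source) rather than per user alone keeps one remote guesser from locking a legitimate user out of every location; as the slide notes, a bare threshold is crude, and the window and count need tuning against normal typo rates.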

19
Rule-Based Intrusion Detection
  • observe events on system, apply rules to decide
    if activity is suspicious or not
  • rule-based anomaly detection
    • analyze historical audit records to identify
      usage patterns and auto-generate rules for them
    • then observe current behavior and match against
      rules to see if it conforms
    • like statistical anomaly detection, does not
      require prior knowledge of security flaws

20
Rule-Based Intrusion Detection
  • rule-based penetration identification
    • uses expert systems technology
    • with rules identifying known penetration,
      weakness patterns, or suspicious behavior
    • rules usually machine and O/S specific
    • rules are generated by experts who interview and
      codify knowledge of security admins
    • quality depends on how well this is done
    • compare audit records or states against rules
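Rule-based penetration identification over a stream of audit records, as an added Python example that is not part of the original slides. Each rule codifies one "known penetration, weakness pattern, or suspicious behavior" from the slide; the audit record layout, the admin list, the file paths and the sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

AuditRecord = Dict[str, object]
Rule = Callable[[List[AuditRecord], AuditRecord], Optional[str]]

# Assumed site knowledge an expert would codify: who may touch what.
ADMINS = {"root", "sysadmin"}
PASSWORD_FILE = "/etc/shadow"      # assumed protected password file path
AUDIT_LOG = "/var/log/audit.log"   # assumed audit trail path


def rule_password_file_access(history: List[AuditRecord], rec: AuditRecord) -> Optional[str]:
    """Weakness pattern: an ordinary user touching the password file (even a denied attempt)."""
    if rec["object"] == PASSWORD_FILE and rec["action"] in {"read", "write"} \
            and rec["user"] not in ADMINS:
        return f"{rec['user']} attempted {rec['action']} on the password file"
    return None


def rule_success_after_failures(history: List[AuditRecord], rec: AuditRecord,
                                failures: int = 3, within: timedelta = timedelta(minutes=2)) -> Optional[str]:
    """Penetration pattern: a login succeeds right after a burst of failures on the same account."""
    if rec["action"] != "login" or rec["result"] != "success":
        return None
    recent = [h for h in history
              if h["user"] == rec["user"] and h["action"] == "login"
              and h["result"] == "failure" and rec["ts"] - h["ts"] <= within]
    if len(recent) >= failures:
        return f"{rec['user']} logged in after {len(recent)} recent failures"
    return None


def rule_audit_tampering(history: List[AuditRecord], rec: AuditRecord) -> Optional[str]:
    """Covering tracks: any write or delete against the audit trail itself."""
    if rec["object"] == AUDIT_LOG and rec["action"] in {"write", "delete"}:
        return f"{rec['user']} performed {rec['action']} on the audit log"
    return None


RULES: List[Rule] = [rule_password_file_access, rule_success_after_failures, rule_audit_tampering]


def run_rules(records: List[AuditRecord], rules: List[Rule] = RULES) -> List[Tuple[datetime, str, str]]:
    """Feed records through every rule in time order; return (timestamp, rule name, message)."""
    history: List[AuditRecord] = []
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        for rule in rules:
            msg = rule(history, rec)
            if msg:
                alerts.append((rec["ts"], rule.__name__, msg))
        history.append(rec)
    return alerts


def _t(hms: str) -> datetime:
    return datetime(2024, 3, 10, *map(int, hms.split(":")))


# Constructed audit records (invented users and events, not real data).
SAMPLE_RECORDS: List[AuditRecord] = [
    {"ts": _t("08:00:01"), "user": "alice", "action": "login", "object": "tty1", "result": "failure"},
    {"ts": _t("08:00:07"), "user": "alice", "action": "login", "object": "tty1", "result": "failure"},
    {"ts": _t("08:00:12"), "user": "alice", "action": "login", "object": "tty1", "result": "failure"},
    {"ts": _t("08:00:25"), "user": "alice", "action": "login", "object": "tty1", "result": "success"},
    {"ts": _t("08:01:00"), "user": "alice", "action": "read", "object": PASSWORD_FILE, "result": "denied"},
    {"ts": _t("08:02:00"), "user": "alice", "action": "delete", "object": AUDIT_LOG, "result": "success"},
    {"ts": _t("09:00:00"), "user": "bob", "action": "login", "object": "tty2", "result": "success"},
    {"ts": _t("09:05:00"), "user": "sysadmin", "action": "read", "object": PASSWORD_FILE, "result": "success"},
]

if __name__ == "__main__":
    for ts, name, msg in run_rules(SAMPLE_RECORDS):
        print(f"{ts:%H:%M:%S} [{name}] {msg}")
```

The sysadmin's read of the password file produces nothing because the rule encodes site policy, which is the point of the slide: the detector is only as good as the knowledge the experts codified into its rules.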

21
Base-Rate Fallacy
  • practically an intrusion detection system needs
    to detect a substantial percentage of intrusions
    with few false alarms
    • if too few intrusions detected -> false security
    • if too many false alarms -> ignored / waste time
  • this is very hard to do
  • existing systems seem not to have a good record
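A worked instance of the base-rate fallacy behind this slide, added here and not part of the original presentation. The detection rate, false-alarm rate and intrusion base rate are assumed values chosen for illustration; the argument is Bayes' rule applied to alarms.

```latex
\text{Let } I = \text{intrusion},\; A = \text{alarm raised}. \text{ The fraction of alarms that are real is}

P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)}

\text{Assume } P(I) = 10^{-4}\ \text{(one record in 10{,}000 is an intrusion)},\;
P(A \mid I) = 0.99,\; P(A \mid \neg I) = 0.01:

P(I \mid A) = \frac{0.99 \times 10^{-4}}{0.99 \times 10^{-4} + 0.01 \times 0.9999}
            = \frac{9.9 \times 10^{-5}}{1.0098 \times 10^{-2}} \approx 0.0098

\text{For } P(I \mid A) = 0.5 \text{ at the same base rate: } 
P(A \mid \neg I) = \frac{P(A \mid I)\,P(I)}{P(\neg I)} \approx 9.9 \times 10^{-5} \approx 10^{-4}
```

So a detector that catches 99% of intrusions and is wrong on only 1% of benign records still produces about 99 false alarms for every real one; to make even half the alarms real, the false-alarm rate must drop to roughly the base rate itself, which is why the slide calls this very hard to do.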

22
Audit Records
  • fundamental tool for intrusion detection
  • native audit records
    • part of all common multi-user O/S
    • already present for use
    • may not have info wanted in desired form
  • detection-specific audit records
    • created specifically to collect wanted info
    • at cost of additional overhead on system

23
Audit Record Analysis
  • foundation of statistical approaches
  • analyze records to get metrics over time
    • counter, gauge, interval timer, resource use
  • use various tests on these to determine if
    current behavior is acceptable
    • mean and standard deviation, multivariate,
      Markov process, time series, operational
  • key advantage is no prior knowledge used

24
Profiles of Behavior of Intruders and Authorized Users
25
Measures used for Intrusion Detection
  • Login frequency by day and time.
  • Frequency of login at different locations.
  • Time since last login.
  • Password failures at login.
  • Execution frequency.
  • Execution denials.
  • Read, write, create, delete frequency.
  • Failure count for read, write, create and delete.
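Profile-based anomaly detection using the mean and standard deviation test from the Audit Record Analysis slide over three of the measures listed here, as an added Python example that is not part of the original slides. The twenty-session history, the session under test and the three-standard-deviation cut-off are constructed assumptions.

```python
import statistics
from typing import Dict, List, Set, Tuple

# Constructed history of 20 past sessions for one user (not real audit data).
# Each measure matches one on the slide: login time (a gauge), password
# failures at login (a counter), delete frequency (a counter).
HISTORY: Dict[str, List[float]] = {
    "login_hour":        [8, 9, 9, 10, 8, 9, 9, 9, 10, 8, 9, 9, 8, 10, 9, 9, 8, 9, 10, 9],
    "password_failures": [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0],
    "files_deleted":     [2, 3, 1, 2, 2, 3, 2, 1, 2, 2, 3, 2, 2, 1, 2, 3, 2, 2, 2, 1],
}

Profile = Dict[str, Tuple[float, float]]  # measure -> (mean, standard deviation)


def build_profile(history: Dict[str, List[float]]) -> Profile:
    """Summarise each measure's past behaviour as mean and (population) standard deviation."""
    return {m: (statistics.mean(v), statistics.pstdev(v)) for m, v in history.items()}


def score_session(profile: Profile, session: Dict[str, float],
                  k: float = 3.0) -> Tuple[Dict[str, float], Set[str]]:
    """Mean-and-standard-deviation test: z-score each measure of a new session
    against the profile and flag those more than k standard deviations out.
    A measure with no historical variance is flagged on any change at all."""
    z: Dict[str, float] = {}
    flagged: Set[str] = set()
    for measure, value in session.items():
        mean, sd = profile[measure]
        if sd == 0:
            z[measure] = 0.0 if value == mean else float("inf")
        else:
            z[measure] = (value - mean) / sd
        if abs(z[measure]) > k:
            flagged.add(measure)
    return z, flagged


def update_profile(history: Dict[str, List[float]], session: Dict[str, float]) -> Profile:
    """Fold a session judged legitimate into a copy of the history so the profile
    follows gradual drift; sessions flagged as intrusions must not be folded in."""
    merged = {m: v + [session[m]] for m, v in history.items()}
    return build_profile(merged)


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    suspicious = {"login_hour": 3, "password_failures": 4, "files_deleted": 2}
    z, flagged = score_session(profile, suspicious)
    for m in suspicious:
        print(f"{m:18s} z={z[m]:7.2f} {'FLAG' if m in flagged else 'ok'}")
```

A 3 a.m. login with four password failures is flagged on two independent measures while the delete count looks normal; since the slides note that profiles are usually multi-parameter, a production detector would combine the per-measure scores rather than alert on any single one.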

26
Distributed Intrusion Detection
  • traditional focus is on single systems
  • but typically have networked systems
  • more effective defense has these working together
    to detect intrusions
  • issues
    • dealing with varying audit record formats
    • integrity and confidentiality of networked data
    • centralized or decentralized architecture

27
Distributed Intrusion Detection - Architecture
28
Distributed Intrusion Detection Agent Implementation
29
Intrusion Detection System (IDS) Introduction
30
History of IDS
31
Some Early IDS
32
Some Early IDS (Cont.)
33
Characteristics of IDS
34
Importance of IDS
35
Deployment of IDS
36
Types of IDS Network Based IDS
37
NIDS
38
NIDS Architecture Traditional Sensor-Based
39
NIDS Architecture Distributed Network-Node
40
Type of IDS Host Based IDS
41
HIDS
42
HIDS Architecture Centralized Host-Based
43
HIDS Architecture Distributed Real-time Host Based
44
HIDS vs NIDS
45
IDS Detection Methods
46
Types of Signature Network Signatures
47
Types of Signature Host based Signatures
48
Types of Signature Compound Signatures
49
Methods to Detect Signature
50
True/False-Negative/Positive
51
IDS Tool Snort
52
Intrusion Prevention System (IPS)
53
IDS vs IPS
54
IPS Tool McAfee
55
Honeypots
  • decoy systems to lure attackers
    • away from accessing critical systems
    • to collect information of their activities
    • to encourage attacker to stay on system so
      administrator can respond
  • are filled with fabricated information
  • instrumented to collect detailed information on
    attackers' activities
  • may be single or multiple networked systems

56
Viruses and Malicious Programs
  • Computer Viruses and related programs have the
    ability to replicate themselves on an ever
    increasing number of computers. They originally
    spread by people sharing floppy disks. Now they
    spread primarily over the Internet (a Worm).
  • Other Malicious Programs may be installed by
    hand on a single machine. They may also be built
    into widely distributed commercial software
    packages. These are very hard to detect before
    the payload activates (Trojan Horses, Trap Doors,
    and Logic Bombs).

57
Taxonomy of Malicious Programs
  • Malicious Programs
    • Need Host Program
      • Trapdoors
      • Logic Bombs
      • Trojan Horses
      • Viruses
    • Independent
      • Bacteria
      • Worms
58
Definitions
  • Virus - code that copies itself into other
    programs.
  • Bacteria - replicates until it fills all disk
    space, or CPU cycles.
  • Payload - harmful things the malicious program
    does, after it has had time to spread.
  • Worm - a program that replicates itself across
    the network (usually riding on email messages or
    attached documents, e.g., macro viruses).

59
Definitions
  • Trojan Horse - instructions in an otherwise good
    program that cause bad things to happen (sending
    your data or password to an attacker over the
    net).
  • Logic Bomb - malicious code that activates on an
    event (e.g., date).
  • Trap Door (or Back Door) - undocumented entry
    point written into code for debugging that can
    allow unwanted users.
  • Easter Egg - extraneous code that does something
    cool. A way for programmers to show that they
    control the product.

60
Virus Phases
  • Dormant phase - the virus is idle
  • Propagation phase - the virus places an identical
    copy of itself into other programs
  • Triggering phase - the virus is activated to
    perform the function for which it was intended
  • Execution phase - the function is performed

61
Virus Protection
  • Have a well-known virus protection program,
    configured to scan disks and downloads
    automatically for known viruses.
  • Do not execute programs (or "macros") from
    unknown sources (e.g., PS files, Hypercard
    files, MS Office documents).
  • Avoid the most common operating systems and
    email programs, if possible.
62
Virus Structure
63
A Compression Virus
64
Types of Viruses
  • Parasitic Virus - attaches itself to executable
    files as part of their code. Runs whenever the
    host program runs.
  • Memory-resident Virus - lodges in main memory as
    part of the resident operating system.
  • Boot Sector Virus - infects the boot sector of a
    disk, and spreads when the operating system boots
    up (original DOS viruses).
  • Stealth Virus - explicitly designed to hide from
    Virus Scanning programs.
  • Polymorphic Virus - mutates with every new host
    to prevent signature detection.

65
Macro Viruses
  • Microsoft Office applications allow macros to
    be part of the document. The macro could run
    whenever the document is opened, or when a
    certain command is selected (Save File).
  • Platform independent.
  • Infect documents, delete files, generate email
    and edit letters.

66
Antivirus Approaches
  • 1st generation, simple scanners: searched files
    for any of a library of known virus signatures.
    Checked executable files for length changes.
  • 2nd generation, heuristic scanners: look for
    more general signs than specific signatures (code
    segments common to many viruses). Check files
    for checksum or hash changes.
  • 3rd generation, activity traps: stay resident in
    memory and look for certain patterns of software
    behavior (e.g., scanning files).
  • 4th generation, full-featured: combine the best
    of the techniques above.

67
Advanced Antivirus Techniques
  • Generic Decryption (GD)
    • CPU emulator: a software-based virtual computer
      used to execute the executable file.
    • Virus signature scanner: module that scans the
      target code.
    • Emulation control module: controls the execution
      of the target code.
  • For how long should a GD scanner run each
    interpretation?

68
Advanced Antivirus Techniques
69
Network Antivirus Softwares
70
Recommended Reading and WEB Sites
  • Denning, P. Computers Under Attack: Intruders,
    Worms, and Viruses. Addison-Wesley, 1990
  • CERT Coordination Center (WEB Site)
  • AntiVirus Online (IBM's site)