SystemsSec 2018W Lecture 16
Intrusion detection is normally an underappreciated aspect of Internet Security. Alerts are sent when we don’t know or we're not confident what the network traffic is. Why Intrusion detection matters:
1) Firewalls are not as effective. 2) Firewalls have limitations.
Intrusion detection is not anti-malware. It is meant to detect intrusions, but it may involve malware.
Intrusion vs. malware
-ex. industrial espionage: We want access to a competitors system. OPTIONS: 1) Gain access by malware via email or link etc. 2) Password hack as alternative. 3) Call help desk and impersonate.
- In each example our goals have been satisfied but the means are different. - intrusion detection focuses on the goals of the attacker and to stop them. - The attacker can still gain access by intrusion without using malware.
Three main methods of Intrusion Detection
1) Signature based - pattern recognition. You have a blacklist of signatures of attacks, and if it matches a signature, a warning is issued. 2) Specification based - based on rules. A whitelist of normal system specifications. If something not on your list is detected, a warning is issued. 3) Anomaly Detection - Normal vs abnormal. You have some way of detecting "weird". Implies something adaptive.
Any of these 3 types of intrusion detection can be host based, network based, or hybrid (combination of host and network)
IDS In Linux
1) Snort - Signature Based Detection 2) Bro - Specification Based Detection
Each method has a cost which has to be weighed ie. cpu cycles, to many false alarms and etc.
Is based on code pattern and code expressions ie. worms and bytes associated the worm, regex and Bad packets
- Involves white list - We must know what signatures belong to the list there is no limit to bad signatures. - Only “known” attacks can be caught. - How do you match bad code with legit behaviours? - Easily evaded. Can hide code signature???
- Since we don't know for sure which signatures belong on the list. The network will generate lots of alarms, to lower false positives the detection rules may be adjusted which may compromise the system.
- Why not update to defend code signatures? May effect existing software.
We know how the systems behaviour and rules on how it operate. Involves blacklists
For Example: Assume three clients: A,B,C
Client A and B can communicate to each other: Client A <----> Client B Client A and C can communicate to each other: Client A <----> Client C
But Client B can not talk to C -If packets are rerouted throught Client B <------> Client C then we consider an attack took place. -Can detect forged packets, specify the behaviour of every application. -Each client needs a separate installation and is a different specification. -In order for Specification Intrusion Detection to work we need to understand what are the networks need and to specify the rules.
-Vary rare that one person understand the entire network and is able to write the rules for every client. -Borders on access control: Users will enable/disable permissions and will find methods to bypass access control.
Whats normal vs whats abnormal? ie. computer is suddenly not running is it a driver issue? or actually malware?. Its adaptive, statistical information how the system behaves and deviations, involves some training.
-Example someone wearing a fluorescent shirt? But is it dangerous? -We care only if its dangerous, a mix of dangerous and weird -We Must define whats weird and its connection to dangerous ie. a person walking in with a bazooka vs awkard guy wearing the fluorescent shirt.
History ( Anomaly Detection )
In the 1970's Ross Anderson and the US Airforce had a problem. They had computers with sensitive data and were worried spies may extract information. Access control existed but wasn't the best idea.
MOS was then implemented to allow some users privileges to view these files based on levels.
The level of clearance according to level:
Top secret secret unclassified
Problem: The document may become top secret if only one word needs to be kept secret. The rest of the document may not have to be classified but the one word whould make the document classified. Gets complicated!!!.
Didn't work since it the level of clearance can be bypassed the same way passwords can be bypassed.
That's why audits were invented.
Audit' An audit whould produce an audit trail of all the computer activities ie. log in,log out, what applications are being accessed and etc.
The idea was a security officer whould monitor and view the audit logs then investigate if suspicious activity was detected.The process was simmilar to a financial audit but the pattern recognition was based on computers.
Statistics based on a the audit trail whould be used to determine the users activities ie. how many times a user logged in.
The fundamental issue: 1) Creating a model of what a human is doing is difficult.
2) Auditing was created with the intention of a human doing the processing. 3) The computer does not have sufficient data to analyze.
Possible solutions: machine learning ?? neuronetworks?? Spy on your email ( foolish idea)!!!!
Why is it "foolish" 1) We must be able to model the real world 2) We can't learn everything based on the limited scope. 3) Assuming we really know someone?? Can we really perdict there behaviour? even surprises??
The computer can understand programs but not humans. It can detect weird program behaviour but not weird users and programs acting weird ie. backdoors and memory overflows.