SystemsSec 2018W Lecture 16: Difference between revisions
Latest revision as of 03:58, 25 March 2018
Intrusion Detection
Intrusion detection is normally an underappreciated aspect of Internet security. Alerts are sent when we don't know, or are not confident, what the network traffic is. Why intrusion detection matters:
                        1) Firewalls are not that effective.
                        2) Firewalls have limitations.
Intrusion detection is not anti-malware. It is meant to detect intrusions, but it may involve malware.
Intrusion vs. malware
               - ex. industrial espionage: we want access to a competitor's system.
                  OPTIONS:
                         1) Gain access by malware via email or link etc.
                         2) Password hack as alternative.
                         3) Call help desk and impersonate.
                - In each example our goals have been satisfied, but the means are different.
                - Intrusion detection focuses on the goals of the attacker and on stopping them.
                - The attacker can still gain access by intrusion without using malware.
Three main methods of Intrusion Detection
                         1) Signature based - pattern recognition. You have a blacklist of signatures of attacks, and if it matches a signature, a warning is issued.
                         2) Specification based - based on rules. A whitelist of normal system specifications. If something not on your list is detected, a warning is issued.
                         3) Anomaly Detection - Normal vs abnormal. You have some way of detecting "weird". Implies something adaptive.
Any of these 3 types of intrusion detection can be host based, network based, or hybrid (a combination of host and network).
IDS In Linux
                         1) Snort - Signature Based Detection
                         2) Bro - Specification Based Detection   
Each method has a cost that has to be weighed, i.e. CPU cycles, too many false alarms, etc.
Signature Based
Based on code patterns and code expressions, i.e. worms and the bytes associated with the worm, regexes and bad packets.
                      - Involves a list of known-bad signatures (a blacklist, as defined above).
                      - We must know which signatures belong on the list; there is no limit to the number of bad signatures.
                      - Only "known" attacks can be caught.
                      - How do you tell bad code apart from legitimate behaviour?
                      - Easily evaded: the code signature can be hidden.
                      - Since we don't know for sure which signatures belong on the list, the network will generate lots of alarms; to lower the false positives the detection rules may be loosened, which may compromise the system.
                      - Why not update the software to defend against the signatures? An update may affect existing software.
Specification based
We know how the system behaves and the rules by which it operates. Involves a whitelist (as defined above) of allowed behaviour.
  For example: assume three clients, A, B and C.
  Client A and B can communicate with each other:  Client A <----> Client B
  Client A and C can communicate with each other:  Client A <----> Client C
  But Client B cannot talk to C.
  - If packets are rerouted through Client B <------> Client C, then we consider that an attack took place.
  - Can detect forged packets; specify the behaviour of every application.
  - Each client needs a separate installation and is a different specification.
  - For specification-based intrusion detection to work we need to understand what the network needs and specify the rules.
  - It is very rare that one person understands the entire network and is able to write the rules for every client.
  - Borders on access control: users will enable/disable permissions and will find methods to bypass access control.
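The two list-driven methods side by side, as an added example that is not part of the lecture notes: a signature-based check (blacklist of constructed byte patterns, not real worm signatures) and a specification-based check that encodes the A/B/C whitelist above, run over constructed packets. Each detector catches exactly one of the two bad packets, which is the point made in the notes about what each method can and cannot see.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes

# Signature based: a blacklist of known-bad byte patterns.
# Both patterns are constructed for this example, not real worm signatures.
SIGNATURES = {
    "worm-marker": re.compile(rb"WORM_MARKER_[0-9]+"),
    "bad-probe": re.compile(rb"PROBE\x00\x00"),
}

# Specification based: a whitelist of which clients may talk to each other,
# mirroring the lecture's example (A<->B and A<->C allowed, B<->C not).
ALLOWED_PAIRS = {frozenset({"A", "B"}), frozenset({"A", "C"})}

def signature_alerts(packets):
    """Return (packet index, signature name) for every blacklist match."""
    alerts = []
    for i, pkt in enumerate(packets):
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt.payload):
                alerts.append((i, name))
    return alerts

def specification_alerts(packets):
    """Return (packet index, 'src<->dst') for every packet off the whitelist."""
    alerts = []
    for i, pkt in enumerate(packets):
        if frozenset({pkt.src, pkt.dst}) not in ALLOWED_PAIRS:
            alerts.append((i, f"{pkt.src}<->{pkt.dst}"))
    return alerts

# Constructed traffic: a known-bad payload on an allowed path, and a harmless
# payload on the forbidden B<->C path. Each detector catches only one of them.
SAMPLE = [
    Packet("A", "B", b"GET /index.html"),
    Packet("A", "B", b"WORM_MARKER_42 spread"),  # signature hit, spec ok
    Packet("B", "C", b"hello C"),                # spec violation, unknown payload
    Packet("C", "A", b"ack"),
]

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(SAMPLE))
    print("specification alerts:", specification_alerts(SAMPLE))
```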
Anomaly Detection
What's normal vs. what's abnormal? e.g. the computer suddenly stops running: is it a driver issue, or actually malware? It's adaptive: statistical information about how the system behaves and deviations from that; involves some training.
                     - Example: someone wearing a fluorescent shirt. Weird, but is it dangerous?
                     - We care only if it's dangerous; a mix of dangerous and weird.
                     - We must define what's weird and its connection to dangerous, i.e. a person walking in with a bazooka vs. an awkward guy wearing the fluorescent shirt.
History (Anomaly Detection)
In the 1970s Ross Anderson and the US Air Force had a problem. They had computers with sensitive data and were worried spies might extract information. Access control existed but wasn't the best idea.
MOS was then implemented to allow some users privileges to view these files based on levels.
The level of clearance according to level:
        Top secret
        secret   
        unclassified
Problem: the document may become top secret if only one word needs to be kept secret. The rest of the document may not have to be classified, but the one word would make the whole document classified. Gets complicated!
Didn't work, since the level of clearance can be bypassed the same way passwords can be bypassed.
That's why audits were invented.
Audit
An audit would produce an audit trail of all the computer activities, i.e. log in, log out, what applications are being accessed, etc.
The idea was that a security officer would monitor and view the audit logs, then investigate if suspicious activity was detected. The process was similar to a financial audit, but the pattern recognition was based on computers.
Statistics based on the audit trail would be used to determine the users' activities, i.e. how many times a user logged in.
The fundamental issues: 1) Creating a model of what a human is doing is difficult.
                        2) Auditing was created with the intention of a human doing the processing.
                        3) The computer does not have sufficient data to analyze.
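The audit-trail statistics described above, as an added example that is not from the lecture: a small anomaly detector that trains a per-user baseline of daily login counts from constructed audit lines and flags a day that deviates by more than a chosen number of standard deviations. The trail format, the minimum number of training days and the z-score threshold are all assumptions of this example; the user with too little history gets "insufficient data" rather than a verdict, which is issue 3 above in code.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
MIN_TRAINING_DAYS = 3  # fewer observed days than this = "insufficient data" (assumption)
Z_THRESHOLD = 3.0      # deviation, in standard deviations, that counts as weird (assumption)

def make_trail(logins_per_day):
    """Build constructed audit-trail lines 'dayN user login' from per-day counts."""
    lines = []
    for user, per_day in logins_per_day.items():
        for day, n in enumerate(per_day, start=1):
            lines.extend([f"day{day} {user} login"] * n)
    return lines

def login_counts(trail):
    """Parse trail lines into {user: Counter({day: logins})}."""
    counts = defaultdict(Counter)
    for line in trail:
        day, user, event = line.split()
        if event == "login":
            counts[user][day] += 1
    return counts

def train(counts, training_days):
    """Per-user baseline (mean, stdev) of daily logins; None if too little data."""
    model = {}
    for user, per_day in counts.items():
        if sum(d in per_day for d in training_days) < MIN_TRAINING_DAYS:
            model[user] = None
            continue
        obs = [per_day.get(d, 0) for d in training_days]
        model[user] = (mean(obs), max(pstdev(obs), 1.0))  # floor stdev: avoid /0
    return model

def detect(model, counts, day):
    """Label each user's activity on `day`: normal, anomaly or insufficient data."""
    verdicts = {}
    for user, per_day in counts.items():
        if model.get(user) is None:
            verdicts[user] = "insufficient data"
            continue
        mu, sigma = model[user]
        z = (per_day.get(day, 0) - mu) / sigma
        verdicts[user] = "anomaly" if abs(z) > Z_THRESHOLD else "normal"
    return verdicts

# Constructed data: alice 2-3 logins/day then 12 on day 4; bob steady; carol seen once in training.
TRAIL = make_trail({"alice": [2, 3, 2, 12], "bob": [1, 1, 1, 1], "carol": [1, 0, 0, 3]})
COUNTS = login_counts(TRAIL)
MODEL = train(COUNTS, ["day1", "day2", "day3"])
```

Calling `detect(MODEL, COUNTS, "day4")` labels alice an anomaly, bob normal and carol "insufficient data".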
Possible solutions: machine learning? Neural networks? Spy on your email (foolish idea)!
                   Why is it "foolish"? 1) We must be able to model the real world.
                                        2) We can't learn everything based on the limited scope.
                                        3) Assuming we really know someone, can we really predict their behaviour? Even surprises?
The computer can understand programs but not humans. It can detect weird program behaviour (programs acting weird, i.e. backdoors and memory overflows) but not weird users.