SystemsSec 2018W Lecture 16
==Audio==
[https://homeostasis.scs.carleton.ca/~soma/systemssec-2018w/lectures/comp4108-2018w-lec16-12Mar2018.m4a Lecture 16 Audio]
==Notes==
'''Intrusion Detection'''
- Intrusion detection is normally an underappreciated aspect of Internet security.
- Intrusion detection: alerts are sent when we don't know, or are not confident, what the network traffic is.
- Why intrusion detection matters:
1) Firewalls are not as effective.
2) Firewalls have limitations.
- Intrusion detection is not anti-malware.
- Intrusion detection is meant to detect intrusions, but it may involve malware.
- Intrusion vs. malware
-> e.g. industrial espionage: we want access to a competitor's system.
OPTIONS:
1) Gain access by malware via email or a link, etc.
2) Password hack as an alternative.
3) Call the help desk and impersonate someone.
-> In each example our goals have been satisfied, but the means are different.
-> Intrusion detection focuses on the goals of the attacker and on stopping them.
-> For option 3 the attacker was able to gain access by intrusion, not malware.
== '''Three main methods of Intrusion Detection''' ==
'''1) Signature based:''' Takes place with the host.
'''2) Specification based:''' Takes place at the network.
'''3) Anomaly detection:''' Hybrid (combination of the host and the network).
'''IDS in Linux'''
1) Snort - signature based detection
2) Bro - specification based detection
Each method has a cost which has to be weighed, i.e. CPU cycles, too many false alarms, etc.
'''Signature Based:''' Is based on code patterns and code expressions, i.e. worms and the bytes associated with the worm, regexes and bad packets.
Involves a white list.
We must know what signatures belong on the blacklists; there is no limit to bad signatures.
Only "known" attacks can be caught.
How do you match bad code against legitimate behaviours?
Easily evaded: can the code signature be hidden?
Since we don't know for sure which signatures belong on the blacklist, the network will generate lots of alarms; to lower false positives the detection rules may be adjusted, which may compromise the system.
Why not update to defend code signatures? It may affect existing software.
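As an added illustration of the signature-based approach (example code written for these notes, not part of the lecture and not Snort's own rules): a small matcher runs a constructed list of signatures over constructed packet payloads and then compares its alerts with ground-truth labels. It makes the limitations above concrete: only the patterns on the list are caught, a benign payload that happens to contain a pattern raises a false alarm, and a payload carrying a marker that is not on the list goes unnoticed. The signatures, payloads and labels are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative signatures (not real Snort rules or real worm bytes):
# a fixed byte marker, a crude "long filler run" pattern, and a regex.
SIGNATURES = [
    ("example-worm-marker", re.compile(rb"EXAMPLE_WORM_MARKER")),
    ("long-filler-run", re.compile(rb"A{200,}")),
    ("sqli-union-select", re.compile(rb"(?i)union[\s+]+select")),
]


@dataclass(frozen=True)
class Alert:
    packet_id: int
    signature: str


def scan(packets):
    """Match every payload against every signature; one Alert per hit.

    packets: iterable of (packet_id, payload_bytes).
    """
    return [Alert(pid, name)
            for pid, payload in packets
            for name, pat in SIGNATURES
            if pat.search(payload)]


def evaluate(alerts, is_malicious):
    """Compare alerts with ground truth (pid -> True if the packet is an attack)."""
    alerted = {a.packet_id for a in alerts}
    tp = sum(1 for pid, bad in is_malicious.items() if bad and pid in alerted)
    fp = sum(1 for pid, bad in is_malicious.items() if not bad and pid in alerted)
    fn = sum(1 for pid, bad in is_malicious.items() if bad and pid not in alerted)
    return {"true_positives": tp, "false_positives": fp, "missed": fn}


# Constructed sample traffic with ground-truth labels (part of the example).
SAMPLE_PACKETS = [
    (1, b"GET /index.html HTTP/1.1"),                               # benign
    (2, b"POST /upload HTTP/1.1\r\n\r\nEXAMPLE_WORM_MARKER\x90\x90"),  # known attack
    (3, b"PUT /blob HTTP/1.1\r\n\r\n" + b"A" * 300),                 # benign padding
    (4, b"GET /search?q=1+UNION+SELECT+password+FROM+users"),       # known attack
    (5, b"GET /docs?q=the+union+select+committee+minutes"),         # benign text
    (6, b"POST /upload HTTP/1.1\r\n\r\nNOVEL_MARKER_NOT_IN_LIST"),    # unknown attack
]
SAMPLE_LABELS = {1: False, 2: True, 3: False, 4: True, 5: False, 6: True}


def demo():
    """Run the matcher on the sample traffic and score it against the labels."""
    alerts = scan(SAMPLE_PACKETS)
    return alerts, evaluate(alerts, SAMPLE_LABELS)


if __name__ == "__main__":
    found, metrics = demo()
    for a in found:
        print(a)
    print(metrics)
```

Packets 3 and 5 are the "legitimate behaviour that looks like bad code" problem: tightening the `long-filler-run` or `union select` rules to silence them is exactly the rule adjustment the notes warn about, and packet 6 is the attack no amount of tuning will surface until its marker is added to the list.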
'''Specification based:''' We know how the system behaves and the rules on how it operates, i.e.:
Involves blacklists.
For example:
Assume three clients: A, B, C.
Client A and B can communicate with each other: Client A <----> Client B
Client A and C can communicate with each other: Client A <----> Client C
But Client B can not talk to C.
- If packets are rerouted through Client B <------> Client C then we consider that an attack took place.
- Can detect forged packets; specify the behaviour of every application.
- Each client needs a separate installation and is a different specification. In order for specification-based intrusion detection to work we need to understand what your network needs and specify the rules.
- Very rare that one person understands the entire network and is able to write the rules for every client.
- We are not confident with the network traffic and want to set an alarm.
- Borders on access control: users will enable/disable permissions and will find methods to bypass access control.
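The three-client example above, turned into code (an added example, not from the lecture): the specification lists which host pairs may communicate, every observed flow is checked against it, and anything outside the specification is reported. It also shows the "forged packets" point: a packet whose claimed source does not match the port it was seen leaving is flagged before the pair is even consulted. The `egress` field (which host's port a sensor saw the packet leave), the host names and the flow log are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source host the packet claims to come from
    dst: str     # destination host
    egress: str  # host whose network port the sensor saw the packet leave (assumed)


class CommunicationSpec:
    """Who may talk to whom. Pairs are symmetric; anything not listed is forbidden."""

    def __init__(self, hosts, allowed_pairs):
        self.hosts = set(hosts)
        self.allowed = {frozenset(pair) for pair in allowed_pairs}

    def permits(self, a, b):
        return frozenset((a, b)) in self.allowed

    def check(self, flows):
        """Return (flow, reason) for every flow that violates the specification."""
        findings = []
        for f in flows:
            if f.src != f.egress:
                # The packet says it is from f.src but physically left another host.
                findings.append((f, "forged source"))
            elif f.src not in self.hosts or f.dst not in self.hosts:
                findings.append((f, "unknown host"))
            elif not self.permits(f.src, f.dst):
                findings.append((f, "pair not in specification"))
        return findings


# The lecture's specification: A<->B and A<->C are allowed, B<->C is not.
SPEC = CommunicationSpec(hosts=["A", "B", "C"],
                         allowed_pairs=[("A", "B"), ("A", "C")])

# Constructed flow log: what a sensor on each client's port would record.
SAMPLE_FLOWS = [
    Flow("A", "B", egress="A"),
    Flow("B", "A", egress="B"),
    Flow("A", "C", egress="A"),
    Flow("C", "A", egress="C"),
    Flow("B", "C", egress="B"),   # B talking to C: not in the specification
    Flow("A", "C", egress="B"),   # claims to be from A but left B's port: forged
    Flow("D", "A", egress="D"),   # D is not one of the specified clients
]


def demo():
    return SPEC.check(SAMPLE_FLOWS)


if __name__ == "__main__":
    for flow, reason in demo():
        print(f"ALARM {flow.src}->{flow.dst} (seen leaving {flow.egress}): {reason}")
```

Note how little the detector has to know about attacks: it never looks at payloads, only at whether the observed behaviour is inside the written specification. The cost is the one the notes describe, since `SPEC` has to be written and kept correct for every client on the network, and a flow the author forgot to list is an alarm, not an attack.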
'''Anomaly Detection:''' What's normal vs. what's abnormal, i.e. the computer is suddenly not running: is it a driver issue, or actually malware?
Adaptive; statistical information on how the system behaves and deviations from it; training.
Example: someone wearing a fluorescent shirt? But is it dangerous?
We care only if it's dangerous; a mix of dangerous and weird.
We must define what's weird and its connection to dangerous, i.e. a person walking in with a bazooka vs. an awkward guy wearing the fluorescent shirt.
'''History'''
In the 1970s Ross Anderson and the US Air Force had a problem. They had computers with sensitive data and were worried spies might extract information. Access control existed but wasn't the best idea.
MOS was then implemented to allow some users privileges to view these files based on levels.
The level of clearance, by level:
Top secret
Secret
Unclassified
Problem: the document may become top secret if only one word needs to be kept secret. The rest of the document may not have to be classified, but the one word would make the whole document classified. Gets complicated!
Didn't work, since the level of clearance can be bypassed the same way passwords can be bypassed.
That's why audits were invented.
'''Audit'''
An audit would produce an audit trail of all the computer activities, i.e. log in, log out, what applications are being accessed, etc.
The idea was that a security officer would monitor and view the audit logs, then investigate if suspicious activity was detected. The process was similar to a financial audit, but the pattern recognition was based on computers.
Statistics based on the audit trail would be used to determine the users' activities, i.e. how many times a user logged in.
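An added example (not from the lecture notes) that ties the anomaly-detection idea from the earlier section to the audit-trail statistics described here: it parses a constructed audit trail, builds a per-user baseline of daily login counts from a training period, and then flags later days whose count deviates from that baseline by more than a threshold. The log format, user names, dates, the training window and the threshold are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed audit-trail excerpt, one event per line: "<date> <time> <event> <user>".
AUDIT_LOG = """\
2018-03-05 09:01 LOGIN alice
2018-03-05 09:03 LOGIN bob
2018-03-05 13:10 LOGIN alice
2018-03-05 17:31 LOGOUT alice
2018-03-06 08:55 LOGIN alice
2018-03-06 09:10 LOGIN bob
2018-03-06 12:40 LOGIN alice
2018-03-06 14:05 LOGIN alice
2018-03-07 09:00 LOGIN alice
2018-03-07 09:02 LOGIN bob
2018-03-07 13:30 LOGIN alice
2018-03-12 02:11 LOGIN alice
2018-03-12 02:14 LOGIN alice
2018-03-12 02:20 LOGIN alice
2018-03-12 02:31 LOGIN alice
2018-03-12 02:45 LOGIN alice
2018-03-12 03:02 LOGIN alice
2018-03-12 03:15 LOGIN alice
2018-03-12 03:40 LOGIN alice
2018-03-12 04:01 LOGIN alice
2018-03-12 09:00 LOGIN bob
2018-03-12 15:20 LOGIN bob
"""

TRAINING_DAYS = {"2018-03-05", "2018-03-06", "2018-03-07"}  # assumed "known good" period
MIN_STD = 1.0    # floor on the baseline spread so a perfectly regular user still gets a sane scale
THRESHOLD = 3.0  # alarm when a day's count is more than this many std devs above the baseline


def parse_login_counts(log_text):
    """Count LOGIN events per (user, day); other events and malformed lines are ignored."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, _time, event, user = parts
        if event == "LOGIN":
            counts[(user, day)] += 1
    return dict(counts)


def train_baseline(counts, training_days):
    """Per-user (mean, std) of logins per training day; a day with no logins counts as zero."""
    users = {user for (user, _day) in counts}
    baseline = {}
    for user in users:
        xs = [counts.get((user, d), 0) for d in sorted(training_days)]
        mean = sum(xs) / len(xs)
        std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        baseline[user] = (mean, max(std, MIN_STD))
    return baseline


def score_days(counts, baseline, training_days):
    """z-score (deviation from baseline in std devs) for every (user, day) outside training."""
    scores = {}
    for (user, day), n in counts.items():
        if day in training_days:
            continue
        mean, std = baseline[user]
        scores[(user, day)] = round((n - mean) / std, 2)
    return scores


def alarms(scores, threshold=THRESHOLD):
    """Only deviations beyond the threshold are considered worth a security officer's time."""
    return {key: z for key, z in scores.items() if z > threshold}


def demo():
    counts = parse_login_counts(AUDIT_LOG)
    baseline = train_baseline(counts, TRAINING_DAYS)
    scores = score_days(counts, baseline, TRAINING_DAYS)
    return scores, alarms(scores)


if __name__ == "__main__":
    all_scores, flagged = demo()
    print("scores:", all_scores)
    print("alarms:", flagged)
```

On this log bob doubling his usual one login a day is "weird" but scores well under the threshold, while alice's nine logins in the small hours score far above it and produce the only alarm. Where to put the threshold, and how much spread to assume for a very regular user (`MIN_STD`), is exactly the weird-versus-dangerous judgement the notes describe: lower either value and the detector starts flagging the fluorescent shirts too.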
The fundamental issue:
1) Creating a model of what a human is doing is difficult.
2) Auditing was created with the intention of a human doing the processing.
3) The computer does not have sufficient data to analyze.
Possible solutions: machine learning?? Neural networks?? Spy on your email (all dumb ideas)!!!!
Why is it dumb?
1) We must be able to model the real world.
2) We can't learn everything based on the limited scope.
3) Assuming we really know someone?? Can we really predict their behaviour? Even surprises??
The computer can understand programs but not humans. It can detect weird program behaviour but not weird users; programs acting weird, i.e. backdoors and memory overflows.
Revision as of 20:06, 12 March 2018