Difference between revisions of "SystemsSec 2018W Lecture 16"

From Soma-notes
Revision as of 16:40, 12 March 2018

Audio

Lecture 16 Audio

Intrusion Detection

Intrusion detection is normally an underappreciated aspect of Internet security. Alerts are raised when we don't know, or are not confident about, what the network traffic is. Why intrusion detection matters:

                        1) Firewalls are not as effective.
                        2) Firewalls have limitations.

Intrusion detection is not anti-malware. It is meant to detect intrusions, but it may involve malware.

Intrusion vs. malware

               - ex. industrial espionage: we want access to a competitor's system.
                  OPTIONS:
                         1) Gain access by malware via email or link etc.
                         2) Password hack as an alternative.
                         3) Call the help desk and impersonate someone.
                - In each example our goal has been satisfied but the means are different.
                - Intrusion detection focuses on the goals of the attacker and on stopping them.
                - For option 3 the attacker was able to gain access by intrusion, not malware.


Three main methods of Intrusion Detection

                         1) Signature based - takes place on the host.
                         2) Specification based - takes place at the network.
                         3) Anomaly detection - hybrid (combination of the host and the network).


IDS in Linux

                         1) Snort - signature based detection
                         2) Bro - specification based detection


Each method has a cost which has to be weighed, i.e. CPU cycles, too many false alarms, etc.

Signature Based

Based on code patterns and expressions, i.e. worms and the bytes associated with the worm, regexes, and bad packets.

                      - Involves a white list.
                      - We must know which signatures belong on the blacklist; there is no limit to the number of bad signatures.
                      - Only "known" attacks can be caught.
                      - How do you tell bad code apart from legitimate behaviour?
                      - Easily evaded. Can the code signature be hidden?
                      - Since we don't know for sure which signatures belong on the list, the network will generate lots of alarms. To lower false positives the detection rules may be adjusted, which may compromise the system.
                      - Why not update the software to defend against code signatures? It may affect existing software.
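The points above (only known attacks are caught, and loosening or tightening rules trades missed attacks against false alarms) can be seen in a small signature matcher. This is an added example and not code from the lecture or from Snort; the signatures and the HTTP request lines it scans are constructed for illustration and are not real Snort rules.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern  # byte pattern searched for in the raw payload


# Constructed signatures (hypothetical, not real Snort rules).
# The "loose" set fires on any payload containing the suspicious substring.
LOOSE_RULES = [
    Signature("cmd-shell-probe", re.compile(rb"cmd\.exe")),
    Signature("path-traversal", re.compile(rb"\.\./")),
]

# The "tight" set requires more of the attack context around those bytes;
# this is the kind of rule adjustment the notes describe for cutting false alarms.
TIGHT_RULES = [
    Signature("cmd-shell-probe", re.compile(rb"GET /[^ ]*cmd\.exe\?/c\+")),
    Signature("path-traversal", re.compile(rb"(?:\.\./){2,}")),
]

# Constructed HTTP request lines standing in for captured packet payloads.
# Labels (attack-*/benign-*) are the ground truth used by tally().
SAMPLES = {
    "attack-probe":     b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n",
    "attack-traversal": b"GET /../../../etc/passwd HTTP/1.0\r\n",
    "attack-unknown":   b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n",  # no rule covers it
    "benign-doc":       b"GET /docs/why-cmd.exe-is-blocked.html HTTP/1.0\r\n",
    "benign-relative":  b"GET /app/../static/logo.png HTTP/1.0\r\n",
}


def match_signatures(payload: bytes, rules) -> list:
    """Names of every signature whose pattern occurs somewhere in the payload."""
    return [sig.name for sig in rules if sig.pattern.search(payload)]


def run(rules, samples=SAMPLES) -> dict:
    """Alert map: sample name -> list of signature names that fired."""
    return {name: match_signatures(payload, rules) for name, payload in samples.items()}


def tally(alerts: dict) -> dict:
    """Count hits, misses and false alarms against the sample labels."""
    tp = sum(1 for n, a in alerts.items() if n.startswith("attack") and a)
    fn = sum(1 for n, a in alerts.items() if n.startswith("attack") and not a)
    fp = sum(1 for n, a in alerts.items() if n.startswith("benign") and a)
    return {"true_positive": tp, "missed": fn, "false_positive": fp}


if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        alerts = run(rules)
        print(label, tally(alerts))
        for name, fired in alerts.items():
            print(f"  {name:18s} -> {fired or 'no alert'}")
```

The loose rules catch both known attacks but also fire on two benign requests (a documentation URL that mentions `cmd.exe`, and a single `../` in an ordinary path); the tight rules remove both false alarms. Neither set says anything about `attack-unknown`, because no signature was written for it, which is the "only known attacks can be caught" limitation.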


Specification based

We know how the system behaves and the rules on how it operates. Involves blacklists.

  For example, assume three clients: A, B, C
  Client A and B can communicate with each other:  Client A <----> Client B
  Client A and C can communicate with each other:  Client A <----> Client C
  But client B can not talk to C

  - If packets are rerouted through Client B <------> Client C then we consider that an attack took place.
  - Can detect forged packets; specify the behaviour of every application.
  - Each client needs a separate installation and is a different specification. For specification-based intrusion detection to work we need to understand what your network needs and specify the rules.

  - Very rare that one person understands the entire network and is able to write the rules for every client.
  - We are not confident about the network traffic and want to set an alarm.
  - Borders on access control: users will enable/disable permissions and will find methods to bypass access control.
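The three-client example above, as an added illustration that is not part of the lecture notes: the specification is written down as the set of client pairs allowed to talk, and every observed flow is checked against it. The flow-log format (`src=... dst=... proto=... dport=...`) and the hosts are constructed for the example.

```python
import re
from collections import namedtuple

Flow = namedtuple("Flow", "time src dst proto dport")

# Constructed specification: which clients may communicate.
# A frozenset makes each entry bidirectional (Client A <----> Client B).
# Anything not listed is a violation, so the spec behaves as a default-deny list.
ALLOWED_PAIRS = {
    frozenset({"A", "B"}),
    frozenset({"A", "C"}),
}

# Constructed flow-log lines in a hypothetical key=value format.
FLOW_LOG = """\
2018-03-12T16:40:01 src=A dst=B proto=tcp dport=445
2018-03-12T16:40:02 src=C dst=A proto=tcp dport=22
2018-03-12T16:40:03 src=B dst=C proto=tcp dport=445
2018-03-12T16:40:04 src=A dst=C proto=udp dport=53
2018-03-12T16:40:05 src=D dst=A proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_flow(line: str) -> Flow:
    """Turn one flow-log line into a Flow record; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    return Flow(m["time"], m["src"], m["dst"], m["proto"], int(m["dport"]))


def flow_permitted(flow: Flow, allowed=ALLOWED_PAIRS) -> bool:
    """True when the (src, dst) pair appears in the specification, in either direction."""
    return frozenset({flow.src, flow.dst}) in allowed


def check_flows(lines, allowed=ALLOWED_PAIRS) -> list:
    """Return (flow, reason) for every flow the specification does not permit."""
    known_hosts = {host for pair in allowed for host in pair}
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow_permitted(flow, allowed):
            continue
        if flow.src not in known_hosts or flow.dst not in known_hosts:
            reason = "host not in specification"
        else:
            reason = "pair not allowed to communicate"
        violations.append((flow, reason))
    return violations


if __name__ == "__main__":
    for flow, reason in check_flows(FLOW_LOG.splitlines()):
        print(f"ALERT {flow.time} {flow.src}->{flow.dst}:{flow.dport} ({reason})")
```

The B -> C flow is flagged as the attack the notes describe, and a flow from an unlisted host D is flagged too, since the specification never mentioned it. Note the maintenance cost the notes point at: the moment a fourth client is added, or B legitimately needs to reach C, somebody who understands the whole network has to edit `ALLOWED_PAIRS`, and a pair-level spec still says nothing about which applications (ports) each pair may use.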


Anomaly Detection

What's normal vs. what's abnormal? i.e. the computer is suddenly not running: is it a driver issue, or actually malware? It is adaptive: statistical information about how the system behaves and the deviations from it; involves some training.

                     - Example: someone wearing a fluorescent shirt? But is it dangerous?
                     - We care only if it's dangerous; a mix of dangerous and weird.
                     - We must define what's weird and its connection to dangerous, i.e. a person walking in with a bazooka vs. an awkward guy wearing the fluorescent shirt.


History ( Anomaly Detection )

In the 1970's Ross Anderson and the US Air Force had a problem. They had computers with sensitive data and were worried spies might extract information. Access control existed but wasn't the best idea.

MOS was then implemented to allow some users privileges to view these files based on levels.

The level of clearance according to level:

        Top secret
        secret
        unclassified

Problem: the document may become top secret if only one word needs to be kept secret. The rest of the document may not have to be classified, but the one word would make the whole document classified. Gets complicated!!!

Didn't work, since the level of clearance can be bypassed the same way passwords can be bypassed.

That's why audits were invented.

Audit: an audit would produce an audit trail of all the computer activities, i.e. log in, log out, what applications are being accessed, etc.

The idea was that a security officer would monitor and view the audit logs, then investigate if suspicious activity was detected. The process was similar to a financial audit, but the pattern recognition was based on computers.

Statistics based on the audit trail would be used to determine the users' activities, i.e. how many times a user logged in.
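The audit-trail statistics just described, and the training-then-deviation idea from the Anomaly Detection section above, as an added example that is not part of the lecture notes. It builds a per-user baseline of daily logins from a constructed audit trail, then flags a day whose count is far above that baseline. The audit-trail format (`<date> <user> <event>`), the users, the four training days and the threshold rule are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed audit trail: one "<date> <user> <event>" record per line.
AUDIT_TRAIL = """\
2018-03-05 alice login
2018-03-05 alice logout
2018-03-05 alice login
2018-03-05 bob login
2018-03-06 alice login
2018-03-06 alice login
2018-03-06 alice login
2018-03-06 bob login
2018-03-07 alice login
2018-03-07 alice login
2018-03-07 bob login
2018-03-08 alice login
2018-03-08 alice login
2018-03-08 alice login
2018-03-08 bob login
2018-03-12 alice login
2018-03-12 alice login
2018-03-12 alice login
2018-03-12 alice login
2018-03-12 alice login
2018-03-12 alice login
2018-03-12 alice login
2018-03-12 bob login
2018-03-12 bob login
2018-03-12 carol login
"""

TRAINING_DATES = ["2018-03-05", "2018-03-06", "2018-03-07", "2018-03-08"]
TEST_DATE = "2018-03-12"


def logins_per_user_day(lines):
    """user -> Counter(date -> number of logins). Logout records are ignored."""
    counts = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        date, user, event = line.split()
        if event == "login":
            counts[user][date] += 1
    return counts


def train(counts, training_dates=TRAINING_DATES, min_days=3):
    """Per-user baseline (mean, population stdev) of daily logins.
    A user seen on fewer than min_days training days gets no baseline at all:
    this is the "not enough data to analyze" problem from the notes."""
    model = {}
    for user, by_day in counts.items():
        days_seen = [d for d in training_dates if by_day.get(d, 0) > 0]
        if len(days_seen) < min_days:
            continue
        samples = [by_day.get(d, 0) for d in training_dates]
        model[user] = (mean(samples), pstdev(samples))
    return model


def score(model, counts, date=TEST_DATE, k=3.0):
    """Flag users whose login count on `date` exceeds baseline + k*sigma.
    sigma is floored at one login so a perfectly regular user (sigma 0)
    is not flagged for a single extra login."""
    alerts = {}
    for user, by_day in counts.items():
        observed = by_day.get(date, 0)
        if user not in model:
            alerts[user] = f"{observed} logins, no baseline (insufficient training data)"
            continue
        mu, sigma = model[user]
        threshold = mu + k * max(sigma, 1.0)
        if observed > threshold:
            alerts[user] = f"{observed} logins vs baseline {mu:.1f} +/- {sigma:.1f}"
    return alerts


def detect(lines=None):
    """Train on the audit trail and score the test day; returns user -> alert text."""
    lines = AUDIT_TRAIL.splitlines() if lines is None else lines
    counts = logins_per_user_day(lines)
    return score(train(counts), counts)


if __name__ == "__main__":
    for user, why in detect().items():
        print(f"{TEST_DATE} {user}: {why}")
```

alice's seven logins on the test day are well above her baseline of about 2.5 per day and get flagged; bob's two logins are within tolerance; carol has no training history, so the detector can only report that it has nothing to compare against. What the numbers cannot say is whether alice's spike is "weird" or "dangerous" (a new project, or someone using her account), which is why the notes leave the investigation to the security officer.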

The fundamental issues:
                      1) Creating a model of what a human is doing is difficult.
                      2) Auditing was created with the intention of a human doing the processing.
                      3) The computer does not have sufficient data to analyze.

Possible solutions: machine learning?? neural networks?? Spy on your email (foolish idea)!!!!

                   Why is it "foolish"? 1) We must be able to model the real world.
                                        2) We can't learn everything based on the limited scope.
                                        3) Assuming we really know someone, can we really predict their behaviour? Even surprises?

The computer can understand programs but not humans. It can detect weird program behaviour, but not weird users; and programs acting weird, i.e. backdoors and memory overflows.