Application Intrusion Detection
Robert S. Sielken
In Fulfillment Of Master of Computer Science Degree
School of Engineering and Applied Science, University of Virginia
May 4, 1999
Outline
- Introduction
- State of Practice - OS IDS
- Case Studies
- Application Intrusion Detection
- Construction of an Application Intrusion Detection System (AppIDS)
- Conclusion
Introduction
- Intrusion Detection: determining whether or not some entity, the intruder, has attempted to gain, or worse, has gained unauthorized access to the system
- Intruders: Internal, External
- Objectives: Confidentiality, Integrity, Availability, Accountability
- Current State: done at the OS level, but diminishing returns; what are the opportunities and limits of utilizing application semantics?
State of Practice - OS IDS
- Audit records: operating system generated collections of the events that have happened in the system over a period of time
- Events: results of actions taken by users, processes, or devices that may be related to a potential intrusion
- Threat Categories: Denial of Service, Disclosure, Manipulation, Masqueraders, Replay, Repudiation, Physical Impossibilities, Device Malfunctions
OS IDS - Approaches
- Anomaly Detection
  - Static: Tripwire, Self-Nonself
  - Dynamic: NIDES, Pattern Matching (UNM)
- Misuse Detection: NIDES, MIDAS, STAT
- Extensions - Networks
  - Centralized: DIDS, NADIR, NSTAT
  - Decentralized: GrIDS, EMERALD
OS IDS - Generic Characteristics
- Relation - expression of how two or more values are associated
  - Statistical
  - Rule-Based
- Observable Entities - any object (user, system device, etc.) that has or produces a value in the monitored system that can be used in defining a relation
- Thresholds - determine how the result of the relation will be interpreted
OS IDS - Generic Characteristics (cont'd)
- Effectiveness
  - fine-tuning of thresholds
  - frequency of relation evaluation
  - number of correlated values
  - hierarchy
AppIDS Guiding Questions
- Opportunity – what types of intrusions can be detected by an AppIDS?
- Effectiveness – how well can those intrusions be detected by an AppIDS?
- Cooperation – how can an AppIDS cooperate with the OS IDS to be more effective than either alone?
Case Studies
- Electronic Toll Collection
  - numerous devices
  - distributed
  - complementary device values
  - hierarchical
  - gathers data about monitored external behavior
  - accounting component
- Health Record Management
  - non-hierarchical
  - no devices beyond controlling computer
  - no financial component
  - limited access
  - contains physical realities
  - data collection and scheduling components
Electronic Toll Collection (ETC) Devices
- Toll Lane: Tag Sensor, Automated Coin Basket, Toll Booth Attendant, Loop Sensor, Axle Reader, Weigh-In-Motion Scale, Traffic Signal, Video Camera
- Vehicle Tag (Active/Passive)
ETC - Hierarchy (diagram slide)
ETC - Application Specific Intrusions
Table columns: Threat Categories, Specific Intrusions, Methods, Relations
- Annoyance (3 methods)
- Steal Electronic Money (10 methods)
- Steal Vehicle (4 methods)
- Device Failure (1 method)
- Surveillance (2 methods)
ETC - Steal Service (table slide)
AppID
- Similarities
  - detect intrusions by evaluating relations to differentiate between anomalous and normal behavior
  - centralized or decentralized (hierarchical)
  - same threat categories
- Differences
  - anomaly detection using statistical and rule-based relations
  - internal intruders
  - event causing entity
  - resolution
  - tightness of thresholds
  - event records
  - periodic code triggers
AppID (cont'd)
- Dependencies
  - OS IDS on AppIDS: None
  - AppIDS on OS IDS: basic security services; prevention of bypassing the application to access application components
- Cooperation
  - audit/event record correlation
  - communication: bi-directional; request-response bundles
  - complications: terms of communication; resource usage - lowest common denominator
Construction of an AppIDS
- Generic components: Event Record Manager, Relation Evaluator, Anomaly Alarm Handler
- Tools (and what each produces):
  - Relation Specifier – Relations
  - Event Record Specifier – Event Record Structure, Timings
  - Relation – Code Connector – Observable Entity Locations in the Application
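The slides name the generic components (Event Record Manager, Relation Evaluator, Anomaly Alarm Handler) and the two relation kinds (rule-based, statistical) but give no code. The block below is an added illustration, not code from the thesis: it evaluates one rule-based relation over the complementary toll-lane device values (loop sensor, axle reader, tag sensor, payment) and one statistical relation over per-tag passage counts, with thresholds deciding how each result is interpreted. The event record fields, relation choices and the tuning knob k are all assumptions.

```python
"""Minimal AppIDS skeleton for the ETC case (assumed design, not the thesis's code):
event records built from the toll-lane devices on the slides, one rule-based and
one statistical relation, and thresholds that decide how a result is interpreted."""
from collections import Counter
from statistics import mean, pstdev

# Constructed toll-lane event records (not real data). Each record bundles the
# complementary device values observed for one vehicle passage through a lane.
EVENTS = [
    {"lane": 1, "tag": "T100", "loop": True, "axles": 2, "tag_axles": 2, "paid": True},
    {"lane": 1, "tag": None, "loop": True, "axles": 2, "tag_axles": None, "paid": True},
    {"lane": 2, "tag": "T200", "loop": True, "axles": 5, "tag_axles": 2, "paid": True},
    {"lane": 2, "tag": None, "loop": True, "axles": 3, "tag_axles": None, "paid": False},
    {"lane": 3, "tag": "T300", "loop": True, "axles": 2, "tag_axles": 2, "paid": True},
] + [{"lane": 3, "tag": "T100", "loop": True, "axles": 2, "tag_axles": 2, "paid": True}
     for _ in range(8)]  # tag T100 seen far more often than the others

def rule_relations(rec):
    """Rule-based relations: mismatches between complementary device values
    in a single event record. Each hit is an alarm (kind, identifier)."""
    alarms = []
    # Loop sensor saw a vehicle but neither tag, coin basket nor attendant paid.
    if rec["loop"] and not rec["paid"]:
        alarms.append(("unpaid_passage", rec["lane"]))
    # Axle reader count disagrees with the class registered for the tag.
    if rec["tag"] and rec["tag_axles"] != rec["axles"]:
        alarms.append(("axle_class_mismatch", rec["tag"]))
    return alarms

def statistical_relation(events, k=1.0):
    """Statistical relation over the whole window: a tag whose passage count
    exceeds mean + k * stdev of all tags is anomalous. k is the threshold."""
    counts = Counter(e["tag"] for e in events if e["tag"])
    vals = list(counts.values())
    cutoff = mean(vals) + k * pstdev(vals)
    return [("tag_rate_anomaly", t) for t, n in counts.items() if n > cutoff]

def evaluate(events):
    """Relation Evaluator: runs every relation over the records held by the
    Event Record Manager and returns the alarms for the Anomaly Alarm Handler."""
    alarms = []
    for rec in events:
        alarms.extend(rule_relations(rec))
    alarms.extend(statistical_relation(events))
    return alarms
```

Tightening k (the threshold) trades missed anomalies for fewer false alarms, which is the tuning problem the Effectiveness slide lists.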
Conclusion
- Opportunity: internal intruders (abusers); anomaly detection with statistical and rule-based relations; same threat categories
- Effectiveness: resolution; tightness of thresholds
- Cooperation: detection
- Construction: tools; generic components
Health Record Management (HRM) Components
- Patient Records
- Orders – lists of all requests for drugs, tests, or procedures
- Schedule – schedule for rooms for patient occupancy, laboratory tests, or surgical procedures (does not include personnel)
- Users: doctors, laboratory technicians, and nurses
HRM - Application Specific Intrusions
Table columns: Threat Categories, Specific Intrusions, Methods, Relations
- Annoyance (4 methods)
- Steal Drugs (1 method)
- Patient Harm (6 methods)
- Surveillance (2 methods)
HRM - Patient Harm (table slide)
Steal Service (cont'd) (table slide)