DERBI: Diagnosis, Explanation and Recovery from Break-Ins (1999 Intrusion Detection Evaluation, Joint DARPA ID/SIA PI Meeting, 13 December 1999)

Slide 1: DERBI: Diagnosis, Explanation and Recovery from Break-Ins
Mabry Tyson, Pauline Berry, Nate Williams, Doug Moran, David Blei
Artificial Intelligence Center, SRI International, 333 Ravenswood Avenue, Menlo Park, CA

Slide 2: DERBI Objective
Assist the sysadmin after an attack
–No special security expertise required
–Detailed system analysis as though by an OS/security expert
–For sites that didn't think they needed a real-time ID system
Require nothing beyond the off-the-shelf OS
–No special logging or monitoring
Provide guidance on what happened and how to recover
How much information can be detected after the fact?

Slide 3: System Description
Rules specify bits of evidence and the associated exploit
Rule Graph embodies the relationships of evidence and attack goals
–Beliefs in evidence are combined to generate an overall belief of attack
Anthropomorphic characterization of the system
–Head: high-level control
–Body: passes messages between Head and Feet
–Feet: runs around and does the work

Slide 4: Head
Uses PRS (Procedural Reasoning System)
Operates on the rule graph
–Goal is to determine whether an attack happened
–Goal is achieved by acquiring evidence
Handles user interaction
–User can add evidence
–Rules can query the user
–Results presented to the user
–User can drill down

Slide 5: Body
Allows Head to deal with abstract queries
Allows Feet to deal with O/S-specific queries
Deals with multiple hosts
–Network communications
–Time differences
–File system differences

Slide 6: Feet
O/S specific
–Knows how to traverse the file system; careful to collect file info before altering it
–Understands special file locations
–Parses log files
ID Evaluation primarily exercises the Feet
Solaris & Linux
–Only Solaris used in ID Evaluation

Slide 7: Rule Graph
The presented slide is not included here: it could not be adequately converted into a graphic that could be included in a MS PowerPoint file. This slide showed a graph with a large number of nodes representing rules, and was intended to show that although the rules formed a predominantly hierarchical structure, there was substantial crossing-over of the boundaries. A PostScript version of this graph can be found at graph-1999dec.ps

Slide 8: Example Evidence Rule: EJECT buffer overflow

    EVIDENCE-TYPE (exploit (setuid root) buffer-overflow)
    UNIQUE-NAME eject-1
    EVALUATION-NAME eject
    PATHS (follow-links '("/usr/bin/eject"))
    EVIDENCE
      (((not (and (command-version-vulnerable-p DIR FILE)          ;; not vulnerable command or
                  (window-of-opportunity (TimeAccessed PATH))))     ;; not used in interval of interest
        0 0)   ;;; assign 0% probability to command being used and 0% belief that it was
       ((greater-than (TimeAccessed PATH)                            ;;; use is later than
                      (max (TimeModified "/cdrom") (TimeModified "/floppy")))   ;;; expected effects
        ))     ;;; 40% probability of exploit, no change in belief about whether it was exploited
    POSIT ((posit ((TIME (TimeAccessed PATH)))
                  (compromised-shell "root" TIME *unknown-time*)))
    EXPLANATION (next slide)

Slide 9: Evidence Rule: EJECT buffer overflow (cont)

    UNIQUE-NAME eject-1
    PATHS (follow-links '("/usr/bin/eject"))
    EXPLANATION
      (explain-evidence
        (PATH                                                  ;;; variable declarations
         (TIME  (print-unix-time (TimeAccessed PATH)))
         (TIME2 (print-unix-time (TimeModified "/cdrom")))
         (TIME3 (print-unix-time (TimeModified "/floppy"))))
        (TimeAccessed PATH)                                    ;;; "as-of" time
        "The command ~S is version vulnerable to a buffer overflow attack and appears to have been used at time ~A which is more recent than two associated files: /cdrom (~A) and /floppy (~A)."
        PATH TIME TIME2 TIME3)
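The rule on slides 8 and 9 (and the suid execute-time versus data-file-time comparison it relies on) can be stated without the PRS machinery. The following is an added example, not DERBI's code: it evaluates the same two clauses over stat()-style metadata supplied as a constructed dict rather than read from a live file system. The version table (VULNERABLE_VERSIONS), the expected-effect table (ASSOCIATED) and the version strings are illustrative stand-ins for DERBI's command-version-vulnerable-p and checksum checks.

```python
# Added example, not DERBI's code: the eject/fdformat evidence rule of
# slides 8-9 expressed as a plain Python check over stat() data.
# Assumptions: metadata comes from the constructed SAMPLE_FS dict;
# VULNERABLE_VERSIONS and ASSOCIATED are illustrative tables.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Stat:
    atime: int            # last access; for an executable, usually the last execution
    mtime: int            # last modification
    version: str = ""     # executables only; DERBI derived this from checksums


# Illustrative: which build of each setuid command counts as vulnerable.
VULNERABLE_VERSIONS: Dict[str, set] = {
    "/usr/bin/eject": {"eject-unpatched"},
    "/usr/bin/fdformat": {"fdformat-unpatched"},
}

# Files a legitimate run of the command would have touched (slide 8 uses
# /cdrom and /floppy for eject).
ASSOCIATED: Dict[str, Tuple[str, ...]] = {
    "/usr/bin/eject": ("/cdrom", "/floppy"),
    "/usr/bin/fdformat": ("/floppy",),
}


@dataclass(frozen=True)
class Evidence:
    path: str
    p_exploit: float      # the rule's 40% belief that an exploit was attempted
    posit_time: int       # when a compromised root shell is posited to start
    explanation: str


def fmt(t: int) -> str:
    return datetime.fromtimestamp(t, timezone.utc).strftime("%d-%b-%Y %H:%M:%S UTC")


def evaluate_rule(path: str, fs: Dict[str, Stat], window: Tuple[int, int]) -> Optional[Evidence]:
    """Mirror the EVIDENCE clauses of slide 8.

    Clause 1: not a vulnerable version, or not used inside the window of
    interest -> 0% probability, no evidence.
    Clause 2: used more recently than the newest 'expected effect' file ->
    40% belief in an exploit; posit a root shell from that access time.
    Anything else (run, but the side effects are newer) looks like normal use.
    """
    st = fs[path]
    vulnerable = st.version in VULNERABLE_VERSIONS.get(path, set())
    used_in_window = window[0] <= st.atime <= window[1]
    if not (vulnerable and used_in_window):
        return None
    effects = {a: fs[a].mtime for a in ASSOCIATED[path]}
    if st.atime <= max(effects.values()):
        return None
    listing = ", ".join(f"{a} ({fmt(m)})" for a, m in effects.items())
    text = (f'The command "{path}" is a version vulnerable to a buffer overflow '
            f"attack and appears to have been used at time {fmt(st.atime)} which is "
            f"more recent than the associated files: {listing}.")
    return Evidence(path, 0.4, st.atime, text)


# Constructed metadata: eject executed 08-Apr-1999 14:24:00 UTC, while the
# CD-ROM and floppy mount points were last modified weeks earlier.
SAMPLE_FS: Dict[str, Stat] = {
    "/usr/bin/eject":    Stat(atime=923581440, mtime=880000000, version="eject-unpatched"),
    "/usr/bin/fdformat": Stat(atime=923581577, mtime=880000000, version="fdformat-patched"),
    "/cdrom":            Stat(atime=920000000, mtime=920000000),
    "/floppy":           Stat(atime=919000000, mtime=919000000),
}
WINDOW = (923500000, 923600000)   # interval of interest (constructed)

if __name__ == "__main__":
    for p in ("/usr/bin/eject", "/usr/bin/fdformat"):
        ev = evaluate_rule(p, SAMPLE_FS, WINDOW)
        print(p, "->", ev.explanation if ev else "no evidence")
```

The access time is a weak signal: a backup, a file-system sweep by root (slide 24) or the evaluation harness overwriting access times (slide 21) all move it, and only the most recent execution survives (slide 20), so the rule's 40% belief is deliberately modest and is combined with other evidence in the rule graph rather than reported on its own.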

Slide 10: Example Output for an Attack

Time: 08-Apr :11:57 EDT
Exploit: Suspicious-login (Suspicious-login)
Login was found for user "doireano" from host
This user not seen before
+00:12:05 later

Time: 08-Apr :24:02 EDT
Exploit: FORMAT (FORMAT-1)
The command "/usr/bin/fdformat" is a version vulnerable to a buffer overflow attack and appears to have been used at time 08-Apr :24:02 EDT which is more recent than the associated device: aw" (04-Mar :52:23 EST).
+00:02:17 later

Time: 08-Apr :26:19 EDT
Exploit: Unauthorized/nonstandard file activity (FILEACT)
1 files were created with no obvious legitimate user having access. Root users currently are *None*. Normal users are (erink doireano ulandusm grzegors). Groups with a member logged in are *None*. Ignored logins are *None*. Groups with an ignored login are *None*.
Files' owner: root
Files' group: staff
Protection: -rw
/.sh_history

Slide 11: Checking a Suspect System (diagram; the only text captured from it is the label "DERBI")

Slide 12: Data Sources for ID Evaluation
The file system is the only source of information
–System files
–Log files
–File system
DERBI has the capability to query the operator
–For example, compare a file to its backup version
–Allow the operator to indicate whether a remote login is normal or suspicious

Slide 13: Target System Configuration Files
passwd
–Notes crackable passwords
hosts.equiv, .rhosts
–Notes capability for passwordless logins
–Notes world-writable system directories
Crontab files
–Notes programs run from crontab

Slide 14: Log Files
utmpx, wtmpx, utmp, wtmp, lastlog
–All compared for inconsistencies
–Note logins without logouts
–Note inconsistencies in tty usage
–Note currently unknown users
–Note remote logins from a new host for that user
–Note failed logins

Slide 15: Log File Information Relationships
Sources in the relationship diagram: utmp, utmpx, wtmp, wtmpx, lastlog, syslog, messages, authlog, sulog, file system, shell init files, cronlog, crontabs
Partial redundancy of information
Redundancy is a common result of the evolution and growth of systems
Use it to check for tampering
Also exposes changes to the system clock

Slide 16: Log Files (2)
syslog, messages, authlog
–sendmail messages (mailbomb, locally sent mail)
–su times
–sshd messages (failures, successful logins/logouts)
–ntp anomalies
–Verify that the times of log messages are monotonic
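Two of the checks on slides 15 and 16, as an added example rather than DERBI's code: parse syslog-style lines, report timestamps that run backwards (which a syslog file never shows unless the clock was changed or the file was edited), and pull out the sshd and su events a post-mortem wants first. The log lines are constructed, the year is an assumed parameter because the classic syslog stamp carries none, and the sshd/su message formats are assumed (OpenSSH-style), not the Solaris 2.x originals.

```python
# Added example, not DERBI's code: log monotonicity and auth-event
# extraction for slides 15-16 over constructed syslog-style lines.
# Assumptions: year is supplied by the caller; message formats are
# OpenSSH-style and illustrative.
import re
from datetime import datetime
from typing import Dict, List, Tuple

STAMP = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) ([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

Entry = Tuple[datetime, str, str, str]   # (time, host, program, message)


def parse_syslog(text: str, year: int) -> List[Entry]:
    """Parse 'Mon dd hh:mm:ss host prog[pid]: msg' lines; skip anything else."""
    out: List[Entry] = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss, host, prog, _pid, msg = m.groups()
        out.append((datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss)),
                    host, prog, msg))
    return out


def backward_jumps(entries: List[Entry], slack: int = 0) -> List[Tuple[int, int]]:
    """(index, seconds) for each entry stamped more than `slack` seconds
    before its predecessor. slack=3600 tolerates a daylight-time fallback."""
    jumps = []
    for i in range(1, len(entries)):
        delta = int((entries[i][0] - entries[i - 1][0]).total_seconds())
        if delta < -slack:
            jumps.append((i, delta))
    return jumps


SSHD = re.compile(r"^(Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)")
SU = re.compile(r"^'su (\S+)' (succeeded|failed) for (\S+)")


def auth_summary(entries: List[Entry]) -> Dict[str, list]:
    """Collect sshd failures/acceptances as (time, user, source) and su
    attempts as (time, user, target, outcome)."""
    summary: Dict[str, list] = {"ssh_failed": [], "ssh_accepted": [], "su": []}
    for t, _host, prog, msg in entries:
        if prog == "sshd":
            m = SSHD.match(msg)
            if m:
                key = "ssh_failed" if m.group(1) == "Failed" else "ssh_accepted"
                summary[key].append((t, m.group(2), m.group(3)))
        elif prog == "su":
            m = SU.match(msg)
            if m:
                summary["su"].append((t, m.group(3), m.group(1), m.group(2)))
    return summary


# Constructed log: two failures, a success, su to root, then the clock is
# set back 25 minutes and a second login appears "before" the first.
SAMPLE_LOG = """\
Apr  8 14:10:02 victim sshd[213]: Failed password for doireano from 10.0.0.5 port 1022 ssh2
Apr  8 14:10:05 victim sshd[213]: Failed password for doireano from 10.0.0.5 port 1022 ssh2
Apr  8 14:11:57 victim sshd[214]: Accepted password for doireano from 10.0.0.5 port 1023 ssh2
Apr  8 14:20:11 victim su: 'su root' succeeded for doireano on /dev/pts/2
Apr  8 13:55:00 victim xntpd[88]: time reset -1511.000000 s
Apr  8 13:56:40 victim sshd[215]: Accepted password for erink from 10.0.0.7 port 1024 ssh2
"""

if __name__ == "__main__":
    entries = parse_syslog(SAMPLE_LOG, 1999)
    print("backward jumps (index, seconds):", backward_jumps(entries))
    print(auth_summary(entries))
```

A backward jump is only a lead, not proof of tampering: a daylight-time fallback legitimately moves the stamp back one hour (hence the slack parameter), and the stamp's missing year means a file spanning New Year must be parsed in two passes. The payoff, as slide 15 says, is cross-checking: the same su or login should also appear in sulog or wtmpx at a consistent time.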

Slide 17: File System Info
Executables
–Access time usually means execution
–Comparison of suid execute time vs. data file access time
–Checksums checked for vulnerable or replaced versions
Normal files
–File access/creation, owner and protection recorded for every file
–Files that indicate login/logout are specially noted (dot files, pty and window system files)
Special files
–Known cracker file names (including deleted files)
–Rarely used files that crackers may use

Slide 18: Evidence Correlated by Time
File access/creation and log information sorted by time
Unauthorized access detected when no authorized user is known to be logged in at the time files were accessed or created
–Complications: background processes, servers and scheduled jobs; suid executables
Attacks usually evident by clustering of evidence
–Often see evidence of an exploit
–Followed by evidence of unauthorized access to files
–However, an attack can be inferred from a single anomaly
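The correlation described on slides 14 and 18, as an added example that is not part of DERBI: login records are paired into sessions per tty (noting logins without logouts and logins from a host new to that user), and every file event is then checked against who was logged in at that moment, which is what the FILEACT output on slide 10 reports. The wtmp records and file events are constructed tuples, not parsed from a binary wtmp/wtmpx; KNOWN_HOSTS and IGNORE_PREFIXES are illustrative, the latter standing in for the "background processes, servers and scheduled jobs" complication.

```python
# Added example, not DERBI's code: login sessions from wtmp-style records
# correlated with file events (slides 14 and 18). All data is constructed.
from typing import Dict, List, Optional, Set, Tuple

# (time, user, tty, remote_host, kind); kind is "login" or "logout".
WTMP: List[Tuple[int, str, str, str, str]] = [
    (100, "erink", "pts/1", "alpha.example", "login"),
    (400, "erink", "pts/1", "", "logout"),
    (700, "doireano", "pts/2", "beta.example", "login"),   # host new for this user
    (900, "doireano", "pts/2", "", "logout"),
    (1200, "root", "console", "", "login"),                # never logged out
]
# Illustrative: hosts each user has been seen from before.
KNOWN_HOSTS: Dict[str, Set[str]] = {"erink": {"alpha.example"}, "doireano": {"gamma.example"}}

# (time, path, owner, event) observations from a file-system walk.
FILE_EVENTS: List[Tuple[int, str, str, str]] = [
    (150, "/home/erink/.cshrc", "erink", "access"),
    (650, "/var/log/syslog", "root", "modify"),   # daemon activity, ignored below
    (750, "/.sh_history", "root", "create"),      # root's shell history, no root login
    (1300, "/etc/passwd", "root", "access"),
]
# Illustrative: paths that daemons and cron touch without anyone logged in.
IGNORE_PREFIXES = ("/var/log/", "/var/spool/")

Session = Tuple[int, Optional[int], str, str]   # (start, end or None, user, tty)


def build_sessions(records) -> Tuple[List[Session], List[str]]:
    """Pair logins with logouts per tty and note the inconsistencies slide 14 lists."""
    open_by_tty: Dict[str, Tuple[int, str]] = {}
    sessions: List[Session] = []
    notes: List[str] = []
    for t, user, tty, host, kind in sorted(records):
        if kind == "login":
            if tty in open_by_tty:   # previous session on this tty had no logout record
                start, prev = open_by_tty.pop(tty)
                notes.append(f"{prev} on {tty} at {start} had no logout before {user} logged in at {t}")
                sessions.append((start, t, prev, tty))
            if host and host not in KNOWN_HOSTS.get(user, set()):
                notes.append(f"{user} logged in from {host} at {t}: new host for this user")
            open_by_tty[tty] = (t, user)
        elif tty in open_by_tty:
            start, u = open_by_tty.pop(tty)
            sessions.append((start, t, u, tty))
        else:
            notes.append(f"logout on {tty} at {t} with no matching login")
    for tty, (start, u) in open_by_tty.items():   # still open at end of log
        notes.append(f"{u} on {tty} logged in at {start} and never logged out")
        sessions.append((start, None, u, tty))
    return sessions, notes


def logged_in_at(sessions: List[Session], t: int) -> Set[str]:
    return {u for s, e, u, _ in sessions if s <= t and (e is None or t <= e)}


def unauthorized_file_activity(events, sessions) -> List[Tuple[int, str, str, Set[str]]]:
    """File events whose owner was not logged in at that time (slide 18)."""
    hits = []
    for t, path, owner, _kind in sorted(events):
        if path.startswith(IGNORE_PREFIXES):
            continue
        users = logged_in_at(sessions, t)
        if owner not in users:
            hits.append((t, path, owner, users))
    return hits


if __name__ == "__main__":
    sessions, notes = build_sessions(WTMP)
    for n in notes:
        print("note:", n)
    for t, path, owner, users in unauthorized_file_activity(FILE_EVENTS, sessions):
        print(f"{t}: {path} (owner {owner}) touched; logged in: {sorted(users) or '*None*'}")
```

Run as is, the only hit is /.sh_history created at time 750 while only doireano was logged in, which is the slide 10 pattern: a user session followed by root-owned file activity with no root login to account for it. The suid complication on slide 18 is not handled here; a setuid program legitimately creates root-owned files on a normal user's behalf, so a real rule has to pair such hits with the exploit evidence of slide 8 rather than alert on them alone.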

Slide 19: Detection of New Attacks
"New attack" means new exploit
DERBI spots the intentional and secondary effects of the cracker on the system, after the (new) exploit
Crackers often leave a large trail of evidence
–Exploit files touched
–Camouflage attempts often leave footprints
–Data collectors and back doors often detectable
–However, ID Evaluation attacks often are hit-and-run

Slide 20: Detectable Attacks
Detects R2L, U2R and Data attacks on Solaris (and Linux)
Can detect some DoS attacks when logged (mailbomb, ssh or telnet attempts)
Generally can only detect the latest use of an executable (i.e., only the last eject attack could be detected)
Cracker or normal activity can destroy evidence of an attack
Can't detect network traffic, but is not blinded by encryption

Slide 21: ID Evaluation Results
Test procedure artifacts complicated the evaluation
–Evaluation team affected the file system (apparently including running attacks) outside of simulation runs but with the clock set to times within simulation periods
–Dot files accessed and files written in a user's directory, but the simulation contained no login
–Executables such as eject accessed without the device being accessed, as though an attack was done, but no attack at that time during the simulation
–Also overwrote access times of all files on some days
Simulated "attacks" were often just: exercise the exploit and leave
–DERBI picks up evidence of usage of privileges

Slide 22: ID Evaluation Results
25 attacks in detectable classes
17 attacks detected
–score of 16.98 (68%)
47 false alarms
–score of 25

Slide 23: ID Evaluation Results - Misses
8 misses
–1 attack missed due to the test procedure overwriting access times: ffbconfig
–5 attacks left no evidence: guessftp, xsnoop, xlock, httptunnel usage (x2)
–2 attacks indistinguishable from normal activity: httptunnel setup (no recognizable suspicious indications); ps (telnet from a new host, but otherwise nothing suspicious)

Slide 24: ID Evaluation Results - False Alarms
47 total false alarms (total score 25)
29 probably due to the test procedure (total score 15.2)
–18 definite test procedure artifacts (score 4.55)
–11 probable test procedure artifacts (score 10.65)
18 other false alarms (total score 9.8)
–7 pseudo-tty errors (looked like log file truncation) (score 5.1)
–5 login/logout record problems (score 3.6)
–3 dot files accessed when the user was not logged in (score 0.03)
–2 root accessed secret files in a sweep of the file system (score 1)
–1 secret access while logged in locally and remotely (score 0.05)

Slide 25: ROC - Overall (ROC plot; only the plotted figures survive)
Total attacks: 25
All false alarms counted: Hits 17 (16.98), total FAs 47 (25)
Test-procedure artifacts removed: Hits 18 (17.98), total FAs 18 (9.8)
(The second line corresponds to slides 23 and 24: the ffbconfig miss caused by the test procedure becomes a hit, and the 29 artifact false alarms, score 15.2, are dropped.)

Slide 26: ROC - Old vs Overall
Total attacks: 23
All false alarms counted: Hits 15 (15), total FAs 47 (25)
Test-procedure artifacts removed: Hits 16 (16), total FAs 18 (9.8)

Slide 27: ROC - R2L
Total attacks: 12
All false alarms counted: Hits 6 (6), total FAs 2 (1.7)
Test-procedure artifacts removed: Hits 6 (6), total FAs 1 (0.7)

Slide 28: ROC - U2R
Total attacks: 11
All false alarms counted: Hits 9 (9), total FAs 21 (18.45)
Test-procedure artifacts removed: Hits 10 (10), total FAs 10 (7.5)

Slide 29: ROC - Data
Total attacks: 3
All false alarms counted: Hits 3 (2.98), total FAs 26 (6.53)
Test-procedure artifacts removed: Hits 3 (2.98), total FAs 8 (2.28)

Slide 30: DERBI Project Ends
DERBI has come to its end, for now
Experience at analyzing intrusions as a sysadmin led to the idea that a system could be built to do this and to make it easier for less experienced sysadmins

Slide 31: DERBI is a Success
Successful at detecting intrusions on a stock system
–The original idea of a post-mortem analysis has been proven
–Designed for real intrusions, it performs better the more the cracker does
–Difficult to imagine how to further improve detection without modifying the O/S

Slide 32: DERBI is Different
The DERBI concept is orthogonal to most other ID systems
–This diversity could be useful, as the systems have different strengths and weaknesses
–Didn't fit too well with the design of the ID evaluation
Not a substitute for intrusion monitoring systems, but can aid those sites that don't want the overhead of such systems

Slide 33: Parting Thoughts
The problem of intrusions has a variety of responses for a variety of consumers
–Read-only systems or network computers
–Brick-up-the-door approach
–"We can't let it happen" approach (most IDS)
–"It happens" approach (DERBI)
ID shouldn't be an after-market add-on to an OS
–Watch for incoming and outgoing attacks