Intrusion Detection State of the Art/Practice Anita Jones University of Virginia

10/062 Introduction Intrusion Detection –determining whether or not some entity, the intruder, has attempted to gain, or has gained unauthorized access to the system Intruder Types –External –Internal

10/063 State of Practice Assume the Operating System as the basis Use what an OS knows about -- OS semantics –users, processes, devices –controls on access and resource usage –network traffic management Record events in the life of the OS Use OS audit records OS Intrusion Detection Systems -- OS IDS

10/064 OS IDS - the two Approaches Anomaly Detection –assume that behavior can be characterized statically -- by known, fixed data encoding dynamically -- by patterns of event sequences or by threshold limits on event occurrences (e.g. system calls) –detect errant behavior that deviates from expected, normal behavior Misuse Detection –look for known patterns (signatures) of intrusion, typically as the intrusion unfolds

10/065 OS IDS - the two Approaches Anomaly Detection –Static: e.g. Tripwire, Self-Nonself –Dynamic: e.g. Rule-based (thresholds) –see GrIDS Misuse Detection –e.g. USTAT Networks are handled as “extensions” –I.e. Use same two approaches listed above –Centralized: e.g. DIDS, NADIR, NSTAT –Decentralized: e.g. GrIDS, EMERALD

10/066 Audit Records Most IDS depend on audit records What do OS audit records record? Can the OS assure integrity of the audit records? What techniques would an intruder use to cover his tracks that might be found in an audit trail? “Clandestine intruders” Forensics

10/067 User Profiles What can you use to characterize user activity? Measures (absolute amounts; fluctuation; duration: –use of memory –use of processors –network traffic Absolute measures Statistical measures -- thresholds

CPU usagecount elapsed CPU execution -- seconds I/O usage# of devices; duration of use of each; # commands Location of Use# connection from each location Mailer Usage# invocations Editor Usage# invocations Compiler Usage# invocations Shell Usage# invocations Directory Usage# directories accessed; # accesses per directory Commands Used# command; # repetitions per command Directories Created# created Directories Read# accessed; # at end of path Directories Modified# directories changed; # mods/dir.; size increase decrease File Usage# accesses; # mods; magnitude of mods Temp files created# average size; standard deviation of size User Ids accessed# time ID is changed System errors# System Errors by Type# per type Audit Record Activitycategories of records; # of each category; # per hour Hourly activitypatterns of CPU, files, memory used per hour Time of day usepattern of average on-line use per day Remote network activity# packets sent; packets per hour Network activity by Hostshosts contacted Local Network activitytraffic within local network Local network activity by hosttraffic by host inside local network

10/069 Signatures Signature is some data or pattern of data that captures distinctive behavior Many IDS systems depend upon the development of a signature Large variety Formats of signatures may differ What is “summarized”?

10/0610 OS IDS -- a Particular Problem OS IDS has problems when –anomalous & normal behavior can’t be distinctly characterized –OS IDS has no pattern for a newly invented intrusion (misuse) But, the greatest problem is –to distinguish abusive internal (legit user) activity

An OS IDS is inherently limited by the semantics of the OS You can’t talk about something for which you have no words!

10/0612 Alarms Who do you call? How do they respond? Quality of the IDS: –False positives –False negatives