Hiding Intrusions: From the Abnormal to the Normal and Beyond. Kymie Tan, John McHugh and Kevin Killourhy. Presented at the 5th Information Hiding Workshop,


Hiding Intrusions: From the Abnormal to the Normal and Beyond
Kymie Tan, John McHugh and Kevin Killourhy
Presented at the 5th Information Hiding Workshop, 7-9 October 2002
Published in LNCS 2578, pp. 1-17, Springer-Verlag, 2002
"We were hoping to gain insights that might move toward a more theoretical basis for understanding intrusions. Instead, we seem to have discovered an interesting approach for serious intruders."
Presented by Anne Crockett

Host-based Intrusion Detection
There are two types of host-based IDS:
1. Signature-based: matches attack descriptions to sensed data (like virus checkers)
2. Anomaly-based: sensors produce a trace log of data that is analysed for anomalies
   – equate "unusual or abnormal [behaviour] with intrusions" (John McHugh: "Intrusion and Intrusion Detection", International Journal of Information Security 1, 2001, pp. 14-35)
   – require training data to determine normal behaviour

Summary
- This paper addresses the assumption of anomaly detectors that intrusions cause "anomalous manifestations"
- The authors believe this assumption is wrong and try to prove it by describing attacks that are not detectable by an anomaly-based Intrusion Detection System (IDS):
  1) First they describe the attacks and the system being attacked: UNIX running an anomaly detector called "Stide"
  2) Next they describe how Stide detects attacks, and detail the weakness in Stide that they exploited
  3) Lastly they show how the attack code is modified to prevent Stide detecting it
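The slides above say that Stide detects attacks from the trace of system calls a privileged program issues and that the authors found a blind spot in it, but they do not show the mechanism. The following is an added example, not code from the paper or from the presentation, that reduces Stide to its core idea (a database of every fixed-length sequence of system-call names seen during training, with any window of the monitored trace that is absent from that database counted as a mismatch) and uses it the way a defender evaluating such a detector would: to measure how the window size bounds what the detector can see. The system-call names and traces are constructed for illustration, and the helper names (train, detect, smallest_detecting_window, coverage_report) are this example's own.

```python
"""
Added example (not from the paper or the presentation): a minimal Stide-style
anomaly detector over system-call traces, used to measure how the window size
limits what the detector can see.

Assumption: Stide is reduced to its core idea, a database of every
fixed-length sequence of system-call names observed during training, with any
window of a monitored trace not in the database reported as a mismatch. The
real Stide adds further machinery (e.g. counting mismatches over a locality
frame); that is omitted here. All traces below are constructed.
"""

from typing import Dict, List, Optional, Set, Tuple

Window = Tuple[str, ...]


def train(traces: List[List[str]], window: int) -> Set[Window]:
    """Build the 'normal' database: every length-`window` sequence in the training traces."""
    normal: Set[Window] = set()
    for trace in traces:
        for i in range(len(trace) - window + 1):
            normal.add(tuple(trace[i:i + window]))
    return normal


def detect(trace: List[str], normal: Set[Window], window: int) -> List[Tuple[int, Window]]:
    """Slide a window over `trace`; return (offset, sequence) for every window absent from `normal`."""
    mismatches: List[Tuple[int, Window]] = []
    for i in range(len(trace) - window + 1):
        seq = tuple(trace[i:i + window])
        if seq not in normal:
            mismatches.append((i, seq))
    return mismatches


def smallest_detecting_window(traces: List[List[str]], trace: List[str],
                              max_window: Optional[int] = None) -> Optional[int]:
    """Smallest window size at which `trace` produces any mismatch, or None if no size does.

    Any configured window smaller than the returned value is a blind spot for
    this trace: every one of its shorter subsequences already occurs in the
    training data, so the detector sees nothing unusual.
    """
    if max_window is None:
        max_window = len(trace)
    for w in range(1, max_window + 1):
        if detect(trace, train(traces, w), w):
            return w
    return None


def coverage_report(traces: List[List[str]], trace: List[str],
                    windows: Tuple[int, ...] = (2, 3, 4)) -> Dict[int, int]:
    """Number of mismatches reported for `trace` at each candidate window size."""
    return {w: len(detect(trace, train(traces, w), w)) for w in windows}


# Constructed training traces of a hypothetical privileged program.
TRAINING_TRACES = [
    ["open", "read", "write", "exit"],
    ["stat", "read", "write", "close"],
]

# Constructed trace to evaluate: every 1-, 2- and 3-call subsequence of it occurs
# somewhere in training, but the 4-call sequence as a whole was never seen.
TEST_TRACE = ["open", "read", "write", "close"]


if __name__ == "__main__":
    for w, n in coverage_report(TRAINING_TRACES, TEST_TRACE).items():
        print(f"window={w}: {n} mismatch(es)")
    print("smallest window that sees the anomaly:",
          smallest_detecting_window(TRAINING_TRACES, TEST_TRACE))
```

With these constructed traces the detector reports nothing at window sizes 2 and 3 and one mismatch at size 4, so smallest_detecting_window returns 4. The point for detector design and evaluation is that a fixed-window sequence detector can only see a foreign sequence if the window is at least as long as that sequence; a defender choosing the window should therefore measure this value over traces of known attacks against the monitored programs rather than rely on a default.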

Critical Comment 1
- The paper was very similar to an earlier article written by Tan, Killourhy & Roy
  – "Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits", 5th International Symposium, RAID 2002, LNCS 2516, Springer-Verlag, pp. 54-73
  – RAID = Recent Advances in Intrusion Detection
- In fact, some sentences were identical! Why don't you read the other paper and compare them?
- One term they used extensively is "manifestations", but they never define it in "Hiding Intrusions…"
  – The omission of the definition makes their argument harder to understand.
  – They did define it in their earlier paper: "sequence of system calls issued by the exploited/privileged system program, and due to the presence and activity of the exploit."

Appreciative Comment
- The authors dared to challenge the long-held view that all intrusions produce anomalies
- Their argument was convincing and logically structured:
  – identified a weakness (blind spot) in Stide
  – exploited it using several simple and well-described attacks which they downloaded from the Internet
  – described how they evaded detection by either making the attack's manifestations appear normal or finding a blind spot to hide it in

Examining the Argument (1)
- Do all intrusions cause "anomalous manifestations"?
- Dorothy Denning (1987): "exploitation of a system's vulnerabilities involves abnormal use of the system; therefore, security violations could be detected from abnormal patterns of system usage."
- Tan, McHugh & Killourhy (2002): "we discovered techniques whereby intrusive activities with anomalous manifestations could be modified in such a way as to be indistinguishable from arguably normal activities"

Examining the Argument (2)
- Given I = Intrusion (exploitation of a vulnerability) and E = Evidence of abnormal use:
  – Denning states: $\forall I:\ I \Rightarrow E$
  – Tan et al claim: $\exists I:\ I \not\Rightarrow E$
- Tan et al demonstrate convincingly that their attacks can be hidden. Then they extend their argument by saying: "We speculate that similar attacks are possible against other anomaly based IDS…"

Examining the Argument (3)
- Consider these two elements in the attack situation: X = anomaly detector, Y = operating system
- Tan et al speculate: $\forall X\ \forall Y\ \exists I:\ I \not\Rightarrow E$
- But consider that…
  – Stide is an open-source anomaly detector, but not all other IDSs are
  – Their approach requires the attacker to understand intimately the weaknesses of Stide
  – They must carefully manipulate the manifestations to avoid being detected

Critical Comment 2
- Main criticism: It is unclear whether the kernel attack was run on Linux or Unix.
  – Their attacks are designed to exploit privileged Unix system processes; however, their description of the "kernel" attack refers to how the Linux kernel enforces security.
- Side issue: The three programs they exploited can be patched with packs downloadable from RedHat Linux.
  – So, is Linux equally vulnerable to all three attacks?

Conclusion and Question
- The authors prove that hiding evidence of an intrusion is possible in their particular case.
- Are you convinced that their intrusion-hiding approach is a threat to other anomaly detectors?
- If so, they state "[our] results have implications for both detector design and for detector evaluation" but fail to explain what those implications are.
- What are the implications of their research?