Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intruders and Viruses.

Published byMadeleine Walters Modified over 8 years ago

Similar presentations

Presentation on theme: "Intruders and Viruses."— Presentation transcript:

1 Intruders and Viruses

2 Outline Intruders Viruses and Related Threats
Intrusion Techniques Password Protection Password Selection Strategies Intrusion Detection Viruses and Related Threats Malicious Programs The Nature of Viruses Antivirus Approaches Advanced Antivirus Techniques Recommended Reading and WEB Sites

3 Intruders Three classes of intruders (hackers or crackers): Masquerader, Misfeasor, and Clandestine user. Masquerader An unauthorized user who penetrates a computer system’s access control and gains acccess to user accounts.

4 Intruders Misfeasor >A legitimate user who accesses resources he is not authorized to access. >Who is authorized such access but misuses his privileges. Clandestine user A user who seizes the supervisory control of the system and uses it to evade auditing and access control.

5 Intrusion Techniques Objective: An intruder wants to gain access to a system. >>Access is generally protected by passwds. System maintains a file that associates a password with each authorized user. Password file can be protected with: One-way encryption and Access control

6 Intrusion Techniques One-way encryption:
>A system stores passwds only in encrypted form. >One-way transformation Access Control >Access to the passwd file is limited to very few people.

7 Intrusion Techniques Techniques for guessing passwords:
Try default passwords. (used with standard accounts that are shipped with systems.) Try all short words, 1 to 3 characters long. Try all the words in an electronic dictionary (60,000). Collect information about the user’s hobbies, family names, birthday, etc.

8 Intrusion Techniques Techniques for guessing passwords:..
Try user’s phone number, social security number, street address, etc. Try all license plate numbers (MUP103). Use a Trojan horse (to bypass restrictions on access). Tap the line between a remote user and the host system.

9 UNIX Password Scheme Passwords are stored in crypted form.
User selects a password of chars. This password serves as the key to an encryption routine. Encryption routine is a modified version of DES. 12 bit Salt is used for modification. Salt: related to time the password is assigned.

10 UNIX Password Scheme Modified DES is used with data input as 64-bit block of zeros. This process is repeated 25 times. The resulting output is translated into an 11 chars sequence. (cipher passwd) Ciphertext password is stored in the table together with Salt.

11 UNIX Password Scheme Loading a new password

12 UNIX Password Scheme Verifying a password file

13 Storing UNIX Passwords
UNIX passwords were kept in a publicly readable file, etc/passwords. Now they are kept in a “shadow” directory and only visible to “root”.

14 ”Salt” The salt serves three purposes:
Prevents duplicate passwords from being visible in the password file. //even if two users choose the same password, their ciphertexts will differ// Effectively increases the length of the password (by two chars). //makes password guessing difficult// Prevents the use of hardware implementations of DES.

15 Password Selecting Strategies
Goal: Eliminate guessable passwords while allowing users to select passwords that are memorable. 1. User education >Told the importance of hard-to-guess passwds. >Provided guidelines to select strong passwords. >Many users ignore guidelines.

16 Password Selecting Strategies
2. Computer-generated passwords >Passwords will be random in nature and will be hard to memorize. 3. Reactive password checking >System runs its own password checker to find guessable passwords. >Users given a deadline to change the password //account is cancelled or frozen//

17 Password Selecting Strategies
4. Proactive password checking >A user is allowed to select his passwd. >At the time of selection, the system checks to see if the passwd is allowable. >It rejects the password if not allowable. >The most promising approach.

18 Proactive Password Checking
Problem: How to efficiently and effectively check for passwords. >It is not practical to maintain a list of bad passwords and check it. >Two compact ways: Markov model and Bloom filters.

19 Proactive Password Checking
Markov model: >Each state represents a chars. >The current state denotes the most recent char/letter. >Transition from a state to another state denotes the next char. >Transitions have probability associated to them.

20 Markov Model Henric Johnson

21 Markov Model Main problem: Building the transition matrix.
The Markov chain should reflect the structure of words in the dictionary. All strings generated by the MC denote bad passwords. A dictionary of guessable words is created. Transition matrix is computed as follows:

22 Transition Matrix Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth character. Example: Password firefly consists of the following trigrams: fir, ire, ref, efl, fly.

23 Transition Matrix 2. For each bigram ij, calculate f(i,j, ) as the total number of trigrams beginning with ij. 3. Compute the entries of T as follows:

24 Markov Model Checking for a bad password:
>Passwords (strings) generated by the Markov model are rejected. >For a given password, transition probabilities of trigrams are looked up. >Statistical tests are performed to see if this password is likely by the model. >Passwords likely by the model are rejected.

25 Spafford (Bloom Filter)
where The following procedure is then applied to the dictionary: A hash table of N bits is defined, with all bits initially set to 0. For each password, its k hash values are calculated, and the responding bits in the hash table are set to 1

26 Bloom Filter False positive:
A password that is not in the dictionary but it produces a match in the table. Example: hogan and bogan are present in the dictionary, but logan is not. H1(hogan)=32, H1(bogan)=76, H1(logan)=45 H2(hogan)=45, H2(hogan)=91, H2(logan)=32 >False positive cause a valid password to be rejected. >False positive should be minimized.

27 Spafford (Bloom Filter)
Design the hash scheme to minimize false positive. Probability of false positive:

28 Performance of Bloom Filter

29 The Stages of a Network Intrusion
1. Scan the network to: • locate which IP addresses are in use, • what operating system is in use, • what TCP or UDP ports are “open” (being listened to by Servers). 2. Run “Exploit” scripts against open ports 3. Get access to Shell program which is “suid” (has “root” privileges). 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. 5. Use IRC (Internet Relay Chat) to invite friends to the feast. 29

30 Intusion Detection Intrusion prevent may fail and intrusion detection is the next best defense. Motivations: If the intruder can be identified quickly enough, he can be ejected from the system and damage can be minimized. An effective intrusion detection can prevent intrusions. //can act as a deterrent//

31 Intusion Detection Motivations:...
Collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility. Intrusion detection basis: “The behavior of intruders differs from that of a legitimate user in a quantifiable way.”

32 Profiles of Behavior of Intruders and Authorized Users
Henric Johnson

33 Intrusion Detection There is likely to be some overlap in the behavior. Will generate “false positives”: Some authorized users will be branded as intruders. >If false positives are completely eliminated, some intruders will go undetected.

34 Intrusion Detection Two approaches are used:
1. Statistical anomaly detection >History of legitimate users is collected and a user profile is built. >Statistical tests are applied to the observed behavior to determine if it is an intrusion. --Two approaches are used.

35 Intrusion Detection 2. Rule based detection
Treshold detection Uses thresolds for the frquency of occurrence of various events. Profile based User profile is used to detect changes in the behavior of a user. 2. Rule based detection Defines a set of rules that can be used to decide if a behavior is that of an intruder.

36 Intrusion Detection 2. Rule based detection... >Two approaches.
Anomaly detection Rules detect deviation from previous usage patterns. Penetration identification An expert system-based approach that searches for suspicious behavior.

37 Measures used for Intrusion Detection
Login frequency by day and time. Frequency of login at different locations. Time since last login. Password failures at login. Execution frequency. Data transfers Read, write, create, delete frequency. Failure count for read, write, create and delete.

38 Distributed Intrusion Detection
Early IDSs were for single-stand alone systems (centralized IDS). A more effective defense can be achieved by cooperation among several intrusion detection systems across the network. >A diagram of such system (next slide)

39 Distributed Intrusion Detection
Developed at University of California at Davis

40 Distributed ID Consists of three components: 1. Host agent module:
Collects data on security related events on the host and passes them to the central manager. 2. LAN Monitor agent module: It analyzes LAN traffic and reports results to the central manager. (host-host connections, services used, volume of traffic, rlogin activity, etc.)

41 Distributed ID… 3. Central Manager module:
>Receives reports from host agents and LAN monitor. >Processes and correlates the reports to detect intrusions. >Typically includes an expert system that draws inferences from the received data.

42 Distributed Intrusion Detection
Henric Johnson

43 Viruses and ”Malicious Programs”
Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”). Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).

44 Taxanomy of Malicious Programs
Need Host Program Independent Trapdoors Logic Bombs Trojan Horses Viruses Bacteria Worms

45 Definitions Virus - code that copies itself into other programs.
A “Bacteria” replicates until it fills all disk space, or CPU cycles. Payload - harmful things the malicious program does, after it has had time to spread. Worm - a program that replicates itself across the network (usually riding on messages or attached documents (e.g., macro viruses).

46 Definitions Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net). Logic Bomb - malicious code that activates on an event (e.g., date). Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users. Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.

47 Virus Phases Dormant phase - the virus is idle
Propagation phase - the virus places an identical copy of itself into other programs Triggering phase – the virus is activated to perform the function for which it was intended Execution phase – the function is performed

48 Virus Protection Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses. Do not execute programs (or "macro's") from unknown sources (e.g., PS files, Hypercard files, MS Office documents, Avoid the most common operating systems and programs, if possible.

49 Virus Structure Henric Johnson

50 A Compression Virus Henric Johnson

51 Types of Viruses Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs. Memory-resident Virus - Lodges in main memory as part of the residual operating system. Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses). Stealth Virus - explicitly designed to hide from Virus Scanning programs. Polymorphic Virus - mutates with every new host to prevent signature detection.

52 Macro Viruses Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File). Platform independent. Infect documents, delete files, generate and edit letters.

53 Antivirus Approaches 1st Generation, Scanners: searched files for any of a library of known virus “signatures.” Checked executable files for length changes. 2nd Generation, Heuristic Scanners: looks for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes. 3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files). 4th Generation, Full Featured: combine the best of the techniques above.

54 Advanced Antivirus Techniques
Generic Decryption (GD) CPU Emulator Virus Signature Scanner Emulation Control Module For how long should a GD scanner run each interpretation?

55 Advanced Antivirus Techniques

Download ppt "Intruders and Viruses."

Similar presentations

Computer Security Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Chapters 14 and 15 Operating Systems: Internals and Design Principles,

Computer Security Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Chapters 14 and 15 Operating Systems: Internals and Design Principles,
Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.

Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 8. Supporting Software 1 Software Compatibility Whether you are doing a fresh.
30/04/2015Tim S Roberts 20081 COIT13152 Operating Systems T1, 2008 Tim S Roberts.

30/04/2015Tim S Roberts COIT13152 Operating Systems T1, 2008 Tim S Roberts.
1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 Intruders.

1 Ola Flygt Växjö University, Sweden Intruders.
Informationsteknologi Thursday, October 11, 2007Computer Systems/Operating Systems - Class 161 Today’s class Security.

Informationsteknologi Thursday, October 11, 2007Computer Systems/Operating Systems - Class 161 Today’s class Security.
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Security Chapter 15. Computer and Network Security Requirements Confidentiality –Requires information in a computer system only be accessible for reading.

Security Chapter 15. Computer and Network Security Requirements Confidentiality –Requires information in a computer system only be accessible for reading.
Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.

Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.
Henric Johnson1 Intruders and Viruses Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Intruders and Viruses Henric Johnson Blekinge Institute of Technology, Sweden
After this session, you should be able to:

After this session, you should be able to:
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
CSCE 815 Network Security Lecture 20 Intruders / Intrusion Detection April 3, 2003.

CSCE 815 Network Security Lecture 20 Intruders / Intrusion Detection April 3, 2003.
Video Following is a video of what can happen if you don’t update your security settings! security.

Video Following is a video of what can happen if you don’t update your security settings! security.
1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 Malicious Software.

1 Ola Flygt Växjö University, Sweden Malicious Software.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Network and Internet Security SYSTEM SECURITY. Virus Countermeasures Antivirus approach ◦Ideal solution: Prevention ◦Not allowing the virus to infect.

Network and Internet Security SYSTEM SECURITY. Virus Countermeasures Antivirus approach ◦Ideal solution: Prevention ◦Not allowing the virus to infect.
Understanding and Troubleshooting Your PC. Chapter 12: Maintenance and Troubleshooting Fundamentals2 Chapter Objectives  In this chapter, you will learn:

Understanding and Troubleshooting Your PC. Chapter 12: Maintenance and Troubleshooting Fundamentals2 Chapter Objectives  In this chapter, you will learn:

Similar presentations

Ads by Google