Application Intrusion Detection


1 Application Intrusion Detection
Robert S. Sielken
In Fulfillment Of Master of Computer Science Degree
School of Engineering and Applied Science, University of Virginia
May 4, 1999 Application Intrusion Detection

2 Application Intrusion Detection
Outline
  Introduction
  State of Practice - OS IDS
  Case Studies
  Application Intrusion Detection
  Construction of an Application Intrusion Detection System (AppIDS)
  Conclusion

3 Application Intrusion Detection
Introduction
  Intrusion Detection: determining whether or not some entity, the intruder, has attempted to gain, or worse, has gained unauthorized access to the system
  Intruders: Internal, External
  Objectives: Confidentiality, Integrity, Availability, Accountability
  Current State: done at the OS level, but with diminishing returns
  What are the opportunities and limits of utilizing application semantics?

4 State of Practice - OS IDS
Audit records: operating system generated collections of the events that have happened in the system over a period of time
Events: results of actions taken by users, processes, or devices that may be related to a potential intrusion
Threat Categories: Denial of Service, Disclosure, Manipulation, Masqueraders, Replay, Repudiation, Physical Impossibilities, Device Malfunctions

5 Application Intrusion Detection
OS IDS - Approaches
  Anomaly Detection
    Static: Tripwire, Self-Nonself
    Dynamic: NIDES, Pattern Matching (UNM)
  Misuse Detection: NIDES, MIDAS, STAT
  Extensions - Networks
    Centralized: DIDS, NADIR, NSTAT
    Decentralized: GrIDS, EMERALD

6 OS IDS - Generic Characteristics
Relation - expression of how two or more values are associated; either Statistical or Rule-Based
Observable Entities - any object (user, system device, etc.) that has or produces a value in the monitored system that can be used in defining a relation
Thresholds - determine how the result of the relation will be interpreted

7 OS IDS - Generic Characteristics
Effectiveness
  fine-tuning of thresholds
  frequency of relation evaluation
  number of correlated values
  hierarchy

8 Application Intrusion Detection
AppIDS Guiding Questions
  Opportunity – what types of intrusions can be detected by an AppIDS?
  Effectiveness – how well can those intrusions be detected by an AppIDS?
  Cooperation – how can an AppIDS cooperate with the OS IDS to be more effective than either alone?

9 Application Intrusion Detection
Case Studies
  Electronic Toll Collection
    numerous devices
    distributed
    complementary device values
    hierarchical
    gathers data about monitored external behavior
    accounting component
  Health Record Management
    non-hierarchical
    no devices beyond controlling computer
    no financial component
    limited access
    contains physical realities
    data collection and scheduling components

10 Electronic Toll Collection (ETC)
Devices
  Toll Lane: Tag Sensor, Automated Coin Basket, Toll Booth Attendant, Loop Sensor, Axle Reader, Weigh-In-Motion Scale, Traffic Signal, Video Camera
  Vehicle Tag (Active/Passive)

11 Application Intrusion Detection
ETC - Hierarchy

12 ETC - Application Specific Intrusions
Table columns: Threat Categories, Specific Intrusions, Methods, Relations
  Annoyance (3 methods)
  Steal Electronic Money (10 methods)
  Steal Vehicle (4 methods)
  Device Failure (1 method)
  Surveillance (2 methods)

13 Application Intrusion Detection
ETC - Steal Service

14 Application Intrusion Detection
Similarities
  detect intrusions by evaluating relations to differentiate between anomalous and normal behavior
  centralized or decentralized (hierarchical)
  same threat categories
Differences
  anomaly detection using statistical and rule-based relations
  internal intruders
  event causing entity
  resolution
  tightness of thresholds
  event records
  periodic code triggers

15 Application Intrusion Detection
AppIDS (cont’d)
  Dependencies
    OS IDS on AppIDS: None
    AppIDS on OS IDS: basic security services; prevention of bypassing the application to access application components
  Cooperation
    audit/event record correlation
    communication: bi-directional, request-response, bundles
    complications: terms of communication; resource usage - lowest common denominator

16 Construction of an AppIDS
GENERIC COMPONENTS
  Event Record Manager
  Relation Evaluator
  Anomaly Alarm Handler
TOOLS
  Relation Specifier: Relations
  Event Record Specifier: Event Record Structure, Timings
  Relation – Code Connector: Observable Entity Locations in the Application
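The generic components on this slide (event record manager, relation evaluator, anomaly alarm handler) and the statistical and rule-based relations with thresholds from the OS IDS characteristics slide, shown together as an added Python example that is not from the thesis or the deck. The ETC event records, device field names, lane baseline and thresholds are constructed for illustration.

```python
# Constructed event records for one ETC toll lane (field names are hypothetical).
# Each record is one vehicle passage as reported by the lane's complementary
# devices: loop sensor (vehicle present), payment source (tag sensor, coin
# basket, attendant or None), axle reader count and weigh-in-motion scale (kg).
EVENTS = [
    {"id": 1, "loop": True,  "payment": "tag",       "axles": 2, "kg": 1500},
    {"id": 2, "loop": True,  "payment": "coin",      "axles": 2, "kg": 1600},
    {"id": 3, "loop": True,  "payment": None,        "axles": 2, "kg": 1450},
    {"id": 4, "loop": False, "payment": "tag",       "axles": 0, "kg": 0},
    {"id": 5, "loop": True,  "payment": "attendant", "axles": 5, "kg": 1550},
    {"id": 6, "loop": True,  "payment": "tag",       "axles": 2, "kg": 1520},
]

# Hypothetical baseline for this lane, learned earlier from normal traffic.
BASELINE = {"kg_per_axle_mean": 750.0, "kg_per_axle_sd": 40.0}

def rule_relations(ev):
    """Rule-based relations: complementary device values in one lane must agree."""
    findings = []
    if ev["loop"] and ev["payment"] is None:
        findings.append("vehicle passed with no payment recorded")
    if ev["payment"] is not None and not ev["loop"]:
        findings.append("payment recorded with no vehicle on loop sensor")
    if ev["loop"] and ev["axles"] < 2:
        findings.append("axle reader disagrees with loop sensor")
    return findings

def statistical_relation(ev, baseline=BASELINE, threshold=3.0):
    """Statistical relation: weight per axle against the lane baseline. threshold is
    in standard deviations; moving it is the threshold fine-tuning the deck lists."""
    if not ev["loop"] or ev["axles"] == 0:
        return None  # relation is only defined when a vehicle was actually measured
    z = abs(ev["kg"] / ev["axles"] - baseline["kg_per_axle_mean"]) / baseline["kg_per_axle_sd"]
    return "weight per axle outside lane baseline" if z > threshold else None

def evaluate(events, threshold=3.0):
    """Relation evaluator plus anomaly alarm handler: alarms keyed by event id."""
    alarms = {}
    for ev in events:
        reasons = rule_relations(ev)
        stat = statistical_relation(ev, threshold=threshold)
        if stat:
            reasons.append(stat)
        if reasons:
            alarms[ev["id"]] = reasons
    return alarms

if __name__ == "__main__":
    for eid, reasons in sorted(evaluate(EVENTS).items()):
        print(f"event {eid}: {', '.join(reasons)}")
```

With the default threshold only events 3, 4 and 5 raise alarms; lowering it to 1.0 also flags event 2, which is the trade-off between threshold tightness and false alarms that the deck raises under effectiveness.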

17 Application Intrusion Detection
Conclusion
  Opportunity: internal intruders (abusers); anomaly detection with statistical and rule-based relations; same threat categories
  Effectiveness: resolution; tightness of thresholds
  Cooperation: detection
  Construction: tools; generic components

18 Health Record Management (HRM)
Components
  Patient Records
  Orders – lists of all requests for drugs, tests, or procedures
  Schedule – schedule for rooms for patient occupancy, laboratory tests, or surgical procedures (does not include personnel)
Users: doctors, laboratory technicians, and nurses

19 HRM - Application Specific Intrusions
Table columns: Threat Categories, Specific Intrusions, Methods, Relations
  Annoyance (4 methods)
  Steal Drugs (1 method)
  Patient Harm (6 methods)
  Surveillance (2 methods)

20 Application Intrusion Detection
HRM - Patient Harm

21 Application Intrusion Detection
ETC - Steal Service

22 Steal Service (cont’d)

23 Application Intrusion Detection
HRM - Patient Harm

