Intrusion Detection
Dr. Eric Breimer, Computer Science Department, Siena College
What is Intrusion Detection?
- Monitoring a computer network to detect a variety of security attacks, including:
  - Hacker attacks
  - Insider attacks
  - Masquerade attacks
- This talk focuses on the masquerade attack.
11/16/2018 Intrusion Detection

Types of Attacks: Hacker Attack
- Unauthorized user
- Bogus account and privileges
- Recognizable: a system administrator may notice the intrusion before a malicious action is committed

Types of Attacks: Insider Attack
- Authorized user
- Legitimate account and privileges
- Malicious activities
- No repudiation: once discovered, it is hard for the insider to cover his tracks.

Types of Attacks: Masquerade Attack
- Hacker assumes the identity of an authorized user
- Malicious activities are attributed to an innocent user
- Repudiation: easier for the hacker to cover his trail.

Malicious Activities
- Data disclosure: accessing proprietary information, leading to fraud
- Data insertion, removal and modification: modifying proprietary information
- Denial of Service (DoS)
- Sabotage

Masquerade Attack Methods
- Remote attack
  - Packet sniffer
  - Spyware
  - Used simply to gain the user's password
- On-site attack
  - Computer left logged in
  - Insider with physical access

Masquerade Attack Challenges
- Password disclosure may be impossible to detect (physical disclosure, simple eavesdropping)
- Access as a legitimate user with authorized privileges, such as remote access, or permission to turn off security systems such as firewalls or intrusion detection software

Masquerade Attack Challenges
- Data disclosure can be impossible to detect if the legitimate user has access to the proprietary information
- Scapegoat: the legitimate user takes the heat, which minimizes the risk in an insider attack

Masquerade Detection
- How can you detect a masquerader on your computer system?
- To answer this question, we need to ask a more basic question: how can you distinguish two users based on their computer usage?

Command Recording
- Command-line operating systems like UNIX can easily record and archive every command typed at a prompt.
- Example:
  >pine
  >ls
  >cd..
  >g++ main.cpp

Event Recording
- GUI-based operating systems like Windows or MacOS respond to every input event: mouse move, key press, button click.
- Every event can be recorded.

Event Recording
- Primitive input events can be merged into high-level events:
  <program opened> <program name>
  <file saved> <file name> <time stamp>
  <editfind selected> <search string>
  <query executed> <query name>
- Recorded in real time. Archived in log files.

Computer Usage
- Individuals use computers in different ways. Examples:
  - Every morning the first program I open is Outlook (95% of the time). Two of my co-workers rarely use Outlook (10%); they prefer web-based Outlook.
  - I use CTRL-C to copy text (99%). A co-worker frequently (50%) uses the EditCopy menu option to copy text.

Computer Usage
- More examples:
  - For three years, Cynthia, the receptionist, has never opened a command prompt in Windows.
  - She has never typed the command nslookup.
  - On Thursday, she typed nslookup 30 times.

Computer Usage
- Subtle signs can identify a user.
- Users have habits: I always keep Outlook open in the background.
- Users exhibit patterns: I always type g++ main.cpp -o test.exe; I never type g++ -o test.ext main.cpp.
- Users frequently repeat tasks, on a daily or weekly basis.
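The habit-based reasoning of the last three slides (commands the user has never typed, argument orderings the user never uses) can be turned into a simple per-user command profile. The following is an added example written for this page, not the speaker's code: the recorded log, the two windows of recent activity, the `host.example` argument and the 0.25 novelty cut-off are all constructed to mirror the slides' pine/ls/g++ and nslookup examples.

```python
"""Command-profile signature and novelty check for a command-line recording.

Added example for this talk's 'computer usage' slides; it is not the
speaker's code. Everything below is constructed: the logs imitate the
slides' examples (pine, ls, g++ ..., and Cynthia's 30 nslookup calls).
"""
from collections import Counter

# Constructed signature recording: commands typed at a prompt, one per line,
# with the '>' prompt the slides show (200 commands in total).
SIGNATURE_LOG = "\n".join(
    [">pine", ">ls", ">cd ..", ">g++ main.cpp -o test.exe"] * 50
)

# Constructed windows of recent activity to check against that signature.
NORMAL_WINDOW_LOG = "\n".join(
    [">pine", ">ls", ">g++ main.cpp -o test.exe", ">g++ -o test.exe main.cpp"]
)
THURSDAY_WINDOW_LOG = "\n".join([">nslookup host.example"] * 30 + [">ls"] * 10)


def parse_commands(log_text):
    """Turn a command-line recording into a list of token tuples."""
    commands = []
    for line in log_text.splitlines():
        line = line.strip().lstrip(">").strip()
        if line:
            commands.append(tuple(line.split()))
    return commands


def build_profile(commands):
    """Signature: how often each base command and each exact command line
    (arguments in the order the user habitually types them) was seen."""
    return {
        "base": Counter(cmd[0] for cmd in commands),
        "line": Counter(commands),
        "total": len(commands),
    }


def check_window(profile, window, max_novel_fraction=0.25):
    """Compare a recent window of commands against the signature.

    Flags the window when too large a share of it consists of base commands
    the user has never typed (the nslookup case). Argument orderings the
    user has never used are reported but, being weaker evidence, are not
    flagged on their own. The 0.25 cut-off is an assumed, constructed value."""
    novel_base = Counter(cmd[0] for cmd in window if cmd[0] not in profile["base"])
    novel_line = Counter(cmd for cmd in window
                         if cmd not in profile["line"] and cmd[0] in profile["base"])
    novel_fraction = sum(novel_base.values()) / max(len(window), 1)
    return {
        "novel_base": novel_base,
        "novel_line": novel_line,
        "novel_fraction": novel_fraction,
        "suspicious": novel_fraction > max_novel_fraction,
    }


def run_demo():
    """Build the signature from the constructed log and score both windows."""
    profile = build_profile(parse_commands(SIGNATURE_LOG))
    return {
        "normal": check_window(profile, parse_commands(NORMAL_WINDOW_LOG)),
        "thursday": check_window(profile, parse_commands(THURSDAY_WINDOW_LOG)),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "suspicious" if result["suspicious"] else "normal",
              dict(result["novel_base"]), result["novel_fraction"])
```

The Thursday window is flagged because 30 of its 40 commands use a base command absent from three years of recording, while the normal window only reports an unfamiliar g++ argument order. This is exactly the rule-style approach the next slides call brittle: the profile is tied to one shell and one command vocabulary, and it has to be rebuilt whenever the user's tools change.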

Identifying Users: Build a Signature for Each User
- Record a user's behavior (commands or events) over a period of time.
- A signature somehow captures a user's normal behavior.
- In real time, compare a user's current behavior with the signature.
- If the current behavior does not match the signature, assume it is a masquerade attack.

Building Signatures: Assumptions
- You are recording a legitimate user (physical verification or a closed environment).
- The duration of recording is long enough to capture the user's unique traits and to summarize a variety of common tasks.

Real-time Detection: Assumptions
- Use a "window" of time, i.e., events from the last 10 minutes.
- The "event window" can be efficiently compared to the signature, with negligible effect on the system.
- Testing or sampling can be done at random or at periodic intervals.

Challenges: Building Signatures is Difficult
- Data mining can be used to identify patterns or traits.
- Rules can be developed to identify masqueraders.
- Inherent problem: the rules depend on the system and the software, which constantly change, so the rules may stop working over time.

Challenges: Is There a More Generic Way to Compare User Behavior?
- Signature sequence: think of the signature as just a sequence of events for a valid user, recorded over a long time and confirmed to be the true valid user.
- Current sequence: think of the current sequence as any moment of real-time computer usage.

Sequence Comparison
- Compare the signature sequence with the current sequence.
- If they are sufficiently similar, the sequences come from the same user: no masquerade.
- If they are different, the sequences come from different users: masquerade.

The Real Problems
- How do you measure the similarity?
- What does it mean to be sufficiently similar?
- How do you develop a cut-off or threshold for defining "sufficiently similar"?

Sequence Comparison
- A much harder sequence comparison problem has already been solved.
- Compare DNA sequence A with DNA sequence B.
- If they are sufficiently similar, sequences A and B come from the same ancestor.
- If they are different, sequences A and B are unrelated.

DNA Sequence Comparison
- [Figure: an evolutionary tree over time, from extinct ancestor species down to Lion, Tiger and Dog]
- Since a lion and a tiger evolved from the same ancestor, their DNA will be similar. But "similar" is a relative term.
- The DNA of a lion and a tiger will be more similar compared to lion vs. dog or tiger vs. dog.
- This type of DNA sequence comparison is used to generate evolutionary trees.

DNA Sequence Comparison
- [Figure: GENE A and GENE B marked in an ancestor sequence and in the descendant tiger and lion sequences]
  Ancestor: CGTAGACAGATCATGGCTGATCCT
  Tiger:    ATAGACAGAGATTGGCTGATCT
  Lion:     CGTAGACAGACAGTTGGCTGTAT

DNA Sequence Comparison
- To compare DNA sequences, you search for exactly matching segments, but there can be regions that don't match at all.
  Tiger: ATAGACAGAGATTGGCTGATCT
  Lion:  CGTAGACAGACAGTTGGCTGTAT

DNA Sequence Comparison: Comparison Score
- The score increases for every matching symbol.
- The score decreases for gaps and symbols that don't match.
- The comparison score is just a relative measure of similarity.

Event Sequence Comparison
- Apply the same algorithm used to compare DNA sequences.
- Only difference: DNA is a sequence of nucleotides (A, G, C, T); we have a sequence of events, and each event can be given a label (A, B, C, D, ...).

Event Sequence Comparison
- [Figure: the signature sequence for USER A, with unique traits, patterns and processes marked (like GENES), alongside USER A's real-time event sequence from 9AM to 9PM; one region is marked "possible intrusion"]
- Current activity is sufficiently different from anything in the signature.

Masquerade Detection: Safe Comparison Scores
- Record all users for a duration of time.
- For a given user, compare his/her event sequences: take a random chunk of the sequence and compare it to another random chunk.
- Compute the average comparison score.
- Do this for all users.
- This gives you comparison scores that are "sufficiently similar".

Masquerade Detection: Masquerader Scores
- For a given user (USER A), compare his/her event sequences with another user (USER B): take a random chunk from USER A and compare it to a random chunk from USER B.
- Compute the average comparison score.
- Do this for many random trials.
- This gives you comparison scores that indicate possible masquerading.

Comparison Scores
- Low comparison score: User X compared to User Y
- High comparison score: User X compared to User X
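The comparison-score slides (score up for matches, down for gaps and mismatches), the event-labelling slide, and the two calibration slides above together describe one procedure. The following added example, written for this page and not the speaker's or the RPI group's code, implements it end to end with a Smith-Waterman local alignment over one-letter event labels. Everything not on the slides is assumed or constructed: the +2/-1/-1 scoring constants, two synthetic users whose habits are short repeated label patterns sharing a single event M, a 20-event chunk length, 200 random trials, and the choice of the midpoint between the average "safe" score and the average "masquerader" score as the threshold.

```python
"""Masquerade scoring by local alignment of labelled event sequences.

Added example illustrating the comparison-score and calibration slides; it is
not the speaker's or the RPI group's code. Assumed or constructed: each event
has already been mapped to a one-letter label; the scoring constants; the two
synthetic users; chunk length, trial count and the midpoint threshold.
"""
import random

MATCH, MISMATCH, GAP = 2, -1, -1  # assumed scoring scheme

# Constructed habits: user A repeats task ABCD (often) and EFGH; user B repeats
# WXYZ and PQRS. Both occasionally produce the single shared event M.
HABITS_A = ["ABCD", "ABCD", "EFGH", "M"]
HABITS_B = ["WXYZ", "WXYZ", "PQRS", "M"]


def local_alignment_score(seq_a, seq_b):
    """Smith-Waterman local alignment: score of the best-matching region,
    rewarding matches and penalising mismatches and gaps; never below 0."""
    prev = [0] * (len(seq_b) + 1)
    best = 0
    for a in seq_a:
        cur = [0] * (len(seq_b) + 1)
        for j, b in enumerate(seq_b, 1):
            diag = prev[j - 1] + (MATCH if a == b else MISMATCH)
            cur[j] = max(0, diag, prev[j] + GAP, cur[j - 1] + GAP)
            best = max(best, cur[j])
        prev = cur
    return best


def synth_recording(habits, n_events, rng):
    """Constructed stand-in for a recorded, labelled event log."""
    out = ""
    while len(out) < n_events:
        out += rng.choice(habits)
    return out[:n_events]


def random_chunk(seq, length, rng):
    start = rng.randrange(len(seq) - length + 1)
    return seq[start:start + length]


def calibrate(signature, other_recording, chunk_len, trials, rng):
    """Safe scores: a random chunk of the user vs another random chunk of the
    same user (drawn from disjoint halves of the signature). Masquerader
    scores: the user's chunk vs a random chunk of another user. The threshold
    is the midpoint of the two averages (an assumed choice, not the talk's)."""
    half = len(signature) // 2
    self_scores, cross_scores = [], []
    for _ in range(trials):
        own = random_chunk(signature[:half], chunk_len, rng)
        same_user = random_chunk(signature[half:], chunk_len, rng)
        other_user = random_chunk(other_recording, chunk_len, rng)
        self_scores.append(local_alignment_score(own, same_user))
        cross_scores.append(local_alignment_score(own, other_user))
    mean_self = sum(self_scores) / trials
    mean_cross = sum(cross_scores) / trials
    threshold = (mean_self + mean_cross) / 2
    return {
        "mean_self": mean_self,
        "mean_cross": mean_cross,
        "threshold": threshold,
        "false_alarm_rate": sum(s < threshold for s in self_scores) / trials,
        "detection_rate": sum(s < threshold for s in cross_scores) / trials,
    }


def is_masquerade(signature, window, threshold):
    """Real-time check: the current event window against the full signature."""
    return local_alignment_score(signature, window) < threshold


def run_demo(seed=7):
    """Calibrate on the constructed users, then check one window of each."""
    rng = random.Random(seed)
    rec_a = synth_recording(HABITS_A, 400, rng)
    rec_b = synth_recording(HABITS_B, 400, rng)
    signature_a = rec_a[:300]  # earlier, verified activity of user A
    result = calibrate(signature_a, rec_b, chunk_len=20, trials=200, rng=rng)
    result["flag_own_window"] = is_masquerade(signature_a, rec_a[300:320], result["threshold"])
    result["flag_other_window"] = is_masquerade(signature_a, rec_b[:20], result["threshold"])
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because the score is local, a window that mostly consists of unfamiliar events still earns credit for any habitual task pattern it contains, and the threshold is derived from the users' own score distributions rather than fixed by hand, which is the "relative nature" of similarity the summary slide refers to. A practitioner would also want to watch the false-alarm side of the calibration: the midpoint threshold here is only as good as the spread of the safe scores, so the `false_alarm_rate` it reports is the number to tune against before deploying.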

Advantages
- This system tunes itself based on the user's behavior.
- But the system is generic: it doesn't matter what software you use, what OS you use, or whether the events are low level or high level.
- You just need some way of recording events, and you need the comparison algorithm.

How Well Does It Work?
- A system based on a DNA-like comparison algorithm was developed by Bolek Szymanski, Scott Coull and Joel Branch from RPI's Pervasive Computing Center, which detected 60% of all masquerade attempts with 2% false alarms.

What Else Can It Do?
- The system can be modified to identify inefficient computer usage for specific software packages.
- Modification: record only events from a specific software program, and inter-compare users who are known to be expert users.
- Thus, you can develop a comparison score for automatically identifying expert users vs. "potential" novice users.

Implications
- If users do NOT exhibit the "right" kind of computer usage, managers could recommend training, and system administrators could initiate more detailed monitoring.

Summary
- Detecting masquerade attacks is one of the most difficult computer security problems.
- Event or command sequences can be used to discriminate users, and to discriminate types of computer usage.
- The problem of comparing event sequences is surprisingly similar to the problem of comparing DNA sequences.
- DNA comparison algorithms are very sensitive and can address the "relative nature" of what it means for sequences to be similar.