Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Real-time Intrusion Detection System for UNIX

Published byDylan Young Modified over 5 years ago

Similar presentations

Presentation on theme: "A Real-time Intrusion Detection System for UNIX"— Presentation transcript:

1 A Real-time Intrusion Detection System for UNIX
USTAT A Real-time Intrusion Detection System for UNIX By: Koral Ilgun Nov-18

2 Overview: Introduction to USTAT -- Key issues System components
State Transition Analysis Tool for Unix Key issues System components Implementation issues Evaluation of USTAT Nov-18

3 Introduction to USTAT Misuse detector
A penetration is (viewed as) a sequence of signature actions and a corresponding sequence of state changes that lead the computer from some initial state to a target compromised state Basic Properties of USTAT Real-time expert system intrusion detection tool Rule-based analysis Only for known penetrations Targets abusive insiders Nov-18

4 Comparison between USTAT and other intrusion detection systems
Statistical anomaly detection threshold detection profile-based Rule-based misuse detection it is an expert system Most current intrusion detection tools employ both the anomaly detection and (rule-based) misuse detection components Nov-18

5 State Transition Analysis
View a penetration as a (known) sequence of actions S1, S2, …,Sn that lead from an initial (limited authorized) access state, S1 to a final compromised state, Sn Nov-18

6 State Transition Analysis (cont)
State really represents some attribute of the system – not the whole system state State is generic, e.g. “user is now root” Penetration sequence represented by finite state machine node is a state arc is an action (or transition) Nov-18

7 Examples: % ln target -x % -x
User creates link User executes file euid(user) = root euid(user) = not root File ‘target’ is root’s setuid shell script that contains the #!/bin/sh mechanism Nov-18

8 Examples (cont): 1. Attacker creates hard link starting with dash to root’s setuid shell script that contains the #!/bin/sh mechanism 2. Attacker executes “-x” Insight: Creating hard link ==> new directory entry is created with target’s original privileges and ownership information Target can be accessed via any link to it Executing shell script containing #!/bin/sh invokes a sub-shell Sub-shell becomes interactive (because of the “-”) Attacker is thus executing a setuid file owned by root, so shell has effective ID of root Nov-18

9 Examples (cont): Two actions/transitions: Three states: make hardlink
execute “-x” Three states: Initial state: euid = user (not root) Intermediate state: hardlink established Final compromise state: not euid = user I.e. a user (non-root) running an interactive shell with an effective user id of root Nov-18

10 Features of USTAT Preempts attacks: USTAT monitors state transitions
Note that they can span multiple sessions It foresees impending compromise -- at least one transition away Recognizes cooperative attacks Note that USTAT is not tied to users or processes It reflects state of the system So, it can detect state resulting from actions by multiple users Nov-18

11 USTAT input Audit records of the form, <subject, action, object>
Subject is <real userID, effective userID, groupID> Action is <action, time, processID> Object is <object name, permissions, owner, group owner, inode #, device #, file systemID, target> All information can be obtained directly from Unix audit records Nov-18

12 USTAT input (cont) Unix audits 239 event types
Only 28 are useful to USTAT They are mapped down to 10 USTAT action types Filters out all failed command events early, i.e. all the events with a return value of -1 Nov-18

13 USTAT simplifications (cont)
All (audited) actions mapped to a small set: read write create execute exit delete modify-owner rename modify-permission hardlink Files are categorized: E.g. all files that should not be accessed via regular utilities (because they hold sensitive data) are mapped to “Fileset1” 5 “filesets” Nov-18

14 USTAT monitoring Monitors for all known penetrations simultaneously
Finite state machine for each known penetration Maintains state tables Row represents instance of not yet completed penetration Column represents states in penetration scenario Cell holds detailed info, e.g. userID, actual file names, etc Nov-18

15 USTAT INITIAL state table
One row for each known penetration, I.e. each possible penetration is in its initial state Initial action/transition for each is anticipated Inference Engine accepts audit input For each row, it asks: does this audit event match the “next transition” anticipated for this row such that the next state is satisfied If so, duplicate the row and mark “details” for the now satisfied state Nov-18

16 Decision Engine Informs sys admin about results of the inference engine Is compromise about to occur? Has compromise occurred? Play an active role in preempting the attack! However, note that USTAT input comes from the OS (Unix) audit log Nov-18

17 Strength and weakness of USTAT
Flexibility Real-time -- preempts attack before system is damaged Detects cooperative attacks Weakness - Cannot cope with the following attacks: Manipulation of components outside the system’s execution domain, e.g., wiretapping Denial of service attacks Failures Nov-18

18 Evaluation of USTAT Massive amount of data that was collected by the audit daemon limited extensive testing Limiting factor is the transfer rate of the disk that is extensively used by USTAT and the audit daemon USTAT functionality costs 13% of machine Papers do not indicate number of penetrations that can be described as state transition diagram Nov-18

19 NSTAT – USTAT for Distributed Systems
Similar “state-based” approach Input: audit data from multiple hosts Objective: detect coordinate attack Central server processes input Time – how to deal with skewed clocks? Vulnerability of NSTAT server Nov-18

20 Compare! Tripwire -- Integrity of file data
GrIDs -- graph nodes (or accumulated groups of nodes) with arcs depicting message traffic USTAT -- monitor for known penetrations, tracking state changes that progress toward compromise Nov-18

Download ppt "A Real-time Intrusion Detection System for UNIX"

Similar presentations

Module 12: Auditing SQL Server Environments

Module 12: Auditing SQL Server Environments
Access Control Methodologies

Access Control Methodologies
Copyright W. Howden1 Lecture 7: Functional and OO Design Descriptions.

Copyright W. Howden1 Lecture 7: Functional and OO Design Descriptions.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
seminar on Intrusion detection system

seminar on Intrusion detection system
Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems David Goldschmidt, Ph.D.

Rensselaer Polytechnic Institute CSCI-4210 – Operating Systems David Goldschmidt, Ph.D.
Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.

Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.
GrIDS -- A Graph Based Intrusion Detection System For Large Networks Paper by S. Staniford-Chen et. al.

GrIDS -- A Graph Based Intrusion Detection System For Large Networks Paper by S. Staniford-Chen et. al.
Improving Intrusion Detection System Taminee Shinasharkey CS689 11/2/00.

Improving Intrusion Detection System Taminee Shinasharkey CS689 11/2/00.
Oracle10g RAC Service Architecture Overview of Real Application Cluster Ready Services, Nodeapps, and User Defined Services.

Oracle10g RAC Service Architecture Overview of Real Application Cluster Ready Services, Nodeapps, and User Defined Services.
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.

CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
The protection of the DB against intentional or unintentional threats using computer-based or non- computer-based controls. Database Security – Part 2.

The protection of the DB against intentional or unintentional threats using computer-based or non- computer-based controls. Database Security – Part 2.
Silberschatz, Galvin and Gagne  2002 3.1 Operating System Concepts Chapter 3: Operating-System Structures System Components Operating System Services.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 3: Operating-System Structures System Components Operating System Services.
Next-generation databases Active databases: when a particular event occurs and given conditions are satisfied then some actions are executed. An active.

Next-generation databases Active databases: when a particular event occurs and given conditions are satisfied then some actions are executed. An active.
HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.

HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.

CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
Systems II San Pham CS 490 10/20/03. Topics Operating Systems Resource Management – Process Management – CPU Scheduling – Deadlock Protection/Security.

Systems II San Pham CS /20/03. Topics Operating Systems Resource Management – Process Management – CPU Scheduling – Deadlock Protection/Security.

Similar presentations

Ads by Google