Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 8 Deworming.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 8 Deworming."— Presentation transcript:

1 Chapter 8 Deworming

2 Deworming Deworming? Here, we discuss… Defenses
Capture and containment Automatic counter-measures

3 Example Network

4 Example Network Perimeter computer User --- self-explanatory
Dedicated router or other computer Shuffles packets back and forth May also perform defensive tasks User --- self-explanatory Internal network Some critical machines to protect Honeypot is optional (discussed later)

5 Defenses We consider defenses from perspective of… Users
Hosts (i.e., users’ computers) Perimeter

6 Defenses: User User education User might detect suspicious activity
worms User might detect suspicious activity E.g., slowdown in network response So, users might act as a type of IDS

7 Defenses: Host Most effective host-based defenses are the most mundane
Apply patches Limit available services Defend against likely attack vectors Anti-virus software

8 Patching Most worms exploit known problems
Patching follows curve something like this  Curve never reaches 0

9 Patching Many machines remain vulnerable long after patch is available
Some machines never patched Strangely, patching rate does not increase much when highly publicized attack occurs

10 Patching Why so slow? Modern OSs use automatic updates
Nobody available to install patch Don’t know about patch Some don’t want to install patch early (Why?) Modern OSs use automatic updates Is this a good idea?

11 Limit Available Services
Why limit services? Worms often exploit technical weaknesses in servers Technical weaknesses likely to be uniformly distributed in server code Other reasons? Which services to shut down?

12 Specific Countermeasures
Canaries, ASLR, and other buffer overflow prevention/detection Anomaly detection These are of little/no use against new vulnerabilities or attacks Might not catch worms that use social engineering to spread

13 Anti-Virus Software AV does look for worms
But 3 problems limit effectiveness Rapidly spreading worms may not be detected using signatures Integrity check and emulation might not work Worm could be injected into “clean” code Worm might reside in memory only

14 Memory Scanning Search for malware in memory
Once upon a time this was easy, now complicated due to… Memory protection, which keeps process memory separate Virtual memory, which is “extra” memory on disk, not readily available for scanning Aside: Hash check code in memory…

15 Memory Scanning How to scan? Use API available for debugging?
Challenging due to memory protection and virtual memory Use API available for debugging? Avoids memory protection, but slow if scan virtual memory Ideally, only scan memory that changes But not all processes can be debugged… …unless AV runs as part of kernel

16 Memory Scanning What to do when malware found?
Terminate infected process? Terminate infected thread(s)? Patch process as it runs? Scanning cannot be continuous Opens a window of vulnerability Philosophically speaking, is memory scanning a good idea?

17 Perimeter Perimeter is 1st line of defense
Perimeter computer might include… Firewall and/or IDS Discuss firewalls and IDS next

18 Firewalls

19 Firewalls Internet Internal network Firewall Firewall decides what to let in to internal network and/or what to let out Access control for the network

20 Firewall as Secretary A firewall is like a secretary
To meet with an executive First contact the secretary Secretary decides if meeting is important So, secretary filters out many requests You want to meet chair of CS department? Secretary does some filtering You want to meet the POTUS? Secretary does lots of filtering

21 Firewall Terminology No standard firewall terminology
Types of firewalls Packet filter  works at network layer Stateful packet filter  transport layer Application proxy  application layer Other terms often used E.g., “deep packet inspection”

22 Packet Filter Operates at network layer Can filters based on…
Source IP address Destination IP address Source Port Destination Port Flag bits (SYN, ACK, etc.) Egress or ingress application transport network link physical

23 Packet Filter Advantages? Disadvantages? Speed No concept of state
Cannot see TCP connections Blind to application data application transport network link physical

24 Packet Filter Configured via Access Control Lists (ACLs) Q: Intention?
Different meaning than at start of Chapter 8 Source IP Dest IP Source Port Dest Port Flag Bits Action Protocol Allow Inside Outside Any 80 HTTP > 1023 Deny All Any ACK All Q: Intention? A: Restrict traffic to Web browsing

25 TCP ACK Scan Attacker scans for open ports thru firewall
Port scanning is first step in many attacks Attacker sends packet with ACK bit set, without prior 3-way handshake Violates TCP/IP protocol ACK packet pass thru packet filter firewall Appears to be part of an ongoing connection RST sent by recipient of such packet

26 TCP ACK Scan Attacker knows port 1209 open thru firewall
Packet Filter Trudy Internal Network ACK dest port 1207 ACK dest port 1208 ACK dest port 1209 RST Attacker knows port 1209 open thru firewall A stateful packet filter can prevent this Since scans not part of established connections

27 Stateful Packet Filter
Adds state to packet filter Operates at transport layer Remembers TCP connections, flag bits, etc. Can even remember UDP packets (e.g., DNS requests) application transport network link physical

28 Stateful Packet Filter
Advantages? Can do everything a packet filter can do plus... Keep track of ongoing connections (e.g., prevents TCP ACK scan) Disadvantages? Cannot see application data Slower than packet filtering application transport network link physical

29 Application Proxy A proxy is something that acts on your behalf
Application proxy looks at incoming application data Verifies that data is safe before letting it in application transport network link physical

30 Application Proxy Advantages? Disadvantages?
Complete view of connections and applications data Filter bad data at application layer (viruses, Word macros) Disadvantages? Speed application transport network link physical

31 Application Proxy Creates a new packet before sending it thru to internal network Attacker must talk to proxy and convince it to forward message Proxy has complete view of connection Prevents some scans stateful packet filter cannot  next slides

32 Firewalk Tool to scan for open ports thru firewall
Attacker knows IP address of firewall and IP address of one system inside firewall Set TTL to 1 more than number of hops to firewall, and set destination port to N If firewall allows data on port N thru firewall, get time exceeded error message Otherwise, no response

33 Firewalk and Proxy Firewall
Dest port 12345, TTL=4 Dest port 12344, TTL=4 Dest port 12343, TTL=4 Time exceeded Trudy Packet filter Router This will not work thru an application proxy (why?) The proxy creates a new packet, destroys old TTL

34 Deep Packet Inspection
Many buzzwords used for firewalls One example: deep packet inspection What could this mean? Look into packets, but don’t really “process” the packets Like an application proxy, but faster

35 Firewalls and Defense in Depth
Typical network security architecture Internet Intranet with additional defense Packet Filter Application Proxy DMZ FTP server DNS server Web server

36 Intrusion Detection Systems

37 Intrusion Prevention Want to keep bad guys out
Intrusion prevention is a traditional focus of computer security Authentication is to prevent intrusions Firewalls a form of intrusion prevention Virus defenses aimed at intrusion prevention Like locking the door on your car

38 Intrusion Detection In spite of intrusion prevention, bad guys will sometime be successful Intrusion detection systems (IDS) Detect attacks in progress (or soon after) Look for unusual or suspicious activity IDS evolved from log file analysis IDS is currently a hot research topic How to respond when intrusion detected? We don’t deal with this topic here…

39 Intrusion Detection Systems
Who is likely intruder? May be outsider who got thru firewall May be evil insider What do intruders do? Launch well-known attacks Launch variations on well-known attacks Launch new/little-known attacks “Borrow” system resources Use compromised system to attack others. etc.

40 IDS Intrusion detection approaches Intrusion detection architectures
Signature-based IDS Anomaly-based IDS Intrusion detection architectures Host-based IDS Network-based IDS Any IDS can be classified as above In spite of marketing claims to the contrary!

41 Host-Based IDS Monitor activities on hosts for
Known attacks Suspicious behavior Designed to detect attacks such as Buffer overflow Escalation of privilege, … Little or no view of network activities

42 Network-Based IDS Monitor activity on the network for…
Known attacks Suspicious network activity Designed to detect attacks such as Denial of service (DoS) Network probes (e.g., port scanning) Malformed packets, etc. Some overlap with firewall Little or no view of host-base attacks Can have both host and network IDS

43 Signature Detection Example
Failed login attempts may indicate password cracking attack IDS could use the rule “N failed login attempts in M seconds” as a signature So, if N or more failed login attempts in M seconds, IDS warns of attack Note that such a warning is specific Admin knows what attack is suspected Easy to verify attack (or false alarm)

44 Signature Detection Suppose IDS warns whenever N or more failed logins in M seconds Set N and M so false alarms not common Can do this based on “normal” behavior But, if Trudy knows signature threshold, she can try N − 1 logins every M seconds… Then signature detection could slow down Trudy, but might not stop her

45 Signature Detection Many techniques used to make signature detection more robust Goal is to detect “almost” signatures For example, if “about” N login attempts in “about” M seconds Warn of possible password cracking attempt What are reasonable values for “about”? Can use statistical analysis, heuristics, etc. Must not increase false alarm rate too much

46 Signature Detection Advantages of signature detection
Simple Detect known attacks Know which attack at time of detection Efficient (if reasonable number of signatures) Disadvantages of signature detection Signature files must be kept up to date Number of signatures may become large Can only detect known attacks Variation on known attack may not be detected

47 Anomaly Detection Anomaly detection systems look for unusual or abnormal behavior There are (at least) two challenges What is normal for this system? How “far” from normal is abnormal? No avoiding statistics here! mean defines normal variance gives distance from normal to abnormal

48 How to Measure Normal? How to measure normal?
Must measure during “representative” behavior Must not measure during an attack… …or else attack will seem normal! Normal is statistical mean Must also compute variance to have any reasonable idea of abnormal

49 How to Measure Abnormal?
Abnormal is relative to some “normal” Abnormal indicates possible attack Statistical discrimination techniques include Bayesian statistics Linear discriminant analysis (LDA) Quadratic discriminant analysis (QDA) Neural nets, hidden Markov models (HMMs), etc. Fancy modeling techniques also used Artificial intelligence Artificial immune system principles Many, many, many others

50 Anomaly Detection (1) Spse we monitor use of three commands:
open, read, close Under normal use we observe Alice: open, read, close, open, open, read, close, … Of the six possible ordered pairs, we see four pairs are normal for Alice, (open,read), (read,close), (close,open), (open,open) Can we use this to identify unusual activity?

51 Anomaly Detection (1) We monitor use of the three commands
open, read, close If the ratio of abnormal to normal pairs is “too high”, warn of possible attack Could improve this approach by Also use expected frequency of each pair Use more than two consecutive commands Include more commands/behavior in the model More sophisticated statistical discrimination

52 Anomaly Detection (2) Over time, Alice has accessed file Fn at rate Hn
Recently, “Alice” has accessed Fn at rate An H0 H1 H2 H3 .10 .40 A0 A1 A2 A3 .10 .40 .30 .20 Is recent activity normal for Alice? We compute S = (H0A0)2+(H1A1)2+…+(H3A3)2 = .02 We consider S < 0.1 to be normal, so this is normal How to account for use that varies over time?

53 Anomaly Detection (2) To allow “normal” to adapt to new use, we update averages: Hn = 0.2An + 0.8Hn In this example, Hn are updated… H2=.2.3+.8.4=.38 and H3=.2.2+.8.1=.12 And we now have new long-term averages: H0 H1 H2 H3 .10 .40 .38 .12

54 Anomaly Detection (2) The updated long term average is
Suppose new observed rates… H0 H1 H2 H3 .10 .40 .38 .12 A0 A1 A2 A3 .10 .30 Is this normal use? Compute S = (H0A0)2+…+(H3A3)2 = .0488 Since S = < 0.1 we consider this normal And we again update the long term averages: Hn = 0.2An + 0.8Hn

55 Anomaly Detection (2) The starting averages were:
After 2 iterations, averages are: H0 H1 H2 H3 .10 .40 H0 H1 H2 H3 .10 .38 .364 .156 Statistics slowly evolve to match behavior This reduces false alarms… …but also opens an avenue for attack Suppose Trudy always wants to access F3 Can she convince IDS this is normal for Alice?

56 Anomaly Detection (2) To make this approach more robust, must incorporate the variance Can also combine N stats Si as, say, T = (S1 + S2 + S3 + … + SN) / N to obtain a more complete view of “normal” Similar (but more sophisticated) approach is used in an IDS known as NIDES NIDES combines anomaly & signature IDS

57 Anomaly Detection Issues
Systems constantly evolve and so must IDS Static system would place huge burden on SAs But evolving IDS makes it possible for attacker to (slowly) convince IDS that an attack is normal Attacker may win by simply “going slow” What does “abnormal” really mean? Indicates there may be an attack Might not be any specific info about “attack” How to respond to such vague information? In contrast, signature detection is very specific

58 Anomaly Detection Advantages? Disadvantages?
Chance of detecting unknown attacks Disadvantages? Cannot use anomaly detection alone… …must be used with signature detection Reliability is unclear May be subject to attack Anomaly detection indicates “something unusual”, but lacks specific info on possible attack

59 Anomaly Detection: The Bottom Line
Anomaly-based IDS is active research topic Many people have high hopes for its ultimate success Often cited as key future security technology Hackers are not convinced Title of a talk at Defcon: “Why Anomaly-based IDS is an Attacker’s Best Friend” Anomaly detection is difficult and tricky As hard as AI?

60 Capture and Containment
Defense --- keep worms out Capture and contain --- keep worms in That is, prevent further spread Might “sacrifice” some machines Early capture is useful Honeypot Containment measures? Reverse firewalls and throttling

61 Honeypots Designed to look like a good target
Originally aimed at human attackers But now, for viruses, worms, etc. Used by researchers and AV vendors AV vendor sees new attacks Researchers study new attacks, attack patterns, malware development cycle, etc.

62 Honeypots Properties of honeypot? How is honeypot built?
Must be complete enough to look real Impossible for worm to “break out” Easy to restore after attack How is honeypot built? Emulation --- many of same difficulties as in virus detection

63 Honeypots How do you know if it’s a worm in the honeypot?
Perhaps honeypot does not attract any legitimate traffic This won’t attract passive scanning worm For random scanning worm, need lots of honeypots For “smart” worm, honeypot must make itself look attractive --- how?

64 Honeypots What does honeypot do with worm?
Samples for analysis Early warning Measure of worm activity Honeypot might act as a “tarpit” Respond slowly --- slow down rapid worm No response --- could be devastating to “hit list” worm

65 Reverse Firewalls Filter outgoing traffic Host-based reverse firewall
Same principles as inbound firewalls Host-based reverse firewall Can limit activity based on application Worm might still succeed… Use shared network directories Subvert previously-checked code Use social engineering Take advantage of false positives

66 Throttling Limit rate of connections For outbound connections
Throttle all applications

67 Throttling Can be refined Load balancing/fair share?
Allow more connections to those recently connected to Take success into account “Safe” connections delayed by a little Lots of waiting connections is suspicious Load balancing/fair share? Might adversely affect fast worms

68 Automatic Countermeasures
How to respond automatically? I.e., no human intervention required Why would we want to do this? Two questions to consider… How to detect worm activity? What countermeasures to take?

69 How to Detect Worms? Automatic detection, that is
Already considered honeypots, throttling issues, IDS, etc. Others? Lots of traffic on one port with many different destination IPs (Why?) Few DNS queries relative to number of connection attempts (Why?)

70 Worm Detected? Automatic countermeasures?
Isolate affected machines Isolate critical networks Shut down targeted servers Automatically insert filtering rules into firewalls Drop traffic to affected servers Risks of automatic countermeasures?

Download ppt "Chapter 8 Deworming."

Similar presentations

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
1 Firewalls. 2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, 2006. 2.Robert Zalenski, Firewall Technologies,

1 Firewalls. 2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, Robert Zalenski, Firewall Technologies,
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.

Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.

Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google