Presentation on theme: "Chapter 18. Intruders. 2 Intruders  Three classes of intruders  Masquerader  likely to be an outsider  penetrates a system’s access controls to exploit."— Presentation transcript:

Slide 1: Chapter 18. Intruders

Slide 2: Intruders
- Three classes of intruders
  - Masquerader: likely to be an outsider; penetrates a system's access controls to exploit a legitimate user's account
  - Misfeasor: generally an insider; performs unauthorized accesses to data, programs, or resources, or misuses his or her privileges
  - Clandestine user: can be either an insider or an outsider; seizes supervisory control of the system and uses it to evade auditing and access controls or to suppress audit collection

Slide 3: Intruders
- Intruder techniques
  - Aim to gain access to and/or increase privileges on a system
  - Usually the intruder needs a user password or the password file
- Protection of the password file
  - One-way encryption: the system stores an encrypted form of the user's password and compares it with the encrypted output of the presented password
  - Access control: access to the password file is limited to one or a very few accounts

Slide 4: Intruders
- Guessing passwords: techniques for learning passwords
  - Try default passwords used with standard accounts that are shipped with the system.
  - Exhaustively try all short passwords (1 to 3 characters).
  - Try words in the system's on-line dictionary or a list of likely passwords.
  - Collect information about users (names, books, hobbies, etc.).
  - Try users' phone numbers, Social Security numbers, and room numbers.
  - Try all legitimate license plate numbers.
  - Use a Trojan horse.
  - Tap the line between a remote user and the host system (countered by link encryption techniques).

Slide 5: Intrusion Detection
- Intrusion detection is a system's second line of defense
  - The intruder can be identified and ejected from the system.
  - An effective intrusion detection facility can prevent intrusions.
  - The information collected about intrusion techniques can be used to strengthen the intrusion prevention facility.

Slide 6: Intrusion Detection
- Assumes that the behavior of the intruder differs from that of a legitimate user
- There can be false positives and false negatives

Slide 7: Intrusion Detection
- Approaches to intrusion detection
  - Statistical anomaly detection: collect data on the behavior of legitimate users over a period of time
    - Threshold detection: define thresholds for the frequency of occurrence of various events (independent of user)
    - Profile based: use a profile of the activity of each user to detect changes in the behavior of individual accounts
  - Rule-based detection: define a set of rules to decide whether a given behavior is that of an intruder
    - Anomaly detection: rules are developed to detect deviation from previous usage patterns
    - Penetration identification: an expert system searches for suspicious behavior
- Statistical approach: effective against masqueraders, unable to deal with misfeasors
- Rule-based approach: able to recognize events and sequences (the context reveals a penetration)

Slide 8: Intrusion Detection
- Audit records
  - Records of ongoing activity used as input to an intrusion detection system
  - Native audit records: accounting software collects information on user activity (no additional collection software)
  - Detection-specific audit records: a collection facility collects the information required by the intrusion detection system
    - Example fields: subject, action, object, exception-condition, resource-usage, time stamp

Slide 9: Intrusion Detection
- Statistical anomaly detection
  - Threshold detection
    - Count the number of occurrences of a specific event type over an interval of time
    - If the count surpasses the threshold, an intrusion is assumed
    - Variability across users leads to many false positives and false negatives
  - Profile-based system
    - Characterize the past behavior of individual users or related groups of users
    - Determine the activity profile of the average user by analyzing audit records over a period of time
    - Detect significant deviations using the current audit records
    - Measures used: mean and standard deviation, multivariate, Markov process, time series, operational
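The two statistical approaches of slides 7 to 9 run over sample audit records, as an added example that is not part of the slides. The records follow the detection-specific layout of slide 8 (subject, action, object, exception-condition, resource-usage, time stamp) but are constructed; the 60-second window, the threshold of 5 failed logins, the per-user history and the 3-sigma cut-off are assumptions chosen for the illustration.

```python
"""Statistical anomaly detection over audit records: threshold detection
(one threshold for every user) and a profile-based mean / standard deviation
check (each user compared against their own history)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed detection-specific audit records, one per line:
# subject, action, object, exception-condition, resource-usage, time stamp
AUDIT_LOG = """\
alice,login,host1,fail,1,2024-03-01T09:00:05
alice,login,host1,fail,1,2024-03-01T09:00:09
alice,login,host1,success,1,2024-03-01T09:00:14
bob,login,host1,fail,1,2024-03-01T09:01:00
bob,login,host1,fail,1,2024-03-01T09:01:03
bob,login,host1,fail,1,2024-03-01T09:01:06
bob,login,host1,fail,1,2024-03-01T09:01:09
bob,login,host1,fail,1,2024-03-01T09:01:12
bob,login,host1,fail,1,2024-03-01T09:01:15
carol,execute,/usr/bin/make,success,40,2024-03-01T09:02:00
"""


def parse_records(text):
    """Turn the comma-separated audit lines into dictionaries."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        subject, action, obj, exc, usage, ts = line.split(",")
        records.append({
            "subject": subject, "action": action, "object": obj,
            "exception": exc, "usage": int(usage),
            "time": datetime.fromisoformat(ts),
        })
    return records


def threshold_detect(records, action, exception, window_s, threshold):
    """Threshold detection: count events of one type per subject inside a
    sliding window of window_s seconds; a count above `threshold` is an alarm.
    The threshold is the same for every user (slide 9: independent of user)."""
    alarms = set()
    per_subject = defaultdict(list)
    for r in records:
        if r["action"] == action and r["exception"] == exception:
            per_subject[r["subject"]].append(r["time"])
    for subject, times in per_subject.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window_s seconds
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                alarms.add(subject)
                break
    return alarms


def profile_detect(history, current, sigmas=3.0):
    """Profile-based detection: compare a user's current value of some measure
    against the mean and standard deviation of that user's own past values.
    Returns (z-score, flagged)."""
    mu = mean(history)
    sd = pstdev(history)
    if sd == 0:
        # a flat history: any change from the mean counts as a deviation
        z = float("inf") if current != mu else 0.0
    else:
        z = (current - mu) / sd
    return z, z > sigmas


if __name__ == "__main__":
    recs = parse_records(AUDIT_LOG)
    print("threshold alarms:", threshold_detect(recs, "login", "fail", 60, 5))
    # constructed history: bob's failed-login counts on five earlier days
    print("profile check:", profile_detect([3, 4, 3, 5, 4], current=12))
```

Bob trips the threshold rule (six failures in fifteen seconds) while Alice's two failures do not; the profile check shows the same event count judged against one user's own baseline rather than a global threshold, which is what reduces the cross-user variability problem the slide mentions.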

Slide 10: Intrusion Detection
- Rule-based intrusion detection
  - Observe events in the system, then apply rules
  - Rule-based anomaly detection
    - Analyze historical audit records to generate rules automatically
    - Rules represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on
    - Then observe current behavior and match it against the rules

Slide 11: Intrusion Detection
- Rule-based penetration identification
  - Use rules to identify suspicious behavior, known penetrations, or penetrations that would exploit known weaknesses
  - Rules are generated by experts
  - Example: assign degrees of suspicion to activities such as
    - Users should not read files in other users' personal directories.
    - Users must not write other users' files.
    - Users who log in after hours often access the same files they used earlier.
    - Users do not generally open disk devices directly.
    - Users should not be logged in more than once to the same system.
    - Users do not make copies of system programs.
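A small rule engine in the style of slide 11, as an added example rather than code from the slides: each expert-written rule examines an audit record together with the per-user state seen so far and contributes a degree of suspicion, and a user whose total reaches a threshold is reported. Five of the six slide-11 rules are encoded (the after-hours rule needs timestamps and is left out); the weights, the `/home/<user>` layout, the `/dev/sd*` device names, the system-program directories and the records are constructed assumptions.

```python
"""Rule-based penetration identification: expert rules with degrees of suspicion."""
from collections import defaultdict

# Constructed audit records: (subject, action, object)
RECORDS = [
    ("alice", "read", "/home/alice/notes.txt"),
    ("alice", "read", "/home/bob/private.txt"),    # another user's directory
    ("alice", "write", "/home/bob/private.txt"),   # writing another user's file
    ("alice", "open", "/dev/sda"),                 # raw disk device
    ("alice", "copy", "/bin/ls"),                  # copying a system program
    ("alice", "login", "host1"),
    ("alice", "login", "host1"),                   # second login to the same system
    ("bob", "read", "/home/bob/todo.txt"),
    ("bob", "login", "host1"),
]


def home_owner(path):
    """Owner of a personal directory under /home (assumed layout), else None."""
    parts = path.split("/")
    if len(parts) > 2 and parts[1] == "home":
        return parts[2]
    return None


# Each rule: (description, degree of suspicion, predicate(record, user_state)).
# `user_state` holds facts accumulated for the subject so far (active logins).
RULES = [
    ("reads a file in another user's personal directory", 2,
     lambda r, st: r[1] == "read" and home_owner(r[2]) not in (None, r[0])),
    ("writes another user's file", 4,
     lambda r, st: r[1] == "write" and home_owner(r[2]) not in (None, r[0])),
    ("opens a disk device directly", 5,
     lambda r, st: r[1] == "open" and r[2].startswith("/dev/sd")),
    ("logged in more than once to the same system", 3,
     lambda r, st: r[1] == "login" and r[2] in st["logins"]),
    ("copies a system program", 3,
     lambda r, st: r[1] == "copy" and r[2].startswith(("/bin/", "/sbin/", "/usr/bin/"))),
]


def score_records(records, rules=RULES):
    """Apply every rule to every record; return per-user scores and findings."""
    scores = defaultdict(int)
    findings = defaultdict(list)
    state = defaultdict(lambda: {"logins": set()})
    for rec in records:
        subject = rec[0]
        st = state[subject]
        for desc, weight, pred in rules:
            if pred(rec, st):
                scores[subject] += weight
                findings[subject].append(desc)
        # update state after the rules ran, so the first login is not flagged
        if rec[1] == "login":
            st["logins"].add(rec[2])
    return dict(scores), dict(findings)


def suspicious_users(records, threshold=10):
    """Users whose accumulated degree of suspicion reaches the threshold."""
    scores, _ = score_records(records)
    return sorted(u for u, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    scores, findings = score_records(RECORDS)
    for user in suspicious_users(RECORDS):
        print(user, scores[user], findings[user])
```

Keeping the weights and predicates in a table separate from the matching loop is what lets experts add or retune rules without touching the engine; the per-user state is the minimal context needed for sequence rules such as the double-login check.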

Slide 12: Intrusion Detection
- Base-rate fallacy
  - Practically, an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
    - If too few intrusions are detected: a false sense of security
    - If too many false alarms: alarms are ignored and time is wasted
  - This is very hard to do
  - Existing systems seem not to have a good record
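Why "few false alarms" is so hard, worked through with Bayes' rule as an added example (not from the slides): when intrusions are rare, even a small false-alarm rate on the far larger volume of benign records swamps the true alarms. The rates used (1 intrusion per 10,000 records, 99% detection, 1% false alarms, one million records a day) are constructed assumptions, not measured figures.

```python
"""Base-rate fallacy: P(intrusion | alarm) from the base rate, the detection
rate and the false-alarm rate.

P(I | A) = P(A | I) P(I) / [ P(A | I) P(I) + P(A | not I) P(not I) ]
"""


def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """Probability that an alarm is a real intrusion (Bayesian detection rate)."""
    true_alarms = detection_rate * base_rate
    false_alarms = false_alarm_rate * (1.0 - base_rate)
    return true_alarms / (true_alarms + false_alarms)


def required_false_alarm_rate(base_rate, detection_rate, wanted_precision):
    """False-alarm rate that makes the fraction `wanted_precision` of alarms real.
    Solves precision = tp / (tp + fa) for fa, with tp = detection_rate * base_rate."""
    tp = detection_rate * base_rate
    fa = tp * (1.0 - wanted_precision) / wanted_precision
    return fa / (1.0 - base_rate)


def alarms_per_day(events_per_day, base_rate, detection_rate, false_alarm_rate):
    """Expected (true alarms, false alarms) for a given daily record volume."""
    intrusions = events_per_day * base_rate
    true_alarms = intrusions * detection_rate
    false_alarms = events_per_day * (1.0 - base_rate) * false_alarm_rate
    return true_alarms, false_alarms


if __name__ == "__main__":
    # Constructed scenario: 1 in 10,000 records is an intrusion; the detector
    # catches 99% of them and wrongly flags 1% of benign records.
    p = alarm_precision(1e-4, 0.99, 0.01)
    print(f"P(intrusion | alarm) = {p:.4f}")        # about 0.0098
    print("alarms per day (true, false):", alarms_per_day(1e6, 1e-4, 0.99, 0.01))
    print(f"false-alarm rate for 50% precision: "
          f"{required_false_alarm_rate(1e-4, 0.99, 0.5):.2e}")
```

With these inputs roughly 99 of every 100 alarms are false, and a one-in-two precision would require a false-alarm rate near 1e-4, about the base rate itself; that is the sense in which the slide's "few false alarms" is a far stricter demand than it sounds.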

Slide 13: Intrusion Detection
- Distributed intrusion detection
  - The traditional focus is on single systems
  - But we typically have networked systems
  - A more effective defense has these systems working together to detect intrusions
  - Issues
    - Dealing with varying audit record formats
    - Integrity and confidentiality of networked data
    - Centralized or decentralized architecture

Slide 14: Intrusion Detection
- Architecture for distributed intrusion detection
  - Host agent module: collects data on security-related events and transmits it to the central manager
  - LAN monitor agent module: same as a host agent module except that it analyzes LAN traffic and reports to the central manager
  - Central manager module: receives reports from LAN monitor and host agents, then processes and correlates these reports to detect intrusion

Slide 15: Intrusion Detection
- Agent architecture
  - Agent: captures each native O/S audit record and applies a filter
  - Template-driven logic module: analyzes the records; when suspicious activity is detected, sends an alert message to the central manager
  - Central manager
    - Includes an expert system (can draw inferences from received data)
    - Can query individual systems for copies of HARs (Host Audit Records) to correlate with those from other agents

Slide 16: Intrusion Detection
- Honeypots
  - Decoy systems designed to lure attackers
    - away from accessing critical systems
    - to collect information about their activities
    - to encourage the attacker to stay on the system so the administrator can respond
  - Filled with fabricated information
  - Instrumented to collect detailed information on the attacker's activities
  - May be a single system or multiple networked systems

Slide 17: Password Management
- Password protection
  - Front-line defense against intruders
  - Users supply both:
    - a login ID, which determines the privileges of that user
    - a password, which identifies them
  - Passwords are often stored encrypted
    - Unix uses multiple DES (a variant with salt)
    - More recent systems use a cryptographic hash function
  - The password file on the system should be protected

Slide 18: Password Management
- The vulnerability of passwords
  - Two threats to the UNIX password scheme
    - Gaining access to a machine and then running a password-guessing program on that machine, with little resource consumption
    - Obtaining a copy of the password file, so that a cracker program can be run on another machine
  - Passwords must NOT be too short and NOT be too easy to guess
- Access control
  - Denies the opponent access to the password file
  - Has several flaws
    - Many systems are susceptible to unanticipated break-ins
    - An accident of protection might render the password file readable
    - Some users use the same password on other machines

Slide 19: Password Management
- Unix password scheme
  - crypt(3): 25 iterations of DES encryption
  - Salt (12 bits)
    - Related to the time at which the password is assigned to the user
    - Prevents duplicate passwords from being visible in the password file
    - Two characters are selected from [./0-9A-Za-z], giving 4096 possible salts
    - If bit 12 of the salt is set, then bits 12 and 36 are swapped in the DES E-box output
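The one-way, salted storage idea of slides 17 and 19, as an added example that is not the Unix crypt(3) implementation: a modern key-derivation function (PBKDF2-HMAC-SHA256, a fact about Python's `hashlib`) stands in for the 25 DES iterations, and a random 128-bit salt stands in for the 12-bit time-derived salt. The `$pbkdf2$<iterations>$<salt>$<hash>` record layout is a constructed convention, not a real password-file format.

```python
"""Salted one-way password storage: store a salted digest, never the password,
and show why the salt keeps duplicate passwords from being visible."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor, the counterpart of crypt(3)'s 25 DES rounds
SALT_BYTES = 16        # 128-bit random salt; the Unix scheme used 12 bits (4096 values)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return the stored form of a password. The salt is random unless supplied
    (the Unix scheme derived it from the time the password was assigned)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # constructed record format: $pbkdf2$<iterations>$<salt hex>$<digest hex>
    return f"$pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """One-way check: re-derive with the stored salt and iteration count and
    compare in constant time, exactly as slide 3 describes."""
    _, _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicates_visible(stored_records):
    """Number of stored digests that repeat an earlier one. Without a salt,
    two users with the same password produce identical entries; with a
    per-user salt the count stays 0 (slide 19)."""
    seen = set()
    dupes = 0
    for rec in stored_records:
        digest = rec.rsplit("$", 1)[1]
        dupes += digest in seen
        seen.add(digest)
    return dupes


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    same = [hash_password("hunter2"), hash_password("hunter2")]
    print("visible duplicates with random salts:", duplicates_visible(same))
```

The iteration count is written into each record so it can be raised for new passwords without invalidating old ones; that is the modern equivalent of the fixed "25 times" built into crypt(3).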

Slide 20: Password Management
- Password selection strategies
  - Goal: eliminate guessable passwords while allowing memorable passwords
  - Four basic techniques
    - User education: users ignore guidelines or misunderstand what a strong password is
    - Computer-generated passwords: hard to remember even if they are pronounceable
    - Reactive password checking: the system periodically runs its own password cracker to find guessable passwords; resource intensive, and unchecked passwords remain vulnerable
    - Proactive password checking: when a user selects his or her own password, the system checks whether the password is allowable

Slide 21: Password Management
- Proactive password checking
  - Rule enforcement
    - All passwords must be at least eight characters long
    - In the first eight characters, the password must include at least one each of uppercase letters, lowercase letters, numeric digits, and punctuation marks
  - Compiling a large dictionary of "bad" passwords
    - When a user selects a password, the system checks it against the dictionary
    - Large space (storage) and time consumption
  - Two techniques for developing an effective and efficient password checker, both based on rejecting words on a list, show promise
    - Markov model
    - Bloom filter
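The rule-enforcement part of slide 21 as a checker, added here and not taken from the slides. It tests the four character classes on the first eight characters only, as the slide states (traditional crypt(3) used only the first eight characters of a password, so a class that appears later adds nothing); the exact class definitions come from Python's `string` module and are an assumption about what the slide means by "punctuation marks".

```python
"""Proactive password checking: rule enforcement over the first eight characters."""
import string

CLASSES = {
    "uppercase letter": string.ascii_uppercase,
    "lowercase letter": string.ascii_lowercase,
    "numeric digit": string.digits,
    "punctuation mark": string.punctuation,
}


def check_rules(password):
    """Return the list of violated rules; an empty list means the password is allowable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    head = password[:8]   # only the first eight characters count, per slide 21
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in head):
            problems.append(f"no {name} in the first eight characters")
    return problems


def is_allowable(password):
    return not check_rules(password)


if __name__ == "__main__":
    for candidate in ["Pa$sw0rd", "Passw0rd!xyz", "abc"]:
        print(repr(candidate), check_rules(candidate) or "allowable")
```

`Passw0rd!xyz` is long enough and contains all four classes, yet it fails, because its only punctuation mark is the ninth character; that edge case is exactly what the "first eight characters" wording of the rule is about.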

Slide 22: Password Management
- Markov model
  - An effective and efficient proactive password checker
  - The model is [m, A, T, k], where
    - m: number of states
    - A: state space
    - T: matrix of transition probabilities
    - k: order of the model
  - In a k-th-order model, the probability of making a transition to a particular letter depends on the previous k characters

Slide 23: Password Management
- Second-order Markov model
  - M = {9, {AA, AB, AC, BA, BB, BC, CA, CB, CC}, T, 2}
  - Transition matrix T (row: the previous two characters; column: the next character; the entry in row XY, column Z is Pr(Z|XY)):

           A     B     C
    AA   0.00  0.00  0.00
    AB   0.00  0.10  0.50
    AC   0.00  0.10  0.50
    BA   0.10  0.08  0.00
    BB   0.20  0.16  0.00
    BC   0.20  0.16  0.00
    CA   0.50  0.40  0.00
    CB   0.00  0.00  0.00
    CC   0.00  0.00  0.00

  - Reading the entries: Pr(A|BA) = 0.10, Pr(B|BA) = 0.08, Pr(C|BA) = 0.00; Pr(A|CA) = 0.50, Pr(B|CA) = 0.40, Pr(C|CA) = 0.00

Slide 24: Password Management
- Second-order Markov model: calculating the transition matrix
  - When a dictionary of guessable passwords is constructed:
    1. Determine the frequency matrix f(i,j,k), the number of occurrences of the trigram consisting of the i-th, j-th, and k-th characters.
       Example: abbbababbb yields the trigrams abb, bbb, bba, bab, aba, bab, abb, bbb
    2. For each bigram ij, calculate f(i,j,∞) as the total number of trigrams beginning with ij.
       Example: f(a,b,∞) counts aba, abb, ...
  - bigram: a group of two written letters, two syllables, or two words
  - trigram: a triple of letters or words
  - For a two-letter alphabet the matrix has rows AA, AB, BA, BB and columns A, B, holding Pr(A|AA), Pr(B|AA), Pr(A|AB), Pr(B|AB), Pr(A|BA), Pr(B|BA), Pr(A|BB), Pr(B|BB)

Slide 25: Password Management
    3. Compute the entries of T
  - T reflects the structure of the words in the dictionary
  - The question "Is this a bad password?" becomes "Was this password generated by this model?"
  - Passwords likely to be generated by the model are rejected.
  - Matrix for the example abbbababbb (rows: the previous two characters; columns: the next character):

           A      B
    AA   0      0
    AB   0.125  0.25
    BA   0.0    0.25
    BB   0.125  0.25
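The three steps of slides 24 and 25 carried out in code, as an added example and not the slides' own program. Two points the slides leave implicit are made explicit here: the slide-25 table is the trigram count divided by the total number of trigrams (8 for abbbababbb, hence 0.125 = 1/8 and 0.25 = 2/8), whereas the transition matrix T of step 3 divides f(i,j,k) by f(i,j,∞), as Stallings defines it; both normalisations are computed. The scoring rule (average log-probability per transition against a fixed threshold) and the probability floor for unseen transitions are my assumptions for turning "likely to be generated by the model" into a decision.

```python
"""Second-order Markov password checker: f(i,j,k), f(i,j,inf), T and a
'was this generated by the model?' score for a candidate password."""
from collections import Counter, defaultdict
import math


def trigrams(word):
    """All overlapping 3-character windows of a word."""
    return [word[n:n + 3] for n in range(len(word) - 2)]


def frequency_matrix(dictionary):
    """Step 1: f(i,j,k) = number of occurrences of each trigram in the dictionary."""
    f = Counter()
    for word in dictionary:
        f.update(trigrams(word))
    return f


def bigram_totals(f):
    """Step 2: f(i,j,inf) = total number of trigrams beginning with ij."""
    totals = Counter()
    for tri, n in f.items():
        totals[tri[:2]] += n
    return totals


def transition_matrix(f):
    """Step 3: T(i,j,k) = f(i,j,k) / f(i,j,inf), i.e. Pr(k | ij)."""
    totals = bigram_totals(f)
    T = defaultdict(dict)
    for tri, n in f.items():
        T[tri[:2]][tri[2]] = n / totals[tri[:2]]
    return T


def relative_frequencies(f):
    """The normalisation shown in the slide-25 table: f(i,j,k) / total trigrams."""
    total = sum(f.values())
    return {tri: n / total for tri, n in f.items()}


def log_likelihood(word, T, floor=1e-6):
    """Sum of log Pr(next | previous two) over the candidate. A transition the
    model never saw gets the probability `floor` (assumption) instead of zero."""
    score = 0.0
    for tri in trigrams(word):
        score += math.log(T.get(tri[:2], {}).get(tri[2], floor))
    return score


def is_bad_password(word, T, threshold_per_transition=math.log(0.05)):
    """Reject when the average log-probability per transition is above the
    threshold, i.e. when the model would plausibly have generated the word."""
    n = max(len(word) - 2, 1)
    return log_likelihood(word, T) / n > threshold_per_transition


if __name__ == "__main__":
    f = frequency_matrix(["abbbababbb"])          # the slide-24 example string
    print("f(i,j,k):", dict(f))
    print("f(i,j,inf):", dict(bigram_totals(f)))
    print("slide-25 table:", relative_frequencies(f))
    T = transition_matrix(f)
    print("T:", {k: dict(v) for k, v in T.items()})
    for cand in ["abbab", "acbdq"]:
        print(cand, "bad" if is_bad_password(cand, T) else "allowable")
```

With the single-word dictionary, `abbab` is rejected because every one of its transitions has a high probability under T, while `acbdq` uses bigrams the model has never seen and passes; on a real dictionary the same logic scores each candidate in time proportional to its length, independent of the dictionary size.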

Slide 26: Password Management
- Bloom filter
  - An order-k Bloom filter consists of a set of k independent hash functions
  - Hash functions: each function maps a password into a hash value in the range 0 to N-1

      H_i(X_j) = y,   1 ≤ i ≤ k;  1 ≤ j ≤ D;  0 ≤ y ≤ N-1

    where X_j is the j-th word in the password dictionary, D is the number of words in the password dictionary, and k is the order of the Bloom filter
  - Procedure applied to the dictionary
    - A hash table of N bits, with all bits initially set to 0
    - For each password, its k hash values are calculated and the corresponding bits in the hash table are set to 1
    - If a bit already has the value 1, it remains at 1

Slide 27: Password Management
- Bloom filter: password checking
  - The k hash values are calculated for the presented password
  - If all corresponding bits of the hash table are equal to 1, the password is rejected
  - FALSE POSITIVES are possible
  - Example with two hash functions H1 and H2 (figure: password dictionary, hash functions, hash table with bits 25, 83, 665 and 998 set to 1):
    - H1(undertaker) = 25, H2(undertaker) = 998
    - H1(hulkhogan) = 83, H2(hulkhogan) = 665
    - H1(xG%#jj98) = 665, H2(xG%#jj98) = 998, so xG%#jj98 is rejected even though it is not in the dictionary

Slide 28: Password Management
- Bloom filter: to minimize false positives
  - The probability of a false positive or, equivalently

Slide 29: Password Management
- Performance of the Bloom filter
  - Suppose the number of words in the dictionary is 1 million (10^6) and we want a false positive probability of 0.01
  - If we select six hash functions, the required ratio is R = 9.6
  - Hash table: 9.6 × 10^6 bits, or about 1.2 MB of storage

Slide 30: Password Management
- Advantages
  - Storage of the entire dictionary is 8 MB, but we need only 1.2 MB of storage: a compression factor of about 7
  - Password checking involves the straightforward calculation of six hash functions and is independent of the size of the dictionary
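An order-k Bloom filter checker with the sizing arithmetic of slides 26 to 30, added here as an example that is not the slides' code. The k hash functions are derived from SHA-256 of the function index and the word, a constructed choice since the slides do not specify them. The false-positive formula, which the transcript of slide 28 omits, is the standard one from Stallings: P ≈ (1 - e^(-kD/N))^k, or with R = N/D, P ≈ (1 - e^(-k/R))^k; inverting it for R reproduces the R = 9.6 of slide 29 for k = 6 and P = 0.01.

```python
"""Bloom filter password dictionary: build, check, and size the bit table."""
import hashlib
import math


class BloomFilter:
    def __init__(self, n_bits, k):
        self.n = n_bits                 # N: size of the hash table in bits
        self.k = k                      # order of the filter
        self.bits = bytearray((n_bits + 7) // 8)

    def hashes(self, word):
        """H_i(word) for 1 <= i <= k, each in the range 0..N-1 (constructed
        functions: SHA-256 over the index and the word, reduced mod N)."""
        for i in range(1, self.k + 1):
            digest = hashlib.sha256(f"{i}:{word}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.n

    def add(self, word):
        """Set the k bits for a dictionary word; bits already 1 stay 1."""
        for y in self.hashes(word):
            self.bits[y // 8] |= 1 << (y % 8)

    def possibly_contains(self, word):
        """Reject rule: all k bits set means 'in the dictionary' (or a false positive)."""
        return all((self.bits[y // 8] >> (y % 8)) & 1 for y in self.hashes(word))


def build_from_dictionary(words, k, ratio):
    """Size the table as N = R * D bits (rounded up) and insert every word."""
    bf = BloomFilter(max(1, math.ceil(ratio * len(words))), k)
    for w in words:
        bf.add(w)
    return bf


def false_positive_probability(k, ratio):
    """P = (1 - e^(-k/R))^k with R = N/D."""
    return (1 - math.exp(-k / ratio)) ** k


def required_ratio(k, p):
    """Invert P = (1 - e^(-k/R))^k to get R = N/D for a wanted P."""
    return -k / math.log(1 - p ** (1 / k))


def storage_bytes(ratio, dictionary_size):
    """Hash table size in bytes for D words at R bits per word."""
    return ratio * dictionary_size / 8


if __name__ == "__main__":
    # Slide 29: D = 10^6 words, P = 0.01, k = 6 hash functions
    r = required_ratio(6, 0.01)
    print(f"R = {r:.1f}, table = {storage_bytes(r, 10**6) / 1e6:.2f} MB")   # about 9.6, 1.2 MB
    print(f"P at R = 9.6: {false_positive_probability(6, 9.6):.4f}")
    # Constructed two-word dictionary in the spirit of slide 27
    bf = build_from_dictionary(["undertaker", "hulkhogan"], k=2, ratio=64)
    for cand in ["undertaker", "hulkhogan", "xG%#jj98"]:
        print(cand, "reject" if bf.possibly_contains(cand) else "allow")
```

The check costs k hash computations whatever the dictionary size, which is the slide-30 advantage; the trade-off is that a lookup answering "reject" can be a false positive, and the only way to lower that rate is to spend more bits per word (a larger R) or pick k to match.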
