Hiding Intrusions: From the Abnormal to the Normal and Beyond. Kymie Tan, John McHugh and Kevin Killourhy. Presented at the 5th Information Hiding Workshop, 7-9 October 2002.


1 Hiding Intrusions: From the Abnormal to the Normal and Beyond
Kymie Tan, John McHugh and Kevin Killourhy
Presented at the 5th Information Hiding Workshop, 7-9 October 2002
Published in LNCS 2578, pp. 1-17, Springer-Verlag, 2002
"We were hoping to gain insights that might move toward a more theoretical basis for understanding intrusions. Instead, we seem to have discovered an interesting approach for serious intruders."
Presented by Anne Crockett

2 Host-based Intrusion Detection
There are two types of host-based IDS:
1. Signature-based: matches attack descriptions to sensed data (like virus checkers).
2. Anomaly-based: sensors produce a trace log of data that is analysed for anomalies; it equates "unusual or abnormal [behaviour] with intrusions" (John McHugh, "Intrusion and Intrusion Detection", International Journal of Information Security 1, 2001, pp. 14-35) and requires training data to determine normal behaviour.

3 Summary
This paper addresses the assumption of anomaly detectors that intrusions cause "anomalous manifestations". The authors believe this assumption is wrong and try to prove it by describing attacks that are not detectable by an anomaly-based Intrusion Detection System (IDS):
1) First they describe the attacks and the system being attacked: UNIX running an anomaly detector called "Stide".
2) Next they describe how Stide detects attacks, and detail the weakness in Stide that they exploited.
3) Lastly they show how the attack code is modified to prevent Stide from detecting it.

4 Critical Comment 1
The paper was very similar to an earlier article written by Tan, Killourhy & Maxion. In fact, some sentences were identical! Why don't you read the other paper and compare them?
– "Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits", 5th International Symposium, RAID 2002, LNCS 2516, Springer-Verlag, pp. 54-73
– RAID = Recent Advances in Intrusion Detection
One term they used extensively is "manifestations", but they never define it in "Hiding Intrusions...".
– The omission of the definition makes their argument harder to understand.
– They did define it in their earlier paper: "sequence of system calls issued by the exploited/privileged system program, and due to the presence and activity of the exploit."

5 Appreciative Comment
The authors dared to challenge the long-held view that all intrusions produce anomalies. Their argument was convincing and logically structured. They:
– identified a weakness (blind spot) in Stide;
– exploited it using several simple and well-described attacks which they downloaded from the Internet;
– described how they evaded detection by either making the attack's manifestations appear normal or finding a blind spot to hide them in.
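The detection mechanism and the blind spot that slides 3 and 5 refer to, as an added example (not the authors' code and not the original Stide tool): Stide learns the set of every length-k window of system calls seen in normal traces and flags any window of a monitored trace that is absent from that set. Its blind spot, stated here from the Stide literature rather than from this presentation, is that a foreign sequence longer than k whose every length-k piece is normal produces no foreign window at all, so an exploit whose manifestation is rewritten into that shape is invisible to the detector. The traces, the window size k=3 (the Stide work commonly used 6) and the privileged program being monitored are constructed assumptions.

```python
"""Minimal stide-style anomaly detector over system-call traces.

Added example: this is not the paper's code nor the original Stide tool.
The traces are constructed for illustration; k=3 is chosen for readability.
"""

# Constructed training traces of a hypothetical privileged program.
NORMAL_TRACES = [
    ["open", "read", "mmap", "close"],
    ["read", "mmap", "execve", "close"],
    ["open", "read", "close"],
]

# Constructed exploit manifestation: "execve" directly after "read" never
# occurs in the training data, so the windows around it are foreign.
DETECTED_ATTACK = ["open", "read", "execve", "close"]

# Constructed exploit manifestation rewritten to sit in the blind spot:
# the whole sequence never occurs in training, but every length-3 window
# of it does, so a k=3 detector sees nothing (a k=4 detector does).
HIDDEN_ATTACK = ["open", "read", "mmap", "execve", "close"]


def windows(trace, k):
    """All contiguous length-k windows of a trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_db(traces, k):
    """Training phase: the set of every length-k window seen in normal traces."""
    db = set()
    for t in traces:
        db.update(windows(t, k))
    return db


def scan(trace, db, k):
    """Detection phase: (offset, window) for each window absent from the db."""
    return [(i, w) for i, w in enumerate(windows(trace, k)) if w not in db]


def contains(seq, sub):
    """True if `sub` occurs as a contiguous run inside `seq`."""
    n = len(sub)
    return any(seq[i:i + n] == sub for i in range(len(seq) - n + 1))


def shortest_foreign_length(trace, normal_traces):
    """Length of the shortest contiguous piece of `trace` that appears in no
    normal trace, i.e. the smallest window size at which a stide-style
    detector can flag the trace. None if the whole trace is normal."""
    for n in range(1, len(trace) + 1):
        for i in range(len(trace) - n + 1):
            piece = trace[i:i + n]
            if not any(contains(t, piece) for t in normal_traces):
                return n
    return None


if __name__ == "__main__":
    for k in (3, 4):
        db = build_db(NORMAL_TRACES, k)
        for name, trace in (("detected", DETECTED_ATTACK), ("hidden", HIDDEN_ATTACK)):
            hits = scan(trace, db, k)
            print(f"k={k} {name}: {len(hits)} foreign window(s) {hits}")
    for trace in (DETECTED_ATTACK, HIDDEN_ATTACK):
        print(trace, "-> shortest foreign piece:", shortest_foreign_length(trace, NORMAL_TRACES))
```

Both evasion techniques on slide 5 reduce to the same check: whether the attack's manifestation contains a foreign piece of length at most k. Making the manifestation "appear normal" lowers no window out of the database; hiding in the blind spot keeps every window normal while the sequence as a whole is new. The `shortest_foreign_length` helper is what an evaluator would use to decide which window size a given exploit needs to be caught, which is the point of the paper's implication for detector evaluation.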

6 Examining the Argument (1)
Do all intrusions cause "anomalous manifestations"?
Dorothy Denning (1987): "exploitation of a system's vulnerabilities involves abnormal use of the system; therefore, security violations could be detected from abnormal patterns of system usage."
Tan, McHugh & Killourhy (2002): "we discovered techniques whereby intrusive activities with anomalous manifestations could be modified in such a way as to be indistinguishable from arguably normal activities"

7 Examining the Argument (2)
Tan et al demonstrate convincingly that their attacks can be hidden. Then they extend their argument by saying: "We speculate that similar attacks are possible against other anomaly based IDS..."
Given I = Intrusion (exploitation of a vulnerability) and E = Evidence of abnormal use:
Denning states: ∀I: I ⇒ E (every intrusion produces evidence of abnormal use)
Tan et al claim: ∃I: I ⇒ ¬E (there is an intrusion that produces no such evidence)

8 Examining the Argument (3)
Consider these two elements in the attack situation: X = anomaly detector, Y = operating system.
Tan et al speculate: ∀X ∀Y ∃I: I ⇒ ¬E (for every detector and every operating system there is an intrusion that leaves no evidence).
But consider that...
– Stide is an open source anomaly detector, but not all other IDSs are.
– Their approach requires the attacker to understand intimately the weaknesses of Stide.
– They must carefully manipulate the manifestations to avoid being detected.

9 Critical Comment 2
Their attacks are designed to exploit privileged Unix system processes; however, their description of the "kernel" attack refers to how the Linux kernel enforces security.
Main criticism: it is unclear whether the kernel attack was run on Linux or Unix.
Side issue: the three programs they exploited can be patched with packs downloadable from Red Hat Linux.
– So, is Linux equally vulnerable to all three attacks?

10 Conclusion and Question
The authors prove that hiding evidence of an intrusion is possible in their particular case.
Are you convinced that their intrusion hiding approach is a threat to other anomaly detectors?
If so, they state "[our] results have implications for both detector design and for detector evaluation" but fail to explain what those implications are.
What are the implications of their research?

