Computer Security & Cyber Law: Compiled By: Krishna Bhandari

The document covers intrusion detection in computer security, detailing types of intruders, intrusion techniques, and various models of intrusion detection systems (IDS). It explains the architecture of IDS, including agents, directors, and notifiers, and discusses different detection methods such as anomaly, misuse, and specification modeling. Additionally, it highlights the importance of monitoring network traffic for intrusions and the organization of IDS for enhanced security and reliability.

www.genuinenotes.com 1
UNIT 7
Intrusion Detection

Intruders & Intrusion Techniques
• Intrusion is a phenomenon in which an activity compromises a computer system by breaking its security or causing it to enter an insecure state.
• A set of attempts to compromise the security of a computer or a computer network resource is regarded as an intrusion.
• The entity that performs such activity is called an intruder.
• Intruders are also referred to as attackers, interceptors or hackers.
Types of Intruders:
1. Masquerader
• An unauthorized user who penetrates a system's access control to exploit another user's account
• Most likely an outsider to the system
2. Misfeasor
• A legitimate user who accesses data, programs or resources for which he/she is not authorized
• Generally an insider
3. Clandestine user
• An individual who seizes supervisory control and evades auditing and access control
• May be an insider or outsider
• Again, there are two levels of intruders:
➢ People with a high level of system expertise, who use personally constructed methods for breaking into systems.
➢ Others are “foot soldiers” who use cracking programs developed and distributed by others, and who are willing to spend countless hours looking for the weakest links.
• Another classification scheme, based on intrusion types, classifies intrusions into the following six types:
• Attempted break-in: often detected by atypical behavior profiles or violations of security constraints.
• Masquerade attack: often detected by atypical behavior profiles or violations of security constraints.
• Penetration of the security control system: usually detected by monitoring for specific patterns of activity.
• Leakage: often detected by atypical usage of I/O resources.
• Denial of Service: often detected by atypical usage of system resources.
• Malicious use: often detected by atypical behavior profiles, violations of security constraints, or use of special privileges.
• Some common techniques for intrusion are:
▪ Buffer overflows
▪ Unexpected combinations
▪ Unhandled inputs
▪ Race conditions

Intrusion Detection:
• In addition to security services (e.g. data confidentiality, integrity, authentication, etc.), intrusion detection (ID) techniques are used to strengthen system security and increase its resistance to internal and external attacks.
• These techniques are implemented by an intrusion detection system (IDS).
• Generally, the main task of an IDS is to detect an intrusion and, if necessary or possible, to undertake measures to eliminate it.
• The goals of an intrusion detection system are:
▪ Detect a wide variety of intrusions.
▪ Detect intrusions in a timely fashion.
▪ Present the analysis in a simple, easy-to-understand format.
▪ Be accurate.
• Formalizing this type of analysis provides a statistical and analytical basis for monitoring a system for intrusions.
• There are three types of analysis: anomaly detection, misuse (or signature) detection, and specification detection.
Anomaly Modeling:
• Anomaly detection analyzes a set of characteristics of the system and compares their behavior with a set of expected values.
• It reports when the computed statistics do not match the expected measurements.
• Anomaly detection uses the assumption that unexpected behavior is evidence of an intrusion.
• There are three different statistical models.
• The first model uses a threshold metric. A minimum of m and a maximum of n events are expected to occur (for some event and some values m and n).
• If, over a specific period of time, fewer than m or more than n events occur, the behavior is considered anomalous.
• Determining the threshold complicates use of this model.
• The threshold must take into account the differing characteristics of the users.
• The second model uses statistical moments. The analyzer knows the mean and standard deviation (the first two moments) and possibly other measures of correlation (higher moments).
• If values fall outside the expected interval for that moment, the behavior that the values represent is considered anomalous.
• Because the profile, or description of the system, may evolve over time, anomaly-based intrusion detection systems take these changes into account by aging (or weighting) data or altering the statistical rule base on which they make decisions.
• The statistical moments model provides more flexibility than the threshold model.
• Administrators can tune it to discriminate better than the threshold model.
• But with flexibility comes complexity.
• The third model is a Markov model.
• Examine a system at some particular point in time.
• Events preceding that time have put the system into a particular state.
• When the next event occurs, the system transitions into a new state.
• Over time, a set of transition probabilities can be developed.
• When an event occurs that causes a transition that has a low probability, the event is deemed anomalous.
• This model suggests that a notion of “state,” or past history, can be used to detect anomalies.
• The anomalies are now no longer based on statistics of the occurrence of individual events, but on sequences of events.
• This approach promoted misuse detection and was used to develop effective anomaly detection mechanisms.
• The effectiveness of Markov-based models depends on the adequacy of the data used to establish the model.
• This data (called training data) is obtained experimentally, usually from populations that are believed to be normal (not anomalous).
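The three statistical models above (threshold, moments, Markov) in working form, as an added example that is not part of the original notes. The hourly failed-login counts, the command sessions used as training data, the thresholds m and n, the two-standard-deviation interval, the 0.05 probability cut-off and the aging window are all constructed assumptions for illustration:

```python
# Added example (not from the notes): the three statistical anomaly models
# described above, applied to constructed data.  Every data value here is
# constructed for illustration.
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed training data: failed-login counts per hour over 24 "normal" hours.
TRAINING_COUNTS = [2, 3, 1, 0, 2, 4, 3, 2, 1, 2, 3, 2,
                   2, 1, 3, 2, 4, 2, 1, 2, 3, 2, 2, 1]

# Constructed training sessions: command sequences believed to be normal.
TRAINING_SESSIONS = [
    ["login", "ls", "cd", "ls", "cat", "logout"],
    ["login", "cd", "ls", "cat", "logout"],
    ["login", "ls", "cat", "cat", "logout"],
]


def threshold_model(count, m, n):
    """Model 1: anomalous if fewer than m or more than n events occurred in the period."""
    return count < m or count > n


def moments_model(count, training, k=2.0):
    """Model 2: anomalous if the count lies outside mean +/- k standard deviations
    of the training data (the first two moments)."""
    mu, sigma = mean(training), pstdev(training)
    return abs(count - mu) > k * sigma


def build_markov_model(sessions):
    """Model 3: estimate transition probabilities P(next | current) from
    training sessions; each session is a sequence of states (commands)."""
    counts = defaultdict(Counter)
    for session in sessions:
        for cur, nxt in zip(session, session[1:]):
            counts[cur][nxt] += 1
    return {cur: {nxt: c / sum(nxts.values()) for nxt, c in nxts.items()}
            for cur, nxts in counts.items()}


def anomalous_transitions(model, session, min_prob=0.05):
    """Return the transitions in a session whose probability under the model is
    below min_prob.  Unseen states or transitions have probability 0."""
    flagged = []
    for cur, nxt in zip(session, session[1:]):
        if model.get(cur, {}).get(nxt, 0.0) < min_prob:
            flagged.append((cur, nxt))
    return flagged


def age_training(training, new_value, window=24):
    """Aging: slide the training window so the profile follows the user's
    evolving behaviour (the newest value replaces the oldest)."""
    return (training + [new_value])[-window:]


if __name__ == "__main__":
    print("threshold:", threshold_model(7, m=1, n=5))
    print("moments:", moments_model(10, TRAINING_COUNTS))
    model = build_markov_model(TRAINING_SESSIONS)
    print("markov:", anomalous_transitions(model, ["login", "ls", "chmod", "logout"]))
```

The Markov model flags a whole transition, not a single count, which is the point the notes make about sequences of events; note that any command absent from the training sessions is flagged, so the quality of the training population decides the false-alarm rate.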

Misuse Modeling:
• Misuse detection determines whether a sequence of instructions being executed is known to violate the site security policy.
• If so, it reports a potential intrusion.
• In some contexts, the term “misuse” refers to an attack by an insider or authorized user.
• In the context of intrusion detection systems, it means “rule-based detection.”
• Modeling of misuse requires knowledge of system vulnerabilities or potential vulnerabilities that attackers attempt to exploit.
• The intrusion detection system incorporates this knowledge into a rule set.
• When data is passed to the intrusion detection system, it applies the rule set to the data to determine if any sequences of data match any of the rules.
• If so, it reports that a possible intrusion is underway.
• Misuse-based intrusion detection systems often use expert systems to analyze the data and apply the rule set.
• These systems cannot detect attacks that are unknown to the developers of the rule set.
• Previously unknown attacks, or even variations of known attacks, can be difficult to detect.
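A small rule-based misuse detector, as an added example that is not part of the original notes. Each rule is an ordered list of predicates that must match events sharing a key (source address or user) inside a time window, which is how a rule set matches "sequences of data" as described above. The log format, the two rule names, the window lengths and the log lines are constructed for illustration:

```python
# Added example (not from the notes): a small rule-based misuse detector.  The
# log format, rule names and log lines are constructed for illustration.
from collections import defaultdict, deque
from datetime import datetime

# Constructed audit log: "<timestamp> <component> <event> key=value ..."
LOG_LINES = [
    "2024-03-01T10:00:01 sshd failed_login user=admin src=10.0.0.5",
    "2024-03-01T10:00:05 sshd failed_login user=root src=10.0.0.5",
    "2024-03-01T10:00:09 sshd failed_login user=guest src=10.0.0.5",
    "2024-03-01T10:02:00 sshd login_ok user=alice src=10.0.0.7",
    "2024-03-01T10:03:10 audit modify_file user=alice target=/etc/passwd",
    "2024-03-01T10:15:00 sshd failed_login user=bob src=10.0.0.9",
    "2024-03-01T10:30:00 sshd failed_login user=bob src=10.0.0.9",
    "2024-03-01T10:45:00 sshd failed_login user=bob src=10.0.0.9",
]


def parse_line(line):
    """Normalize one log line into a dict with a parsed timestamp."""
    ts, component, event, *pairs = line.split()
    rec = {"time": datetime.fromisoformat(ts), "component": component, "event": event}
    rec.update(pair.split("=", 1) for pair in pairs)
    return rec


# A rule is an ordered list of predicates that must match events sharing the
# same key (e.g. the same source address) within a time window.  This is the
# "rule set" the notes describe; it can only encode sequences known in advance.
RULES = [
    {"name": "password_guessing", "key": "src", "window": 60,
     "steps": [lambda e: e["event"] == "failed_login"] * 3},
    {"name": "passwd_tampering", "key": "user", "window": 600,
     "steps": [lambda e: e["event"] == "login_ok",
               lambda e: e["event"] == "modify_file" and e.get("target") == "/etc/passwd"]},
]


def matches_sequence(events, steps):
    """Greedy in-order match: each step predicate must be satisfied by an event
    that comes after the event matched by the previous step."""
    i = 0
    for ev in events:
        if i < len(steps) and steps[i](ev):
            i += 1
    return i == len(steps)


def apply_rules(records, rules):
    """Return (rule name, key value, timestamp) for every completed rule match."""
    alerts = []
    for rule in rules:
        windows = defaultdict(deque)          # per-key sliding window of events
        for rec in records:
            key = rec.get(rule["key"])
            if key is None:
                continue
            win = windows[key]
            while win and (rec["time"] - win[0]["time"]).total_seconds() > rule["window"]:
                win.popleft()                 # drop events older than the window
            win.append(rec)
            if matches_sequence(win, rule["steps"]):
                alerts.append((rule["name"], key, rec["time"].isoformat()))
                win.clear()                   # one alert per completed sequence
    return alerts


def detect(lines=LOG_LINES, rules=RULES):
    return apply_rules([parse_line(line) for line in lines], rules)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

The slow attempts against `bob` (fifteen minutes apart) never complete the sequence inside the 60-second window, which illustrates the limitation stated above: a variation the rule writer did not anticipate is not reported, however suspicious it looks to a human.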

Specification Modeling:
• Specification-based detection determines whether or not a sequence of instructions violates a specification of how a program, or system, should execute. If so, it reports a potential intrusion.
• Anomaly detection has been called the art of looking for unusual states.
• Misuse detection, similarly, is the art of looking for states known to be bad.
• Specification detection takes the opposite approach; it looks for states known not to be good, and when the system enters such a state, it reports a possible intrusion.
• For security purposes, only those programs that in some way change the protection state of the system need to be specified and checked.
• For example, because the policy editor in Windows NT changes security-related settings, it needs to have an associated specification.
Architecture of IDS:
• An intrusion detection system consists of three parts.
• The agent corresponds to the logger. It acquires information from a target (such as a computer system).
• The director corresponds to the analyzer. It analyzes the data from the agents as required (usually to determine if an attack is in progress or has occurred).
• The director then passes this information to the notifier, which determines whether, and how, to notify the requisite entity.
• The notifier may communicate with the agents to adjust the logging if appropriate.

Fig: Architecture of an intrusion detection system
Agent:
• An agent obtains information from a data source (or set of data sources).
• The source may be a log file, another process, or a network.
• The information, once acquired, may be sent directly to the director.
• Usually, however, it is preprocessed into a specific format to save the director from having to do this.
• Also, the agent may discard information that it considers irrelevant.
• The director may determine that it needs more information from a particular information source.
• In that case, the director can instruct the agent to collect additional data, or to process the data it collects differently.
• The director can use this to cut down on the amount of processing it must do, but can increase the level of information it receives when an attack is suspected.
• An agent can obtain information from a single host, from a set of hosts, or from a network.
Host-Based Information Gathering:
• Host-based agents usually use system and application logs to obtain records of events, and analyze them to determine what to pass to the director.
• The events to look for, and to analyze, are determined by the goals of the intrusion detection mechanism.
• The logs may be security-related logs or other logs such as accounting logs.
• A variant of host-based information gathering occurs when the agent generates its own information.
• Policy checkers do this. They analyze the state of the system, or of some objects in the system, and treat the results as a log (to reduce and forward).

Network-Based Information Gathering:
• Network-based agents use a variety of devices and software to monitor network traffic.
• This technique provides information of a different flavor than host-based monitoring provides.
• It can detect network-oriented attacks, such as a denial of service attack introduced by flooding a network.
• It can monitor traffic for a large number of hosts. It can also examine the contents of the traffic itself (called content monitoring).
• Network-based agents may use network sniffing to read the network traffic.
• In this case, a system provides the agent with access to all network traffic passing that host.
• If the medium is point-to-point (such as a token ring network), the agents must be distributed to obtain a complete view of the network messages.
• If the medium is a broadcast medium (such as Ethernet), typically only one computer needs to have the monitoring agent.

Combining Sources:
• The goal of an agent is to provide the director with information so that the director can report possible violations of the security policy (intrusions).
• An aggregate of information is needed. However, the information can be viewed at several levels.
• The difference between application and system views (which is, essentially, a problem of layers of abstraction) affects what the agent can report to the director and what the director can conclude from analyzing the information.
• The agent, or the director, must either obtain information at the level of abstraction at which it looks for security problems or be able to map the information into an appropriate level.
Director:
• The director itself reduces the incoming log entries to eliminate unnecessary and redundant records. It then uses an analysis engine to determine if an attack (or the precursor to an attack) is underway.
• The analysis engine may use any of, or a mixture of, several techniques to perform its analysis.
• Because the functioning of the director is critical to the effectiveness of the intrusion detection system, it is usually run on a separate system.
• This allows the system to be dedicated to the director’s activity.
• It has the side effect of keeping the specific rules and profiles unavailable to ordinary users.
• Then attackers lack the knowledge needed to evade the intrusion detection system by conforming to known profiles or using only techniques that the rules do not include.
• The director must correlate information from multiple logs.
• Many types of directors alter the set of rules that they use to make decisions.
• These adaptive directors alter the profiles, add (or delete) rules, and otherwise adapt to changes in the systems being monitored.
• Typical adaptive directors use aspects of machine learning or planning to determine how to alter their behavior.
• Directors rarely use only one analysis technique, because different techniques highlight different aspects of intrusions.
• The results of each are combined, analyzed and reduced, and then used.
Notifier:
• The notifier accepts information from the director and takes the appropriate action.
• In some cases, this is simply a notification to the system security officer that an attack is believed to be underway.
• In other cases, the notifier may take some action to respond to the attack.
• Many intrusion detection systems use graphical interfaces.
• A well-designed graphics display allows the intrusion detection system to convey information in an easy-to-grasp image or set of images.
• It must allow users to determine what attacks are underway (ideally, with some notion of how likely it is that this is not a false alarm).
• This requires that the GUI be designed with a lack of clutter and unnecessary information.
• The notifier may send electronic mail to the appropriate person or make entries into the appropriate log files.
Organization of Intrusion Detection Systems:
• An intrusion detection system can be organized in several ways.
• This section explores three such paradigms using research intrusion detection systems.
• The first system examines network traffic only.
• The second explores how to combine network and host sources.
• The third system distributes the director among multiple systems to enhance security and reliability.
Monitoring Network Traffic for Intrusions: NSM
• The Network Security Monitor (NSM) develops a profile of expected usage of a network and compares current usage with that profile.
• It also allows the definition of a set of signatures to look for specific sequences of network traffic that indicate attacks.
• It runs on a local area network and assumes a broadcast medium.
• The monitor measures network utilization and other characteristics and can be instructed to look at activity based on a user, a group of users, or a service. It reports anomalous behavior.
• The NSM monitors the source, destination, and service of network traffic.
• It assigns a unique connection ID to each connection.
• The source, destination, and service are used as axes for a matrix.
• Each element of the matrix contains the number of packets sent over that connection for a specified period of time, and the sum of the data of those packets.
• NSM also generates expected connection data from the network.
• The data in the array is “masked” by the expected connection data, and any data not within the expected range is reported as an anomaly.
• The NSM is important for two reasons.
• First, it served as the basis for a large number of intrusion detection systems.
• Second, it proved that performing intrusion detection on networks was practical.
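The NSM connection matrix and its masking step, as an added example that is not the NSM's own code. The matrix is indexed by (source, destination, service) and each cell holds the packet count and byte total for the period, as the notes describe; the expected profile is derived from constructed baseline periods. The addresses, services, packet counts and the "half the smallest to twice the largest baseline count" range rule are all constructed assumptions:

```python
# Added example (not from the notes): an NSM-style connection matrix.  Addresses,
# services and packet counts are constructed; the expected-range rule (half the
# smallest to twice the largest baseline count) is an assumption for illustration.
from collections import defaultdict


def flow(src, dst, service, packets, size):
    """Constructed traffic: `packets` packets of `size` bytes on one connection."""
    return [(src, dst, service, size)] * packets


# Two constructed baseline periods believed to be normal.
BASELINE_PERIODS = [
    flow("10.0.0.2", "10.0.0.1", "smtp", 10, 500) + flow("10.0.0.3", "10.0.0.1", "http", 40, 1200),
    flow("10.0.0.2", "10.0.0.1", "smtp", 12, 480) + flow("10.0.0.3", "10.0.0.1", "http", 50, 1100),
]

# Constructed current period: a burst of small http packets and a new telnet connection.
CURRENT_PERIOD = (flow("10.0.0.2", "10.0.0.1", "smtp", 8, 500)
                  + flow("10.0.0.3", "10.0.0.1", "http", 300, 60)
                  + flow("10.0.0.9", "10.0.0.1", "telnet", 3, 40))


def build_matrix(packets):
    """Matrix indexed by (source, destination, service): [packet count, byte total]."""
    matrix = defaultdict(lambda: [0, 0])
    for src, dst, service, size in packets:
        cell = matrix[(src, dst, service)]
        cell[0] += 1
        cell[1] += size
    return dict(matrix)


def expected_profile(baseline_periods):
    """Expected packet-count range per connection, derived from the baseline periods."""
    seen = defaultdict(list)
    for period in baseline_periods:
        for key, (count, _) in build_matrix(period).items():
            seen[key].append(count)
    return {key: (min(counts) // 2, 2 * max(counts)) for key, counts in seen.items()}


def mask(matrix, profile):
    """Mask the current matrix by the expected data; report whatever is left over."""
    anomalies = []
    for key, (count, total_bytes) in matrix.items():
        if key not in profile:
            anomalies.append((key, count, total_bytes, "connection not in expected profile"))
            continue
        low, high = profile[key]
        if not low <= count <= high:
            anomalies.append((key, count, total_bytes, f"packet count outside {low}-{high}"))
    return anomalies


def detect_anomalies(baseline_periods=BASELINE_PERIODS, current=CURRENT_PERIOD):
    return mask(build_matrix(current), expected_profile(baseline_periods))


if __name__ == "__main__":
    for anomaly in detect_anomalies():
        print(anomaly)
```

The http burst is reported because its packet count leaves the expected range, and the telnet connection because no baseline period ever contained that (source, destination, service) triple; the smtp connection is masked out as expected traffic.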

Combining Host and Network Monitoring: DIDS
• The Distributed Intrusion Detection System (DIDS) combined the abilities of the NSM with intrusion detection monitoring of individual hosts.
• It sprang from the observation that neither network-based monitoring nor host-based monitoring was sufficient.
• An intruder attempting to log into a system through an account without a password would not be detected as malicious by a network monitor.
• Subsequent actions, however, might make a host-based monitor report that an intruder is present.
• Similarly, if an attacker tries to telnet to a system a few times, using a different login name each time, the host-based intrusion detection mechanism would not report a problem, but the network-based monitor could detect repeated failed login attempts.
• DIDS used a centralized analysis engine (the DIDS director) and required that agents be placed on the systems being monitored as well as in a place to monitor the network traffic.
• The agents scanned logs for events of interest and reported them to the DIDS director.
• The DIDS director invoked an expert system that performed the analysis of the data.
• The expert system was a rule-based system that could make inferences about individual hosts and about the entire system (hosts and networks).
• It would then pass results to the user interface, which displayed them in a simple, easy-to-grasp manner for the system security officer.
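A toy agent / director / notifier pipeline that combines a host source and a network source, as an added example serving both the Architecture of IDS section (agents preprocess and filter, the director asks an agent for more data, the notifier reports) and the two DIDS scenarios above. It is not DIDS's own code. The record formats, host name, addresses, the "three distinct login names within 60 seconds" rule and all sample records are constructed assumptions:

```python
# Added example (not from the notes): a toy agent / director / notifier pipeline
# that combines host and network sources in the spirit of DIDS.  Record formats,
# hostnames, addresses, thresholds and sample records are all constructed.
from collections import defaultdict

# Constructed host log for "hostA" and constructed network connection records.
HOST_LOG = [
    "t=100 kind=login_ok user=guest passwd=none src=10.0.0.5",
    "t=101 kind=exec user=guest cmd=ls",
    "t=102 kind=exec user=guest cmd=cat",
]
NET_RECORDS = [
    "t=90 src=10.0.0.5 dst=hostA service=telnet user=root result=fail",
    "t=93 src=10.0.0.5 dst=hostA service=telnet user=admin result=fail",
    "t=96 src=10.0.0.5 dst=hostA service=telnet user=test result=fail",
    "t=100 src=10.0.0.5 dst=hostA service=telnet user=guest result=ok",
]


def parse_kv(line):
    """Agents preprocess raw records into one key/value format for the director."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["t"] = int(rec["t"])
    return rec


class HostAgent:
    """Host-based agent: forwards login events; ordinary command executions are
    discarded as irrelevant unless the director has asked for more data."""
    def __init__(self, host, lines):
        self.host, self.lines, self.verbose = host, lines, False

    def collect(self):
        for line in self.lines:
            rec = parse_kv(line)
            if rec["kind"] == "login_ok" or self.verbose:
                yield dict(rec, source="host", host=self.host)


class NetworkAgent:
    """Network-based agent: sees every connection on the broadcast segment."""
    def __init__(self, records):
        self.records = records

    def collect(self):
        for line in self.records:
            yield dict(parse_kv(line), source="net")


class Notifier:
    """Collects the director's conclusions (a real one would mail or log them)."""
    def __init__(self):
        self.messages = []

    def notify(self, message):
        self.messages.append(message)


class Director:
    """Correlates both sources.  Network rule: 3 distinct login names from one
    source to one host's telnet service within 60 s -> report and raise that
    host agent's verbosity.  Host rule: a login with no password -> report."""
    NAMES_LIMIT, WINDOW = 3, 60

    def __init__(self, notifier):
        self.notifier, self.received = notifier, 0
        self.attempts = defaultdict(list)      # (src, dst) -> [(t, user)]

    def run(self, net_agents, host_agents):
        for agent in net_agents:
            for ev in agent.collect():
                self.received += 1
                self.handle_net(ev, host_agents)
        for agent in host_agents:              # verbosity may have been raised above
            for ev in agent.collect():
                self.received += 1
                self.handle_host(ev)

    def handle_net(self, ev, host_agents):
        if ev.get("service") != "telnet":
            return
        key = (ev["src"], ev["dst"])
        hist = [(t, u) for t, u in self.attempts[key] if ev["t"] - t <= self.WINDOW]
        hist.append((ev["t"], ev["user"]))
        self.attempts[key] = hist
        names = {u for _, u in hist}
        if len(names) == self.NAMES_LIMIT:
            self.notifier.notify(f"{ev['src']}: {len(names)} different login names tried "
                                 f"on {ev['dst']} telnet within {self.WINDOW}s")
            for agent in host_agents:
                if agent.host == ev["dst"]:
                    agent.verbose = True       # director instructs the agent to collect more

    def handle_host(self, ev):
        if ev["kind"] == "login_ok" and ev.get("passwd") == "none":
            self.notifier.notify(f"{ev['host']}: login as {ev['user']} without a "
                                 f"password from {ev['src']}")


def run_pipeline(host_log=HOST_LOG, net_records=NET_RECORDS):
    notifier = Notifier()
    director = Director(notifier)
    director.run([NetworkAgent(net_records)], [HostAgent("hostA", host_log)])
    return director, notifier


if __name__ == "__main__":
    director, notifier = run_pipeline()
    print(director.received, "events received")
    print("\n".join(notifier.messages))
```

Run with only the final successful connection in the network records, the director never raises the host agent's verbosity, so the host agent forwards just the login event and only the host rule fires; with the full record set the network rule fires first and the host agent then forwards the command executions as well.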
Autonomous Agents: AAFID
• An autonomous agent is a process that can act independently of the system of which it is a part.
• In 1995, Crosbie and Spafford examined intrusion detection systems in light of fault tolerance.
• They noted that an intrusion detection system that obtains information by monitoring systems and networks is a single point of failure.
• If the director fails, the IDS will not function.
• Their suggestion was to partition the intrusion detection system into multiple components that function independently of one another, yet communicate to correlate information.
• Crosbie and Spafford suggested developing autonomous agents, each of which performed one particular monitoring function.
• Each agent would have its own internal model, and when the agent detected a deviation from expected behavior, a match with a particular rule, or a violation of a specification, it would notify other agents.
• The agents would jointly determine whether the set of notifications was sufficient to constitute a reportable intrusion.
• The beauty of this organization lies in the cooperation of the agents.
• No longer is there a single point of failure.
• If one agent is compromised, the others can continue to function.
Intrusion Response:
• Once an intrusion is detected, how can the system be protected?
• The field of intrusion response deals with this problem.
• Its goal is to handle the (attempted) attack in such a way that damage is minimized (as determined by the security policy).
• Some intrusion detection mechanisms may be augmented to thwart intrusions.
• Otherwise, the security officers must respond to the attack and attempt to repair any damage.
Incident Prevention:
• Ideally, intrusion attempts will be detected and stopped before they succeed.
• This typically involves closely monitoring the system (usually with an intrusion detection mechanism) and taking action to defeat the attack.
• In the context of response, prevention requires that the attack be identified before it completes.
• The defenders then take measures to prevent the attack from completing.
• This may be done manually or automatically.
Intrusion Handling:
• When an intrusion occurs, the security policy of the site has been violated.
• Handling the intrusion means restoring the system to comply with the site’s security policy and taking any actions against the attacker that the policy specifies.
• Intrusion handling consists of six phases.
1. Preparation for an attack. This step occurs before any attacks are detected. It establishes procedures and mechanisms for detecting and responding to attacks.
2. Identification of an attack. This triggers the remaining phases.
3. Containment (confinement) of the attack. This step limits the damage as much as possible.
4. Eradication of the attack. This step stops the attack and blocks further similar attacks.
5. Recovery from the attack. This step restores the system to a secure state (with respect to the site security policy).
6. Follow-up to the attack. This step involves taking action against the attacker, identifying problems in the handling of the incident, and recording lessons learned (or lessons not learned that should be learned).
Containment Phase:
• Containing or confining an attack means limiting the access of the attacker to system resources.
• The protection domain of the attacker is reduced as much as possible.
• There are two approaches: passively monitoring the attack, and constraining access to prevent further damage to the system.
• In this context, “damage” refers to any action that causes the system to deviate from a “secure” state as defined by the site security policy.
• Passive monitoring simply records the attacker’s actions for later use.
• The monitors do not interfere with the attack in any way.
• This technique is marginally useful.
• It will reveal information about the attack and, possibly, the goals of the attacker.
• However, not only is the intruded system vulnerable throughout, the attacker could also attack other systems.
• The other approach, in which steps are taken to constrain the actions of the attacker, is considerably more difficult.
• The goal is to minimize the protection domain of the attacker while preventing the attacker from achieving her goal.
• But the system defenders may not know what the goal of the attacker is, and thus may misdirect the confinement so that the data or resources that the attacker seeks lie within the minimal protection domain of the attacker.
Eradication Phase:
• Eradicating an attack means stopping the attack.
• The usual approach is to deny access to the system completely (such as by terminating the network connection) or to terminate the processes involved in the attack.
• An important aspect of eradication is to ensure that the attack does not immediately resume.
• This requires that attacks be blocked.
• A common method for implementing blocking is to place wrappers around suspected targets.
• The wrappers implement various forms of access control.
• Wrappers can control access locally on systems or control network access.
Follow-Up Phase:
• In the follow-up phase, the systems take some action external to the system against the attacker.
• The most common follow-up is to pursue some form of legal action, either criminal or civil.
• The requirements of the law vary among communities, and indeed vary within communities over time.
• Counterattacking, or attacking the attacker, takes two forms.
• The first form involves legal mechanisms, such as filing criminal complaints.
• This requires protecting a “chain of evidence” so that legal authorities can establish that the attack was real (in other words, that the attacked site did not invent evidence) and that the evidence can be used in court.
• The precise requirements of the law change over time and across jurisdictions, so this first form of counterattacking lies outside the scope of this discussion.
• The second form is a technical attack, in which the goal is to damage the attacker seriously enough to stop the current attack and discourage future attacks.
• This approach has several important consequences that must be considered.
▪ The counterattack may harm an innocent party.
▪ The counterattack may have side effects.
▪ The counterattack is antithetical to the shared use of a network.
▪ The counterattack may be legally actionable.