
Intruder Detection: Bryan Pearsaul

The document discusses intruder detection systems, including anomaly detection and misuse detection approaches. Anomaly detection systems establish profiles of normal user behavior and compare current behavior to detect anomalies. Misuse detection systems use rules or state transition diagrams to detect known intrusion scenarios by comparing audit data to predefined attacks. Examples of anomaly detection systems include NIDES and Tripwire, while USTAT is provided as an example of misuse detection. Limitations of both approaches are also outlined.
Copyright
© Attribution Non-Commercial (BY-NC)

Intruder Detection

Bryan Pearsaul

Outline

Overview
Intruder Detection
Intruder Prevention
Intruder Detection Systems
  Anomaly Detection
  Misuse Detection
  Examples
  Limitations/Drawbacks

Overview

Intrusion: a user takes an action that they are not legally allowed to take, whether they meant to take that action or not
Increasingly important as we rely more and more on computer systems for the correct functioning of society

Intruder Detection

Determining whether an intruder has gained, or has attempted to gain, unauthorized access to the system
Two groups of intruders:
  External
  Internal
Ways to combat intrusion:
  Intruder Prevention
  Intruder Detection Systems

Intruder Prevention

Requiring passwords to be submitted before users can access the system
Fixing or patching known vulnerabilities
Blocking network access
Restricting physical access

Intruder Detection Systems

First became needed in the late 1970s
Originally used with single systems: the OS produced audit records that were processed by the IDS
IDS has since expanded to distributed systems and networks
Two main approaches:
  Anomaly Detection
  Misuse Detection

IDS Anomaly Detection

Static and dynamic anomalies
IDS distinguishes between normal and the anomaly
Define normal behavior or the correct static form
Detect changes in form or anomalous behavior

Static Anomaly Detection

Some part of the system should remain constant
Determines intrusions based on data integrity
Define the static part as strings of binary bits
If the strings are ever modified then there has been an error or an intrusion

Static Anomaly Detection

System bit strings are compressed into representations of the system called signatures
The stored signature is then compared at certain time intervals to the current system signature
Knowledge about the structure of objects in the system (meta-data) can also be incorporated into the system

Tripwire

Performs intruder detection using file integrity checking
Uses signatures and UNIX file metadata
Configuration file specifies attributes of files
Builds a selection mask for each file and directory that contains a flag for each distinct field in a UNIX i-node

Tripwire

Each file has at least one signature computed from the bit string of the file
Selection masks and the set of signatures are stored in a database
User-scheduled integrity checks are performed on the signatures and the attributes
Any changes are pointed out and security staff can be notified
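The two Tripwire slides above describe a baseline database of per-file signatures plus masked i-node fields, later re-checked. The following is an added example of that scheme, not Tripwire's own code: SHA-256 stands in for Tripwire's signature functions, the i-node field names and the `demo` file layout are constructed, and only the fields in each file's selection mask are compared.

```python
import hashlib, os, stat, tempfile

def file_signature(path: str) -> str:
    """Compress the file's bit string into a fixed-size signature (SHA-256 here)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(path: str, mask: set) -> dict:
    """Record only the i-node fields named in the selection mask, plus the signature if asked."""
    st = os.stat(path)
    fields = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
              "size": st.st_size, "mtime": int(st.st_mtime), "nlink": st.st_nlink}
    entry = {k: v for k, v in fields.items() if k in mask}
    if "signature" in mask:
        entry["signature"] = file_signature(path)
    return entry

def build_database(config: dict) -> dict:
    """config maps path -> selection mask; the result is the trusted baseline database."""
    return {path: snapshot(path, mask) for path, mask in config.items()}

def integrity_check(config: dict, database: dict) -> list:
    """Re-snapshot each file and return (path, field, baseline, current) for every change."""
    changes = []
    for path, mask in config.items():
        current = snapshot(path, mask)
        for field, old in database[path].items():
            if current.get(field) != old:
                changes.append((path, field, old, current.get(field)))
    return changes

def _write(path, data, mode="wb"):
    with open(path, mode) as f:
        f.write(data)

def demo() -> list:
    """Constructed scenario: a binary that must never change and a log that may grow."""
    d = tempfile.mkdtemp()
    binary, log = os.path.join(d, "login"), os.path.join(d, "messages")
    _write(binary, b"\x7fELF original")
    _write(log, b"boot ok\n")
    config = {binary: {"signature", "size", "mode", "uid"}, log: {"mode", "uid"}}
    db = build_database(config)
    _write(binary, b"\x7fELF trojaned!")      # simulated tampering with the binary
    _write(log, b"user logged in\n", "ab")    # legitimate growth; size is not in the log's mask
    return integrity_check(config, db)
```

Only the binary is reported (signature and size changed); the log's growth is invisible to the check because its mask excludes size and signature, which is the point of per-file masks.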

Dynamic Anomaly Detection

Also known as Statistical-Based IDS
More difficult than detecting static string changes
Define profiles for each user to characterize normal behavior:
  User choices: log-in time, favorite programs
  User sequence of actions
  User CPU usage / network activity

Dynamic Anomaly Detection

Statistical distributions are formed from profiles and compared to the current user profile
Anomalous boundary is established using some number of standard deviations from the mean
Profiles can be gradually changed to reflect user behavioral changes over time

NIDES

Next-Generation Intrusion Detection Expert System
Builds statistical profiles of users by taking measures that fall into three classes:
  Audit record distributions: types of audit records generated over a period of time
  Categorical: user name, names of files accessed
  Continuous: any measure in which the outcome is how often something occurred, e.g. total number of open files, number of pages read off secondary storage

NIDES

Stores user statistics in profiles such as frequencies, means, variances
Detects anomalous behaviors by comparing measures of the current user profile to measures in the stored user profile
Uses a weighted decay factor for older audit records

Anomaly Detection Limitations

An insider could slowly modify their behavior over time until it is possible to mount an attack without being flagged as anomalous
Users with erratic schedules or hours can be difficult to profile
Determining the deviation threshold can be difficult
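The dynamic anomaly detection and NIDES slides above describe per-user profiles of means and variances, an anomaly boundary of k standard deviations, and a decay factor that lets old audit records fade; the limitations slide notes that slow drift can defeat this. The example below is added here and is not NIDES code: it keeps one decayed mean/variance per continuous measure (the `cpu_seconds` measure, the decay of 0.9, k = 3 and the warm-up count are assumed values), and the two constructed histories show a sudden jump being flagged while the same change made gradually is not.

```python
import math

class DecayedStat:
    """Running mean/variance of one measure; each update scales earlier weight by `decay`."""
    def __init__(self, decay: float = 0.9):
        self.decay, self.n = decay, 0
        self.weight = self.total = self.total_sq = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        self.weight = self.decay * self.weight + 1.0
        self.total = self.decay * self.total + x
        self.total_sq = self.decay * self.total_sq + x * x

    def mean(self) -> float:
        return self.total / self.weight

    def std(self) -> float:
        var = self.total_sq / self.weight - self.mean() ** 2
        return math.sqrt(max(var, 0.0))

class UserProfile:
    """One DecayedStat per measure; anomalous when a measure is more than k std devs from its mean."""
    def __init__(self, k: float = 3.0, decay: float = 0.9, warmup: int = 5):
        self.k, self.decay, self.warmup, self.stats = k, decay, warmup, {}

    def observe(self, record: dict) -> list:
        """Score the audit record against the profile, then fold it in; returns flagged measures."""
        flagged = []
        for measure, x in record.items():
            s = self.stats.setdefault(measure, DecayedStat(self.decay))
            if s.n >= self.warmup and abs(x - s.mean()) > self.k * max(s.std(), 1e-6):
                flagged.append(measure)
            s.update(x)
        return flagged

def sudden_jump() -> list:
    """Constructed history: steady CPU use, then one record far outside it (flagged)."""
    p = UserProfile()
    for cpu in [1.0, 2.0, 1.5, 2.5, 1.0, 2.0, 1.5, 2.5]:
        p.observe({"cpu_seconds": cpu})
    return p.observe({"cpu_seconds": 30.0})

def slow_drift() -> list:
    """Constructed history: the same climb to 30 s in 0.5 s steps; the profile follows, nothing is flagged."""
    p = UserProfile()
    for step in range(56):
        p.observe({"cpu_seconds": 2.0 + 0.5 * step})
    return p.observe({"cpu_seconds": 30.0})
```

With decay 0.9 the profile effectively remembers about the last ten records, so by the time the drifting user reaches 30 s the mean has followed to roughly 25 s and the spread has widened enough that the final record sits around one standard deviation out.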

IDS Misuse Detection

Also known as Rule-Based IDS
Sometimes vulnerabilities are fixed; other times fixing a vulnerability is just not feasible
Define intrusion scenarios, which are known sequences of events that lead to intrusion
Compare known scenarios to current activity to determine whether an intrusion attempt is in progress

IDS Misuse Detection

First generation used rules to describe what should be considered an intrusion
Rules accumulated and became difficult to read or modify
Second generation uses state transition diagrams and model-based rule organizations

USTAT

UNIX State Transition Analysis Tool
Each intrusion scenario is represented in a state transition diagram
Actions serve as the transition from one state to the next
Mapped all BSM events into USTAT actions: Read, Write, Modify_Owner

USTAT

Each state in the transition diagram consists of one or more state assertions
State assertions contain a function name and evaluate to true or false
Ex.: owner(file_var) = user_id, shell_script(file_var)

USTAT

Inference engine uses a table to detect all possible intrusions
Each row represents one intrusion possibly in progress
Maps each BSM event to the corresponding USTAT action and checks if the action will change the current state to a successor state in a known intrusion state diagram

USTAT

If this is so, then the row is copied and marked as being in the successor state
The original row is left until the state no longer exists, because another user could repeat the same action from before
Once a compromised state is reached the decision engine alerts administrators
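The four USTAT slides above describe the inference engine: a table with one row per intrusion possibly in progress, BSM events mapped onto USTAT actions, state assertions such as owner(file_var) = user_id and shell_script(file_var), rows copied (not moved) into the successor state, and an alert on reaching the compromised state. The example below is added here and is not USTAT's own code: the file model, the BSM event type names, the two-step scenario and the audit trail are all constructed for illustration.

```python
# Constructed file-system model that the state assertions query (not a real audit source).
FILES = {"/home/alice/run.sh": {"owner": "alice", "shell_script": True},
         "/home/alice/notes.txt": {"owner": "alice", "shell_script": False}}
def owner(f): return FILES[f]["owner"]
def shell_script(f): return FILES[f]["shell_script"]

# Many BSM event types collapse onto a few USTAT actions (event type names are assumed here).
BSM_TO_ACTION = {"AUE_READ": "Read", "AUE_WRITE": "Write", "AUE_CHOWN": "Modify_Owner", "AUE_FCHOWN": "Modify_Owner"}

def assert_owned_script(ev, b):
    """Assertions owner(file_var) = user_id and shell_script(file_var); binds both variables."""
    if owner(ev["file"]) == ev["user"] and shell_script(ev["file"]):
        b["file_var"], b["user_id"] = ev["file"], ev["user"]
        return True
    return False

def assert_given_away(ev, b):
    """The bound user changes the owner of the bound script to someone else."""
    return (ev["file"] == b["file_var"] and ev["user"] == b["user_id"]
            and ev.get("new_owner") != b["user_id"])

# A scenario is a chain of (action, assertions) transitions; completing the last one is the compromised state.
SCENARIOS = {"owned_script_chowned": [("Write", assert_owned_script),
                                      ("Modify_Owner", assert_given_away)]}

class InferenceEngine:
    def __init__(self, scenarios):
        # One row per scenario, starting in the initial state with no variable bindings.
        self.table = [(name, 0, {}) for name in scenarios]
        self.scenarios, self.alerts = scenarios, []

    def process(self, event):
        action, copies = BSM_TO_ACTION.get(event["type"]), []
        for name, state, bindings in self.table:
            act, assertions = self.scenarios[name][state]
            b = dict(bindings)
            if action == act and assertions(event, b):
                if state + 1 == len(self.scenarios[name]):
                    self.alerts.append((name, event["user"], b))   # compromised state reached
                else:
                    copies.append((name, state + 1, b))   # original row stays for a repeat
        self.table.extend(copies)
        return self.alerts

def demo():
    # Constructed audit trail: a benign write, then the two steps of the scenario.
    eng = InferenceEngine(SCENARIOS)
    for ev in [{"type": "AUE_WRITE", "user": "alice", "file": "/home/alice/notes.txt"},
               {"type": "AUE_WRITE", "user": "alice", "file": "/home/alice/run.sh"},
               {"type": "AUE_CHOWN", "user": "alice", "file": "/home/alice/run.sh", "new_owner": "bob"}]:
        eng.process(ev)
    return eng
```

After the run the table still holds the original initial-state row beside the advanced copy, which is what lets a second user who repeats the first action be tracked independently.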

Misuse Detection Limitations

Only known vulnerabilities and attacks are protected against
Administrators are always playing catch-up with intruders
Representation of intrusion scenarios is not always intuitive

Summary

Intruder Detection
Intruder Prevention
Intruder Detection Systems
  Anomaly Detection
  Misuse Detection
  Examples
  Limitations

References

Anderson, D., Lunt, T., Javitz, H., Tamaru, A. and Valdes, A. Safeguard Final Report: Detecting Unusual Program Behavior Using the NIDES Statistical Component. SRI International Computer Science Laboratory Technical Report, December 1993.
Ilgun, K. "USTAT: A Real-time Intrusion Detection System for UNIX". Proceedings of the 1993 Computer Society Symposium on Research in Security and Privacy, May 1993.
Jones, A. K. and Sielken, R. S. Computer System Intrusion Detection: A Survey. University of Virginia, September 2000. http://www.cs.virginia.edu/~jones/IDSresearch/Documents/jones-sielken-survey-v11.pdf
Kemmerer, R. A. Computer Security. Encyclopedia of Software Engineering, John Wiley and Sons, 1994.
Kim, G. H. and Spafford, E. H. A Design and Implementation of Tripwire. Purdue Technical Report CSD-TR-93-071, November 1993.
Sundaram, A. An Introduction to Intrusion Detection. http://www.acm.org/crossroads/xrds2-4/intrus.html
