Network Integrity and Information Assurance
Dr. Stewart Personick
sdp@ece.drexel.edu
Copyright 2002 Stewart D. Personick. All rights reserved

Historical perspective
• Ever since people began competing for power, territorial control, physical assets, and money, they have recognized the importance of timely and accurate information:
- lifting the “fog of war”
- “getting inside the enemy’s decision cycle”
- “loose lips sink ships”
- understanding the customer’s needs
- understanding the competition

Information Assurance and Network Integrity: the Present
• In developed countries, more and more people and organizations are becoming dependent upon computers, networks, and network-based applications (e.g., transactions conducted worldwide via electronic commerce: moving toward $1T/year)

Recent examples of information assurance and network integrity problems:
- Increasing numbers of virus/worm incidents
- Intrusions into government/DoD systems
- Denial of Service (DoS) attacks
- Major loss of paging systems in the US (single satellite failure)
- Corrupted data downloaded into the Internet’s Domain Name System (DNS) root servers*
*disrupted conversion of Internet “names” (cbis.ece.drexel.edu) into Internet addresses (144.118.31.1) for ~several hours

Types of attacks
• Eavesdropping:
- I read your message while it is passing through a network
- I listen in on your conversation with one or more other person(s)
- I monitor which Web pages you are accessing
- I monitor how many messages you send, and to whom they are sent (traffic analysis)
- I monitor where you are, by looking at your messages
Types of attacks
• Unauthorized “read” access: I read a file that is stored on one of your servers or other computers
This requires that I obtain access to your computer, either via a network or by some other means. E.g., I physically access your computer; I loan you a floppy disk that contains a malicious application that copies your files onto the disk… which you return to me (Trojan horse attack)

Types of attacks
• Content tampering:
- I change the content of a message passing through a network, or I change the contents of a database (e.g., I change the information on one of your Web pages)
Tampering with a message in transit can be done by substitution
Tampering with the contents of a computer requires access and “write” privileges

Types of attacks
• Impersonation:
- I send you a document or a message that appears to have been sent by someone else
The ability to prove that a message is “authentic” (the sender is who he or she claims to be, and the content has not been modified since it was created by the authentic sender) is called “non-repudiation”

Types of attacks
• “Denial-of-service”:
- I prevent your messages from being delivered by attacking one or more routers or by attacking the domain name system
- I cause congestion in your network that prevents you from doing what you want to do (e.g., I send you a gigantic E-mail file, and clog your mail server)
- I bombard you with junk messages
- I disable your network’s password authentication system

Types of attacks
• “Insider” attacks:
- I have access privileges that I abuse
- I steal the access privileges of a trusted person

Prognosis
• Of all of these attacks, denial-of-service attacks and insider attacks are the most problematic, on a forward-looking basis
• The attacker has the advantage. He or she only has to find one vulnerability to exploit. The defender needs to anticipate all possible attacks.

Cryptography
• Using mathematically-based methods to protect information from being read and/or modified by unauthorized persons

Cryptography
[Diagram: Encrypt and Decrypt, each using the same shared Secret Key]

The concept of a cipher
Four score and seven years ago …
Gpvs tdpsf boe tfwfo zfbst bhp ...

Cryptography
• The simple substitution cipher is easy to “break”
• We need a much more secure approach for real-world applications

Cryptography
• Most cryptographic methods are based on
- A cryptographic algorithm that is assumed to be widely known (the algorithm itself is not secret)
- A secret cryptographic “key” that is known only to those who are authorized to have the secret key

Details
• Nobody knows for sure how “hard” it is to “break” modern encryption methods… however, mathematicians are able to make statements about the comparative difficulty of breaking one method vs. another
• Increasing computing power makes brute force methods feasible… leading to the need for longer keys
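Added illustration (not from the original slides) of why the simple substitution cipher on the “Four score” slide is easy to break and why key length matters: the shift cipher has only 26 possible keys, so trying every key and scoring each candidate against English letter frequencies recovers the plaintext instantly. The frequency table is an approximate reference supplied here.

```python
import string

ALPHABET = string.ascii_lowercase

# Approximate relative frequency (per cent) of each letter in English text.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.8, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.1, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 1.0, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.07,
}


def shift_encrypt(text: str, key: int) -> str:
    """Simple substitution cipher from the slide: each letter is replaced by the
    letter `key` positions later in the alphabet (wrapping around). Case is
    preserved and non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ALPHABET.upper() if ch.isupper() else ALPHABET
            out.append(base[(base.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(text: str, key: int) -> str:
    return shift_encrypt(text, -key)


def english_score(text: str) -> float:
    """Higher when the letters of `text` are distributed like English."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.lower())


def break_shift(ciphertext: str):
    """Brute force: the key space has only 26 values, so try them all and keep
    the candidate that looks most like English. Returns (key, plaintext)."""
    key = max(range(26), key=lambda k: english_score(shift_decrypt(ciphertext, k)))
    return key, shift_decrypt(ciphertext, key)


if __name__ == "__main__":
    ct = shift_encrypt("Four score and seven years ago", 1)
    print(ct)               # Gpvs tdpsf boe tfwfo zfbst bhp
    print(break_shift(ct))  # (1, 'Four score and seven years ago')
```

A 128-bit key would need 2^128 trials instead of 26, which is the whole point of the “longer keys” bullet above.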
Desired Properties of an Encryption Algorithm
• It should be very difficult (computationally) to decrypt a message without having the secret key
• It should be reasonably easy to encrypt and decrypt a message, if you have the secret key
Problem: secret key distribution

Public-key Cryptography
• In the 1970s cryptographic researchers came up with some amazing results/concepts that have had a remarkable impact on the ability to build practical cryptographic systems
• These results/concepts helped address the key management problem

The concept of a 1-way function
• A one-way function is one for which it is easy to compute y = f(x), where y and x are sequences of binary digits (1s and 0s)… but it is very “hard” to compute what x is, given that you have access to y
• A one-way function is analogous to a padlock… I can easily snap it shut, but I can’t open it (without a key or a combination)

The Concept of Public-key Cryptography
• Public key encryption
[Diagram: Encrypt using the Public Key; Decrypt using the Secret Key]

Digital Signatures
• Problem
- How can I be sure that a message with your name associated with it really came from you and hasn’t been altered since you sent it?

Digital Signatures
[Diagram: Message -> Hash (plus Misc) -> Encrypt with Sender’s private key]
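The signing and checking steps behind the Digital Signatures diagram above, as an added example that is not part of the original slides: the sender hashes the message and “encrypts” the hash with the private key, and anyone with the public key “decrypts” it and compares it with a hash they compute themselves. The RSA key pair is built from two well-known Mersenne primes purely for illustration (much too small for real use), and the SHA-256 digest is reduced modulo n so it fits that key.

```python
import hashlib

# Constructed RSA key pair for illustration only: n is ~92 bits, far below real key sizes.
P = 2**31 - 1                       # Mersenne prime 2^31 - 1
Q = 2**61 - 1                       # Mersenne prime 2^61 - 1
N = P * Q
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (modular inverse; Python 3.8+)
PUBLIC_KEY = (E, N)                 # published to everyone
PRIVATE_KEY = (D, N)                # known only to the sender


def message_hash(message: bytes, n: int) -> int:
    """The "hash" box on the slide: a fixed-size summary that anyone can
    recompute from the message. Reduced mod n only so it fits the toy key."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """"Encrypt" the hash with the sender's private key: s = h^d mod n."""
    d, n = private_key
    return pow(message_hash(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """"Decrypt" the signature with the public key (h' = s^e mod n) and
    compare it with the hash computed from the received message."""
    e, n = public_key
    return pow(signature, e, n) == message_hash(message, n)


def demo():
    msg = b"Pay 100 dollars to account 12345"       # constructed sample message
    sig = sign(msg)
    genuine = verify(msg, sig)                         # True: hash matches
    tampered = verify(b"Pay 900 dollars to account 12345", sig)  # False: changed message
    forged = verify(msg, 123456789)                    # False: made-up signature
    return genuine, tampered, forged


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```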
Digital Signatures
• The hash is a summary of my message
• Given the message, anyone can compute the hash
• When I encrypt the hash and my signature, using my secret key, anyone can decrypt it using my public key
• However, no one can change the message without producing a mismatch between the hash derived from the changed message, and the hash that I sent in my encrypted hash/signature file
• Furthermore, no one can create a fake hash/signature file that will decrypt properly with my public key

Access Control
• Control access using some combination of:
- what you know (e.g., a password)
- who you are (e.g., your fingerprints)
- what you have (e.g., a smart card)

Passwords
• A basic method of protecting individual files or information systems from unauthorized access is through the use of passwords
• There are numerous pitfalls associated with the use of passwords in real-world applications… e.g., guessing passwords
• A basic problem with passwords is that we can’t remember them unless they are also relatively easy to guess

Biometric Access Controls
• Voice recognition
• Fingerprint scanning/recognition
• Face scanning/recognition
• Iris scanning/recognition
• DNA analysis

Iris Scanning
[Diagram: Iris -> Iris Scanner -> scan parameters (labelled “sdp Feb22”) -> database of iris scan parameters associated with IDs]

Smart Cards: Electronic Commerce
[Diagram: smart card (microprocessor, memory, I/O, secret key, OS, applications, private data, other data) takes transaction data from the merchant and produces encrypted output to the bank (ABC Bank)]

Malicious Code
• What’s the problem we are trying to address? How do we keep people from inserting harmful computer code into our computers?

Viruses and Worms
• Virus: extraneous executable code that attaches itself to an executable file (e.g., a Word document) or an application, and can reproduce itself (when the host application executes) to infect other files or applications
• Worm: a stand-alone executable program that can replicate itself, and that can utilize system/network resources to spread to multiple systems

Polymorphic Viruses
• Change with each new infection
• Are (for example) comprised of two parts
– A decryptor
– An encrypted virus file
• Both the decryptor and the encrypted file change each time the virus replicates… so that neither one has a fixed signature

Infected application
[Diagram: Decryptor, Encrypted virus file, App. 1]

How does it work?
[Diagram: infected App. 1 (Decryptor + Encrypted virus file); executing the Decryptor produces Virus version xyz, which contains the Mutator Engine]
1. The decryptor executable will decrypt the encrypted virus file

How does it work?
[Diagram: Virus version xyz and its Mutator Engine produce a New Decryptor and a new Encrypted virus file (Virus version xyz+1), attached to App. 2]
2. Virus1 finds the victim (App. 2)
3. Mutator Engine creates a new Decryptor, a new virus file, and encrypts the new virus file
4. Virus2 is prepended to App. 2

Detecting Viruses (ref: Stallings, pp. 510-514)
• Look for a known virus signature
• Heuristic methods: look for structures in a file that look like they may be associated with a virus (e.g., a decryption loop)
• Checksums (easily defeated using compression and de-compression techniques or by changing the checksum)
• Digital signatures

Protecting Against Malicious Code
• Applications from Trusted Sources
- Trusted sources can use digital signatures or other means to protect against unauthorized changes to their software
But… how does the trusted source ensure that its own, authorized employees and contractors have not inserted malicious code into its products?

Protecting Against Malicious Code
• Finding non-specific malicious code within an application
- A very difficult, unsolved problem... e.g., malicious code could be activated by its combination with specific data that is entered at a future date

Protecting Against Malicious Code
• The concept of a “sandbox”
Create a virtual machine on which the code executes (runs). Ensure that the code can only have access to tightly controlled and monitored (e.g., level of usage) resources. Securely save the machine’s configuration information. Don’t allow the code to leave behind any remnants, other than data stored in carefully controlled memory locations. Restore the rest of the machine (system) to its original state.
Network-launched Denial-of-Service Attacks
• Distributed Denial of Service (DDoS) Attacks
The attacker places malicious code in “zombie machines”, and then launches the attack by activating the zombie machines and overloading networks and servers with zombie-generated traffic (e.g., bytes or transactions)

Firewalls
• A firewall is a mechanism through which we can attempt to protect a collection of computers and networks within an enclave from attacks launched from outside of the protected enclave
• Firewalls can also be used to provide barriers between subsets of computers and networks within an enclave
• With current Internet protocols, it is difficult to extract enough trustworthy information from incoming packets to push back denial of service attacks

Firewalls
[Diagram: ENCLAVE connected through a Gateway computer to the rest of cyberspace]

Time is Critical
• Note that, from the perspective of legitimate network users…
An attack-induced outage that lasts 20 milliseconds will probably be un-noticeable for most applications
An attack-induced outage that lasts 20 seconds will be noticeable, but not serious, for most users and applications
An attack-induced outage that lasts 5.5 hours (20,000 seconds) will generally be very serious for most users

Responding
• How long it takes to recover is very much a function of:
- the nature of the damage done
- the cause of the initial damage (e.g., how to eliminate malicious code from trusted hosts)
- the availability, trustworthiness, and accessibility of data that can be used to diagnose the damage and the cause of the damage

Generic Intrusion Detection & Malicious Insider Detection
[Diagram: Observations from network systems or network elements feed an Intrusion Detection Engine, which draws on Data and Policies to produce reports, alerts, and autonomous actions]

Generic Intrusion Detection & Malicious Insider Detection
A critical, but subtle, aspect of the intrusion detection and malicious insider detection strategy is to neutralize the attacker’s advantage by drawing on the concerted resources of large numbers of defenders… both in terms of the data they can provide, and in terms of the defense mechanisms they can conceive

Intrusion Detection Data
• Historical data related to (anonymous) network traffic and usage patterns
• Historical data related to specific users or applications
• User profiles: including trust levels, access privileges and roles (job descriptions)
• Signatures of known attacks
• Signatures of patterns considered to indicate a possible attack

Intrusion Detection Data
• Signatures of activities or patterns considered to indicate a possible attack:
Politician: “People say I am a crook; do you think I am a crook?”
Advisor: “I don’t know if you are a crook, but I know a lot of crooks who act like you”
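A small working version of the generic intrusion detection engine sketched above, added here as an example that is not part of the original slides: observations are matched against the four kinds of Intrusion Detection Data the slides list (known-attack signatures, suspicious-pattern signatures, user profiles with access privileges, and historical per-user baselines) under tunable policies, and the engine returns alerts. All profiles, thresholds, addresses and observations are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample data; none of it comes from a real system.
USER_PROFILES = {   # user profiles: roles and access privileges
    "alice": {"role": "engineer", "privileges": {"read:source", "write:source"}},
    "bob": {"role": "accountant", "privileges": {"read:ledger"}},
}
HISTORICAL_READS = {"alice": 40, "bob": 15}        # typical file reads per user per day
KNOWN_ATTACK_SIGNATURES = [("directory traversal", re.compile(r"\.\./"))]
POLICY = {"failed_login_limit": 5, "read_spike_factor": 3}   # tunable thresholds


def detect(observations):
    """Intrusion detection engine: apply signatures, policies and historical
    baselines to a batch of observations; return (category, detail) alerts."""
    alerts, reads, failed_logins = [], Counter(), Counter()
    for obs in observations:
        if obs["type"] == "http":
            for name, pattern in KNOWN_ATTACK_SIGNATURES:   # signatures of known attacks
                if pattern.search(obs["request"]):
                    alerts.append(("known-attack", f"{name} from {obs['src']}"))
        elif obs["type"] == "login" and not obs["ok"]:
            failed_logins[obs["src"]] += 1
        elif obs["type"] == "file":
            user, needed = obs["user"], f"{obs['op']}:{obs['resource']}"
            profile = USER_PROFILES.get(user)
            if profile is None or needed not in profile["privileges"]:   # policy check
                alerts.append(("policy", f"{user} attempted {needed} without privilege"))
            elif obs["op"] == "read":
                reads[user] += 1
    # Pattern considered to indicate a possible attack: repeated failed logins from one source
    for src, n in failed_logins.items():
        if n >= POLICY["failed_login_limit"]:
            alerts.append(("suspicious-pattern", f"{n} failed logins from {src}"))
    # Malicious insider detection: authorized activity far above the user's own history
    for user, n in reads.items():
        baseline = HISTORICAL_READS.get(user, 0)
        if n > POLICY["read_spike_factor"] * baseline:
            alerts.append(("anomaly", f"{user} read {n} files, baseline {baseline}"))
    return alerts


SAMPLE_OBSERVATIONS = (   # constructed observations from "network elements"
    [{"type": "http", "src": "198.51.100.7", "request": "GET /docs/../../config"}]
    + [{"type": "login", "src": "203.0.113.9", "user": "alice", "ok": False}] * 6
    + [{"type": "file", "user": "alice", "op": "write", "resource": "ledger"}]
    + [{"type": "file", "user": "bob", "op": "read", "resource": "ledger"}] * 50
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_OBSERVATIONS):
        print(alert)
```

The last alert is the insider case from the “Insider attacks” slide: bob is allowed to read the ledger, so only his own historical baseline reveals the abuse.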