453 Network Security
Section 6: Intruders and Viruses
Dr. E.C. Kulasekere
Sri Lanka Institute of Information Technology - 2006

Intruders
• a significant issue for networked systems is hostile or unwanted access, either via the network or locally
• can identify classes of intruders:
  – masquerader: an outsider who uses a legitimate user's account
  – misfeasor: a legitimate user who accesses resources or performs actions beyond their authorisation
  – clandestine user: one who seizes supervisory control and uses it to evade auditing and access control
• varying levels of competence
• clearly a growing, publicised problem
• may use a compromised system to launch other attacks

Intrusion Techniques
• aim is to increase privileges on the system
• basic attack methodology:
  – target acquisition and information gathering
  – initial access
  – privilege escalation
  – covering tracks
• a key goal is often to acquire passwords
• the intruder can then exercise the access rights of the password's owner

Intrusion Detection (1)
• security failures are inevitable
• so need also to detect intrusions, so that one can
  – block the intrusion if it is detected quickly
  – deter intruders
  – collect information to improve security
• assume the intruder will behave differently from a legitimate user
  – but the distinction will be imperfect: legitimate users sometimes behave unusually, and intruders can mimic normal use

Intrusion Detection (2)
• An IDS monitors a system or network and identifies attempted unauthorised access or manipulation.
• Most IDSs are software programs installed on top of the OS.
• Network-sniffing IDSs are often deployed as dedicated hardware appliances for performance.
• IDSs range from packet-level screening to application-level screening.
Events that can be Detected by an IDS
• Impersonation attempts
• Password cracking
• Protocol attacks
• Buffer overflows
• Installation of rootkits
• Rogue commands
• Software vulnerability exploits
• Malicious code such as viruses, worms and Trojans
• Illegal data manipulation
• Unauthorised file access
• Denial of service (DoS) attacks

Base-Rate Fallacy
• in practice an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
  – if too few intrusions are detected -> false sense of security
  – if too many false alarms -> operators ignore alarms / waste time
• this is very hard to do, because intrusions are rare compared with legitimate activity: even a low false-positive rate applied to the huge volume of normal events produces more false alarms than true detections, so most alarms raised are false
• existing systems seem not to have a good record

Types of IDS
• Methods of detection
  – Statistical anomaly detectors (behaviour based)
  – Signature based (knowledge based or pattern matching)
• Types of implementation
  – Host based (detects anomalies on a specific host)
  – Network based (operates on a network segment and analyses the segment's traffic)

Distributed Intrusion Detection
• traditional focus is on single systems
• but typically have networked systems
• a more effective defence has these working together to detect intrusions
• issues:
  – dealing with varying audit record formats
  – integrity and confidentiality of audit data sent over the network
  – centralised or decentralised architecture

Network Based IDSs (1)
• Resides on a discrete network segment and monitors the traffic on that segment.
• Typically a computer with a NIC set to promiscuous mode, intercepting and analysing packets in real time.
• A packet is identified as being of interest if it matches a particular signature.

Network Based IDSs (2)
• Three primary types of signatures are:
  – String signatures: look for a text string in the payload that indicates a possible attack.
  – Port signatures: watch for connection attempts to well-known, frequently attacked ports.
  – Header condition signatures: watch for dangerous or illegal combinations of fields in packet headers (for example both SYN and FIN set in one TCP segment).
Network Based IDSs (3)
• These IDSs provide real-time information without consuming resources on the monitored hosts or adding load to the network: a promiscuous sensor only listens.
• They cannot detect an attack on a host if the intruder is logged on at the host's own terminal, since no traffic crosses the segment.
• Even where such activity is noticed, the evidence is minimal, because there are no packets to analyse; likewise an encrypted session can be seen but its payload cannot be inspected.

Host Based IDSs (1)
• Small programs called agents that reside on a host computer.
• They monitor the OS, detecting inappropriate activity, writing to log files and triggering alarms.
• They can only detect activity on the host itself, not on the network segment on which the host resides.
• Detection capability is limited by the completeness of the host's logs.

Host Based IDSs (2)
• Host based IDSs have the following characteristics:
  – They monitor access to and changes of critical system files, and changes to user privileges.
  – They detect trusted-insider attacks better than network based IDSs.
  – They can detect attacks from outside to a certain extent.
  – They can be configured to look at all network packets and connection attempts reaching the host.

Signature Based IDSs (1)
• The signatures of known attacks must be stored so that they can be referred to.
• Data picked up from host logs or network monitoring is compared with the stored attack signatures.
• If there is a match, a response is initiated.
• Because a signature fires only on a known pattern, these have a much lower false-alarm rate than behaviour based IDSs.

Signature Based IDSs (2)
• One issue is that they cannot detect attacks that are spread over a long period of time.
• The reason is that these IDSs do not analyse a large history of data to determine an attack; each event is matched on its own.
• Another weakness is that only the stored signatures will be recognised: new attack types, and known attacks rewritten so that the stored pattern no longer appears, will not be detected.

Signature Based IDSs (3)
• A further disadvantage is that they are resource intensive: every event is compared against the whole signature database.
• Signatures are very specific: they are tied to the OS, the platform, the application and so on, so the database must be maintained for each environment.
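The three signature types (string, port, header condition) and the signature-matching weaknesses described on the Signature Based IDSs slides, as an added example that is not code from the lecture. The packet fields, signature names and sample traffic are assumptions constructed for the example; the last part shows two packets a pure signature engine misses, an unknown pattern and a known one that has been re-encoded.

```python
"""Added example: a toy signature-matching network IDS.

Not code from the lecture. It applies string, port and header-condition
signatures to constructed packet records and shows the blind spots of
signature matching. All fields, names and traffic are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured packet (constructed, not parsed from a pcap)."""
    src: str
    dst: str
    proto: str                            # "tcp" or "udp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN", "FIN"}
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str                             # "string" | "port" | "header"
    match: Callable[[Packet], bool]


def string_sig(name: str, needle: bytes) -> Signature:
    """String signature: a byte sequence in the payload that suggests an attack."""
    return Signature(name, "string", lambda p: needle in p.payload)


def port_sig(name: str, ports: Set[int], proto: str = "tcp") -> Signature:
    """Port signature: a new connection attempt (SYN) to a frequently attacked port."""
    return Signature(name, "port",
                     lambda p: p.proto == proto and p.dport in ports and "SYN" in p.flags)


def header_sig(name: str, cond: Callable[[Packet], bool]) -> Signature:
    """Header condition signature: an illegal or dangerous header field combination."""
    return Signature(name, "header", cond)


SIGNATURES: List[Signature] = [
    string_sig("unix-passwd-read", b"/etc/passwd"),
    port_sig("telnet-connect", {23}),
    port_sig("smb-connect", {139, 445}),
    # SYN and FIN together never occur in a legitimate TCP handshake.
    header_sig("tcp-syn-fin", lambda p: p.proto == "tcp" and {"SYN", "FIN"} <= p.flags),
    # A packet addressed from a host to itself on the same port is forged.
    header_sig("src-equals-dst", lambda p: p.src == p.dst and p.sport == p.dport),
]


def scan(packets: List[Packet],
         sigs: List[Signature] = SIGNATURES) -> List[Tuple[int, str, str]]:
    """Return (packet index, signature kind, signature name) for every match."""
    alerts = []
    for i, p in enumerate(packets):
        for s in sigs:
            if s.match(p):
                alerts.append((i, s.kind, s.name))
    return alerts


# Constructed sample traffic on one segment.
SAMPLE: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 40001, 80, frozenset({"SYN"})),
    Packet("10.0.0.5", "10.0.0.80", "tcp", 40001, 80, frozenset({"ACK", "PSH"}),
           b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.0.80", "tcp", 40001, 80, frozenset({"ACK", "PSH"}),
           b"GET /../../etc/passwd HTTP/1.0\r\n"),                          # string
    Packet("10.0.0.9", "10.0.0.80", "tcp", 40002, 23, frozenset({"SYN"})),    # port
    Packet("10.0.0.9", "10.0.0.80", "tcp", 40003, 22, frozenset({"SYN", "FIN"})),  # header
    Packet("10.0.0.80", "10.0.0.80", "udp", 7, 7),                                  # header
]

# Two packets a signature engine misses: an attack with no stored signature, and
# the known one rewritten with URL encoding so the stored byte string is absent.
MISSED: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 40001, 80, frozenset({"ACK", "PSH"}),
           b"GET /../../etc/shadow HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.0.80", "tcp", 40001, 80, frozenset({"ACK", "PSH"}),
           b"GET /../../etc/pass%77d HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print("ALERT", alert)
    print("missed:", scan(MISSED))    # [] : no stored signature matches
```

A real sensor would normalise the payload (decode percent-encoding, reassemble TCP streams) before matching, which is exactly the extra work that makes signature engines resource intensive.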
Statistical Anomaly Detection (1)
• This is behaviour based and dynamic detection.
• The basis is that if a user behaves abnormally, an alarm is triggered and a response sent.
• A "normal" user profile is needed. This is built by taking statistical samples of ordinary activity (login times, commands run, failed logins, data volume, etc.) during a learning period.
• With this kind of IDS new attacks can be detected, since they will be considered an anomaly.

Statistical Anomaly Detection (2)
• Advantages
  – New situations can be detected.
  – Not dependent on a specific operating system.
  – Helps detect abuse-of-privilege attacks that do not actually involve exploiting any security vulnerability.
• Disadvantages
  – Will not detect an attack that does not significantly change the measured characteristics.
  – Falsely detects a one-time legitimate anomaly as an attack.
  – High false alarm rate.
  – Sometimes the behaviour of network users is not static enough to be analysed using statistical methods.
  – The network may experience an attack at the same time the IDS is learning the behaviour, so the attack is learned as "normal".

Issues Related to Effective Use of IDSs (1)
• From the attacker's point of view, he will be compelled to use better techniques to attack systems.
• Attackers will use encrypted channels to transmit malicious material, blinding payload inspection.
• Data must be interoperated and correlated across many networks for effective use of an IDS.
• Increased network traffic is a problem: the sensor must keep up or it drops packets.

Issues Related to Effective Use of IDSs (2)
• Risks inherent in taking inappropriate automated response actions (an attacker can spoof traffic to make the IDS block a legitimate host).
• Attacks on IDSs themselves.
• Lack of objective criteria for evaluating the suitability of an IDS.
• Most computer infrastructure is not designed to operate securely.

Honeypots
• A different way in which intrusion detection can be done.
• decoy systems to lure attackers
  – away from accessing critical systems
  – to collect information about their activities
  – to encourage the attacker to stay on the system so the administrator can respond
• are filled with fabricated information
• instrumented to collect detailed information on attackers' activities
• may be single or multiple networked systems

Honeypot Operations (1)
• The main uses of honeypots are:
  – Preventing attacks
  – Detecting attacks
  – Responding to attacks
• Preventing attacks
  – Slowing or impeding scans initiated by worms or automated attacks, by monitoring unused IP space and detecting scanning activity.
  – Consuming the attacker's energy through interaction with a honeypot while the attack is detected, analysed and handled.
  – Deterring an attack by a cracker who suspects a network employs honeypots and is concerned about getting caught.

Honeypot Operations (2)
• Detecting attacks
  – The ability to capture new and unknown attacks.
  – The ability to capture polymorphic code.
  – They reduce the amount of data that has to be analysed, since any traffic to a honeypot is suspect by definition (it offers no legitimate service).
• Responding to attacks
  – Honeypots can be taken offline for analysis and to prepare a response, without disrupting production systems.
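The statistical anomaly detector described above, together with the base-rate arithmetic from the Base-Rate Fallacy slide, as an added example that is not code from the lecture. It builds a profile from a learning period, alarms on deviations, and then exercises the listed disadvantages: a one-off legitimate spike is flagged, a low-and-slow attack is missed, an attack present during learning is absorbed into the profile, and a rare event class makes most alarms false. The metric (failed logins per hour), the threshold and every sample value are assumptions constructed for the example.

```python
"""Added example: statistical anomaly detection on a per-user profile.

Not code from the lecture. The metric, thresholds and all samples are
assumptions constructed to illustrate the slides.
"""
import statistics
from typing import Dict, List, Tuple

Profile = Tuple[float, float]           # (mean, population standard deviation)

# Constructed learning period: failed-login counts for one user over 20 hours.
BASELINE: List[int] = [0, 1, 0, 2, 1, 0, 1, 3, 0, 1, 2, 1, 0, 1, 1, 0, 2, 1, 0, 1]


def build_profile(samples: List[int]) -> Profile:
    """Summarise the learning period as mean and standard deviation."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def z_score(value: float, profile: Profile) -> float:
    mean, sd = profile
    if sd == 0.0:
        # Constant baseline: anything different is infinitely far from normal.
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def is_anomalous(value: float, profile: Profile, threshold: float = 3.0) -> bool:
    """Alarm when the observation lies more than `threshold` deviations above normal."""
    return z_score(value, profile) > threshold


def evaluate(stream: List[Tuple[int, bool]], profile: Profile) -> Dict[str, int]:
    """Run the detector over labelled observations (count, is_attack) and tally
    true/false positives and negatives."""
    tally = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for value, is_attack in stream:
        alarm = is_anomalous(value, profile)
        key = ("tp" if alarm else "fn") if is_attack else ("fp" if alarm else "tn")
        tally[key] += 1
    return tally


def alarm_precision(base_rate: float, tpr: float, fpr: float) -> float:
    """Base-rate fallacy: P(intrusion | alarm) by Bayes' rule, from the fraction of
    events that are intrusions and the detector's true/false positive rates."""
    true_alarms = base_rate * tpr
    false_alarms = (1.0 - base_rate) * fpr
    return true_alarms / (true_alarms + false_alarms)


# Constructed monitoring period with ground truth.
STREAM: List[Tuple[int, bool]] = [
    (1, False), (0, False), (2, False),
    (12, True),    # brute-force burst: far outside the profile, caught
    (1, False),
    (5, False),    # admin mistyping a freshly rotated password: one-off, falsely flagged
    (2, True),     # low-and-slow guessing inside the normal range: missed
    (0, False),
]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print("profile mean=%.2f sd=%.2f" % profile)
    print("tally", evaluate(STREAM, profile))
    # Learning while under attack: the burst becomes part of "normal".
    poisoned = build_profile(BASELINE + [12, 12, 12])
    print("12 still anomalous after poisoned learning?", is_anomalous(12, poisoned))
    # 1 intrusion per 10,000 events, 99% detection rate, 1% false-alarm rate.
    print("P(intrusion | alarm) = %.3f" % alarm_precision(1e-4, 0.99, 0.01))
```

With the constructed figures the detector catches the burst but also flags the legitimate spike and misses the slow attack; after three attack hours leak into the learning period the same burst falls inside the profile and is no longer reported. The precision call shows the base-rate fallacy directly: a 99%-accurate detector with a 1% false-alarm rate, facing one intrusion in ten thousand events, is right on only about one alarm in a hundred.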
Viruses and Other Malicious Content
• computer viruses have got a lot of publicity
• one of a family of malicious software
• effects usually obvious
• have figured in news reports, fiction, movies (often exaggerated)
• getting more attention than they deserve
• are a concern though

Malicious Software

Trapdoors
• secret entry point into a program
• allows those who know of it to gain access, bypassing the usual security procedures
• have commonly been used by developers for debugging and testing
• a threat when left in production programs, allowing exploitation by attackers
• very hard to block at the O/S level
• requires good s/w development and update practices

Logic Bomb
• one of the oldest types of malicious software
• code embedded in a legitimate program
• activated when specified conditions are met
  – eg presence/absence of some file
  – particular date/time
  – particular user
• when triggered typically damages the system
  – modify/delete files/disks

Trojan Horse
• program with hidden side-effects
• which is usually superficially attractive
  – eg game, s/w upgrade etc
• when run performs some additional tasks
  – allows the attacker to indirectly gain access they do not have directly
• often used to propagate a virus/worm or install a backdoor
• or simply to destroy data

Zombie
• program which secretly takes over another networked computer
• then uses it to indirectly launch attacks
• often used to launch distributed denial of service (DDoS) attacks
• exploits known flaws in network systems

Viruses
• a piece of self-replicating code attached to some other code
  – cf biological virus
• both propagates itself and carries a payload
  – carries code to make copies of itself
  – as well as code to perform some covert task

Virus Operation
• virus phases:
  – dormant: waiting on a trigger event
  – propagation: replicating to programs/disks
  – triggering: by an event, to execute the payload
  – execution: of the payload
• details usually machine/OS specific
  – exploiting features/weaknesses

Virus Structure
• pseudocode; the constant 1234567 is a marker written as the first line of each infected file so the virus can recognise files it has already infected and not infect them twice

    program V :=
    {goto main;
     1234567;

     subroutine infect-executable :=
       {loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567)
          then goto loop
          else prepend V to file;
       }

     subroutine do-damage :=
       {whatever damage is to be done}

     subroutine trigger-pulled :=
       {return true if some condition holds}

    main: main-program :=
       {infect-executable;
        if trigger-pulled then do-damage;
        goto next;}

    next:
    }

Types of Viruses
• can classify on the basis of how they attack:
  – parasitic virus
  – memory-resident virus
  – boot sector virus
  – stealth virus
  – polymorphic virus
  – macro virus

Macro Virus
• macro code attached to some data file
• interpreted by the program using the file
  – eg Word/Excel macros
  – esp. using auto-execute and command macros
• code is now platform independent
• is a major source of new viral infections
• blurs the distinction between data and program files, making detection much harder
• classic trade-off: "ease of use" vs "security"

Email Virus
• spread using email with an attachment containing a macro virus
  – cf Melissa
• triggered when the user opens the attachment
• or worse, even when the mail is merely viewed, by using scripting features in the mail agent
• usually targeted at the Microsoft Outlook mail agent and Word/Excel documents

Worms
• replicating but not infecting program: it runs as a stand-alone process rather than attaching itself to a host program
• typically spreads over a network
  – cf Morris Internet Worm in 1988
  – led to creation of CERTs
• using users' distributed privileges or by exploiting system vulnerabilities
• widely used by hackers to create zombie PCs, subsequently used for further attacks, esp DoS
• major issue is the lack of security of permanently connected systems, esp PCs

Worm Operation
• worm phases are like those of viruses:
  – dormant
  – propagation
    • search for other systems to infect
    • establish connection to the target remote system
    • replicate self onto the remote system
  – triggering
  – execution

Virus Countermeasures
• viral attacks exploit the lack of integrity control on systems
• to defend need to add such controls
• typically by one or more of:
  – prevention - block the virus infection mechanism
  – detection - of viruses in an infected system
  – reaction
    – restoring the system to a clean state

Anti-Virus Software
• first-generation
  – scanner uses a virus signature to identify the virus
  – or a change in the length of programs
• second-generation
  – uses heuristic rules to spot a viral infection
  – or uses program checksums to spot changes
• third-generation
  – memory-resident programs identify a virus by its actions
• fourth-generation
  – packages with a variety of antivirus techniques
  – eg scanning and activity traps, access controls

Advanced Anti-Virus Techniques
• generic decryption
  – runs a suspect program on a CPU emulator: a polymorphic virus must decrypt its own body as it starts, so after emulating its first instructions the scanner can check the now-decrypted body against signatures and observe its behaviour before the real CPU ever executes it
• digital immune system (IBM)
  – general purpose emulation and virus detection
  – any virus entering the organisation is captured, analysed, detection/shielding is created for it, and it is removed
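The first- and second-generation checks from the Anti-Virus Software slide, which are also the critical-file monitoring a host based IDS performs, as an added example that is not code from the lecture. It uses the 1234567 marker from the lecture's virus pseudocode as the stored signature, a length check, and a SHA-256 checksum baseline, over constructed in-memory "files". The file names, contents and the infection routines are assumptions made for the example; none of the byte strings are real executables.

```python
"""Added example: first- and second-generation anti-virus checks.

Not code from the lecture. Files, contents and the simulated infections are
constructed for the example; the signature is the lecture's 1234567 marker.
"""
import hashlib
from typing import Dict, List, Tuple

Files = Dict[str, bytes]

# The marker the lecture's pseudo-virus writes as the first line of an infected
# file so it can skip files already carrying it. A scanner can use the same marker
# as a signature.
VIRUS_MARKER = b"1234567"
SIGNATURES: Dict[str, bytes] = {"lecture-virus": VIRUS_MARKER}

# Constructed "clean" executables.
CLEAN: Files = {
    "ls":  b"\x7fELF-ls-clean-code-v1",
    "cat": b"\x7fELF-cat-clean-code-v1",
}


def signature_scan(files: Files, sigs: Dict[str, bytes] = SIGNATURES) -> Dict[str, List[str]]:
    """First generation: report which known signatures appear in each file."""
    hits = {}
    for name, data in files.items():
        found = [sig for sig, pattern in sigs.items() if pattern in data]
        if found:
            hits[name] = found
    return hits


def baseline(files: Files) -> Dict[str, Tuple[int, str]]:
    """Record length and SHA-256 of every file while the system is known clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}


def integrity_check(files: Files, base: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Second generation: flag files whose length or checksum no longer matches the
    baseline. Length alone is the first-generation check; the checksum also catches
    same-length modifications."""
    findings = []
    for name, data in files.items():
        if name not in base:
            findings.append((name, "new-file"))
            continue
        length, digest = base[name]
        if len(data) != length:
            findings.append((name, "length-changed"))
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append((name, "checksum-changed"))
    return findings


def infect_prepend(files: Files, name: str) -> Files:
    """Simulate the lecture's 'prepend V to file': marker + virus body + original."""
    out = dict(files)
    out[name] = VIRUS_MARKER + b"\n<virus-body>\n" + files[name]
    return out


def infect_polymorphic(files: Files, name: str, key: int = 0x5A) -> Files:
    """Same growth, but the marker is stored XOR-encoded, so the stored byte
    signature no longer matches (a crude polymorphic variant)."""
    encoded = bytes(b ^ key for b in VIRUS_MARKER)
    out = dict(files)
    out[name] = encoded + b"\n<decoder-stub><virus-body>\n" + files[name]
    return out


def patch_in_place(files: Files, name: str) -> Files:
    """Overwrite bytes without changing the length (a cavity-style modification)."""
    out = dict(files)
    data = bytearray(files[name])
    data[-2:] = b"v9"                  # same length, different content
    out[name] = bytes(data)
    return out


if __name__ == "__main__":
    base = baseline(CLEAN)
    infected = infect_prepend(CLEAN, "ls")
    print("signature scan:", signature_scan(infected))        # {'ls': ['lecture-virus']}
    print("integrity:", integrity_check(infected, base))      # [('ls', 'length-changed')]
    poly = infect_polymorphic(CLEAN, "ls")
    print("polymorphic, signature:", signature_scan(poly))    # {} : signature misses it
    print("polymorphic, integrity:", integrity_check(poly, base))
    patched = patch_in_place(CLEAN, "cat")
    print("same-length patch:", integrity_check(patched, base))
```

The signature scan recognises the plain infection and nothing else; the length check catches any infection that grows the file, including the polymorphic one, but not the same-length patch; only the checksum catches all three. That is why integrity baselines are the control the Virus Countermeasures slide calls for, and why the baseline must be taken while the system is known to be clean and stored where the virus cannot rewrite it.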