1 / 55

Intruders and Viruses

Henric Johnson. 2. Outline. IntrudersIntrusion TechniquesPassword ProtectionPassword Selection StrategiesIntrusion DetectionViruses and Related ThreatsMalicious ProgramsThe Nature of VirusesAntivirus ApproachesAdvanced Antivirus TechniquesRecommended Reading and WEB Sites. Henric Johnso

rusk
Download Presentation

Intruders and Viruses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Henric Johnson 1 Chapter 9 Intruders and Viruses

    2. Henric Johnson 2 Outline Intruders Intrusion Techniques Password Protection Password Selection Strategies Intrusion Detection Viruses and Related Threats Malicious Programs The Nature of Viruses Antivirus Approaches Advanced Antivirus Techniques Recommended Reading and WEB Sites

    3. Henric Johnson 3 Intruders Three classes of intruders (hackers or crackers): Masquerader, Misfeasor, and Clandestine user. Masquerader An unauthorized user who penetrates a computer system’s access control and gains acccess to user accounts.

    4. Henric Johnson 4 Intruders Misfeasor >A legitimate user who accesses resources he is not authorized to access. >Who is authorized such access but misuses his privileges. Clandestine user A user who seizes the supervisory control of the system and uses it to evade auditing and access control.

    5. Henric Johnson 5 Intrusion Techniques Objective: An intruder wants to gain access to a system. >>Access is generally protected by passwds. System maintains a file that associates a password with each authorized user. Password file can be protected with: One-way encryption and Access control

    6. Henric Johnson 6 Intrusion Techniques One-way encryption: >A system stores passwds only in encrypted form. >One-way transformation //not invertible.// Access Control >Access to the passwd file is limited to very few people.

    7. Henric Johnson 7 Intrusion Techniques Techniques for guessing passwords: Try default passwords. (used with standard accounts that are shipped with systems.) Try all short words, 1 to 3 characters long. Try all the words in an electronic dictionary (60,000). Collect information about the user’s hobbies, family names, birthday, etc.

    8. Henric Johnson 8 Intrusion Techniques Techniques for guessing passwords:.. Try user’s phone number, social security number, street address, etc. Try all license plate numbers (MUP103). Use a Trojan horse (to bypass restrictions on access). Tap the line between a remote user and the host system. Prevention: Enforce good password selection (Ij4Gf4Se%f#)

    9. Henric Johnson 9 UNIX Password Scheme Passwords are stored in crypted form. User selects a password of chars. This password serves as the key to an encryption routine. Encryption routine is a modified version of DES. 12 bit Salt is used for modification. Salt: related to time the password is assigned.

    10. Henric Johnson 10 UNIX Password Scheme Modified DES is used with data input as 64-bit block of zeros. This process is repeated 25 times. The resulting output is translated into an 11 chars sequence. (cipher passwd) Ciphertext password is stored in the table together with Salt.

    11. Henric Johnson 11 UNIX Password Scheme

    12. Henric Johnson 12 UNIX Password Scheme

    13. Henric Johnson 13 Storing UNIX Passwords UNIX passwords were kept in a publicly readable file, etc/passwords. Now they are kept in a “shadow” directory and only visible to “root”.

    14. Henric Johnson 14 ”Salt” The salt serves three purposes: Prevents duplicate passwords from being visible in the password file. //even if two users choose the same password, their ciphertexts will differ// Effectively increases the length of the password (by two chars). //makes password guessing difficult// Prevents the use of hardware implementations of DES.

    15. Henric Johnson 15 Password Selecting Strategies Goal: Eliminate guessable passwords while allowing users to select passwords that are memorable. 1. User education >Told the importance of hard-to-guess passwds. >Provided guidelines to select strong passwords. >Many users ignore guidelines.

    16. Henric Johnson 16

    17. Henric Johnson 17

    18. Henric Johnson 18 Proactive Password Checking Problem: How to efficiently and effectively check for passwords. >It is not practical to maintain a list of bad passwords and check it. >Two compact ways: Markov model and Bloom filters.

    19. Henric Johnson 19 Proactive Password Checking Markov model: >Each state represents a chars. >The current state denotes the most recent char/letter. >Transition from a state to another state denotes the next char. >Transitions have probability associated to them.

    20. Henric Johnson 20 Markov Model

    21. Henric Johnson 21 Markov Model Main problem: Building the transition matrix. The Markov chain should reflect the structure of words in the dictionary. All strings generated by the MC denote bad passwords. A dictionary of guessable words is created. Transition matrix is computed as follows:

    22. Henric Johnson 22 Transition Matrix Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth character. Example: Password firefly consists of the following trigrams: fir, ire, ref, efl, fly.

    23. Henric Johnson 23 Transition Matrix 2. For each bigram ij, calculate f(i,j, ) as the total number of trigrams beginning with ij. 3. Compute the entries of T as follows:

    24. Henric Johnson 24 Markov Model Checking for a bad password: >Passwords (strings) generated by the Markov model are rejected. >For a given password, transition probabilities of trigrams are looked up. >Statistical tests are performed to see if this password is likely by the model. >Passwords likely by the model are rejected.

    25. Henric Johnson 25 Spafford (Bloom Filter) where

    26. Henric Johnson 26 Bloom Filter False positive: A password that is not in the dictionary but it produces a match in the table. Example: hogan and bogan are present in the dictionary, but logan is not. H1(hogan)=32, H1(bogan)=76, H1(logan)=45 H2(hogan)=45, H2(hogan)=91, H2(logan)=32 >False positive cause a valid password to be rejected. >False positive should be minimized.

    27. Henric Johnson 27 Spafford (Bloom Filter) Design the hash scheme to minimize false positive. Probability of false positive:

    28. Henric Johnson 28 Performance of Bloom Filter

    29. Henric Johnson 29 The Stages of a Network Intrusion 1. Scan the network to: • locate which IP addresses are in use, • what operating system is in use, • what TCP or UDP ports are “open” (being listened to by Servers). 2. Run “Exploit” scripts against open ports 3. Get access to Shell program which is “suid” (has “root” privileges). 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. 5. Use IRC (Internet Relay Chat) to invite friends to the feast.

    30. Henric Johnson 30 Intusion Detection Intrusion prevent may fail and intrusion detection is the next best defense. Motivations: If the intruder can be identified quickly enough, he can be ejected from the system and damage can be minimized. An effective intrusion detection can prevent intrusions. //can act as a deterrent//

    31. Henric Johnson 31 Intusion Detection Motivations:... Collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility. Intrusion detection basis: “The behavior of intruders differs from that of a legitimate user in a quantifiable way.”

    32. Henric Johnson 32 Profiles of Behavior of Intruders and Authorized Users

    33. Henric Johnson 33 Intrusion Detection There is likely to be some overlap in the behavior. Will generate “false positives”: Some authorized users will be branded as intruders. >If false positives are completely eliminated, some intruders will go undetected.

    34. Henric Johnson 34 Intrusion Detection Two approaches are used: 1. Statistical anomaly detection >History of legitimate users is collected and a user profile is built. >Statistical tests are applied to the observed behavior to determine if it is an intrusion. --Two approaches are used.

    35. Henric Johnson 35 Intrusion Detection Treshold detection Uses thresolds for the frquency of occurrence of various events. Profile based User profile is used to detect changes in the behavior of a user. 2. Rule based detection Defines a set of rules that can be used to decide if a behavior is that of an intruder.

    36. Henric Johnson 36 Intrusion Detection 2. Rule based detection... >Two approaches. Anomaly detection Rules detect deviation from previous usage patterns. Penetration identification An expert system-based approach that searches for suspicious behavior.

    37. Henric Johnson 37 Measures used for Intrusion Detection Login frequency by day and time. Frequency of login at different locations. Time since last login. Password failures at login. Execution frequency. Data transfers Read, write, create, delete frequency. Failure count for read, write, create and delete.

    38. Henric Johnson 38 Distributed Intrusion Detection Early IDSs were for single-stand alone systems (centralized IDS). A more effective defense can be achieved by cooperation among several intrusion detection systems across the network. >A diagram of such system (next slide)

    39. Henric Johnson 39 Distributed Intrusion Detection

    40. Henric Johnson 40 Distributed ID Consists of three components: 1. Host agent module: Collects data on security related events on the host and passes them to the central manager. 2. LAN Monitor agent module: It analyzes LAN traffic and reports results to the central manager. (host-host connections, services used, volume of traffic, rlogin activity, etc.)

    41. Henric Johnson 41 Distributed ID… 3. Central Manager module: >Receives reports from host agents and LAN monitor. >Processes and correlates the reports to detect intrusions. >Typically includes an expert system that draws inferences from the received data.

    42. Henric Johnson 42 Distributed Intrusion Detection

    43. Henric Johnson 43 Viruses and ”Malicious Programs” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”). Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).

    44. Henric Johnson 44 Taxanomy of Malicious Programs

    45. Henric Johnson 45 Definitions Virus - code that copies itself into other programs. A “Bacteria” replicates until it fills all disk space, or CPU cycles. Payload - harmful things the malicious program does, after it has had time to spread. Worm - a program that replicates itself across the network (usually riding on email messages or attached documents (e.g., macro viruses).

    46. Henric Johnson 46 Definitions Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net). Logic Bomb - malicious code that activates on an event (e.g., date). Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users. Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.

    47. Henric Johnson 47 Virus Phases Dormant phase - the virus is idle Propagation phase - the virus places an identical copy of itself into other programs Triggering phase – the virus is activated to perform the function for which it was intended Execution phase – the function is performed

    48. Henric Johnson 48 Virus Protection

    49. Henric Johnson 49 Virus Structure

    50. Henric Johnson 50 A Compression Virus

    51. Henric Johnson 51 Types of Viruses Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs. Memory-resident Virus - Lodges in main memory as part of the residual operating system. Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses). Stealth Virus - explicitly designed to hide from Virus Scanning programs. Polymorphic Virus - mutates with every new host to prevent signature detection.

    52. Henric Johnson 52 Macro Viruses Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File). Platform independent. Infect documents, delete files, generate email and edit letters.

    53. Henric Johnson 53 Antivirus Approaches 1st Generation, Scanners: searched files for any of a library of known virus “signatures.” Checked executable files for length changes. 2nd Generation, Heuristic Scanners: looks for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes. 3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files). 4th Generation, Full Featured: combine the best of the techniques above.

    54. Henric Johnson 54 Advanced Antivirus Techniques Generic Decryption (GD) CPU Emulator Virus Signature Scanner Emulation Control Module For how long should a GD scanner run each interpretation?

    55. Henric Johnson 55 Advanced Antivirus Techniques

    56. Henric Johnson 56 Recommended Reading and WEB Sites Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990 CERT Coordination Center (WEB Site) AntiVirus Online (IBM’s site)

More Related