USTAT A Real-time Intrusion Detection System for UNIX By: Koral Ilgun

/ 20 []
Download Presentation
(1082) |   (0) |   (0)
Views: 60 | Added:
Rate Presentation: 0 0
USTAT A Real-time Intrusion Detection System for UNIX By: Koral Ilgun. Overview:. Introduction to USTAT -- State Transition Analysis Tool for Unix Key issues System components Implementation issues Evaluation of USTAT. Introduction to USTAT. Misuse detector
USTAT A Real-time Intrusion Detection System for UNIX By: Koral Ilgun

An Image/Link below is provided (as is) to

Download Policy: Content on the Website is provided to you AS IS for your information and personal use only and may not be sold or licensed nor shared on other sites. SlideServe reserves the right to change this policy at anytime. While downloading, If for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Slide1 l.jpgSlide 1


A Real-time Intrusion Detection System for UNIX

By: Koral Ilgun

Overview l.jpgSlide 2


  • Introduction to USTAT --

    • State Transition Analysis Tool for Unix

  • Key issues

  • System components

  • Implementation issues

  • Evaluation of USTAT

Introduction to ustat l.jpgSlide 3

Introduction to USTAT

  • Misuse detector

  • A penetration is (viewed as) a sequence of signature actions and a corresponding sequence of state changes that lead the computer from some initial state to a target compromised state

  • Basic Properties of USTAT

    • Real-time expert system intrusion detection tool

    • Rule-based analysis

    • Only for known penetrations

    • Targets abusive insiders

Comparison between ustat and other intrusion detection systems l.jpgSlide 4

Comparison between USTAT and other intrusion detection systems

  • Statistical anomaly detection

    • threshold detection

    • profile-based

  • Rule-based misuse detection

    • it is an expert system

  • Most current intrusion detection tools employ both the anomaly detection and (rule-based) misuse detection components

State transition analysis l.jpgSlide 5

State Transition Analysis

  • View a penetration as

  • a (known) sequence of actions S1, S2, …,Sn

  • that lead from an initial (limited authorized) access state, S1

  • to a final compromised state, Sn

State transition analysis cont l.jpgSlide 6

State Transition Analysis (cont)

  • State really represents some attribute of the system – not the whole system state

  • State is generic, e.g. “user is now root”

  • Penetration sequence represented by finite state machine

    • node is a state

    • arc is an action (or transition)

Examples l.jpgSlide 7


  • % ln target -x

  • % -x

User creates link

User executes file

euid(user) = root

euid(user) = not root

File ‘target’ is root’s setuid shell script that contains

the #!/bin/sh mechanism

Examples cont l.jpgSlide 8

Examples (cont):

  • 1. Attacker creates hard link starting with dash to root’s setuid shell script that contains the #!/bin/sh mechanism

  • 2. Attacker executes “-x”

  • Insight: Creating hard link ==> new directory entry is created with target’s original privileges and ownership information

  • Target can be accessed via any link to it

  • Executing shell script containing #!/bin/sh invokes a sub-shell

  • Sub-shell becomes interactive (because of the “-”)

  • Attacker is thus executing a setuid file owned by root, so shell has effective ID of root

Examples cont9 l.jpgSlide 9

Examples (cont):

  • Two actions/transitions:

    • make hardlink

    • execute “-x”

  • Three states:

    • Initial state: euid = user (not root)

    • Intermediate state: hardlink established

    • Final compromise state: not euid = user

I.e. a user (non-root) running an interactive shell

with an effective user id of root

Features of ustat l.jpgSlide 10

Features of USTAT

  • Preempts attacks:

    • USTAT monitors state transitions

      • Note that they can span multiple sessions

    • It foresees impending compromise -- at least one transition away

  • Recognizes cooperative attacks

    • Note that USTAT is not tied to users or processes

    • It reflects state of the system

    • So, it can detect state resulting from actions by multiple users

Ustat input l.jpgSlide 11

USTAT input

  • Audit records of the form, <subject, action, object>

  • Subject is <real userID, effective userID, groupID>

  • Action is <action, time, processID>

  • Object is <object name, permissions, owner, group owner, inode #, device #, file systemID, target>

  • All information can be obtained directly from Unix audit records

Ustat input cont l.jpgSlide 12

USTAT input (cont)

  • Unix audits 239 event types

  • Only 28 are useful to USTAT

  • They are mapped down to 10 USTAT action types

  • Filters out all failed command events early, i.e. all the events with a return value of -1

Ustat simplifications cont l.jpgSlide 13

USTAT simplifications (cont)

  • All (audited) actions mapped to a small set:

    • read write create execute

    • exit delete modify-owner rename

    • modify-permission hardlink

  • Files are categorized: E.g. all files that should not be accessed via regular utilities (because they hold sensitive data) are mapped to “Fileset1”

    • 5 “filesets”

  • Ustat monitoring l.jpgSlide 14

    USTAT monitoring

    • Monitors for all known penetrations simultaneously

    • Finite state machine for each known penetration

    • Maintains state tables

      • Row represents instance of not yet completed penetration

      • Column represents states in penetration scenario

      • Cell holds detailed info, e.g. userID, actual file names, etc

    Ustat initial state table l.jpgSlide 15

    USTAT INITIAL state table

    • One row for each known penetration, I.e. each possible penetration is in its initial state

    • Initial action/transition for each is anticipated

    • Inference Engine accepts audit input

      • For each row, it asks: does this audit event match the “next transition” anticipated for this row such that the next state is satisfied

      • If so, duplicate the row and mark “details” for the now satisfied state

    Decision engine l.jpgSlide 16

    Decision Engine

    Informs sys admin about results of the inference engine

    Is compromise about to occur?

    Has compromise occurred?

    Play an active role in preempting the attack!

    However, note that USTAT input comes from

    the OS (Unix) audit log

    Strength and weakness of ustat l.jpgSlide 17

    Strength and weakness of USTAT

    • Strength:

      • Flexibility

      • Real-time -- preempts attack before system is damaged

      • Detects cooperative attacks

    • Weakness - Cannot cope with the following attacks:

      • Manipulation of components outside the system’s execution domain, e.g., wiretapping

      • Denial of service attacks

      • Failures

    Evaluation of ustat l.jpgSlide 18

    Evaluation of USTAT

    • Massive amount of data that was collected by the audit daemon limited extensive testing

    • Limiting factor is the transfer rate of the disk that is extensively used by USTAT and the audit daemon

    • USTAT functionality costs 13% of machine

    • Papers do not indicate number of penetrations that can be described as state transition diagram

    Nstat ustat for distributed systems l.jpgSlide 19

    NSTAT – USTAT for Distributed Systems

    • Similar “state-based” approach

    • Input: audit data from multiple hosts

    • Objective: detect coordinate attack

    • Central server processes input

    • Time – how to deal with skewed clocks?

    • Vulnerability of NSTAT server

    Compare l.jpgSlide 20


    • Tripwire -- Integrity of file data

    • GrIDs -- graph nodes (or accumulated groups of nodes) with arcs depicting message traffic

    • USTAT -- monitor for known penetrations, tracking state changes that progress toward compromise

    Copyright © 2015 SlideServe. All rights reserved | Powered By DigitalOfficePro