The pseudo internal intruder a new access oriented intruder category
Sponsored Links
This presentation is the property of its rightful owner.
1 / 29

The Pseudo-Internal Intruder: A New Access Oriented Intruder Category PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

The Pseudo-Internal Intruder: A New Access Oriented Intruder Category. Master’s Thesis Presentation Brownell K. Combs May 7, 1999. Outline. Why are we concerned with intruders and what can we do about them? How does categorizing intruders help intrusion detection research?

Download Presentation

The Pseudo-Internal Intruder: A New Access Oriented Intruder Category

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

The pseudo internal intruder a new access oriented intruder category

The Pseudo-Internal Intruder: A New Access Oriented Intruder Category

Master’s Thesis Presentation

Brownell K. Combs

May 7, 1999



  • Why are we concerned with intruders and what can we do about them?

  • How does categorizing intruders help intrusion detection research?

  • What is the Pseudo-Internal Intruder?

  • What can the Pseudo-Internal Intruder do?

  • How can we defend against it?

  • How do these defenses work?

The problem of intrusions

The Problem of Intrusions

  • CSI/FBI 1999 Computer Crime and Security Survey (4th Annual Report)

    • Approx. $124,000,000 in Financial Losses

    • Only 1% Claimed No Security Incident

  • CERT statistics show 67% increase in incidents handled annually from ‘94 to ‘98

Intrusion detection systems

Intrusion Detection Systems

  • Many think that it may never be possible to create ‘completely secure’ systems

  • IDS is the next best thing

  • Owners of systems want one or more of the following:

    • recognize presence of an intruder

    • prevent them from doing harm

    • make similar future intrusion more difficult

    • attempt to catch the intruder

Ids research

IDS Research

  • Studying Intruders (techniques, habits, etc) is an important area of IDS research

  • Researchers in the field and IDS builders in industry must have some scheme with which to categorize intruders

  • These schemes serve as a basic framework for discussing and thinking about the issue of Intrusion Detection

Intruder categories

Intruder Categories

  • 2 main approaches to placing intruders into different categories

  • Intruder oriented: focus on the intruder’s access to the system

    • Anderson’s classic external/internal scheme

  • Attack oriented: focus on the attack the intruder executes

    • Neumann’s modes of compromise scheme

What scheme do we need

What scheme do we need?

  • Least amount of category ambiguity for IDS Designers and SysAdmins

  • This best provided by narrowly defined categories that are distinct from one another

    • Example: How useful is it to have an ‘external intruder’ category that refers to both Internet Hackers and janitors inside the building?



  • Physical Configuration - all of the hardware used in a distributed system included the location of each item

  • Network Configuration - how all of those hardware items are connected and how they interact with each other

  • Net/Phy Perimeter - separation between a distributed system’s net/phy configuration and the rest of the world.

Sample physical configuration

Sample Physical Configuration

Sample network configuration

SampleNetwork Configuration

Pseudo internal intruder

Pseudo-Internal Intruder

  • A new distinct category for the access oriented intruder categorization scheme

  • P-I Intruder is an intruder without the privileges of an authorized user and who has circumvented the perimeter defenses of a system to attack the system via its internal network (network configuration)

Box diagram of access oriented categories

Box Diagram of Access Oriented Categories

3 kinds of p i intruders

3 kinds of P-I Intruders

  • Insiders with physical access (desktop connection, wiring closets, server rooms)

  • Outsiders with same physical access as above (gained through subterfuge or force)

  • Outsiders with special data access (personal modems that circumvent perimeter defense)

Tools and techniques

Tools and Techniques

  • 1) Network Assessment Tools

    • Active and Passive

  • 2) Packet Sniffers

    • Hardware and Software

  • 3) Exploits

    • Steps executed in a certain order

  • 4) Denial of Service Attacks

    • Network Saturation and Traffic Misdirection

Example scenario 1 industrial espionage agent

Example Scenario #1: Industrial Espionage Agent

  • #1 gains employment with custodial services and has access to wiring closets

  • Connects a hardware sniffer to the network for several days

  • Removes the sniffer and finds it captured sensitive communications between senior company executives

  • Mission Accomplished

Example scenario 2 disgruntled employee

Example Scenario #2: Disgruntled Employee

  • #2 is a basic network user with access to multiple desktop connection

  • Runs a network assesment tool and software sniffer off of a shared machine

  • Finds multiple vulnerabilities and an account and password of a SysAdmin

  • Logs in as SysAdmin (becomes an Internal Intruder) and deletes databases.

  • Mission Accomplished

Defending against the pseudo internal intruder

Defending Against the Pseudo-Internal Intruder

  • Three phases:

    • Deny intruders access to the system

    • Mitigate the consequences of intruders gaining access to the system

    • Detect, Monitor, and Record any intrusions

  • Since Pseudo-Internal Intruders require access to the internal network, we will focus on it when examining these steps

Preventing intruder access

Preventing Intruder Access

  • Physical Perimeter Security: stop as many potential intruders as possible from gaining physical access to the system (Guards, Gates, Locked Doors, etc.)

  • Physical configuration control: ensuring that unauthorized hardware is not introduced to the system and authorized hardware is not used for unauthorized actions (TEMPEST, Conduit, Metal Cases)

Mitigating intruder access

Mitigating Intruder Access

  • If an intruder cannot read information or write (affect a change) to the system then the danger of an intruder is diminished

  • Network configuration control: managing the aspects of the network configuration to ensure the highest degree of security

    • Encrypt Communications, Switched-Intelligent hubs and routers, smaller segments, etc.

Detecting intruder access

Detecting Intruder Access

  • Network configuration monitoring: continuously observing all aspects of the network configuration searching for evidence of intruders

  • If an intruder does gain access to the system the most effective response will be a human one. Successful monitoring and reporting allows a quick response from SysAdmins

Case study two phases

Case Study - Two Phases

  • Execute a set of Pseudo-Internal Intruder attacks against a testbed system with state of practice security measures

    • CSI/FBI ‘99 Survey showed only 42 out of 501 respondents used any intrusion detection

  • Execute the same set of attacks against the testbed system after implementing the security recommendations of the thesis

Case study the attacks

Case Study - The Attacks

  • 1)Packet Sniffer – Software [Laptop]

  • 2)Network Assessment Tool – Active [Rogue Outside Connect]

  • 3)Exploit – Ping of Death [Laptop]

  • 4)Exploit (Hacker Program) – WinNuke (Ping of Death) [Laptop]

  • 5)Denial of Service Attack – Ping Flood [Laptop]

  • 6)Denial of Service Attack – Smurf Attack [Rogue Outside Connect]

Case study phase 1 network configuration

Case Study Phase 1 - Network Configuration

Case study changes made for phase 2

Case Study - Changes made for Phase 2

  • Network divided into 2 segments

  • All Mission Crit. Communication Encrypted

  • Network Intrusion Detection Monitoring Device placed in Mission Crit. Segment

  • Network scanned for unknown IP and MAC addresses

  • RMON monitoring utilities used

Case study phase 2 network configuration

Case Study Phase 2 - Network Configuration

Case study the results

Case Study - The Results

  • Security Changes addressed the vulnerabilities discovered in phase 1

    • No access control for devices using network

    • No network traffic control mechanisms

    • No internal network monitoring for intruders

  • Network Configuration Monitoring and Network Configuration Control decrease the danger of a P-I Intruder to systems



  • The Pseudo-Internal Intruder Category addresses an area of system security that did not exist prior to the proliferation of distributed systems

  • The category provides a platform on which to understand and define the capabilities of this new type of intruder, thereby facilitating the detection and defense against such intruders

Access oriented anderson

Access Oriented: Anderson

  • External: unauthorized users attacking a system through external data connections

  • Internal:

    • Legitimate: authorized for part of system

    • Masqueraders: unauthorized users logged in as legitimate users

    • Clandestine: users logged in that have the power to turn off some audit logs

Attack oriented neumann

Attack Oriented: Neumann

  • Compromise from outside: come from above or laterally at same abstraction layer (security and logic flaws)

  • Compromises from within: obtained with privileges of the given layer

  • Compromises from below: come from a lower layer of abstraction (OS, hardware based attacks)

  • Login