Intruders and Viruses - PowerPoint PPT Presentation

Presentation Transcript

  1. Intruders and Viruses • Intruders • Password protection • Password selection strategies • Intrusion detection • Malicious Programs • The Nature of Viruses • Types of Viruses • Macro Viruses • Antivirus Approaches

  2. Intruders Intruders • Want to gain access to a system or to increase the range of privileges accessible on a system • Three classes of intruders • Masquerader • likely to be an outsider • penetrates a system’s access controls to exploit a legitimate user’s account • Misfeasor • generally an insider • performs unauthorized accesses to data, programs, or resources • misuses his or her privileges • Clandestine user • can be either an insider or an outsider • seizes supervisory control of the system and uses it to evade auditing and access controls or to suppress audit collection

  3. Intruders Intrusion Techniques • The intruder usually needs a user's password, or the password file itself, to get in • Protection of the password file • One-way function : the system stores only a one-way transformation (hash) of each user's password and compares it with the transformation of the password presented at login • Access control : read access to the password file is limited to one or a very few accounts • [Figure: UNIX Password Scheme]

  4. Intruders Intrusion Techniques • Techniques for learning passwords • Try default passwords used with standard accounts that are shipped with the system • Exhaustively try all short passwords (1 to 3 characters) • Try words in the system's on-line dictionary or a list of likely passwords • Collect information about users (names, books, hobbies, etc.) and try it • Try users' phone numbers, Social Security numbers, and room numbers • Try all legitimate license plate numbers • Use a Trojan horse to bypass restrictions on access • Tap the line between a remote user and the host system

  5. Password Protection Password Protection • Unix password scheme • crypt(3) • The password is used as the key for 25 iterations of DES over a constant block • Salt • 12-bit value derived from the time the password was set • Prevents duplicate passwords from being visible in the password file : two users with the same password get different stored values • Effectively increases the length of the password by 2 characters (4096 times more values to search) • Perturbs the DES algorithm (the salt alters the expansion permutation), so off-the-shelf DES hardware cannot be used to speed up a brute-force guessing attack

  6. Password Protection Unix Password Scheme Example • Traditional /etc/passwd line : username:passwd:UID:GID:full_name:directory:shell • Fields of the shadow password entry (username:passwd:last:may:must:warn:expire:disable:reserved) :
    username - the user name
    passwd - the encoded password
    last - days since Jan 1, 1970 that the password was last changed
    may - days before the password may be changed
    must - days after which the password must be changed
    warn - days before the password is to expire that the user is warned
    expire - days after the password expires that the account is disabled
    disable - days since Jan 1, 1970 that the account is disabled
    reserved - a reserved field

  7. Password Protection Password Protection • The vulnerability of passwords • Two threats to the UNIX password scheme • Gaining access to a machine and then running a password-guessing program on that machine : hundreds or thousands of guesses can be checked with little resource consumption • Obtaining a copy of the password file, after which a cracker program can be run on another machine at leisure • Trying all possible character combinations by brute force was not feasible when this scheme was designed; against a fast function such as DES crypt it is feasible today for short passwords • Passwords must NOT be too short and NOT be too easy to guess • Access control • Denies the opponent access to the password file • Has several flaws • Many systems are susceptible to unanticipated break-ins • An accident of protection might render the password file readable • Some users use the same password on other machines, so a file stolen from one weakly protected system compromises the others
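
The salted one-way scheme of slides 5 to 7 and the second threat (a cracker run over a copied password file), as an added example that is not part of the original slides. SHA-256 over salt||password stands in for the 25-iteration DES of crypt(3); the sample password file and word list are constructed, and the fixed salts exist only to make the run reproducible.

```python
"""Salted one-way password storage and the two threats from the slides.

Added example, not from the slides or from any UNIX source. SHA-256 over
salt||password stands in for the 25-iteration DES of crypt(3); the layout
(salt stored in the clear beside the one-way output) is the same.
"""
import hashlib
import secrets

SALT_BYTES = 2  # crypt(3) used a 12-bit salt; two bytes is the nearest whole-byte size


def hash_password(password: str, salt: bytes) -> str:
    """Return the stored form 'salthex$digesthex'.

    The function is one-way: the system never needs the cleartext again,
    it only recomputes the digest from a presented password and compares.
    """
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def new_entry(password: str) -> str:
    """Create a password-file entry with a fresh random salt."""
    return hash_password(password, secrets.token_bytes(SALT_BYTES))


def verify(password: str, stored: str) -> bool:
    """Login check: rehash the presented password with the stored salt."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


def dictionary_attack(password_file: dict, wordlist: list) -> dict:
    """Threat 2 on the slide: a cracker run on a copied password file.

    Returns {user: recovered_password} for every entry found in the list.
    Because each entry has its own salt, one precomputed table cannot serve
    all users; the attacker pays len(wordlist) hashes per entry instead.
    """
    recovered = {}
    for user, stored in password_file.items():
        salt_hex, _ = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            if hash_password(word, salt) == stored:
                recovered[user] = word
                break
    return recovered


# Constructed sample data: two users chose the same weak password, one chose
# a strong one. Fixed salts make the demonstration reproducible.
SAMPLE_FILE = {
    "alice": hash_password("password", b"\x00\x01"),
    "bob":   hash_password("password", b"\x00\x02"),
    "carol": hash_password("xG%#jj84", b"\x00\x03"),
}
# Constructed word list (slide 4: default and dictionary passwords).
WORDLIST = ["123456", "root", "password", "letmein", "qwerty"]


if __name__ == "__main__":
    # The salt hides the fact that alice and bob share a password.
    print(SAMPLE_FILE["alice"] != SAMPLE_FILE["bob"])
    print(verify("password", SAMPLE_FILE["alice"]))
    print(dictionary_attack(SAMPLE_FILE, WORDLIST))  # alice and bob fall, carol does not
```

The salt buys exactly what the slide says and no more: identical passwords are no longer visible as identical entries, and one precomputed table cannot be reused across users, but each entry still falls to a per-entry dictionary search once the file has been copied.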

  8. Password Selection Strategies Password Selection Strategies • Goal : eliminate guessable passwords while still allowing users to pick memorable ones • Four basic techniques • User education • Often fails : users ignore the guidelines or misunderstand what a strong password is • Computer-generated passwords • Hard to remember even when they are pronounceable • Reactive password checking • The system periodically runs its own password cracker to find guessable passwords and cancels them • Resource intensive • A password remains vulnerable until the checker happens to find it • Proactive password checking • When a user selects a password, the system checks whether it is allowable and rejects it otherwise

  9. Password Selection Strategies Proactive Password Checking • Rule enforcement • All passwords must be at least eight characters long • Within the first eight characters the password must include at least one each of uppercase letters, lowercase letters, digits, and punctuation marks • Compiling a large dictionary of "bad" passwords • When a user selects a password, the system checks it against the dictionary • Costs a lot of storage (space) and lookup time • Two techniques for developing a password checker that is both effective and efficient • Markov model • Bloom filter • Both are based on rejecting words that appear on a list, and both show promise

  10. Password Selection Strategies Markov Model • A Markov model is written [m, A, T, k], where m : number of states A : state space T : matrix of transition probabilities k : order of the model (the probability of the next character depends on the previous k characters) • [Figure: example model]

  11. Password Selection Strategies 2nd-order Markov Model • Calculating the transition matrix • Start from a dictionary of guessable passwords • Determine the frequency matrix f(i,j,k), the number of occurrences of the trigram consisting of the ith, jth, and kth characters • For each bigram ij, calculate f(i,j,∞), the total number of trigrams beginning with ij • Compute the entries of T : T(i,j,k) = f(i,j,k) / f(i,j,∞) • T reflects the structure of the words in the dictionary • The question "Is this a bad password?" becomes "Is it likely that this password was generated by this model?" • Passwords the model would be likely to generate are rejected
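
The second-order model of slides 10 and 11 carried through in code, as an added example that is not part of the original slides. The dictionary of bad passwords and the acceptance threshold are constructed; the symbols f(i,j,k), f(i,j,∞) and T(i,j,k) are the slide's own.

```python
"""Second-order Markov model password checker, as on the slides.

Added example (not from the slides). The dictionary of guessable passwords
below is constructed; a real checker is trained on a large cracking list.
Symbols follow the slide: f(i,j,k) trigram counts, f(i,j,inf) bigram totals,
T(i,j,k) = f(i,j,k) / f(i,j,inf).
"""
import math
from collections import defaultdict


class TrigramModel:
    """The [m, A, T, k] model with k = 2: the next character depends on the previous two."""

    def __init__(self, bad_passwords):
        self.f = defaultdict(int)         # f(i,j,k)
        self.f_prefix = defaultdict(int)  # f(i,j,inf)
        self.alphabet = set()             # A, the state space
        for word in bad_passwords:
            word = word.lower()
            self.alphabet.update(word)
            for i, j, k in zip(word, word[1:], word[2:]):
                self.f[(i, j, k)] += 1
                self.f_prefix[(i, j)] += 1

    def T(self, i, j, k):
        """Transition probability of k following the bigram ij (0 if ij was never seen)."""
        total = self.f_prefix.get((i, j), 0)
        return self.f[(i, j, k)] / total if total else 0.0

    def mean_log_likelihood(self, password):
        """Average log T over the password's transitions; -inf if any transition
        has zero probability, i.e. the model could not have generated the word."""
        pw = password.lower()
        transitions = list(zip(pw, pw[1:], pw[2:]))
        if not transitions:
            return float("-inf")
        total = 0.0
        for i, j, k in transitions:
            p = self.T(i, j, k)
            if p == 0.0:
                return float("-inf")
            total += math.log(p)
        return total / len(transitions)

    def is_guessable(self, password, min_geometric_mean=0.1):
        """Reject when the model is likely to generate the password: the geometric
        mean of its transition probabilities is at least min_geometric_mean."""
        return self.mean_log_likelihood(password) >= math.log(min_geometric_mean)


# Constructed dictionary of bad passwords.
BAD_PASSWORDS = ["password", "passwords", "passage", "passport",
                 "words", "sword", "swords"]
MODEL = TrigramModel(BAD_PASSWORDS)

if __name__ == "__main__":
    for candidate in ["password", "hulkmask", "xG%#jj84"]:
        print(candidate, "rejected" if MODEL.is_guessable(candidate) else "accepted")
```

A zero-probability transition is the decisive signal: a word containing a trigram the dictionary never produced cannot have been generated by the model and is accepted immediately, while "password" is rejected because every one of its transitions is common in the training list.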

  12. Password Selection Strategies Approach Using Bloom Filter • Order of a Bloom filter : k, the number of independent hash functions, each of which maps a password into a hash value in the range 0 to N-1 • Procedure applied to the dictionary • A hash table of N bits, all initially set to 0 • For each word in the dictionary, its k hash values are calculated and the corresponding bits in the hash table are set to 1 • If a bit already has the value 1, it remains at 1

  13. Password Selection Strategies Approach Using Bloom Filter • Password checking • The k hash values are calculated for the presented password • If all of the corresponding bits of the hash table are 1 → reject • FALSE POSITIVES are possible : a password not in the dictionary is rejected if its k bits happen to have been set by other words • Example with k = 2 :
    H1(understand) = 25, H2(understand) = 998
    H1(hulkmask) = 83, H2(hulkmask) = 665
    H1(xG%#jj84) = 665, H2(xG%#jj84) = 998 → rejected although it is not in the dictionary
  • To minimize false positives, the table size N and the number of hash functions k are chosen for the dictionary size • The probability of a false positive

  14. Password Selection Strategies Performance of Bloom Filter • Dictionary of 1 million words (10^6), target probability of false positive 0.01 • With 6 hash functions the required ratio is R = N/D = 9.6 bits per word → hash table of 9.6×10^6 bits (1.2 MB) • Storing the entire dictionary would take on the order of 8 MB • Advantages • Compression by a factor of about 7 • Password checking involves only the straightforward calculation of 6 hash functions and is independent of the size of the dictionary
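
The Bloom filter of slides 12 to 14, with the sizing arithmetic behind the figures R = 9.6 and P = 0.01, as an added example that is not part of the original slides. The hash functions are derived from SHA-256 with the function index mixed in (a common construction, not one the slides specify), the small dictionary is constructed, and the false-positive estimate P ≈ (1 − e^(−k/R))^k is the standard Bloom filter approximation.

```python
"""Bloom-filter password checker with the sizing arithmetic from the slides.

Added example (not from the slides). The hash functions are derived from
SHA-256 with the function index mixed in, which is a common construction
but not the one the slides assume. The dictionary below is constructed.
"""
import hashlib
import math


class BloomChecker:
    def __init__(self, n_bits: int, k: int):
        self.n_bits = n_bits                  # N
        self.k = k                            # order of the filter
        self.table = bytearray((n_bits + 7) // 8)

    def _hashes(self, word: str):
        """H_1 .. H_k, each mapping word into 0 .. N-1."""
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{word}".encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.n_bits

    def _get(self, bit):
        return (self.table[bit >> 3] >> (bit & 7)) & 1

    def _set(self, bit):
        self.table[bit >> 3] |= 1 << (bit & 7)  # a bit that is already 1 stays 1

    def add_dictionary(self, words):
        for word in words:
            for bit in self._hashes(word):
                self._set(bit)

    def is_rejected(self, password: str) -> bool:
        """Reject only if all k bits are set. A clear bit proves the password
        is not in the dictionary; all bits set may still be a false positive."""
        return all(self._get(bit) for bit in self._hashes(password))


def false_positive_rate(k: int, ratio: float) -> float:
    """P ~= (1 - e^(-k/R))^k, with R = N/D hash-table bits per dictionary word."""
    return (1.0 - math.exp(-k / ratio)) ** k


def bits_per_word(k: int, p: float) -> float:
    """Invert false_positive_rate: the R needed for k hash functions and target P."""
    return -k / math.log(1.0 - p ** (1.0 / k))


# Constructed dictionary; the slides' figures assume a real one of D = 10^6 words.
DICTIONARY = ["understand", "hulkmask", "password", "letmein", "qwerty"]
CHECKER = BloomChecker(n_bits=1 << 16, k=6)
CHECKER.add_dictionary(DICTIONARY)

if __name__ == "__main__":
    r = bits_per_word(6, 0.01)                        # about 9.6
    print(round(r, 1), round(false_positive_rate(6, 9.6), 3))
    print(10**6 * 9.6 / 8 / 1e6, "MB for a million-word dictionary")
    print(CHECKER.is_rejected("hulkmask"), CHECKER.is_rejected("xG%#jj84"))
```

The check costs k hash computations and k bit reads whatever the dictionary size, which is the independence the slide claims; the price is the false positives, whose rate the two sizing functions let you set in advance.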

  15. Intrusion Detection Intrusion Detection • A system's second line of defense, behind access control and passwords • If an intrusion is detected quickly, the intruder can be identified and ejected before damage is done • An effective intrusion detection system also acts as a deterrent and so helps prevent intrusions • Information collected about intrusion techniques can be used to strengthen the intrusion prevention facility • Basic assumption : the behavior of the intruder differs measurably from that of a legitimate user • The two behaviors overlap, so there will be false positives (legitimate users flagged) and false negatives (intruders missed)

  16. Intrusion Detection Intrusion Detection • Approaches to intrusion detection • Statistical anomaly detection : collect data on the behavior of legitimate users over a period of time, then test observed behavior against it • Threshold detection : define thresholds, independent of the user, for the frequency of occurrence of various events • Profile based : maintain a profile of the activity of each user and detect changes in the behavior of individual accounts • Rule-based detection : define a set of rules that decide whether a given behavior is that of an intruder • Anomaly detection : rules are developed to detect deviation from previous usage patterns • Penetration identification : an expert system searches for suspicious behavior • In short, the statistical approach defines normal or expected behavior; the rule-based approach defines proper behavior

  17. Intrusion Detection Audit Records • Records of ongoing activity used as input to an intrusion detection system • Native audit records • accounting software collects information on user activity (no additional collection software) • Detection-specific audit records • a collection facility collects information required by the intrusion detection system • Ex) subject, action, object, exception-condition, resource-usage, time stamp

  18. Intrusion Detection Statistical Anomaly Detection • Threshold detection • Count the number of occurrences of a specific event type over an interval of time • If the count surpasses the threshold, intrusion is assumed • Crude : variability across users produces many false positives and false negatives • Profile-based system • Characterize the past behavior of individual users or related groups of users • Determine the activity profile of the average user by analyzing audit records over a period of time • Detect significant deviations by comparing current audit records against the profile • Metrics and models : mean and standard deviation, multivariate, Markov process, time series, etc.

  19. Intrusion Detection Rule-Based Intrusion Detection • Observe events in the system and apply a set of rules • Rule-based anomaly detection • Analyze historical audit records to generate rules automatically • Rules represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on • Current behavior is then observed and each transaction matched against the rules • Rule-based penetration identification • Use rules to identify suspicious behavior, known penetrations, or penetrations that would exploit known weaknesses • Rules are generated by experts rather than from audit data • Ex) rules that assign degrees of suspicion to activities • Users should not read files in other users' personal directories • Users who log in after hours often access the same files they used earlier • Users do not make copies of system programs
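
The detection-specific audit record of slide 17 and the three detectors of slides 18 and 19 (threshold, profile-based with mean and standard deviation, rule-based penetration identification) run over one audit trail, as an added example that is not part of the original slides. The records, the per-user baselines, the rules and the thresholds are all constructed for the illustration.

```python
"""Three detection approaches from the slides run over detection-specific
audit records (subject, action, object, exception-condition, resource-usage,
time-stamp).

Added example, not from the slides. The audit trail, the per-user baselines
and the rules are constructed sample data; thresholds are illustrative.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class AuditRecord:
    subject: str     # user (or process acting for a user)
    action: str      # login, read, copy, ...
    obj: str         # file, device or program acted upon
    exception: str   # "" if the action succeeded, else the failure reason
    usage: int       # resource usage, here bytes transferred by the action
    timestamp: int   # seconds since epoch


# Constructed audit trail: mallory guesses passwords, alice reads another
# user's home directory and copies a system program, bob pulls far more data
# than his history predicts.
RECORDS = [
    AuditRecord("mallory", "login", "tty1", "bad-password", 0, 1000),
    AuditRecord("mallory", "login", "tty1", "bad-password", 0, 1010),
    AuditRecord("mallory", "login", "tty1", "bad-password", 0, 1020),
    AuditRecord("mallory", "login", "tty1", "bad-password", 0, 1030),
    AuditRecord("alice", "login", "tty2", "", 0, 1005),
    AuditRecord("alice", "read", "/home/alice/notes.txt", "", 1024, 1100),
    AuditRecord("alice", "read", "/home/bob/secrets.txt", "", 2048, 1200),
    AuditRecord("alice", "copy", "/bin/ls", "", 0, 1250),
    AuditRecord("bob", "login", "tty3", "", 0, 1050),
    AuditRecord("bob", "read", "/home/bob/report.txt", "", 9_000_000, 1300),
]

# Constructed baselines: bytes read per session on earlier days. A real
# profile-based system derives these from historical audit records.
BASELINE_BYTES_READ = {
    "alice": [3000, 4200, 3900, 4100, 3700],
    "bob":   [8000, 9500, 7800, 8800, 9200],
}


def threshold_detect(records, limit=3, window=60):
    """Threshold detection: `limit` failed logins by one subject within `window`
    seconds. The threshold is the same for every user, which is what makes it crude."""
    times = {}
    for r in records:
        if r.action == "login" and r.exception:
            times.setdefault(r.subject, []).append(r.timestamp)
    flagged = set()
    for subject, ts in times.items():
        ts.sort()
        if any(ts[i + limit - 1] - ts[i] <= window for i in range(len(ts) - limit + 1)):
            flagged.add(subject)
    return flagged


def profile_detect(records, baseline, z_limit=3.0):
    """Profile-based detection (mean and standard deviation): flag a user whose bytes
    read this session lie more than z_limit standard deviations from their own history."""
    totals = {}
    for r in records:
        if r.action == "read":
            totals[r.subject] = totals.get(r.subject, 0) + r.usage
    flagged = {}
    for subject, total in totals.items():
        history = baseline.get(subject, [])
        if len(history) < 2 or pstdev(history) == 0:
            continue  # no usable profile yet
        z = (total - mean(history)) / pstdev(history)
        if abs(z) > z_limit:
            flagged[subject] = round(z, 1)
    return flagged


# Rule-based penetration identification: expert-written rules, each with a degree of suspicion.
RULES = [
    ("reads a file in another user's home directory", 3,
     lambda r: r.action == "read" and r.obj.startswith("/home/")
     and r.obj.split("/")[2] != r.subject),
    ("copies a system program", 2,
     lambda r: r.action == "copy" and r.obj.startswith("/bin/")),
]


def rule_detect(records, rules=RULES):
    """Sum the suspicion of every rule each subject triggers."""
    suspicion = {}
    for r in records:
        for _desc, weight, matches in rules:
            if matches(r):
                suspicion[r.subject] = suspicion.get(r.subject, 0) + weight
    return suspicion


if __name__ == "__main__":
    print(threshold_detect(RECORDS))                      # {'mallory'}
    print(profile_detect(RECORDS, BASELINE_BYTES_READ))   # bob only
    print(rule_detect(RECORDS))                           # {'alice': 5}
```

Each detector catches a different intruder in the same trail: the user-independent threshold sees the repeated failures, the per-user profile sees bob's out-of-character volume without a fixed limit, and the expert rules flag alice's reads and copies, which are statistically unremarkable but improper.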

  20. Intrusion Detection Distributed Intrusion Detection • Example architecture • Host agent module • Collects data on security-related events on its host and transmits them to the central manager • LAN monitor agent module • Same as a host agent module except that it analyzes LAN traffic and reports to the central manager • Central manager module • Receives reports from LAN monitor and host agents • Processes and correlates these reports to detect intrusion

  21. Intrusion Detection Distributed Intrusion Detection • [Figure: agent architecture] Agents analyze records for suspicious activity

  22. Intruders and Viruses (2) • Malicious Programs • The Nature of Viruses • Types of Viruses • Macro Viruses • Antivirus Approaches

  23. Malicious Programs (1) • Viruses have the ability to replicate themselves • Other malicious programs may be installed by hand on a single machine, or built into widely distributed commercial software packages (Trojan horses, trap doors, and logic bombs)

  24. Malicious Programs (2) • Taxonomy of Malicious Programs

  25. Malicious Programs (3) • Trap doors • A trap door is a secret entry point into a program that allows someone who is aware of it to gain access without going through the usual security access procedures • They have been used legitimately for many years by programmers to debug and test programs • It is code that recognizes some special sequence of input, or is triggered by being run from a certain user ID or by an unlikely sequence of events • They become threats when they are used by unscrupulous programmers to gain unauthorized access • It is difficult to implement operating system controls for trap doors; the defense lies in program development and software update practices • Logic bomb • Code embedded in some legitimate program that is set to "explode" when certain conditions are met • Examples of conditions are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application

  26. Malicious Programs (4) • Trojan horses • A useful program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function • Can be used to accomplish indirectly functions that an unauthorized user could not accomplish directly, because the hidden code runs with the privileges of the user who invoked the program • Another common motivation for the Trojan horse is data destruction • Viruses • A program that can "infect" other programs by modifying them • A virus carries in its instructional code the recipe for making perfect copies of itself • The infection can spread from computer to computer via unsuspecting users who exchange infected programs or disks • In a network environment, the ability to access applications and system services on other computers provides a perfect culture for the spread of a virus

  27. Malicious Programs (5) • Worm • A program that replicates itself across the network using network vehicles such as • Electronic mail facility • Remote execution capability • Remote login capability • It exhibits the same characteristics as a computer virus (dormant, propagation, triggering, and execution phases) • The propagation phase performs the following functions : • Search for other systems to infect by examining host tables or similar repositories of remote system addresses • Establish a connection with a remote system • Copy itself to the remote system and cause the copy to be run • It may also disguise its presence by naming itself as a system process or using some other name that may not be noticed by a system operator • Bacteria • A program that does nothing but replicate until it fills all disk space or CPU cycles

  28. The Nature of Viruses (1) • During its lifetime, a typical virus goes through the following four stages • Dormant phase : The virus is idle • Propagation phase : The virus places an identical copy of itself into other programs or into certain system areas on the disk. • Triggering phase : The virus is activated to perform the function for which it was intended. • Execution phase : The function is performed.

  29. The Nature of Viruses (2) • Virus Structure : a simple virus

    program V :=
    {goto main;
     1234567;

     subroutine infect-executable :=
      {loop:
       file := get-random-executable-file;
       if (first-line-of-file = 1234567)
        then goto loop
        else prepend V to file;
      }

     subroutine do-damage :=
      {whatever damage is to be done}

     subroutine trigger-pulled :=
      {return true if some condition holds}

    main: main-program :=
      {infect-executable;
       if trigger-pulled then do-damage;
       goto next;}

    next:
    }

  • The first line (goto main) jumps past the marker 1234567, which infect-executable uses to avoid re-infecting a file that already carries the virus • This virus is easily detected because an infected version of a program is longer than the corresponding uninfected one

  30. The Nature of Viruses (3) • Virus Structure : a compression virus

    program CV :=
    {goto main;
     01234567;

     subroutine infect-executable :=
      {loop:
       file := get-random-executable-file;
       if (first-line-of-file = 01234567) then goto loop;
       (1) compress file;
       (2) prepend CV to file;
      }

    main: main-program :=
      {if ask-permission then infect-executable;
       (3) uncompress rest-of-file;
       (4) run uncompressed file;
       goto next;}

    next:
    }

  • Steps (1) and (2) run at infection time : the target is compressed and CV is prepended to the compressed copy • Steps (3) and (4) run each time the infected program starts : the rest of the file is uncompressed and the original program runs, so the user sees normal behavior • A way to thwart the length check that catches the simple virus is therefore to compress the executable so that the infected and uninfected versions are of identical length

  31. The Nature of Viruses (4)

  32. The Nature of Viruses (5) • Initial infection • Viral infection could be completely prevented by keeping the virus from gaining entry in the first place, but in practice this is extraordinarily difficult • Most viral infections begin with a disk from which programs are copied onto a machine, for example • disks holding games or simple utilities that employees obtain for their home computers • infected media shipped by the manufacturer of an application • Infection can also arrive across a network connection

  33. Types of Viruses • Parasitic virus • it attaches itself to executable files and replicates. • Memory-resident virus • Lodges in main memory as part of a resident system program. • Boot sector virus • Infects a master boot record or boot record. • Stealth virus • A form of virus explicitly designed to hide itself from detection by antivirus software. • Polymorphic virus • A virus that mutates with every infection.

  34. Macro Viruses • Microsoft Office applications allow a "macro" (a program written in the application's macro language) to be embedded in a document. The macro can run whenever the document is opened or when a certain command is selected • Platform independent : it infects documents rather than executables, so any platform running the application is exposed • Infects documents, deletes files, and spreads through shared documents and e-mail attachments • Autoexecuting macros are the vehicle • Autoexecute : runs when the application starts • Automacro : runs when a defined event occurs, such as opening or closing a document • Command macro : replaces an existing menu command and runs when the user selects it

  35. Antivirus Approaches (1) • First generation (simple scanners) • searched files for any of a library of known virus “signatures”. • checked executable files for length change. • Second generation (heuristic scanners) • use heuristic rules to search for probable virus infection • Checked files for checksum or hash changes. • Third generation (activity traps) • memory-resident programs that identify a virus by its actions • Fourth generation (full-featured protection) • combine the best of the techniques above.
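
The first- and second-generation checks of slide 35 (signature scanning and length change, then checksum comparison) run against the two infection styles of slides 29 and 30, as an added example that is not part of the original slides. The "files", the two infection routines and the signature library are constructed; the signature is a made-up byte pattern, not one belonging to any real malware.

```python
"""First- and second-generation antivirus checks from the slides: signature
scanning and length checks, then checksum (hash) comparison against a baseline.

Added example, not from the slides. The "files", the infection routines and the
signature library are constructed; the signature is a made-up byte pattern and
does not correspond to any real malware.
"""
import hashlib

# Constructed signature library: name -> byte pattern a scanner looks for.
SIGNATURES = {
    "demo-prepender": b"\x90\x90VIRUS-MARKER-1234567",
}

# Constructed "clean" executables, keyed by path.
CLEAN_FILES = {
    "/bin/hello": b"\x7fELF" + b"A" * 60,
    "/bin/other": b"\x7fELF" + b"B" * 60,
}


def signature_scan(data: bytes, signatures=SIGNATURES) -> list:
    """First generation: report every known signature that occurs in the file."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def make_baseline(files: dict) -> dict:
    """Record (length, SHA-256) for each file while it is known to be clean."""
    return {path: (len(data), hashlib.sha256(data).hexdigest())
            for path, data in files.items()}


def integrity_check(baseline: dict, files: dict) -> dict:
    """Compare current files with the baseline.

    'length changed' is the first-generation check; 'checksum changed' is the
    second-generation check that also catches same-length modifications.
    """
    findings = {}
    for path, data in files.items():
        if path not in baseline:
            findings[path] = ["not in baseline"]
            continue
        ref_len, ref_hash = baseline[path]
        notes = []
        if len(data) != ref_len:
            notes.append("length changed")
        if hashlib.sha256(data).hexdigest() != ref_hash:
            notes.append("checksum changed")
        if notes:
            findings[path] = notes
    return findings


def infect_prepend(data: bytes) -> bytes:
    """Stand-in for the simple virus V on the slides: the body is prepended,
    so the file grows and carries the marker."""
    return SIGNATURES["demo-prepender"] + data


def infect_same_length(data: bytes) -> bytes:
    """Stand-in for a length-preserving infection (the compression-virus idea):
    the first bytes are overwritten, so the length is unchanged and no known
    signature is present. Only the checksum check notices."""
    stub = b"JMP!"
    return stub + data[len(stub):]


def run_demo():
    baseline = make_baseline(CLEAN_FILES)
    current = {
        "/bin/hello": infect_prepend(CLEAN_FILES["/bin/hello"]),
        "/bin/other": infect_same_length(CLEAN_FILES["/bin/other"]),
    }
    return {
        "signatures": {p: signature_scan(d) for p, d in current.items()},
        "integrity": integrity_check(baseline, current),
    }


if __name__ == "__main__":
    print(run_demo())
```

The baseline has to be taken while the files are known to be clean and stored where the virus cannot rewrite it; a checksum the attacker can update alongside the file detects nothing, which is the reason later generations added activity traps.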

  36. Antivirus Approaches (2) • Advanced Antivirus Techniques • Generic Decryption (GD) • Digital Immune System

  37. Antivirus Approaches (3) • Generic Decryption (GD) : run the suspect program in an emulator long enough for a polymorphic virus to decrypt itself, then scan the decrypted code • CPU emulator • A software-based virtual computer • Instructions in the target code are interpreted by the emulator rather than executed on the real processor • The underlying processor and the real system are unaffected by the program being interpreted • Virus signature scanner • A module that scans the target code looking for known virus signatures • Emulation control module • Controls the execution of the target code • Decides how long to run each interpretation before scanning, trading thoroughness against time
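
The three GD components of slide 37 in miniature, as an added example that is not part of the original slides or of any real antivirus product. The toy instruction set, the sample decryptor-plus-body image and its signature are constructed for the illustration and correspond to no real processor or malware; what carries over is the structure: emulate in private memory, then scan that memory, with the step budget as the control module's one decision.

```python
"""Generic decryption (GD) in miniature: a CPU emulator, a signature scanner,
and an emulation control module that decides how many instructions to
interpret before scanning.

Added example, not from the slides or from any real antivirus product. The
instruction set, the sample "virus" and its signature are constructed for
this illustration and do not correspond to any real processor or malware.
"""

# Toy instruction set (opcode, optional 8-bit operand):
#   0x10 n : PTR = n          0x11 n : CNT = n
#   0x20 k : MEM[PTR] ^= k    0x21   : PTR += 1
#   0x30 a : CNT -= 1; if CNT != 0 jump to address a
#   0xFF   : HALT (a real virus would jump into the now-decrypted body here)
OP_LDPTR, OP_LDCNT, OP_XOR, OP_INC, OP_DJNZ, OP_HALT = 0x10, 0x11, 0x20, 0x21, 0x30, 0xFF

SIGNATURES = {"demo-encrypted": b"MALWARE-BODY"}   # constructed signature library


def emulate(image: bytes, max_steps: int) -> bytes:
    """CPU emulator: interpret up to max_steps instructions in a private copy of
    memory and return that memory. The real processor never runs the code."""
    mem = bytearray(image)
    pc = ptr = cnt = 0
    for _ in range(max_steps):
        if pc >= len(mem):
            break
        op = mem[pc]
        if op == OP_LDPTR:
            ptr, pc = mem[pc + 1], pc + 2
        elif op == OP_LDCNT:
            cnt, pc = mem[pc + 1], pc + 2
        elif op == OP_XOR:
            if ptr < len(mem):
                mem[ptr] ^= mem[pc + 1]
            pc += 2
        elif op == OP_INC:
            ptr, pc = ptr + 1, pc + 1
        elif op == OP_DJNZ:
            cnt -= 1
            pc = mem[pc + 1] if cnt else pc + 2
        else:
            break  # HALT or unknown opcode: stop interpreting
    return bytes(mem)


def signature_scan(data: bytes, signatures=SIGNATURES) -> list:
    """Virus signature scanner."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def gd_scan(image: bytes, max_steps: int) -> list:
    """Emulation control module: run the emulator for a budget of steps, then
    hand the emulator's memory to the signature scanner."""
    return signature_scan(emulate(image, max_steps))


def build_encrypted_sample(key: int = 0x5A, body: bytes = b"MALWARE-BODY: do damage") -> bytes:
    """Constructed polymorphic-style sample: a decryption loop followed by the
    body XORed with key. The body, and so its signature, is not visible at rest."""
    header_len = 10
    decryptor = bytes([OP_LDPTR, header_len, OP_LDCNT, len(body),
                       OP_XOR, key, OP_INC, OP_DJNZ, 0x04, OP_HALT])
    assert len(decryptor) == header_len
    return decryptor + bytes(b ^ key for b in body)


if __name__ == "__main__":
    sample = build_encrypted_sample()
    print(signature_scan(sample))   # []  a static scan misses the encrypted body
    print(gd_scan(sample, 20))      # []  budget too small: only 6 bytes decrypted
    print(gd_scan(sample, 100))     # ['demo-encrypted']
```

The step budget is the whole trade-off the slide names: 20 interpreted instructions leave most of the body still encrypted and the scan comes back clean, 100 lets the loop finish and the signature appears in emulated memory, while a budget of millions would make every scan slow.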

  38. Antivirus Approaches (4) • Digital Immune System • It is a comprehensive approach to virus protection developed by IBM • The objective of this system is to provide rapid response time so that viruses can be stamped out almost as soon as they are introduced

  39. Antivirus Approaches (5)