cs.hofstra.edu


Network Security: Intruders and Viruses
05/01/06, Hofstra University Network Security Course, CSC290A

Slide 2: Evening With Berferd
Impressions?
- Called a "cracker"
- Early Internet gateway, 1990
- Password file
- SMTP protocol
- Lots of time; time-zone analysis
- rm -rf / - Whoa! Now it's personal!
- Chroot jail
- Honeypot
- If a hacker gets a login, you're in trouble

Slide 3: alt.security FAQs
"The only system that is truly secure is one that is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it."

Slide 4: Intruders
"When all kinds of trials and temptations crowd into your lives, my brothers, don't resent them as intruders, but welcome them as friends. Realize that they come to test your faith and to produce in you the quality of endurance." - Bible, James 1:2-3

Slide 5: Three Classes of Intruders
- Masquerader: an unauthorized user who penetrates a system by exploiting a legitimate user's account (outsider)
- Misfeasor: a legitimate user who makes unauthorized accesses or misuses his privileges (insider)
- Clandestine user: seizes supervisory control to evade auditing and access controls, or to suppress audit collection (insider or outsider)

Slide 6: American Heritage Dictionary
misfeasance, n.: improper and unlawful execution of an act that in itself is lawful and proper

Slide 7: Intruders
- Intruder attacks range from benign to serious: benign intruders are tolerable but consume resources
- It is difficult to know in advance the type of intruder
- A really growing problem: globalization, the move to client/server architectures, the hackers' steep learning curve

Slide 8: Types of Hackers
Old School (e.g. Captain Crunch)
- No malicious intent; believe in open systems
Script Kiddies
- 12-30 years old, mostly male
- Limited knowledge; too much time on their hands
- Also called Cyber Punks; brag and get caught

Slide 9: Cyber Punk - Kevin Poulsen, 1990
- Took over all the telephone lines of Los Angeles radio station KISS-FM, then made himself the 102nd caller and won a $50,000 Porsche 944 S2
- Indicted on 19 counts of conspiracy, fraud, wiretapping and money laundering; spent 3 years in prison

Slide 10: Types of Hackers
Professional Criminals / Crackers
- Careers built on criminal hacking
- Break into secure areas and sell information
- Often involved in espionage and organized crime

Slide 11: Crackers - Vladimir Levin, 1994
- Russian mathematician who led a group that hacked into Citibank computers and transferred about 10 million dollars out of customer accounts
- Caught in 1995 by Interpol; sentenced to three years in prison and forced to give up his share of the money

Slide 12: Types of Hackers
Coders / Virus Writers
- See themselves as an elite group
- Have a lot of programming background and write code, but won't use it themselves
- Have their own networks to experiment with, which they call "zoos"
- Leave it to others to introduce their code into "the wild", i.e. the Internet

Slide 13: Coder - Robert Morris, 1988
- Crashed 6,000 computers on the Internet with the first worm program
- He was fined $10,000, and the Computer Emergency Response Team (CERT) was formed

Slide 14: Psychology of Hackers
- Underlying the psyche of the criminal hacker may be a deep sense of inferiority
- Consequently, the mastery of computer technology, or the shutdown of a major site, might give them a sense of power
- "It's a population that takes refuge in computers because of their problems sustaining real world relationships. Causing millions of dollars of damage is a real power trip" - Jerrold M. Post, psychiatrist at George Washington University in Washington, D.C.
- http://tlc.discovery.com/convergence/hackers/hackers.html - good overview; source of the previous 6 slides

Slide 15: Some Are Even Good
Chloe can break into anything and load it down to Jack's PDA!!!

Slide 16: Attack Sophistication vs. Intruder Technical Knowledge
[Figure (source: Carnegie Mellon University): attack sophistication plotted against the technical knowledge required of intruders, 1980-2000. Attack sophistication rises over time while the knowledge an intruder needs falls. Techniques in roughly chronological order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, network management diagnostics, www attacks, denial of service, stealth / advanced scanning techniques, staged distributed attack tools, cross-site scripting, auto coordinated tools.]

Slide 17: Intrusion Techniques
- Objective: gain access to a system
- Frequent goal: acquiring a user password
- Most systems have a file that maps a password to each user
- Password file protection: a one-way function (the stored value cannot be inverted to recover the password) and access control (only privileged users can read the file)

Slide 18: Password Learning Techniques (guess attack)
1. Try default passwords used with standard accounts shipped with the system
2. Exhaustively try all short passwords
3. Try words in the system's dictionary or a list of likely passwords (hacker bulletin boards)
4. Collect information about users (full names, names of spouses and children, pictures and books in their office, related hobbies)
5. Try users' phone numbers, social security numbers, room numbers
6. Try all legitimate license plate numbers
7. Use a trojan horse
8. Tap the line between a remote user and the system

Slide 19: Intrusion Detection

Slide 20: Intrusion Detection
- Second line of defense (the firewall is the first)
- Quick detection minimizes damage and allows quicker recovery
- Deterrent: an effective intrusion detection system helps to prevent intrusions
- Collection of techniques: information about intrusion techniques leads to a stronger prevention facility

Slide 21: Intrusion Detection
- Basic assumption: the behavior of the intruder differs from that of a legitimate user in quantifiable ways
- There is an element of compromise and art in the practice of intrusion detection

Slide 22: Intruder & Authorized User Behavior
- False positive: authorized users identified as intruders
- False negative: real intruders not identified as intruders

Slide 23: Finding the Bad Guy
- Need to distinguish between a masquerader and a legitimate user
- Observe past history (Bayes' theorem)
- Establish patterns of behavior
- Look for significant deviations

Slide 24: Two Approaches: Statistical Anomaly Detection
- Collection of data over a period of time about legitimate user behavior
- Statistical tests to observe behavior and confidently determine non-legitimate use
- Threshold detection: based on the frequency of occurrence of certain events
- Profile-based: a profile of each user's activity, and detection of changes from it
- Successful against masqueraders but not against misfeasors

Slide 25: Two Approaches: Rule-based Detection
- Attempt to define a set of rules that determine intruder behavior
- Anomaly detection: detect deviation from previous usage patterns
- Penetration identification: an expert system that searches for suspicious behavior
- The better approach for detecting penetrations

Slide 26: Audit Record - Basic Tool of Intrusion Detection
Native audit records
- Information already collected for accounting
- No extra cost, but the information is not necessarily the right information, nor conveniently formed
Detection-specific audit records
- Only the information required by the IDS
- Extra overhead
- Vendor independent
- Fields: subject, action, object, exception condition, resource usage, timestamp (Denning)

Slide 27: Dorothy Denning
- Professor of Computer Science at Georgetown; Senior Staff Scientist at SRI International; research staff at DEC
- 1982, Cryptography and Data Security; 1999, Information Warfare and Security
- ACM Fellow; Distinguished Lecture in Computer Security Award
- http://www.cs.georgetown.edu/~denning/publications.html

Slide 28: Detection-Specific Audit Records
Decomposition of user operations into elementary actions, e.g. COPY GAME.EXE TO GAME.EXE:

  Subject  Action   Object    Exception  Usage     Timestamp
  Smith    execute  COPY.EXE  0          CPU=0002  11058721678
  Smith    read     GAME.EXE  0          Rec=0     11058721823
  Smith    execute  COPY.EXE  Wr-viol    Rec=0     11058722134

- Enables audit of all behavior affecting an object
- Single object, single action: simplicity
- Easily extracted from native audit records

Slide 29: Statistical Anomaly Categories
Threshold detection
- Counting the number of occurrences of a specific event type over an interval of time
- Generates either a lot of false positives or a lot of false negatives
Profile-based systems
- Characterizing the past behavior of individual users or related groups of users and then detecting significant deviations
- A profile is a set of parameters
- The foundation of this approach is an analysis of audit records: records over time define typical behavior, and current audit records are compared against it to detect intrusion

Slide 30: Statistical Anomaly Detection
Various tests determine whether current activity fits within acceptable limits:
- Mean & standard deviation: crude for intrusion detection
- Multivariate: correlation between two or more measures determines intruder behavior
- Markov process: establish transition probabilities among various states
- Time series: focus on time intervals
- Operational model: exceeding fixed limits
Prior knowledge of security flaws is not required
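The following is an added example, not code from the slides or from any IDS product. It runs two of the tests listed on the slide (mean / standard deviation, and the operational fixed-limit model) over audit records in Denning's six-field form. The records, users, the one-hour interval and the limit of 5 failed logins are all constructed for the example.

```python
"""Profile-based statistical anomaly detection over Denning-style audit records.

Added example, not code from the slides or from any IDS product. It builds a
per-user profile of one event type from past audit records and flags the
current interval by two of the tests on the slide: the mean / standard deviation
test and the operational (fixed limit) model. All audit records are constructed.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

INTERVAL = 3600  # seconds; profiles are kept per hour (assumption)


def make_records(subject, per_hour):
    """Constructed helper: expand {hour: n} into n 'login-fail' audit records in
    that hour, each in Denning's six-field form
    (subject, action, object, exception condition, resource usage, timestamp)."""
    records = []
    for hour, n in per_hour.items():
        for i in range(n):
            records.append((subject, "login-fail", "/bin/login",
                            "bad-password", "CPU=0001", hour * INTERVAL + i))
    return records


HISTORY_HOURS = range(0, 24)   # the profile is built from these intervals
CURRENT_HOUR = 24              # the interval being judged

# Constructed data: smith normally fails a login about once every three hours,
# jones fails twice an hour (noisy but consistent). In hour 24 smith produces
# 12 failures and jones 3.
SMITH_HISTORY = {h: (1 if h % 3 == 0 else 0) for h in HISTORY_HOURS}
JONES_HISTORY = {h: 2 for h in HISTORY_HOURS}
AUDIT_RECORDS = (make_records("smith", {**SMITH_HISTORY, CURRENT_HOUR: 12})
                 + make_records("jones", {**JONES_HISTORY, CURRENT_HOUR: 3}))


def count_events(records, action):
    """{subject: Counter{interval index: occurrences}} for one action type."""
    counts = defaultdict(Counter)
    for subject, act, _obj, _exc, _usage, ts in records:
        if act == action:
            counts[subject][ts // INTERVAL] += 1
    return counts


def build_profile(by_interval, history_intervals):
    """Mean and (population) standard deviation over the history, with
    intervals in which nothing happened counted as zero."""
    samples = [by_interval.get(i, 0) for i in history_intervals]
    return mean(samples), pstdev(samples)


def mean_sd_alarm(value, mu, sigma, k=3.0):
    """Mean / standard deviation test: alarm when value > mu + k*sigma. The
    deviation is floored at 1 event so a perfectly flat profile (sigma = 0)
    does not alarm on a single extra event."""
    return value > mu + k * max(sigma, 1.0)


def operational_alarm(value, limit):
    """Operational model: alarm when a fixed limit is exceeded."""
    return value > limit


def analyze(records, action, history_intervals, current_interval, limit, k=3.0):
    """Per-subject report for the current interval."""
    report = {}
    for subject, by_interval in count_events(records, action).items():
        mu, sigma = build_profile(by_interval, history_intervals)
        now = by_interval.get(current_interval, 0)
        report[subject] = {
            "count": now, "mean": mu, "sd": sigma,
            "mean_sd_alarm": mean_sd_alarm(now, mu, sigma, k),
            "operational_alarm": operational_alarm(now, limit),
        }
    return report


if __name__ == "__main__":
    for subject, r in analyze(AUDIT_RECORDS, "login-fail",
                              HISTORY_HOURS, CURRENT_HOUR, limit=5).items():
        print(f"{subject}: {r['count']} failures this hour "
              f"(profile mean {r['mean']:.2f}, sd {r['sd']:.2f}); "
              f"mean/sd alarm={r['mean_sd_alarm']}, "
              f"operational alarm={r['operational_alarm']}")
```

With these records smith trips both tests and jones neither, which is the point of the profile: the same absolute count of 3 failures would be an anomaly for smith and is normal for jones. The floor on sigma is the kind of compromise the earlier slide mentions; without it a user whose history is perfectly regular would alarm on any change at all.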

Slide 31: Measures Used for Intrusion Detection (table)

Slide 32: Rule-Based Detection
- Observe events in the system and apply a set of rules that decide whether activity is suspicious or not
- Approaches focus on either anomaly detection or penetration identification

Slide 33: Rule-Based Anomaly Detection
- Similar in approach and strengths to statistical anomaly detection
- Automatically generate rules by analyzing historical audit records to identify usage patterns
- Assume the future will look like the past, and apply the rules to current behavior
- Does not require knowledge of security vulnerabilities
- Requires a rather large database of rules (10^4 to 10^6)

Slide 34: Rule-Based Penetration Identification
- Based on expert system technology
- Uses rules for identifying known penetrations or ones that exploit known weaknesses, producing a suspicion rating
- Rules are generated by experts and are system specific
- Strength is a function of the skills of the rule makers ("hire a hacker")
- Early systems: NIDX, IDES, Haystack (late 80s)
- The best approach is a high-level model that is independent of specific audit records
- USTAT, a state transition model, deals with general actions and reduces the number of rules

Slide 35: USTAT Actions
- A state transition diagram is developed that characterizes suspicious activity
- 10 general actions cover 239 SunOS events

Slide 36: Base-Rate Fallacy
- An IDS must meet the standard of a high rate of detections with a low rate of false alarms
- The false alarm rate is the limiting factor for the performance of an IDS
- This is due to the base-rate fallacy: the failure to take base rates into account when judging a probability

Slide 37: Base-Rate Fallacy
"A cab was involved in a hit-and-run accident at night. Two cab companies, the Green and the Blue, operate in the city. You are given the following data: 85% of the cabs in the city are Green and 15% are Blue. A witness identified the cab as a Blue cab. The court tested his ability to identify cabs under the appropriate visibility conditions. When presented with a sample of cabs (half of which were Blue and half of which were Green) the witness made correct identifications in 80% of the cases and erred in 20% of the cases. Question: What is the probability that the cab involved in the accident was Blue rather than Green?"

Slide 38: Base-Rate Fallacy
- When people answer this, they tend to say that the probability it was Blue (the rare case) is about 80%, but the real probability is 41%, because the correct answer takes into account the fact that there are many more Green cabs than Blue ones: P(Blue | witness says Blue) = (0.15 x 0.8) / (0.15 x 0.8 + 0.85 x 0.2) = 0.12 / 0.29 = 0.41
- Stefan Axelsson, "The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection"
- Bottom line: IDS systems have a long way to go!
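The same arithmetic, as an added example that is not part of the slides or of Axelsson's paper: Bayes' theorem applied first to the cab problem above and then to an intrusion detector. The cab figures are the slide's own; the IDS figures (10 real intrusions among 1,000,000 audited events, a detector that catches 99% of them and raises a false alarm on 0.1% of benign events) are constructed for illustration.

```python
"""Bayes' theorem: the cab problem from the slide, then the same arithmetic for
an intrusion detector.

Added example, not from the slides or from Axelsson's paper. The cab figures
are the slide's own; the IDS figures are constructed for illustration.
"""


def posterior(prior, true_positive_rate, false_positive_rate):
    """P(condition | positive result) by Bayes' theorem.

    prior               P(condition), the base rate
    true_positive_rate  P(positive | condition)
    false_positive_rate P(positive | no condition)
    """
    p_positive = prior * true_positive_rate + (1 - prior) * false_positive_rate
    if p_positive == 0:
        return 0.0          # the test never fires, so there is no alarm to interpret
    return prior * true_positive_rate / p_positive


def cab_problem():
    """15% of cabs are Blue; the witness is right 80% of the time, wrong 20%."""
    return posterior(prior=0.15, true_positive_rate=0.80, false_positive_rate=0.20)


def ids_alarm_value(intrusions, events, detection_rate, false_alarm_rate):
    """Probability that an alarm is a real intrusion, given the base rate
    intrusions/events. This is the number the base-rate fallacy makes people
    overestimate."""
    return posterior(intrusions / events, detection_rate, false_alarm_rate)


def false_alarm_rate_needed(base_rate, detection_rate, target_posterior):
    """Largest false-alarm rate for which P(intrusion | alarm) >= target_posterior.
    Solving posterior() = target for the false-positive rate gives
      fpr = base_rate * tpr * (1 - target) / (target * (1 - base_rate))."""
    return (base_rate * detection_rate * (1 - target_posterior)
            / (target_posterior * (1 - base_rate)))


if __name__ == "__main__":
    print(f"P(Blue | witness says Blue) = {cab_problem():.2f}")   # 0.41, not 0.80
    p = ids_alarm_value(10, 1_000_000, 0.99, 0.001)
    print(f"P(intrusion | alarm) with a 0.1% false-alarm rate = {p:.3f}")
    f = false_alarm_rate_needed(10 / 1_000_000, 0.99, 0.5)
    print(f"false-alarm rate needed for half of all alarms to be real: {f:.1e}")
```

With the constructed IDS numbers about 1% of alarms are real intrusions even though the detector is 99% sensitive, and to make half of the alarms real the false-alarm rate would have to drop to roughly 10^-5 per event. That is the sense in which the false alarm rate, not the detection rate, limits an IDS.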

Slide 39: Distributed Intrusion Detection
- Scalability issues: too much overhead for a standalone IDS on each host
- Heterogeneous environment: different audit records
- Need IDS across the network
- Centralized vs. decentralized issues

Slide 40: Distributed Intrusion Detection (architecture diagram)

Slide 41: Distributed Intrusion Detection
- Host agent module: a background process that collects data and sends results to the central manager
- LAN monitor agent module: analyzes LAN traffic and sends results to the central manager
- Central manager module: processes and correlates the received reports to detect intrusion

Slide 42: Agent Architecture - machine independent (diagram)

Slide 43: Honeypots
- Decoy systems
- Lure the attacker away from critical systems
- Collect information about the attacker
- Keep the attacker around long enough to respond
- The jury is still out on this!

Slide 44: Password Management

Slide 45: Password Protection
User ID and password:
- The user is authorized to gain access to the system
- Privileges are accorded to the user
- Discretionary access control

Slide 46: Password Protection - the Unix scheme
- Password file entry: (user ID, ciphertext password, plaintext salt)
- Password: up to 8 printable characters, giving a 56-bit value (7-bit ASCII)
- Encryption routine crypt(3), based on DES: a modified DES algorithm with a 12-bit salt value (derived from the time of password assignment)
- 25 encryptions with a 64-bit block of zeros as input
- The 64-bit result is stored as an 11-character sequence

Slide 47: Loading a New Password (diagram)

Slide 48: Password Protection - purposes of the salt
- Prevents duplicate passwords from being visible in the password file
- Effectively increases the password length by 2 characters without the user needing to remember them (possible passwords increased by a factor of 4096)
- Prevents use of a hardware DES implementation for a brute-force guessing attack

Slide 49: Verifying a Password (diagram)

Slide 50: Password Protection - threats to the Unix scheme
- Gain access through a guest account and run a password cracker
- Obtain a copy of the password file and run a password cracker
- Goal: run a password cracker
- Crackers rely on people choosing easily guessable passwords!

Slide 51: Observed Password Lengths in a Purdue Study (chart)
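An added example, not the slides' code and not a real crypt(3), that ties the three previous slides together: salted one-way storage, verification using the public salt, and the dictionary attack the slides say crackers rely on. Python no longer ships the crypt module, so an iterated SHA-256 stands in for the 25 DES rounds (an assumption of this example); the 2-character, 12-bit salt from a 64-symbol alphabet and the 8-character limit on the password follow the slide. The accounts, their salts and the word list are constructed.

```python
"""Salted one-way password storage in the style of the Unix scheme, and the
dictionary attack the slides say crackers rely on.

Added example, not the slides' code and not a real crypt(3): an iterated
SHA-256 stands in for the 25 DES rounds (assumption). Accounts, salts and the
word list are constructed.
"""
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

SALT_ALPHABET = string.ascii_letters + string.digits + "./"   # 64 symbols -> 2 chars = 12 bits
ITERATIONS = 25                                               # crypt(3) applies DES 25 times


def make_salt(rng=secrets):
    return rng.choice(SALT_ALPHABET) + rng.choice(SALT_ALPHABET)


def hash_password(password, salt):
    """Stored form: salt followed by the digest. Only the first 8 characters of
    the password count, exactly as in classic crypt(3); that is a weakness of
    the scheme, not a feature."""
    if len(salt) != 2 or any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("salt must be 2 characters from the 64-symbol alphabet")
    key = password[:8].encode("utf-8")
    h = hashlib.sha256(salt.encode() + key).digest()
    for _ in range(ITERATIONS - 1):
        h = hashlib.sha256(salt.encode() + h).digest()   # stand-in for repeated DES
    return salt + h.hex()


def build_password_file(accounts):
    """accounts: iterable of (user, password, salt) -> {user: stored field}.
    Salts are given explicitly here so the example is repeatable; a real
    system would call make_salt() for each new password."""
    return {user: hash_password(pw, salt) for user, pw, salt in accounts}


def verify(stored, password):
    """The salt is public: it is the first two characters of the stored field."""
    return hmac.compare_digest(stored, hash_password(password, stored[:2]))


def crack(password_file, wordlist):
    """Dictionary attack on a copied password file. Because of the salt, each
    candidate word must be hashed once per distinct salt rather than once for
    the whole file. Returns ({user: password}, number of hash computations)."""
    by_salt = defaultdict(list)
    for user, stored in password_file.items():
        by_salt[stored[:2]].append((user, stored))
    cracked, work = {}, 0
    for salt, accounts in by_salt.items():
        for word in wordlist:
            work += 1
            candidate = hash_password(word, salt)
            for user, stored in accounts:
                if candidate == stored:
                    cracked[user] = word
    return cracked, work


# Constructed sample: alice and bob share a password; carol's is not in the list.
SAMPLE_ACCOUNTS = [
    ("alice", "secret", "ab"),
    ("bob", "secret", "cd"),
    ("carol", "x9!Qz#pLm", "ef"),
    ("dave", "letmein", "ab"),
]
WORDLIST = ["password", "123456", "letmein", "secret", "qwerty"]


def unsalted_file(accounts):
    """The same accounts with one fixed salt for everyone, i.e. effectively no salt."""
    return build_password_file((user, pw, "..") for user, pw, _salt in accounts)


if __name__ == "__main__":
    pf = build_password_file(SAMPLE_ACCOUNTS)
    print("alice and bob store different values:", pf["alice"] != pf["bob"])
    print("verify alice/secret:", verify(pf["alice"], "secret"))
    print("9th character of carol's password is ignored:", verify(pf["carol"], "x9!Qz#pL"))
    cracked, work = crack(pf, WORDLIST)
    print("cracked:", cracked, "with", work, "hash computations")
    cracked, work = crack(unsalted_file(SAMPLE_ACCOUNTS), WORDLIST)
    print("the same attack on an unsalted file needs", work, "hash computations")
```

Three of the four accounts fall to a five-word list, which is the slide's point about guessable passwords; the salt does not stop that, it only multiplies the cracker's work by the number of distinct salts (15 hash computations here against 5 for the unsalted file, and up to 4096 times for a full file). The truncation check on carol's password is the caveat a reviewer should remember about the classic scheme: characters beyond the eighth add no security at all.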

Slide 52: Passwords Cracked From a Sample Set - easy pickings (table)

Slide 53: Access Control
One method: deny access to the password file
- Systems are susceptible to unanticipated break-ins
- An accident in protection may render the password file readable, compromising all accounts
- Users have accounts in other protection domains using the same passwords

Slide 54: Access Control
Answer: force users to select passwords that are difficult to guess
- Goal: eliminate guessable passwords while allowing the user to select a password that is memorable

Slide 55: Password Selection Strategies (Basic Techniques)
User education
- Users may ignore the guidelines
Computer-generated passwords
- Poor acceptance by users
- The passwords are difficult to remember

Slide 56: Password Selection Strategies
Reactive password checking
- The system runs its own password cracker
- Resource intensive
- Existing passwords remain vulnerable until the reactive checker finds them
Proactive password checking
- Password selection is guided by the system
- Strikes a balance between user accessibility and strength
- May provide guidance to password crackers (what not to try)
- Dictionary of bad passwords (space and time problem)

Slide 57: Proactive Password Checker
There are two techniques currently in use:
- Markov model: search for guessable passwords
- Bloom filter: search in a password dictionary

Slide 58: Markov Model
- Probability that b follows a
- M = {states, alphabet, transition probabilities, order}
(transition diagram)

Slide 59: Markov Model
- "Is this a bad password?" is the same question as "Was this password generated by this Markov model?"
- Passwords that are likely to be generated by the model are rejected
- Good results for a second-order model
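The following is an added example, not the slides' code, of the second-order Markov checker the two slides above describe. The model is trained on a constructed list of common passwords, a candidate is scored by how likely the model is to have generated it, and likely candidates are rejected. Assumptions of this example: add-one smoothing over the 95 printable ASCII characters, a start-of-word padding symbol, and a rejection threshold of -6.0 bits per character, which in practice would be calibrated on real data.

```python
"""Second-order Markov model as a proactive password checker.

Added example, not the slides' code. Assumptions: Laplace smoothing over the
95 printable ASCII characters, a padding symbol for the start of a word, and a
rejection threshold of -6.0 bits per character. The training list is constructed.
"""
import math
from collections import Counter

ALPHABET_SIZE = 95   # printable ASCII 0x20..0x7e
START = "\x02"       # padding symbol so the first characters also have a context


class MarkovChecker:
    def __init__(self, order=2):
        self.order = order
        self.context_total = Counter()   # count(ctx)
        self.transitions = {}            # ctx -> Counter of next characters

    def train(self, words):
        for w in words:
            w = START * self.order + w
            for i in range(self.order, len(w)):
                ctx, nxt = w[i - self.order:i], w[i]
                self.context_total[ctx] += 1
                self.transitions.setdefault(ctx, Counter())[nxt] += 1

    def prob(self, ctx, nxt):
        """P(nxt | ctx) with add-one smoothing, so an unseen transition gets
        1 / (count(ctx) + 95) rather than zero."""
        seen = self.transitions[ctx][nxt] if ctx in self.transitions else 0
        return (seen + 1) / (self.context_total[ctx] + ALPHABET_SIZE)

    def log_likelihood(self, password):
        """Average log2 P(password) per character; higher means the model is
        more likely to have generated it, i.e. more guessable."""
        if not password:
            return float("inf")   # an empty password is always rejected
        w = START * self.order + password
        total = sum(math.log2(self.prob(w[i - self.order:i], w[i]))
                    for i in range(self.order, len(w)))
        return total / len(password)

    def is_guessable(self, password, threshold=-6.0):
        return self.log_likelihood(password) > threshold


# Constructed training list (24 words).
TRAINING_WORDS = [
    "password", "passwords", "password1", "letmein", "welcome", "qwerty",
    "123456", "iloveyou", "admin", "monkey", "dragon", "football", "baseball",
    "sunshine", "princess", "master", "shadow", "michael", "jennifer", "computer",
    "secret", "hofstra", "network", "trustno1",
]


def build_checker(order=2):
    m = MarkovChecker(order)
    m.train(TRAINING_WORDS)
    return m


if __name__ == "__main__":
    m = build_checker()
    for candidate in ["password", "Password", "pass1234", "zq7x!k", "Hofstra06"]:
        print(f"{candidate:12s} {m.log_likelihood(candidate):6.2f} bits/char "
              f"-> {'reject' if m.is_guessable(candidate) else 'accept'}")
```

A string of unseen transitions scores about log2(1/95), roughly -6.6 bits per character, so the threshold separates "looks like the training data" from "does not". The model only needs its transition counts, not the dictionary itself, which is the space advantage over a plain word list; its weakness is that it also tells an attacker which strings it will not reject.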

Slide 60: Bloom Filter
- A probabilistic algorithm to quickly test membership in a large set, using multiple hash functions into a single array of bits
- Developed in 1970 but not used for about 25 years
- Used to find words in a dictionary; also used for web caching
- Small probability of false positives, which can be reduced by choosing k, the number of hash functions
- www.cs.wisc.edu/~cao/papers/summary-cache/node8.html - a good tutorial

Slide 61: Bloom Filter
- A vector v of N bits
- k independent hash functions, each with range 0 to N-1
- For each element x, compute the hash functions H1(x), H2(x), ..., Hk(x) and set the corresponding bits to 1
- Note: a bit in the resulting vector may be set to 1 multiple times
[Figure: bit vector v of N bits; element x; H1(x)=P1, H2(x)=P2, H3(x)=P3, H4(x)=P4; the bits at positions P1..P4 are set to 1]

Slide 62: Bloom Filter
- To query for the existence of an entry x, compute H1(x), H2(x), ..., Hk(x) and check whether the bits at the corresponding locations are all 1
- If not, x is definitely not a member
- Otherwise there may be a false positive (a password not in the dictionary that nevertheless matches in the bit vector)
- The probability of a false positive can be reduced by choosing k and N
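An added example, not the slides' code, of the filter the last three slides describe, used as a proactive checker over a dictionary of bad passwords, together with the sizing arithmetic that gives about 9.6 x 10^6 bits for one million words at a 0.01 false-positive rate. Assumption of this example: the k independent hash functions H1..Hk are derived from SHA-256 by prefixing a one-byte index to the input. The bad-password list is constructed.

```python
"""Bloom filter as a proactive password checker, plus the sizing arithmetic.

Added example, not the slides' code. Assumption: H1..Hk are SHA-256 with a
one-byte index prefixed to the input. The bad-password list is constructed.
"""
import hashlib
import math


class BloomFilter:
    def __init__(self, n_bits, k):
        self.n, self.k = n_bits, k
        self.bits = bytearray((n_bits + 7) // 8)   # vector v of N bits, all 0

    def _positions(self, item):
        """H1(x) .. Hk(x), each in 0 .. N-1."""
        data = item.encode("utf-8")
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + data).digest()
            yield int.from_bytes(digest[:8], "big") % self.n

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)      # a bit may be set more than once

    def might_contain(self, item):
        """False means definitely not in the set; True may be a false positive."""
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def optimal_size(n_items, fp_rate):
    """Bits N and hash count k for a target false-positive rate p:
    N = -n ln(p) / (ln 2)^2 and k = (N / n) ln 2."""
    n_bits = math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2)
    k = max(1, round(n_bits / n_items * math.log(2)))
    return n_bits, k


def expected_fp_rate(n_bits, k, n_items):
    """Probability that a non-member matches: (1 - e^(-k n / N))^k."""
    return (1 - math.exp(-k * n_items / n_bits)) ** k


def build_dictionary_filter(words, fp_rate=0.01):
    n_bits, k = optimal_size(len(words), fp_rate)
    bf = BloomFilter(n_bits, k)
    for w in words:
        bf.add(w)
    return bf


def measure_fp_rate(bf, probes):
    """Fraction of probes (known non-members) that the filter wrongly matches."""
    return sum(bf.might_contain(p) for p in probes) / len(probes)


# Constructed bad-password dictionary: a few real favourites plus filler words.
BAD_PASSWORDS = ["password", "123456", "qwerty", "letmein"] + [f"bad{i:04d}" for i in range(1000)]


if __name__ == "__main__":
    n_bits, k = optimal_size(1_000_000, 0.01)
    print(f"1e6 words at p=0.01: {n_bits} bits ({n_bits / 8 / 1e6:.2f} MB), k={k}, "
          f"predicted p={expected_fp_rate(n_bits, k, 1_000_000):.4f}")
    bf = build_dictionary_filter(BAD_PASSWORDS)
    print("rejects 'password':", bf.might_contain("password"))
    probes = [f"good{i:05d}" for i in range(10_000)]
    print(f"measured false-positive rate on {len(probes)} good passwords: "
          f"{measure_fp_rate(bf, probes):.4f}")
```

The sizing formula reproduces the slide's figure (about 9.6 million bits, 1.2 MB, with k = 7 hash functions), which is the space saving the checker buys: a one-million-word dictionary in roughly 10 bits per word, with no way to read the words back out. The price is that about 1 in 100 acceptable passwords is rejected as if it were in the dictionary, and a false positive can never be distinguished from a true match.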

Slide 63: Performance of Bloom Filter
- Dictionary of 1 million words with a 0.01 probability of (wrongly) rejecting a password
- We need a hash table of 9.6 x 10^6 bits (about 1.2 MB, roughly 10 bits per word)

Slide 64: Important URLs
- http://www.cert.org/

  Originally DARPA's Computer Emergency Response Team; an essential security site
- http://project.honeynet.org/
  An organization of security professionals dedicated to learning the tools, tactics, and motives of the blackhat community; interesting tools and papers
- http://tlc.discovery.com/convergence/hackers/hackers.html
  A good overview of the psychology of hackers
- http://www.aaai.org/AITopics/html/uncert.html
  A good probability and Bayes overview

Slide 65: Homework
- Read Chapter Nine
- Final project / term paper due next week. No lateness! (Problems? Let me know beforehand.)

Slide 66: Happy Cinco de Mayo!!!
