1Intrusion DetectionJohn MitchellMethod of last resortIntrusion prevention• Network firewall– Restrict flow of packets; cover in another lecture• System security– Find buffer overflow vulnerabilities and remove them!Intrusion detection• Discover system modifications – Tripwire• Look for attack in progress– Network traffic patterns– System calls, other system eventsTripwireOutline of standard attack• Gain user access to system• Gain root access• Replace system binaries to set up backdoor• Use backdoor for future activitiesTripwire detection point: system binaries• Compute hash of key system binaries• Compare current hash to hash stored earlier• Report problem if hash is different• Store reference hash codes on read-only mediumIs Tripwire too late?Typical attack on server• Gain access• Install backdoor– This can be in memory, not on disk!!• Use itTripwire• Is a good idea• Wont catch attacks that don’t change system files• Detects a compromise that has happenedRemember: Defense in depthDetect modified binary in memory?Can use system-call monitoring techniquesFor example [Wagner, Dean IEEE S&P ’01]• Build automaton of expected system calls– Can be done automatically from source code• Monitor system calls from each program• Catch violationResults so far: lots better than not using source code!Example code and automatonEntry(f)Entry(g)Exit(f)Exit(g)open()close()exit()getuid() geteuid()f(int x) {x ? getuid() : geteuid();x++}g() {fd = open("foo", O_RDONLY);f(0); close(fd); f(1);exit(0);}If code behavior is inconsistent with automaton, something is wrong2General intrusion detectionMany intrusion detection systems• Close to 100 systems with current web pages• Network-based, host-based, or combinationTwo basic models• Misuse detection model – Maintain data on known attacks– Look for activity with corresponding signatures • Anomaly detection model – Try to figure out what is “normal”– Report anomalous behaviorFundamental problem: too many false alarmshttp://www.snort.org/Misuse example - rootkit Rootkit sniffs network for passwords• Collection of programs that allow attacker to install and operate a packet sniffer (on Unix machines)• Emerged in 1994, has evolved since then• 1994 estimate: 100,000 systems compromised Rootkit attack• Use stolen password or dictionary attack to get user access• Get root access using vulnerabilities in rdist, sendmail, /bin/mail, loadmodule, rpc.ypupdated, lpr, or passwd• Ftp Rootkit to the host, unpack, compile, and install it• Collect more username/password pairs and move onRootkit covers its tracksModifies netstat, ps, ls, du, ifconfig, login• Modified binaries hide new files used by rootkit• Modified login allows attacker to return for passwordsRootkit fools simple Tripwire checksum• Modified binaries have same checksum • But a better hash would be able to detect rootkitDetecting rootkit on systemSad way to find out• Disk is full of sniffer logsManual confirmation• Reinstall clean ps and see what processes are runningAutomatic detection• Rootkit does not alter the data structures normally used by netstat, ps, ls, du, ifconfig• Host-based intrusion detection can find rootkit files– As long as an update version of Rootkit does not disable your intrusion detection system …Detecting network attack (Sept 2003) Symantec honeypot running Red Hat Linux 9 Attack• Samba ‘call_trans2open’ Remote Buffer Overflow (BID 7294)• Attacker installed a copy of the SHV4 Rootkit Snort NIDS generated alerts, from this signaturealert tcp $EXTERNAL_NET any -> $HOME_NET 139 \(msg:"NETBIOS SMB trans2open buffer overflow attempt"; \flow:to_server,established; \content:"|00|"; offset:0; depth:1; \content:"|ff|SMB|32|"; offset:4; depth:5;content:"|00 14|"; offset:60; depth:2; \…More info: https://tms.symantec.com/members/AnalystReports/030929-Analysis-SHV4Rootkit.pdfMisuse example - port sweepAttacks can be OS specific• Bugs in specific implementations• Oversights in default configurationAttacker sweeps net to find vulnerabilities• Port sweep tries many ports on many IP addresses• If characteristic behavior detected, mount attack– SGI IRIX responds TCPMUX port (TCP port 1)– If machine responds, SGI IRIX vulnerabilities can be tested and used to break inPort sweep activity can be detected3Anomaly DetectionBasic idea• Monitor network traffic, system calls• Compute statistical properties• Report errors if statistics outside established rangeExample – IDES (Denning, SRI)• For each user, store daily count of certain activities– E.g., Fraction of hours spent reading email• Maintain list of counts for several days• Report anomaly if count is outside weighted normBig problem: most unpredictable user is the most importantAnomaly – sys call sequencesBuild traces during normal run of program• Example program behavior (sys calls)open read write open mmap write fchmod close• Sample traces stored in file (4-call sequences)open read write openread write open mmapwrite open mmap writeopen mmap write fchmodmmap write fchmod close• Report anomaly if following sequence observedopen read read open mmap write fchmod closeCompute # of mismatches to get mismatch rate[Hofmeyr, Somayaji, Forrest]Difficulties in intrusion detectionLack of training data• Lots of “normal” network, system call data• Little data containing realistic attacks, anomaliesData drift• Statistical methods detect changes in behavior• Attacker can attack gradually and incrementallyMain characteristics not well understood• By many measures, attack may be within bounds of “normal” range of activitiesFalse identifications are very costly• Sys Admin spend many hours examining evidenceResponse to intrusion?Ideally,• Identify attack (possible if misuse, hard if anomaly)• Limit damage, stop attack, block further attacks• Restore system, identify and prosecute attackerCliff Stoll• Detected attacker at Lawrence Berkeley• Created large file with nuclear weapons keywords • Traced international phone call during downloadStrategic Intrusion Assessment [Lunt]International/Allied Reporting CentersNational Reporting CentersDoD Reporting CentersRegional Reporting Centers (CERTs)Organizational Security CentersLocal Intrusion
View Full Document