Outline
• What is Intrusion Detection?
• Types of Attacks
• Malicious Activities
• Masquerade Attack
• Masquerade Detection
• Command Recording
• Event Recording
• Computer Usage
• Identifying Users
• Building Signatures
• Real-time Detection
• Challenges
• Sequence Comparison
• The Real Problems
• DNA Sequence Comparison
• Event Sequence Comparison
• Comparison Scores
• Advantages
• How well does it work?
• What else can it do?
• Implications
• Summary

Intrusion Detection
Dr. Eric Breimer
Computer Science Department
Siena College

01/13/19 Intrusion Detection 2

What is Intrusion Detection?
Monitoring a computer network to detect a variety of security attacks, including
• Hacker attacks
• Insider attacks
• Masquerade attacks
This talk focuses on the masquerade attack.

Types of Attacks: Hacker Attack
Unauthorized user
Bogus account and privileges
Recognizable:
• A system administrator may notice the intrusion before a malicious action is committed.

Types of Attacks: Insider Attack
Authorized user
Legitimate account and privileges
Malicious activities
No repudiation:
• Once discovered, it's hard for the insider to cover his tracks.

Types of Attacks: Masquerade Attack
Hacker assumes the identity of an authorized user
Malicious activities are attributed to an innocent user
Repudiation:
• Easier for the hacker to cover his trail.

Malicious Activities
Data disclosure
• Accessing proprietary information, leading to fraud
Data insertion, removal & modification
• Modifying proprietary information, leading to fraud
Denial of Service (DoS)
Sabotage

Masquerade Attack: Methods
Remote attack
• Packet sniffer
• Spyware
• Used simply to gain the user's password
On-site attack
• Computer left logged in
• Insider with physical access

Masquerade Attack: Challenges
Password disclosure may be impossible to detect
• Physical disclosure, simple eavesdropping
Access as a legitimate user with authorized privileges such as
• remote access
• permission to turn off security systems such as firewalls or intrusion detection software
Data disclosure can be impossible to detect
• If the legitimate user has access to proprietary information
Scapegoat
• The legitimate user takes the heat
• Minimizes risk in an insider attack

Masquerade Detection
How can you detect a masquerader on your computer system?
To answer this question, we need to ask a more basic question:
How can you distinguish two users based on their computer usage?

Command Recording
Command-line operating systems like UNIX can easily record and archive every command typed at a prompt.
Example:
>pine
>ls
>cd ..
>g++ main.cpp

Event Recording
GUI-based operating systems like Windows or MacOS respond to every input event
• Mouse move
• Key press
• Button click
Every event can be recorded.
Primitive input events can be merged into high-level events
<program opened> <program name>
<file saved> <file name> <time stamp>
<editfind selected> <search string>
<query executed> <query name>
Recorded in real time.
Archived in log files.

Computer Usage
Individuals use computers in different ways.
Examples:
• Every morning the first program I open is Outlook (95% of the time).
• Two of my co-workers rarely use Outlook (10%); they prefer Web-based Outlook.
• I use CTRL-C to copy text (99%). A co-worker frequently (50%) uses the Edit > Copy menu option to copy text.
More examples:
• For three years, Cynthia, the receptionist, has never opened a command prompt in Windows.
• She has never typed the command nslookup.
• On Thursday, she typed nslookup 30 times.
Subtle signs can identify a user
Users have habits
• I always keep Outlook open in the background
Users exhibit patterns
• I always type g++ main.cpp -o test.exe
• I never type g++ -o test.exe main.cpp
Users frequently repeat tasks
• Daily basis
• Weekly basis

Identifying Users
Build a signature for each user
• Record a user's behavior (commands or events) over a period of time
• A signature somehow captures a user's normal behavior
• In real time, compare a user's current behavior with the signature
• If the current behavior does not match the signature, assume it's a masquerade attack.

Building Signatures: Assumptions
You are recording a legitimate user
• Physical verification, or
• Closed environment
Duration of recording is long enough to
• capture the user's unique traits
• summarize a variety of common tasks

Real-time Detection: Assumptions
Use a "window" of time
• i.e., events from the last 10 minutes
The "event window" can be efficiently compared to the signature
• Negligible effect on the system
Testing or sampling can be done
• at random, or
• at periodic intervals

Challenges
Building signatures is difficult
• Data mining can be used to identify patterns or traits
• Rules can be developed to identify masqueraders
Inherent problem:
• The rules depend on the system and the software, which constantly change
• They may stop working over time.
Is there a more generic way to compare user behavior?
Signature sequence:
• Think of the signature as just a sequence of events for a valid user, recorded over a long time and confirmed to be the true valid user.
Current sequence:
• Think of the current sequence as any moment of real-time computer usage.

Sequence Comparison
Compare the signature sequence with the current sequence.
If they are sufficiently similar, the sequences come from the same user: no masquerade.
If they are different, the sequences come from different users.
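As an added example (not code from the slides), the window-versus-signature comparison of the "Real-time Detection" and "Sequence Comparison" slides in Python. The slides do not say how similarity is scored; this assumes a Smith-Waterman local alignment over command tokens as one concrete choice, and the signature, the event windows and the scoring constants are constructed sample data.

```python
from collections import Counter

# Constructed sample signature: the legitimate user's recorded commands.
SIGNATURE = ["pine", "ls", "cd ..", "g++ main.cpp", "ls", "vi main.cpp",
             "g++ main.cpp", "ls", "pine", "ls", "cd ..", "g++ main.cpp",
             "vi main.cpp", "g++ main.cpp", "ls", "pine", "ls", "cd ..",
             "g++ main.cpp", "ls"]

MATCH, MISMATCH, GAP = 2, -1, -1  # assumed scoring, not from the slides


def local_alignment_score(signature, window):
    """Smith-Waterman score: best local alignment of any stretch of the
    window against any stretch of the signature. Gaps model skipped or
    inserted events; mismatches model substituted events."""
    prev = [0] * (len(window) + 1)
    best = 0
    for a in signature:
        cur = [0]
        for j, b in enumerate(window, 1):
            diag = prev[j - 1] + (MATCH if a == b else MISMATCH)
            cur.append(max(0, diag, prev[j] + GAP, cur[j - 1] + GAP))
            best = max(best, cur[j])
        prev = cur
    return best


def similarity(signature, window):
    """Score divided by the best possible score, so 1.0 means the whole
    window appears verbatim somewhere in the signature."""
    if not window:
        return 1.0
    return local_alignment_score(signature, window) / (MATCH * len(window))


def unseen_events(signature, window):
    """Window events the signature never contains: the 'receptionist
    typed nslookup 30 times' sign from the slides."""
    known = set(signature)
    return Counter(e for e in window if e not in known)


def classify(signature, window, threshold=0.6):
    """Flag the window as a masquerade when it is not similar enough."""
    return "normal" if similarity(signature, window) >= threshold else "masquerade"


if __name__ == "__main__":
    # Constructed event windows: the user's own session and an intruder's.
    own = ["pine", "ls", "cd ..", "g++ main.cpp", "ls", "vi main.cpp"]
    other = ["nslookup", "nslookup", "whoami", "nslookup", "ipconfig", "nslookup"]
    for w in (own, other):
        print(round(similarity(SIGNATURE, w), 2), classify(SIGNATURE, w), dict(unseen_events(SIGNATURE, w)))
```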