Siena CSIS 116 - Intrusion Detection

Intrusion Detection
Dr. Eric Breimer
Computer Science Department
Siena College
01/13/19

Outline
• What is Intrusion Detection?
• Types of Attacks
• Malicious Activities
• Masquerade Attack
• Masquerade Detection
• Command Recording
• Event Recording
• Computer Usage
• Identifying Users
• Building Signatures
• Real-time Detection
• Challenges
• Sequence Comparison
• The Real Problems
• DNA Sequence Comparison
• Event Sequence Comparison
• Comparison Scores
• Advantages
• How well does it work?
• What else can it do?
• Implications
• Summary

What is Intrusion Detection?
Monitoring a computer network to detect a variety of security attacks, including
• Hacker attacks
• Insider attacks
• Masquerade attacks
This talk focuses on the masquerade attack.

Types of Attacks: Hacker Attack
Unauthorized user
Bogus account and privileges
Recognizable:
• A system administrator may notice the intrusion before a malicious action is committed.

Types of Attacks: Insider Attack
Authorized user
Legitimate account and privileges
Malicious activities
No repudiation:
• Once discovered, it's hard for the insider to cover his tracks.

Types of Attacks: Masquerade Attack
Hacker assumes the identity of an authorized user
Malicious activities are attributed to an innocent user
Repudiation:
• Easier for the hacker to cover his trail.

Malicious Activities
Data disclosure
• Accessing proprietary information, leading to fraud
Data insertion, removal and modification
• Modifying proprietary information, leading to fraud
Denial of Service (DoS)
Sabotage

Masquerade Attack: Methods
Remote attack
• Packet sniffer
• Spyware
• Used simply to gain the user's password
On-site attack
• Computer left logged in
• Insider with physical access

Masquerade Attack: Challenges
Password disclosure may be impossible to detect
• Physical disclosure, simple eavesdropping
Access as a legitimate user with authorized privileges such as
• remote access
• permission to turn off security systems such as firewalls or intrusion detection software
Data disclosure can be impossible to detect
• If the legitimate user has access to the proprietary information
Scapegoat
• The legitimate user takes the heat
• Minimizes risk in an insider attack

Masquerade Detection
How can you detect a masquerader on your computer system?
To answer this question, we need to ask a more basic question:
How can you distinguish two users based on their computer usage?

Command Recording
Command-line operating systems like UNIX can easily record and archive every command typed at a prompt.
Example:
> pine
> ls
> cd ..
> g++ main.cpp

Event Recording
GUI-based operating systems like Windows or MacOS respond to every input event:
• Mouse move
• Key press
• Button click
Every event can be recorded.
Primitive input events can be merged into high-level events:
<program opened> <program name>
<file saved> <file name> <time stamp>
<editfind selected> <search string>
<query executed> <query name>
Recorded in real time. Archived in log files.

Computer Usage
Individuals use computers in different ways. Examples:
• Every morning the first program I open is Outlook (95% of the time).
• Two of my co-workers rarely use Outlook (10%); they prefer Web-based Outlook.
• I use CTRL-C to copy text (99%). A co-worker frequently (50%) uses the Edit > Copy menu option to copy text.
More examples:
• For three years, Cynthia, the receptionist, has never opened a command prompt in Windows.
• She has never typed the command nslookup.
• On Thursday, she typed nslookup 30 times.
Subtle signs can identify a user.
Users have habits
• I always keep Outlook open in the background
Users exhibit patterns
• I always type g++ main.cpp -o test.exe
• I never type g++ -o test.exe main.cpp
Users frequently repeat tasks
• Daily basis
• Weekly basis

Identifying Users
Build a signature for each user:
• Record a user's behavior (commands or events) over a period of time.
• A signature somehow captures a user's normal behavior.
• In real time, compare a user's current behavior with the signature.
• If the current behavior does not match the signature, assume it's a masquerade attack.

Building Signatures: Assumptions
You are recording a legitimate user
• Physical verification, or
• Closed environment
Duration of recording is long enough to
• capture the user's unique traits
• summarize a variety of common tasks

Real-time Detection: Assumptions
Use a "window" of time
• i.e., events from the last 10 minutes
The "event window" can be efficiently compared to the signature
• Negligible effect on the system
Testing or sampling can be done
• at random, or
• at periodic intervals

Challenges
Building signatures is difficult.
Data mining can be used to identify patterns or traits; rules can be developed to identify masqueraders.
Inherent problem: the rules depend on the system and the software, which constantly change, so they may stop working over time.
Is there a more generic way to compare user behavior?
Signature sequence:
• Think of the signature as just a sequence of events for a valid user, recorded over a long time and confirmed to be the true valid user.
Current sequence:
• Think of the current sequence as any moment of real-time computer usage.

Sequence Comparison
Compare the signature sequence with the current sequence.
If they are sufficiently similar, the sequences come from the same user => No masquerade.
If they are different, the sequences come from different users

