Transcript Slide 1

CSci530:
Computer Security Systems
Intrusion Detection and Response
19 November 2004
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Announcements
• Mid-term grading done
– See TA’s to collect graded exam
• All paper proposals responded to
• Final exam December 13th
– We may have some new experimental features on the
discussion board focused around last year's exam.
– We will spend time reviewing during part of final lecture
• Final lecture on December 3
– Will cover multiple current topics suggested by the class
– Send email to [email protected] with requests for topics.
• Class evaluations on December 3rd
– I need a volunteer to distribute and collect evaluations
– See me during break
Components of ID systems
• Collectors
– Gather raw data
• Director
– Reduces incoming traffic and finds
relationships
• Notifier
– Accepts data from director and takes
appropriate action
Advanced IDS models
• Distributed Detection
– Combining host and network
monitoring (DIDS)
– Autonomous agents
(Crosbie and Spafford)
Intrusion Response
• Intrusion Prevention
– (marketing buzzword)
• Intrusion Response
– How to react when an intrusion is
detected
Possible Responses
– Notify administrator
– System or network lockdown
– Place attacker in controlled environment
– Slow the system for offending processes
– Kill the process
Phases of Response
(Bishop)
– Preparation
– Identification
– Containment
– Eradication
– Recovery
– Follow up
PREPARATION
• Generate baseline for system
– Checksums of binaries
▪ For use by tools such as Tripwire
• Develop procedures to follow
• Maintain backups
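An added example (not from the lecture, and not Tripwire's own code) of the baseline step on this slide, in Python: hash every regular file under a root, sign the baseline with an HMAC so that an intruder who can rewrite binaries cannot quietly rewrite the baseline as well, and diff the live tree against it. The directory layout, file contents and signing key are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Added example, not the lecture's and not Tripwire's code.  The signing key is a
# constructed placeholder; in practice key and baseline live off the monitored host.
BASELINE_KEY = b"constructed-demo-key-keep-offline"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map relative path -> hash, size and mode for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():   # is_file() follows links; record only real files
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline

def sign_baseline(baseline: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form, so an edited baseline fails verification."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def baseline_is_authentic(baseline: dict, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), tag)

def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline; sorted lists of changed paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed system tree: baseline it, simulate an intrusion, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sbin").mkdir()
        (root / "etc").mkdir()
        (root / "sbin" / "login").write_bytes(b"\x7fELF original login binary")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)
        tag = sign_baseline(baseline, BASELINE_KEY)

        # Simulated intrusion: trojaned binary, hosts file pointed at a fake bank,
        # a hidden file dropped, and a file deleted.
        (root / "sbin" / "login").write_bytes(b"\x7fELF trojaned login binary")
        with (root / "etc" / "hosts").open("a") as f:
            f.write("198.51.100.7 www.bank.example\n")
        (root / "sbin" / ".rootkit").write_bytes(b"payload")
        (root / "etc" / "motd").unlink()

        # The intruder also edits a copy of the baseline to hide the trojaned binary.
        tampered = json.loads(json.dumps(baseline))
        tampered["sbin/login"]["sha256"] = sha256_file(root / "sbin" / "login")

        report = verify(root, baseline)
        report["baseline_authentic"] = baseline_is_authentic(baseline, BASELINE_KEY, tag)
        report["tampered_baseline_authentic"] = baseline_is_authentic(tampered, BASELINE_KEY, tag)
        return report
```

The baseline and the key must live where the intruder cannot reach them (read-only media or a separate host), and the checker must run from binaries that are themselves trusted; a rootkit that controls the kernel or the hashing program can simply lie to it.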
IDENTIFICATION
• This is the role of the ID system
– Detect attack
– Characterize attack
– Try to assess motives of attack
– Determine what has been affected
CONTAINMENT
• Passive monitoring
– To learn intent of attacker
– Learn new attack modes so one can defend
against them later
• Constraining access
– Locking down system
– Closing connections
– Blocking at firewall, or closer to source
• Combination
– Constrain activities, but don’t let attacker know
one is doing so (Honeypots, Jail).
ERADICATION
• Prevent attack or effects of attack from
recurring.
– Locking down system (also in
containment phase)
– Blocking connections at firewall
– Isolate potential targets
RECOVERY
• Restore system to safe state
– Check all software for backdoors
– Recover data from backup
– Reinstall but don’t get re-infected before
patches applied.
FOLLOWUP
• Take action against attacker.
– Find origin of attack
• Notify other affected parties
– Some of this occurs in earlier
phases as well
• Assess what went wrong and
correct procedures.
• Find buggy software that was
exploited and fix
Limitations of Monolithic ID
• Single point of failure
• Limited access to data sources
• Only one perspective on transactions
• Some attacks are inherently distributed
– Smurf
– DDoS
• Conclusion: “Complete solutions” aren’t
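An added example (not from the lecture) that puts the three components from the "Components of ID systems" slide into Python and shows why a monolithic detector misses a distributed attack: a host collector parses constructed sshd lines, two network sensors parse constructed flow records, the director correlates them, and the notifier picks a response. Fed one sensor's data alone, the SYN flood never crosses the threshold; fed both sensors' data, it does. All log lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Added example, not the lecture's code.  Log formats, hosts and addresses are constructed.

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since an arbitrary epoch
    kind: str      # "auth_fail", "auth_ok" or "syn"
    src: str       # attacking address
    dst: str       # host name or "ip:port" under attack

AUTH_RE = re.compile(r"^(?P<ts>\d+) sshd: (?P<result>Failed|Accepted) password for \S+ from (?P<src>[\d.]+)$")
FLOW_RE = re.compile(r"^(?P<ts>\d+) flow (?P<src>[\d.]+) -> (?P<dst>[\d.]+:\d+) SYN$")

def host_collector(hostname, lines):
    """Collector: raw sshd log lines from one host -> events."""
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            kind = "auth_fail" if m["result"] == "Failed" else "auth_ok"
            yield Event(int(m["ts"]), kind, m["src"], hostname)

def net_collector(lines):
    """Collector: one sensor's flow records -> events."""
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            yield Event(int(m["ts"]), "syn", m["src"], m["dst"])

class Director:
    """Director: reduce the event stream and find relationships across collectors."""
    def __init__(self, window=60, fail_threshold=5, flood_sources=20):
        self.window, self.fail_threshold, self.flood_sources = window, fail_threshold, flood_sources
        self.events = []

    def ingest(self, events):
        self.events.extend(events)

    def analyze(self):
        alerts = []
        # Rule 1 (host view): N failed logins from one source, then a success.
        by_pair = defaultdict(list)
        for e in sorted(self.events, key=lambda e: e.ts):
            if e.kind in ("auth_fail", "auth_ok"):
                by_pair[(e.src, e.dst)].append(e)
        for (src, dst), evs in by_pair.items():
            fails = 0
            for e in evs:
                if e.kind == "auth_fail":
                    fails += 1
                    continue
                if fails >= self.fail_threshold:
                    alerts.append({"rule": "bruteforce_success", "src": src, "target": dst})
                fails = 0
        # Rule 2 (network view): many distinct sources SYN one target within the window.
        # A single sensor may not see enough sources; only the merged view crosses the bar.
        by_target = defaultdict(list)
        for e in self.events:
            if e.kind == "syn":
                by_target[e.dst].append(e)
        for dst, evs in by_target.items():
            evs.sort(key=lambda e: e.ts)
            i = 0
            for j in range(len(evs)):
                while evs[j].ts - evs[i].ts > self.window:
                    i += 1
                sources = {e.src for e in evs[i:j + 1]}
                if len(sources) >= self.flood_sources:
                    alerts.append({"rule": "distributed_syn_flood", "target": dst, "sources": len(sources)})
                    break
        return alerts

def notifier(alerts):
    """Notifier: map each alert to one of the responses listed on the slides."""
    actions = []
    for a in alerts:
        actions.append(("notify_admin", a["rule"]))
        if a["rule"] == "bruteforce_success":
            actions.append(("block_at_firewall", a["src"]))   # one source: block it
        elif a["rule"] == "distributed_syn_flood":
            actions.append(("rate_limit", a["target"]))       # many sources: per-source blocks do not scale
    return actions

# Constructed data: a brute force against web01, and a SYN flood each sensor only half sees.
HOST_LOG = [f"{100 + i} sshd: Failed password for root from 203.0.113.5" for i in range(6)]
HOST_LOG.append("107 sshd: Accepted password for root from 203.0.113.5")
SENSOR_A = [f"{200 + i} flow 198.51.100.{i + 1} -> 192.0.2.10:80 SYN" for i in range(12)]
SENSOR_B = [f"{200 + i} flow 198.51.100.{i + 13} -> 192.0.2.10:80 SYN" for i in range(12)]

def demo():
    """Return (alerts with one sensor, alerts with both sensors, actions for the latter)."""
    alone = Director()
    alone.ingest(host_collector("web01", HOST_LOG))
    alone.ingest(net_collector(SENSOR_A))
    shared = Director()
    shared.ingest(host_collector("web01", HOST_LOG))
    shared.ingest(net_collector(SENSOR_A))
    shared.ingest(net_collector(SENSOR_B))
    combined = shared.analyze()
    return alone.analyze(), combined, notifier(combined)
```

The director here is also the single point of failure the slide warns about: if it is down or compromised, neither rule fires. Sharing the sensor feeds between two directors, or having the sensors cross-check, is what the next slides are about.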
Sharing Information
• Benefits
– Increased robustness
– More information for all components
– Broader perspective on attacks
– Capture distributed attacks
• Risks
– Eavesdroppers, compromised
components
Sharing Information
• Communication risks can be
resolved cryptographically (at least
in part)
• Defining appropriate level of
expression
– Efficiency
– Expressivity
– Specificity
CIDF
• Common Intrusion Detection
Framework
– Collaborative work of DARPA-funded projects in the late 1990s
– Task: Define language, protocols
to exchange information about
attacks and responses
CISL
• Common Intrusion Specification
Language
– Conveys information about attacks
using ordinary English words
– E.g., User joe obtains root access
on demon.example.com at 2003
Jun 12 14:15 PDT
CISL
• Problem: Parsing English is hard
• S-expressions (Rivest)
– Lisp-like grouping using parentheses
– Simplest examples: (name value) pairs
(Username 'joe')
(Hostname 'demon.example.com')
(Date '2003 Jun 12 14:15 PDT')
(Action obtainRootAccess)
CISL
• Problems with simple pairs
– Confusion about roles played by entities
▪ Is joe an attacker, an observer, or a
victim?
▪ Is demon.example.com the source or
the target of the attack?
– Inability to express compound events
▪ Can’t distinguish attackers in multiple
stages
• Group objects into GIDOs (Generalized Intrusion Detection Objects)
CISL: Roles
• Clarifies roles identified by descriptors
(Attacker
(Username 'joe')
(Hostname 'carton.example.com')
(UserID 501)
)
(Target
(Hostname 'demon.example.com')
)
CISL: Verbs
• Permit generic description of actions
(Compromise
(Attacker …)
(Observer
(Date '2003 Jun 12 14:15 PDT')
(ProgramName ‘GrIDSDetector’)
)
(Target …)
)
CISL: Conjunctions
• Permit expression of compound
events
– HelpCause: Indicates partial
causality
– InOrder: Indicates sequencing
– AsAWayOf: Indicates multiple
views of the same attack
CISL: Open S-expressions
• Lambda calculus-like macros
(def CompromiseHost $1 $2 $3
(Compromise
(Attacker (Username $1))
(Target (Hostname $2))
(Observer (Date $3))
)
)
CISL: Open S-expressions
• Originally defined to reduce payload
• Also usable for database queries
– Look for all records matching
‘CompromiseHost’
– Difficulty: Store expanded form or
macro form in database?
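An added example (not from the lecture, and not CIDF's own implementation) in Python covering the last four CISL slides: a parser for the S-expression form, lookup of a role's descriptors in a GIDO, expansion of the open S-expression macro, and a query that matches the macro body as a pattern against stored records. The GIDOs are the ones on the slides; the macro-pattern query and the nesting limit are this example's own additions (an S-expression parser that accepts GIDOs from other sites should have such a limit).

```python
import re

# Added example, not the lecture's and not CIDF's code.  GIDOs are the slides'
# examples; the pattern query and the depth limit are this example's additions.

class Sym(str):
    """A bare symbol (Compromise, Attacker, $1).  Quoted strings stay plain str."""

TOKEN_RE = re.compile(r"\(|\)|'[^']*'|[^\s()']+")
MAX_DEPTH = 64   # refuse a GIDO nested deeply enough to exhaust the stack

def parse(text):
    tokens = TOKEN_RE.findall(text)
    pos = 0
    def read(depth):
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            if depth > MAX_DEPTH:
                raise ValueError("nesting too deep")
            items = []
            while pos < len(tokens) and tokens[pos] != ")":
                items.append(read(depth + 1))
            if pos >= len(tokens):
                raise ValueError("unbalanced parentheses")
            pos += 1
            return items
        if tok == ")":
            raise ValueError("unexpected ')'")
        return tok[1:-1] if tok.startswith("'") else Sym(tok)
    expr = read(0)
    if pos != len(tokens):
        raise ValueError("trailing data after expression")
    return expr

def unparse(expr):
    if isinstance(expr, list):
        return "(" + " ".join(unparse(e) for e in expr) + ")"
    return str(expr) if isinstance(expr, Sym) else f"'{expr}'"

def role(gido, name):
    """Descriptors of the first (name ...) clause, e.g. role(g, "Attacker")."""
    if isinstance(gido, list):
        if gido and isinstance(gido[0], Sym) and gido[0] == name:
            return {d[0]: d[1] for d in gido[1:] if isinstance(d, list) and len(d) == 2}
        for e in gido:
            found = role(e, name)
            if found is not None:
                return found
    return None

def define(macros, expr):
    """(def Name $1 $2 ... body) registers Name -> (params, body)."""
    if not (isinstance(expr, list) and len(expr) >= 3 and expr[0] == "def"):
        raise ValueError("not a def form")
    macros[expr[1]] = (expr[2:-1], expr[-1])

def substitute(expr, bindings):
    if isinstance(expr, list):
        return [substitute(e, bindings) for e in expr]
    return bindings.get(expr, expr) if isinstance(expr, Sym) else expr

def expand(expr, macros):
    """Replace (Name a b c) by the macro body with $n bound to the arguments."""
    if isinstance(expr, list) and expr and isinstance(expr[0], Sym) and expr[0] in macros:
        params, body = macros[expr[0]]
        if len(expr) - 1 != len(params):
            raise ValueError(f"{expr[0]} takes {len(params)} arguments")
        return expand(substitute(body, dict(zip(params, expr[1:]))), macros)
    return [expand(e, macros) for e in expr] if isinstance(expr, list) else expr

def match(pattern, expr, bindings=None):
    """Unify a macro body ($n are variables) with an expanded record; None if no match."""
    b = {} if bindings is None else bindings
    if isinstance(pattern, Sym) and pattern.startswith("$"):
        if pattern in b and b[pattern] != expr:
            return None
        b[pattern] = expr
        return b
    if isinstance(pattern, list) and isinstance(expr, list):
        if len(pattern) != len(expr):
            return None
        return b if all(match(p, e, b) is not None for p, e in zip(pattern, expr)) else None
    return b if type(pattern) is type(expr) and pattern == expr else None

DEFINITION = ("(def CompromiseHost $1 $2 $3 (Compromise (Attacker (Username $1))"
              " (Target (Hostname $2)) (Observer (Date $3))))")
WIRE = "(CompromiseHost 'joe' 'demon.example.com' '2003 Jun 12 14:15 PDT')"
FULL = """(Compromise
  (Attacker (Username 'joe') (Hostname 'carton.example.com') (UserID 501))
  (Observer (Date '2003 Jun 12 14:15 PDT') (ProgramName 'GrIDSDetector'))
  (Target (Hostname 'demon.example.com')))"""

def demo():
    macros = {}
    define(macros, parse(DEFINITION))
    expanded = expand(parse(WIRE), macros)      # what a receiver stores
    full = parse(FULL)                          # the hand-written GIDO from the roles slide
    body = macros["CompromiseHost"][1]
    hits = [b for b in (match(body, rec) for rec in (expanded, full)) if b is not None]
    return {"expanded": unparse(expanded), "attacker": role(expanded, "Attacker"),
            "full_attacker": role(full, "Attacker"), "hits": hits}
```

The query answers the storage question one way: store the expanded form and keep the macro body as the query pattern. Note that the hand-written GIDO from the roles slide does not match, because its Attacker clause carries descriptors the macro never mentions; that is the "too many ways to say the same thing" problem in miniature.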
Testing CISL
• CISL is expressive, leading to questions
– Is it ambiguous?
▪ Does a given GIDO have more than
one interpretation?
– Is it overbuilt?
▪ Is there more than one GIDO that
expresses the same thing (aside from
reordering)?
Testing CISL
• GIDO Bake-offs
– June 1999: Demonstration of simple
corroboration
– October 2000: Semantic testing
▪ Group A: Devised
scenarios/questions
▪ Group B: Only knows scenarios,
creates GIDOs
▪ Group C: Only knows questions,
receives GIDOs
▪ Three levels: Easy, medium, gnarly
Lessons from CISL
• Lessons from testing,
standardization efforts
– Heavyweight
– Not ambiguous, but too many
ways to say the same thing
– Mismatch between what CISL can
say and what detectors/analyzers
can reliably know
Enter IDWG
• Intrusion Detection Working Group
– WG of Internet Engineering Task
Force
– Chief product: IDMEF
▪ Intrusion Detection Message
Exchange Format
▪ Driven by many CIDF
participants
IDMEF
• XML-based; defines a DTD for ID messages
• Reduced vocabulary
– Roles reduced to analyzer (observer),
source, target
– Extra information for identifying
exploits, buffer overflows
– Provision for indicating that previous
alerts are related
– No provision for response prescriptions
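An added example (not from the lecture or the IDWG) that recasts the CISL compromise event from the earlier slides into IDMEF's reduced vocabulary and reads it back, using Python's ElementTree and the element and attribute names of the IDMEF specification as later published (RFC 4765): Analyzer, Source, Target, Classification, and CorrelationAlert for the related-alert reference. The message ids, the source address and the CorrelationAlert name are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Added example, not the lecture's or IDWG's code.  Element and attribute names
# follow RFC 4765; message ids, the address and the correlation name are constructed.
NS = "http://iana.org/idmef"
ET.register_namespace("idmef", NS)

def _sub(parent, tag, content=None, **attrs):
    el = ET.SubElement(parent, f"{{{NS}}}{tag}", **attrs)
    if content is not None:
        el.text = content
    return el

def ntpstamp(t: datetime) -> str:
    """IDMEF time elements carry an NTP timestamp: seconds since 1900 and a 32-bit fraction."""
    unix = t.timestamp()
    secs = int(unix) + 2208988800
    frac = int((unix - int(unix)) * (1 << 32))
    return f"0x{secs:08x}.0x{frac:08x}"

def build_alert(messageid, analyzerid, created, source, target, classification, related_ids=()):
    """Roles reduced to Analyzer (observer), Source, Target; related alerts in CorrelationAlert."""
    root = ET.Element(f"{{{NS}}}IDMEF-Message", version="1.0")
    alert = ET.SubElement(root, f"{{{NS}}}Alert", messageid=messageid)
    _sub(alert, "Analyzer", analyzerid=analyzerid)
    _sub(alert, "CreateTime", created.isoformat(), ntpstamp=ntpstamp(created))
    src = _sub(alert, "Source")
    node = _sub(src, "Node", category="dns")
    _sub(node, "name", source["name"])
    _sub(_sub(node, "Address", category="ipv4-addr"), "address", source["address"])
    uid = _sub(_sub(src, "User", category="os-device"), "UserId", type="original-user")
    _sub(uid, "name", source["user"])
    _sub(uid, "number", str(source["uid"]))
    _sub(_sub(_sub(alert, "Target"), "Node", category="dns"), "name", target["name"])
    _sub(alert, "Classification", text=classification)
    if related_ids:
        corr = _sub(alert, "CorrelationAlert")
        _sub(corr, "name", "same attacker, earlier stage")
        for rid in related_ids:
            _sub(corr, "alertident", rid)
    return ET.tostring(root, encoding="unicode")

def summarize(xml_text):
    """What a receiving console pulls out of an alert."""
    ns = {"i": NS}
    alert = ET.fromstring(xml_text).find("i:Alert", ns)
    return {
        "analyzer": alert.find("i:Analyzer", ns).get("analyzerid"),
        "source": alert.findtext("i:Source/i:Node/i:name", namespaces=ns),
        "source_user": alert.findtext("i:Source/i:User/i:UserId/i:name", namespaces=ns),
        "target": alert.findtext("i:Target/i:Node/i:name", namespaces=ns),
        "classification": alert.find("i:Classification", ns).get("text"),
        "related": [e.text for e in alert.findall("i:CorrelationAlert/i:alertident", ns)],
    }

def demo():
    pdt = timezone(timedelta(hours=-7))
    xml_text = build_alert(
        messageid="msg-0042",
        analyzerid="GrIDSDetector",
        created=datetime(2003, 6, 12, 14, 15, tzinfo=pdt),
        source={"name": "carton.example.com", "address": "192.0.2.7", "user": "joe", "uid": 501},
        target={"name": "demon.example.com"},
        classification="root compromise",
        related_ids=["msg-0041"],
    )
    return xml_text, summarize(xml_text)
```

Two practical caveats. Alerts arrive from sensors that may themselves be compromised, so parse them with entity expansion disabled (the defusedxml package rather than the stdlib parser when the input comes off a socket) and authenticate the transport; IDWG's companion transport, IDXP (RFC 4767), was defined to run over BEEP with TLS for that reason.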
IDWG Status
• IDMEF (and other IDWG drafts)
– Submitted to IESG for
advancement to IETF Draft
Standard (as standards-track RFC)
CSci530:
Computer Security Systems
Wireless Technologies and Implications
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute
What’s Different
• Easy (but wrong) answer:
– Wireless communication involves transmission of data
by radio or similar means, and this allows an attacker to
read the data more readily without requiring physical
access to the network.
• The problem with this explanation:
– If you have been paying attention during this course,
you will likely note that we have been assuming it is
easy for an attacker to intercept data anyway, even on
wired networks. Good security design should assume
this. Yes, it is a little easier for an attacker to eavesdrop
with wireless, but there are so many other ways to get
the data that wireless doesn’t really change this part.
What’s Different
• The real answer:
– Wireless communications devices are
often disconnected.
– Such devices may have limited storage or
limited computation abilities.
– Such systems CAN be deployed in ways that create
greater vulnerabilities if the basic protocols running
on such systems have not applied
confidentiality protection.
– Such systems may be more vulnerable to jamming.
– Such systems create a less accountable path
into the network.
A False Sense of Security
• Solutions that provide encryption at the
network layer or below provide a false
sense of security.
– WEP: Wired Equivalent Privacy is just that.
▪ Doesn’t solve the end to end problems.
▪ Wires aren’t that hard to tap anyway.
– Attacks on WEP
▪ A repeated IV gives two frames the same RC4 key
stream; one known plaintext then recovers it.
▪ Shared-key authentication reveals a key stream
(challenge XOR response).
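An added example (not from the lecture) of the two WEP attacks on this slide, in Python with a toy WEP built from a real RC4 and a CRC-32 ICV: first, two frames under one IV share a key stream, so a guessable plaintext in one frame decrypts the other; second, shared-key authentication hands an eavesdropper a challenge/response pair that yields the key stream for that IV, which is enough to answer the access point's next challenge without knowing the key. The key, IVs and frame contents are constructed, and the 802.11 header is omitted.

```python
import os
import struct
import zlib

# Added example, not the lecture's code.  Toy WEP: per-packet key IV||key, RC4,
# CRC-32 ICV.  Key, IVs and frame contents are constructed.

def rc4(key: bytes, length: int) -> bytes:
    """RC4 key stream: key scheduling, then the pseudo-random generation loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV in clear || RC4(IV||key) XOR (plaintext || CRC-32)."""
    body = plaintext + icv(plaintext)
    return iv + xor(rc4(iv + key, len(body)), body)

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    data = xor(rc4(iv + key, len(body)), body)
    plaintext, tag = data[:-4], data[-4:]
    if icv(plaintext) != tag:
        raise ValueError("ICV mismatch")
    return plaintext

# Attack 1: same IV, same key stream; one known plaintext exposes it.
def keystream_from_known(frame: bytes, known_plaintext: bytes) -> bytes:
    return xor(frame[3:], known_plaintext + icv(known_plaintext))

def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    return xor(frame[3:], keystream)[:-4]

# Attack 2: shared-key authentication sends the challenge in clear and its WEP
# encryption back, a (plaintext, ciphertext) pair that yields the key stream for
# that IV.  WEP never forbids reusing an IV, so that key stream answers any
# later challenge without the key.
def forge_auth_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    return iv + xor(keystream, challenge + icv(challenge))

KEY = bytes.fromhex("0f1e2d3c4b")      # constructed 40-bit WEP key

def demo() -> dict:
    iv = b"\x00\x00\x01"               # 24-bit IV space, so repeats are inevitable
    p1 = b"ARP who-has 192.0.2.1 tell 192.0.2.7"   # guessable frame
    p2 = b"POST /login user=joe&pw=hunter2"        # victim frame under the same IV
    c1, c2 = wep_encrypt(KEY, iv, p1), wep_encrypt(KEY, iv, p2)
    recovered = decrypt_with_keystream(c2, keystream_from_known(c1, p1))

    auth_iv = b"\x00\x00\x02"
    challenge = os.urandom(128)                       # AP -> station, in clear
    response = wep_encrypt(KEY, auth_iv, challenge)   # station -> AP, sniffed
    auth_keystream = keystream_from_known(response, challenge)
    new_challenge = os.urandom(128)                   # AP's challenge to the attacker
    forged = forge_auth_response(auth_iv, auth_keystream, new_challenge)
    accepted = wep_decrypt(KEY, forged) == new_challenge   # what the AP checks
    return {"recovered": recovered, "forged_auth_accepted": accepted}
```

Not shown: the ICV is a CRC and therefore linear, so an attacker holding a key stream can also modify frames undetected, and the Fluhrer, Mantin and Shamir weak-IV attack recovers the key itself. Both reinforce the slide's point that link-layer secrecy here is a false sense of security and end-to-end protection is still needed.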
A False Claim of Security
• Beware of papers like the Bluetooth paper
in the final week's assigned readings.
– These kinds of papers appear all the time,
pointing to vulnerabilities in competing
products or protocols and showing how their
solution does not exhibit these weaknesses.
– Keep in mind that weaknesses and vulnerabilities
are usually approach-specific. That an
alternative doesn't exhibit the SAME
vulnerabilities is not at all surprising.
Bluetooth Vulnerabilities
• Bluetooth exhibits serious vulnerabilities
in its interface to the user.
– Similar to SSL URL authentication problems.
▪ i.e. that you know the name of the server you were talking to, but not
that it was the right server.
– SNARF Attack
▪ Connect to device without alerting owner
– Backdoor Attack
▪ Establish trust by pairing, then remove the device
from the victim's list of paired devices while the
trust relationship remains.
– Problem is too few protection domains.
▪ Connection grants access to most data on the device.
Wireless to Improve Security
• Wireless promotes less constrained
reconfiguration.
– Topology of network is not constrained by
physical wires.
– Examples in sensor nets.
▪ Home burglary example
• Spread spectrum can be used as a
security tool.
– If codes secret, useful to hide communication.
– Resistant to jamming.
Peer to Peer and Ad Hoc Security
• Security protocols may have phases
independent of central infrastructure.
• Services may be provided by
untrusted nodes.
• Messages need to be relayed by
untrusted nodes.
• Devices may be overrun.
• Collusion is possible (Byzantine failure).
Review for Final Exam - Cryptography
• Basic Crypto
– Transposition, Substitution
– Mathematical
• Modes of operation
– ECB
– Chaining and stream modes
▪ CBC, CFB, OFB
• Some systems
– RSA, DES, 3DES, AES
• Digital Signatures
• Key Sizes
Review for Final Exam – Authentication
and Key Management
• Choosing Keys
• Authentication and Key Distribution
– PKI
– Kerberos
• Group Key Management
Review for Final Exam - Authorization
• Access Matrix
• Policy Models
– Bell-LaPadula, Biba, Chinese Wall
– MAC – Mandatory Access Controls
– Clark Wilson
– Role Based Access Controls
– Least Privilege
• Distributed Mechanisms
– Proxies
– GAA-API
Review for Final Exam - Intrusions
• Detection - how
– Signature based
– Anomaly based
• Detection - where
– Network based
– Host based
– Application based
• Coordination of detection
• Response
• Recovery
• Forensics
Review for Final Exam - Wireless
• The real differences
– Devices and connectivity
• Some of the benefits
– Redundancy of communication paths
– Autonomy
• WEP as an example of vulnerabilities
• Need for end-to-end security
Summary
• Be critical
– Look for the vulnerabilities in systems.
▪ Protocol errors.
▪ Vulnerabilities in administration.
▪ Incorrect assumptions about the environment.
▪ Failure to meet the high level goals even if the
system functions perfectly.
– Assume that there will be failures
▪ Defense in depth
▪ Mitigation
Current event
• Advanced email phishing attacks steal passwords and
compromise computer security
Source: http://www.theregister.co.uk/2004/11/04/phishing_exploit/
Fraudsters have developed phishing emails capable of automatically
stealing bank log-in details without requiring users to click on a
website link, email filtering firm MessageLabs warns.
Over the last two weeks, MessageLabs has monitored a small number
of these dangerous new emails, which are capable of sidestepping
the need for user intervention in phishing attacks.
Users need only open maliciously constructed emails to be exposed
to risk. These emails contain scripts that rewrite the hosts files of
targeted machines.
This means that next time a user attempts to access their online
banking account they will be automatically redirected to a fraudulent
website instead, enabling their log-in details to be stolen.