Intruders and Intrusion Detection. Mahalingam Ramkumar

Transcription

1 Intruders and Intrusion Detection Mahalingam Ramkumar

2 Intruders A significant issue for networked systems hostile or unwanted access either via network or local Classes of intruders: masquerader misfeasor clandestine user Varying levels of competence

3 Intruders Growing and much publicized problem Wily Hacker in 1986/87 escalating CERT stats May seem benign, but still costs resources May use compromised system to launch other attacks

4 The Wily Hacker Lawrence Berkeley Lab (LBL) Decided to observe attacker after detection Collaborative efforts of FBI and many military organizations Off-line monitors to track everything done by the attacker Analyzed by computers loosely coupled to the LAN Not a very sophisticated attacker

5 The Wily Hacker... Just used known and widely reported flaws in O/S es and applications (emacs, vi) Traceback was probably a lot simpler in those days Not too many entry points into the Internet Entry points were usually banks of modems Attacker simultaneously using several entry points Phone records!

6 The Wily Hacker... Provided various baits to the attacker to enable traceback Traced back to many locations Ultimately traced back to Germany Using LBL as the base of operations WH had compromised computers in various other organizations and universities. Spy??? Rumored to have been funded by KGB Three arrests made in 1988.

7 Intrusion Techniques Aim - to increase privileges on a system Basic attack methodology target acquisition and information gathering initial access privilege escalation covering tracks First step is to acquire passwords then exercise access rights of owner

8 Password Guessing One of the most common attacks Attacker knows a login ID (from /web page etc) Then attempts to guess password try default passwords shipped with systems try all short passwords searching dictionaries of common words intelligent searches - try passwords associated with the user (variations on names, birthday, phone, common words/interests) exhaustive search of all possible passwords Check by login attempt or against stolen password file Success depends on password chosen by user Many users choose poorly

9 Password Capture Another attack involves password capture watching over shoulder as password is entered using a trojan horse program to collect monitoring an insecure network login (eg. telnet, FTP, web, ) extracting recorded info after successful login (web history/cache, last number dialed etc) Using valid login/password, can impersonate user Users need to be educated to use suitable precautions/countermeasures

10 Intrusion Detection Not perfect - inevitably will have security failures Need to detect intrusions block access / processes if detected quickly act as deterrent collect info for improving security Assumption - intruder behaves differently (from a legitimate user) may not always be a valid assumption

11 Approaches to Intrusion Detection Statistical anomaly detection threshold profile based Rule-based detection anomaly penetration identification

12 Audit Records Fundamental tool for intrusion detection Native audit records part of all common multi-user O/S already available for use may not have the required info in desired form Detection-specific audit records created specifically to collect required info at cost of additional overhead on the system subject, action, object, exception-conditions, resource-usage, time-stamp

13 Statistical Anomaly Detection Threshold detection Count occurrences of specific event over time if exceeds a reasonable value - assume intrusion By itself a crude & ineffective detector profile based characterize past behavior of users detect significant deviations from this profile usually multi-parameter

14 Audit Record Analysis Foundation of statistical approaches Analyze records to get metrics over time counter, gauge, interval timer, resource use Use various tests on these to determine if current behavior is acceptable mean & standard deviation, multivariate, markov process, time series, operational No prior knowledge used

15 Rule-Based Intrusion Detection Observe events on system & apply rules to decide if activity is suspicious or not Rule-based anomaly detection analyze historical audit records to identify usage patterns & auto-generate rules for them observe current behavior & match against rules like statistical anomaly detection - does not require prior knowledge of security flaws

16 Rule-Based Intrusion Detection Rule-based penetration identification rules identify known penetration, weakness patterns, or suspicious behavior rules usually machine & O/S specific rules are generated by experts who interview & codify knowledge of security admins quality depends on how well this is done compare audit records or states against rules

17 Base-Rate Fallacy An intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms if too few intrusions detected -> false sense of security if too many false alarms -> admins will start ignoring alarms This is very hard to do Existing systems do not seem to have a good record!

18 Base-Rate Fallacy - Example Accuracy of a test for detecting disease D is 85% If D, Pr{+} is 0.85 If not D (or W) Pr{+} is 0.15 D occurs only amongst 1% of the population Let us say some one test positive for D what is the probability of false alarm? False alarm occurrence = A = Pr{+ / W} Pr{W} Total occurrences = B =[Pr{+ / W} Pr{W}] + [Pr{+ / D}Pr{D}] A = 0.15*0.99 = , B = *0.01 = A/B = Pr{False Alarm} = 94.6% If Pr{+ / W} = 0.99 then Pr{False Alarm} = 0.5

19 Distributed Intrusion Detection Traditional focus is on single systems but typically systems are networked More effective defense has these working together to detect intrusions Issues dealing with varying audit record formats integrity & confidentiality of networked data centralized or decentralized architecture

20 Distributed Intrusion Detection Architecture (UC Davis)

21 Distributed Intrusion Detection Agent Implementation

22 Honeypots Decoy systems to lure attackers away from accessing critical systems and collect information of their activities and to encourage attacker to stay on system so administrator can respond (or traceback) Fabricated information Instrumented to collect detailed information on attackers activities May be single or multiple networked systems

23 Password Management Front-line defense against intruders Users supply both: login determines privileges of that user password to authenticate them Passwords often stored encrypted Unix uses multiple DES (crypt(3) DES variant with salt) more recent systems use cryptographic hash functions

24 Managing Passwords Need policies and good user education Ensure every account has a default password different default passwords for different privelege levels Ensure users change the default passwords to something they can remember Protect password file from general access Set technical policies to enforce good passwords minimum length (>6) require a mix of upper & lower case letters, numbers, punctuation block know dictionary words

25 Managing Passwords... May reactively run password guessing tools note that good dictionaries exist for almost any language/interest group May enforce periodic changing of passwords Have system monitor failed login attempts, & lockout account if too many attempts are seen in a short period Need to educate users and get support Balance requirements with user acceptance Be aware of social engineering attacks

26 Proactive Password Checking Most promising approach to improving password security Allow users to select own password But have system verify it is acceptable simple rule enforcement compare against dictionary of bad passwords use algorithmic models (markov model or bloom filter) to detect poor choices.

27 Protecting Passwords SSL/TLS Send username/passwords only over protected channels One-time passwords User generates a hash chain User starts with x 0, computes x 1 =h(x 0 ), x 2 =h( x 1 ) x n =h( x n 1 ) x n stored by the server First login user sends x n 1 Server verifies h( x n 1 )=x n and stores x n 1 Next login user sends x n 2 Server verifies h( x n 2 )=x n 1 and stores x n 2 and so on for n logins

28 Challenge-Response Protocols With Weak Secrets Challenge-response using weak secrets (like passwords) Challenge-response should not reveal weak-secret Convenient to use the weak secret to establish a strong secret. Assume client and server share a weak secret (password) W C-> S: K_W=E(W,K). Encrypt a secret K using the weak secret W as key S: K=(W,K_W); h_k= h(k) S->C: h_k, indicating server has decrypted K as it has access to secret W Issues?

29 Brute Forcing Weak Secrets Attacker has access to K_W=E(W,K) and h_k Attacker can easily brute force the weak weak secret. For every possible weak secret W' Check if h(d(w',k_w))=h_k The value W' for which the above relationship is satisfied is the actual weak secret.

30 Encrypted Key Exchange Client generates asymmetric key pair (R,U) Encrypts public key U using password W C->S: U_W=E(W,U) Server decrypts public key as U=D(W,U_W) Server choose secret K, encrypts using public key U of client; C->S: K' = E_U(K). Client can decrypt K=D_R(K') Server and client Have confirmed that they both have access to the password Have established a strong secret K

31 EKE Attacker has access to U_W=E(W,U) and K'=E_U(K). Attacker brute forces different values of W to get different candidate U's However this does not help attacker determine K Not so fast! Attacker may only need to know U_W IF the public key U has a known structure

32 EKE If the public key is easily distinguishable from a random value Only the correct W' will yield a valid public key For example, let public key U be RSA modulus For different choice of W' attacker will get different random U' But a random U' will not have the structure required for a RSA modulus A large number that is almost impossible to factorize And can be easily recognized as not being a prime (by doing Fermat's test)

33 EKE Work Around Generate RSA with large encryption exponent e Do not encrypt modulus n, only encrypt exponent e Most random numbers cannot be distinguished from a valid encryption exponent (any odd number can be an encryption exponent) Use Diffie Hellman Any number can be a valid public key α=g a mod p Bottom line... Do not encrypt any known value or any non random value using a weak secret Else, weak secret can be brute-forced easily.