Intrusion Detection & Password Management

Transcription

1 Intrusion Detection & Password Management

2 Intruders, Intrusions

3 Intruders significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders: masquerader misfeasor clandestine user varying levels of competence clearly a growing publicized problem from Wily Hacker in 1986/87 to clearly escalating CERT stats may seem benign, but still cost resources may use compromised system to launch other attacks

4 Examples of Intrusion Performing a remote root compromise of an server Defacing a Web server Guessing and cracking passwords Copying a database containing credit card numbers Viewing sensitive data, including payroll records and medical information, without authorization Running a packet sniffer on a workstation to capture usernames and passwords Using a permission error on an anonymous FTP server to distribute pirated software and music files Dialing into an unsecured modem and gaining internal network access Posing as an executive, calling the help desk, resetting the executive s password, and learning the new password Using an unattended, logged-in workstation without permission

5 Intrusion Detection/Prevention

6 Intrusions Detection Definitions Elements Components of IDS Approaches Misuse Detection Anomaly Detection Deployments Host-based IDSs Network-based IDSs Key-metrics Architecture of Net-IDS

7 Definitions Intrusion: a deliberate unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property and where the misuse may result into or render the property unreliable or unusable. The person who intrudes is an intruder. Instrusion is a set of actions aimed to compromise the security goals, namely : Integrity, confidentiality, or availability, of a computing and networking resource Intrusion detection (ID): The process of identifying and responding to intrusion activities Intrusion prevention: Extension of ID with exercises of access control to protect computers from exploitation

8 six types of intrusions Attempted break-ins, which are detected by atypical behavior profiles or violations of security constraints. An intrusion detection system for this type is called anomalybased IDS. Masquerade attacks, which are detected by atypical behavior profiles or violations of security constraints. These intrusions are also detected using anomaly-based IDS. Penetrations of the security control system, which are detected by monitoring for specific patterns of activity. Leakage, which is detected by atypical use of system resources. Denial of service, which is detected by atypical use of system resources. Malicious use, which is detected by atypical behavior profiles, violations of security constraints, or use of special privileges.

9 Elements Primary assumptions: System activities are observable Normal and intrusive activities have distinct evidence Components of intrusion detection systems: From an algorithmic perspective: Features - capture intrusion evidences Models - piece evidences together From a system architecture perspective: Various components: audit data processor, knowledge base, decision engine, alarm generation and responses

10 Components of IDS system activities are observable normal and intrusive activities have distinct evidence

11 Intrusion Detection Approaches Modeling Features: evidences extracted from audit data Analysis approach: piecing the evidences together Misuse detection (a.k.a. signature-based) Anomaly detection (a.k.a. statistical-based) Deployment: Network-based or Host-based Network based: monitor network traffic Host based: monitor computer processes

12 Misuse Detection Rule-based detection Anomaly Penetration identifications Example: if (src_ip == dst_ip) then land_attack Can t detect new attacks

13 Anomaly Detection Statistical anomaly detections Threshold Profile based problems??? Relatively high false positive rate Anomalies can just be new normal activities. Anomalies caused by other element faults E.g., router failure or misconfiguration, P2P misconfiguration

14 Host-based IDSs Using OS auditing mechanisms E.G., BSM on Solaris: logs all direct or indirect events generated by a user strace for system calls made by a program (Linux) Monitoring user activities E.G., analyze shell commands Problems: user dependent Have to install IDS on all user machines! Ineffective for large scale attacks

15 Network-based IDSs At the early stage of the worm, only limited worm samples. Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage

16 Network-based IDSs Deploying sensors at strategic locations E.G., Packet sniffing via tcpdump at routers Inspecting network traffic Watch for violations of protocols and unusual connection patterns Monitoring user activities Look into the data portions of the packets for malicious code May be easily defeated by encryption Data portions and some header information can be encrypted The decryption engine may still be there, especially for exploit

17 Key Metrics of IDS/IPS Algorithm Alarm: A; Intrusion: I Detection (true alarm) rate: P(A I) False negative rate P( A I) False alarm (aka, false positive) rate: P(A I) True negative rate P( A I) Architecture Throughput of NIDS, targeting 10s of Gbps E.g., 32 nsec for 40 byte TCP SYN packet Resilient to attacks

18 Architecture of Net IDS

19 Firewall/Net IPS vs. Net IDS Firewall/IPS Active filtering Fail-close Network IDS Passive monitoring Fail-open

20 Distributed IDS Traditional systems focused on single-system stand-alone facilities The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork A more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network Major design issues: A distributed intrusion detection system may need to deal with different audit record formats One or more nodes in the network will serve as collection and analysis points for the data from the systems on the network Either a centralized or decentralized architecture can be used

21 Honeypots Decoy systems that are designed to lure a potential attacker away from critical systems Has no production value These systems are filled with fabricated information designed to appear valuable but that a legitimate user of the system wouldn t access Thus, any attempt to communicate with the system is most likely a probe, scan, or attack Designed to: Divert an attacker from accessing critical systems Collect information about the attacker s activity Encourage the attacker to stay on the system long enough for administrators to respond Because any attack against the honeypot is made to seem successful, administrators have time to mobilize and log and track the attacker without ever exposing productive systems Recent research has focused on building entire honeypot networks that emulate an enterprise, possible with actual or simulated traffic and data

22 Password Management (Additional Slide)

23 UNIX Password Scheme

24 Password Selection Strategies The goal is to eliminate guessable passwords while allowing the user to select a password that is memorable Four basic techniques are in use: User education Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords Computer-generated passwords Computer-generated password schemes have a history of poor acceptance by users Users have difficulty remembering them Reactive password checking A strategy in which the system periodically runs its own password cracker to find guessable passwords Proactive password checking A user is allowed to select his or her own password, however, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it

25 Passwords New Ways Use passwords manager applications Use passphrase instead of passwords Random common words instead of gibberish hard-tomemmorized random word (xkcd #936)

26 References W. Stallings, Cryptography and Network Security: Principles and Practice, 7th Ed., Pearson Publishing.

27 Happy Learning ;)

28 Exercise 1. Gunakan wireshark untuk memantau trafik/lalu lintas jaringan kamu Simpan Trafik jaringanmu tersebut selama 30 menit Dari File trafik tersebut: Tentukan berapa banyak trafik ARP, DNS dan HTTP yang lewat? Berapa IP address mu?? Apa DNS server mu?? 2. Asumsikan bahwa password dipilih dari kombinasi empat karakter dari 26 karakter alfabet. Asumsikan bahwa musuh mampu mencoba kata kunci dengan kecepatan one per second. Jawablah pertanyaan dibawah ini : a. Dengan asumsi tidak ada umpan balik kepada lawan sampai setiap usaha telah selesai, berapakah waktu yang diharapkan untuk menemukan kata kunci yang benar? b. Dengan asumsi umpan balik terhadap musuh menandai kesalahan karena setiap karakter salah dimasukkan, berapakah waktu yang diharapkan untuk menemukan kata kunci yang benar?

29 Exercise (2) 3. Carilah dari paper 2 tahun terakhir, teknik intrusion detection yang digunakan. Jelaskan dengan singkat model yang mereka lakukan!