DNA Intrusion Detection Methodology. James T. Dollens, Ph.D Cox Road Roswell, GA (678)

DNA Intrusion Detection Methodology by James T. Dollens, Ph.D., 1675 Cox Road, Roswell, GA 30075, JTDDGC@aol.com, (678) 576-3759. Copyright 2001, 2004 James T. Dollens.

Introduction

Computer viruses, worms and other devices are able to penetrate computer systems by becoming part of an operating system, application or data. When executed, these unauthorized agents have the potential to damage the host system and, using the authority of the host system, to penetrate other systems. Password sub-systems, firewall sub-systems, intrusion detection systems and encryption, which are used to protect computer systems, are external agents designed to encapsulate the operating system, applications and data, protecting them from intrusion.

This paper discusses a dissertation project that proposed to develop an internal function which would differentiate between self and non-self agents by creating unique identifiers for computer systems, as human DNA differentiates individuals. This research project determined a method that would insert identification data into an object to distinguish it uniquely to the operating system on which it resides. This DNA Pattern would serve to create a unique copy of the object and to create an ownership token between the object and the operating system.

Self-defense systems focus on outside-in technology by encapsulating the operating system and its applications. They interrogate the traffic and look for patterns or signatures that indicate the presence of an unwanted artifact. The scope of this study was to:

- Develop an inside-out self-defense methodology.
- Design a specific process for a single node operating system, applying techniques from each step of the methodology.
- Develop, test and analyze this process with a proof of concept system.

Background

Knowing that an object does not belong to an authorized set of objects is an important step in computer system defense. While intrusion detection researchers used external processes to characterize normal activity in order to identify abnormal actions, this project examined computer system defense from an internal perspective. Dr. Stephanie Forrest of the University of New Mexico compared the process of computer system defense to the process used by living organisms to defend against diseases, viruses and other foreign agents (Forrest, Hofmeyr & Somayaji, 1997). Her thesis was to develop a methodology for identifying the self, so that intrusion detection could be used to detect non-self agents. Dr. Forrest suggested procedures for identifying the self by observing patterns of behavior of the system. In this case, non-self might be an unauthorized user, foreign code in the form of a computer virus or worm, unanticipated code in the form of a Trojan horse, or corrupted data.

Even when a computer system is equipped with stringent authentication procedures and firewalls, it is still susceptible to hackers who take advantage of system flaws and social engineering tricks (Goan, 1999). Loscocco, Smalley, Muckelbauer, Taylor, Turner and Farrell (2000) stated that no single technical security solution could provide total system security; a proper balance of security mechanisms must be achieved. Each security mechanism provides a specific security function and should be designed to provide only that function. It should rely on other mechanisms for support and for required security services. In a secure system, the entire set of mechanisms complement each other to provide a complete security package. Systems that fail to achieve this balance will be vulnerable.

A poor password can compromise a company's system even if it is protected by security software such as firewalls, intrusion detection and encryption software. Passwords containing numbers and punctuation are more secure than those without them, but are harder for the average user to remember. Company systems are open to intrusion through virtual networks. Internal communication traffic can be compromised by unauthorized access through these virtual networks. Source authentication and encryption systems can help to keep this information private. Installation of an application may cause security issues by improperly applying (or not applying) security updates provided by the software supplier, or by not following the company's security policy. Denning (1999) stated that the use of standard protocols allows interoperability across networks. While this facilitates communication and sharing, it also has drawbacks: vulnerabilities can be pervasive across computer platforms and organizations, allowing thousands of systems to be swept up in a single attack. These examples demonstrate Sutton's (1998) statement that security against active penetrations is a weak link phenomenon.

Loscocco et al. (2000) concluded that the necessity of operating system security to overall system security is undeniable; the underlying operating system is responsible for protecting application-space mechanisms against tampering, bypassing and spoofing attacks. If it fails to meet this responsibility, system-wide vulnerabilities will result.

Methodology

Applying Dr. Forrest's biological metaphor, this project examined approaches to create unique signatures, or deoxyribonucleic acid (DNA), for computer system objects. A general inside-out methodology using a DNA mechanism was created for managing those objects, and a process was developed by which a system could execute a function to determine whether an object is a valid part of the system. This project developed a computer self-defense system using a system-oriented version of DNA. The goal of developing this general methodology was to formalize the concept of an inside-out perspective of computer system defense. This task resulted in a three-phased DNA Intrusion Detection Methodology: Definition, Creation and Authentication. Note that a patent application for this method has been submitted.

The DNA Definition Phase defines the environment and processes for injecting a DNA Pattern into selected computer system objects. Defined in this phase are the DNA Pattern and a storage facility designated as the External Data Storage Structure (EDSS). The DNA Creation Phase injects the DNA Pattern into the computer system objects, creates a database of the new objects and adds this information to the EDSS. The DNA Authentication Phase authorizes an object for execution by the computer system after verifying its DNA Pattern. The processes in the DNA Definition Phase are executed once, while the DNA Creation and DNA Authentication Phases are executed continuously as new objects are encountered and existing objects are prepared for execution.
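The three phases described above, as an added Python illustration; this is not the author's patented method or code from the paper. Its assumptions are constructed: the EDSS is an in-memory dictionary, the DNA Pattern is a JSON record of four made-up identifier fields, the Creation Phase splices a key-masked copy of the pattern into the object bytes and appends a small trailer, and the Authentication Phase extracts the pattern, looks it up in the EDSS and recreates the original object before it may run. The HMAC that binds each pattern to the exact bytes it certifies is also an added choice (the paper lists checksums and time stamps as future work): without some such binding, a pattern lifted from a certified object could be attached to foreign code, which is the fourth scenario in demo().

```python
"""Toy model of the DNA Definition, Creation and Authentication phases.
Added illustration only; field layout, trailer format, XOR masking and the
HMAC binding are all constructed assumptions, not the paper's design."""
import hashlib
import hmac
import json
import struct

MAGIC = b"DNA1"                      # trailer marker (assumption)
TRAILER = struct.Struct(">4sII")     # magic, offset of hidden pattern, its length


class NonSelfObject(Exception):
    """Raised when an object fails DNA authentication (a non-self object)."""


class EDSS:
    """External Data Storage Structure: repository of certified objects.

    Definition Phase output: the DNA field layout, the protected system's
    identity, and a secret used to bind each pattern to its object's bytes."""
    FIELDS = ("system_id", "object_name", "version", "created")   # constructed

    def __init__(self, system_id: str, key: bytes):
        self.system_id = system_id
        self.key = key
        self.records = {}        # pattern id -> expected binding tag

    def pattern(self, **fields) -> bytes:
        fields["system_id"] = self.system_id
        if set(fields) != set(self.FIELDS):
            raise ValueError("pattern must contain exactly the defined fields")
        return json.dumps(fields, sort_keys=True).encode()

    def tag(self, pattern: bytes, body: bytes) -> bytes:
        # Binds the pattern to the exact bytes it certifies (added choice).
        return hmac.new(self.key, pattern + body, hashlib.sha256).digest()

    def mask(self, data: bytes) -> bytes:
        # Key-derived XOR mask so the pattern is not readable in the clear.
        # Obscuring only: integrity comes from tag(), not from this.
        ks = hashlib.sha256(self.key + b"mask").digest()
        return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))


def create(edss: EDSS, body: bytes, **fields) -> bytes:
    """Creation Phase: register the object in the EDSS and return the
    DNA Steganographic Object (masked pattern spliced into the body + trailer)."""
    pattern = edss.pattern(**fields)
    tag = edss.tag(pattern, body)
    edss.records[hashlib.sha256(pattern).hexdigest()] = tag
    offset = int.from_bytes(tag[:4], "big") % (len(body) + 1)  # splice point
    hidden = edss.mask(pattern)
    return (body[:offset] + hidden + body[offset:]
            + TRAILER.pack(MAGIC, offset, len(hidden)))


def authenticate(edss: EDSS, stego: bytes):
    """Authentication Phase: extract the pattern, check it against the EDSS,
    and return (pattern, original body) only for self objects."""
    if len(stego) < TRAILER.size:
        raise NonSelfObject("no DNA Pattern present")
    magic, offset, plen = TRAILER.unpack(stego[-TRAILER.size:])
    payload = stego[:-TRAILER.size]
    if magic != MAGIC or offset + plen > len(payload):
        raise NonSelfObject("no DNA Pattern present")
    pattern = edss.mask(payload[offset:offset + plen])   # XOR mask is its own inverse
    body = payload[:offset] + payload[offset + plen:]     # recreate the executable
    expected = edss.records.get(hashlib.sha256(pattern).hexdigest())
    if expected is None:
        raise NonSelfObject("DNA Pattern not registered in EDSS")
    if not hmac.compare_digest(expected, edss.tag(pattern, body)):
        raise NonSelfObject("object bytes do not match their DNA Pattern")
    return json.loads(pattern), body


def demo():
    """Constructed scenarios; returns which objects were trapped before execution."""
    edss = EDSS("host-42", b"constructed-secret-key")
    program = b"\x7fELF...constructed executable bytes..."
    stego = create(edss, program, object_name="ls", version="1.0", created="2004-01-01")
    _, off, plen = TRAILER.unpack(stego[-TRAILER.size:])
    suspects = {
        # never registered: carries no pattern at all
        "foreign": b"\x7fELF...unregistered worm bytes...",
        # certified object with one byte flipped
        "tampered": stego[:8] + bytes([stego[8] ^ 0xFF]) + stego[9:],
        # certified pattern lifted and attached to other code
        "copied_pattern": b"worm" + stego[off:off + plen] + TRAILER.pack(MAGIC, 4, plen),
    }
    results = {"certified": authenticate(edss, stego)[1] == program}
    for name, obj in suspects.items():
        try:
            authenticate(edss, obj)
            results[name] = False          # would have run: not trapped
        except NonSelfObject:
            results[name] = True           # trapped for administrator review
    return results


if __name__ == "__main__":
    print(demo())
```

The splice point is derived from the binding tag, so the pattern sits at a different place in each certified object; the trailer records it so that authentication does not need the tag in advance. All four outcomes in demo() should be True: the certified object is recreated byte-for-byte, and the three foreign objects are trapped rather than executed.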

Selected objects processed through the DNA Creation Phase contain identifiers that connect them uniquely to the system. Execution of those objects is accomplished only through the DNA Authentication Phase. While this methodology does not prevent hostile forces from placing unauthorized objects in the system, it will trap those objects and allow the system administrators to review and analyze them prior to execution.

Proof of Concept System

Out of this inside-out view of self-defense, instantiations of the general methodology can be designed to protect different types of objects in computer network configurations of varying complexity. Instantiations of this methodology can be applied to single node operating systems, client/server networks or other multi-node configurations containing multiple operating systems and applications. For the purposes of this study, the researcher limited the methods, procedures and discussion of results to a single node operating system. Analysis of the instantiation worked through the phases and tasks of the general methodology and created specific functions and applications for an individual computer system (single CPU) with one operating system, to protect all executables of that operating system.

A development project was planned and executed to validate a single node instantiation of the general methodology. The purpose of the proof of concept system was to develop a working model of the basic components of the DNA Intrusion Detection Methodology, to determine the impact of the process on an actual environment. The model represented the completion of an instantiation of a DNA Design Phase and contained components that execute the DNA Creation and DNA Authentication Phases. Steganographic functions were developed to hide the DNA Pattern among the executable code. In the DNA Creation Phase, a steganographic function which inserts the DNA Pattern into an executable object, creating a DNA Steganographic Object, was modeled. In the DNA Authentication Phase, the complementary steganographic function was also modeled. This function extracts the DNA Pattern from the DNA Steganographic Object and recreates the executable object.

Tests of the proof of concept system showed that the impact of the DNA Authentication Phase on a 1 GHz stand-alone system was well below the sub-second range. This indicates that the overhead may be within tolerable limits for most scenarios. However, other scenarios, especially server situations, may require significantly faster operation.

Conclusions

The objective of this research project was delivery and discussion of the DNA Intrusion Detection Methodology. Applications of the general methodology to given scenarios are specific examples of how the general methodology can be applied to various defense situations. Deploying specific techniques is part of the development of an instantiation rather than part of the general methodology. The instantiations allow the designer to create and utilize specific techniques, such as cryptography and steganography, for securing and embedding the DNA Pattern in the objects. The use of additional techniques may be based on risk factors or the security policy of the installation.

Practical implementation of this methodology would mean that it should be part of the operating system. This inside-out view would be required to identify unauthorized objects before their execution. Implementation of this method would also increase the level of difficulty for an intruder. While an intruder may gain access to execute objects on a computer system, the intruder would need to access additional authentication levels to change an existing object or to add a new function to the authorized list of objects. Thus, an intruder would be able to copy a worm or virus onto the system, but not be able to execute it.

While constructing each instantiation, the developer should analyze its impact on the systems involved and determine its relative cost and benefit. Before implementation, the analyst should compare the installation's security policy, the value of the system to be protected and the risk of exposure against the impact of the instantiation on the system. Depending on the security requirements and risk assessment, the designer could create an instantiation of the methodology that fits with the other security resources available for this configuration and is in line with the environment's security policy.

Benefits of Implementation

Schneier (2000) stated that there is no known complete security system. Security is a process as well as a collection of devices. The methodology developed during this project is also not a complete security solution, but implementation of instantiations could be viewed as another factor in a suite of security tools. The anticipated benefits of implementing this methodology would be:

1. Establishment of a certified base of operating system and application objects. By creating a self-identity through establishing a repository of known objects, the operating system or application will be enabled to detect unknown or non-self objects.

2. Detection of unauthorized objects before execution or use by the operating system or application. Rule-based intrusion detection systems need prior notification to detect new viruses or Trojan horses. The owners of the intrusion detection system determine the signature of the new object they want to detect and update their system. Otherwise, the new virus or Trojan horse enters a computer system undetected and infects it. Through the self/non-self authorization procedure, this methodology will detect a new virus or Trojan horse before it can infect the computer system.

3. Real-time notification of unauthorized objects.

Given the nature of the process, the methodology will notify the computer system's owner of any object not containing a DNA Pattern.

4. Analysis of the object before its execution. The methodology will enable another system or human administrators to destroy the unauthorized object and replace it with the certified version, or to allow the object to be certified and executed.

Implementation of this methodology would inhibit intrusion types five, six and seven of the Neumann and Parker intrusion taxonomy (Amoroso, 1999). Control Bypass intrusions would be affected since this methodology would insert another level of control over system executables, thereby forcing the intruder to execute another round of analysis before implementing the unauthorized code. For Active Resource Misuse intrusions, the operating system and application resources would be protected since changes would only be allowed through an established update procedure. Given the nature of the DNA insertion process, a Passive Resource Misuse intruder would not be able to view an object in its natural form. An unauthorized intruder may be able to capture an object, but would not be able to execute it because the DNA Intrusion Detection Methodology has disabled the object.

Recommendations for Further Research

Future research should continue to focus on analyzing and developing new instantiations of the general methodology for computer system/operating system scenarios. These instantiations should reflect scenarios more closely aligned to client/server or multi-node environments. The resulting developmental efforts should test the instantiations for weaknesses in the functions or in the methodology itself. The following additional studies are indicated:

- Given the single node instantiation, develop a full simulation that allows researchers to examine the capability of the methodology to detect non-self objects in various scenarios.
- Research and development of a pseudo-execution area to observe the actions of an object before certifying it.
- Research and analysis of other data hiding techniques, from steganography to less resource intensive cryptography, to obscure the DNA Pattern.
- Analysis of the use of other certification techniques or calculations, such as a checksum or date/time stamps, when authenticating an object.
- Analysis of additional DNA properties in order to develop a definition of "unique" across the DNA Domain.
- Design, develop and build a DNA-based self-defense sub-system for an operating system.
- Research the possibility of integrating this methodology with other computer system defense methods.
- Development of a formal meta-language used to define the scope and domain of the system to be protected.
- Research into the network implications of this methodology.
- Research and analysis of techniques for intellectual property protection.

Summary

This was primarily a research and analysis project. However, a proof of concept design and development effort was planned and executed to help the researcher better visualize the impact of this type of self-defense technology on a computer system. The deliverables of this project were:

1. A general inside-out self-defense methodology.
2. An instantiation of the methodology for a single node computer system.
3. A proof of concept system that is an application of some of the processes of the instantiation.
4. Test scenarios that were used to exercise the proof of concept application, and test results that displayed the effect of the process on system overhead.

Anti-virus, access control and intrusion detection systems focus on examining the wall around the objects that are to be secured. Dr. Forrest's work sought to protect an environment by cataloguing patterns of self-behavior so that non-self activity can be detected. The self-defense methodology developed here could be used to create a self-identifying organization, enabling the operating system to identify foreign agents automatically. Loscocco et al. (2000) stated that the increased awareness of the need for security has resulted in increased efforts to add security to computing environments. However, these efforts suffer from the flawed assumption that security can be provided adequately in application space without certain security features in the operating system. In reality, operating system security mechanisms play a critical role in supporting security at higher levels.

The purpose of this project was to develop a methodology for a system to contain its own self-defense mechanism. The result of this research was the development of a methodology that would allow insertion of identification data into an object to identify the object uniquely to the operating system. This identification data, defined as a DNA Pattern, is a sequence of identifier fields. Embedding an operating system DNA Pattern into an object will differentiate it from all other objects of the same function in other operating system locations.

References

Amoroso, E. (1999). Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response. Sparta, NJ: Intrusion.Net Books.

Denning, D. E. (1999). Information Warfare and Security. Reading, MA: Addison-Wesley.

Forrest, S., Hofmeyr, S., & Somayaji, A. (1997). Computer immunology. Communications of the ACM, 40(10), 88-96. Retrieved July 26, 1999, from the ACM online database.

Goan, T. (1999, July). A cop on the beat: Collecting and appraising intrusion evidence. Communications of the ACM, 42(7), 46-52. Retrieved July 23, 1999, from the ACM online database.

Loscocco, P. A., Smalley, S. D., Muckelbauer, P. A., Taylor, R. C., Turner, S. J., & Farrell, J. F. (2000, October 17). The inevitability of failure: The flawed assumption of security in modern computing environments. National Security Agency. Retrieved December 7, 2000, from http://www.esecurityonline.com/library/whitepapers2.asp

Schneier, B. (2000). Secrets and Lies: Digital Security in a Networked World. New York, NY: John Wiley & Sons.

Sutton, S. (1998, March 18). Windows NT security guidelines: Considerations & guidelines for securely configuring Windows NT in multiple environments: A study for NSA Research. Trusted Systems Services Incorporated. Retrieved September 25, 1999, from http://www.trustedsystems.com/nsa_dpg.htm