DNA Intrusion Detection Methodology
by James T. Dollens, Ph.D.
1675 Cox Road, Roswell, GA 30075
JTDDGC@aol.com, (678) 576-3759
Copyright 2001, 2004 James T. Dollens

Introduction
Computer viruses, worms and other malicious code penetrate computer systems by becoming part of an operating system, an application or data. When executed, these unauthorized agents can damage the host system and, using the authority of the host system, penetrate other systems. Password sub-systems, firewalls, intrusion detection systems and encryption, the mechanisms commonly used to protect computer systems, are external agents designed to encapsulate the operating system, applications and data and protect them from intrusion.

This paper discusses a dissertation project that proposed to develop an internal function that differentiates between self and non-self agents by creating unique identifiers for computer systems, much as human DNA differentiates individuals. The project determined a method for inserting identification data into an object to distinguish it uniquely to the operating system on which it resides. This DNA Pattern creates a unique copy of the object and an ownership token binding the object to the operating system.

Existing self-defense systems focus on outside-in technology: they encapsulate the operating system and its applications, interrogate the traffic and look for patterns or signatures that indicate the presence of an unwanted artifact. The scope of this study was to:
- Develop an inside-out self-defense methodology.
- Design a specific process for a single node operating system, applying techniques from each step of the methodology.
- Develop, test and analyze this process with a proof of concept system.

Background
Knowing that an object does not belong to an authorized set of objects is an important step in computer system defense. While intrusion detection researchers have used external processes to characterize normal activity and identify abnormal actions, this project examined computer system defense from an internal perspective. Dr. Stephanie Forrest of the University of New Mexico compared computer system defense to the process living organisms use to defend against diseases, viruses and other foreign agents (Forrest, Hofmeyr & Somayaji, 1997). Her thesis was to develop a methodology for identifying the self so that intrusion detection could detect non-self agents, and she suggested procedures for identifying the self by observing patterns of system behavior. In this setting, non-self might be an unauthorized user, foreign code in the form of a computer virus or worm, unanticipated code in the form of a Trojan horse, or corrupted data.

Even when a computer system is equipped with stringent authentication procedures and firewalls, it remains susceptible to hackers who take advantage of system flaws and social engineering (Goan, 1999). Loscocco, Smalley, Muckelbauer, Taylor, Turner and Farrell (2000) stated that no single technical security solution can provide total system security; a proper balance of security mechanisms must be achieved. Each security mechanism provides a specific security function and should be designed to provide only that function, relying on other mechanisms for support and for required security services. In a secure system, the entire set of mechanisms complement each other to provide a complete security package; systems that fail to achieve this balance will be vulnerable.

A poor password can compromise a company's system even when it is protected by security software such as firewalls, intrusion detection and encryption. Passwords containing numbers and punctuation are more secure than those without them, but are harder for the average user to remember. Company systems are open to intrusion through virtual networks, and internal communication traffic can be compromised by unauthorized access through those networks; source authentication and encryption can help keep this information private. Installing an application may introduce security issues when the supplier's security updates are applied improperly or not at all, or when the company's security policy is not followed. Denning (1999) stated that the use of standard protocols allows interoperability across networks; while this facilitates communication and sharing, it also means that vulnerabilities can be pervasive across computer platforms and organizations, allowing thousands of systems to be swept up in a single attack. These examples demonstrate Sutton's (1998) statement that security against active penetrations is a weak link phenomenon. Loscocco et al. (2000) concluded that the necessity of operating system security to overall system security is undeniable: the underlying operating system is responsible for protecting application-space mechanisms against tampering, bypassing and spoofing attacks, and if it fails to meet this responsibility, system-wide vulnerabilities will result.

Methodology
Applying Dr. Forrest's biological metaphor, this project examined approaches to create unique signatures, or deoxyribonucleic acid (DNA), for computer system objects.
A general inside-out methodology using a DNA mechanism was created for managing those objects, and a process was developed by which a system can execute a function to determine whether an object is a valid part of the system. This project developed a computer self-defense system using a system-oriented version of DNA. The goal of the general methodology was to formalize the concept of an inside-out perspective on computer system defense. This task resulted in a three-phased DNA Intrusion Detection Methodology: Definition, Creation and Authentication. Note that a patent application for this method has been submitted.

The DNA Definition Phase defines the environment and processes for injecting a DNA Pattern into selected computer system objects. Defined in this phase are the DNA Pattern itself and a storage facility designated the External Data Storage Structure (EDSS). The DNA Creation Phase injects the DNA Pattern into the computer system objects, creates a database of the new objects and adds this information to the EDSS. The DNA Authentication Phase authorizes an object for execution by the computer system after verifying its DNA Pattern. The processes in the DNA Definition Phase are executed once, while the DNA Creation and DNA Authentication Phases are executed continuously as new objects are encountered and existing objects are prepared for execution. Selected objects processed through the DNA Creation Phase contain identifiers that connect them uniquely to the system, and execution of those objects is possible only through the DNA Authentication Phase. While this methodology does not prevent an adversary from placing unauthorized objects on the system, it traps those objects and allows the system administrators to review and analyze them prior to execution.

Proof of Concept System
From this inside-out view of self-defense, instantiations of the general methodology can be designed to protect different types of objects in network configurations of varying complexity: single node operating systems, client/server networks, or other multi-node configurations containing multiple operating systems and applications. For the purposes of this study, the researcher limited the methods, procedures and discussion of results to a single node operating system. Analysis of the instantiation worked through the phases and tasks of the general methodology and created specific functions and applications for an individual computer system (single CPU) with one operating system, protecting all executables of that operating system.

A development project was planned and executed to validate a single node instantiation of the general methodology. The purpose of the proof of concept system was to build a working model of the basic components of the DNA Intrusion Detection Methodology and determine the impact of the process on an actual environment. The model represented the completion of an instantiation of the DNA Definition Phase and contained components that execute the DNA Creation and DNA Authentication Phases. Steganographic functions were developed to hide the DNA Pattern within the executable code. For the DNA Creation Phase, a steganographic function that inserts the DNA Pattern into an executable object, creating a DNA Steganographic Object, was modeled. For the DNA Authentication Phase, the complementary steganographic function was also modeled; it extracts the DNA Pattern from the DNA Steganographic Object and recreates the executable object.

Tests of the proof of concept system showed that the overhead of the DNA Authentication Phase on a 1 GHz stand-alone system was well under one second per object. This indicates that the overhead may be within tolerable limits for most scenarios; other scenarios, especially servers, may require significantly faster operation.

Conclusions
The objective of this research project was the delivery and discussion of the DNA Intrusion Detection Methodology. Applications of the general methodology to given scenarios are specific examples of how it can be applied to various defense situations. Deploying specific techniques is part of developing an instantiation rather than part of the general methodology; the instantiations allow the designer to create and utilize specific techniques, such as cryptography and steganography, for securing and embedding the DNA Pattern in the objects. The use of additional techniques may be based on risk factors or the security policy of the installation.

Practical implementation of this methodology would mean making it part of the operating system, since the inside-out view requires identifying unauthorized objects before their execution. Implementation would also raise the level of difficulty for an intruder. While an intruder may gain access to execute objects on a computer system, the intruder would need to defeat additional authentication levels to change an existing object or add a new function to the authorized list of objects. Thus, an intruder would be able to copy a worm or virus onto the system, but not to execute it.

While constructing each instantiation, the developer should analyze its impact on the systems involved and determine its relative cost and benefit. Before implementation, the analyst should weigh the installation's security policy, the value of the system to be protected and the risk of exposure against the impact of the instantiation on the system. Depending on the security requirements and risk assessment, the designer can create an instantiation that fits with the other security resources available for the configuration and is in line with the environment's security policy.

Benefits of Implementation
Schneier (2000) stated that there is no known complete security system; security is a process as well as a collection of devices. The methodology developed during this project is likewise not a complete security solution, but instantiations of it could be viewed as another factor in a suite of security tools. The anticipated benefits of implementing this methodology would be:

1. Establishment of a certified base of operating system and application objects
By creating a self-identity through a repository of known objects, the operating system or application is enabled to detect unknown, or non-self, objects.

2. Detection of unauthorized objects before execution or use by the operating system or application
Rule-based intrusion detection systems need prior notification to detect new viruses or Trojan horses: the owners of the intrusion detection system determine the signature of the new object they want to detect and update their system; otherwise the new virus or Trojan horse enters the computer system undetected and infects it. Through the self/non-self authorization procedure, this methodology detects a new virus or Trojan horse before it can infect the computer system, because the object carries no valid DNA Pattern whether or not its signature is known.

3. Real-time notification of unauthorized objects
Given the nature of the process, the methodology notifies the computer system's owner of any object not containing a DNA Pattern.

4. Analysis of the object before its execution
The methodology enables another system or human administrators to destroy the unauthorized object and replace it with the certified version, or to allow the object to be certified and executed.

Implementation of this methodology would inhibit intrusion types five, six and seven of the Neumann and Parker intrusion taxonomy (Amoroso, 1999). Control Bypass intrusions would be affected because the methodology inserts another level of control over system executables, forcing the intruder through another round of analysis before the unauthorized code can be run. For Active Resource Misuse intrusions, operating system and application resources would be protected because changes would be allowed only through an established update procedure. Given the nature of the DNA insertion process, a Passive Resource Misuse intruder would not be able to view an object in its natural form: an intruder may be able to capture an object, but would not be able to execute it, because the DNA insertion leaves the object disabled outside the DNA Authentication Phase.

Recommendations for Further Research
Future research should continue to analyze and develop new instantiations of the general methodology for computer system and operating system scenarios, particularly scenarios more closely aligned to client/server or multi-node environments. The resulting development efforts should test the instantiations for weaknesses in the functions and in the methodology itself. The following additional studies are indicated:
- Given the single node instantiation, develop a full simulation that allows researchers to examine the capability of the methodology to detect non-self objects in various scenarios.
- Research and development of a pseudo-execution area in which to observe the actions of an object before certifying it.
- Research and analysis of other data hiding techniques, from steganography to less resource-intensive cryptography, to obscure the DNA Pattern.
- Analysis of the use of other certification techniques or calculations, such as a checksum or date/time stamps, when authenticating an object.
- Analysis of additional DNA properties in order to develop a definition of uniqueness across the DNA Domain.
- Design, develop and build a DNA-based self-defense sub-system for an operating system.
- Research the possibility of integrating this methodology with other computer system defense methods.
- Development of a formal meta-language to define the scope and domain of the system to be protected.
- Research into the network implications of this methodology.
- Research and analysis of techniques for intellectual property protection.

Summary
This was primarily a research and analysis project. However, a proof of concept design and development effort was planned and executed to help the researcher better visualize the impact of this type of self-defense technology on a computer system. The deliverables of this project were:
1. A general inside-out self-defense methodology.
2. An instantiation of the methodology for a single node computer system.
3. A proof of concept system that applies some of the processes of the instantiation.
4. Test scenarios used to exercise the proof of concept application, and test results showing the effect of the process on system overhead.

Anti-virus, access control and intrusion detection systems focus on examining the wall around the objects to be secured. Dr. Forrest's work sought to protect an environment by cataloguing patterns of self-behavior so that non-self activity can be detected. The self-defense methodology developed here could be used to create a self-identifying organization, enabling the operating system to identify foreign agents automatically. Loscocco et al. (2000) stated that increased awareness of the need for security has resulted in increased efforts to add security to computing environments; however, these efforts suffer from the flawed assumption that security can be provided adequately in application space without certain security features in the operating system. In reality, operating system security mechanisms play a critical role in supporting security at higher levels. The purpose of this project was to develop a methodology for a system to contain its own self-defense mechanism.
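The three phases described under Methodology, and the embed/extract pair modeled in the Proof of Concept System, can be sketched in code. The Python below is an added example written for this page; it is not the dissertation's code or its proof of concept system, and the dissertation does not disclose its steganographic functions. The pattern fields (system_id, object_name, version), the trailer layout, the keyed XOR used as a stand-in for the steganographic function, and the HMAC integrity check (the kind of checksum the paper lists under further research rather than something the proof of concept did) are this example's assumptions, and the sample executable bytes are constructed.

```python
"""Toy model of the DNA phases (Definition, Creation, Authentication).
Added illustration, not the dissertation's code: field names, trailer layout,
keyed-XOR stand-in for steganography and the HMAC check are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

MAGIC = b"DNA1"  # hypothetical marker framing the embedded pattern


@dataclass(frozen=True)
class DNAPattern:
    """A sequence of identifier fields (the field choice is an assumption)."""
    system_id: str    # operating system instance that owns the object
    object_name: str
    version: int

    def encode(self) -> bytes:
        return f"{self.system_id}|{self.object_name}|{self.version}".encode()

    @classmethod
    def decode(cls, raw: bytes) -> DNAPattern:
        system_id, name, version = raw.decode().split("|")
        return cls(system_id, name, int(version))


class EDSS:
    """External Data Storage Structure: the Definition phase fixes system id
    and key once; Creation registers objects; Authentication gates execution."""

    def __init__(self, system_id: str, system_key: bytes):
        self.system_id = system_id
        self._key = system_key
        self.records: dict[str, tuple[DNAPattern, bytes]] = {}

    def _keystream(self, pattern: DNAPattern, length: int) -> bytes:
        # Keyed stream bound to the pattern: an object certified on another
        # system (different system_id or key) cannot be recreated here.
        out = b""
        for counter in range((length + 31) // 32):
            msg = pattern.encode() + struct.pack(">I", counter)
            out += hmac.new(self._key, msg, hashlib.sha256).digest()
        return out[:length]

    def _digest(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def create(self, name: str, executable: bytes, version: int = 1) -> bytes:
        """Creation phase: inject the pattern and record the object in the EDSS."""
        pattern = DNAPattern(self.system_id, name, version)
        self.records[name] = (pattern, self._digest(executable))
        stream = self._keystream(pattern, len(executable))
        body = bytes(a ^ b for a, b in zip(executable, stream))
        raw = pattern.encode()
        # Layout: obscured body | MAGIC | pattern | 2-byte pattern length
        return body + MAGIC + raw + struct.pack(">H", len(raw))

    def authenticate(self, name: str, obj: bytes) -> tuple[bool, str, bytes]:
        """Authentication phase: (authorized, reason, recreated executable)."""
        if len(obj) < 2:
            return False, "no DNA Pattern: non-self object", b""
        (n,) = struct.unpack(">H", obj[-2:])
        cut = -2 - n                      # start of the embedded pattern
        if n == 0 or obj[cut - len(MAGIC):cut] != MAGIC:
            return False, "no DNA Pattern: non-self object", b""
        try:
            pattern = DNAPattern.decode(obj[cut:-2])
        except ValueError:                # UnicodeDecodeError is a ValueError
            return False, "malformed DNA Pattern", b""
        record = self.records.get(name)
        if record is None or record[0] != pattern:
            return False, "DNA Pattern does not match EDSS record", b""
        body = obj[:cut - len(MAGIC)]
        executable = bytes(a ^ b for a, b in zip(body, self._keystream(pattern, len(body))))
        if not hmac.compare_digest(self._digest(executable), record[1]):
            return False, "integrity check failed: object altered", b""
        return True, "authorized", executable


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Constructed sample: one certified object and three non-self attempts."""
    edss = EDSS("host-A", b"example-system-key")        # Definition phase
    exe = b"\x7fELF" + bytes(range(64))                  # constructed stand-in
    stego = edss.create("ls", exe)                       # Creation phase
    other = EDSS("host-B", b"other-system-key")
    copied = other.create("ls", exe)      # same program, certified elsewhere
    patched = bytes([stego[0] ^ 0x01]) + stego[1:]       # one-bit patch
    cases = {
        "certified object": edss.authenticate("ls", stego),
        "unpatterned worm": edss.authenticate("worm", b"\xcc" * 64),
        "copied from host-B": edss.authenticate("ls", copied),
        "patched in place": edss.authenticate("ls", patched),
    }
    return {k: (ok, reason) for k, (ok, reason, _) in cases.items()}


if __name__ == "__main__":
    for label, (ok, reason) in run_scenarios().items():
        print(f"{label:18s} -> {'execute' if ok else 'quarantine'}: {reason}")
```

Only the certified object is recreated and released for execution; the other three are trapped with a reason the administrator can act on, which is the review-before-execution behaviour the methodology describes. The "copied from host-B" case shows why the pattern must carry an owning-system field: the same program certified on another system decodes to a different DNA Pattern and is rejected here. The "patched in place" case shows the limit of the pattern alone: a valid pattern can survive a patch to the body, so an integrity check over the recreated object (the checksum the paper lists as further research) is what catches in-place modification.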
The result of this research was a methodology that allows insertion of identification data into an object to identify the object uniquely to the operating system. This identification data, defined as a DNA Pattern, is a sequence of identifier fields. Embedding an operating system's DNA Pattern into an object differentiates it from all other objects of the same function in other operating system locations.

References
Amoroso, E. (1999). Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response. Sparta, NJ: Intrusion.Net Books.
Denning, D. E. (1999). Information Warfare and Security. Reading, MA: Addison-Wesley.
Forrest, S., Hofmeyr, S., & Somayaji, A. (1997). Computer immunology. Communications of the ACM, 40(10), 88-96. Retrieved July 26, 1999, from the ACM online database.
Goan, T. (1999, July). A cop on the beat: Collecting and appraising intrusion evidence. Communications of the ACM, 42(7), 46-52. Retrieved July 23, 1999, from the ACM online database.
Loscocco, P. A., Smalley, S. D., Muckelbauer, P. A., Taylor, R. C., Turner, S. J., & Farrell, J. F. (2000, October 17). The inevitability of failure: The flawed assumption of security in modern computing environments. National Security Agency. Retrieved December 7, 2000, from http://www.esecurityonline.com/library/whitepapers2.asp
Schneier, B. (2000). Secrets and Lies: Digital Security in a Networked World. New York, NY: John Wiley & Sons.
Sutton, S. (1998, March 18). Windows NT security guidelines: Considerations & guidelines for securely configuring Windows NT in multiple environments: A study for NSA Research. Trusted Systems Services Incorporated. Retrieved September 25, 1999, from http://www.trustedsystems.com/nsa_dpg.htm