60-564 Survey
“Intrusion Detection: Systems and Models”
“A Stateful Intrusion Detection System for World-Wide Web Servers”
Outline
Introduction
Computer attacks
The STAT framework
Intrusion detection systems
A novel IDS: WebSTAT
Performance evaluation
Conclusion
Introduction
Computer security is the protection of computer resources: read and write access to data files, processing time, and communication over a network link.
An intrusion is an attempt by somebody to break into or misuse a system.
An intrusion detection system (IDS) identifies intrusive or malicious behaviour by monitoring activity on a network or on a host.
Computer Attacks
Worms: self-replicating programs that spread across a network.
Viruses: programs that replicate when a user performs some action, such as running a program.
Server attacks: a client exploits a bug in the server to make it perform some unintended action.
Client attacks: a server exploits a bug in a client to make it perform some unintended action.
Network attacks (denial of service): a remote attacker exploits a bug in the network software or a weakness in a protocol to make a server, router, or network fail.
Root attacks: a user on a multiuser operating system obtains the privileges of another user (usually root).
Computer Attacks - Worm
A worm is an independent program that replicates from machine to machine across network connections.
Three kinds of security flaw a worm exploits:
Backdoor: bypasses the normal security mechanisms; usually installed for maintenance purposes.
Buffer overflow: a process consists of code, data, and a stack, and the stack stores the information associated with function calls, including the return address. By writing past the end of a stack buffer, the attacker can both inject malicious code and overwrite the saved return address so that it points to that code.
Weak password: the worm first guesses the administrator's password, then copies itself into the startup configuration so that it runs, and propagates again, every time the machine boots.
Computer Attacks - Virus
A virus is a program capable of causing great harm to a computer.
Unlike a worm, it requires an action by the user in order to spread.
For example, e-mail viruses spread when the recipient runs an attached program.
Computer Attacks - Server Attacks
Nearly every type of service has had vulnerabilities identified and attacked.
For example, IIS 4 installs a number of sample scripts.
These scripts let clients view any file on the same volume as the web server.
Computer Attacks - Client Attacks
Unlike a server attack, a client attack works by waiting for victims to connect to a rogue server.
For example, a buffer overflow vulnerability was found in Outlook.
It allows arbitrary code to be executed by overflowing the time-zone field of the Date header of a mail message.
It is triggered as soon as the user downloads the message from the mail server with Outlook.
Computer Attacks - Network Attacks
Usually denial-of-service (DoS) attacks.
They disturb the normal operation of applications by taking advantage of a weakness in the system or application, causing it to crash or stop responding.
For example, the Ping of Death: an IP datagram can be at most 65,535 bytes long, and some systems crash when they receive a fragmented ICMP echo request whose fragments reassemble to more than that. Sending such an oversized packet caused many TCP/IP implementations to crash.
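The reassembly condition behind the Ping of Death can be checked per fragment from the IPv4 header alone: the fragment offset (in 8-byte units) plus the fragment's payload length, plus the header, must not exceed 65,535 bytes. The following is an added example for this page, not code from the slides or the papers they summarise; it parses a fixed 20-byte IPv4 header, applies that check, and runs it over three constructed fragment headers (the checksum is left at zero, which a real sensor would not accept). The check is protocol-agnostic, so it flags an oversized UDP or TCP fragment just as it flags the ICMP case on the slide.

```python
import struct

IP_MAX_DATAGRAM = 65535   # the 16-bit total-length field caps an IP datagram at 65,535 bytes

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (options ignored) into the fields the check needs."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,               # header length in bytes
        "total_len": total_len,                     # header + payload of this fragment
        "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,        # payload offset in the reassembled datagram, bytes
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }

def reassembled_size(hdr: dict) -> int:
    """Size the datagram reaches once this fragment is placed: one header + offset + this payload."""
    return hdr["ihl"] + hdr["offset"] + (hdr["total_len"] - hdr["ihl"])

def is_oversized_fragment(hdr: dict) -> bool:
    """Ping-of-Death condition: the fragment ends beyond what a 65,535-byte datagram can hold."""
    return reassembled_size(hdr) > IP_MAX_DATAGRAM

def build_ipv4_header(total_len, ident, more_fragments, offset_units, proto=1):
    """Constructed fragment header for testing (checksum left zero; a real sensor verifies it)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def scan(fragments):
    """Sensor loop: (id, src, offset, reassembled size) for every oversized fragment seen."""
    return [(h["id"], h["src"], h["offset"], reassembled_size(h))
            for h in map(parse_ipv4_header, fragments) if is_oversized_fragment(h)]

# Constructed traffic: a normal 1500-byte first fragment, the largest legal last fragment
# (ends exactly at byte 65535), and a Ping-of-Death last fragment at offset 65528 with 1480 payload bytes.
SAMPLE = [
    build_ipv4_header(1500, 0x0101, True, 0),
    build_ipv4_header(23, 0x0202, False, 8189),
    build_ipv4_header(1500, 0x0303, False, 8191),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("oversized fragment", hit)
```

Note that the offending fragment is not itself large: it is a legal 1500-byte packet whose offset field places it past the end of the maximum datagram, which is why a sensor has to reason about offsets rather than packet sizes.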
Computer Attacks - Root Attacks
A user on a multi-user system obtains root or administrative privileges.
Certain programs have the setuid bit set and therefore run with the privileges of their owner, usually root; compromising such a program means obtaining root privileges.
The STAT Framework
STAT is a technique for representing high-level descriptions of computer attacks.
It has six components:
STATL language
Language extension modules
Event providers
Scenario plug-ins
Response modules
STAT core
The STATL Language
An attack description language that uses states and transitions to represent attack scenarios.
It is domain-independent: the IDS developer extends it to express the characteristics of a particular domain and environment, e.g. Sun Solaris or Windows NT.
Language Extension Modules
Shared libraries that define the events describing a particular application domain.
Loaded into the STAT core at run time.
Must be loaded before any scenario plug-in or event provider can use them.
Event Providers
Collect events from the external environment,
create events of the types defined in a language extension module,
encapsulate them as generic STAT events,
and insert them into the event queue of the STAT core.
Scenario Plug-ins
A shared library that describes an attack scenario.
It is either generated from a STATL description or written manually by the user.
Response Modules
A shared library that contains response functions.
When a given state in a scenario is reached, the associated response function is invoked.
For example, it may send an alert to someone, or take steps to stop an ongoing attack once that state is reached.
STAT Core
Loads the various modules,
matches the events supplied by event providers against scenario transitions,
executes the corresponding transitions,
and triggers the responses defined in response modules.
Intrusion Detection Systems
Host-based IDS: uses log files and the system's auditing agents; monitors the communication traffic in and out of a single computer; checks the integrity of system files and processes.
Network-based IDS: monitors the traffic on its network segment; matches three kinds of signatures: string, port, and header signatures.
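The three signature kinds a network-based IDS matches, shown on constructed packets as an added example (this is illustration code written for this page, not a sensor from the slides or the cited papers). The signature set is invented for the example except for two well-known defaults: Back Orifice listened on UDP 31337 and NetBus on TCP 12345. The string-signature path percent-decodes the HTTP request line first, because an encoded `..%2F` would otherwise slip past a signature written as `../`.

```python
from dataclasses import dataclass
from urllib.parse import unquote

@dataclass
class Packet:
    """Constructed summary of one packet after the sensor has decoded its IP and TCP/UDP headers."""
    proto: str                        # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()    # TCP flag names, e.g. {"SYN", "ACK"}
    payload: bytes = b""

# Example signature set, constructed for this illustration (not the slides' own list)
STRING_SIGS = {"dir-traversal": b"../", "cmd-exe": b"cmd.exe", "iis-sample-showcode": b"showcode.asp"}
PORT_SIGS = {31337: "backorifice-default-udp", 12345: "netbus-default-tcp"}
HEADER_SIGS = {
    "syn-fin-scan": lambda p: p.proto == "tcp" and {"SYN", "FIN"} <= p.flags,   # illegal flag combination
    "null-scan": lambda p: p.proto == "tcp" and not p.flags,                    # no flags at all
}

def normalise_http(payload: bytes) -> bytes:
    """Decode %xx escapes in the request line so '..%2f' and '../' hit the same string signature."""
    request_line = payload.split(b"\r\n", 1)[0]
    return unquote(request_line.decode("latin-1")).lower().encode("latin-1")

def match(pkt: Packet) -> list:
    """Return the names of every string, port and header signature the packet triggers."""
    hits = []
    is_http = pkt.payload.startswith((b"GET ", b"POST ", b"HEAD "))
    haystack = normalise_http(pkt.payload) if is_http else pkt.payload.lower()
    hits += [f"string:{name}" for name, needle in STRING_SIGS.items() if needle in haystack]
    if pkt.dport in PORT_SIGS:
        hits.append(f"port:{PORT_SIGS[pkt.dport]}")
    hits += [f"header:{name}" for name, pred in HEADER_SIGS.items() if pred(pkt)]
    return hits

def scan(packets):
    """Sensor loop: (src, dst port, hits) for packets that triggered at least one signature."""
    return [(p.src, p.dport, match(p)) for p in packets if match(p)]

# Constructed packets: an encoded traversal attempt, a SYN/FIN probe, and a datagram to a trojan port
SAMPLE = [
    Packet("tcp", "10.0.0.9", "10.0.0.1", 40000, 80, frozenset({"PSH", "ACK"}),
           b"GET /..%2F..%2Fwinnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: victim\r\n\r\n"),
    Packet("tcp", "10.0.0.9", "10.0.0.1", 40001, 22, frozenset({"SYN", "FIN"})),
    Packet("udp", "10.0.0.9", "10.0.0.1", 40002, 31337, payload=b"\x00" * 8),
]
```

A real sensor would also have to reassemble TCP streams and IP fragments before string matching, since a signature split across two segments matches neither; that is the same class of evasion as the encoding handled here.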
WebSTAT
An IDS developed on top of the STAT framework.
Built by composing the STAT core with a number of web-specific language extension modules, event providers, attack scenario plug-ins, and response modules.
Attack Scenario Examples
Document root escape: correlates events from the web server log and the operating system logs to detect unauthorized file-system access outside the server's document root.
Cookie stealing: detects a valid cookie being improperly used by an unauthorized user to reach protected web resources.
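A working model of the framework described on the preceding slides (event provider, scenarios as states and transitions, a core that forks an instance whenever a prototype leaves its initial state, and a response module) running the two WebSTAT scenarios just listed. This is an added example written for this page in Python; it is not code from the STAT tool suite or from WebSTAT, and it omits STATL timers and the real C++ plug-in mechanism. Everything about the environment is assumed: the DocumentRoot value, an Apache LogFormat of the "combined" format followed by `"%{Set-Cookie}o" "%{Cookie}i"`, the shape of the OS audit line, and the log lines themselves, which are constructed.

```python
import os
import re
from collections import namedtuple
from dataclasses import dataclass, field, replace
from urllib.parse import unquote

DOCROOT = "/var/www/html"   # assumed Apache DocumentRoot (not stated on the slides)
Event = namedtuple("Event", "kind attrs")   # kind: "http" (web-server log) or "open" (OS audit log)
# Assumed LogFormat: Apache "combined" followed by "%{Set-Cookie}o" "%{Cookie}i"
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\w+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" "([^"]*)" "([^"]*)"$')
OPEN_RE = re.compile(r'^open comm=(\S+) path=(\S+)$')   # constructed shape for an OS audit line

def event_provider(lines):
    """Event provider: maps raw log lines to generic STAT events; unparseable lines are dropped."""
    for line in lines:
        if m := WEB_RE.match(line):
            client, path, status, set_cookie, cookie = (None if g == "-" else g for g in m.groups())
            yield Event("http", {"client": client, "path": path, "status": int(status),
                                 "set_cookie": set_cookie, "cookie": cookie})
        elif m := OPEN_RE.match(line):
            yield Event("open", {"comm": m[1], "path": m[2]})

@dataclass
class Transition:
    src: str
    dst: str
    kind: str                              # event kind the transition listens for
    guard: object                          # STATL assertion: guard(event, env) -> bool
    action: object = lambda ev, env: None  # code run when the transition fires

@dataclass
class Scenario:
    name: str
    transitions: list
    final: set
    state: str = "s0"
    env: dict = field(default_factory=dict)   # per-instance variables, as in STATL
    def clone(self):
        return replace(self, env=dict(self.env))

class StatCore:
    """Minimal STAT core: delivers every event to every scenario instance and fires responses."""
    def __init__(self, prototypes, response):
        self.instances = [p.clone() for p in prototypes]   # one prototype per scenario, in s0
        self.response = response
    def feed(self, ev):
        spawned = []
        for inst in self.instances:
            for t in inst.transitions:
                if t.src == inst.state and t.kind == ev.kind and t.guard(ev, inst.env):
                    target = inst.clone() if inst.state == "s0" else inst   # prototype forks, others advance
                    t.action(ev, target.env)
                    target.state = t.dst
                    if target is not inst:
                        spawned.append(target)
                    if target.state in target.final:
                        self.response(target.name, dict(target.env))
                    break
        self.instances = [i for i in self.instances + spawned if i.state not in i.final]

def cookie_stealing():
    """s0 -(server sets a cookie for client A)-> bound -(same cookie sent by client B != A)-> stolen"""
    def bind(ev, env):
        env["cookie"], env["owner"] = ev.attrs["set_cookie"].split(";")[0], ev.attrs["client"]
    return Scenario("cookie_stealing", [
        Transition("s0", "bound", "http", lambda ev, env: ev.attrs["set_cookie"] is not None, bind),
        Transition("bound", "stolen", "http",
                   lambda ev, env: ev.attrs["cookie"] == env["cookie"] and ev.attrs["client"] != env["owner"],
                   lambda ev, env: env.update(thief=ev.attrs["client"])),
    ], {"stolen"})

def outside_docroot(path):
    return os.path.commonpath([DOCROOT, os.path.normpath(path)]) != DOCROOT

def document_root_escape():
    """s0 -(any request)-> requested -(httpd opens the file the request resolves to, outside DOCROOT)-> escaped"""
    def remember(ev, env):
        env["client"], env["request"] = ev.attrs["client"], ev.attrs["path"]
        env["resolved"] = os.path.normpath(DOCROOT + unquote(ev.attrs["path"].split("?")[0]))
    return Scenario("document_root_escape", [
        Transition("s0", "requested", "http", lambda ev, env: True, remember),
        Transition("requested", "escaped", "open", lambda ev, env: ev.attrs["comm"] == "httpd"
                   and os.path.normpath(ev.attrs["path"]) == env["resolved"] and outside_docroot(env["resolved"])),
    ], {"escaped"})

def run(lines):
    alerts = []   # the response module here just records (scenario, env) pairs
    core = StatCore([cookie_stealing(), document_root_escape()], lambda name, env: alerts.append((name, env)))
    for ev in event_provider(lines):
        core.feed(ev)
    return alerts

# Constructed log stream: a session cookie issued to 10.0.0.5 is replayed by 10.0.0.9, which then
# requests an encoded "../" path, and the audit log shows httpd opening /etc/passwd as a result.
SAMPLE = [
    '10.0.0.5 - - [10/Oct/2003:13:55:36 -0700] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/4.0" "SESSID=abc123; Path=/" "-"',
    '10.0.0.5 - - [10/Oct/2003:13:55:40 -0700] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/4.0" "-" "SESSID=abc123"',
    '10.0.0.9 - - [10/Oct/2003:13:57:02 -0700] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/4.0" "-" "SESSID=abc123"',
    '10.0.0.9 - - [10/Oct/2003:13:58:11 -0700] "GET /..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1311 "-" "Mozilla/4.0" "-" "SESSID=abc123"',
    'open comm=httpd path=/var/www/html/../../../etc/passwd',
]
```

`run(SAMPLE)` yields one `cookie_stealing` alert (owner 10.0.0.5, thief 10.0.0.9) followed by one `document_root_escape` alert resolving to `/etc/passwd`. Two details matter in practice: the document-root test uses `os.path.commonpath` rather than a string prefix, so `/var/www/html2/...` is correctly treated as outside `/var/www/html`; and because this model has no timers, every request leaves a `requested` instance behind, which is exactly what STATL's timer transitions exist to clean up.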
Performance Evaluation
Experiments on a host running a standalone Apache server, and on the same Apache server monitored by WebSTAT.
WebSTAT incurs a small overhead in web server throughput.
This is acceptable given the powerful detection capabilities WebSTAT provides.
More careful web server performance tuning would reduce the overhead further.
Conclusion
Presented a classification of computer attacks and of intrusion detection systems.
Described the STAT framework and the IDS implemented on it, WebSTAT.
The performance evaluation shows that although WebSTAT adds a small overhead to the web server, it is acceptable considering the advanced detection capabilities.
References
Sherif, J.S. and Dearmond, T.G., "Intrusion Detection: Systems and Models".
Sundaram, A., "An Introduction to Intrusion Detection".
Mahoney, M., "Computer Security: A Survey of Attacks and Defenses".
Lindqvist, U. and Jonsson, E., "How to Systematically Classify Computer Security Intrusions".
Vigna, G., Robertson, W., Kher, V., and Kemmerer, R.A., "A Stateful Intrusion Detection System for World-Wide Web Servers".
STAT Framework Reference Manual.
Eckmann, S.T., Vigna, G., and Kemmerer, R.A., "STATL: An Attack Language for State-based Intrusion Detection".
Vigna, G., Eckmann, S.T., and Kemmerer, R.A., "The STAT Tool Suite".
Vigna, G., Kemmerer, R.A., and Blix, P., "Designing a Web of Highly-Configurable Intrusion Detection Sensors".