Attack - Informatik 4

Lehrstuhl für Informatik 4
Kommunikation und verteilte Systeme

Chapter 5.2: Intrusion Detection

Overview:
Chapter 2: Security Techniques Background
Chapter 3: Security on Network and Transport Layer
Chapter 4: Security on the Application Layer
Chapter 5: Security Concepts for Networks
• Firewalls
• Intrusion Detection
5.2: Intrusion Detection
• Intrusion detection techniques
• Misuse detection
• Anomaly detection
• Specification-based anomaly detection
• Transaction-based anomaly detection

Attacks (Intrusions)

Even if a network is protected by a firewall, attacks can be started on it.

An attack, also called intrusion, is defined as any set of actions that attempts to compromise a resource regarding
• confidentiality,
• integrity, or
• availability
Steps of an intrusion attempt:
1. Target selection
2. Information collection
3. Attack
4. System modification
5. Hiding of traces

Step 2: Information Collection

Information retrieval:
• Structure of the network
• Used operating systems
• Installed software
• Accounts

Sources of information:
• Communication with users (shoulder surfing, socializing, social engineering, etc.)
• Actions on site (dumpster diving, theft, etc.)
• Actions on computers
• Communication with experts
• Communication with other potential attackers

Attacks by protocol layer:

Protocol      Attack
ICMP          Ping of Death, Ping Sweep
UDP           UDP Scan
TCP           SYN Flood, SYN Scan, FIN Scan, SYN/ACK Scan, SYN/FIN Scan, RST Scan, Xmas Tree Scan
Application   FTP Bounce Attack
Process       Deadlock, Buffer Overflow, Race Condition
Step 3: Attack – Example: Scanning

Identify the network structure, the available hosts, their operating system and the available services.

FIN Scan: identify open ports by polling all ports using TCP
Port closed: Attacker --FIN--> Server, Server --RST--> Attacker
Port open:   Attacker --FIN--> Server, no reply from the server

Step 3: Attack – SYN Flood Attack

• Denial-of-Service (DoS) attack
• Establishment of a certain number of half-open TCP connections in order to prevent the server from opening any other connections
• Attacker sends several SYN packets in order to establish connections, which are answered by the target with the corresponding SYN/ACK packets
• Attacker never answers the received SYN/ACK packets, i.e. he never completes the 3-way handshake of TCP's connection establishment
• Half-open connections are discovered by the server through timeouts, but the attacker sends connection requests at a higher rate
• At some point, all resources of the server are reserved for these half-open connections

Figure: message sequence of the SYN flood. Attacker --SYN--> Server; Server --SYN, ACK--> Attacker; the attacker's ACK is not sent; this repeats (SYN / SYN, ACK / ... / SYN) until the server's resources are exhausted.
Step 3: Attack – Buffer Overflow

Figure: address space of the process from 0x0000 (bottom) to 0xFFFF (top): the heap, then the stack holding the buffer, the local variables and the return address. A buffer overflow overwrites the return address so that it points to the attack code.

• The stack on a host keeps track of the location of the instruction following a procedure call so that control can be passed back to that instruction
• Corrupting the stack can cause the system to return to a random address
• Attackers use this feature to induce a system to execute arbitrary code
• Attacker crafts a character string that overwrites the buffer so that the content of the return pointer field is overwritten with alternative values
• Altered values cause the system to execute an inserted command
• Particularly interesting in combination with processes running with super user privilege

Step 3: Attack – Race Condition
Step  System calls done by rdistd           System calls done by the attacker
0     execv("/usr/ucb/rdist");
1     fd=creat("/ko/rdista768");
2     write(fd, ...);
3     close(fd);
4                                           rename("/ko/rdista768", "/ko/tmp");     (timing window)
5                                           symlink("/bin/sh","/ko/rdista768");     (timing window)
6     chown("/ko/rdista768", owner);
7     chmod("/ko/rdista768", pmode);
8     rename("/ko/rdista768", "/ko/data");

The attacker uses the timing window (steps 4 and 5) to place the file he wants to have access to.

A timing window exists between the time an attribute is checked and the time it is actually used, e.g.
• rdist (remote file distribution program)
• rdist and rdistd run with root privileges
• rdistd creates a temporary file (1), writes new data to the temporary file (2, 3), changes the ownership (6) and the permission mode (7) of the temporary file to correspond to the master, and renames the temporary file (8)
• chmod changes the permission mode of /bin/sh

Intrusion Detection

Firewalls…
• do not protect against internal attacks
• do not protect against errors in software
• do not protect against configuration errors
• do not protect against errors of external servers
• do not protect against connection hijacking
• can be eluded
→ Intrusion Detection to deal with these problems

In addition to a firewall, run an Intrusion Detection System (IDS) in your network to detect attacks

Needed:
• Monitoring of the network traffic and generation of events if something happens (i.e. constantly process a network audit)
• Processing of events, generating alarms
• Defining actions to be taken in presence of certain alarms

Common Intrusion Detection Framework (CIDF)
Figure: CIDF component graph. E-box1 and E-box2 observe the network and generate events; A-box1, A-box2 and A-box3 analyse them; D-box1 stores events; R-box1 responds to alarms.

Event boxes (E-boxes)
• Generate audit events that are processed by the IDS
Analysis boxes (A-boxes)
• Process events from the E-boxes to create alarms
Database boxes (D-boxes)
• Store events for later retrieval
Response boxes (R-boxes)
• Apply countermeasures to the system according to the alarms generated
Intrusion Detection Techniques

Misuse Detection:
• Specify abnormal (attack) behavior through attack signatures
• Monitor network for occurrences of attack signatures

Anomaly Detection:
• Specify normal behavior
• Monitor the network for deviations from the normal behavior

Anomaly detection techniques and systems:

Technique                          System
Quantitative analysis              IDES
Profile-based:
  Mean/standard deviation          IDES
  Multivariate statistics          IDES
  Markov processes                 IDES
  Cluster analysis                 LB
Rule-based                         TIM, Wisdom & Sense
Specification-based                C. Ko
Transaction-based

Misuse detection techniques and systems:

Technique                          System
Expert systems                     IDES, NIDES, MIDAS, EMERALD
Modelling of state transitions by
  Finite state machines            STAT, USTAT
  Petri nets                       IDIOT
Languages                          RUSSEL

Misuse Detection – Expert Systems
Example of fact matching:
[+e:event|event_type==login, return_code==BAD_PASSWORD]

Example of rule declaration:
rule[Bad_Login(#10;*):
  [+e:event| event_type==login, return_code==BAD_PASSWORD]
  ==>[+bad_login| username=e.username, hostname=e.hostname]
  [-|e]
  [!|printf("Bad login for user %s from host %s\n", e.username, e.hostname)]
]

Misuse Detection – Petri Nets

IDIOT (Intrusion Detection In Our Times)
• Knowledge-based IDS using Colored Petri Nets
• Example: number of unsuccessful login attempts exceeds four within a minute

Figure: Colored Petri net with places S1 (start) to S5 (final). Four consecutive "unsuccessful login" transitions lead from S1 to S5; the first is stamped t=T1, the last t=T2, and the final transition carries the guard T2 - T1 ≤ 60 s.

Misuse Detection – Finite State Machines

USTAT (Unix State Transition Analysis):
• State transition diagram as a graphical representation of a penetration scenario
• Example: mail bug

Step  Command                             Comment
1.    %cp /bin/csh /usr/spool/mail/root   assumes no root mail file
2.    %chmod 4755 /usr/spool/mail/root    make setuid file
3.    %touch x                            create empty file
4.    %mail root < x                      mail root empty file
5.    %/usr/spool/mail/root               execute setuid-to-root shell
6.    root %

State transition diagram (Object=/usr/spool/mail/root):
S1 --attacker creates(object)--> S2 --attacker mod_setuid(object)--> S3 --attacker mod_ouid(object)--> S4

State assertions:
S1: 1. exists(object)=false     2. attacker ≠ root
S2: 1. owner(object)=attacker   2. setuid(object)=disabled
S3: 1. owner(object)=attacker   2. setuid(object)=enabled
S4: 1. owner(object)≠attacker   2. setuid(object)=enabled
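The mail-bug scenario above, as an added example (not USTAT's own code): the four state assertions become Python predicates over a constructed file-system model, and the signature actions create, mod_setuid and mod_ouid advance the scenario while a constructed audit trail is replayed; the audit record format (subject, action, path, argument) is an assumption.

```python
from typing import Callable, Dict, List, Optional, Tuple

OBJECT = "/usr/spool/mail/root"
ROOT = "root"
FS = Dict[str, Dict[str, object]]        # path -> {"owner": str, "setuid": bool}
Record = Tuple[str, str, str, object]   # assumed audit record: (subject, action, path, argument)

# State assertions S1..S4 of the mail-bug diagram, evaluated on the file-system model.
def s1(fs: FS, attacker: str) -> bool:   # initial state
    return OBJECT not in fs and attacker != ROOT

def s2(fs: FS, attacker: str) -> bool:
    return OBJECT in fs and fs[OBJECT]["owner"] == attacker and not fs[OBJECT]["setuid"]

def s3(fs: FS, attacker: str) -> bool:
    return OBJECT in fs and fs[OBJECT]["owner"] == attacker and bool(fs[OBJECT]["setuid"])

def s4(fs: FS, attacker: str) -> bool:   # compromised: setuid file no longer owned by the attacker
    return OBJECT in fs and fs[OBJECT]["owner"] != attacker and bool(fs[OBJECT]["setuid"])

# (assertion of the current state, signature action that leads to the next state)
SCENARIO: List[Tuple[Callable[[FS, str], bool], Optional[str]]] = [
    (s1, "create"), (s2, "mod_setuid"), (s3, "mod_ouid"), (s4, None)]

def apply_record(fs: FS, rec: Record) -> None:
    """Replay one audit record on the file-system model."""
    subject, action, path, arg = rec
    if action == "create":
        fs[path] = {"owner": subject, "setuid": False}
    elif action == "mod_setuid" and path in fs:
        fs[path]["setuid"] = bool(arg)
    elif action == "mod_ouid" and path in fs:
        fs[path]["owner"] = arg

def analyse(trail: List[Record]) -> Tuple[bool, int, int]:
    """Walk the trail through the scenario. Returns (compromised, number of transitions
    taken, index of the record that completed the scenario or len(trail))."""
    fs: FS = {}
    attacker: Optional[str] = None
    step = 0
    for i, rec in enumerate(trail):
        subject, action, path, _ = rec
        if step == 0 and action == SCENARIO[0][1] and path == OBJECT:
            attacker = subject              # bind the scenario variable 'attacker'
        pre = attacker is not None and SCENARIO[step][0](fs, attacker)
        apply_record(fs, rec)               # state assertion checked before, action applied after
        if (pre and subject == attacker and path == OBJECT
                and action == SCENARIO[step][1]
                and SCENARIO[step + 1][0](fs, attacker)):
            step += 1
            if SCENARIO[step][1] is None:   # reached the compromised state
                return True, step, i
    return False, step, len(trail)

# Constructed audit trail following the six commands of the mail bug (the touch of x included).
ATTACK_TRAIL: List[Record] = [("alice", "create", OBJECT, None), ("alice", "mod_setuid", OBJECT, True),
                              ("alice", "create", "/home/alice/x", None), ("alice", "mod_ouid", OBJECT, "root")]
```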
P-BEST (Misuse Detection – Expert Systems, continued)

Example of a pattern type declaration:
ptype[ event event_type:int,
       return_code:int,
       username:string,
       hostname:string ]

P-BEST:
• Expert systems provide mechanisms for processing facts regarding the state of a given environment and deriving local inferences from these facts
• A fact maps an event that is recorded and evaluated
• The process of fact evaluation is referred to as modus ponens, which states that given (p → q) ∧ p, q is deduced
• Systems iteratively applying modus ponens under a bottom-up reasoning strategy are referred to as forward-chaining systems
• Event records are asserted as facts and evaluated against penetration rule sets
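The Bad_Login rule shown earlier, as an added example (not the lecture's or P-BEST's own code): a small forward-chaining engine that asserts constructed login audit records as facts of the event ptype and fires the rule, modelling the [+bad_login| ...] assertion, the [-|e] retraction and the [!|printf] side effect; the integer codes standing for login and BAD_PASSWORD are assumed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed numeric codes for the int fields of the 'event' ptype: the slide's
# symbolic login / BAD_PASSWORD values are assumed to map to these integers.
LOGIN = 1
BAD_PASSWORD = 7

@dataclass
class Fact:
    ptype: str                     # "event" or "bad_login"
    fields: Dict[str, object]

@dataclass
class Rule:
    name: str
    ptype: str                                    # ptype matched by [+e:ptype| ...]
    cond: Callable[[Fact], bool]                  # field tests of the antecedent
    assert_fn: Callable[[Fact], Fact]             # the [+bad_login| ...] consequent
    message: Callable[[Fact], str]                # the [!|printf(...)] side effect
    retract: bool = True                          # the [-|e] consequent
    log: List[str] = field(default_factory=list)  # what printf would have written

def bad_login_rule() -> Rule:
    """rule[Bad_Login(#10;*): ...] from the slide; the (#10;*) header is not modelled."""
    return Rule(
        name="Bad_Login",
        ptype="event",
        cond=lambda e: (e.fields["event_type"] == LOGIN
                        and e.fields["return_code"] == BAD_PASSWORD),
        assert_fn=lambda e: Fact("bad_login", {"username": e.fields["username"],
                                               "hostname": e.fields["hostname"]}),
        message=lambda e: "Bad login for user %s from host %s"
                          % (e.fields["username"], e.fields["hostname"]),
    )

def forward_chain(facts: List[Fact], rules: List[Rule]) -> List[Fact]:
    """Apply modus ponens bottom-up until no rule fires any more."""
    base = list(facts)
    fired = True
    while fired:
        fired = False
        for rule in rules:
            for f in list(base):             # snapshot: base is mutated below
                if f.ptype == rule.ptype and rule.cond(f):
                    base.append(rule.assert_fn(f))
                    if rule.retract:
                        base.remove(f)       # the consumed event leaves the fact base
                    rule.log.append(rule.message(f))
                    fired = True
    return base

def detect_bad_logins(events: List[Tuple[int, int, str, str]]):
    """Assert constructed audit records (event_type, return_code, username, hostname)
    as 'event' facts; return the derived bad_login facts and the logged messages."""
    names = ("event_type", "return_code", "username", "hostname")
    facts = [Fact("event", dict(zip(names, ev))) for ev in events]
    rule = bad_login_rule()
    result = forward_chain(facts, [rule])
    return [f.fields for f in result if f.ptype == "bad_login"], rule.log
```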
Misuse Detection

Advantages:
• Small number of false positives
• Small performance overhead
• Clear definition of relevant audit events
Disadvantages:
• Not possible to detect new attacks
• Correctness of used patterns difficult to prove
• Scalability and performance depend on the number of patterns that have to be tested

Figure: tolerance scale between false positives and false negatives (reduced tolerance).

Anomaly Detection – Statistical Measures

The anomaly detector observes the activity of subjects and generates profiles
• System periodically generates a value indicative of the abnormality of audit records
• Value generation is done by measures defined in a profile:
  $a_1 S_1^2 + a_2 S_2^2 + \dots + a_n S_n^2, \quad a_i > 0$
1. Activity Intensity Measures
   Rate at which an activity is progressing, e.g. number of audit records processed for a user in interval t
2. Audit Record Distribution Measures
   Measure the distribution of all activity types in recent audit records, e.g. relative distribution of file accesses, I/O activity, etc. for a particular user
3. Categorical Measures
   Measure the distribution of a particular activity over categories, e.g. the relative frequency of logins from each physical location
4. Ordinal Measures
   Measure activity whose outcome is a numeric value, e.g. the amount of CPU and I/O used by a particular user
…
Anomaly Detection – Combining Anomaly Measures

• Let A1, A2, ..., An be n measures used to determine if an intrusion is occurring (I/O activity, number of page faults, etc.)
• Each measure Ai has two values, 1 implying that the measure is anomalous, 0 otherwise
• Let I be the hypothesis that the system is currently undergoing an intrusive attack
• Reliability and sensitivity of each anomaly measure Ai are determined by the numbers P(Ai=1|I) and P(Ai=1|¬I)
• Combined belief in I is:

  $P(I \mid A_1, A_2, \dots, A_n) = P(A_1, A_2, \dots, A_n \mid I) \times \frac{P(I)}{P(A_1, A_2, \dots, A_n)}$

• Combined belief requires the joint probability distribution of the set of measures conditioned on I and ¬I
• Simplification: assume that each measure Ai depends only on I and is independent of the other measures

  $P(A_1, A_2, \dots, A_n \mid I) = \prod_{i=1}^{n} P(A_i \mid I)$ and $P(A_1, A_2, \dots, A_n \mid \neg I) = \prod_{i=1}^{n} P(A_i \mid \neg I)$

  which leads to

  $\frac{P(I \mid A_1, A_2, \dots, A_n)}{P(\neg I \mid A_1, A_2, \dots, A_n)} = \frac{P(I)}{P(\neg I)} \times \frac{\prod_{i=1}^{n} P(A_i \mid I)}{\prod_{i=1}^{n} P(A_i \mid \neg I)}$

• The odds of an intrusion can be determined, given the values of the various anomaly measures, from the prior odds of the intrusion and the likelihood of each measure being anomalous in the presence of an intrusion
• More realistic estimate of P(I|A1, A2, ..., An) by taking the interdependence of the various measures Ai into account, e.g. by use of a covariance matrix
• If the measures Ai are represented by the vector A, then the compound anomaly measure is determined by:

  $A^T C^{-1} A$

  where C is the covariance matrix representing the dependence between each pair of anomaly measures Ai and Aj
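Added example (not from the lecture or IDES): the profile value a_1 S_1^2 + ... + a_n S_n^2 from the Statistical Measures slide and the odds formula above, with S_i taken as the standardised deviation of a measure from a mean/standard-deviation profile and A_i = 1 when |S_i| exceeds a tolerance; the profile, the weights a_i, the prior P(I) and the values P(A_i=1|I), P(A_i=1|¬I) are constructed, and the independence simplification is used rather than the covariance form.

```python
from typing import Dict, Tuple

# Constructed profile: mean and standard deviation of each measure learned from
# normal audit data (e.g. CPU seconds, I/O operations, logins per interval).
PROFILE: Dict[str, Tuple[float, float]] = {"cpu": (10.0, 2.0), "io": (200.0, 50.0), "logins": (3.0, 1.0)}
WEIGHTS = {"cpu": 1.0, "io": 1.0, "logins": 2.0}          # the a_i > 0
# Constructed reliability/sensitivity: (P(A_i=1 | I), P(A_i=1 | not I)) per measure.
LIKELIHOOD = {"cpu": (0.8, 0.1), "io": (0.6, 0.2), "logins": (0.9, 0.05)}
PRIOR_I = 0.01                                           # P(I)

def s_values(obs: Dict[str, float]) -> Dict[str, float]:
    """S_i: deviation of the observed measure from its profile, in standard deviations."""
    return {m: (obs[m] - mu) / sd for m, (mu, sd) in PROFILE.items()}

def abnormality(obs: Dict[str, float]) -> float:
    """Profile value a_1 S_1^2 + a_2 S_2^2 + ... + a_n S_n^2."""
    return sum(WEIGHTS[m] * s * s for m, s in s_values(obs).items())

def binarise(obs: Dict[str, float], tolerance: float = 3.0) -> Dict[str, int]:
    """A_i = 1 (anomalous) if |S_i| exceeds the tolerance, 0 otherwise."""
    return {m: int(abs(s) > tolerance) for m, s in s_values(obs).items()}

def intrusion_odds(a: Dict[str, int]) -> float:
    """P(I|A) / P(not I|A) = P(I)/P(not I) * prod_i P(A_i|I)/P(A_i|not I),
    under the assumption that the A_i are independent given I."""
    odds = PRIOR_I / (1.0 - PRIOR_I)
    for m, ai in a.items():
        p_given_i, p_given_not_i = LIKELIHOOD[m]
        if ai:
            odds *= p_given_i / p_given_not_i
        else:                                 # P(A_i=0 | .) = 1 - P(A_i=1 | .)
            odds *= (1.0 - p_given_i) / (1.0 - p_given_not_i)
    return odds

def posterior(obs: Dict[str, float]) -> float:
    """P(I | A_1, ..., A_n), recovered from the odds."""
    o = intrusion_odds(binarise(obs))
    return o / (1.0 + o)

# Constructed observations: one within the profile, one far outside it.
NORMAL = {"cpu": 11.0, "io": 210.0, "logins": 3.0}
ATTACK = {"cpu": 20.0, "io": 600.0, "logins": 10.0}
```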
Bayesian Networks:
• Use of Bayesian or other belief networks to combine anomaly measures
• Bayesian networks allow representation of causal dependencies between random variables and permit calculation of the joint probability distribution of the random variables by specifying only a small set of probabilities
• Boxes represent binary random variables with values representing either its normal or abnormal condition
• Observe values of some of the variables and calculate P(Intrusion|Evidence) with Bayesian network calculus
• Not trivial to determine the a-priori probability of the root node and the link matrices for each directed arc

Figure: example Bayesian network with the root node Intrusion and the nodes TooManyCPUIntensiveJobs, TooManyUsers, TooManyDiskIntensiveJobs, NewlyAvailableProgramOnTheNet, Thrashing and Fragmentation, feeding the observable measures DISK I/O, CPU and NET I/O.
Statistical Anomaly Detection

Advantages:
• No knowledge about possible attacks necessary
• Universal validity
• Use of well-known statistical methods
Disadvantages:
• High number of false positives
• Difficulty of defining the normal behavior and protecting it from the attacker
• Statistical properties of relevant parameters are probably difficult to detect (probability distribution, correlation, etc.)
• No consideration of the sequence of events in time

Anomaly Detection – Rule-based Approaches

Predictive Pattern Generation:
• Assumption: sequences of events are not random but follow a discernible pattern
• Usage of inductive time-based rules that characterize the normal behavior patterns of users
• Looks for patterns in sequences of events by implementing a Markov transition probability model
• Rules are modified dynamically and only rules with low entropy remain in the system
• If a sequence of events matches the head of a rule, then the next observed event is considered anomalous if it is not in the set of predicted events in the body of the rule
• Example (TIM): E1→E2→E3⇒(E4=95%, E5=5%)
  i.e. if the pattern of observed events is E1 followed by E2 followed by E3 then the probability of seeing E4 is 95% and that of E5 is 5%
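Added example (not TIM's implementation): rules of the form E1→E2→E3⇒(E4=p, E5=q) induced from a constructed event sequence, an entropy filter that keeps only low-entropy rules, and the anomaly check on a new sequence; the head length of three and the entropy threshold in bits are assumptions.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

HEAD = 3   # assumed: rule heads are three events long, as in the TIM example

def learn_rules(seq: List[str], max_entropy: float = 1.0) -> Dict[Tuple[str, ...], Dict[str, float]]:
    """Induce rules head -> {predicted event: probability} from a training sequence.
    Only rules whose prediction distribution has entropy <= max_entropy bits survive,
    mirroring 'only rules with low entropy remain in the system'."""
    counts: Dict[Tuple[str, ...], Counter] = defaultdict(Counter)
    for i in range(len(seq) - HEAD):
        counts[tuple(seq[i:i + HEAD])][seq[i + HEAD]] += 1
    rules: Dict[Tuple[str, ...], Dict[str, float]] = {}
    for head, nxt in counts.items():
        total = sum(nxt.values())
        dist = {e: c / total for e, c in nxt.items()}
        entropy = -sum(p * math.log2(p) for p in dist.values())
        if entropy <= max_entropy:
            rules[head] = dist          # the rule body: predicted events with probabilities
    return rules

def anomalies(seq: List[str], rules: Dict[Tuple[str, ...], Dict[str, float]]) -> List[int]:
    """Indices of events that follow a matching rule head but are not among the
    predicted events in the rule body."""
    flagged = []
    for i in range(len(seq) - HEAD):
        head = tuple(seq[i:i + HEAD])
        if head in rules and seq[i + HEAD] not in rules[head]:
            flagged.append(i + HEAD)
    return flagged

# Constructed training data: E1 E2 E3 is followed by E4 in 19 of 20 cases and by E5 once.
TRAIN = ["E1", "E2", "E3", "E4"] * 19 + ["E1", "E2", "E3", "E5"]
```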
Alternative Approaches

Model-based Intrusion Detection
• Combines models of misuse with evidential reasoning to support conclusions about the occurrence of a misuse
• Database of attack scenarios
• At any given moment the system is considering a subset of these attack scenarios as likely ones under which the system might currently be under attack
• Seek information in the audit trail to substantiate or refute an attack scenario (the anticipator)
• The anticipator generates the next behavior to be verified and passes it to the planner
• The planner determines how the hypothesized behavior will show up in the audit data and translates it into a system-dependent audit trail match
• Mapping from behavior to activity must have a high likelihood of appearing in the behavior, i.e. the following value has to be high:

  $\frac{P(\text{Activity} \mid \text{Behavior})}{P(\text{Activity} \mid \neg\text{Behavior})}$

• Evidence for some scenarios accumulates and drops for other scenarios
Specification-based Anomaly Detection – C. Ko

Behavior is specified
• Definition of expected process behavior
• Definition based on parallel environment grammars (PEGs)
• PEGs allow the description of the parallel execution of processes
• Basic elements of a PEG:
  Environment variables
  Protovariables
  Terminals
  Initial environment assignments
  Hyperrules
  Parallel start expression

Example grammar:
/* Environment Variables */
1. Int E=0;
/* Start Expression */
2. <progA> || <progB>
/* Hyperrules */
3. <progA> -> <writeA, E>.
4. <writeA, 0> -> <openA><closeA>{E=E-1;}.
5. <openA> -> open_A {E=E+1;}.
6. <closeA> -> close_A.
7. <progB> -> <writeB, E>.
8. <writeB, 0> -> <openB><closeB>{E=E-1;}.
9. <openB> -> open_B {E=E+1;}.
10. <closeB> -> close_B.

Advantages:
• Formal process description
• Operational security policy
Disadvantages:
• No universal validity, restricted to OS
• Complicated specification

Transaction-based Anomaly Detection

Network protocols and processes can be specified by finite state machines:

A finite state machine (FSM) A is defined by a quintuple A=(Q, Σ, q0, δ, F) with
• Q: finite set of states
• Σ: finite input alphabet
• q0 ∈ Q: initial state
• δ: transition function δ: Q × Σ → Q
• F ⊆ Q: set of final states
A finite state machine accepts a language L(A) ⊆ Σ*, which is defined by
L(A) = {x ∈ Σ* | δ*(q0,x) ∈ F}
δ* is the extension of the transition function from single input symbols to words
Now: use FSMs to model transactions
Transaction-based Anomaly Detection

Transactions can be characterized by the ACID properties:
• Atomicity: all operations of a transaction must be completed, i.e. a transaction is treated as a single, indivisible unit
• Consistency: a transaction takes the system from one consistent state to another
• Isolation: each transaction must be performed without interference with other transactions
• Durability: after a transaction has successfully been completed, all its results are saved in permanent storage

Detect attacks by violation of ACID properties:

Violation     Protocol / Layer   Attack
Atomicity     TCP                SYN Flood
              TCP                SYN Scan
              Process            Deadlock
              ICMP               Ping of Death
Consistency   ICMP               Ping of Death
              TCP                FIN Scan
              TCP                SYN/ACK Scan
              TCP                SYN/FIN Scan
              TCP                RST Scan
              TCP                Xmas Tree Scan
              UDP                UDP Scan
              Application        FTP Bounce Attack
              Process            Buffer Overflow
Isolation     Process            Race Condition

Transaction-based anomaly detection:
• Description of positive behavior by definition of admissible transactions through FSMs
• Monitor security domain regarding potential violations of transaction properties (ACID)
• Report detected anomalies for further classification based on simple misuse detection (ECA rules)
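Added example (not from the lecture): the admissible TCP connection set-up as an FSM A=(Q, Σ, q0, δ, F) in the sense defined above, with each connection treated as one transaction. A transaction whose word is never accepted did not complete, which is an atomicity violation; many such half-open transactions at once are the symptom of the SYN flood from Step 3. The state and symbol names and the segment trace are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# A = (Q, Sigma, q0, delta, F) for the server side of TCP connection set-up.
# State and symbol names are constructed for this example.
Q = {"CLOSED", "SYN_RCVD", "ESTABLISHED", "RESET"}
SIGMA = {"SYN", "SYN/ACK", "ACK", "RST"}
Q0 = "CLOSED"
F = {"ESTABLISHED", "RESET"}            # completed or cleanly aborted transactions
DELTA: Dict[Tuple[str, str], str] = {
    ("CLOSED", "SYN"): "SYN_RCVD",
    ("SYN_RCVD", "SYN/ACK"): "SYN_RCVD",   # server's reply; connection is still half-open
    ("SYN_RCVD", "ACK"): "ESTABLISHED",    # third segment of the handshake
    ("SYN_RCVD", "RST"): "RESET",
}
TRAP = "TRAP"                           # sink for undefined transitions

def delta_star(q: str, word: List[str]) -> str:
    """delta*: extension of delta from single input symbols to words."""
    for sym in word:
        if sym not in SIGMA:
            raise ValueError("symbol %r not in the input alphabet" % sym)
        q = DELTA.get((q, sym), TRAP)
        if q == TRAP:
            break
    return q

def accepts(word: List[str]) -> bool:
    """x in L(A)  <=>  delta*(q0, x) in F."""
    return delta_star(Q0, word) in F

def atomicity_violations(trace: List[Tuple[str, str]], limit: int) -> Tuple[List[str], bool]:
    """Group segments (connection id, flags) into one transaction per connection.
    A transaction whose word is not accepted never completed: an atomicity violation.
    Returns the violating connections and whether their number exceeds `limit`,
    the SYN-flood symptom of many half-open connections at once."""
    per_conn: Dict[str, List[str]] = defaultdict(list)
    for conn, flags in trace:
        per_conn[conn].append(flags)
    violators = sorted(c for c, word in per_conn.items() if not accepts(word))
    return violators, len(violators) > limit

# Constructed segment trace: c1 completes, c2 is reset, c3..c6 stay half-open.
TRACE = [("c1", "SYN"), ("c1", "SYN/ACK"), ("c1", "ACK"),
         ("c2", "SYN"), ("c2", "SYN/ACK"), ("c2", "RST"),
         ("c3", "SYN"), ("c3", "SYN/ACK"), ("c4", "SYN"), ("c4", "SYN/ACK"),
         ("c5", "SYN"), ("c6", "SYN"), ("c6", "SYN/ACK")]

if __name__ == "__main__":
    print(atomicity_violations(TRACE, limit=3))   # (['c3', 'c4', 'c5', 'c6'], True)
```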
Conclusion

For networks, a lot of different security concepts exist:
1. Guarantee confidentiality, authentication, and integrity of data exchanged between communication partners
   • On the network layer by IPSec
   • On the transport layer by SSL/TLS
   • On the application layer by security enhancements tailored to certain applications, e.g. PGP, PEM, S/MIME
   • Make life easier by introducing e.g. central authentication services, like Kerberos
   • To apply security concepts, trusted third parties are necessary, e.g. KDCs
2. Guarantee inaccessibility of your Intranet
   • Firewalls to control incoming and outgoing traffic, and block unwanted traffic
   • Intrusion Detection to detect attacks on your Intranet
3. … and maybe much more not presented in this lecture