Intrusion Detection Definitions




By: amit244 (137 month(s) ago)

gud 2 hav a ppt on this topic

Presentation Transcript


'The advanced exploration of computer systems is commonly referred to as hacking.' -- from ‘Hackers: a Canadian police perspective Part I’ Reference:  

Security Attacks/Threats: 

These are actions that compromise the security of information owned or transferred by an entity. Attacks can be one of 4 forms:
- Interruption
- Interception
- Modification
- Fabrication

Type Of Attacks/Threats: 

[Figure: information flow between an information source and a destination: (a) Normal Flow, (b) Interruption, (c) Modification, (d) Fabrication, (e) Interception]

Active and Passive Attacks: 


Active Attacks: 

A passive attack can only observe communications or data.
Example: interception (also called eavesdropping or passive wiretapping).

An active attack can actively modify communications or data.
- Often difficult to perform, but very powerful
- Mail forgery/modification
- TCP session hijacking / IP spoofing
Examples: interruption, modification (also called active wiretapping), fabrication.

Types of active attacks: masquerade, replay, modification and denial of service.

Types of Intruders: 

Intrusion by a:
- Masquerader: one who is not authorized to use a computer system, but who penetrates and uses a legitimate user’s account.
- Misfeasor: a legitimate user who accesses data, programs or resources for which he is not authorized; or a legitimate user who misuses his access privileges.
- Clandestine user: one who seizes supervisory control and uses it to evade access and audit controls or to suppress the audit trail.

A masquerader is an outsider, a misfeasor is an insider, and the clandestine user can be either an insider or an outsider.

Why do they attack?: 

The attacker may attack
- taking it as an intellectual challenge
- to have thrills by seeing reports of his exploits in public media.

But a large majority of attacks are by foot-soldiers, called script kiddies, who use attacks discovered, designed and implemented by someone else. The script kiddies simply download the script and launch the attack, without understanding anything.

Or
- they may be indulging in espionage for financial gain.

Survey: Type of attacks: 

FBI/CSI Survey of 2002:
- 80% of respondents acknowledged financial loss due to intrusion
- Only 34% reported the intrusions to police
- 74% found misfeasors
- 40% detected DoS attacks

Reference: Annual FBI/Computer Security Institute Survey:

Hacker’s METHODS : 

Port scan to find, for the target,
- which ports/services are running
- the O/S

nmap
- scans all the ports
- guesses the operating system
(Please refer to the paper by Fyodor to understand the methods used. These methods depend upon the special features that each OS has.)

Reference:
1. Fyodor, ‘Remote OS detection via TCP/IP Stack FingerPrinting’, June 2002, available at
2. Stephen Northcutt and Judy Novak, ‘Network Intrusion Detection: An Analyst’s Handbook’, pp 81-85

Hacker’s Methods cont.: 

2. Toolkits provided by manufacturers to make products compatible with their products. These may be used to discover the vulnerabilities of the product.

3. Wireless nets:
- ‘AirMagnet’ from AirMagnet Inc.
- ‘Observer’ from Network Instruments
- ‘Wireless Security Analyzer’ from IBM
can check whether a wireless network can be accessed by outsiders.

( contains a list of access points, by city, that can be accessed by anyone. In 2002 Chris O’Ferrel, a security consultant, was able to connect to the Pentagon wireless net from outside the building.)

Impersonation Methods: 

Guess the ID and password of an authorized user:
- by guessing passwords
- by using default passwords given with a system by its manufacturer (many administrators fail to disable the defaults). Example: SNMP uses a ‘community string’ as a password for the community of devices that can interact with one another. Many administrators forget to change the default ‘community string’ installed on a (new) router/switch.
- by overflow: in some ill-designed systems, authentication may be foiled by ‘overflow’ of the password (if the password overflows, the system may assume authentication)

Impersonation Methods continued: 

- by non-existent authentication. In Unix, the file
  - rhosts lists the trusted hosts
  - rlogin lists trusted users, who can access without authentication

A user may log in to one system as a guest, to access public information, and through this host he may connect to a trusted host.

Impersonation: A few Definitions: 

Impersonation vs. spoofing:
- Impersonation (mis)represents an authorized entity during communication on a net.
- Spoofing: a hacker spoofs when he falsely carries on one side of the exchange between two parties.

Masquerade of a site, an example: Thus bank may be the official site. A hacker registers and asks clients to visit the site. Thus passwords and PIN numbers may be collected for misuse.

Impersonation: A few Definitions cont. : 

Session hijacking, an example: A customer may select books on When it comes to taking the order and making the payment, may hijack the session.

Man-in-the-middle attack vs. session hijacking: man-in-the-middle is wire-tapping actively from the beginning, whereas a session hijacker takes over after part of the session is over.

Examples of Attacks: 

- Buffer Overflow
- Dot-Dot and constrained environment
- 'Server-side include' problem
- Incomplete Mediation
- Time-of-check to Time-of-use
- DoS and DDoS
- Misuse of Active Code

Buffer Overflow: 

All programming languages set aside a specific area in memory for every variable. For example, char addr[10]; sets aside 10 bytes for the array. If someone gives addr an input that is larger, it may overflow into some other area. This area may have been allocated to:
- User data
- User’s program code
- System data
- System program code

Buffer Overflow cont.: 

Overwriting user data: may affect the program result, but will not affect any other program.

Overwriting the user’s program:
- If an instruction that has already been executed (and is not to be executed again) is overwritten -> no effect.
- Otherwise, if the character that has been overwritten is not a valid instruction, the system halts (illegal instruction exception).
- Otherwise the user program gives wrong output.

Overwriting system data/program: results similar to the ones for user data/program. But it may affect all the users, since system data and programs are used by every user on the machine.
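The "overwriting user data" case above, as an added example that is not part of the original slides. The struct layout, the field name `date` and the function names are assumptions made for the demonstration; the unchecked copy is modelled as a byte copy inside one 16-byte record so that the effect is reproducible.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: the slide's 10-byte array with another variable
 * placed directly after it, as neighbouring user data would be. */
struct record {
    char addr[10];
    char date[6];
};

/* Unchecked copy. It is modelled as a byte copy over the whole record,
 * capped at sizeof(struct record), so the demonstration stays inside
 * one object while still showing what spills out of addr.
 * Returns the number of bytes written past the end of addr. */
size_t copy_unchecked(struct record *r, const char *input)
{
    size_t n = strlen(input) + 1;            /* include the terminator */
    if (n > sizeof *r)
        n = sizeof *r;
    memcpy((unsigned char *)r, input, n);
    ((unsigned char *)r)[sizeof *r - 1] = '\0';
    return n > sizeof r->addr ? n - sizeof r->addr : 0;
}

/* Checked copy: input that does not fit in addr, terminator included,
 * is rejected and nothing is written. Returns 0 on success, -1 if rejected. */
int copy_checked(struct record *r, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof r->addr)
        return -1;
    memcpy(r->addr, input, n + 1);
    return 0;
}

int main(void)
{
    const char *too_long = "0123456789XXXX";  /* constructed 14-character input */

    struct record r = { "", "Mar20" };
    size_t spilled = copy_unchecked(&r, too_long);
    printf("unchecked: %zu bytes spilled, date is now \"%s\"\n", spilled, r.date);

    struct record s = { "", "Mar20" };
    int rc = copy_checked(&s, too_long);
    printf("checked:   rc=%d, date is still \"%s\"\n", rc, s.date);
    return 0;
}
```
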

Buffer Overflow: Usual Buffer Overflow Attacks: 

The attacker may use data input that is placed close to system code. Thus he may be able to get into the O.S., which has the highest privileges. He may use the stack pointer to return to a part of the hacker's code, which may have been placed earlier.

Passing parameters through a URL: Consider &parm1=(519)253-3000&parm2=2003Mar20 If, instead of parm1 and parm2, a 500 or 100 digit value is introduced, it could cause a problem in the web system.

Reference: IIS 4.0 remote overflow exploit.

Buffer Overflow: An Example: U.S. Army Web Server Attacked: 

Buffer overflow attack: a Web server was attacked using a URL that was 4KB in length. (Reference: eWeek, March 18, 2003)

The machine was compromised. It began mapping the network around it, looking for other vulnerable machines. It then started sending the results of its mapping to a remote machine through TCP port 3389 using terminal services.

Dot-Dot and constrained environment: 

To prevent an attack, external users who approach through the Internet may be put in a constrained environment.

A constrained environment: one where a user is allowed to use only specified and limited system resources. Accordingly, the server may begin processing a user’s program in a particular directory sub-tree which contains everything the server needs.

Dot-Dot and constrained environment (cont..): 

But both in Unix and Windows, .. is the directory indicator for the predecessor. Cerberus discovered the following fault in MS Index Server. By passing the following URL to the web server:

http://url/null.htw?CiWebHitsFile=/../../../../../winnt/system32/autoexec.nt

a user is able to get the autoexec.bat file of the server. Now the hacker may modify it!

Dot-Dot and constrained environment (cont..): 

Solution: the web server should have no editors, telnet programs or any utilities. But the code and data for web applications will then have to be transferred manually to the server, or may have to be pushed as a raw image. The webmaster may not like it.
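A complementary check on the server side, as an added example that is not part of the original slides: resolve the requested path against the served sub-tree and refuse any request whose .. components climb above it. The function name `confine_path` is hypothetical, and the request is assumed to have been percent-decoded already.

```c
#include <stdio.h>
#include <string.h>

/* Lexically resolve a requested path against the served sub-tree.
 * On success returns 0 and writes the cleaned path, relative to the root
 * of the sub-tree, into out. Returns -1 if a ".." component would climb
 * above that root or if the result does not fit in out. */
int confine_path(const char *req, char *out, size_t outsz)
{
    size_t len = 0;                       /* bytes used in out */
    const char *p = req;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (*p) {
        while (*p == '/' || *p == '\\')   /* both separators, Unix and Windows */
            p++;
        size_t n = strcspn(p, "/\\");     /* length of the next component */
        if (n == 0)
            break;
        if (n == 1 && p[0] == '.') {
            /* "." is the current directory: nothing to do */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == 0)
                return -1;                /* would leave the sub-tree */
            while (len > 0 && out[len - 1] != '/')
                len--;                    /* drop the last component */
            if (len > 0)
                len--;                    /* and the separator before it */
            out[len] = '\0';
        } else {
            if (len + n + 2 > outsz)      /* separator + component + NUL */
                return -1;
            if (len > 0)
                out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
            out[len] = '\0';
        }
        p += n;
    }
    return 0;
}

int main(void)
{
    /* Constructed requests; the second is the traversal string from the slide. */
    const char *reqs[] = { "docs/./a/../index.html",
                           "/../../../../../winnt/system32/autoexec.nt" };
    char clean[256];
    for (size_t i = 0; i < 2; i++) {
        if (confine_path(reqs[i], clean, sizeof clean) == 0)
            printf("serve  %s\n", clean);
        else
            printf("reject %s\n", reqs[i]);
    }
    return 0;
}
```

The check is purely lexical: symbolic links inside the sub-tree still need to be resolved by the operating system before the file is opened.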

“Server-side include” problem: 

Example: the ‘contact us’ part of web pages includes commands which are supposed to be given by the server. Hence such commands may be accepted by the system without any scrutiny. These commands may be placed in HTML. A hacker may use this facility to modify the command to ‘telnet’ to gain access rights which he should not have.


'Good judgment is the result of experience – and experience is the result of poor judgment.'

Examples of Attacks Slide 15 again : 

- Buffer Overflow
- Dot-Dot and constrained environment
- 'Server-side include' problem
- Incomplete Mediation
- Time-of-check to Time-of-use
- DoS and DDoS
- Misuse of Active Code

Incomplete Mediation: 

Accepting data from a user in a web form: the system could put in checks for valid data to screen out erroneous data. However, after taking the values from the user, the program generates the URL line based on the validated data. But the hacker can edit the URL generated by the program and resend it. The web server cannot differentiate between an edited URL and a system-generated URL. Such a system is said to have incomplete mediation.

Application code Errors: Example of wrong code: 

Assume that a client selects book1 from page4 of the web-site of and then moves to another page. Assume that the book cost $69. The webserver may pass the following string to the client:

;isbn1 = 0849308887&p1=6900

Then the client selects book 2 from page 7. It costs $129. The webserver passes to the client:

;isbn1 = 0849308887&p1=6900&isbn2=3540002235&p2 = 12900

Application code Errors: Example of wrong code (cont…): 

The malicious client may change the string to 1900 for both p1 and p2, before clicking ‘order’. He may get both the books at $38 only.
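One way to close this gap, as an added example that is not part of the original slides: the server prices the order from its own catalogue and treats the p1/p2 values in the URL as untrusted. The catalogue table, the function names and the query string without spaces are assumptions; the ISBNs and prices are the ones on the slide.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct book { const char *isbn; long cents; };

/* Server-side price list; the two entries are the ISBNs and prices from the slide. */
static const struct book CATALOGUE[] = {
    { "0849308887",  6900 },
    { "3540002235", 12900 },
};

/* Price of one ISBN (given as pointer + length), or -1 if it is not on file. */
static long lookup_cents(const char *isbn, size_t n)
{
    for (size_t i = 0; i < sizeof CATALOGUE / sizeof CATALOGUE[0]; i++)
        if (strlen(CATALOGUE[i].isbn) == n && memcmp(CATALOGUE[i].isbn, isbn, n) == 0)
            return CATALOGUE[i].cents;
    return -1;
}

/* Price an order from its query string. The return value is the total in
 * cents taken from CATALOGUE, or -1 for an unknown ISBN. The pN values the
 * client sent are only summed into *claimed so the caller can log a
 * mismatch; they never influence the amount charged. */
long price_order(const char *query, long *claimed)
{
    long total = 0;
    *claimed = 0;
    for (const char *p = query; *p; ) {
        size_t pair = strcspn(p, "&");               /* length of key=value */
        const char *eq = memchr(p, '=', pair);
        if (eq != NULL) {
            size_t klen = (size_t)(eq - p);
            size_t vlen = pair - klen - 1;
            if (klen > 4 && memcmp(p, "isbn", 4) == 0) {
                long cents = lookup_cents(eq + 1, vlen);
                if (cents < 0)
                    return -1;
                total += cents;
            } else if (klen >= 2 && p[0] == 'p' && p[1] >= '0' && p[1] <= '9') {
                *claimed += strtol(eq + 1, NULL, 10);
            }
        }
        p += pair;
        if (*p == '&')
            p++;
    }
    return total;
}

int main(void)
{
    /* Constructed request: the slide's order with both prices edited to 1900. */
    const char *edited = "isbn1=0849308887&p1=1900&isbn2=3540002235&p2=1900";
    long claimed;
    long total = price_order(edited, &claimed);
    printf("charge %ld cents; client claimed %ld%s\n", total, claimed,
           total != claimed ? " (edited URL, log it)" : "");
    return 0;
}
```
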

Time-of-check to Time-of use (TOCT TOU): 

Every OS has access control. A file may be presented with a valid user, who can be authenticated, and a valid job to be done. While the OS is checking for authentication, the file remains in the user's area. So the user may modify the file, with malicious commands. The OS comes back after checking authentication and allows the file to be processed. And the malicious commands may be executed!
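The window described above, simulated deterministically, as an added example that is not part of the original slides. The `struct job`, the allowed command and the `between` callback (which stands in for the user changing the file while the check is in progress) are all assumptions; the corrected version copies the request into storage the user cannot reach before checking it.

```c
#include <stdio.h>
#include <string.h>

struct job { char command[32]; };          /* lives in the user's area */

/* Stand-in for whatever the user does while the check is in progress. */
typedef void (*race_fn)(struct job *);

static int allowed(const char *cmd)
{
    return strcmp(cmd, "print report") == 0;   /* constructed policy */
}

/* Flawed: the check and the use both read the user's own copy, so a
 * change made between them is executed without ever being checked.
 * Returns 0 and writes the command that ran into executed, or -1. */
int run_by_reference(struct job *user_job, race_fn between,
                     char *executed, size_t n)
{
    if (!allowed(user_job->command))            /* time of check */
        return -1;
    if (between)
        between(user_job);                      /* the window */
    snprintf(executed, n, "%s", user_job->command);   /* time of use */
    return 0;
}

/* Corrected: copy the request out of the user's area first, then check
 * and use only that copy. Later changes to the original have no effect. */
int run_snapshot(struct job *user_job, race_fn between,
                 char *executed, size_t n)
{
    struct job own = *user_job;
    own.command[sizeof own.command - 1] = '\0';
    if (!allowed(own.command))
        return -1;
    if (between)
        between(user_job);
    snprintf(executed, n, "%s", own.command);
    return 0;
}

/* Constructed race: replace the approved command after the check. */
static void swap_command(struct job *j)
{
    snprintf(j->command, sizeof j->command, "%s", "delete all files");
}

int main(void)
{
    char ran[32];
    struct job a = { "print report" };
    struct job b = { "print report" };

    run_by_reference(&a, swap_command, ran, sizeof ran);
    printf("by reference: ran \"%s\"\n", ran);
    run_snapshot(&b, swap_command, ran, sizeof ran);
    printf("snapshot:     ran \"%s\"\n", ran);
    return 0;
}
```
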

Denial of Service Attacks: 

ECHO CHARGEN: chargen is a protocol that generates a stream of echo packets. (Refer to ICMP.) If a hacker continuously generates such packets for a server, the server would be busy continuously responding to these packets.

Ping of Death: an attacker on a wide-bandwidth net can overwhelm a victim machine on a smaller-bandwidth net by sending a large number of ping messages.

SMURF: spoofs a message (which would generate an ICMP error message) as if it is coming from the victim. The spoofer broadcasts it on a large net. All hosts on the net respond to the victim.


SYN Flood: the SYN_RECV queue is usually designed to have only 10-20 entries, and the usual time-out for deleting an entry is many minutes. So a SYN packet every few seconds can keep the host from accepting a new connection. To avoid detection, every new SYN packet is spoofed from a new IP address. (The ICMP destination unreachable message, sent by the host of the spoofed address back to the victim, goes to the ICMP module of the victim and not to the TCP module of the victim.)


DDoS (Distributed Denial of Service) attack: uses Trojan horses, sent through an exe file through e-mail or by buffer overflow, to a large number of machines. All the machines are triggered at the same time to jointly attack the victim. Example: Tribe Flood Network of 1999.


[Figure: DDoS. Attacker, four machines labelled T, Victim]

DDOS (cont…): 

The attacker plants a Trojan horse on a large number of machines. He then triggers the attack on the victim from all these machines (now called zombies).

CERT has advised that a single tool is now available which does the following:
- Identifies the zombies
- Installs the Trojan horse in the zombies
- Activates the zombies to wait for a trigger signal

Reference: Kevin J. Houle and George M. Weaver, 'CERT Coordination Center Trends in Denial of Service Attack Technology', October 2001, at

Active or Mobile Code: 

Definition: Active or mobile code is code sent by a server to a client for execution on the client machine.

The objective of having the facility of active or mobile code:
- The server is not overloaded.
- The under-loaded workstation may be used for processing.
- Bandwidth use is reduced.

Disadvantage: without the knowledge or permission of the owner of the client machine, a remote machine causes a program to be executed on the client machine.

Examples of Active Code, that can be misused: 1. Cookies: 

Definition: cookies are data files caused to be stored on the client machine by the web server. They hold information
- about the client
- kept on the client machine, but encrypted by a key known only to the web server.

A cookie may be
- a per-session cookie, or
- a persistent cookie.

Examples of Active Code, that can be misused: 2. Executing Scripts on Server: 

The web server cannot differentiate between
- commands legitimately generated by the browser, as the client fills up a web page, and
- a hand-crafted set of commands generated by a malicious user.

Examples of Active Code, that can be misused: 3. Escape Character attack on Server: 

CGI (Common Gateway Interface) is commonly used on web servers for scripting. It uses
- %nn to represent ASCII special characters
- %0a to instruct the interpreter to accept the characters after %0a as a new command.

Escape Character attack on Server ……continued: 

The following command requests a copy of the password file:

Another example: a CGI script of the form

<!-#action arg1=value arg2=value…..>

is followed by a command. If someone gives the following string immediately after the above,

<!-# exec cmd = 'rm *' >

it would delete all the files in the current directory of the web server.

Escape Character attack on Server ……continued: 

MS uses ASP for scripting. These pages instruct the browser on
- how to display files,
- how to maintain context, and
- how to interact with the server.

These pages can be seen at the browser, and any weaknesses in the ASP code may be exploited by a malicious user.

Active Code: Comments: 

Java Script:
- Java 1.1 sandbox: very restrictive.
- Java 1.2 opened the sandbox to permit stored disk files and executable procedures. This makes v1.2 more convenient to use, at the cost of an increase in security vulnerability.
- Java 1.4: supposed to correct these problems??

Active X: using it, objects of arbitrary type can be downloaded to a client. The object may lead to an automatic download of the handler required for a file type.

Active Code: Comments Active X : 

MS uses authentication certificates which certify the origin’s validity. But proof of origin does not mean safety of code.

Auto-exec by file type: besides the file’s extension, a file also contains its type information inside the file. So even if a file does not have an extension, it may be opened automatically if one clicks on it.

Active Code: Comments Java vs. Active X: 

- With Java, you can put only partial trust in a program, while ActiveX requires either full trust or no trust at all.
- A Java-enabled browser could keep a record of which dangerous operations are carried out by each trusted program, so it would be easier to reconstruct what happened if anything went wrong.
- Java offers better protection against accidental damage caused by buggy programs.

Reference: activex.html SIP: Secure Internet Programming

Procedures for secure active code: 

1. The system must control applets’ access to sensitive system resources, such as:
- File system
- Processor
- Network
- User’s Delay
- Internal State Variables

Procedures for secure active code: continued: 

2. The language must protect memory by preventing forged memory pointers and array (buffer) overflows.

3. The system must prevent object reuse by clearing memory contents for new objects.

Procedures for secure active code: continued: 

The system must perform garbage collection to reclaim memory no longer in use.

4. The system must control inter-applet communication, as well as an applet’s effects on the environment outside the Java system through system calls.

Reference: Dean, D.; Felten, E.W.; Wallach, D.S., ‘Java security: from HotJava to Netscape and beyond’, Proceedings of IEEE Symposium on Security and Privacy, 1996, pp 190-200

A Networked System: More Vulnerable?: 

- The attacker can be anonymous, safe behind an electronic shield, at a great distance, and can make his system hide behind a chain of other hosts.
- A large network has many points from which an attack may be mounted, and many targets.
- Sharing: networks permit a number of users to share the services -> a larger number of attacker entities (users/systems).

A Networked System: More Vulnerable? cont.: 

- Complexity of a system: each operating system is complex. A network operating system, which may deal with multiple operating systems, is even more complex. Even desktops have become powerful, so the user may not even know fully what his system is doing.
- Ill-defined perimeter: networks are interconnected in a variety of ways.
- Multiple paths may exist between two legitimate communicators; hosts/networks in each path may have different security policies.

Reference: Pfleeger and Pfleeger, ‘Security in Computing’, Prentice Hall, 3rd Ed., 2003, pp 387-389

Security Services: 

Confidentiality: protection of the message from disclosure to unauthorized persons. In addition, the secrecy of the identity of the sender may also be required. Confidentiality may be compromised by
- misdelivery,
- exposure in some part of the network,
- traffic flow analysis.

Integrity: maintaining data consistency; the message may not be altered during transmission.

Authentication: verifying a principal’s claimed identity. A principal is
- a user logged on a remote system, or
- a local user logged on the server, or
- the server itself.

Security Services: Authentication continued : 

Authentication: a two-step process:
- User name
- Password (check:
  - something you know (common)
  - something you have
  - something you are
  - what you do (e.g. key-stroke patterns)
  - where you are)

Security Services (continued ): 

Distributed authentication of users, processes, servers and services is even more difficult. Thus NT 4.0 had the concept of a single Primary Domain Controller. Windows 2000 has a multi-master system. It makes the system more robust, but more vulnerable.

Non-repudiation: the originator of communications can’t deny it later. Digital signatures are used to relate an entity to information.

Security Services (continued ): 

- Availability: legitimate users have access when they need it
- Access control: unauthorized users are kept out
- Receipt: acknowledgement for received information
- Certificate: endorsement of information by a trusted party
- Anonymity: hiding the identity of an entity

Security Services (continued ): 

- Most Internet security problems are access control or authentication ones.
- Denial of service is also popular, but mostly an annoyance.
- Security services are often combined:
  - User authentication used for access control purposes
  - Non-repudiation combined with authentication

CERT Coordination Center (CERT/CC): 

CERT/CC: a part of the Software Engineering Institute (SEI) Networked Systems Survivability Program, Carnegie Mellon University, Pittsburgh, Pennsylvania.

History:
- 2nd November 1988: Morris worm incident, 1988, which brought 10 percent of Internet systems to a halt. The Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents.
- 17th November 1988: Computer Emergency Response Team was set up.
- Today: CERT/CC is a center of Internet security expertise.
