Intruders
//Modified by Prof. M. Singhal//
Henric Johnson
Blekinge Institute of Technology, Sweden http://www.its.bth.se/staff/hjo/ henric.johnson@bth.se
Henric Johnson 1
Outline
Intruders
Intrusion Techniques
Password Protection
Password Selection Strategies
Intrusion Detection
Intruders
Three classes of intruders (hackers or crackers): Masquerader, Misfeasor, and Clandestine user.
Masquerader
>An unauthorized user who penetrates a computer system's access control and gains access to user accounts.
Intruders
Misfeasor
>A legitimate user who accesses resources he is not authorized to access.
>Or one who is authorized such access but misuses his privileges.
Clandestine user
>A user who seizes supervisory control of the system and uses it to evade auditing and access control.
Intrusion Techniques
Objective: An intruder wants to gain access to a system.
>>Access is generally protected by passwords.
The system maintains a file that associates a password with each authorized user. The password file can be protected with:
>One-way encryption
>Access control
Intrusion Techniques
One-way encryption
>A system stores passwords only in encrypted form.
>One-way transformation //not invertible.//
Access control
>Access to the password file is limited to very few people.
Intrusion Techniques
Techniques for guessing passwords:
>Try default passwords (used with standard accounts that are shipped with systems).
>Try all short words, 1 to 3 characters long.
>Try all the words in an electronic dictionary (60,000).
>Collect information about the user's hobbies, family names, birthday, etc.
Intrusion Techniques
Techniques for guessing passwords...
>Try the user's phone number, social security number, street address, etc.
>Try all license plate numbers (MUP103).
>Use a Trojan horse (to bypass restrictions on access).
>Tap the line between a remote user and the host system.
Prevention: Enforce good password selection (Ij4Gf4Se%f#)
Salt
The salt serves three purposes:
1. Prevents duplicate passwords from being visible in the password file. //even if two users choose the same password, their ciphertexts will differ//
2. Effectively increases the length of the password (by two chars). //makes password guessing difficult//
3. Prevents the use of hardware implementations of DES.
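The first two purposes of the salt, as an added example that is not part of the slides: the slides describe the DES-based UNIX crypt with a two-character salt, and this code assumes PBKDF2-HMAC-SHA256 from the Python standard library in place of DES, with a 16-byte random salt; the function names are this example's own.

```python
import hashlib
import hmac
import os

# Added example, not from the slides: salted one-way password storage.
# The slides describe the classic UNIX scheme (DES-based crypt with a 12-bit,
# two-character salt). PBKDF2-HMAC-SHA256 from the standard library stands in
# for DES here (an assumption); the salt plays exactly the role the slide lists.
ITERATIONS = 100_000

def make_entry(password, salt=None):
    """Return (salt, digest) for the password file; a fresh random salt unless given."""
    if salt is None:
        salt = os.urandom(16)  # 128 bits, far more than the 12 bits of crypt(3)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, stored):
    """Recompute the one-way transform with the stored salt; compare in constant time."""
    _, digest = make_entry(password, salt)
    return hmac.compare_digest(digest, stored)

def same_password_same_ciphertext(password):
    """Purpose 1: two users who choose the same password get different entries."""
    _, h1 = make_entry(password)
    _, h2 = make_entry(password)
    return h1 == h2  # False: the salts differ, so the stored ciphertexts differ

if __name__ == "__main__":
    salt, stored = make_entry("firefly")
    print("entry:", salt.hex(), stored.hex())
    print("verify correct/wrong:", verify("firefly", salt, stored),
          verify("fireflies", salt, stored))
    # Purpose 2: a guess must be rehashed once per salt, so a single
    # precomputed table of hashed dictionary words no longer serves every entry.
    print("same ciphertext for same password:", same_password_same_ciphertext("firefly"))
```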
Markov Model
Main problem: Building the transition matrix. The Markov chain should reflect the structure of words in the dictionary. All strings generated by the MC denote bad passwords. A dictionary of guessable words is created. The transition matrix is computed as follows:
Transition Matrix
1. Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth characters. Example: the password firefly consists of the following trigrams: fir, ire, ref, efl, fly.
2. For each bigram ij, calculate f(i,j,·) as the total number of trigrams beginning with ij.
3. Compute the entries of T as follows:
$T(i,j,k) = \dfrac{f(i,j,k)}{f(i,j,\cdot)}$
Markov Model
Checking for a bad password:
>Passwords (strings) generated by the Markov model are rejected.
>For a given password, the transition probabilities of its trigrams are looked up.
>Statistical tests are performed to see if this password is likely under the model.
>Passwords likely under the model are rejected.
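The trigram transition matrix and the bad-password check described above, as an added example that is not part of the slides. The dictionary of guessable words is a constructed six-word stand-in, and the statistical test (mean log transition probability with a floor for unseen trigrams and a rejection threshold of -4.0) is this example's own assumption, not the slides' exact test.

```python
import math
from collections import defaultdict

# Added example, not from the slides: trigram Markov password checker.
# Constructed stand-in for the dictionary of guessable words.
DICTIONARY = ["firefly", "fireman", "firewall", "fireplace", "flyer", "butterfly"]

def trigrams(word):
    """All overlapping 3-character substrings, e.g. firefly -> fir ire ref efl fly."""
    return [word[i:i + 3] for i in range(len(word) - 2)]

def build_transition_matrix(dictionary):
    """Steps 1-3 from the slides: count f(i,j,k), total f(i,j,.) per bigram,
    then T(i,j,k) = f(i,j,k) / f(i,j,.). T is returned as a dict keyed by trigram."""
    f = defaultdict(int)      # f(i,j,k): occurrences of each trigram
    f_dot = defaultdict(int)  # f(i,j,.): trigrams beginning with bigram ij
    for word in dictionary:
        for tri in trigrams(word.lower()):
            f[tri] += 1
            f_dot[tri[:2]] += 1
    return {tri: n / f_dot[tri[:2]] for tri, n in f.items()}

T = build_transition_matrix(DICTIONARY)

def mean_log_probability(password, T, floor=1e-4):
    """Statistical test used here (an assumption): average log transition
    probability of the password's trigrams; unseen trigrams get the floor."""
    tris = trigrams(password.lower())
    if not tris:
        return 0.0  # too short to score; treated as maximally "likely"
    return sum(math.log(T.get(tri, floor)) for tri in tris) / len(tris)

def is_bad_password(password, T=T, threshold=-4.0):
    """Reject (return True) when the model finds the password likely, i.e. its
    score is above the assumed threshold; random-looking strings fall far below."""
    return mean_log_probability(password, T) > threshold

if __name__ == "__main__":
    for candidate in ["firefly", "fireman", "Ij4Gf4Se%f#"]:
        print(candidate, round(mean_log_probability(candidate, T), 2),
              "rejected" if is_bad_password(candidate) else "accepted")
```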
where
2. For each password, its k hash values are calculated, and the corresponding bits in the hash table are set to 1.
Bloom Filter
False positive: A password that is not in the dictionary but produces a match in the table.
Example: hogan and bogan are present in the dictionary, but logan is not.
H1(hogan)=32, H1(bogan)=76, H1(logan)=45
H2(hogan)=45, H2(bogan)=91, H2(logan)=76
>A false positive causes a valid password to be rejected.
>False positives should be minimized.
Bloom Filter...
Design a hash scheme to minimize false positives. Probability of a false positive:
$P \approx \left(1 - e^{-kD/N}\right)^k = \left(1 - e^{-k/R}\right)^k$, or, equivalently, $R = \dfrac{-k}{\ln\left(1 - P^{1/k}\right)}$
where
k = number of hash functions
N = number of bits in the hash table
D = number of words in the dictionary
R = N/D, the ratio of hash table size (bits) to dictionary size (words)
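The Bloom filter password checker and the false-positive formula above, as an added example that is not part of the slides. The k hash functions are assumed to be SHA-256 over the word with a distinct index prefix, the dictionary is constructed, and 16 table bits per dictionary word with k = 6 is an assumed design point.

```python
import hashlib
import math

# Added example, not from the slides: Bloom filter dictionary check plus the
# false-positive probability from the slides.
class BloomFilter:
    def __init__(self, n_bits, k):
        self.n_bits, self.k = n_bits, k
        self.bits = bytearray((n_bits + 7) // 8)  # N bits, all initially 0

    def _positions(self, word):
        # H_i(word), i = 0..k-1: assumed construction, SHA-256 with an index prefix
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{word}".encode()).digest()
            yield int.from_bytes(h, "big") % self.n_bits

    def add(self, word):
        """Step 2 from the slides: set the k bits the word hashes to."""
        for pos in self._positions(word):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def probably_contains(self, word):
        """All k bits set: the word is in the dictionary, or it is a false positive."""
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(word))

def false_positive_probability(k, R):
    """P = (1 - e^{-k/R})^k, with R = N/D (table bits per dictionary word)."""
    return (1 - math.exp(-k / R)) ** k

def bits_per_word(k, P):
    """The equivalent form R = -k / ln(1 - P^{1/k}), solved for the table size ratio."""
    return -k / math.log(1 - P ** (1 / k))

def build_checker(dictionary, k=6, bits_per_entry=16):
    """Constructed design point: N = 16 * D bits and k = 6 hash functions."""
    bf = BloomFilter(len(dictionary) * bits_per_entry, k)
    for word in dictionary:
        bf.add(word)
    return bf

if __name__ == "__main__":
    bf = build_checker(["hogan", "bogan", "firefly"])  # constructed dictionary
    for candidate in ["hogan", "logan", "Ij4Gf4Se%f#"]:
        print(candidate, "rejected" if bf.probably_contains(candidate) else "accepted")
    print("P(k=6, R=16) =", false_positive_probability(6, 16))
    print("R for k=6, P=0.001:", bits_per_word(6, 0.001))
```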
...locate which IP addresses are in use, what operating system is in use, what TCP or UDP ports are open (being listened to by servers).
2. Run exploit scripts against open ports.
3. Get access to a shell program which is suid (has root privileges).
4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.
Intrusion Detection
Intrusion prevention may fail, and intrusion detection is the next best defense.
Motivations:
>If the intruder can be identified quickly enough, he can be ejected from the system and damage can be minimized.
>An effective intrusion detection system can prevent intrusions. //can act as a deterrent//
Motivations:...
>Collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
Intrusion detection basis: The behavior of intruders differs from that of a legitimate user in a quantifiable way.
Intrusion Detection
There is likely to be some overlap in the behavior.
>This will generate false positives: some authorized users will be branded as intruders.
>If false positives are completely eliminated, some intruders will go undetected.
Intrusion Detection
Two approaches are used:
1. Statistical anomaly detection
>History of legitimate users is collected and a user profile is built.
>Statistical tests are applied to the observed behavior to determine if it is an intrusion.
>Two approaches are used:
Intrusion Detection
Threshold detection: Uses thresholds for the frequency of occurrence of various events.
Profile based: A user profile is used to detect changes in the behavior of a user.
2. Rule based detection
>Defines a set of rules that can be used to decide if a behavior is that of an intruder.
Intrusion Detection
2. Rule based detection...
>Two approaches:
Anomaly detection: Rules detect deviation from previous usage patterns.
Penetration identification: An expert system-based approach that searches for suspicious behavior.
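The two statistical anomaly detectors named above (threshold detection and profile-based detection), as an added example that is not part of the slides, run over constructed hourly audit counts. The user histories, today's observations, the per-event limits and the z-score limit of 3.0 are all constructed assumptions for the demonstration.

```python
from collections import Counter
from statistics import mean, pstdev

# Added example, not from the slides. Constructed data: each user's past hourly
# counts of files read (the profile) and today's observations as (user, event, count).
HISTORY = {
    "alice": [40, 45, 38, 50, 42, 47, 44, 41],
    "bob": [5, 7, 6, 4, 8, 6, 5, 7],
}
EVENTS = [
    ("alice", "login_fail", 2), ("alice", "files_read", 46),
    ("bob", "login_fail", 9), ("bob", "files_read", 30),
    ("carol", "files_read", 900),
]

def threshold_alerts(events, limits):
    """Threshold detection: flag users whose total for an event exceeds a fixed limit."""
    totals = Counter()
    for user, event, count in events:
        totals[(user, event)] += count
    return sorted(user for (user, event), total in totals.items()
                  if event in limits and total > limits[event])

def profile_alerts(events, history, event="files_read", z_limit=3.0):
    """Profile-based detection: flag users whose count deviates from their own
    history by more than z_limit standard deviations. A lower z_limit catches
    more intruders but brands more legitimate users (false positives).
    Users with no profile cannot be scored and are reported separately."""
    alerts, unknown = [], []
    for user, ev, count in events:
        if ev != event:
            continue
        if user not in history:
            unknown.append(user)
            continue
        mu, sigma = mean(history[user]), pstdev(history[user])
        if sigma and abs(count - mu) / sigma > z_limit:
            alerts.append(user)
    return sorted(alerts), sorted(unknown)

if __name__ == "__main__":
    print("threshold alerts:", threshold_alerts(EVENTS, {"login_fail": 5}))
    print("profile alerts, unknown users:", profile_alerts(EVENTS, HISTORY))
```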
Distributed ID
Consists of three components:
1. Host agent module: Collects data on security-related events on the host and passes them to the central manager.
2. LAN monitor agent module: Analyzes LAN traffic and reports results to the central manager (host-host connections, services used, volume of traffic, rlogin activity, etc.).
3. Central manager module:
>Receives reports from host agents and the LAN monitor.
>Processes and correlates the reports to detect intrusions.
>Typically includes an expert system that draws inferences from the received data.