
Chapter 18

Intruders
//Modified by Prof. M. Singhal//

Henric Johnson
Blekinge Institute of Technology, Sweden http://www.its.bth.se/staff/hjo/ henric.johnson@bth.se
Henric Johnson 1

Outline
>Intruders
>Intrusion Techniques
>Password Protection
>Password Selection Strategies
>Intrusion Detection

Intruders
Three classes of intruders (hackers or crackers): Masquerader, Misfeasor, and Clandestine user.
Masquerader
>An unauthorized user who penetrates a computer system's access control and gains access to user accounts.

Intruders
Misfeasor
>A legitimate user who accesses resources he is not authorized to access.
>Or a user who is authorized such access but misuses his privileges.
Clandestine user
>A user who seizes supervisory control of the system and uses it to evade auditing and access control.

Intrusion Techniques
Objective: An intruder wants to gain access to a system.
>Access is generally protected by passwords.
>The system maintains a file that associates a password with each authorized user.
>The password file can be protected with:
One-way encryption and Access control

Intrusion Techniques
One-way encryption:
>The system stores passwords only in encrypted form.
>One-way transformation //not invertible.//
Access control:
>Access to the password file is limited to very few people.

Intrusion Techniques
Techniques for guessing passwords:
>Try default passwords (used with standard accounts that are shipped with systems).
>Try all short words, 1 to 3 characters long.
>Try all the words in an electronic dictionary (60,000).
>Collect information about the user's hobbies, family names, birthday, etc.

Intrusion Techniques
Techniques for guessing passwords (continued):
>Try the user's phone number, social security number, street address, etc.
>Try all license plate numbers (MUP103).
>Use a Trojan horse (to bypass restrictions on access).
>Tap the line between a remote user and the host system.
Prevention: Enforce good password selection (Ij4Gf4Se%f#)

UNIX Password Scheme
>Passwords are stored in encrypted form.
>The user selects a password (a string of characters).
>This password serves as the key to an encryption routine.
>The encryption routine is a modified version of DES.
>A 12-bit salt is used for the modification.
>Salt: related to the time the password is assigned.

UNIX Password Scheme
>Modified DES is used with a 64-bit block of zeros as the data input.
>This process is repeated 25 times.
>The resulting output is translated into an 11-character sequence (the ciphered password).
>The ciphertext password is stored in the table together with the salt.

UNIX Password Scheme
Loading a new password (figure)

UNIX Password Scheme
Verifying a password file (figure)

Storing UNIX Passwords
>UNIX passwords were kept in a publicly readable file, /etc/passwd.
>Now they are kept in a shadow file, visible only to root.

Salt
The salt serves three purposes:
>Prevents duplicate passwords from being visible in the password file. //even if two users choose the same password, their ciphertexts will differ//
>Effectively increases the length of the password (by two characters). //makes password guessing more difficult//
>Prevents the use of hardware implementations of DES.

Password Selection Strategies
Goal: Eliminate guessable passwords while allowing users to select passwords that are memorable.
1. User education
>Users are told the importance of hard-to-guess passwords.
>Users are provided guidelines for selecting strong passwords.
>Many users ignore the guidelines.

Password Selection Strategies
2. Computer-generated passwords
>Passwords will be random in nature and hard to memorize.
3. Reactive password checking
>The system runs its own password checker to find guessable passwords.
>Users are given a deadline to change the password //otherwise the account is cancelled or frozen//

Password Selection Strategies
4. Proactive password checking
>A user is allowed to select his password.
>At the time of selection, the system checks whether the password is allowable.
>It rejects the password if it is not allowable.
>The most promising approach.

Proactive Password Checking
Problem: How to check passwords efficiently and effectively.
>It is not practical to maintain a list of bad passwords and check against it.
>Two compact ways: Markov model and Bloom filters.

Proactive Password Checking
Markov model:
>Each state represents a character.
>The current state denotes the most recent character/letter.
>A transition from one state to another denotes the next character.
>Transitions have probabilities associated with them.

Markov Model (figure)

Markov Model
Main problem: Building the transition matrix.
>The Markov chain should reflect the structure of words in the dictionary.
>All strings generated by the Markov chain denote bad passwords.
>A dictionary of guessable words is created.
>The transition matrix is computed as follows:

Transition Matrix
1. Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth characters. Example: the password firefly consists of the following trigrams: fir, ire, ref, efl, fly.

Transition Matrix
2. For each bigram ij, calculate f(i,j,·) as the total number of trigrams beginning with ij.
3. Compute the entries of T as follows:
$T(i,j,k) = \frac{f(i,j,k)}{f(i,j,\cdot)}$

Markov Model
Checking for a bad password:
>Passwords (strings) generated by the Markov model are rejected.
>For a given password, the transition probabilities of its trigrams are looked up.
>Statistical tests are performed to see if this password is likely under the model.
>Passwords likely under the model are rejected.
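The three transition-matrix steps and the bad-password check above, as an added example (not code from the slides): it builds f(i,j,k), f(i,j,·) and T from a constructed toy dictionary and scores candidate passwords. The fixed log-likelihood threshold stands in for the slides' unspecified statistical test and is an assumption.

```python
import math
from collections import defaultdict

def frequency_matrix(dictionary):
    """Step 1: f[(i, j, k)] = number of occurrences of the trigram ijk across the dictionary."""
    f = defaultdict(int)
    for word in dictionary:
        for pos in range(len(word) - 2):
            f[tuple(word[pos:pos + 3])] += 1
    return f

def transition_matrix(f):
    """Steps 2 and 3: f(i,j,.) = trigrams beginning with ij; T(i,j,k) = f(i,j,k) / f(i,j,.)."""
    bigram_total = defaultdict(int)
    for (i, j, _k), count in f.items():
        bigram_total[(i, j)] += count
    return {(i, j, k): count / bigram_total[(i, j)] for (i, j, k), count in f.items()}

def trigrams(word):
    return [word[pos:pos + 3] for pos in range(len(word) - 2)]

def mean_log_likelihood(password, T):
    """Average log T over the password's trigrams; a trigram the model never saw gives -inf."""
    total = 0.0
    tris = trigrams(password)
    for tri in tris:
        p = T.get(tuple(tri), 0.0)
        if p == 0.0:
            return float("-inf")
        total += math.log(p)
    return total / max(len(tris), 1)   # a password with no trigrams scores 0 (rejected)

def is_guessable(password, T, threshold=-1.0):
    """Reject when the model finds the password likely. The per-trigram mean log-probability
    compared against a fixed threshold is an assumed, simplified stand-in for the slides'
    unspecified statistical test."""
    return mean_log_likelihood(password, T) > threshold

# Constructed toy dictionary of guessable words (the slides' firefly plus a few relatives).
DICTIONARY = ["firefly", "fire", "fired", "refer"]
T = transition_matrix(frequency_matrix(DICTIONARY))
```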

Spafford (Bloom Filter)
$H_i(X_j) = y, \quad 1 \le i \le k;\; 1 \le j \le D;\; 0 \le y \le N-1$
where
$X_j$ = jth word in the password dictionary
$D$ = number of words in the password dictionary
The following procedure is then applied to the dictionary:
1. A hash table of N bits is defined, with all bits initially set to 0.
2. For each password, its k hash values are calculated, and the corresponding bits in the hash table are set to 1.

Bloom Filter
False positive: A password that is not in the dictionary but produces a match in the table.
Example: hogan and bogan are present in the dictionary, but logan is not.
H1(hogan)=32, H1(bogan)=76, H1(logan)=45
H2(hogan)=45, H2(bogan)=91, H2(logan)=76
>False positives cause a valid password to be rejected.
>False positives should be minimized.

Bloom Filter...
Design a hash scheme to minimize false positives. Probability of a false positive:
$P \approx \left(1 - e^{-kD/N}\right)^k = \left(1 - e^{-k/R}\right)^k$ or, equivalently, $R = \frac{-k}{\ln\left(1 - P^{1/k}\right)}$
where
k = number of hash functions
N = number of bits in the hash table
D = number of words in the dictionary
R = N/D, ratio of hash table size (bits) to dictionary size (words)
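An added example (not code from the slides) covering both the hogan/bogan/logan false positive above and the false-positive formula: a Bloom filter built from the two-step procedure, once with the slide's printed H1/H2 values and once with real hash functions. The SHA-256-with-prefix construction of the k hash functions is an assumed choice.

```python
import hashlib
import math

class BloomFilter:
    """Bloom filter as on the slides: a table of N bits and k hash functions H_1..H_k,
    each mapping a word to a bit position in 0..N-1."""
    def __init__(self, n_bits, hash_funcs):
        self.n_bits = n_bits
        self.hashes = hash_funcs
        self.bits = bytearray(n_bits)      # step 1: all bits initially 0

    def add(self, word):
        for h in self.hashes:              # step 2: set the k bits of a dictionary word
            self.bits[h(word)] = 1

    def probably_in_dictionary(self, word):
        # A candidate password is rejected when all k of its bits are set.
        return all(self.bits[h(word)] for h in self.hashes)

def sha_hash_functions(k, n_bits):
    """k hash functions derived from SHA-256 with a per-function prefix (an assumed choice)."""
    def make(i):
        return lambda w: int.from_bytes(hashlib.sha256(f"{i}:{w}".encode()).digest(), "big") % n_bits
    return [make(i) for i in range(k)]

def false_positive_probability(k, ratio):
    """P = (1 - e^{-k/R})^k with R = N/D bits per dictionary word."""
    return (1.0 - math.exp(-k / ratio)) ** k

def bits_per_word_needed(k, p):
    """R = -k / ln(1 - P^{1/k}): table size (bits per word) for a target false-positive rate."""
    return -k / math.log(1.0 - p ** (1.0 / k))

# The slides' worked example, reproduced: H1/H2 values are the ones printed on the slide.
SLIDE_H1 = {"hogan": 32, "bogan": 76, "logan": 45}
SLIDE_H2 = {"hogan": 45, "bogan": 91, "logan": 76}

def slide_example():
    """Returns True: logan hits bits 45 (set by hogan) and 76 (set by bogan), a false positive."""
    bf = BloomFilter(100, [SLIDE_H1.__getitem__, SLIDE_H2.__getitem__])
    for w in ("hogan", "bogan"):
        bf.add(w)
    return bf.probably_in_dictionary("logan")

def sha_example():
    """Real hashing over a constructed dictionary: dictionary words are always found (no false negatives)."""
    bf = BloomFilter(1024, sha_hash_functions(3, 1024))
    for w in ("hogan", "bogan"):
        bf.add(w)
    return bf.probably_in_dictionary("hogan"), bf.probably_in_dictionary("bogan")
```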

Performance of Bloom Filter (figure)

The Stages of a Network Intrusion
1. Scan the network to locate which IP addresses are in use, what operating system is in use, and what TCP or UDP ports are open (being listened to by servers).
2. Run exploit scripts against open ports.
3. Get access to a shell program which is suid (has root privileges).
4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.

Intrusion Detection
Intrusion prevention may fail, and intrusion detection is the next best defense.
Motivations:
>If the intruder can be identified quickly enough, he can be ejected from the system and damage can be minimized.
>An effective intrusion detection system can prevent intrusions. //can act as a deterrent//
>Collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
Intrusion detection basis: The behavior of intruders differs from that of a legitimate user in a quantifiable way.

Intrusion Detection
Profiles of Behavior of Intruders and Authorized Users (figure)

Intrusion Detection
There is likely to be some overlap in the behavior.
>This will generate false positives: some authorized users will be branded as intruders.
>If false positives are completely eliminated, some intruders will go undetected.

Intrusion Detection
Two approaches are used:
1. Statistical anomaly detection
>The history of legitimate users is collected and a user profile is built.
>Statistical tests are applied to the observed behavior to determine if it is an intrusion.
>Two sub-approaches are used: threshold detection and profile-based detection.

Intrusion Detection
Threshold detection
>Uses thresholds for the frequency of occurrence of various events.
Profile based
>A user profile is used to detect changes in the behavior of a user.
2. Rule-based detection
>Defines a set of rules that can be used to decide if a behavior is that of an intruder.

Intrusion Detection
2. Rule-based detection (continued)
>Two approaches.
Anomaly detection
>Rules detect deviation from previous usage patterns.
Penetration identification
>An expert-system-based approach that searches for suspicious behavior.

Measures used for Intrusion Detection
>Login frequency by day and time.
>Frequency of login at different locations.
>Time since last login.
>Password failures at login.
>Execution frequency.
>Data transfers.
>Read, write, create, delete frequency.
>Failure count for read, write, create and delete.
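An added example (not code from the slides) applying the two statistical anomaly sub-approaches to two of the measures listed above: threshold detection on password failures at login, and profile-based detection on login time. The login records, the window, the failure threshold and the tolerance of two hours are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login records (not from the slides): "<timestamp> <user> <outcome>".
HISTORY = """\
2024-02-26T09:05:00 alice ok
2024-02-27T08:50:00 alice ok
"""
TODAY = """\
2024-03-01T03:10:00 alice ok
2024-03-01T09:02:10 bob fail
2024-03-01T09:02:14 bob fail
2024-03-01T09:02:19 bob fail
2024-03-01T09:02:25 bob fail
"""

def parse(text):
    for line in text.splitlines():
        ts, user, outcome = line.split()
        yield datetime.fromisoformat(ts), user, outcome

def threshold_alerts(text, max_failures=3, window=timedelta(minutes=1)):
    """Threshold detection on the 'password failures at login' measure: alert when a user
    exceeds max_failures failures within any sliding window of the given length."""
    recent = defaultdict(deque)            # user -> timestamps of recent failures
    alerts = []
    for ts, user, outcome in parse(text):
        if outcome != "fail":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop failures that fell out of the window
            q.popleft()
        if len(q) > max_failures:
            alerts.append((user, ts))
    return alerts

def profile_alerts(history, text, tolerance_hours=2.0):
    """Profile-based detection on the 'login frequency by day and time' measure: learn each
    user's mean login hour from past successful logins, then flag logins far from it."""
    hours = defaultdict(list)
    for ts, user, outcome in parse(history):
        if outcome == "ok":
            hours[user].append(ts.hour + ts.minute / 60)
    alerts = []
    for ts, user, outcome in parse(text):
        if outcome == "ok" and user in hours:
            mean = sum(hours[user]) / len(hours[user])
            if abs(ts.hour + ts.minute / 60 - mean) > tolerance_hours:
                alerts.append((user, ts))
    return alerts
```

Both detectors return the user and the record that tripped them; the overlap the slides warn about shows up here as a legitimate early-morning login by alice being flagged.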

Distributed Intrusion Detection
>Early IDSs were for single stand-alone systems (centralized IDS).
>A more effective defense can be achieved by cooperation among several intrusion detection systems across the network.
>A diagram of such a system (next slide).

Distributed Intrusion Detection
Developed at University of California at Davis (figure)

Distributed ID
Consists of three components:
1. Host agent module: Collects data on security-related events on the host and passes them to the central manager.
2. LAN monitor agent module: Analyzes LAN traffic and reports results to the central manager (host-host connections, services used, volume of traffic, rlogin activity, etc.).
3. Central manager module:
>Receives reports from host agents and the LAN monitor.
>Processes and correlates the reports to detect intrusions.
>Typically includes an expert system that draws inferences from the received data.

Distributed Intrusion Detection (figure)
