a building block approach to intrusion detection
play

A Building Block Approach to Intrusion Detection Mark J. Crosbie - PowerPoint PPT Presentation

Sep 14, 2023 •327 likes •485 views

A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company mark_crosbie@hp.com Benjamin A. Kuperman CERIAS, Purdue University kuperman@cerias.purdue.edu http://www.hp.com/products/security/ids/ RAID 2001

  1. A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company mark_crosbie@hp.com Benjamin A. Kuperman CERIAS, Purdue University kuperman@cerias.purdue.edu http://www.hp.com/products/security/ids/ RAID 2001 Friday, November 30, 2001 1

  2. Who are we? • Mark Crosbie – Security Architect at Hewlett-Packard – Designed and implemented IDS/9000 • Benjamin Kuperman – PhD student at CERIAS, Purdue – Worked with HP on IDS/9000 – Designed and implemented detection templates RAID 2001 Friday, November 30, 2001 2

  3. For more information... • Product is available for zero-cost for HP-UX 11.0 and 11i systems. • Download from http://software.hp.com • Part number is J5083AA • More information at http://www.hp.com/products/security/ids/ • Contact Mark Crosbie mark_crosbie@hp.com for further details. RAID 2001 Friday, November 30, 2001 3

  4. What did we build? • Kernel level audit source designed to support Intrusion Detection. • An analysis engine that dynamically loads/unloads configurable detection template bytecode. • Detection templates – Detect the building blocks of intrusions. • Automated intrusion response mechanism. • GUI, manual, product support, etc etc... RAID 2001 Friday, November 30, 2001 4

  5. RAID 2001 Friday, November 30, 2001 5

  6. Why choose system call audit? • Kernel has the only reliable view of system state. • System calls do not have unintended side effects (compare to library audit). • Trustworthiness of data. • Ambiguity can be resolved at kernel level: – mapping inodes/file descriptors to pathnames. – symbolic/hard links, chroot. • Reliable capture of before and after state. RAID 2001 Friday, November 30, 2001 6

  7. Requirement of audit system • Audit record must capture as much state as possible. – Save before/after state of objects for modification actions (e.g. chmod, chown). – Do not query system while processing record. • Resolve ambiguity in the kernel – symbolic links, hard links. – inodes mapped to pathnames. – chroot environments. • Data format must be machine parseable. • Data presented in timely and efficient manner. RAID 2001 Friday, November 30, 2001 7

  8. What is a Building Block? Attacks Definition: An abstraction of attack Building Blocks activities undertaken to exploit a vulnerability. Vulnerabilities RAID 2001 Friday, November 30, 2001 8

  9. Building Blocks Detected • Login/logout activities, including su. • Local and remote filesystem changes: – Directories and files. – Creation, deletion, attribute changes. – Changes to files owned by others. – Unusual Log file modifications. • Creation of setuid “ backdoors” . • Race condition (TOCTTOU) attacks. • Unexpected change in privileges. RAID 2001 Friday, November 30, 2001 9

  10. Some sample alerts • Unexpected change in privilege levels with UID:100(GID:20) EUID:0(EGID:20) executing /usr/bin/ksh(1,42 246,"40000003") with arguments["/usr/bin/ksh", "-c", "foobar"] and system call kern_setuid as PID:19854 • UID:0 (EUID:0) Reference:/dev/emsagent_fifo currently kern_open:/dev/emsagent_fifo(8,1282,"40000003") was kern_mknod:/dev/emsagent_fifo(0,-1,"ffffffff") program running is /etc/opt/resmon/lbin/emsagent(1,1429,"40000003") with arguments ["/etc/opt/resmon/lbin/emsagent"] probable ATTACKER was UID:10 • User 0 opened for modification/truncation "/etc/opt/resmon/pipe/1652016795" executing /etc/opt/resmon/lbin/p_client(1,473,"40000004") with arguments ["/etc/opt/resmon/lbin/p_client"] as PID:2708 RAID 2001 Friday, November 30, 2001 10

  11. Automated Response • Active response to a recent intrusion event. • Examples of responses: – Locking a user account. – Collecting additional system state information. • Recovering from configuration changes. – E.g. changes made under /etc • Recovering from Trojan Horses: Replacing files changed in /sbin or /usr/bin. • Recovering from a web server hack. – rsync web pages from remote source/CDROM. RAID 2001 Friday, November 30, 2001 11

  12. Performance • Difficult to measure - why? – What is a typical system load? – How is the IDS to be configured? – Rate of “ intrusive” activity? Bursty? • How to measure performance impact? – System throughput, CPU time, response time. – IDS load, IDS throughput, IDS response time. • See paper for more details on our performance tests. RAID 2001 Friday, November 30, 2001 12

  13. What IDS/9000 does not do. • Does not fix pre-existing vulnerabilities. • Does not prevent activities from occurring. • Does not detect changes made to local filesystems mounted on remote systems. – No file signature scanning. • Not currently a network IDS. RAID 2001 Friday, November 30, 2001 13

  14. Conclusions • Possible to detect Building Blocks of intrusions. • By building the IDS and audit system together: – More context for making decisions. – Reliable detection. – Data is tailored to detection. • IDS can be used for more than security tasks: – monitor admins, misbehaving programs • Performance measurement is environmentally sensitive. RAID 2001 Friday, November 30, 2001 14

Recommend

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Problem Overall Architecture Evaluation Conclusion Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

472 views • 20 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International Conference on Computing in High Energy and Nuclear Physics Outline: Introduction Threat model Intrusion prevention Intrusion detection

420 views • 16 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

585 views • 30 slides
Building Adaptive and Agile Applications Using Intrusion Detection and Response Joseph P. Loyall,

Building Adaptive and Agile Applications Using Intrusion Detection and Response Joseph P. Loyall,

Building Adaptive and Agile Applications Using Intrusion Detection and Response Joseph P. Loyall, Partha P. Pal, and Richard E. Schantz {jloyall, ppal, schantz}@bbn.com BBN Technologies Franklin Webber franklin.webber@computer.org

239 views • 19 slides
Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What

Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What

Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What this talk is about? Automotive intrusion detection Automotive cyber-security architecture From the highest viewpoint J 3 Outline Quick

926 views • 63 slides
Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS 136, Fall 2014 Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection systems Lecture 11

737 views • 63 slides
Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud Sailik

Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud Sailik

Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud Sailik Sengupta, Ankur Chowdhary, Subbarao Kambhampati Dijiang Huang SNAC Secure Networking and Yochan AI Lab Computing Lab Intrusion Detection Systems?

681 views • 38 slides
Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and

Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and

Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and Computer Security Com puter security: confidentiality, integrity, and availability Intrusion: actions to com prom ise security W hy

1.09k views • 63 slides
Authorization: Intrusion Detection Prof. Tom Austin San Jos State University Prevention vs.

Authorization: Intrusion Detection Prof. Tom Austin San Jos State University Prevention vs.

CS 166: Information Security Authorization: Intrusion Detection Prof. Tom Austin San Jos State University Prevention vs. Detection Most systems we've discussed focus on keeping the bad guys out. Intrusion prevention is a traditional

479 views • 34 slides
Intrusion Detection Using Monitor Information Fusion Student: Atul Bohara P.I.: William H.

Intrusion Detection Using Monitor Information Fusion Student: Atul Bohara P.I.: William H.

Intrusion Detection Using Monitor Information Fusion Student: Atul Bohara P.I.: William H. Sanders Previous Work [1] Intrusion detection by combining and clustering diverse monitor data System Logs Firewall Logs Feature extraction Cluster

527 views • 49 slides

More recommend