Outline Intrusion detection systems Malware and the network CSci 5271 Announcements intermission Introduction to Computer Security Middlebox, malware, anonymity combined slides Denial of service and the network Anonymous communications techniques Stephen McCamant University of Minnesota, Computer Science & Engineering Tor basics Tor experiences and challenges Basic idea: detect attacks Network and host-based IDSes The worst attacks are the ones you don’t even know Network IDS: watch packets similar to firewall about But don’t know what’s bad until you see it Best case: stop before damage occurs More often implemented offline Marketed as “prevention” Host-based IDS: look for compromised process or Still good: prompt response user from within machine Challenge: what is an attack? Signature matching Anomaly detection Learn pattern of normal behavior Signature is a pattern that matches known bad behavior “Not normal” is a sign of a potential attack Typically human-curated to ensure specificity Has possibility of finding novel attacks See also: anti-virus scanners Performance depends on normal behavior too Recall: FPs and FNs Signature and anomaly weaknesses Signatures False positive: detector goes off without real attack Won’t exist for novel attacks False negative: attack happens without detection Often easy to attack around Anomaly detection Any detector design is a tradeoff between these Hard to avoid false positives (ROC curve) Adversary can train over time
Base rate problems Adversarial challenges If the true incidence is small (low base rate), most FP/FN statistics based on a fixed set of attacks positives will be false But attackers won’t keep using techniques that are Example: screening test for rare disease detected Easy for false positives to overwhelm admins Instead, will look for: E.g., 100 attacks out of 10 million packets, 0.01% FP Existing attacks that are not detected rate Minimal changes to attacks Truly novel attacks How many false alarms? Wagner and Soto mimicry attack Outline Intrusion detection systems Host-based IDS based on sequence of syscalls Malware and the network Compute ❆ ❭ ▼ , where: Announcements intermission ❆ models allowed sequences Denial of service and the network ▼ models sequences achieving attacker’s goals Further techniques required: Anonymous communications techniques Many syscalls made into NOPs Tor basics Replacement subsequences with similar effect Tor experiences and challenges Malicious software Trojan (horse) Shortened to Mal. . . ware Software whose inherent goal is malicious Looks benign, has secret malicious functionality Not just used for bad purposes Key technique: fool users into installing/running Strong adversary Concern dates back to 1970s, MLS High visibility Many types (Computer) viruses Worms Completely automatic self-propagation Attaches itself to other software Requires remote security holes Propagates when that program runs Classic example: 1988 Morris worm Once upon a time: floppy disks “Golden age” in early 2000s More modern: macro viruses Internet-level threat seems to have declined Have declined in relative importance
Fast worm propagation Getting underneath Initial hit-list Lower-level/higher-privilege code can deceive Pre-scan list of likely targets Accelerate cold-start phase normal code Permutation-based sampling Rootkit: hide malware by changing kernel behavior Systematic but not obviously patterned MBR virus: take control early in boot Pseudorandom permutation Blue-pill attack: malware is a VMM running your Approximate time: 15 minutes system “Warhol worm” Too fast for human-in-the-loop response Malware motivation User-based monetization Once upon a time: curiosity, fame Adware, mild spyware Now predominates: money Keyloggers, stealing financial credentials Modest-size industry Ransomware Competition and specialization Application of public-key encryption Also significant: nation-states Malware encrypts user files Industrial espionage Only $300 for decryption key Stuxnet (not officially acknowledged) Bots and botnets Bot monetization Bot: program under control of remote attacker Click (ad) fraud Botnet: large group of bot-infected computers with Distributed DoS (next section) common “master” Bitcoin mining Command & control network protocol Once upon a time: IRC Pay-per-install (subcontracting) Now more likely custom and obfuscated Spam sending Centralized ✦ peer-to-peer Gradually learning crypto and protocol lessons Malware/anti-virus arms race Signature-based AV Similar idea to signature-based IDS “Anti-virus” (AV) systems are really general Would work well if malware were static anti-malware In reality: Clear need, but hard to do well Large, changing database No clear distinction between benign and malicious Frequent updated from analysts Endless possibilities for deception Not just software, a subscription Malware stays enough ahead to survive
Emulation and AV Polymorphism Simple idea: run sample, see if it does something evil Attacker makes many variants of starting malware Obvious limitation: how long do you wait? Different code sequences, same behavior Simple version can be applied online One estimate: 30 million samples observed in 2012 More sophisticated emulators/VMs used in backend But could create more if needed analysis Packing Fake anti-virus Sounds like compression, but real goal is obfuscation Major monentization strategy recently Static code creates real code on the fly Your system is infected, pay $19.95 for cleanup tool Or, obfuscated bytecode interpreter For user, not fundamentally distinguishable from real AV Outsourced to independent “protection” tools Outline Tunneling question Intrusion detection systems A “captive portal” on a WiFi network directs all HTTP traffic to a login Malware and the network web server. Which kind of tunneling might slowly circumvent this? Announcements intermission A. DNS over HTTPS Denial of service and the network B. UDP over TCP Anonymous communications techniques C. SOCKS over SSH Tor basics D. IP over DNS E. HTTPS over HTTP Tor experiences and challenges Upcoming important dates Spring special topics course CSci 5980/8980, Manual and Automated Binary Exercise set 4 due tonight Reverse Engineering Wouldn’t HA1 have been more fun if you didn’t get Hands-on assignment 2 due Friday night the source code? Last project progress reports due next Wednesday Studying disassembled code by hand, and with 11/27 open-source and research tools Include a sample of report formatting MS Word, LaTeX, Overleaf options Only prerequisite is CSci 2021 (or similar) 5271-like project
Outline DoS versus other vulnerabilities Intrusion detection systems Malware and the network Effect: normal operations merely become impossible Software example: crash as opposed to code Announcements intermission injection Denial of service and the network Less power that complete compromise, but practical Anonymous communications techniques severity can vary widely Tor basics Airplane control DoS, etc. Tor experiences and challenges When is it DoS? Algorithmic complexity attacks Can an adversary make your algorithm have Very common for users to affect others’ worst-case behavior? performance ❖ ✭ ♥ ✷ ✮ quicksort Focus is on unexpected and unintended effects Hash table with all entries in one bucket Unexpected channel or magnitude Exponential backtracking in regex matching XML entity expansion Compression DoS XML entities (c.f. HTML ✫❧t ) are like C macros Some formats allow very high compression ratios ★❞❡❢✐♥❡ ❇ ✭❆✰❆✰❆✰❆✰❆✮ Simple attack: compress very large input ★❞❡❢✐♥❡ ❈ ✭❇✰❇✰❇✰❇✰❇✮ More powerful: nested archives ★❞❡❢✐♥❡ ❉ ✭❈✰❈✰❈✰❈✰❈✮ Also possible: “zip file quine” decompresses to itself ★❞❡❢✐♥❡ ❊ ✭❉✰❉✰❉✰❉✰❉✮ ★❞❡❢✐♥❡ ❋ ✭❊✰❊✰❊✰❊✰❊✮ DoS against network services Tiny bit of queueing theory Mathematical theory of waiting in line Common example: keep legitimate users from Simple case: random arrival, sequential fixed-time viewing a web site service Easy case: pre-forked server supports 100 M/D/1 simultaneous connections If arrival rate ✕ service rate, expected queue length Fill them with very very slow downloads grows without bound
Recommend
More recommend