Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer Security Announcements intermission Day 22: Malware and Denial of Service Stephen McCamant Denial of service and the network University of Minnesota, Computer Science & Engineering Bonus: anonymity overlays Signature matching Anomaly detection Learn pattern of normal behavior Signature is a pattern that matches “Not normal” is a sign of a potential known bad behavior attack Typically human-curated to ensure Has possibility of finding novel attacks specificity Performance depends on normal See also: anti-virus scanners behavior too Recall: FPs and FNs Signature and anomaly weaknesses False positive: detector goes off Signatures without real attack Won’t exist for novel attacks Often easy to attack around False negative: attack happens without Anomaly detection detection Hard to avoid false positives Any detector design is a tradeoff Adversary can train over time between these (ROC curve)
Base rate problems Adversarial challenges If the true incidence is small (low base FP/FN statistics based on a fixed set of rate), most positives will be false attacks Example: screening test for rare disease But attackers won’t keep using Easy for false positives to overwhelm techniques that are detected admins Instead, will look for: E.g., 100 attacks out of 10 million Existing attacks that are not detected packets, 0.01% FP rate Minimal changes to attacks How many false alarms? Truly novel attacks Wagner and Soto mimicry attack Outline Host-based IDS based on sequence of Intrusion detection systems syscalls Malware and the network Compute ❆ ❭ ▼ , where: ❆ models allowed sequences Announcements intermission ▼ models sequences achieving attacker’s goals Denial of service and the network Further techniques required: Many syscalls made into NOPs Bonus: anonymity overlays Replacement subsequences with similar effect Malicious software Trojan (horse) Shortened to Mal. . . ware Looks benign, has secret malicious Software whose inherent goal is functionality malicious Not just used for bad purposes Key technique: fool users into Strong adversary installing/running High visibility Concern dates back to 1970s, MLS Many types
(Computer) viruses Worms Completely automatic self-propagation Attaches itself to other software Requires remote security holes Propagates when that program runs Classic example: 1988 Morris worm Once upon a time: floppy disks “Golden age” in early 2000s More modern: macro viruses Internet-level threat seems to have Have declined in relative importance declined Fast worm propagation Getting underneath Initial hit-list Lower-level/higher-privilege code can Pre-scan list of likely targets deceive normal code Accelerate cold-start phase Rootkit: hide malware by changing Permutation-based sampling kernel behavior Systematic but not obviously patterned Pseudorandom permutation MBR virus: take control early in boot Approximate time: 15 minutes Blue-pill attack: malware is a VMM “Warhol worm” running your system Too fast for human-in-the-loop response Malware motivation User-based monetization Once upon a time: curiosity, fame Adware, mild spyware Now predominates: money Keyloggers, stealing financial Modest-size industry credentials Competition and specialization Ransomware Also significant: nation-states Application of public-key encryption Industrial espionage Malware encrypts user files Stuxnet (not officially acknowledged) Only $300 for decryption key
Bots and botnets Bot monetization Bot: program under control of remote attacker Click (ad) fraud Botnet: large group of bot-infected Distributed DoS (next section) computers with common “master” Bitcoin mining Command & control network protocol Pay-per-install (subcontracting) Once upon a time: IRC Now more likely custom and obfuscated Spam sending Centralized ✦ peer-to-peer Gradually learning crypto and protocol lessons Malware/anti-virus arms race Signature-based AV “Anti-virus” (AV) systems are really Similar idea to signature-based IDS general anti-malware Would work well if malware were static Clear need, but hard to do well In reality: No clear distinction between benign Large, changing database Frequent updated from analysts and malicious Not just software, a subscription Endless possibilities for deception Malware stays enough ahead to survive Emulation and AV Polymorphism Simple idea: run sample, see if it does Attacker makes many variants of something evil starting malware Obvious limitation: how long do you Different code sequences, same wait? behavior Simple version can be applied online One estimate: 30 million samples observed in 2012 More sophisticated emulators/VMs used in backend analysis But could create more if needed
Packing Fake anti-virus Sounds like compression, but real goal Major monentization strategy recently is obfuscation Your system is infected, pay $19.95 for Static code creates real code on the fly cleanup tool Or, obfuscated bytecode interpreter For user, not fundamentally Outsourced to independent “protection” distinguishable from real AV tools Outline Note to early readers Intrusion detection systems This is the section of the slides most Malware and the network likely to change in the final version Announcements intermission If class has already happened, make sure you have the latest slides for Denial of service and the network announcements Bonus: anonymity overlays Outline DoS versus other vulnerabilities Intrusion detection systems Effect: normal operations merely become impossible Malware and the network Software example: crash as opposed Announcements intermission to code injection Less power that complete compromise, Denial of service and the network but practical severity can vary widely Airplane control DoS, etc. Bonus: anonymity overlays
When is it DoS? Algorithmic complexity attacks Can an adversary make your algorithm Very common for users to affect have worst-case behavior? others’ performance ❖ ✭ ♥ ✷ ✮ quicksort Focus is on unexpected and unintended Hash table with all entries in one bucket effects Exponential backtracking in regex Unexpected channel or magnitude matching XML entity expansion Compression DoS XML entities (HTML ✫❧t ) are like C Some formats allow very high macros compression ratios Simple attack: compress very large input ★❞❡❢✐♥❡ ❇ ✭❆✰❆✰❆✰❆✰❆✮ More powerful: nested archives ★❞❡❢✐♥❡ ❈ ✭❇✰❇✰❇✰❇✰❇✮ Also possible: “zip file quine” ★❞❡❢✐♥❡ ❉ ✭❈✰❈✰❈✰❈✰❈✮ decompresses to itself ★❞❡❢✐♥❡ ❊ ✭❉✰❉✰❉✰❉✰❉✮ ★❞❡❢✐♥❡ ❋ ✭❊✰❊✰❊✰❊✰❊✮ DoS against network services Tiny bit of queueing theory Mathematical theory of waiting in line Common example: keep legitimate Simple case: random arrival, sequential users from viewing a web site fixed-time service Easy case: pre-forked server supports M/D/1 100 simultaneous connections If arrival rate ✕ service rate, expected Fill them with very very slow downloads queue length grows without bound
SYN flooding SYN cookies Change server behavior to stateless SYN is first of three packets to set up approach new connection Embed small amount of needed Traditional implementation allocates information in fields that will be echoed space for control data in third packet However much you allow, attacker fills MAC-like construction with unfinished connections Other disadvantages, so usual Early limits were very low (10-100) implementations used only under attack DoS against network links Traffic multipliers Third party networks (not attacker or Try to use all available bandwidth, victim) crowd out real traffic One input packet causes ♥ output Brute force but still potentially effective packets Baseline attacker power measured by Commonly, victim’s address is forged packet sending rate source, multiply replies Misuse of debugging features “Smurf” broadcast ping Distributed DoS Many attacker machines, one victim ICMP echo request with forged source Easy if you own a botnet Sent to a network broadcast address Impractical to stop bots one-by-one Every recipient sends reply May prefer legitimate-looking traffic Now mostly fixed by disabling this over weird attacks feature Main consideration is difficulty to filter
Recommend
More recommend
