Chapter 6

From MCS Wiki


Intrusion Detection

What is an intruder? Also called a hacker or attacker. Three classes:

Masquerader

An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account. (an outsider)

Misfeasor

A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges. (an insider)

Clandestine User

An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection. (either insider or outsider)

Intruder Behavior Patterns

Intruder behavior is constantly changing: intruders vary their tactics to avoid detection and make use of new attack vectors. Still, intruders do exhibit certain basic behaviors that can be detected (behavior patterns).


1. Select the target using IP lookup tools such as NSLookup, Dig, and others.

2. Map the network for accessible services using tools such as NMAP.

3. Identify potentially vulnerable services (e.g., pcAnywhere).

4. Brute-force passwords.

5. Install remote admin tools (e.g., DameWare).

6. Wait for an admin to log on (capture that password).

7. Use that password to access the remainder of the network.

What motivates hackers? Recognition.

Criminal Enterprise

1. Act quickly and precisely to make their activities hard to detect.

2. Exploit perimeter through vulnerable ports.

3. Use Trojan Horses ( hidden software ) to leave back doors.

4. Use sniffers to capture passwords.

5. Leave quickly.

6. Make few or no mistakes.

Criminal "gangs" of hackers who hack for monetary gain. Usually clandestine groups of Eastern European, Russian, or Southeast Asian origin. They commonly meet in underground forums like or lolz. They usually have specific targets rather than targets of opportunity, which IDSs and IPSs provide (or at least attempt to provide) protection against. Encryption should be an additional layer of security.

Insider Threat

1. Create network accounts for themselves and their friends.

2. Access accounts and applications they wouldn't normally use for their daily jobs.

3. E-mail former and prospective employers.

4. Conduct furtive instant-messaging chats.

5. Visit Web sites that cater to disgruntled employees, such as f'

6. Perform large downloads and file copying.

7. Access the network during off hours.

Upon termination, make a mirror image of the employee's hard drive before reissuing it.

Intrusion Detection Definitions

Security Intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resources) without having authorization to do so.

Intrusion Detection: A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

IDS Classification

Host-based IDS: monitors the characteristics/events of a single host for suspicious activity.

Network-based IDS: monitors/analyzes network traffic

+1: Distributed IDS

3 Main Components:

Sensors: Responsible for collecting data.

Analyzers: Receive input from one or more sensors or from other analyzers; determine whether an intrusion has occurred.

User Interface: Allows a user to view the output of, or control the behavior of, the IDS.

IDSs usually work alongside other security measures (user authentication, access control, firewalls, etc.)

Basic Principles

  • If the intrusion is detected early enough, damage can be stopped or mitigated.
  • An effective IDS can act as a deterrent (try to be more trouble than you're worth).
  • Intrusion detection is a way to study intrusion techniques, which can feed the development of intrusion prevention systems.

IDSs are based on the idea that the deviations from normal behavior that are the hallmark of malicious activity can be quantified. Still, intruder and legitimate-user behavior overlap: a loose interpretation of intruder behavior catches more intruders but flags legitimate users too (Type I error, false positives), while a tight interpretation misses intruders (Type II error, false negatives).

Host Based IDS

Add a specialized security layer to sensitive systems (database servers, administrative systems).

Primary benefit: can detect both external and internal intrusions (not possible with network-based IDSs).

Two Basic Approaches:

1. Anomaly Detection: collect the data relating to a particular user over a period of time; apply statistical tests to see if behavior fits the "normal" distribution (threshold detection or profile-based).

2. Signature Detection: define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder.

+1: Proactive: use more advanced "change-point" statistical analysis to identify switch to malicious behavior.
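A small signature detector of the kind described in approach 2, as an added example that is not code from the wiki page; the audit-record layout, the rule thresholds and the tool name are assumptions made for the example.

```python
# Added example (not from the wiki page): a minimal signature detector for a
# host-based IDS, run over constructed audit records. The record layout, the
# rule thresholds and the tool name below are assumptions made for the example.
from collections import defaultdict

# Constructed native-style audit records: (user, source_ip, event, detail).
AUDIT_RECORDS = [
    ("alice", "10.0.0.5", "login", "fail"),
    ("alice", "10.0.0.5", "login", "fail"),
    ("alice", "10.0.0.5", "login", "fail"),
    ("alice", "10.0.0.5", "login", "fail"),
    ("alice", "10.0.0.5", "login", "ok"),
    ("bob",   "10.0.0.9", "login", "ok"),
    ("bob",   "10.0.0.9", "exec",  "remoteadmin.exe"),  # placeholder tool name
]

def brute_force_signature(records, max_failures=3):
    """Rule: a successful login preceded by >= max_failures failed attempts
    from the same (user, source) pair, i.e. the password-guessing step."""
    alerts, failures = [], defaultdict(int)
    for user, src, event, detail in records:
        if event != "login":
            continue
        key = (user, src)
        if detail == "fail":
            failures[key] += 1
            continue
        if failures[key] >= max_failures:
            alerts.append(f"brute force: {user} from {src} after {failures[key]} failures")
        failures[key] = 0          # a success (flagged or not) resets the counter
    return alerts

# Rule: execution of a binary on the list of known remote-administration tools
# (placeholder list; a real IDS would load vendor-maintained signatures).
REMOTE_ADMIN_TOOLS = {"remoteadmin.exe"}

def remote_admin_signature(records):
    return [f"remote admin tool: {user} ran {detail} from {src}"
            for user, src, event, detail in records
            if event == "exec" and detail.lower() in REMOTE_ADMIN_TOOLS]

def run_signatures(records):
    """Apply every rule; the IDS raises one alert per matched pattern."""
    return brute_force_signature(records) + remote_admin_signature(records)

if __name__ == "__main__":
    for alert in run_signatures(AUDIT_RECORDS):
        print(alert)
```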

Sensors and Deployment

  • Just inside the external firewall
  • Just outside the external firewall
  • Just before internal servers
  • Just before internal workstations
  • Things they look for: denial of service, scanning, worms

Audit Records

Usually, some record of ongoing user activity must be maintained as input to the IDS.

Two Plans:

Native audit records: based on logs kept by the OS.

Detection-specific records: could be made vendor independent.

Honey Pots

  • Open systems that encourage attacks, to draw attention away from the network and collect data on intruders.

Anomaly Detection

  • Threshold Detection: counting the number of occurrences of an event over a period of time.
  • Profile-based Detection: profiling users or groups of users and then detecting significant changes.

2 Requirements:

1. Find a set of quantitative metrics to measure user behavior.

2. Compare current audit records against the profile built from old audit records.
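Threshold detection and profile-based detection over constructed audit data, covering both requirements above; this is an added example, not code from the wiki page, and the metrics (off-hours logins, daily download volume), the window and the limits are assumptions chosen for it.

```python
# Added example (not from the wiki page): threshold detection and profile-based
# detection over constructed audit data. The metrics (off-hours logins, daily
# download volume), window and limits are assumptions chosen for the example.
from statistics import mean, pstdev

# Requirement 1, a quantitative metric: constructed per-user history of
# megabytes downloaded per day over a seven-day profiling period.
HISTORY_MB = {
    "alice": [120, 95, 130, 110, 105, 125, 115],
    "bob":   [40, 55, 35, 60, 45, 50, 38],
}
# Constructed current-day audit records: (user, hour_of_day, event).
TODAY_RECORDS = [
    ("alice", 10, "download"), ("alice", 11, "download"),
    ("bob", 2, "login"), ("bob", 3, "login"), ("bob", 3, "login"),
    ("bob", 4, "login"), ("bob", 4, "download"),
]
TODAY_MB = {"alice": 118, "bob": 900}   # today's value of the same metric

def threshold_detection(records, event="login", start=0, end=6, limit=3):
    """Count occurrences of an event per user inside an off-hours window
    [start, end); alert on any user whose count exceeds the limit."""
    counts = {}
    for user, hour, ev in records:
        if ev == event and start <= hour < end:
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, c in counts.items() if c > limit)

def profile_detection(history, current, z_limit=3.0):
    """Requirement 2: compare the current audit metric with the profile built
    from old records; a z-score beyond z_limit is a significant change."""
    alerts = []
    for user, past in history.items():
        mu, sigma = mean(past), pstdev(past)
        z = (current[user] - mu) / sigma if sigma else 0.0
        if abs(z) > z_limit:
            alerts.append((user, round(z, 1)))
    return alerts

if __name__ == "__main__":
    print("off-hours logins over limit:", threshold_detection(TODAY_RECORDS))
    print("profile deviations:", profile_detection(HISTORY_MB, TODAY_MB))
```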

Web Security

SSL/TLS: Cryptographic protocols that provide security/data integrity using handshakes and data encryption

  • Handshake Protocol: negotiates the protocol version and cipher suite, authenticates the server (and optionally the client), and establishes the shared keys.
  • Record Protocol: fragments application data, adds a MAC, and encrypts it for transmission using the keys from the handshake.


  • Rollback Attack: An attack on a computer system which uses an insecure feature of an old version of a protocol. This is possible because new versions of protocols often still support many of the features and software of an old version.
  • Man in the Middle: The attacker intercepts messages from both ends, views and receives both sets of messages and data, and changes or reads them while acting as an in-between.


  • Cookies: used by an origin website to send state information to a user's browser and by the browser to return the state information to the origin site.[1] The state information can be used for authentication, identification of a user session, user preferences, shopping cart contents, or anything else that can be accomplished by storing text data on the user's computer.
  • XSS Attack: a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
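The same comment page rendered without and with output encoding, as an added example that is not from the wiki page; the page fragment and the stored comment are constructed for the example.

```python
# Added example (not from the wiki page): the same comment page rendered without
# and with output encoding. The page layout and the stored comment are constructed.
import html

# Constructed comment submitted by one user and later shown to others.
STORED_COMMENT = '<script>alert(1)</script> great chapter'

def render_vulnerable(comment):
    """Untrusted text placed directly into the page: markup it carries is
    parsed by every viewer's browser and runs under the site's own origin."""
    return f"<p class=\"comment\">{comment}</p>"

def render_hardened(comment):
    """Contextual output encoding: <, >, &, and quotes become entities, so the
    browser renders the comment as text and no script element is created."""
    return f"<p class=\"comment\">{html.escape(comment, quote=True)}</p>"

def has_script_element(page_html):
    """Check used here to show the difference: does a raw <script> tag survive?"""
    return "<script" in page_html.lower()

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(STORED_COMMENT))
    print("hardened:  ", render_hardened(STORED_COMMENT))
```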