
MALICIOUS SOFTWARE

What is the role of compression in the operation of a virus?
A virus may compress the program it infects so that the infected executable is exactly the same length as the uninfected version; the change in file size that would otherwise betray the infection is hidden.

What is the role of encryption in the operation of a virus?
A portion of the virus, the mutation engine, creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When the virus replicates, a different random key is selected. Because the bulk of the virus is encrypted with a different key for each instance, there is no consistent bit pattern for a signature scanner to observe.

What are the typical phases of operation of a virus or worm?
* Dormant phase: The virus is idle. It will eventually be activated by some event, such as a date or the presence of another program.
* Propagation phase: The virus places a copy of itself into other programs or into certain system areas on the disk.
* Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events.
* Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

What is a digital immune system?
A digital immune system provides a general-purpose emulation and virus-detection system. The objective is to provide rapid response time so that viruses can be stamped out almost as soon as they are introduced. When a new virus enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about that virus to systems running a general antivirus program so that it can be detected before it is allowed to run elsewhere.

How does behavior-blocking software work?
Behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. The behavior-blocking software then blocks potentially malicious actions before they have a chance to affect the system.
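The two answers on encryption and on the digital immune system describe one detection problem from both sides: a body encrypted under a fresh key per instance defeats byte-pattern scanning, and emulation (running the decryptor first, "generic decryption") restores it. The Python below is an added illustration, not code from the text or from any real scanner or malware. Everything in it is constructed: the "body" is a marker string, the "decryptor stub" is a fixed byte sequence, and the cipher is repeating-key XOR. The toy deliberately keeps the stub constant, which is what lets a stub signature still match; a mutation engine that also rewrites the stub (as the text says it does) removes that hook too, leaving emulation as the remaining one.

```python
import os

KEY_LEN = 8  # bytes of per-instance random key stored alongside the body (constructed)

# Constructed toy "body": stands in for the bulk of a virus.  Only its fixed byte
# pattern matters for the argument, so it is just a marker string here.
PAYLOAD_BODY = b"<<constructed-toy-body: replicate(); trigger(); execute();>>"

# The decryptor must stay in clear text so the body can be recovered at run time.
# This toy keeps it constant across instances (constructed marker bytes).
DECRYPTOR_STUB = b"\x90STUB:xor-loop key@+0x10 len@+0x18\x90"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the kind of cheap cipher a mutation engine would use."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_instance(key: bytes) -> bytes:
    """One infected instance: stub || key || encrypted body."""
    assert len(key) == KEY_LEN
    return DECRYPTOR_STUB + key + xor_bytes(PAYLOAD_BODY, key)


def static_signature_hit(sample: bytes, signature: bytes) -> bool:
    """Plain byte-pattern scanning: the detection that per-instance encryption defeats."""
    return signature in sample


def generic_decrypt(sample: bytes) -> bytes:
    """Stand-in for the emulation step of a digital immune system: recognise the
    stub, take the stored key and run the decryptor so the body is exposed for
    scanning.  Assumes the constructed layout used by make_instance()."""
    if not sample.startswith(DECRYPTOR_STUB):
        return sample
    off = len(DECRYPTOR_STUB)
    key = sample[off:off + KEY_LEN]
    return xor_bytes(sample[off + KEY_LEN:], key)


def demo(keys=None) -> dict:
    """Compare scanning strategies over two instances encrypted under different keys."""
    if keys is None:
        keys = [os.urandom(KEY_LEN) for _ in range(2)]
    instances = [make_instance(k) for k in keys]
    body_sig = PAYLOAD_BODY[:16]     # signature taken from the plaintext body
    stub_sig = DECRYPTOR_STUB[:16]   # signature taken from the clear-text decryptor
    body_off = len(DECRYPTOR_STUB) + KEY_LEN
    return {
        # The two encrypted bodies share no bit pattern...
        "encrypted_bodies_identical": instances[0][body_off:] == instances[1][body_off:],
        # ...so a signature taken from the body misses every instance,
        "body_signature_hits": [static_signature_hit(i, body_sig) for i in instances],
        # the unchanged decryptor still matches,
        "stub_signature_hits": [static_signature_hit(i, stub_sig) for i in instances],
        # and decrypting first (emulation) makes the body signature work again.
        "hits_after_generic_decrypt": [
            static_signature_hit(generic_decrypt(i), body_sig) for i in instances
        ],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the body signature failing on both instances while the stub signature and the decrypt-then-scan path both succeed; that gap is the whole case for emulation-based scanning.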

In general terms, how does a worm propagate?
- Search for other systems to infect by examining host tables or similar repositories of remote system addresses.
- Establish a connection with a remote system.
- Copy itself to the remote system and cause the copy to be run.

Describe some worm countermeasures.
* Signature-based worm scan filtering: Generates a worm signature, which is then used to prevent worm scans from entering or leaving a network or host.
* Filter-based worm containment: Focuses on the content of the worm rather than on a scan signature. The filter checks a message to determine whether it contains worm code.
* Payload-classification-based worm containment: Network-based techniques that examine packets to see whether they contain a worm.
* Threshold random walk (TRW) scan detection: Exploits the randomness with which a scanner picks destinations to connect to as a way of detecting whether a scanner is in operation.
* Rate limiting: Limits the rate of scan-like traffic from an infected host.
* Rate halting: Blocks outgoing traffic when a threshold is exceeded, either in outgoing connection rate or in the diversity of connection attempts.

What is the difference between a bot and a rootkit?
* Bot: A program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the bot's creator.
* Rootkit: A set of programs installed on a system to maintain administrator access to it. It alters the host's standard functionality in a malicious and stealthy way. Rootkits do not directly rely on vulnerabilities to get onto a computer.
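Of the countermeasures listed, threshold random walk (TRW) scan detection is the one whose mechanism is easiest to miss from a one-line summary: it is a sequential hypothesis test on the success or failure of a host's first-contact connection attempts, so a few failed probes to fresh addresses push the host over the "scanner" threshold while a run of successes declares it benign. The Python below is an added example, not code from the text. The probabilities, error targets and the connection log are all constructed assumptions; the update rule (multiply the likelihood ratio by P[outcome | scanner] / P[outcome | benign] and compare against two thresholds) is the TRW procedure itself.

```python
import math

# Hypothesis parameters, stated here as assumptions: a benign host's first-contact
# connection attempts mostly succeed (THETA0); a scanner probing addresses at random
# mostly hits nothing (THETA1).
THETA0 = 0.8   # P(success | benign)
THETA1 = 0.2   # P(success | scanner)
ALPHA = 0.01   # target false-positive rate: benign host declared a scanner
BETA = 0.99    # target detection rate: scanner declared a scanner

# Constructed connection log, one connection attempt per line: "src dst ok|fail".
# 10.0.0.5 sweeps 10.0.1.x and mostly fails; 10.0.0.7 talks to hosts that answer;
# 10.0.0.9 has too little history to decide.
SAMPLE_LOG = """\
10.0.0.5 10.0.1.1 fail
10.0.0.7 10.0.2.10 ok
10.0.0.5 10.0.1.2 fail
10.0.0.9 10.0.2.11 ok
10.0.0.7 10.0.2.12 ok
10.0.0.5 10.0.1.3 ok
10.0.0.7 10.0.2.13 fail
10.0.0.9 10.0.2.14 fail
10.0.0.5 10.0.1.4 fail
10.0.0.7 10.0.2.10 ok
10.0.0.7 10.0.2.15 ok
10.0.0.5 10.0.1.5 fail
10.0.0.7 10.0.2.16 ok
10.0.0.5 10.0.1.6 fail
10.0.0.7 10.0.2.17 ok
10.0.0.5 10.0.1.7 fail
"""


def parse_log(text: str) -> list:
    """Turn the constructed log into (src, dst, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, result = line.split()
        events.append((src, dst, result == "ok"))
    return events


def trw_classify(events, theta0=THETA0, theta1=THETA1, alpha=ALPHA, beta=BETA):
    """Sequential hypothesis test per source host over first-contact connections.
    Returns ({src: 'scanner' | 'benign' | 'undecided'}, {src: log-likelihood ratio})."""
    log_eta1 = math.log(beta / alpha)              # upper threshold -> scanner
    log_eta0 = math.log((1 - beta) / (1 - alpha))  # lower threshold -> benign
    lr_fail = math.log((1 - theta1) / (1 - theta0))  # a failure raises the ratio
    lr_ok = math.log(theta1 / theta0)                # a success lowers it
    seen = set()
    score = {}
    verdict = {}
    for src, dst, ok in events:
        if (src, dst) in seen:
            continue               # only the first contact with a destination counts
        seen.add((src, dst))
        if verdict.get(src) in ("scanner", "benign"):
            continue               # the test has already terminated for this host
        score[src] = score.get(src, 0.0) + (lr_ok if ok else lr_fail)
        if score[src] >= log_eta1:
            verdict[src] = "scanner"
        elif score[src] <= log_eta0:
            verdict[src] = "benign"
        else:
            verdict[src] = "undecided"
    return verdict, score


def demo():
    return trw_classify(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    verdicts, scores = demo()
    for host in sorted(verdicts):
        print(f"{host:10s} {verdicts[host]:10s} log-LR={scores[host]:+.2f}")
```

With these parameters each failure adds ln 4 and each success subtracts ln 4, and the decision thresholds sit at ±ln 99, so a net excess of four failures (or four successes) over the other outcome ends the test. The "scanner" verdict is the trigger a rate-limiting or rate-halting control would act on; repeat connections to an already-seen destination are ignored because TRW is only meaningful on first contacts.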
What is a DDoS?
A denial of service (DoS) attack is an attempt to prevent legitimate users of a service from using that service. When the attack comes from a single host or network node, it is simply referred to as a DoS attack. A more serious threat is posed by a distributed denial of service (DDoS) attack, in which an attacker recruits a number of hosts throughout the Internet to launch an attack upon the target simultaneously or in a coordinated fashion.

INTRUDERS
List and briefly define three classes of intruders.
+ Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
+ Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
+ Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

Describe the three logical components of an IDS.
+ Sensor: Responsible for collecting data. Its input includes network packets, log files, and system call traces.
+ Analyzer: Receives input from one or more sensors and is responsible for determining whether an intrusion has occurred. Its output is an indication that an intrusion has occurred, possibly together with evidence supporting that conclusion.
+ User interface: Enables a user to view the output of the system or to control its behavior.

Describe the differences between a host-based IDS and a network-based IDS.
+ Host-based IDS: Monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
+ Network-based IDS: Monitors network traffic for particular network segments and analyses network, transport, and application protocols to identify suspicious activity.

What are three benefits that can be provided by an IDS (intrusion detection system)?
+ If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised.
+ An effective intrusion detection system can serve as a deterrent, thereby acting to prevent intrusions.
+ Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

List some desirable characteristics of an IDS.
+ Run continually with minimal human supervision; it must be able to recover from system crashes and reinitializations.
+ Resist subversion, i.e. it must be able to monitor itself.
+ Impose a minimal overhead on the system on which it is running.
+ Be able to adapt to changes in system and user behavior over time.
+ Be able to scale to monitor a large number of hosts.

What is the difference between anomaly detection and signature intrusion detection?
+ Anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Statistical tests are then applied to observed behavior to determine, with a high level of confidence, whether that behavior is not legitimate user behavior (threshold detection, profile-based detection).
+ Signature detection: Involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder.

What metrics are useful for profile-based intrusion detection?
+ Counter: A count of certain event types kept over a particular period of time, e.g. number of logins, number of times a command is executed, number of password failures.
+ Gauge: Measures the current value of some entity, e.g. number of connections assigned to a user application, number of outgoing messages queued for a user process.
+ Interval timer: The length of time between two related events, e.g. the time between successive logins to an account.
+ Resource utilization: Quantity of resources consumed during a specified period, e.g. total time consumed by a program execution.

What is the difference between rule-based anomaly detection and rule-based penetration identification?
+ Rule-based anomaly detection: Historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns. Current behavior is then observed, and each transaction is matched against the set of rules to determine whether it conforms to any historically observed pattern.
+ Rule-based penetration identification: Uses rules for identifying known penetrations or penetrations that would exploit known weaknesses. The most fruitful approach to developing such rules is to analyze attack tools and scripts collected on the Internet.

Explain the base-rate fallacy.
The base-rate fallacy is the error that occurs when the conditional probability of some hypothesis H (is this an intruder?), given some evidence E (network data), is assessed without taking into account the prior probability of H and the total probability of the evidence E. If the actual number of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating: even a detector with a small per-event false-positive probability raises far more false alarms than true ones, because it is applied to a vastly larger number of legitimate events.

What is the difference between a distributed host-based IDS and a NIDS (intrusion detection systems)?

+ Distributed host-based IDS: Examines user and software activity on a host system.
+ Network-based IDS: Monitors traffic at selected points on a network.

Describe the types of sensors that can be used in a NIDS.
+ Inline sensors: Inserted into a network segment so that the traffic being monitored must pass through the sensor. They are able to block an attack when one is detected, may slow down the network, and may be integrated into a firewall or a LAN switch.
+ Passive sensors: Monitor a copy of the network traffic. They do not slow down the network, but extra hardware is needed.

What are possible locations for NIDS sensors?
+ Inside the external firewall
+ Between the external firewall and the Internet
+ In front of internal servers and database resources
+ In front of the workstation networks

What is a honeypot?
Honeypots are decoy systems designed to lure a potential attacker away from critical systems. They can divert an attacker, collect information about the attacker's activity, and encourage the attacker to stay on the system long enough for administrators to respond.
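The base-rate fallacy explained above is best seen with numbers. The Python below is an added worked example, not part of the original notes; the prior, detection rate and false-positive rate are constructed assumptions chosen to be plausible for an IDS watching mostly benign audit records. It computes P(intrusion | alarm) by Bayes' rule, turns the question around to ask what false-positive rate a detector would need for alarms to be worth trusting, and converts the rates into an expected alarm count that an analyst team would actually face.

```python
def posterior_given_alarm(prior: float, tpr: float, fpr: float) -> float:
    """P(intrusion | alarm) by Bayes' rule.

    prior: P(intrusion) per audited event (the base rate)
    tpr:   P(alarm | intrusion), the detection rate
    fpr:   P(alarm | no intrusion), the false-positive rate
    """
    if not (0 < prior < 1 and 0 <= tpr <= 1 and 0 <= fpr <= 1):
        raise ValueError("probabilities out of range")
    p_alarm = tpr * prior + fpr * (1 - prior)        # total probability of the evidence
    if p_alarm == 0:
        raise ValueError("detector never alarms")
    return tpr * prior / p_alarm


def fpr_needed(prior: float, tpr: float, target_posterior: float) -> float:
    """Largest false-positive rate that still achieves P(intrusion | alarm) >= target.
    Solves posterior_given_alarm(prior, tpr, fpr) == target_posterior for fpr."""
    if not (0 < target_posterior < 1):
        raise ValueError("target must be strictly between 0 and 1")
    return prior * tpr * (1 - target_posterior) / (target_posterior * (1 - prior))


def alarm_budget(n_events: int, prior: float, tpr: float, fpr: float) -> dict:
    """Expected true and false alarms when the detector is applied to n_events records."""
    intrusions = n_events * prior
    legitimate = n_events - intrusions
    return {
        "expected_intrusions": intrusions,
        "true_alarms": intrusions * tpr,
        "false_alarms": legitimate * fpr,
    }


def demo() -> dict:
    # Constructed scenario: 1 intrusion in 10,000 events, a detector that catches 99%
    # of intrusions and fires falsely on 1% of legitimate events.
    prior, tpr, fpr = 1e-4, 0.99, 0.01
    return {
        "p_intrusion_given_alarm": posterior_given_alarm(prior, tpr, fpr),
        "fpr_for_50_percent_trust": fpr_needed(prior, tpr, 0.5),
        "alarms_per_million_events": alarm_budget(1_000_000, prior, tpr, fpr),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For the constructed scenario fewer than 1% of alarms are real intrusions, and the detector would need a false-positive rate near 1 in 10,000 (roughly the base rate itself) before half of its alarms were genuine. The alarm budget makes the operational cost concrete: about 99 true alarms buried among about 10,000 false ones per million events.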

TRANSPORT-LEVEL SECURITY

What are the advantages of each of the three approaches shown in Figure 5.1?
- Network level: Transparent to end users and applications and provides a general-purpose solution.
- Transport level: SSL can be provided as part of the underlying protocol suite and is therefore transparent to applications. Alternatively, SSL can be embedded into specific packages.
- Application level: The service can be tailored to the specific needs of the given application.

What protocols comprise SSL?
SSL Record Protocol, SSL Handshake Protocol, SSL Change Cipher Spec Protocol, and SSL Alert Protocol.

What is the difference between an SSL connection and an SSL session?
A connection is a transport that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships, and they are transient. An SSL session is an association between a client and a server. Sessions are created by the Handshake Protocol and define a set of cryptographic security parameters, which can be shared among multiple connections.

List and briefly define the parameters that define an SSL session state.
- Session identifier: An arbitrary byte sequence chosen by the server to identify an active or resumable session state.
- Peer certificate: An X.509v3 certificate of the peer. This element of the state may be null.
- Compression method: The algorithm used to compress data prior to encryption.
- Cipher spec: Specifies the bulk data encryption algorithm (such as null, AES, etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC calculation. It also defines cryptographic attributes such as the hash_size.

- Master secret: 48-byte secret shared between the client and server.
- Is resumable: A flag indicating whether the session can be used to initiate new connections.

List and briefly define the parameters that define an SSL connection state.
- Server and client random: Byte sequences chosen by the server and client for each connection.
- Server write MAC secret: The secret key used in MAC operations on data sent by the server.
- Client write MAC secret: The secret key used in MAC operations on data sent by the client.
- Server write key: The symmetric encryption key for data encrypted by the server and decrypted by the client.
- Client write key: The symmetric encryption key for data encrypted by the client and decrypted by the server.
- Initialization vectors: When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the SSL Handshake Protocol. Thereafter, the final ciphertext block from each record is preserved for use as the IV with the following record.
- Sequence numbers: Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message.

What services are provided by the SSL Record Protocol?
- Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads.
- Message integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).

What steps are involved in SSL Record Protocol transmission?
- Fragmentation of the application data into blocks.
- Compression (optional).
- Computation of a message authentication code over the compressed data.
- Encryption of the compressed message plus the MAC using symmetric encryption.
- Prepending of the SSL record header (content type, major and minor version, and compressed length).
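The connection-state parameters and the record-layer steps above fit together in a few dozen lines, and writing them out shows why the sequence numbers matter even though they are never transmitted. The Python below is an added example, not code from the text, from any SSL specification or from any TLS library, and it simplifies deliberately: the key derivation is a labelled HMAC expansion standing in for SSL's key-block computation, the "cipher" is an HMAC keystream standing in for a real cipher spec so that the example needs only the standard library, the MAC is HMAC-SHA-256 rather than SSLv3's MD5/SHA-1 construction, and compression uses zlib. The 48-byte master secret and the 32-byte randoms are constructed values. What it keeps faithful is the structure: fragment to at most 2^14 bytes, compress, MAC over sequence number plus type, version, length and fragment, encrypt data plus MAC, prepend the header, and on the receiving side reject anything whose MAC does not verify against the receiver's own sequence counter.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14          # plaintext is fragmented into blocks of at most 16384 bytes
CONTENT_APPLICATION_DATA = 23   # SSL content type for application data
VERSION = (3, 0)                # SSLv3 major, minor
MAC_LEN = hashlib.sha256().digest_size


def derive_write_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Per-connection write MAC secrets and write keys from the session master secret and
    the two randoms.  Stand-in: labelled HMAC expansion, NOT SSL's key-block computation,
    but it shows that each direction gets its own independent key material."""
    def expand(label: bytes) -> bytes:
        return hmac.new(master_secret, label + client_random + server_random, hashlib.sha256).digest()
    return {name: expand(name.encode()) for name in
            ("client write MAC secret", "server write MAC secret",
             "client write key", "server write key")}


def keystream_xor(key: bytes, seq_num: int, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC in counter mode) so the example runs without third-party
    libraries; a real cipher spec would name e.g. AES-CBC or RC4 here."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, struct.pack(">QQ", seq_num, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compute_mac(mac_secret: bytes, seq_num: int, ctype: int, compressed: bytes) -> bytes:
    """MAC over the implicit 64-bit sequence number, content type, version, compressed length
    and the compressed fragment.  seq_num never goes on the wire, so a replayed or reordered
    record fails verification without any extra field in the record."""
    header = struct.pack(">QBBBH", seq_num, ctype, VERSION[0], VERSION[1], len(compressed))
    return hmac.new(mac_secret, header + compressed, hashlib.sha256).digest()


class RecordWriter:
    """Sending side: fragment, compress, MAC, encrypt, prepend header."""
    def __init__(self, mac_secret: bytes, write_key: bytes, compress: bool = True):
        self.mac_secret, self.write_key, self.compress = mac_secret, write_key, compress
        self.seq = 0   # reset to zero whenever a ChangeCipherSpec takes effect

    def send(self, data: bytes, ctype: int = CONTENT_APPLICATION_DATA) -> list:
        records = []
        for i in range(0, len(data), MAX_FRAGMENT):                         # 1. fragmentation
            fragment = data[i:i + MAX_FRAGMENT]
            comp = zlib.compress(fragment) if self.compress else fragment  # 2. compression
            mac = compute_mac(self.mac_secret, self.seq, ctype, comp)      # 3. MAC
            body = keystream_xor(self.write_key, self.seq, comp + mac)     # 4. encrypt data+MAC
            header = struct.pack(">BBBH", ctype, VERSION[0], VERSION[1], len(body))  # 5. header
            records.append(header + body)
            self.seq += 1
        return records


class RecordReader:
    """Receiving side: parse header, decrypt, verify MAC, decompress."""
    def __init__(self, mac_secret: bytes, write_key: bytes, compress: bool = True):
        self.mac_secret, self.write_key, self.compress = mac_secret, write_key, compress
        self.seq = 0

    def receive(self, record: bytes) -> bytes:
        ctype, major, minor, length = struct.unpack(">BBBH", record[:5])
        if (major, minor) != VERSION or length != len(record) - 5:
            raise ValueError("malformed record")
        plain = keystream_xor(self.write_key, self.seq, record[5:])
        comp, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
        if not hmac.compare_digest(mac, compute_mac(self.mac_secret, self.seq, ctype, comp)):
            raise ValueError("bad_record_mac")   # tampering, replay and reordering all land here
        self.seq += 1
        return zlib.decompress(comp) if self.compress else comp


def demo() -> dict:
    # Constructed values: 48-byte master secret, 32-byte client and server randoms.
    keys = derive_write_keys(b"\x11" * 48, b"C" * 32, b"S" * 32)
    writer = RecordWriter(keys["client write MAC secret"], keys["client write key"])
    reader = RecordReader(keys["client write MAC secret"], keys["client write key"])
    message = b"GET / HTTP/1.0\r\n\r\n" + b"A" * 20000       # long enough to need two records
    records = writer.send(message)
    received = b"".join(reader.receive(r) for r in records)
    try:
        reader.receive(records[0])                            # replay of an already-seen record
        replay_detected = False
    except ValueError:
        replay_detected = True
    return {"records": len(records), "roundtrip_ok": received == message,
            "replay_detected": replay_detected,
            "directional_keys_differ": keys["client write key"] != keys["server write key"]}


if __name__ == "__main__":
    print(demo())
```

The replay check is the point to notice: the receiver decrypts and verifies with its own counter, so a record that was valid at sequence 0 fails at sequence 2 with the same `bad_record_mac` outcome as a forged one. The separate client and server write keys in the derived dictionary are the connection-state parameters the text lists; a real implementation would also carry the CBC initialization vectors, which this stream-cipher stand-in has no need for.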

What is the purpose of HTTPS?
To implement secure communication between a Web browser and a Web server.

For what applications is SSH useful?
Remote access to computer resources over the Internet, secure file transfers, and remote system administration.

List and briefly define the SSH protocols.
- Transport Layer Protocol: Provides server authentication, data confidentiality, and data integrity with forward secrecy.
- User Authentication Protocol: Authenticates the user to the server.
- Connection Protocol: Multiplexes multiple logical communication channels over a single underlying SSH connection.
