Intruder Detection & Prevention

Lecture 10

D.W.Chathurika Pavithrani
 Malicious Programs

Needs Host Program Independent

Trapdoors Logic Trojan

Viruses Worm Zombie
Bombs Horses
 Self-replicating code fragments attached to
other codes
 Both propagates itself and carries payload
 Carries code to duplicate itself
 As well as code to perform some covert tasks
1. Dormant
2. Propagation
 Search for other systems to infect
 Establish connection to target remote system
 Replicate self into remote system
3. Trigger
4. Execute
1. Setup initial worm environment on infected system
2. Spawn 100 threads
 First 99 threads are used to spread the worm
 Spreads by creating a sequence of random IP addresses
 The 100th thread checks to see if it is running on a
English(US) Windows NT/2000 system.
 If so, deface the infected system’s website by changing
message to Welcome to http:/www.worm.com!, Hacked
by Chinese !
 If not, then the 100th worm thread is also used to infect
other systems.
3. Each worm thread checks for C:\notworm
 If file exists, became dormant. If not, continue to
infect more systems.

4. Each worm thread will now check the infected

computer’s time.
 The date is after the 20th of the month then begin
denial of service attack to www.whitehouse.gov
 Send 100k bytes of data to port 80of
www.whitehouse.gov
 If the data is between the 1st and the 19th of the
month then find and infect new web servers.
 Pretty Good Privacy(PGP) (www.pgp.com)
 Phillip R.Zimmerman is the creator of PGP
 PGP provides a confidentiality and authentication
service that can be used for electronic mail file
storage applications.

 S/MIME
 Secure/Multipurpose Internet Mail Extension
 S/MIME will probably emerge as the industry standard
 PGP for personal e-mail security
 It is available free on variety of platforms
 Based on well known algorithms
 Wide range of applicability
 Not developed or controlled by governmental
or standards organization
 Consists of five services:
 Authentication
 Confidentiality
 Compression
 E-mail compatibility
 Segmentation
Function Algorithm Used

Digital Signature DSS/SHA or RSA/SHA

Message Encryption CAST or IDEA or three-key triple DES with

Diffie-Hellman or RSA

Compression Zip

E-mail compatibility Radix-64 conversion

Segmentation
 Enveloped Data: Encrypted content and
Encrypted session keys for recipients.

 Signed data : Message Digest Encrypted with

private key of “signer”

 Clear-signed data: Signed but not encrypted.

 Signed and Enveloped Data: Various

orderings for encrypting and signing.
 Message digesting SHA-1 and MDS

 Digital Signatures : DSS

 Secret-Key encryption : Triple DES, RC2/40

(exportable)

 Public-Private key Encryption : RSA with key

sizes of 512 and 1024 bits and Diffie-
Hellman(foe session keys)
 S/MIME uses Public-key Certificates – X.509
version 3 signed by Certification Authority
 Functions:
 Key Generation – Diffie Hellman, DSS and RSA key
pairs.
 Registration – Public Keys must be registered with
X.509 CA
 Certificate Storage – Local (as in browser application)
for different services
 Signed and Enveloped data –Various orderings for
encrypting and signing
 Spam is difficult to define
 Spam is like junk mail, you get it whether you
want or not
 From post to UseNet with your email address
 From mailing lists
 From web pages
 From various web forms
 Blacklist/Whitelist
 In blacklist technique, list of domains, mail serves
and e-mail address are defined. Then e-mails
come from above address will not be allowed.
Whitelist technique is the opposite of blacklist
technique.

 Integrity Check
 Mail can be check and filter if it has the
characteristic s of a spam is very difficult.
 Reverse DNS lookup
 In this technique, when receiving a mail, the IP
address of the sending server is taken and DNS
lookup is performed on that address to check whether
the e-mail address is a real one or a bogus one.

 Rule-based filtering
 In rule-based filtering, mails are examined according
to the specific rules. These rules are defined according
to the patterns often used by spammers.
 System logs
 Firewall
 IDS
 Honeytokens, Honeypots and Honeynets
 A choke point of control and monitoring
 Interconnect networks with differing trust
 Imposes restrictions on network services
 Only authorized traffic is allowed
 Auditing and controlling access
 Can implement alarms for abnormal behavior
 Is(supposedly) itself immune to penetration
 Provides perimeter defense
 Basically, a firewall does three things to
protect the network
 It blocks incoming data that might contain a
hacker attack
 Hide internal addresses from Internet hackers.
(NAT)
 It screens outgoing traffic to limit Internet use
and/or access to remote sites.
 Cannot protect from attacks bypassing it.

 Cannot protect against internal threats.

 Cannot protect against transfer of all virus

infected programs or files because of huge
range of O/S and file types.
 Packet filters
 Stateful Packet filters
 Application Level Gateway
 Circuit Level Gateway
 Simple Concept
 Examine each IP packet and permit or deny
according to the rules
 Restrict access to services
 Possible default policies:
 That not expressly permitted is prohibited
 That not expressly prohibited is permitted
 IP address spoofing
 Source Routing Attacks
 Tiny fragment attacks
 Examine each IP packet in context
 Keeps track of client-server sessions
 Checks each packet validly belongs one
 Better able to detect bogus packets out of
context
 Use an application specific gateway/proxy
 Has full access to protocol
 User requests service from proxy
 Proxy validates as request as legal
 Then forwards request and returns result to user

 Need separate proxies for each service.

 Some services naturally support proxying
 Others are more problematic
 Custom services generally not supproted
▪ Ex :
▪ HTTP for Web
▪ FTP for file transfers
▪ SMTP/POP3 for e-mail
 Relays two TCP connections
 Imposes security by limiting which
connections are allowed.
 Once created, usually relays traffic without
examining contents
 Typically used, when it trusts internal users by
allowing general outbound connections
 Eg : SOCKS server
 A wide range of additional features and
functionalities are being integrated into
standard firewall products
 These are
 Demilitarized zone(DMZ)
 Content filtering
 VPN
 A secure system that supports a limited
number of applications for use by outsiders
 Inevitably will have security failures

 So to detect intrusion to :
 Block if detected quickly
 Act as deterrent
 Collect information to improve security

 Assume intruder will behave differently to

legitimate user
 But will have imperfect distinction
 Honeypot is just a computer system or a
network segment, loaded with servers and
devices and data.

 It may be protected with a firewall, although

you want the attackers to have some access.

 There may be some monitoring capability,

done carefully so that the monitoring is not
evident to the attacker.
 To watch what attackers do, in order to learn
about new attacks (so that you can strengthen
your defenses against these new attacks)
 To lure an attacker to a place in which you may
be able to learn enough to identify and stop the
attacker
 To provide an attractive but diversionary
playground, hoping that the attacker will leave
your real system alone
 The two difficult features of a honeypot are
 putting up a believable, attractive false
environment and
 confining and monitoring the attacker
surreptitiously