a building block approach to intrusion detection
play

A Building Block Approach to Intrusion Detection Mark J. Crosbie - PowerPoint PPT Presentation

Sep 14, 2023 •327 likes •485 views

A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company mark_crosbie@hp.com Benjamin A. Kuperman CERIAS, Purdue University kuperman@cerias.purdue.edu http://www.hp.com/products/security/ids/ RAID 2001

  1. A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company mark_crosbie@hp.com Benjamin A. Kuperman CERIAS, Purdue University kuperman@cerias.purdue.edu http://www.hp.com/products/security/ids/ RAID 2001 Friday, November 30, 2001 1

  2. Who are we? • Mark Crosbie – Security Architect at Hewlett-Packard – Designed and implemented IDS/9000 • Benjamin Kuperman – PhD student at CERIAS, Purdue – Worked with HP on IDS/9000 – Designed and implemented detection templates RAID 2001 Friday, November 30, 2001 2

  3. For more information... • Product is available for zero-cost for HP-UX 11.0 and 11i systems. • Download from http://software.hp.com • Part number is J5083AA • More information at http://www.hp.com/products/security/ids/ • Contact Mark Crosbie mark_crosbie@hp.com for further details. RAID 2001 Friday, November 30, 2001 3

  4. What did we build? • Kernel level audit source designed to support Intrusion Detection. • An analysis engine that dynamically loads/unloads configurable detection template bytecode. • Detection templates – Detect the building blocks of intrusions. • Automated intrusion response mechanism. • GUI, manual, product support, etc etc... RAID 2001 Friday, November 30, 2001 4

  5. RAID 2001 Friday, November 30, 2001 5

  6. Why choose system call audit? • Kernel has the only reliable view of system state. • System calls do not have unintended side effects (compare to library audit). • Trustworthiness of data. • Ambiguity can be resolved at kernel level: – mapping inodes/file descriptors to pathnames. – symbolic/hard links, chroot. • Reliable capture of before and after state. RAID 2001 Friday, November 30, 2001 6

  7. Requirement of audit system • Audit record must capture as much state as possible. – Save before/after state of objects for modification actions (e.g. chmod, chown). – Do not query system while processing record. • Resolve ambiguity in the kernel – symbolic links, hard links. – inodes mapped to pathnames. – chroot environments. • Data format must be machine parseable. • Data presented in timely and efficient manner. RAID 2001 Friday, November 30, 2001 7

  8. What is a Building Block? Attacks Definition: An abstraction of attack Building Blocks activities undertaken to exploit a vulnerability. Vulnerabilities RAID 2001 Friday, November 30, 2001 8

  9. Building Blocks Detected • Login/logout activities, including su. • Local and remote filesystem changes: – Directories and files. – Creation, deletion, attribute changes. – Changes to files owned by others. – Unusual Log file modifications. • Creation of setuid “ backdoors” . • Race condition (TOCTTOU) attacks. • Unexpected change in privileges. RAID 2001 Friday, November 30, 2001 9

  10. Some sample alerts • Unexpected change in privilege levels with UID:100(GID:20) EUID:0(EGID:20) executing /usr/bin/ksh(1,42 246,"40000003") with arguments["/usr/bin/ksh", "-c", "foobar"] and system call kern_setuid as PID:19854 • UID:0 (EUID:0) Reference:/dev/emsagent_fifo currently kern_open:/dev/emsagent_fifo(8,1282,"40000003") was kern_mknod:/dev/emsagent_fifo(0,-1,"ffffffff") program running is /etc/opt/resmon/lbin/emsagent(1,1429,"40000003") with arguments ["/etc/opt/resmon/lbin/emsagent"] probable ATTACKER was UID:10 • User 0 opened for modification/truncation "/etc/opt/resmon/pipe/1652016795" executing /etc/opt/resmon/lbin/p_client(1,473,"40000004") with arguments ["/etc/opt/resmon/lbin/p_client"] as PID:2708 RAID 2001 Friday, November 30, 2001 10

  11. Automated Response • Active response to a recent intrusion event. • Examples of responses: – Locking a user account. – Collecting additional system state information. • Recovering from configuration changes. – E.g. changes made under /etc • Recovering from Trojan Horses: Replacing files changed in /sbin or /usr/bin. • Recovering from a web server hack. – rsync web pages from remote source/CDROM. RAID 2001 Friday, November 30, 2001 11

  12. Performance • Difficult to measure - why? – What is a typical system load? – How is the IDS to be configured? – Rate of “ intrusive” activity? Bursty? • How to measure performance impact? – System throughput, CPU time, response time. – IDS load, IDS throughput, IDS response time. • See paper for more details on our performance tests. RAID 2001 Friday, November 30, 2001 12

  13. What IDS/9000 does not do. • Does not fix pre-existing vulnerabilities. • Does not prevent activities from occurring. • Does not detect changes made to local filesystems mounted on remote systems. – No file signature scanning. • Not currently a network IDS. RAID 2001 Friday, November 30, 2001 13

  14. Conclusions • Possible to detect Building Blocks of intrusions. • By building the IDS and audit system together: – More context for making decisions. – Reliable detection. – Data is tailored to detection. • IDS can be used for more than security tasks: – monitor admins, misbehaving programs • Performance measurement is environmentally sensitive. RAID 2001 Friday, November 30, 2001 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Problem Overall Architecture Evaluation Conclusion Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

472 views • 20 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International Conference on Computing in High Energy and Nuclear Physics Outline: Introduction Threat model Intrusion prevention Intrusion detection

420 views • 16 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

CSE/ISE 311: Systems Administra5on Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems Administra5on Outline Introduc$on Finding log files Syslog:

547 views • 21 slides
CYBER SECURITY AND REMOTE WORKING Maritz Cloete, CISSP, M.CIIS 18 June 2020 HOW OUR WAYS OF

CYBER SECURITY AND REMOTE WORKING Maritz Cloete, CISSP, M.CIIS 18 June 2020 HOW OUR WAYS OF

CYBER SECURITY AND REMOTE WORKING Maritz Cloete, CISSP, M.CIIS 18 June 2020 HOW OUR WAYS OF WORKING HAVE CHANGED Social distancing means working from home is the norm Substantially more reliant on IT to engage internally and externally,

884 views • 17 slides
r t r

r t r

r t r sts trs tt tt

994 views • 9 slides
Managing Functions in Couchbase Kishan Iyer LOONYCORN www.loonycorn.com Overview Redacting

Managing Functions in Couchbase Kishan Iyer LOONYCORN www.loonycorn.com Overview Redacting

Managing Functions in Couchbase Kishan Iyer LOONYCORN www.loonycorn.com Overview Redacting sensitive information from logs Function statistics from the Eventing Service Statistics graphs for functions Auditing in Couchbase Couchbase

1.85k views • 24 slides
Keypad: Auditing Encrypted Filesystem for Theft-prone Devices Roxana Geambasu John P. John

Keypad: Auditing Encrypted Filesystem for Theft-prone Devices Roxana Geambasu John P. John

Keypad: Auditing Encrypted Filesystem for Theft-prone Devices Roxana Geambasu John P. John Steve Gribble Yoshi Kohno Hank Levy University of Washington The Move to Small, Powerful, Mobile Devices Small, powerful mobile devices are

363 views • 25 slides
We have to t st t rt tt

We have to t st t rt tt

We have to t st t rt tt r so that we can catch terrorists, drug dealers, pedophiles, and organized criminals. Some of this data is sent

906 views • 48 slides
Top 3 Tech Challenges of 2019 AEC industry report reveals which data points will make or break

Top 3 Tech Challenges of 2019 AEC industry report reveals which data points will make or break

Top 3 Tech Challenges of 2019 AEC industry report reveals which data points will make or break your business Presented by Marge Hart, VP, Product Management Sponsored by MA MARGE HA E HART VP, Product Management 20 years experience with

569 views • 30 slides
Planning and Research Peer Engagement Group October 2020 Data-Driven Justice Johnson County,

Planning and Research Peer Engagement Group October 2020 Data-Driven Justice Johnson County,

Data-Driven Ju Justice: Planning and Research Peer Engagement Group October 2020 Data-Driven Justice Johnson County, Iowa David Schwindt david-schwindt@iowa-city.org Existing Data vs New Data Housing First Study Housing First Study

620 views • 34 slides

More recommend