computer security dd2395
play

Computer Security DD2395 - PowerPoint PPT Presentation

Sep 28, 2022 •98 likes •589 views

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 7, Nov. 15, 2010 Malicious Software, Denial of Service Nov. 15, 2010 DD2395 Sonja Buchegger 1 Malicious

  1. Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 7, Nov. 15, 2010 Malicious Software, Denial of Service Nov. 15, 2010 DD2395 Sonja Buchegger 1

  2. Malicious Software  programs exploiting system vulnerabilities  known as malicious software or malware - program fragments that need a host program  e.g. viruses, logic bombs, and backdoors - independent self-contained programs  e.g. worms, bots - replicating or not  sophisticated threat to computer systems Nov. 15, 2010 DD2395 Sonja Buchegger 2

  3. Malware Terminology  Virus  Worm  Logic bomb  Trojan horse  Backdoor (trapdoor) ‏  Mobile code  Auto-rooter Kit (virus generator) ‏  Spammer and Flooder programs  Keyloggers  Rootkit  Zombie, bot Nov. 15, 2010 DD2395 Sonja Buchegger 3

  4. Viruses  piece of software that infects programs - modifying them to include a copy of the virus - so it executes secretly when host program is run  specific to operating system and hardware - taking advantage of their details and weaknesses  a typical virus goes through phases of: - dormant - propagation - triggering - execution Nov. 15, 2010 DD2395 Sonja Buchegger 4

  5. Virus Structure  components: - infection mechanism - enables replication - trigger - event that makes payload activate - payload - what it does, malicious or benign  prepended / appended / embedded  when infected program invoked, executes virus code then original program code  can block initial infection (difficult) ‏  or propagation (with access controls) ‏ Nov. 15, 2010 DD2395 Sonja Buchegger 5

  6. Virus Structure Nov. 15, 2010 DD2395 Sonja Buchegger 6

  7. Compression Virus Nov. 15, 2010 DD2395 Sonja Buchegger 7

  8. Virus Classification  boot sector  file infector  macro virus  encrypted virus  stealth virus  polymorphic virus  metamorphic virus Nov. 15, 2010 DD2395 Sonja Buchegger 8

  9. Macro Virus  became very common in mid-1990s since - platform independent - infects documents - is easily spread  exploit macro capability of office apps - executable program embedded in office doc - often a form of Basic  more recent releases include protection  recognized by many anti-virus programs Nov. 15, 2010 DD2395 Sonja Buchegger 9

  10. E-Mail Viruses  more recent development  e.g. Melissa - exploits MS Word macro in attached doc - if attachment opened, macro activates - sends email to all on users address list - and does local damage  then saw versions triggered reading email  hence much faster propagation Nov. 15, 2010 DD2395 Sonja Buchegger 10

  11. Virus Countermeasures  prevention - ideal solution but difficult  realistically need: - detection - identification - removal  if detect but can’t identify or remove, must discard and replace infected program Nov. 15, 2010 DD2395 Sonja Buchegger 11

  12. Anti-Virus Evolution  virus & antivirus tech have both evolved  early viruses simple code, easily removed  as become more complex, so must the countermeasures  generations - first - signature scanners - second - heuristics - third - identify actions - fourth - combination packages Nov. 15, 2010 DD2395 Sonja Buchegger 12

  13. Generic Decryption  runs executable files through GD scanner: - CPU emulator to interpret instructions - virus scanner to check known virus signatures - emulation control module to manage process  lets virus decrypt itself in interpreter  periodically scan for virus signatures  issue is long to interpret and scan - tradeoff chance of detection vs time delay Nov. 15, 2010 DD2395 Sonja Buchegger 13

  14. Digital Immune System Nov. 15, 2010 DD2395 Sonja Buchegger 14

  15. Behavior-Blocking Software Nov. 15, 2010 DD2395 Sonja Buchegger 15

  16. Worms  replicating program that propagates over net - using email, remote exec, remote login  has phases like a virus: - dormant, propagation, triggering, execution - propagation phase: searches for other systems, connects to it, copies self to it and runs  may disguise itself as a system process  concept seen in Brunner’s “Shockwave Rider”  implemented by Xerox Palo Alto labs in 1980’s Nov. 15, 2010 DD2395 Sonja Buchegger 16

  17. Morris Worm  one of best know worms  released by Robert Morris in 1988  various attacks on UNIX systems - cracking password file to use login/password to logon to other systems - exploiting a bug in the finger protocol - exploiting a bug in sendmail  if succeed have remote shell access - sent bootstrap program to copy worm over Nov. 15, 2010 DD2395 Sonja Buchegger 17

  18. Worm Propagation Model Nov. 15, 2010 DD2395 Sonja Buchegger 18

  19. Recent Worm Attacks  Code Red - July 2001 exploiting MS IIS bug - probes random IP address, does DDoS attack - consumes significant net capacity when active  Code Red II variant includes backdoor  SQL Slammer - early 2003, attacks MS SQL Server - compact and very rapid spread  Mydoom - mass-mailing e-mail worm that appeared in 2004 - installed remote access backdoor in infected systems Nov. 15, 2010 DD2395 Sonja Buchegger 19

  20. Worm Technology  multiplatform  multi-exploit  ultrafast spreading  polymorphic  metamorphic  transport vehicles  zero-day exploit Nov. 15, 2010 DD2395 Sonja Buchegger 20

  21. Worm Countermeasures  overlaps with anti-virus techniques  once worm on system A/V can detect  worms also cause significant net activity  worm defense approaches include: - signature-based worm scan filtering - filter-based worm containment - payload-classification-based worm containment - threshold random walk scan detection - rate limiting and rate halting Nov. 15, 2010 DD2395 Sonja Buchegger 21

  22. Proactive Worm Containment Nov. 15, 2010 DD2395 Sonja Buchegger 22

  23. Network Based Worm Defense Nov. 15, 2010 DD2395 Sonja Buchegger 23

  24. Bots  program taking over other computers  to launch hard to trace attacks  if coordinated form a botnet  characteristics: - remote control facility  via IRC/HTTP etc - spreading mechanism  attack software, vulnerability, scanning strategy  various counter-measures applicable Nov. 15, 2010 DD2395 Sonja Buchegger 24

  25. Rootkits  set of programs installed for admin access  malicious and stealthy changes to host O/S  may hide its existence - subverting report mechanisms on processes, files, registry entries etc  may be: - persistent or memory-based - user or kernel mode  installed by user via trojan or intruder on system  range of countermeasures needed Nov. 15, 2010 DD2395 Sonja Buchegger 25

  26. Rootkit System Table Mods Nov. 15, 2010 DD2395 Sonja Buchegger 26

  27. Summary  introduced types of malicous software - incl backdoor, logic bomb, trojan horse, mobile  virus types and countermeasures  worm types and countermeasures  bots  rootkits Nov. 15, 2010 DD2395 Sonja Buchegger 27

  28. Denial of Service  denial of service (DoS) an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space  attacks - network bandwidth - system resources - application resources  have been an issue for some time Nov. 15, 2010 DD2395 Sonja Buchegger 28

  29. Classic Denial of Service Attacks  can use simple flooding ping  from higher capacity link to lower  causing loss of traffic  source of flood traffic easily identified Nov. 15, 2010 DD2395 Sonja Buchegger 29

  30. Classic Denial of Service Attacks Nov. 15, 2010 DD2395 Sonja Buchegger 30

  31. Source Address Spoofing  use forged source addresses - given sufficient privilege to “raw sockets” - easy to create  generate large volumes of packets  directed at target  with different, random, source addresses  cause same congestion  responses are scattered across Internet  real source is much harder to identify Nov. 15, 2010 DD2395 Sonja Buchegger 31

  32. SYN Spoofing  other common attack  attacks ability of a server to respond to future connection requests  overflowing tables used to manage them  hence an attack on system resource Nov. 15, 2010 DD2395 Sonja Buchegger 32

  33. TCP Connection Handshake Nov. 15, 2010 DD2395 Sonja Buchegger 33

  34. SYN Spoofing Attack Nov. 15, 2010 DD2395 Sonja Buchegger 34

  35. SYN Spoofing Attack  attacker often uses either - random source addresses - or that of an overloaded server - to block return of (most) reset packets  has much lower traffic volume - attacker can be on a much lower capacity link Nov. 15, 2010 DD2395 Sonja Buchegger 35

  36. Types of Flooding Attacks  classified based on network protocol used  ICMP Flood - uses ICMP packets, eg echo request - typically allowed through, some required  UDP Flood - alternative uses UDP packets to some port  TCP SYN Flood - use TCP SYN (connection request) packets - but for volume attack Nov. 15, 2010 DD2395 Sonja Buchegger 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 11, Nov. 29, 2010 Multi-Level Security Trusted Computing and Multilevel Security present some interrelated

1k views • 41 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak12/ Fall 2012

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak12/ Fall 2012

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak12/ Fall 2012 Sonja Buchegger buc@kth.se Lecture 9 Firewalls (maybe start on Multilevel Security) DD2395 Sonja Buchegger 1 Catch-up Labs l Labbvecka in June

540 views • 35 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 13, Dec. 6, 2010 Auditing Security Audit an independent review and examination of a system's records

353 views • 33 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 3 User Authentication KTH DD2395 Sonja Buchegger 1 More Follow-up Courses l EP2500: Networked Systems

821 views • 26 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 8 Denial of Service DD2395 Sonja Buchegger 1 Course Admin l WANTED: Student representatives for the

1.29k views • 37 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 7 Malicious Software DD2395 Sonja Buchegger 1 Course Admin l Lab 2: - prepare before lab session - signup!

844 views • 39 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 8, Feb. 10, 2010 Malicious Software, Denial of Service Announcements ! Lab reports ! Bonus points !

1.08k views • 42 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 10, Nov. 24, 2011 Social Engineering DD2395, Sonja Buchegger 1 Course Admin GPG Lab 1 bonus results in

1.22k views • 39 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 2, Jan. 20, 2010 Cryptography Scope of Computer Security Jan. 20, 2010 KTH DD2395 Sonja Buchegger 2

469 views • 45 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 2, Oct. 27, 2010 Cryptography Oct. 27, 2010 KTH DD2395 Sonja Buchegger 1 Questionnaire Results Prior

602 views • 42 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 4 Access Control 1 Access Control l The prevention of unauthorized use* of a resource, including the

429 views • 39 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 7, Feb. 8, 2010 Malicious Software Malicious Software programs exploiting system vulnerabilities known

427 views • 10 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 1, Oct. 25, 2010 Introduction Oct. 25, 2010 Computer Security, Sonja Buchegger 1 Outline for Today About

670 views • 43 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 1, Oct. 25, 2011 Introduction Oct. 25, 2011 Computer Security, Sonja Buchegger 1 Outline for Today ! About

565 views • 45 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 3 User Authentication KTH DD2395 Sonja Buchegger 1 User Authentication KTH DD2395 Sonja Buchegger 2 User

485 views • 27 slides
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
English for Computer Science Mohammad Farshi Department of Computer Science, Yazd University

English for Computer Science Mohammad Farshi Department of Computer Science, Yazd University

English for Computer Science Mohammad Farshi Department of Computer Science, Yazd University 1391-1392 (CS Dept. Yazd U.) Yazd Univ. English4CS 1391-1392 1 / 16 Arshad 90 Konkoor CS Arshad 90 (CS Dept. Yazd U.) Yazd Univ. English4CS

674 views • 25 slides
The Case for a Flexible Low-Level Backend for Software Data Planes Sean Choi 1 , Xiang Long 2 ,

The Case for a Flexible Low-Level Backend for Software Data Planes Sean Choi 1 , Xiang Long 2 ,

The Case for a Flexible Low-Level Backend for Software Data Planes Sean Choi 1 , Xiang Long 2 , Muhammad Shahbaz 3 , Skip Booth 4 , Andy Keep 4 , John Marshall 4 , Changhoon Kim 5 1 3 4 2 5 Why software data planes? VM hypervisors VM

633 views • 27 slides
Performance Optimization for Cluster Computing

Performance Optimization for Cluster Computing

Myrinet User's Group Conference 12-14 May 2002 Vienna, Austria Performance Optimization for Cluster Computing

421 views • 26 slides
Chapter 5: I/O Systems Input/Output Principles of I/O hardware Principles of I/O software

Chapter 5: I/O Systems Input/Output Principles of I/O hardware Principles of I/O software

Chapter 5: I/O Systems Input/Output Principles of I/O hardware Principles of I/O software I/O software layers Disks Clocks Character-oriented terminals Graphical user interfaces Network terminals Power management

1.28k views • 63 slides
Physical Infrastructure Week 1 INFM 603 Agenda The Computer The Internet The Web

Physical Infrastructure Week 1 INFM 603 Agenda The Computer The Internet The Web

Physical Infrastructure Week 1 INFM 603 Agenda The Computer The Internet The Web The Course Source: Wikipedia Source: Wikipedia Source: Wikipedia Source: Wikipedia Source: Wikipedia The Big Picture Memory Processor

1.18k views • 80 slides
Computer Networks 2 Schedule Exam 3 Friday, April 20 th

Computer Networks 2 Schedule Exam 3 Friday, April 20 th

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Computer Networks 2 Schedule Exam 3 Friday, April

787 views • 44 slides
A Whirlwind Introduction to the Internet Internet Structure: Network of Networks Overview mobile

A Whirlwind Introduction to the Internet Internet Structure: Network of Networks Overview mobile

A Whirlwind Introduction to the Internet Internet Structure: Network of Networks Overview mobile network Whats the Internet Roughly Hierarchical At center: tier-1 ISPs (e.g., UUNet, Level 3, Sprint, AT&T), Network

953 views • 25 slides
Classifying Internet One-way Traffic Eduard Glatz, Xenofontas Dimitropoulos ETH Zurich May 15,

Classifying Internet One-way Traffic Eduard Glatz, Xenofontas Dimitropoulos ETH Zurich May 15,

Classification Scheme One-way Traffic Composition Service Availability Monitoring Classifying Internet One-way Traffic Eduard Glatz, Xenofontas Dimitropoulos ETH Zurich May 15, 2012 Eduard Glatz, Xenofontas Dimitropoulos Classifying

653 views • 29 slides

More recommend