A Brief Study and Comparison Of, Open Source Intrusion Detection System Tools
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Integrity Checking of Operating Systems with Respect to Kernel Level Malware”
To Bianca, for being who you are. Abstract Kernel-mode rootkits have gained a considerable momentum within the blackhat com- munity. They represent a considerable threat to any computer system, as they pro- vide an intruder with the ability to hide the presence of his malicious activity. These rootkits make changes to the operating system’s kernel, thereby providing particularly stealthy hiding techniques. Considering the kernel rootkit threat and other threats, the collection of reliable information from a compromised system becomes a central problem within the domain of computer security. This thesis addresses this problem. It looks at the possibility of using virtualization as a means to facilitate kernel-mode rootkit detection through integrity checking. The thesis describes several areas within the Linux kernel, which are commonly subverted by kernel-mode rootkits. It introduces the reader to the concept of virtual- ization and describes several technologies employing virtualization. The kernel-mode rootkit threat is then addressed through a description of their hiding methodologies. Some of the existing methods for malware detection are also addressed and analysed. A number of general requirements, which need to be satisfied by a general model enabling kernel-mode rootkit detection, are identified. A model addressing these requirements is suggested, and a framework implementing the model is set-up. The detection capabilities of the framework are tested on a couple of rootkits. iii Preface This report presents the results of my master thesis “Integrity checking of operating systems with respect to kernel level malware”. It is written as part of the Master de- gree (Sivilingeniør) in Computer Science at the Norwegian University of Science and Technology (NTNU), during Spring 2005. -
The Science DMZ
The Science DMZ Brian Tierney, Eli Dart, Eric Pouyoul, Jason Zurawski ESnet Supporting Data-Intensive Research Workshop QuestNet 2013 Gold Coast, Australia July 2, 2013 What’s there to worry about? © Owen Humphreys/National Geographic Traveler Photo Contest 2013 7/2/13 2 Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science The Science DMZ in 1 Slide Consists of three key components, all required: “Friction free” network path • Highly capable network devices (wire-speed, deep queues) • Virtual circuit connectivity option • Security policy and enforcement specific to science workflows • Located at or near site perimeter if possible Dedicated, high-performance Data Transfer Nodes (DTNs) • Hardware, operating system, libraries all optimized for transfer • Includes optimized data transfer tools such as Globus Online and GridFTP Performance measurement/test node • perfSONAR Details at http://fasterdata.es.net/science-dmz/ Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science Overview Part 1: • What is ESnet? • Science DMZ Motivation • Science DMZ Architecture Part 2: • PerfSONAR • The Data Transfer Node • Data Transfer Tools Part 3: • Science DMZ Security Best Practices • Conclusions Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science The Energy Sciences Network (ESnet) A Department of Energy Facility Naonal Fiber footprint Distributed Team of 35 Science Data Network Internaonal Collaboraons Mul3ple 10G waves 5 Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science ESnetSC Supports Supports Research DOE at More Office than 300 of Institutions Science Across the U.S. Universities DOE laboratories The Office of Science supports: 27,000 Ph.D.s, graduate students, undergraduates, engineers, and technicians 26,000 users of open-access facilities 300 leading academic institutions 17 DOE laboratories 6 Lawrence Berkeley National Laboratory U.S. -
Intrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) Adli Wahid Role of Detection in Security • Part of security monitoring o Violation of security policies o Indicators of compromise o Threat drive or Vulnerability driven o What’s happening on the network? • Rules o Detection is based on rules • Action • What do we do when detection happens? • Alert and Investigate • Drop / Block Perspective – Adversary Tactics and Techniques • Mitre Att&ck Framework https://attack.mitre.org • Tactics – what are the goals of the adversary? • Technique – how do they do it? • SubJect to: o Resources o Platforms • Can we used this knowledge for detection? o Observe Adversaries Behaviour o Techniques, Tactics and Procedures (TTPs) o Deploy in prevention, detection, response Your Adversaries Motives Infrastructure Targets Behaviour Your Assets Your Systems Reference: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13884/AIR-T07-ATT%26CK-in-Practice-A-Primer-to-Improve-Your-Cyber-Defense-FINAL.pdf Reference: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13884/AIR-T07-ATT%26CK-in-Practice-A-Primer-to-Improve-Your-Cyber-Defense-FINAL.pdf Making Your Infrastructure Forensics Ready • Detecting known or potentially malicious activities • Part of the incident response plan • If your infrastructure is compromised o Can you answer the questions: what happened and since when? o Can we ‘go back in time’ and how far back? • What information you you need to collect and secure? • Centralized logging Intrusion Detection Systems • An intrusion -
The Samhain Host Integrity Monitoring System the Samhain Host Integrity Monitoring System This Is Version 2.4.3 of the Samhain Manual
The Samhain Host Integrity Monitoring System The Samhain Host Integrity Monitoring System This is version 2.4.3 of the Samhain manual. Copyright © 2002-2019 Rainer Wichmann Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You may obtain a copy of the GNU Free Documentation Licensefrom the Free Software Foundation by visiting their Web site or by writing to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. This manual refers to version 4.4.0 of Samhain. Table of Contents 1. Introduction .............................................................................................................. 1 1. Backward compatibility ...................................................................................... 1 2. Compiling and installing ............................................................................................. 2 1. Overview ......................................................................................................... 2 2. Requirements .................................................................................................... 3 3. Download and extract ......................................................................................... 3 4. Configuring the source ...................................................................................... -
Cloaker: Hardware Supported Rootkit Concealment
Cloaker: Hardware Supported Rootkit Concealment Francis M. David, Ellick M. Chan, Jeffrey C. Carlyle, Roy H. Campbell Department of Computer Science University of Illinois at Urbana-Champaign 201 N Goodwin Ave, Urbana, IL 61801 {fdavid,emchan,jcarlyle,rhc}@uiuc.edu Abstract signers resorted to more complex techniques such as modi- fying boot sectors [33, 51] and manipulating the in-memory Rootkits are used by malicious attackers who desire to image of the kernel. These rootkits are susceptible to de- run software on a compromised machine without being de- tection by tools that check kernel code and data for alter- tected. They have become stealthier over the years as a ation [43, 13, 42, 21]. Rootkits that modify the system consequence of the ongoing struggle between attackers and BIOS or device firmware [25, 26] can also be detected by system defenders. In order to explore the next step in rootkit integrity checking tools. More recently, virtualization tech- evolution and to build strong defenses, we look at this issue nology has been studied as yet another means to conceal from the point of view of an attacker. We construct Cloaker, rootkits [31, 44]. These rootkits remain hidden by running a proof-of-concept rootkit for the ARM platform that is non- the host OS in a virtual machine environment. To counter persistent and only relies on hardware state modifications the threat from these Virtual Machine Based Rootkits (VM- for concealment and operation. A primary goal in the de- BRs), researchers have detailed approaches to detect if code sign of Cloaker is to not alter any part of the host oper- is executing inside a virtual machine [20]. -
Ten Strategies of a World-Class Cybersecurity Operations Center Conveys MITRE’S Expertise on Accumulated Expertise on Enterprise-Grade Computer Network Defense
Bleed rule--remove from file Bleed rule--remove from file MITRE’s accumulated Ten Strategies of a World-Class Cybersecurity Operations Center conveys MITRE’s expertise on accumulated expertise on enterprise-grade computer network defense. It covers ten key qualities enterprise- grade of leading Cybersecurity Operations Centers (CSOCs), ranging from their structure and organization, computer MITRE network to processes that best enable effective and efficient operations, to approaches that extract maximum defense Ten Strategies of a World-Class value from CSOC technology investments. This book offers perspective and context for key decision Cybersecurity Operations Center points in structuring a CSOC and shows how to: • Find the right size and structure for the CSOC team Cybersecurity Operations Center a World-Class of Strategies Ten The MITRE Corporation is • Achieve effective placement within a larger organization that a not-for-profit organization enables CSOC operations that operates federally funded • Attract, retain, and grow the right staff and skills research and development • Prepare the CSOC team, technologies, and processes for agile, centers (FFRDCs). FFRDCs threat-based response are unique organizations that • Architect for large-scale data collection and analysis with a assist the U.S. government with limited budget scientific research and analysis, • Prioritize sensor placement and data feed choices across development and acquisition, enteprise systems, enclaves, networks, and perimeters and systems engineering and integration. We’re proud to have If you manage, work in, or are standing up a CSOC, this book is for you. served the public interest for It is also available on MITRE’s website, www.mitre.org. more than 50 years. -
The Forseti Distributed File Integrity Checker
Cluster Security with NVisionCC: The Forseti Distributed File Integrity Checker Adam J. Lee†‡, Gregory A. Koenig†‡, and William Yurcik† †National Center for Supercomputing Applications ‡Department of Computer Science University of Illinois at Urbana-Champaign {adamlee, koenig, byurcik}@ncsa.uiuc.edu Abstract for a number of malicious actions. In many cases, the password used to log into a single node can be used Attackers who are able to compromise a single node to access a large number of nodes in the system, al- in a high performance computing cluster can use that lowing the attacker to utilize the vast computing and node as a launch point for a number of malicious ac- storage capabilities of the compromised cluster to carry tions. In many cases, the password used to log into out brute-force password cracking, launch distributed a single node can be used to access a large number of denial of service attacks, or serve illegal digital content. nodes in the system, allowing the attacker to utilize the Additionally, an attacker can listen to network traffic vast computing and storage capabilities of the compro- for other users to log into their compromised nodes in mised cluster to sniff network traffic, carry out brute- hopes of learning passwords for other accounts on these force password cracking, launch distributed denial of systems. service attacks, or serve illegal digital content. Often, The recent rise in popularity of grid computing has these types of attackers modify important system files exacerbated this problem by increasing the amount to collect passwords to other accounts, disable certain of damage that can be caused with a single compro- logging facilities, or create back-doors into the system. -
Network Security Presentation
http://bit.ly/2LamWxj Network Security & Performance Jason Zurawski Scott Chevalier [email protected] [email protected] ESnet / Lawrence Berkeley National Laboratory Indiana University International Networks Linux Cluster Institute (LCI) Introductory Workshop University of Oklahoma May 15-16, 2019 This document is a result of work by volunteer LCI instructors and is licensed under CC BY- NC-ND 4.0 (https://creativecommons.org/licenses/by-nc-nd/4.0/). National Science Foundation Award #1826994 https://epoc.global Science DMZ as Security Architecture • Allows for better segmentation of risks, more granular application of controls to those segmented risks. • Limit risk profile for high-performance data transfer applications • Apply specific controls to data transfer hosts • Avoid including unnecessary risks, unnecessary controls • Remove degrees of freedom – focus only on what is necessary • Easier to secure • Easier to achieve performance • Easier to troubleshoot Science DMZ Security • Goal : Disentangle security policy and enforcement for science flows from security for business systems • Rationale • Science data traffic is simple from a security perspective • Narrow application set on Science DMZ • Data transfer, data streaming packages • No printers, document readers, web browsers, building control systems, financial databases, staff desktops, etc. • Security controls that are typically implemented to protect business resources often cause performance problems • Separation allows each to be optimized Performance is a Core Requirement •Core information security principles • Confidentiality, Integrity, Availability (CIA) •In data-intensive science, performance is an additional core mission requirement: CIA PICA • CIA principles are important, but if the performance isn’t there the science mission fails • This isn’t about “how much” security you have, but how the security is implemented • Need to appropriately secure systems without performance compromises Motivations • The big myth: The main goal of the Science DMZ is to avoid firewalls and other security controls. -
I3FS: an In-Kernel Integrity Checker and Intrusion Detection File System Swapnil Patil, Anand Kashyap, Gopalan Sivathanu, and Erez Zadok Stony Brook University
I3FS: An In-Kernel Integrity Checker and Intrusion Detection File System Swapnil Patil, Anand Kashyap, Gopalan Sivathanu, and Erez Zadok Stony Brook University Appears in the proceedings of the 18th USENIX Large Installation System Administration Conference (LISA 2004) Abstract System administrators must stay alert to protect their systems against the effects of malicious intrusions. In Today, improving the security of computer systems this process, the administrators must first detect that an has become an important and difficult problem. Attack- intrusion has occurred and that the system is in an in- ers can seriously damage the integrity of systems. At- consistent state. Second, they have to investigate the tack detection is complex and time-consuming for sys- damage done by attackers, like data deletion, adding in- tem administrators, and it is becoming more so. Current secure Trojan programs, etc. Finally, they have to fix integrity checkers and IDSs operate as user-mode utili- the vulnerabilities to avoid future attacks. These steps ties and they primarily perform scheduled checks. Such are often too difficult and hence machines are mostly re- systems are less effective in detecting attacks that hap- installed and then reconfigured. Our work does not aim pen between scheduled checks. These user tools can be at preventing malicious intrusions, but offers a method easily compromised if an attacker breaks into the sys- of notifying administrators and restricting access once tem with administrator privileges. Moreover, these tools an intrusion has happened, so as to minimize the effects result in significant performance degradation during the of attacks. Our system uses integrity checking to detect checks. -
Evaluating the Availability of Forensic Evidence from Three Idss: Tool Ability
Evaluating the Availability of Forensic Evidence from Three IDSs: Tool Ability EMAD ABDULLAH ALSAIARI A thesis submitted to the Faculty of Design and Creative Technologies Auckland University of Technology in partial fulfilment of the requirements for the degree of Masters of Forensic Information Technology School of Engineering, Computer and Mathematical Sciences Auckland, New Zealand 2016 i Declaration I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which to a substantial extent has been accepted for the qualification of any other degree or diploma of a University or other institution of higher learning, except where due acknowledgement is made in the acknowledgements. Emad Abdullah Alsaiari ii Acknowledgement At the beginning and foremost, the researcher would like to thank almighty Allah. Additionally, I would like to thank everyone who helped me to conduct this thesis starting from my family, supervisor, all relatives and friends. I would also like to express my thorough appreciation to all the members of Saudi Culture Mission for facilitating the process of studying in a foreign country. I would also like to express my thorough appreciation to all the staff of Saudi Culture Mission for facilitating the process of studying in Auckland University of Technology. Especially, the pervious head principal of the Saudi Culture Mission Dr. Satam Al- Otaibi for all his motivation, advice and support to students from Saudi in New Zealand as well as Saudi Arabia Cultural Attaché Dr. Saud Theyab the head principal of the Saudi Culture Mission. -
SM User Guide
Oracle® Communications Tekelec Virtual Operating Environment Licensing Information User Manual Release 3.5 E93070-01 November 2017 Copyright ©2010, 2017 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. -
How Attackers Break Programs, and How to Write Programs More Securely
How Attackers Break Programs, and How To Write Programs More Securely Matt Bishop Department of Computer Science University of California at Davis Davis, CA 95616-8562 United States of America email: [email protected] www: http://seclab.cs.ucdavis.edu/~bishop phone: +1 (530) 752-8060 © 2002 by Matt Bishop This page deliberately left blank. That is, this page would have been blank except that we had to put the notice "this page deliberately left blank" on it. Otherwise, you might have seen the blank page and worried that someone left a page out of your booklets. So, we put a note on the blank page to assure you that no-one forgot to put something on this page; indeed, we intended for it to be blank. But we could not live up to our intentions, for the reason stated above, so we couldn't put a blank page in here. We had to put a page with some writing on it. So we couldn't put the notice "this page deliberately left blank" because it's not true and, if we couldn't tell when a page is blank, you'd doubt the veracity of everything we did. So we wrote this paragraph to ... oh, heck, forget it. Table of Contents sections slides Overview..................................... 1— 13 Attacking Programs ........................... 14—123 Overview .......................14 — 20 Users and Privilege ...............21 — 29 Environment ....................30 — 48 Buffer Overflow ..................49 — 70 Numeric Overflow ................71 — 76 Validation and Verification .........77 — 92 Race Conditions..................93—112 Denial of Service ............... 113—121 Environment .................. 122—123 Writing Better Programs ......................124—379 Overview ....................