An Efficient Intrusion Detection System for Networks with Centralized
An Efficient Intrusion Detection System for Networks with Centralized Routing

Paulo Filipe Canha de Andrade

Dissertation submitted for the degree of Master in Computer Science and Engineering (Engenharia Informática e de Computadores)

Jury
President: Prof. Luis Eduardo Teixeira Rodrigues
Supervisor: Prof. Fernando Henrique Corte Real Mira da Silva
Co-supervisor: Prof. Carlos Nuno da Cruz Ribeiro
Examiner: Prof. Rodrigo Seromenho Miragaia Rodrigues

September 2007

Abstract

As the Internet becomes more and more ubiquitous, security is an increasingly important topic. Furthermore, private networks are expanding, and security threats from within the network have to be guarded against. For these large networks, which are generally high-speed and have several segments, Intrusion Detection System (IDS) placement usually comes down to a compromise between investment and monitoring ability. One common solution in these cases is to use more than one IDS scattered across the network, which raises both the investment and the administrative effort needed to operate them. Another solution is to collect data through sensors and send it to one IDS via an Ethernet hub or switch; this option tends to overload the hub/switch port to which the IDS is connected. This document presents a new solution for networks with a star topology, where a single IDS is coupled to the network's core router. This solution allows the IDS to monitor every network segment attached to the router in a round-robin fashion. Practical implementation issues and operational implications of this solution are also analyzed and discussed.

Keywords: Intrusion Detection Systems, Security Analysis, High-speed Networks, Switch-based Networks.

Resumo (Portuguese abstract, translated)

As the Internet becomes ever more accessible, security is an increasingly important topic. Furthermore, with the rapid growth of private networks, threats originating from inside the network have to be guarded against. For these large networks, which are generally high-speed and have several segments, the placement of an Intrusion Detection System (IDS) usually ends up as a compromise between investment and monitoring capability. A common solution for these networks is the use of several IDSs scattered across the network, which raises the investment and the administrative resources required. Another possible solution is to collect data from the network through sensors and send it to a single IDS via a packet switch. With this solution, however, there is a risk of overloading the switch port to which the IDS is connected. This document describes a new solution for networks with a star topology, where a single IDS is coupled to the network's central node. This solution allows the IDS to monitor all segments connected to that central node in an iterative fashion. Implementation details and operational implications are also analysed.

Keywords: Intrusion Detection Systems, Security Analysis, High-speed Networks, Packet-switch-based Networks.

Acknowledgements

I would like to express my gratitude to the supervising professors Fernando Mira da Silva and Carlos Ribeiro for their support, critical judgment and expertise, and from whom I learnt a lot. Fellow coworkers at CIIST, Jorge Matias, Miguel Cabeça, Cláudio Martins and André Regateiro, for their pointers and overall good humor; they allowed for a great working environment. And finally my family and girlfriend, Diana Nunes, for being there when troubles emerged and for letting me spend so much time around my work.

Table of Contents

Abstract ... i
Resumo ... ii
Acknowledgements ... iii
Table of Contents ... v
List of Figures ... vi
List of Tables ... vii
List of Acronyms ... viii
1 Introduction ... 1
1.1 Context ... 1
1.2 Objectives ... 2
1.3 Structure of this thesis ... 3
2 Context/Area ... 4
2.1 Intrusion Detection Systems ... 4
2.1.1 Terminology ... 5
2.2 Different Types of Intrusion Detection Systems ... 5
2.2.1 Host-based Intrusion Detection Systems ... 7
2.2.2 Network-based Intrusion Detection Systems ... 9
3 Network Topologies ... 13
3.1 IDS Placement ... 13
3.1.1 Basic Network Setups ... 13
3.1.2 Larger Network Setups ... 17
3.2 Discussion ... 19
4 Port hopping ... 20
4.1 Networks with Centralized Routing ... 20
4.2 Port hopper approach ... 20
4.3 Value ... 21
4.4 Requirements ... 22
5 Implementation ... 24
5.1 Software Architecture ... 25
5.1.1 IDS integration with the software ... 26
5.2 IDS Deployment ... 27
5.2.1 Signature Thresholds ... 28
6 Evaluation ... 32
6.1 Design Issues ... 32
6.2 Implementation Issues ... 33
6.3 Monitoring Window ... 33
7 Conclusion ... 35
7.1 Achieved Value ... 35
7.2 Final Remarks ... 35
7.3 Future Work ... 36
Bibliography ... 37
Appendix One ... 40
.1 Example configuration file for the software ... 40
.2 Example interaction with the system ... 42
Appendix Two ... 44
.3 Packet information displayed by Basic Analysis and Security Engine (BASE) ... 44

List of Figures

1.1 Growth in number of incidents reported to the CERT/CC ... 1
1.2 Attack sophistication versus intruder knowledge (reproduced from [CER06]) ... 2
3.1 A common network topology ... 14
3.2 Using a hub/tap to copy traffic to the IDS ... 15
3.3 Schematic representation of a network Tap ... 16
3.4 Using the switch port mirroring capabilities to copy traffic to the IDS ... 17
3.5 Consolidating the taps output with an application-switch which is, in turn, balancing the load to two IDSs ... 18
4.1 Example of a network with a star topology, where the IDS is connected directly to the central node ... 21
4.2 Coupling of the IDS with the central router ... 22
5.1 Network topology of Instituto Superior Técnico (reproduced from [Mic06]) ... 24
5.2 Structural view of the software ... 25

List of Tables

2.1 Summary of IDS properties ... 6
5.1 Top three signatures at the end of the first day ... 29
5.2 Top four signatures at the end of the second day ... 30

List of Acronyms

IDS  Intrusion Detection System
CERT/CC  Computer Emergency Response Team Coordination Center
DoS  Denial-of-Service
TCP  Transmission Control Protocol
UDP  User Datagram Protocol
OS  Operating System
HIDS  Host-based Intrusion Detection System
NIDS  Network-based Intrusion Detection System
AIDS  Application-based Intrusion Detection System
SIDS  Stack-based Intrusion Detection System
AIDE  Advanced Intrusion Detection Environment
MAC  Media Access Control
SPAN  Switch Port Analyzer
CRC  Cyclic Redundancy Check
VLAN  Virtual Local Area Network
GPL  GNU General Public License
XML  Extensible Markup Language
IP  Internet Protocol
PDA  Personal Digital Assistant
SSH  Secure Shell
SNMP  Simple Network Management Protocol
CPU  Central Processing Unit
OID  Object Identifier
MIB  Management Information Base
IST  Instituto Superior Técnico
BASE  Basic Analysis and Security Engine
CIIST  Centro de Informática do Instituto Superior Técnico
ICMP  Internet Control Message Protocol
DNS  Domain Name System
P2P  Peer-to-Peer

Chapter 1 Introduction

This document presents a new solution in the area of Intrusion Detection System placement and discusses an actual implementation done at Instituto Superior Técnico (IST). This chapter provides the motivation behind this solution and describes its objectives.

1.1 Context

Over the past two decades, with the rapid growth of the Internet, which now has more than 100 million sites [Net06], companies have been forced to change the way they do business. To keep up with new Internet-centric companies, or simply to remain competitive, many companies have had to alter their business processes to accommodate this new means of operation and communication.

[Figure 1.1: bar chart, years 1993 to 2003 on the horizontal axis, Number of Incidents on the vertical axis.]
Figure 1.1: Growth in number of incidents reported to the CERT/CC

However, along with this growth, the number of attacks on Internet sites has also increased dramatically. As Fig. 1.1 [Las03] shows, between 2000 and 2003 the number of incidents reported to the Computer Emergency Response Team Coordination Center (CERT/CC) grew by around 400%. A few factors contribute to this astonishing rate. First, exploits and vulnerabilities are continuously published on the Internet as they are discovered. Second, there is a profusion of intrusion tools and automated scripts available that duplicate known methods of attack. Combined, these two factors allow practically anyone with little technical knowledge to perform an attack. Consequently, the number of sophisticated attacks has been increasing. Fig. 1.2 illustrates this point [CER06].

[Figure 1.2: timeline 1980 to 2000 plotting Attack Sophistication (LOW to HIGH) against Intruder Knowledge, with labelled milestones from password guessing and self-replicating code through exploiting known vulnerabilities, back doors, session hijacking, sniffers, packet spoofing, automated probes/scans, denial of service, www attacks, distributed attack tools, cross site scripting and "stealth"/advanced scanning techniques, up to staged and auto-coordinated tools.]
Figure 1.2: Attack sophistication versus intruder knowledge (reproduced from [CER06]).

1.2 Objectives

The main goal of the proposal described in this document is to provide a cost-effective solution to IDS placement for networks with a star topology. The goals of this proposal are the following:

• Make use of existing technologies and freely available tools, and require little hardware to implement, thus keeping costs to a minimum.
• Provide a flexible solution, feasible for all networks with a star topology and adjustable to new and changing environments.
• Provide valuable information, namely statistics, in a format legible to any system administrator, preferably through a web interface.

1.3 Structure of this thesis

In chapter 2, an introduction to IDSs is presented and the state of the art is reviewed.