DOCSLIB.ORG

Intrusion and Intrusion Detection

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Intrusion and Intrusion Detection IJIS (2001) 1: 14–35 / Digital Object Identifier (DOI) 10.1007/s102070100001 Intrusion and intrusion detection John McHugh ∗ CERT Coordination Center , Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890, USA E-mail: [email protected] Published online: 27 July 2001 – Springer-Verlag 2001 Abstract. Assurance technologies for computer security panel that solutions to the problem will not occur have failed to have significant impacts in the marketplace, spontaneously, nor will they come from the various with the result that most of the computers connected to well-intentioned attempts to provide security as an the internet are vulnerable to attack. This paper looks at add-on to existing systems. the problem of malicious users from both a historical and practical standpoint. It traces the history of intrusion and Although these words could have been written today, intrusion detection from the early 1970s to the present they come from one of the seminal documents in com- day, beginning with a historical overview. The paper de- puter security, a report [3, Preface] prepared by James P. scribes the two primary intrusion detection techniques, Anderson & Co. for then Major Roger R. Schell of the anomaly detection and signature-based misuse detection, USAF in 1972. In the nearly 30years since the prepar- in some detail and describes a number of contemporary ation of the Anderson report, little has changed, except research and commercial intrusion detection systems. It that we are, perhaps, less sanguine about the solvabil- ends with a brief discussion of the problems associated ity of the problem. The line of research and development with evaluating intrusion detection systems and a dis- proposed in the report has produced a few fairly secure cussion of the difficulties associated with making further systems, but none that have achieved commercial success progress in the field. With respect to the latter, it notes or wide-scale deployment. The problems posed by mali- that, like many fields, intrusion detection has been based cious users are rampant, and the inability of commodity on a combination of intuition and brute-force techniques. operating systems to provide more than minimal protec- We suspect that these have carried the field as far as they tion has led to a variety of attempts to secure computing can and that further significant progress will depend on systems through add-on or external means. Firewalls and the development of an underlying theoretical basis for the similar mechanisms form the principle line of defense for field. many installations. Intrusion Detection Systems (IDSs), the primary topic of this paper, are an attempt to iden- Keywords: Computer misuse – Intrusion detection – In- tify both successful and unsuccessful attempts to abuse trusive anomalies – Intrusion signatures – Intrusion de- computer systems. tection systems (IDS) – IDS evaluation The paper begins with a discussion of intrusive activi- ties and the kinds of flaws or vulnerabilities in computing systems that enable them. This is followed by a historical 1 Introduction overview of the intrusion detection field, illustrated with descriptions of systems of both historical and current in- The principal unsolved technical problem terest. With the historical view to give perspective, the found by the working group was that of how paper takes an in-depth look at the technologies involved to provide multilevel resource and information in intrusion detection, considering both their strengths sharing systems secure against the threat from and weaknesses. This is illustrated with descriptions of a malicious user. This problem is neither hopeless current commercial, research and public-domain systems. nor solved. It is, however, perfectly clear to the The problems associated with evaluating IDSs are consid- ered briefly. The paper concludes with a discussion of the ∗ current state of the intrusion detection technology and its CERT and CERT Coordination Center are registered service marks of Carnegie Mellon University prospects for future improvement. J. McHugh: Intrusion and intrusion detection 15 2 Intrusions, intrusive activities, penetrations, compiler to capture files from other concurrent users of and exploits the same processor. Experiences such as these led to sys- tematic investigations of flaws and exploitations as well as From the earliest days of computer security, the possibil- techniques to design and build secure systems. ity that malicious users could defeat protection mechan- Although there are earlier discussions of the issues isms was an area of serious concern. Due to the relatively associated with malicious users, James P. Anderson’s limited networking of early systems and the prevalence of 1980report “Computer Security Threat Monitoring and multiuser batch systems, coupled with the fact that pub- Surveillance” [5] set up the first coherent framework for licly accessible services (such as present-day web servers) an investigation of intrusions and intrusion detection. We were almost unknown, most of the early efforts con- will use the following definitions, given by Anderson in centrated on mechanisms that untrusted insiders could this paper, supplementing them later, as necessary. use to access sensitive materials on multi-level secure 1 systems. Under this model, the primary threat is from Threat: The potential possibility of a delib- legitimate users of the system who try to gain access to erate, unauthorized attempt to: material for which they do not have authorization. By (a) Access information the early 1970s, timesharing and other multiuser systems (b) Manipulate information were well established and there were growing pressures to (c) Render a system unreliable or support multi-level operations on these systems, whether unusable they were actually capable of supporting them or not. In Risk: Accidental and unpredictable ex- 1970, the Defense Science Board’s Task Force on Com- posure of information, or violation puter Security supported by Willis H. Ware of the RAND of operations integrity due to mal- Corporation issued a report [81] that laid the groundwork function of hardware or incomplete for the development of adequate computer systems for the or incorrect software design. processing of multi-level data. As noted in the Anderson Vulnerability: A known or suspected flaw in the report [3], the Ware report did not get the attention it hardware or software design or op- 2 deserved, and systematic approaches to building multi- eration of a system that exposes the level secure systems did not emerge until the mid 1970s. system to penetration or its infor- Early multi-user operating systems provided minimal mation to accidental disclosure. security features and those that were present were often Attack: A specific formulation or execution directed towards protecting the data associated with one of a plan to carry out a threat. task from accidental corruption by another. While mod- Penetration: A successful attack; the ability to erately successful in this respect, such mechanisms were obtain (unauthorized) access to often trivial to defeat. For example, in the mid-1960s, files and programs or the control the resident engineer for a site where the author was em- state of a computer system. ployed gave him a list of about a dozen techniques that a job could use to gain supervisor mode with complete ad- Note that threat class (c) includes what are commonly dressability to all physical memory on systems running called “denial of service” attacks today. Attacks that mis- the IBM OS-360MFT operating system. appropriate computing resources also fall into this cate- In the meantime, security flaws that could be ex- gory. ploited by untrusted users were discovered in a number of Anderson classifies threats as shown in Fig. 1. The first systems that were considered to be secure. Paul Karger task faced by an external penetrator is to gain access to and Roger Schell performed an evaluation [44] of the Mul- the system in question. Note that the true external pen- tics operating system and discovered flaws that would etrator may be either an outsider with no connection to allow an untrusted user to access or modify protected in- the organization that owns or controls the system being formation. Work at the Naval Research Laboratory [74] attacked or it may be someone associated with the organi- uncovered flaws in the sharing mechanisms of Univac’s zation who is not authorized to use the system. In today’s Exec-VIII operating system for the 1108 that would al- world of networked systems, it could also be someone who low users of a language processor such as the FORTRAN has legitimate access to systems on the network, but not to the target of the attack. While there are certain classes 1 A multi-level secure computing system is one that is capable of attacks, notably some denial of service attacks, that do of supporting a mandatory access control policy that bases access not require the penetrator to actually become a recognized decisions on the classifications assigned to the information objects that it stores and clearances given to users on whose behalf pro- user of the attacked system, most attacks aimed at either cesses seek access. accessing or manipulating information require the pene- 2 Although the Ware report contained no sensitive information, trator to take on a user role, even though it may be limited it was classified at the CONFIDENTIAL level to control dissemi- to using (and abusing) a public service offered by the sys- nation of its contents. This, combined with its emphasis on stating requirements rather than suggesting solutions probably reduced its tem. Anderson further characterizes internal penetrators impact substantially. as masqueraders, legitimate users, or clandestine users. 16 J. McHugh: Intrusion and intrusion detection Penetrator Penetrator This hardware bug represents a violation of one Not Authorized Authorized of the most fundamental rules of the Multics de- to use to use sign – the checking of every reference to a seg- Data/Program Data/Program ment by the hardware.
Load more

Recommended publications
  • A Hypothesis-Based Approach to Digital Forensic Investigations (Brian D. Carrier)
    CERIAS Tech Report 2006-06 A HYPOTHESIS-BASED APPROACH TO DIGITAL FORENSIC INVESTIGATIONS by Brian D. Carrier Center for Education and Research in Information Assurance and Security, Purdue University, West Lafayette, IN 47907-2086 A HYPOTHESIS-BASED APPROACH TO DIGITAL FORENSIC INVESTIGATIONS A Thesis Submitted to the Faculty of Purdue University by Brian D. Carrier In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy May 2006 Purdue University West Lafayette, Indiana ii To my parents, Gerry and Suzanne. iii ACKNOWLEDGMENTS I would first like to thank my advisor, Eugene Spafford (spaf). His advice and guidance helped to shape and direct this work. I would also like to thank my com- mittee for their helpful ideas and comments: Cristina Nita-Rotaru, Sunil Prabhakar, Marc Rogers, and Sujeet Shenoi (University of Tulsa). The Center for Education and Research in Information Assurance and Security (CERIAS) provided me with a great environment and the resources needed to complete this work and my appreciation goes to the faculty and staff. Thanks to the many people in the digital forensics community that have assisted me over the years. Special thanks to Dan Kalil, Chet Maciag, Gary Palmer, and others at the Air Force Research Labs for the creation of the annual Digital Foren- sic Research Workshop (DFRWS). This work is based on concepts from the initial DFRWS Research Roadmap and the framework discussions at DFRWS 2004 helped to direct this work. Simson Garfinkel provided many helpful comments during his review of this document. Lastly, thanks to my family. My parents have always supported my endeavors (and gently guided me towards a degree in engineering instead of one in music).
    [Show full text]
  • CERIAS Tech Report 2004-26 a CATEGORIZATION OF
    CERIAS Tech Report 2004-26 A CATEGORIZATION OF COMPUTER SECURITY MONITORING SYSTEMS AND THE IMPACT ON THE DESIGN OF AUDIT SOURCES by Benjamin A. Kuperman Center for Education and Research in Information Assurance and Security, Purdue University, West Lafayette, IN 47907-2086 A CATEGORIZATION OF COMPUTER SECURITY MONITORING SYSTEMS AND THE IMPACT ON THE DESIGN OF AUDIT SOURCES A Thesis Submitted to the Faculty of Purdue University by Benjamin A. Kuperman In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy August 2004 ii ACKNOWLEDGMENTS There are a number of individuals and organizations that I would like to recognize for their assistance and support throughout the many years of my graduate career. First, I would like to note that portions of this work were supported by a gift from the Intel Corporations, Grant EIA-9903545 from the National Science Foundation, and the sponsors of the Purdue Center for Education and Research in Information Assurance and Security. I would like to personally thank the various sponsors of COAST and CERIAS for both their financial and intellectual support. Many of the opportunities I have had to research computer security would not have been possible without you. I would like to especially thank Hewlett-Packard Corporation including Mark Crosbie, John Trudeau, and Martin Sadler for a wonderful and productive internship and continuing relationship over the years. I would also like to thank my committee for all of their input, feedback, and support, especially my advisor Gene Spafford. Without his assistance and the op- portunities he has made available, I doubt I would be where I am today.
    [Show full text]
  • Session Learning and Teaching Methods, E-Learning + Educational Tools, and Related Issues
    Int'l Conf. e-Learning, e-Bus., EIS, and e-Gov. | EEE'14 | 1 SESSION LEARNING AND TEACHING METHODS, E-LEARNING + EDUCATIONAL TOOLS, AND RELATED ISSUES Chair(s) TBA Copyright © 2014 CSREA Press, ISBN: 1-60132-268-2; Printed in the United States of America 2 Int'l Conf. e-Learning, e-Bus., EIS, and e-Gov. | EEE'14 | Copyright © 2014 CSREA Press, ISBN: 1-60132-268-2; Printed in the United States of America Int'l Conf. e-Learning, e-Bus., EIS, and e-Gov. | EEE'14 | 3 Students’ Perception towards Soft CLIL in the Basque Secondary Schools Chiharu Nakanishi1 and Hodaka Nakanishi2 1Music Department, Kunitachi College of Music, Tachikawa, Tokyo, Japan 2Joint Program Center, Teikyo University, Itabashi-ku, Tokyo, Japan language. Each is interwoven, even if the emphasis is greater Abstract - The Basque Autonomous Community, which is a on one or the other in a given time (p.1) [1].” bilingual community of Basque and Spanish, has adopted As CLIL is an innovative approach, well-devised CLIL as a method to teach English as a foreign language materials are to be developed. In order to meet the needs for with on-line materials as well as written materials. The object teachers who want to implement CLIL in their classroom, of this study is to investigate how the students think about several materials are provided on-line such as E-CLIL by studying subjects in English, in the form of Soft CLIL European Resource Centre and EKI project in Basque whose (language-driven) in the Basque-medium school. The materials are used in the schools we observed.
    [Show full text]
  • Contents Years, a Majority of IT Security Pros the Judges
    2013 SC Awards U.S. Optimistic despite threats When it comes to data protection and risk management planning, informa- tion security professionals are feeling more hopeful than ever. According to our annual “Guarding Against a Data Breach” survey, compared to previous Contents years, a majority of IT security pros The Judges .............................................................................. 54 say their organizations are taking ap- The Sponsors .......................................................................... 55 propriate steps to protect critical data. Word from the co-chair ........................................................... 56 As promising as this feedback is, one has to juxtapose it against the less Reader Trust Awards upbeat happenings of our collective Best Anti-Malware Gateway ................................................... 56 reality. For starters, advanced persistent threats (APTs) and Best Cloud Computing Security ............................................ 57 other more methodical and sophisticated cyber crime attacks Best Computer Forensic Tool ................................................. 57 Best Data Leakage Prevention (DLP) .................................... 58 are becoming the norm, according to most experts. Just look to Best Database Security Solution .......................................... 58 the recent attacks against The New York Times, Twitter or the Best Email Security Solution .................................................. 59 U.S. Department of Energy to get a sense
    [Show full text]
  • 0201707195.Pdf
    Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley,Inc., was aware of a trademark claim, the designations have been printed in initial capital letters or in all capitals. The authors and publisher have taken care in the preparation of this book, but make no expressed or implied waranty of any kind and assume no responsibility for errors or omis- sions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herin. Screen shots reprinted with permission from Microsoft. The publisher offers discounts on this book when ordered in quantity for special sales. For more information, please contact: Pearson Education Corporate Sales Division 201 W. 103rd Street Indianapolis, IN 46290 (800) 428-5331 [email protected] Visit AW on the Web: www.awl.com/cseng/ Library of Congress Cataloging-in-Publication Data Kruse, Warren G. Computer forensics : incident response essentials / Warren G. Kruse II, Jay G. Heiser. p. cm. Includes bibliographical references and index. ISBN 0-201-70719-5 1. Computer security. 2. Computer networks—Security measures. 3. Forensic sciences. I. Heiser, Jay G. II. Title QA76.9.A25 K78 2001 005.8—dc21 2001034106 Copyright © 2002 by Lucent Technologies All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher.
    [Show full text]
  • Chƣơng Trình Đào Tạo
    TRƢỜNG ĐẠI HỌC CÔNG NGHIỆP THỰC PHẨM TP.HCM KHOA CÔNG NGHỆ THÔNG TIN ---------------------------------------------------- CHƢƠNG TRÌNH ĐÀO TẠO Ngành đào tạo: An toàn thông tin Tên tiếng Anh: Information Security Trình độ đào tạo: Đại học Mã số: 52480299 Loại hình đào tạo: Chính quy TP. H Ch Minh th ng 04 n m 2017 MỤC LỤC 1. Mục tiêu đào tạo ............................................................................................................. 1 1.1. Mục tiêu chung ................................................................................................................... 1 1.2. Mục tiêu cụ thể ................................................................................................................... 1 2. Chuẩn đầu ra của chƣơng trình đào tạo ..................................................................... 2 3. Chi tiết chuẩn đầu ra và học phần ch nh tƣơng ứng ................................................. 3 4. Ma trận chƣơng trình đào tạo – chuẩn đầu ra của c c học phần ............................ 7 5. Vị tr làm việc sau khi tốt nghiệp ............................................................................... 11 6. Khả n ng học tập nâng cao trình độ sau khi ra trƣờng ......................................... 11 7. Thời gian đào tạo: 3 5 n m. ........................................................................................ 12 8. Khối lƣợng kiến thức toàn khóa ................................................................................. 12 9. Đối tƣợng tuyển sinh...................................................................................................
    [Show full text]
  • Personal Computing in the Soviet Era
    Contents | Zoom in | Zoom out For navigation instructions please click here Search Issue | Next Page Volume 37 Number 1 January–March 2015 www.computer.org Red Clones: Personal Computing in the Soviet Era Contents | Zoom in | Zoom out For navigation instructions please click here Search Issue | Next Page qM qMqM Previous Page | Contents |Zoom in | Zoom out | Front Cover | Search Issue | Next Page qMqM Qmags THE WORLD’S NEWSSTAND® IEEE Annals of the History of Computing Vol. 37, No. 1 Contentswww.computer.org/annals January–March 2015 From the Editor’s Desk 2 Nathan Ensmenger, Editor in Chief Red Clones: The Soviet Computer Hobby Movement 12 of the 1980s Zbigniew Stachniak History of Computing in India: 1955–2010 24 Vaidyeswaran Rajaraman Useful Instruction for Practical People: Early Printed 36 Discussions of the Slide Rule in the US Peggy Aldrich Kidwell The Production and Interpretation of ARPANET Maps 44 Bradley Fidler and Morgan Currie “There Is No Saturation Point in Education”: Inside IBM’s 56 Sales School, 1970s–1980s James W. Cortada For more information on computing topics, visit the Computer Society Digital Library at www.computer.org/csdl. Sergey Popov operating a Micro-80 computer at the Moscow Institute of Electronic Engineering in 1979. (Photograph courtesy of Sergey Popov.) Published by the IEEE Computer Society ISSN 1058-6180 qM qMqM Previous Page | Contents |Zoom in | Zoom out | Front Cover | Search Issue | Next Page qMqM Qmags THE WORLD’S NEWSSTAND® qM qMqM Previous Page | Contents |Zoom in | Zoom out | Front Cover | Search Issue | Next Page qMqM Qmags THE WORLD’S NEWSSTAND® Departments Editor in Chief Nathan Ensmenger 4 Interviews Associate Editors Dag Spicer David Hemmendinger, Marie Hicks Interview with Gordon Bell Christian Sandstrom,€ Jeffrey R.
    [Show full text]
  • A Framework for Live Forensics
    c 2011 Ellick M. Chan A FRAMEWORK FOR LIVE FORENSICS BY ELLICK M. CHAN DISSERTATION Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate College of the University of Illinois at Urbana-Champaign, 2011 Urbana, Illinois Doctoral Committee: Professor Roy H. Campbell, Chair, Director of Research Professor Carl Gunter Professor Pierre Moulin Professor Samuel T. King Professor Alex Halderman, University of Michigan Abstract Current techniques used by forensic investigators during incident response and search and seizure operations generally involve pulling the power on suspect machines and performing traditional dead box post-mortem analysis on the persistent storage medium. These cyber- forensic techniques may cause significant disruption to the evidence gathering process by breaking active network connections and unmounting encrypted disks. In contrast, live forensic tools can collect evidence from a running system while preserving system state. In addition to collecting the standard set of evidence, these tools can collect evidence from live web browser sessions, VPN connections, IM and e-mail. Although newer live forensic analysis tools can preserve active state, they may taint evidence by leaving footprints in memory. Current uses of live forensics in corporate in- cident response efforts are limited because the tools used to analyze the system inherently taint the state of disks and memory. As a result, the courts have been reluctant to accept evidence collected from volatile memory and law enforcement has been reluctant to use these techniques broadly. To help address these concerns we present Forenscope, a framework that allows an in- vestigator to examine the state of an active system without inducing the effects of taint or forensic blurriness caused by analyzing a running system.
    [Show full text]
  • Unregisterd Version
    Ripped by AaLl86 Software Security: Building Security In By Gary McGraw ............................................... Publisher: Addison Wesley Professional Pub Date: January 23, 2006 Print ISBN-10: 0-321-35670-5 Print ISBN-13: 978-0-321-35670-3 Pages: 448 Table of Contents | Index "When it comes to software security, the devil is in the details. This book tackles the details." -- Bruce Schneier, CTO and founder, Counterpane, and author of Beyond Fear and Secrets and Lies "McGraw's book shows you how to make the 'culture of security' part of your development lifecycle." --Howard A. Schmidt, Former White House Cyber Security Advisor "McGraw is leading the charge in software security. His advice is as straightforward as it is actionable. If your business relies on software (and whose doesn't), buy this book and post it up on the lunchroom wall." --Avi Rubin, Director of the NSF ACCURATE Center; Professor, Johns Hopkins University; and coauthor of Firewalls and Internet Security Beginning where the best-selling book Building Secure Software left off, Software Security teaches you how to put software security into practice.The software security best practices, or touchpoints, described in this book have their basis in good software engineering and involve explicitly pondering security throughout the software development lifecycle. This means knowing and understanding common risks (including implementation bugsand architectural flaws), designing for security, and subjecting all software artifacts to thorough, objective risk analyses and testing. Software Security is about putting the touchpoints to work for you. Because you can apply these touchpoints to the software artifacts you already produce as you develop software, you can adopt this book's methods without radically changing the way you work.
    [Show full text]