Formal Reasoning about Intrusion Detection Systems. Abstract. Intrusion detection is an appealing approach to improving the security of systems.
Tao Song
March 2007
Computer Science

Formal Reasoning about Intrusion Detection Systems

Abstract

Intrusion detection is an appealing approach to improving the security of systems. The goal of intrusion detection is to detect attacks with a low false positive rate and a low false negative rate. A new approach is needed to evaluate the effectiveness of intrusion detection systems (IDSs). In this dissertation, we present a formal framework for the analysis of intrusion detection systems that employ declarative rules for attack recognition. Our approach allows reasoning about the effectiveness of an IDS by formalizing and proving security properties of the IDS. Detection rules of IDSs and security requirements of the system are formalized, and properties about the IDSs are proved within the framework. To illustrate the validation of our approach, we formalized and proved properties about three typical IDSs. SHIM (System Health and Intrusion Monitoring) is used as an exemplary host-based IDS to validate our approach. We formalized all specifications of SHIM, which together with a trusted file policy enabled us to reason about the soundness and completeness of the specifications by proving that the specifications satisfy the policy under various assumptions. DRCP (Dynamic Registration and Configuration Protocol) is an auto-configuration protocol in mobile ad hoc networks. With respect to this protocol, our approach defines a global security requirement for a network that characterizes the good behavior of individual nodes needed to assure the global property. We formally prove that the local detection rules (identifying activity that is monitored) imply the global security requirement. OLSR (Optimized Link State Routing) protocol is a proactive, table-driven routing protocol in MANETs. We analyze a specification-based intrusion detection mechanism to detect insider attacks in the OLSR protocol. We proved that the intrusion detection approach, which focuses on monitoring of local behavior, achieves global integrity of network routing information. Our approach, novel to the field of intrusion detection, can, in principle, yield an intrusion detection system that detects any attack, even unknown attacks, that can imperil the security requirements of the system. The originality of our formal analysis is that it is completely based on analytical methods and does not rely on simulation or experimental evaluation.
Formal Reasoning about Intrusion Detection Systems

By

TAO SONG
B.S. (Peking University) 1997
M.S. (Peking University) 2000

DISSERTATION

Submitted in partial satisfaction of the requirements for the degree of DOCTOR OF PHILOSOPHY in Computer Science in the OFFICE OF GRADUATE STUDIES of the UNIVERSITY OF CALIFORNIA, DAVIS

Approved:

Committee in charge

2007
Formal Reasoning about Intrusion Detection Systems. Copyright 2007 by Tao Song.
To my wife, Xiaohan Gu, and my daughter, Sophia Song.
Acknowledgments

I would like to express my sincere gratitude and appreciation to my advisor, Professor Karl Levitt, for his guidance, understanding, patience and support at all levels. In every sense, none of this work would have been possible without him. I would also like to thank Professor Devanbu and Professor Bishop for reading this dissertation and offering constructive comments. Dr. Poornima Balasubramanyam, Dr. Jeff Rowe, Dr. Calvin Co and Dr. Marcus Tylutki offered much-appreciated advice, support and thought-provoking ideas throughout my research in computer security. Many specifications and data I used in the formal verification were provided by many people inside and outside UC Davis. In particular, Calvin Co provided the spec of SHIM and Chinyang Henry Tseng simulated the OLSR detection mechanism on the GloMoSim simulation platform. I thank them and other friends at UC Davis for their encouragement and support in my research. In addition, I am grateful to my mother and father, who have always been supportive of my academic pursuit in the United States. And I thank my brother and sister for supporting my study and taking care of our parents when I am far away from home. My final, and most heartfelt, acknowledgment goes to my wife, Xiaohan Gu. Her support, encouragement, and companionship have turned my journey through graduate school into a pleasure. When I was preparing this dissertation, our lovely daughter, Sophia Song, was brought into the world. She brings endless surprise and joy to my life. I dedicate this work and my love to them.
Contents

List of Figures
List of Tables

1 Introduction: Overview of Intrusion Detection; Limitations of Earlier Work; Contribution of this Thesis; Introducing Terminology; Dissertation Outline
2 Motivating examples: Examples of Intrusion Scenarios on Host-based Systems; Ftp Vulnerability; Lpr Vulnerability; Detecting Attack Scenarios; Overview of Intrusion Detection Systems; Developing Detection Rules; Enforcement of Security Policies; Trusted File Policies; Policies Regarding Race Condition Attacks; Need For a New Approach
3 The Framework: Introduction; Overview; Hierarchical Model of the Framework; High level Security Requirements (Policy and Attacks); Modeling the Behavior of Systems; Specifications of Intrusion Detection Rules in the Model; Verification; Specification Completeness; Environment Assumptions
4 Formal Reasoning about Host-based IDSs: Introduction; Analysis of Intrusion-Detection Rules; Framework; Hierarchical framework of Verification; Formalization of the Model; Mechanization of the model; Specification and Verification of SHIM; Introduction to SHIM; Formalization of Specifications; Verification of SHIM rules; Performance; Discussion; Summary
5 Formal Reasoning about a Specification-based Intrusion Detection for Dynamic Auto-configuration Protocols in Ad hoc Networks: Introduction; Formal network model and hierarchical framework; A Hierarchical Framework for Formal Reasoning; A Formal network model; Automated verification with ACL; Overview of DRCP; DRCP Vulnerabilities and Attacks; Example DRCP attacks; A Specification-based Intrusion Detection applied to DRCP; Global Security Requirement; Motivation for local behavioral specifications; Generation of local behavioral specification; Formalization and Verification; Formalization of security requirements; Formalization of Specifications of DRCP; Verification about enforcement of security requirements; Discussions; Summary
6 Formal Reasoning about a Specification-based Intrusion Detection for OLSR protocol: Introduction; Security Analysis of OLSR; Overview of OLSR; Attacks Against OLSR; A Specification-based Intrusion Detection for OLSR; Overview; A Correct Behavior Model of OLSR; Simulation Results; The Framework and Formal Network Model; The Framework; 6.4.2 A Formal Network Model; Formal Reasoning about OLSR; Formalization of OLSR; Validation of the OLSR Model; Verification of the Intrusion Detection Mechanism for OLSR; Discussion; Summary
7 Conclusions and Future Work: Conclusions; On the Hierarchical Model of Formal Analysis; On Formal Reasoning about Host-based IDSs; On Formal Reasoning about a Specification-based Intrusion Detection for Dynamic Auto-configuration Protocols in Ad hoc Networks; Formal Reasoning about a Specification-based Intrusion Detection for OLSR Protocol; Future Work; Compositional Verification; Improving Specifications for Privileged Programs; Distributed Monitoring; Detection of Temporary Inconsistency; Verification on other Systems
Bibliography 98
A Specifications for Privileged Programs in UNIX systems 103
B Functions and Theorem of the Verification 126
List of Figures

3.1 Framework of Our Approach; Verification Hierarchy; Relationship among security policy, specifications and attacks; Mechanism of SHIM to filter concurrent execution audit log; Hierarchical Framework for Verification; Example Operation of DRCP; Example DRCP Attack; Global Requirements and Local Specification for DRCP protocol; An EFSM Model of DRCP Server Part; Generation of a route from Topology Table; OLSR Routing Finite State Automata (FSA); Hierarchical Framework for Verification
List of Tables

2.1 The ftp buffer overflow attack; The lpr race condition attack; Important functions of ACL; System Requirement for DRCP; Attack techniques in MANETs; OLSR Routing Table Establishment
Abstract

Intrusion detection is an appealing approach to improving the security of systems. It involves the runtime gathering of data from system operations, and the subsequent analysis of the data. There are three different kinds of detection models: anomaly detection, misuse detection and specification-based intrusion detection. Anomaly detection compares characteristics of the system with normal behavior profiles, and an alert is reported if they do not match. Misuse detection compares current behavior to signatures of known attacks and reports an alert if there is a match. Specification-based intrusion detection monitors the behavior of systems according to specifications, which describe desired functionality for security-critical entities. The goal of intrusion detection is to detect attacks with a low false positive rate and a low false negative rate. A new approach is needed to evaluate the effectiveness of intrusion detection systems (IDSs). In this dissertation, we present a formal framework for the analysis of intrusion detection systems that employ declarative rules for attack recognition, e.g. specification-based intrusion detection. Our approach allows reasoning about the effectiveness of an IDS by formalizing and proving security properties of the IDS. Detection rules of IDSs and security requirements of the system are formalized, and properties about the IDSs, such as that the security requirements are satisfied by deploying the detection rules, are proved within the framework. The formal framework and analysis methodology will provide a scientific basis for one to argue that the IDS detects all attacks that would violate the security requirements of the system. To illustrate the validation of our approach, we formalized and proved properties about three typical IDSs, including a host-based IDS (SHIM), an IDS for an auto-configuration protocol (DRCP) and an IDS for a routing protocol (OLSR). For each IDS, detection rules are formalized and security requirements of the system are proved to be satisfied with the enforcement of these detection rules.

SHIM (System Health and Intrusion Monitoring) is used as an exemplary host-based IDS to validate our approach. We formalized all specifications of SHIM, which together with a trusted file policy enabled us to reason about the soundness and completeness of the specifications by proving that the specifications satisfy the policy under various assumptions. DRCP (Dynamic Registration and Configuration Protocol) is an auto-configuration protocol in mobile ad hoc networks. With respect to this protocol, our approach defines a global security requirement for a network that characterizes the good behavior of individual nodes needed to assure the global property. We formally prove that the local detection rules (identifying activity that is monitored) imply the global security requirement. OLSR (Optimized Link State Routing) protocol is a proactive, table-driven routing protocol in MANETs. We analyze a specification-based intrusion detection mechanism to detect insider attacks in the OLSR protocol. The specifications, also called local constraints, describe the valid behavior of the local network. We proved that the intrusion detection approach, which focuses on monitoring of local behavior, achieves global integrity of network routing information. Our approach, novel to the field of intrusion detection, can, in principle, yield an intrusion detection system that detects any attack, even unknown attacks, that can imperil the security requirements of the system. The originality of our formal analysis is that it is completely based on analytical methods and does not rely on simulation or experimental evaluation.
Chapter 1

Introduction

1.1 Overview of Intrusion Detection

Critical computer systems and networks, for economic, functionality, and compatibility reasons, will likely be comprised of commercial-off-the-shelf (COTS) products. These COTS systems and software are not designed and built in a way that provides users with confidence in their ability to meet security requirements; nor are these systems secure. It seems new attacks that exploit vulnerabilities in existing systems occur daily. Therefore, there is an imminent need for new techniques that can increase the trustworthiness of COTS systems. Complementing preventive strategies, intrusion detection has been a prevalent technology that is becoming accepted by the community. Intrusion detection is an appealing approach to improving the security of existing systems, as it can be retrofitted onto security-critical programs. Briefly, intrusion detection involves the runtime gathering of data from system operation, and the subsequent analysis of the data; the data can be audit logs generated by an operating system, packets sniffed from a network, or reports from instrumented programs, which could be applications such as a database system.

We can categorize IDSs by many different criteria. By the systems they monitor, IDSs can be divided into network-based IDSs and host-based IDSs. IDSs that monitor network backbones and look for attack scenarios are called network-based IDSs, whereas those that operate on hosts and defend and monitor the operating and file systems for signs of intrusion are called host-based IDSs.

Normal behaviors of a computer system have the characteristics of predictable statistics, the absence of a known attack scenario and conformance to specifications [13]. Intrusion detection systems are developed on the assumption that attacks will break at least one of these characteristics. There are three different kinds of intrusion detection models: anomaly detection, misuse detection and specification-based intrusion detection. Anomaly detection, first proposed by Anderson [22], is based on the assumption that the characteristics of attacks are significantly different from normal behavior. The characteristics of the system are compared with the expected values and an alert is reported if they do not match. Anomaly detection is capable of detecting unknown attacks or variants of known attacks if such attacks significantly change the monitored characteristics of the system. But the trade-off is that detection often comes with a high false-positive rate, which means that normal system behaviors will be reported as potential attacks. Misuse detection compares current behavior to signatures of known attacks and reports an alert if there is a match [49, 41]. Misuse systems have difficulty detecting unknown attacks as well as variants of known attacks. Whether generalized attack signatures are capable of detecting unknown attacks still remains an open question. Specification-based intrusion detection monitors current behavior of systems according to specifications that describe desired functionality for security-critical entities [26, 30, 56, 29, 67]. A mismatch between current behavior and the specifications will be reported as an attack. Privileged programs, also called root-setuid programs, are often analyzed by a specification-based intrusion detection system because of their significant impact on system security. The effective user of a privileged program has root privileges, and attacks against a privileged program often abuse the privilege to access security-critical objects that are not supposed to be accessed by the victim programs. During program operation, the system accesses associated with the operation of a program are recorded in audit logs and matched against the specification by the IDS. Mismatches are reported and almost always indicate an attack. Theoretically, specification-based intrusion detection is capable of detecting unknown attacks or variants of known attacks, and a report is issued as soon as a specification violation occurs.
While intrusion detection systems can improve the security of a system, it is hard to evaluate the effectiveness of an IDS with respect to the primary objective users have for the deployment of such systems: the ability to detect large classes of attacks (including variations of known attacks and unknown attacks) with a low false alarm rate. In addition, it is hard to assess, in a scientific manner, the security posture of a system with an IDS deployed. Even more important to users than detecting attacks is to know that the IDS will generate alerts if there is any violation of a security policy.

1.2 Limitations of Earlier Work

So far, experimental evaluation and testing have been the only approaches that have been attempted to evaluate the effectiveness of an intrusion detection system. First, the intrusion detection system is subjected to test data that are normal (that is, attack-free) to develop a profile of normal behavior. Then it is challenged by test data that contain attacks, as in the DARPA Off-line Intrusion Detection Evaluation [50]. Results, including the detection rate for real attacks and the false alarm rate, are used to assess the effectiveness of the intrusion detection system. The usefulness of these evaluations depends on the coverage of the test data and the sensitivity of the test results with respect to changes in the environment. However, it is hard to obtain test data from real environments that are known to be free of attacks, or to obtain test data that cover attacks representing most attack categories. Attacks experienced by a system quite often change with time as variations of known attacks surface or new attacks emerge. Thus it is difficult to develop a set of test data that is comprehensive and that has strong predictive power with respect to changes in operating environments. There is a critical need to establish a scientific foundation for evaluating and analyzing the effectiveness of intrusion detection systems.

This research employs formal reasoning to analyze intrusion detection systems, attempting to provide a scientific foundation for assessing the security of the overall system. We consider host-based systems and network-based systems, reasoning about intrusion detection systems in isolation and in composition.
1.3 Contribution of this Thesis

This thesis makes two contributions to the evaluation of the effectiveness of intrusion detection systems. The key contribution of this research is a mechanized methodology to formally reason about the effectiveness of intrusion detection systems in satisfying specific security requirements. This is one of the first approaches to analyzing the detection rules of an IDS with formal methods. A hierarchical verification model is proposed, in which we formalize an abstract system model, detection rules and security requirements. Theorems are created and proved to reason about the soundness and completeness of detection rules. Second, we apply the framework in our analysis of a host-based intrusion detection system, SHIM, and of network intrusion detection systems. The specifications in SHIM are formalized and reasoned about with respect to simulated attacks and access control policies. In the analysis of network intrusion detection systems in ad hoc networks, we develop global requirements to describe the security properties of ad hoc networks and local specifications that restrict the behavior of nodes. We formally prove that the global requirements are enforced by the local specifications together with some assumptions. Parts of the research are presented in my papers [54, 59, 64, 60]. Taken together, this research puts the formal evaluation of intrusion detection systems on much firmer footing, and provides direction for the continued development of the area.

1.4 Introducing Terminology

This section explains some terms that are used throughout this dissertation. Some of the terms have well-accepted definitions among security professionals, while others have specific uses in this dissertation.

Attack: An attack is any set of actions whose purpose is to compromise the integrity, confidentiality, or availability of a resource. The set of actions may be performed by a single attacker or by a group of cooperating attackers. An attacker exploits vulnerabilities in a system to gain the privileges necessary to achieve his/her goal.

Auditing: Auditing is the analysis of log records to present information about the system in a clear and understandable manner [34].

Exploitation: An exploitation is a set of actions that result in a violation of the security policy of a computer system. Intruders exploit system vulnerabilities or flaws to gain unauthorized access to the system.

Logging: Logging is the recording of events or statistics to provide information about system use and performance [34].

Security policy: A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states [34].

Specification: A specification is a description of the characteristics of a computer system or program.

Specification-based intrusion detection: An intrusion detection method which monitors the current behavior of systems according to specifications that describe desired functionality for security-critical entities, and raises an alert if there is a violation.

Privileged program: A privileged program is a program that is executed with special privileges, enabling it to bypass the system security mechanism in order to accomplish its task. In Unix, examples are those programs that are owned by root and have the setuid bit on.

Vulnerability: A vulnerability is a weakness in automated system security procedures, administrative controls, or internal controls that could be exploited by a threat to gain unauthorized access to information or to disrupt critical processing.

1.5 Dissertation Outline

The rest of this dissertation is organized as follows. Chapter 2 presents a framework of our approach. Chapter 3 describes our analysis of a host-based IDS, SHIM. In Chapter 4 we formalize security requirements for the DRCP protocol and formally address the enforcement of these security requirements by a specification-based IDS. Chapter 5 presents a distributed IDS for the OLSR protocol and analyzes this IDS in fulfilling security requirements for OLSR. Chapter 6 discusses various issues of our work. Chapter 7 concludes our work and gives some suggestions about future research.
20 7 Chapter 2 Motivating examples This chapter presents several examples aimed at illustrating the subtleties involved in developing detecting rules and security policies to detect intrusions and the associated pitfalls. The examples motivate the need for a formal framework for reasoning about detection rules in intrusion detection systems. The overall approach is to prove properties about intrusion detection systems. Our proof method depends on detecting rules and a security policy, where these rules are reasoned about with respect to the policy. 2.1 Examples of Intrusion Scenarios on Host-based Systems We present two well-known intrusion scenarios, each exploiting a different class of vulnerabilities (buffer overflow, race condition. Detection rules and security policies, which detect or prohibit these attacks, will be introduced in the following sections Ftp Vulnerability Ftp daemon is a Unix utility for providing file transfer service to remote clients. Ftp daemon is a setuid root program, or previleged program, because root privileges are required to monitor the ftp port, which is a system port in UNIX. The fact that ftp daemon runs with root privilege enables it to perform operations inaccessible by normal users. Therefore if ftp daemon is comprised, the attacker may acquire root privilege. This is the basis for the exploitation. There is a buffer overflow vulnerability for an early version
21 8 of wuftp daemon(2.4.2-beta-18. The vulnerability can be exploited by an attack which enables the attacker to invoke any arbitrary system call. Specifically, wuftp daemon invoke a strcat( C library call without restrict the size of the input. As a result, when wuftp daemon is given a very long request, the data could overwrite the memory location beyond the buffer, causing unexpected behavior. An elaborated organized request may even invoke arbitrary system calls. Due to the fact that wuftp daemon is a setuid program, the attacker can invoke a shell with root privilege and use it to access any files of the system [8]. Table 2.1 depicts a trace of the exploit. When strcat( is called, the run-time stack consists of the activation record of strcat(, which include the parameters, the return address, and local variables. When an attacker sends a long request message consisting of code to the ftp daemon, strcat( fills the read buffer and beyond with the message so that the buffer now contains the injected code and the return address is overwritten with an address pointing to the buffer. When the subroutine returns, it branches into the buffer and executes the attacker s code. Obviously, we can detect aattacks that exploit this vulnerability by checking the parameters of strcat(. However, most auditing systems do not record the content of strcat( operations because of the huge volume of data associated with these operations. Therefore, it is not possible to tell whether from the audit trails, wuftp daemon is under a buffer overflow attack. However, if we look at the operations performed by wuftp daemon, we can detect the intrusion by comparing the operations performed by wuftp daemon in a normal execution and under an attack. Another idea is to detect the buffer overflow attacks by examining audit data for attack signatures, like sequences of operations or strings which are used to exploit the vulnerabilities. 
However, it is not difficult to develop variants of known attacks which have different signatures but still exploit the same vulnerabilities. Therefore, the signature-based approach may have high false alert rate in detecting attacks exploit specific vulnerabilities Lpr Vulnerability This section describes a race-condition vulnerability in an early version of lpd(line printer Daemon utility and related intrusions that exploit this and similar vulnerabilities. Lpd is a UNIX utility which provides printing services. After a printing job is submitted
22 9 ftp daemon attack comments Len =... Set the length of the buffer t=xcalloc(len,... Malloc memory Strcat(t,... Buffer overflow attack 7... Following attack behavior 8 Open(O RW, /etc/passwd... Change the passwd file 9... Table 2.1: The ftp buffer overflow attack by a client, lpd will check whether the client has the privilege to access the file. After that lpd will read the file and send it to the printer. Lpd is a setuid root program because root privileges are required in order to send files to printing devices. Therefore, lpd run with root privileges and can access any arbitrary file in a UNIX system. Lpd has a race condition flaw, which enables an attacker to read files which is inaccessible to him. The flaw relates to the way lpd check the permission of a file before printing it as well as its semantics in dealing with symbolic links. Specifically, the flaw enables a nonprivileged user to print out any file that he does not have privileges to read. The lpr attack exploits the race condition vulnerability. Please refer to table 2.2 for a simple exploit. First, the attacker requests the printing of some benign file (for example, his own file doc.txt. His rights are checked by the lpr command and, if access is granted, the request is put into the printer daemon queue. Then, before the printing actually starts, the attacker removes the printed file and replaces it by a link to some file he is not allowed to access (for example, /etc/shadow. As a result, the latter file will eventually be printed on his behalf. We can detect this intrusion in two ways. First, we can detect it by just looking at the operations performed by lpd. Although the sequence of calls and parameters performed by lpd are the same when it is under the race condition attack, the actual physical files printed by the calls are different. In Unix, each physical file is identified by a unique inode number. In the normal sequence, lpd prints the file corresponding to the inode of the
23 10 lpd daemon attack 1 lpr doc.txt 2 read /var/spool/lpd/job-**** 3 rm doc.txt 4 ln -s /etc/shadow doc.txt 5 read doc.txt 6 send document to printer Table 2.2: The lpr race condition attack file whose permissions have been checked. However, in the sequence of audit records of lpd under the exploitation, the file being printed and the file being checked have different inodes. Thus, by checking the inode of the files being printed, which are usually available in the audit trail, we can detect occurrences of this intrusion. Second, we can detect the intrusion by checking whether operations that change the meaning of the file are performed by other processes between the time lpd checks the file and prints files. Some ways of specifying the valid order among these operations are needed in order to detect the intrusion in that way. In section 3, policies regarding noninterference will be introduced and they will provide general solutions for race condition attacks. 2.2 Detecting Attack Scenarios In this section, we give an overview of intrusion detection systems first. Then a few examples are presented to indicate the subtleties involved in developing detect rules Overview of Intrusion Detection Systems We can categorize IDSs according to different criteria. IDSs can be divided into network-based IDS and host-based IDS by the systems they monitor.. IDSs that monitor network backbones and look for attack scenarios are called network-based IDSs, whereas those that operate on hosts defend and monitor the operating and file systems for signs of intrusion are called host-based IDSs. Normal behaviors of a computer system have the characteristics of predictable statistics, the absence of a known attack scenario and a conformation to specifications
[13]. Intrusion detection systems are developed on the assumption that attacks will break at least one of these characteristics. There are three kinds of intrusion detection models: anomaly detection, misuse detection and specification-based intrusion detection.

Anomaly detection, first proposed by Anderson [22], is based on the assumption that the characteristics of attacks are significantly different from normal behavior. The characteristics of the system are compared with the expected values and an alert is reported if they do not match. Anomaly detection is capable of detecting unknown attacks or variants of known attacks if such attacks significantly change the monitored characteristics of the system. The trade-off is that detection often comes with a high false-positive rate, which means that normal system behaviors will be reported as potential attacks.

Misuse detection compares current behavior to signatures of known attacks and reports an alert if there is a match [49, 41]. Misuse systems have difficulty detecting unknown attacks as well as variants of known attacks. Whether generalized attack signatures are capable of detecting unknown attacks still remains an open question.

Specification-based intrusion detection monitors the current behavior of systems according to specifications that describe the desired functionality of security-critical entities [26, 30, 56, 29, 67]. A mismatch between current behavior and the specifications is reported as an attack. Privileged programs, also called root-setuid programs, are often analyzed by a specification-based intrusion detection system because of their significant impact on system security. The effective user of a privileged program has root privileges, and attacks against a privileged program often abuse that privilege to access security-critical objects that are not supposed to be accessed by the victim program. During program operation, the system accesses associated with the operation of a program are recorded in audit logs and matched against the specification by the IDS. Mismatches are reported and almost always indicate an attack. Theoretically, specification-based intrusion detection is capable of detecting unknown attacks or variants of known attacks, and a report is issued as soon as a specification violation occurs.
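The two detection ideas given for the lpr race condition at the end of the previous section (compare the inode of the file that lpd checked with the inode of the file it printed; look for meaning-changing operations by other processes between the check and the use) can both be run over a host audit trail. The following Python is an added example, not code from the dissertation or from SHIM: it replays a constructed trail that follows the steps of Table 2.2 and applies both checks. Program names, pids, paths and inode numbers are made up for the example.

```python
"""Two audit-trail checks for the lpr race condition of Table 2.2 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int    # position in the audit trail
    pid: int    # process that performed the operation
    comm: str   # program name recorded by the auditing subsystem
    op: str     # "submit", "check", "read", "print", "rm", "symlink", ...
    path: str   # path named by the operation
    inode: int  # inode the path resolved to at that moment (constructed numbers)


# Constructed trail following Table 2.2: the daemon checks the file (step 2)
# and reads it (step 5); the attacker's shell acts in between (steps 3 and 4).
ATTACK_TRAIL = [
    Event(1, 501, "lpr", "submit", "/home/mallory/doc.txt", 4242),   # lpr doc.txt
    Event(2, 100, "lpd", "read", "/var/spool/lpd/job-0001", 7001),   # read job file
    Event(3, 100, "lpd", "check", "/home/mallory/doc.txt", 4242),    # permission check
    Event(4, 501, "sh", "rm", "/home/mallory/doc.txt", 4242),        # rm doc.txt
    Event(5, 501, "sh", "symlink", "/home/mallory/doc.txt", 9),      # ln -s /etc/shadow doc.txt
    Event(6, 100, "lpd", "read", "/home/mallory/doc.txt", 9),        # read doc.txt (now another object)
    Event(7, 100, "lpd", "print", "/home/mallory/doc.txt", 9),       # send document to printer
]

# The same job with no interference: the benign baseline.
BENIGN_TRAIL = [
    Event(1, 501, "lpr", "submit", "/home/mallory/doc.txt", 4242),
    Event(2, 100, "lpd", "read", "/var/spool/lpd/job-0002", 7002),
    Event(3, 100, "lpd", "check", "/home/mallory/doc.txt", 4242),
    Event(4, 100, "lpd", "read", "/home/mallory/doc.txt", 4242),
    Event(5, 100, "lpd", "print", "/home/mallory/doc.txt", 4242),
]


def inode_mismatches(trail, daemon="lpd"):
    """First check: pair each check by the daemon with its next read of the same
    path and report the pairs whose inodes differ, as (check seq, read seq, path)."""
    pending = {}   # path -> check event not yet matched with a read
    findings = []
    for ev in trail:
        if ev.comm != daemon:
            continue
        if ev.op == "check":
            pending[ev.path] = ev
        elif ev.op == "read" and ev.path in pending:
            chk = pending.pop(ev.path)
            if chk.inode != ev.inode:
                findings.append((chk.seq, ev.seq, ev.path))
    return findings


# Operations that change what a path refers to (the "meaning" of the file).
MEANING_CHANGING = {"rm", "rename", "symlink", "link", "chmod", "chown"}


def interleaved_modifications(trail, daemon="lpd"):
    """Second check: report operations by other processes that change the meaning
    of a path between the daemon's check and its use of that path, as
    (check seq, offending seq, program, op)."""
    findings = []
    for i, chk in enumerate(trail):
        if chk.comm != daemon or chk.op != "check":
            continue
        for ev in trail[i + 1:]:
            if ev.path != chk.path:
                continue
            if ev.pid == chk.pid and ev.op == "read":
                break   # the daemon consumed the file; the race window is closed
            if ev.pid != chk.pid and ev.op in MEANING_CHANGING:
                findings.append((chk.seq, ev.seq, ev.comm, ev.op))
    return findings


if __name__ == "__main__":
    print("inode mismatches:", inode_mismatches(ATTACK_TRAIL))
    print("interleaved changes:", interleaved_modifications(ATTACK_TRAIL))
```

The first check needs only the daemon's own records, which is why it works when inodes are in the audit trail; the second needs records from every process that touches the path, which is the ordering information the noninterference policies of section 3 make explicit.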
Developing Detection Rules

In designing an intrusion detection system, one must select which kind of detection rules will be developed to detect intrusions. These detection rules include the specifications of a specification-based intrusion detection system and the attack signatures of misuse detection systems. Anomaly detection systems will not be analyzed because most of them are statistics-based and difficult to analyze with logic, whereas specifications and signatures are declarative.

Development of correct intrusion-detection rules is a very difficult and error-prone task: it involves extensive knowledge engineering on attacks and on most components of the system; it requires a deep and correct understanding of most of the components in a system and how they work together; and it requires the rule developers to be cautious and careful to avoid mistakes and gaps in coverage. Often, it is very difficult to assess whether a given set of intrusion-detection rules is correct (i.e., whether they detect the attacks or enforce the security policies).

We discuss the subtleties involved in writing valid behavior specifications for a program. Traditionally, in specification-based IDSs, a valid behavior specification for a program declares what operations and system calls are allowed for the program. Whether an operation is allowed or not depends on the attributes of the process and of the referenced object, and on the attributes of the system call. In SHIM, a specification for a program is a list of rules describing all the operations valid for the program. For example, the following rule in the ftp daemon (ftpd) specification allows the program to open any file in the /var/log/wtmp directory for writing:

  (OPEN_WR, $F.path == /var/log/wtmp)

With specifications that list the valid operations of security-critical programs, an IDS can monitor the execution of the programs and raise an alert if the specifications are violated. If the specifications are correct and complete, the IDS is capable of detecting all attacks, known and unknown, that change the behavior of the programs. However, draft specifications, when used to monitor program execution, will produce false positives (i.e., valid operations performed by the program are reported as erroneous because they are not included in the specification). One then augments the specification with rules to cover these operations. However, one needs to be very careful in writing the specification for a program to avoid some attacks going undetected. For example, given the above rule, if /var/log/wtmp is somehow writable by attackers, they can create a link from /var/log/wtmp/file to the /etc/passwd file. A specification-based IDS with this rule in the specification of ftpd will permit this operation and the attack will go undetected.

For the intrusion scenarios that we introduced in the previous section, the ftp buffer overflow attack can be detected by a specification-based IDS if the attacker intends to invoke a shell or open some security-critical object, like the passwd file; the lpr race condition attack, however, may not be detected because the attack does not change the observed behavior of the lpd program. We can augment the specification of lpd to check the number of links to the target object and to generate a warning if the number of links to the object is greater than one, thus preventing this kind of attack. Based on our experience, writing specifications for a program is subtle and tricky, thus demanding an approach to rule validation.

2.3 Enforcement of Security Policies

In the current view, rules are evaluated against known attacks and hypothesized unknown attacks. How good are these rules? This thesis addresses this question by proposing that the rules can be reasoned about with respect to a security goal, e.g. a security policy. One interesting question about intrusion detection is, given the detection rules, whether the high-level security policies, like access control policies, can be satisfied. In this context, we mean that actions that violate the security policies are either prohibited or detected. Most computer systems employ access control policies as the first line of defense to protect the resources and information in the systems.
The access control policies limit access to files and other operating system objects based on their ownership and the settings of the owner, group and others permission bits. To ensure the security of a system, the access control mechanism should work properly, and an intrusion detection system should be able to monitor violations of the standard access control policy and raise an alarm. In addition, we identify a suite of policies at different levels of abstraction to specify the full breadth and depth of intrusion detection mechanisms and to detect different attacks. This hierarchy will be addressed in the formal specification and verification described in this dissertation.

Trusted File Policies

Initially, we start with a simple and easily understood integrity policy, which states that certain files cannot be modified. For example, a UNIX system relies on a number of privileged programs and device drivers. These programs often read data from configuration files, trusting the integrity of these files. These trusted files must be specified as special files by the policy and then protected as such. Trusted file access policies are security policies that we developed to keep trusted files from unauthorized access. In UNIX systems, a discretionary access control (DAC) mechanism defines whether a subject can access an object or not, depending on the privilege of the subject and the access permission of the object. Some files are intended to be accessed only by specific users or using specific programs. Thus, trusted file access policies are defined in our format as:

  (trusted file, authorized user, program, access)

where trusted file is the file to be protected, authorized user defines the user that can access the file with any program, and program defines the program that can be used by other users to access the file. As an example, the passwd file access policy is defined as:

  (/etc/passwd, root, passwd, (open-wr, create, chmod, chown, rename))

It indicates that the passwd file of a UNIX system should be editable by root using any program or by an ordinary user using the passwd program. Therefore, if an attacker compromises an ftp daemon and tries to access the passwd file, the passwd file access policy will be violated. In fact, this policy prohibits any unauthorized access to the passwd file. Therefore, if this policy is enforced by an IDS, any unauthorized access to the passwd file will be detected by the IDS.
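The question this section poses, whether a rule set lets through any action that violates the policy, can be asked mechanically for a small world. The following Python is an added example and not code from SHIM or from the dissertation; it serves both the ftpd specification rule of section 2.2 and the passwd trusted file policy above. It encodes the rule (OPEN_WR, $F.path == /var/log/wtmp) as a predicate, the policy tuple (/etc/passwd, root, passwd, (open-wr, create, chmod, chown, rename)) as data, then enumerates every audit record ftpd could produce over constructed domains and lists the policy violations the specification would accept. Two assumptions are built in: the audit record carries the real user on whose behalf the process runs (not the effective uid of the privileged program), and the policy identifies the trusted file by inode, so a link under another path is still the same object. User names, inode numbers and the second ftpd rule are constructed.

```python
"""Specification rules versus a trusted file policy over audit records (added example)."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AuditRecord:
    program: str  # program performing the access, e.g. "ftpd"
    user: str     # real user the process acts for (assumption, see lead-in)
    op: str       # "open-wr", "open-rd", "create", "chmod", "chown", "rename"
    path: str     # path the process used
    inode: int    # object the path resolved to (constructed numbers)
    nlink: int    # hard-link count of that object


# A SHIM-style rule: the operation it permits plus a predicate on the record.
Rule = Tuple[str, Callable[[AuditRecord], bool]]


def under(directory: str) -> Callable[[AuditRecord], bool]:
    """Predicate for '$F.path is the directory or a file inside it'."""
    return lambda r: r.path == directory or r.path.startswith(directory + "/")


# ftpd specification: the wtmp rule from the text plus one constructed read rule.
FTPD_SPEC: List[Rule] = [
    ("open-wr", under("/var/log/wtmp")),
    ("open-rd", under("/etc/ftpd")),
]
SPECS = {"ftpd": FTPD_SPEC}


def spec_allows(spec: List[Rule], rec: AuditRecord, check_links: bool = False) -> bool:
    """True if some rule permits the record. With check_links, an object with more
    than one hard link is never permitted (the augmentation suggested in 2.2)."""
    if check_links and rec.nlink > 1:
        return False
    return any(op == rec.op and pred(rec) for op, pred in spec)


PASSWD_INODE = 1001   # constructed inode of /etc/passwd

# (trusted object, authorized user, program, guarded accesses)
TRUSTED_FILE_POLICY = [
    (PASSWD_INODE, "root", "passwd", {"open-wr", "create", "chmod", "chown", "rename"}),
]


def policy_violated(rec: AuditRecord) -> bool:
    """A guarded access to a trusted object is authorized only for the authorized
    user (with any program) or through the named program (by any user)."""
    for obj, user, prog, ops in TRUSTED_FILE_POLICY:
        if rec.inode == obj and rec.op in ops:
            if rec.user != user and rec.program != prog:
                return True
    return False


# Objects ftpd could name: (path, inode, nlink). In this constructed world the
# link from /var/log/wtmp/file to the passwd object exists, so both names share
# the inode and the object has two links.
OBJECTS = [
    ("/var/log/wtmp", 2001, 1),
    ("/etc/ftpd/ftpaccess", 2002, 1),
    ("/etc/passwd", PASSWD_INODE, 2),
    ("/var/log/wtmp/file", PASSWD_INODE, 2),
]
USERS = ["root", "ftp", "alice"]
OPS = ["open-wr", "open-rd", "chmod", "rename"]


def all_records(program: str = "ftpd") -> List[AuditRecord]:
    """Every record the program could produce over the constructed domains."""
    return [AuditRecord(program, u, op, path, ino, nl)
            for u, op, (path, ino, nl) in product(USERS, OPS, OBJECTS)]


def undetected_violations(records, check_links: bool = False) -> List[AuditRecord]:
    """Policy violations by a specified program that its specification accepts:
    the counterexamples a proof that the rules enforce the policy must rule out."""
    gaps = []
    for rec in records:
        spec = SPECS.get(rec.program)
        if spec is None:
            continue   # no specification for this program; nothing to compare
        if policy_violated(rec) and spec_allows(spec, rec, check_links):
            gaps.append(rec)
    return gaps


if __name__ == "__main__":
    for gap in undetected_violations(all_records()):
        print("undetected:", gap)
    print("with link check:", undetected_violations(all_records(), check_links=True))
```

Without the link check the enumeration returns exactly the two records (users ftp and alice opening /var/log/wtmp/file for writing) that correspond to the undetected link attack of section 2.2; with the link count check enabled, the set of undetected violations is empty, which is the kind of statement the framework of chapter 3 proves for the real specifications rather than for a constructed world.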
Policies Regarding Race Condition Attacks

A few policies have been proposed to detect race condition attacks. Zimmermann et al. proposed a reference flow control model for policy-based intrusion detection [70, 71]. The authors claim that their approach is capable of detecting unknown noninterference behaviors which violate the security policy specifications of a system [71]. In the reference flow control model, a security policy is enforced by defining domains that specify sets of method calls, each combination of these calls producing authorized information flows. Any cross-domain information flow operation is considered an intrusion. Race-condition attacks can be detected by observing information flows from an object created by an attacker to objects that he is not authorized to access.

Ko et al. proposed another approach to detecting race-condition attacks by checking the valid interleaving between privileged and unprivileged processes [28]. They developed a noninterference model which ensures that the concurrent behavior of two programs has no impact on the behavior of either program. Their approach relies only on knowledge of the legality of system call execution interleavings, which is defined once and for all by the implementation, and is considered simpler and more efficient in detecting race-condition attacks. The lpr race condition attack, which we introduced in the previous section, can be detected by both approaches.

Formal techniques [42, 53, 3] for assuring the security of a system have been investigated. It is our view that a security policy should support formal reasoning.

2.4 Need For a New Approach

As illustrated by the examples, writing intrusion-detection rules for specification-based and misuse detection is tricky. Existing techniques for evaluating intrusion-detection rules, primarily based on testing, have limitations. A major problem is the development of a comprehensive suite of test cases, which are typically generated manually by intrusion detection experts, based on observed attack instances and analysis of captured attack tools. The process of developing the test suite is thus labor-intensive and error-prone. Moreover, the trend toward increasing sophistication of attacks, such as multi-step attacks, distributed coordinated attacks, and the use of code obfuscation and IDS evasion techniques, makes IDS testing more and more difficult. An automated tool that can assist IDS developers to generate, analyze, and verify the correctness of the rules (that they are both necessary and sufficient) will benefit the process of evaluating the effectiveness of intrusion-detection rules. In the next section, we present a complementary approach, based on a formal framework, for reasoning about intrusion-detection rules.
Chapter 3 The Framework

3.1 Introduction

We develop a formal framework that permits analysis of the detection rules in intrusion detection systems. This analysis can be used to identify errors and improve the quality of the rules. In particular, we focus our effort on misuse detection and specification-based detection, both of which employ declarative rules to detect intrusive activity. Based on our experience, developing good misuse signatures and good specifications for programs is tricky and error prone. It often requires insight into the attacks and the critical security aspects of a system. In addition, one needs to be very careful when writing them to avoid gaps in coverage. In particular, it is hard to judge whether changes to the rules actually improve or degrade the ability to detect new attacks.

This research explores the application of techniques from formal methods research to assist the development and analysis of detection rules. We employ verification techniques to prove that a given rule set, together with the operating system, can enforce a given security policy. In addition, we enumerate the assumptions of specific security policies to identify possible ways the policies can be violated without being detected by the detection rules. Thus we abstract away from any specific attack and aim strictly to prove that our IDS will detect any attack that threatens the security policy. The assumptions cover the kinds of attacks that cannot occur or are very unlikely to occur. In particular, we model the expert rules in host-based IDSs and network IDSs in this research. We envision that the analysis allows one to provide a solid argument that the given intrusion detection rules can detect certain attacks and violations of certain security policies, thus providing assurance of the security of the overall system beyond the level of assurance achieved by experiments and testing. We build specifications of network protocols and use them to analyze packet traffic sniffed from the network. We verify security invariants that can be enforced by these specifications. In addition to increasing the coverage of intrusion detection systems and our confidence in that coverage, we provide a methodology to make future enhancements and to allow others to continue this work in other areas, with other intrusion detection systems, and on other platforms.

[Figure 3.1: Framework of Our Approach]

3.2 Overview

Our approach to formal analysis of intrusion-detection rules is inspired by the formal methods research on designing and building trusted computer systems (Figure 3.1: left side). Here, a model of a system is shown to satisfy a security policy. Formal methods involve the use of mathematical logic to model a system, which enables one to reason about the properties of the system. Formal methods have been used to discover errors that occur in the process of designing and building a computer system. Formal methods are feasible for reasoning about specifications with respect to a security policy, e.g. A1 certification as in the Orange Book. Our reasoning, although new and novel, offers a similar complexity. We reason about the detection rules with respect to the security requirements of a system (Figure 3.1: right side).

The process of designing and building a trusted system involves the development of a security model. A security model usually consists of a specification of a security policy (which defines the security requirements, or what is meant by secure) and an abstract behavioral model of the system. Usually, the security policy can be stated as a mapping of system states into authorized (secure) and unauthorized (insecure) states, or it can be a property of the system (e.g., noninterference). The model is an abstraction of the actual system which provides a high-level description of the major entities of the system and the operations on those entities. There may be many layers of abstraction within the model, each a refinement of the higher-level abstraction. Given the security policy and model, one should be able to prove that the model satisfies the security policy assuming some restrictions on the state transition functions. The behavioral model itself can be used to guide the design of the system. In addition, one can then formally specify the design and prove that the design actually adheres to the model. Further, one can also mathematically prove that the implementation (software and hardware) correctly implements the abstract system model, or rigorously test the code. Usually, the verification is done in a hierarchical manner in which a hierarchy of abstract machines, or refinements of the system, is defined.

3.3 Hierarchical Model of the Framework

We develop a security model for IDSs. This IDS security model will consist of an abstract behavioral model of an existing system, specifications of high-level security properties, and specifications of intrusion-detection rules. Rather than relying on a system with
More informationCustomized Data Exchange Gateway (DEG) for Automated File Exchange across Networks
Customized Data Exchange Gateway (DEG) for Automated File Exchange across Networks *Abhishek Vora B. Lakshmi C.V. Srinivas National Remote Sensing Center (NRSC), Indian Space Research Organization (ISRO),
More informationNetwork Management and Monitoring Software
Page 1 of 7 Network Management and Monitoring Software Many products on the market today provide analytical information to those who are responsible for the management of networked systems or what the
More informationFoundstone ERS remediation System
Expediting Incident Response with Foundstone ERS Foundstone Inc. August, 2003 Enterprise Risk Solutions Platform Supports Successful Response and Remediation Introduction The Foundstone Enterprise Risk
More informationIntrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12
Intrusion Detection Systems and Supporting Tools Ian Welch NWEN 405 Week 12 IDS CONCEPTS Firewalls. Intrusion detection systems. Anderson publishes paper outlining security problems 1972 DNS created 1984
More informationEthical Hacking Agreement for External Network Security Unannounced Penetration Test
Ethical Hacking Agreement for External Network Security Unannounced Penetration Test Agreement made on the (date), between (Name of Consultant) of (street address, city, state, zip code), referred to herein
More informationIntrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool
Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Mukta Garg Assistant Professor, Advanced Educational Institutions, Palwal Abstract Today s society
More informationCS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013
CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access
More informationSTUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS
STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS SACHIN MALVIYA Student, Department of Information Technology, Medicaps Institute of Science & Technology, INDORE (M.P.)
More informationChange Management. Why Change Management? CHAPTER
Change Management 19 CHAPTER In this chapter, you will Learn why change management is an important enterprise management tool Understand the key concept of segregation of duties Review the essential elements
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationInternational Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849
WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationComputer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 13, Dec. 6, 2010 Auditing Security Audit an independent review and examination
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationNetwork & Agent Based Intrusion Detection Systems
Network & Agent Based Intrusion Detection Systems Hakan Albag TU Munich, Dep. of Computer Science Exchange Student Istanbul Tech. Uni., Dep. Of Comp. Engineering Abstract. The following document is focused
More informationHow To Classify A Dnet Attack
Analysis of Computer Network Attacks Nenad Stojanovski 1, Marjan Gusev 2 1 Bul. AVNOJ 88-1/6, 1000 Skopje, Macedonia Nenad.stojanovski@gmail.com 2 Faculty of Natural Sciences and Mathematics, Ss. Cyril
More informationApplication Intrusion Detection
Application Intrusion Detection Drew Miller Black Hat Consulting Application Intrusion Detection Introduction Mitigating Exposures Monitoring Exposures Response Times Proactive Risk Analysis Summary Introduction
More informationWhite Paper. Information Security -- Network Assessment
Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer
More informationNetwork Instruments white paper
Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationIPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region
IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express
More informationIntruders and viruses. 8: Network Security 8-1
Intruders and viruses 8: Network Security 8-1 Intrusion Detection Systems Firewalls allow traffic only to legitimate hosts and services Traffic to the legitimate hosts/services can have attacks CodeReds
More informationThe Business Case for Security Information Management
The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationITEC441- IS Security. Chapter 15 Performing a Penetration Test
1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and
More informationSystem Health and Intrusion Monitoring Using a Hierarchy of Constraints
System Health and Intrusion Monitoring Using a Hierarchy of Constraints Calvin Ko 1, Paul Brutch 1, Jeff Rowe 2, Guy Tsafnat 1, and Karl Levitt 2 1 NAI Labs, Network Associates Inc., Santa Clara, CA {Calvin
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationHost-Based Intrusion Detection Using User Signatures
Host-Based Intrusion Detection Using User Signatures Seth Freeman Rensselaer olytechnic Institute 110 8th Street freems@cs.rpi.edu Alan Bivens Rensselaer olytechnic Institute 110 8 th street bivenj@cs.rpi.edu
More informationAdvancement in Virtualization Based Intrusion Detection System in Cloud Environment
Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Jaimin K. Khatri IT Systems and Network Security GTU PG School, Ahmedabad, Gujarat, India Mr. Girish Khilari Senior Consultant,
More information