Henric Johnson Blekinge Institute of Technology, Sweden Henric Johnson 1

Similar documents
Malicious Software. Ola Flygt Växjö University, Sweden Viruses and Related Threats

Intruders and viruses. 8: Network Security 8-1

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

CS549: Cryptography and Network Security

Computer Security DD2395

Chapter 14 Computer Threats

Cryptography and Network Security Chapter 21. Malicious Software. Backdoor or Trapdoor. Logic Bomb 4/19/2010. Chapter 21 Malicious Software

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

Network Incident Report

Cryptography and Network Security

Malicious Software. Malicious Software. Overview. Backdoor or Trapdoor. Raj Jain. Washington University in St. Louis

Computer Networks & Computer Security

Worms, Trojan Horses and Root Kits

Topics. Virus Protection and Intrusion Detection. What is a Virus? Three related ideas

Rogue Programs. Rogue Programs - Topics. Security in Compu4ng - Chapter 3. l Rogue programs can be classified by the way they propagate

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Malware. Björn Victor 1 Feb [Based on Stallings&Brown]

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY

CS 356 Lecture 9 Malicious Code. Spring 2013

Hackers: Detection and Prevention

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

E-BUSINESS THREATS AND SOLUTIONS

CS574 Computer Security. San Diego State University Spring 2008 Lecture #7

Introduction To Security and Privacy Einführung in die IT-Sicherheit I

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Common Cyber Threats. Common cyber threats include:

Network Security: From Firewalls to Internet Critters Some Issues for Discussion

Network and Host-based Vulnerability Assessment

(Self-Study) Identify How to Protect Your Network Against Viruses

ANTI-VIRUS POLICY OCIO TABLE OF CONTENTS

Firewalls, Tunnels, and Network Intrusion Detection

License for Use Information

Malware: Malicious Code

Reduce Your Virus Exposure with Active Virus Protection

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Intrusion Detection Systems (IDS)

Security Maintenance Practices. IT 4823 Information Security Administration. Patches, Fixes, and Revisions. Hardening Operating Systems

Network- vs. Host-based Intrusion Detection

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

STANDARD ON CONTROLS AGAINST MALICIOUS CODE

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

Patch and Vulnerability Management Program

Computer Viruses: How to Avoid Infection

Network Monitoring Tool to Identify Malware Infected Computers

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Radware s Behavioral Server Cracking Protection

Top Ten Cyber Threats

Computer Security Threats

Cracking and Computer Security

ANTIVIRUS BEST PRACTICES

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Executable Integrity Verification

Hope is not a strategy. Jérôme Bei

Chapter 12 Objectives. Chapter 12 Computers and Society: Security and Privacy

The Law. Computer Hacking & Cybercrime. Hacking Tools. Hacking Tools. Group 4 - Troester, van Winkle, Wickless, & Wilson

1949 Self-reproducing cellular automata Core Wars

Security Toolsets for ISP Defense

Optimizing and Protecting Hard Drives Chapter # 9

The Self-Hack Audit Stephen James Payoff

Module 4 Protection of Information Systems Infrastructure and Information Assets. Chapter 6: Network Security

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Penetration Testing Report Client: Business Solutions June 15 th 2015

Security Engineering Part III Network Security. Intruders, Malware, Firewalls, and IDSs

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Network Security. Chapter 12. Learning Objectives. Chapter Outline. After reading this chapter, you should be able to:

Windows Remote Access

Computer Security. COMP 424 Lecture week 6 Program Security

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

PC Security and Maintenance

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Incident Handling. Applied Risk Management. September 2002

Host Security. Host Security: Pro

6WRUP:DWFK. Policies for Dedicated SQL Servers Group

Section 12 MUST BE COMPLETED BY: 4/22

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours

Announcements. Lab 2 now on web site

When you listen to the news, you hear about many different forms of computer infection(s). The most common are:

Global Partner Management Notice

Nixu SNS Security White Paper May 2007 Version 1.2

Virii, Worms, and Other Malware. Thanks to Marc Liberatore for putting together these slides

ACS-3921/ Computer Security And Privacy. Lecture Note 5 October 7 th 2015 Chapter 5 Database and Cloud Security

(General purpose) Program security. What does it mean for a pgm to be secure? Depends whom you ask. Takes a long time to break its security controls.

Network Security and Firewall 1

: PASSWORD AUDITING TOOLS

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

COMPUTER-INTERNET SECURITY. How am I vulnerable?

AN OVERVIEW OF VULNERABILITY SCANNERS

Incident Handling Procedure

Computer Security Maintenance Information and Self-Check Activities

Introduction to Computer Security Table of Contents

Web Plus Security Features and Recommendations

Transcription:

Intruders and Viruses Henric Johnson Blekinge Institute of Technology, Sweden http://www.its.bth.se/staff/hjo/ henric.johnson@bth.se h @bths Henric Johnson 1

Intruders Intrusion Techniques Outline Password Protection Password Selection Strategies Intrusion Detection Viruses and Related Threats Malicious Programs The Nature of Viruses Antivirus Approaches Advanced Antivirus Techniques Recommended Reading and WEB Sites Henric Johnson 2

Intruders Three classes of intruders (hackers or crackers): Masquerader Misfeasor Clandestine user Henric Johnson 3

Intrusion Techniques System maintain a file that associates a password with each authorized user. Password file can be protected with: One-way encryption Access Control Henric Johnson 4

Intrusion Techniques Techniques for guessing passwords: Try default passwords. Try all short words, 1 to 3 characters long. Try all the words in an electronic dictionary(60,000). 000) Collect information about the user s hobbies, family names, birthday, etc. Try user s s phone number, social security number, street address, etc. Try all license plate numbers (MUP103). Use a Trojan horse Tap the line between a remote user and the host system. Prevention: Enforce good password selection (Ij4Gf4Se%f#) Henric Johnson 5

UNIX Password Scheme Loading a new password Henric Johnson 6

UNIX Password Scheme Verifying i a password file Henric Johnson 7

Storing UNIX Passwords UNIX passwords were kept in in a publicly readable file, etc/passwords. Now they are kept in a shadow directory and only visible by root. Henric Johnson 8

Salt The salt serves three purposes: Prevents duplicate passwords. Effectively increases the length of the password. Prevents the use of hardware implementations of DES Henric Johnson 9

Password Selecting Strategies User ducation Computer-generated passwords Reactive password checking Proactive password checking Henric Johnson 10

Markov Model Henric Johnson 11

Transition i Matrix 1. Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth character. 2. For each bigram ij, calculate f(i,j, ) as the total number of trigrams beginning with ij. 3. Compute the entries of T as follows: T ( i, j, k) = f f ( i, j, k) ( i, j, ) Henric Johnson 12

H i Spafford (Bloom Filter) ( X ) = y 1 i k; 1 j D; 0 y N 1 i where X i == D jth word number of in password dictionary word in password dictionary The following procedure is then applied to the dictionary: 1. A hash h table of N bits is definied, d with all bits initially set to 0. 2. For each password, its k hash values are calculated, and the responding bits in the hash table are set to 1 Henric Johnson 13

Spafford (Bloom Filter) Design the hash scheme to minimize false positive. Probability of false positive: P (1 e kd / N or, equivalent R k ln(1 P 1/ k ) k ly, ) = (1 e k / R ) k where k = number of hash function N = number of bits in hash table D = number of words in dictionary R = N / D, ratio of hash table size ( bits ) to dictionary size ( words ) Henric Johnson 14

Performance of Bloom Filter Henric Johnson 15

The Stages of a Network Intrusion 1. Scan the network to: locate which IP addresses are in use, what operating system is in use, what TCP or UDP ports are open (being listened to by Servers). 2. Run Exploit scripts against open ports 3. Get access to Shell program which is suid (has root privileges). 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. 5. Use IRC (Internet Relay Chat) to invite friends to the feast. Henric Johnson 16 16

Intusion Detection The intruder can be identified and ejected from the system. An effective intrusion detection can prevent intrusions. Intrusion detection enables the collection of information about intrusion techniques that t can be used to strengthen th the intrusion prevention facility. Henric Johnson 17

Profiles of Behavior of Intruders and Authorized Users Henric Johnson 18

Intrusion Detection Statistical anomaly detection Treshold detection Profile based Rule based detection Anomaly detection Penetration identidication Henric Johnson 19

Measures used for Intrusion Detection Login frequency by day and time. Frequency of login at different locations. Time since last login. Password failures at login. Execution frequency. Execution denials. Read, write, create, delete frequency. Failure count for read, write, create and delete. Henric Johnson 20

Distributed Intrusion Detection Developed at University of California at Davis Henric Johnson 21

Distributed Intrusion Detection Henric Johnson 22

Viruses and Malicious Programs Computer Viruses and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a Worm ). Other Malicious Programs may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs). Henric Johnson 23

Taxanomy of Malicious Programs Malicious Programs Need dhost Id Independentd Program Trapdoors Logic Bombs Trojan Horses Viruses Bacteria Worms Henric Johnson 24

Definitions i i Virus - code that copies itself into other programs. A Bacteria replicates until it fills all disk space, or CPU cycles. Payload -harmful things the malicious program does, after it has had time to spread. Worm - a program that replicates itself across the network (usually riding on email messages or attached documents (e.g., macro viruses). Henric Johnson 25

Definitions i i Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net). Logic Bomb - malicious code that activates on an event (e.g., date). Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users. Easter Egg - extraneous code that does something cool. A way for programmers to show that they control the product. Henric Johnson 26

Virus Phases Dormant phase - the virus is idle Propagation phase -the virus places an identical copy of itself into other programs Triggering phase the virus is activated to perform the function for which it was intended Execution phase the function is performed Henric Johnson 27

Virus Protection Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses. Do not execute programs (or "macro's") from unknown sources (e.g., PS files, Hypercard files, MS Office documents, Avoid the most common operating systems and email programs, if possible. Henric Johnson 28

Virus Structure Henric Johnson 29

A Compression Virus Henric Johnson 30

Types of Viruses Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs. Memory-resident resident Virus - Lodges in main memory as part of the residual operating system. Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses). Stealth Virus - explicitly designed to hide from Virus Scanning programs. Polymorphic Virus - mutates with every new host to prevent signature detection. Henric Johnson 31

Macro Viruses Microsoft Office applications allow macros to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File). Platform independent. Infect documents, delete files, generate email and edit letters. Henric Johnson 32

Antivirus Approaches 1st Generation, Scanners: searched files for any of a library of known virus signatures. Checked executable files for length changes. 2nd Generation, Heuristic Scanners: looks for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes. 3rd Generation, Activity Traps: stay resident in memory m and look for certain patterns of software behavior (e.g., scanning files). 4th Generation, Full Featured: combine the best of the techniques above. Henric Johnson 33

Advanced Antivirus Techniques Generic Decryption (GD) CPU Emulator Virus Signature Scanner Emulation Control Module For how long should a GD scanner run each interpretation? Henric Johnson 34

Advanced Antivirus Techniques Henric Johnson 35

Recommended Reading and WEB Sites Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990 CERT Coordination i Center (WEB Site) AntiVirus Online (IBM s site) Henric Johnson 36

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information