Intrusion Detection
  • Physical intrusion: physically remove some hardware, e.g. take the disk away and read it on another system; most BIOSes have a back-door password. System intrusion: the attacker already has a low-privilege user account and exploits the system to gain additional (administrative) privileges. Remote intrusion: the attacker tries to get into the system remotely across the network, with no special privileges such as physical access or a system account. Most hacking is done this way, and NIDSs are primarily concerned with remote intrusion.
  • Software bugs. Buffer overflows: the attacker overflows an input (for example 300 characters where 15 is the valid length) with random data; if the program crashes, carefully constructed input will let the attacker break in. Unexpected combinations: a PERL script passes something like " | mail < /etc/passwd " as input to another program, say mail. Unhandled input: most software deals with valid input; what does it do on invalid input? Race conditions: very rare, but intruders try thousands of times before they get it right and break into the system. System configuration. Default configurations: most systems ship with default, easy-to-use configurations that are also easy to break into. Lazy administrators: an empty root/administrator password. Hole creation: turn off everything that doesn't absolutely, positively need to run on a machine, to avoid accidental holes.
  • Password cracking. Weak passwords (the wife's name); dictionary attacks, either by repeatedly logging into systems or by collecting encrypted passwords and trying to find a match; and brute-force attacks. Sniffing unsecured traffic. Shared medium: on traditional Ethernet, put a sniffer on the wire. Server sniffing: a sniffing program on a server (or a router) yields information that can be used to break into client machines or trusted machines; sniffing a Telnet session as users log in gives you their passwords. Design flaws. TCP/IP protocol flaws: TCP/IP was designed before security was a concern, so the protocol is open to security problems; examples are Smurf, IP spoofing and SYN floods. IP spoofing: an intruder sends a message with the IP address of a trusted host to gain unauthorized access to computers. Smurf: a DoS attack that uses bandwidth consumption to disable a system's network resources. The attacker sends ICMP requests to the broadcast address of an amplifying network with the victim's address as the return address; if the amplifying network has 100 systems, the signal is amplified 100 times. SYN flood: the attacker sends many SYN requests to the victim with spoofed (non-existent) source addresses as the return address. The victim's server responds with a SYN/ACK to the non-existent address and waits for the client's response; since the address does not exist, the ACK never comes and the server runs out of resources. UNIX design flaws: the access control system; the administrator can do anything.
  • The Intrusion Detection System Consortium (IDSC) was established in 1998 by ICSA, the same company that provided some of the first firewall certification criteria. All intrusion detection is based on analysing records for a set of patterns or signatures of misuse. The IDS runs constantly on your system, working away in the background, and notifies you only when it detects something it considers suspicious or illegal. Whether you appreciate that notification depends on how well you've configured your intrusion detection system!
  • Outside reconnaissance: the intruder finds out as much as possible about the target machine (domain name, DNS tables, public information) without giving themselves away. Inside reconnaissance: the intruder scans for information but still does nothing harmful: looks at your web pages for CGI scripts (CGI scripts are often easily hacked), does a 'ping' sweep to see which machines are alive, and does a UDP/TCP scan or strobe to see which services are available. This is 'normal' activity on the network, not an intrusion; at this point a NIDS can tell you that someone is at the door, but the door has not been opened yet. Exploit: the intruder starts trying to get into the system, by attempting to compromise a CGI script by sending shell commands in input fields, by buffer overruns, or by password cracking; if password guessing succeeds, they then try to get root/admin access. CGI script and web server attacks belong here. Foothold: at this stage the attacker has succeeded and tries to hide the evidence of the attack (doctoring the audit trail and log files and putting them back) so they can stay without coming into the picture. The attacker may now replace existing services with their own Trojan horses, or create their own user accounts. System Integrity Verifiers (SIVs) can often detect the intruder here, but the attacker will then use the system as a stepping stone to other systems. Profit: steal confidential data, attack another site from the target, change web pages, or run whole businesses from your web site on your system. Random: scan the entire Internet for machines that have the SendMail DEBUG hole.
  • What are some common reconnaissance scans? Ping sweeps: this simple scan pings a range of IP addresses to find which machines are alive. TCP/UDP scans: looking for half-open TCP connections or open TCP ports with services the intruder can exploit. UDP is connectionless, so this is a little more difficult: send a garbage UDP packet to the desired port; most machines respond with an ICMP "destination port unreachable" message, indicating that no service is listening on that port. OS identification: the response to an invalid request tells you about the system. Account scans: empty passwords, default accounts, accounts installed with software products.
  • Common exploits. CGI scripts: a classic CGI bug is the 'phf' library, which is supposed to allow server-parsed HTML but can be exploited to give back any file. Next, if your system is not using CGI scripts such as TextCounter, GuestBook, EWS, info2www, Count.cgi, handler, files.pl, nph-publish, AnyForm, FormMail and many more, and someone is trying to access those scripts, that is an indication of an intrusion attempt. Web server attacks: 1. In lots of self-written web servers a filename may contain "../" in its path to move around the file system; because of this hole one can get any file. 2. Buffer overflow in an HTTP request field. 3. Web browser attacks: old Microsoft and Netscape web browsers had security holes where URL fields could cause a buffer-overflow condition. HTML and HTTP: in HTTP headers some fields are passed to functions; JavaScript usually tries to exploit the "file upload" function by generating a filename and automatically hiding the "SUBMIT" button. Java and ActiveX work on a trust model and run native code. We don't know about any security holes in the latest MS or Netscape web browsers, yet. 4. SMTP (SendMail) attacks: in the old days attackers used the DEBUG command or the hidden WIZ feature to break into SMTP, but these days they usually try buffer overruns. Access: failed login attempts, failed file access attempts, password cracking, abuse of administrative powers. 5. IP spoofing: by using someone else's source address in the IP packet, an intruder can pretend to be you when talking to a server. The response packets are sent to your machine and thrown away because they don't match any request you've sent. IP spoofing is frequently used in SMURF. TCP sequence number prediction. DNS poisoning: if you can corrupt the DNS server, you can take advantage of trust relationships. Every DNS packet contains a "Question" section and an "Answer" section; vulnerable servers will believe (and cache) Answers sent along with Questions. Most, but not all, DNS servers have been patched as of November, 1998. Buffer overflows can be done by DNS overflow, where an overly long DNS name is sent to a server, or by state overflow, where an overly long filename is provided.
  • Signature recognition: well-known patterns of attack. A simple CGI pattern such as "/cgi-bin/phf?", or copying the password file '/etc/passwd' over an FTP session. TCP port scan: the attacker requests a large number of TCP connections to different ports on a target machine; a sensor attached to the network segment that looks at the packets passing through it can stop that kind of attack. Port signatures: if common ports (telnet, ftp, sunrpc) are not in use, then incoming packets on those ports are suspicious. Header-condition signatures / invalid protocol behaviour: watch for illogical combinations in packet headers. Example: WinNuke, where a packet is destined for a NetBIOS port and the Urgent pointer is set; that packet can result in a "blue screen of death" on Windows systems. Another example: a TCP packet with both the SYN and FIN flags set, i.e. the connection starts and stops at the same time. Protocol stack verification: some intrusions are based on violations of the IP, TCP, UDP and ICMP protocols, and can be found from suspicious protocol behaviour.
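The SYN+FIN and WinNuke header conditions, the unused-port signature and the TCP port-scan pattern described above, implemented as a small detector run over constructed packet records. This is an added example, not code from the slides; the Packet record, the flag constants and the port sets are assumptions made for it.

```python
"""Header-condition signatures and a TCP port-scan detector over constructed
packet records (added example; Packet, flag constants and port sets assumed)."""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

NETBIOS_PORTS = {137, 138, 139}
# Ports the slides name as commonly unused (ftp, telnet, sunrpc); traffic to
# them is suspicious on a host that does not run those services (assumption).
UNUSED_PORTS = {21, 23, 111}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    flags: int = 0    # TCP flags byte, 0 for non-TCP
    urg_ptr: int = 0  # TCP urgent pointer


def header_signatures(pkt):
    """Names of the per-packet header-condition signatures that pkt matches."""
    hits = []
    if pkt.proto == "tcp":
        # A connection cannot be opened and closed by the same segment.
        if pkt.flags & SYN and pkt.flags & FIN:
            hits.append("SYN+FIN")
        # WinNuke: out-of-band (URG) data aimed at a NetBIOS port.
        if pkt.dport in NETBIOS_PORTS and pkt.flags & URG and pkt.urg_ptr:
            hits.append("URG to NetBIOS port %d" % pkt.dport)
    if pkt.dport in UNUSED_PORTS:
        hits.append("traffic to unused port %d" % pkt.dport)
    return hits


class PortScanDetector:
    """Alerts once when a source has sent SYNs to more than `threshold`
    distinct ports on a single target."""

    def __init__(self, threshold=10):
        self.threshold = threshold
        self.ports = defaultdict(set)   # (src, dst) -> distinct dports seen
        self.alerted = set()

    def observe(self, pkt):
        # Only pure SYNs (no ACK) are connection requests.
        if pkt.proto != "tcp" or not pkt.flags & SYN or pkt.flags & ACK:
            return None
        key = (pkt.src, pkt.dst)
        self.ports[key].add(pkt.dport)
        if len(self.ports[key]) > self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return "TCP port scan %s -> %s (%d ports)" % (
                pkt.src, pkt.dst, len(self.ports[key]))
        return None


def analyze(packets, scan_threshold=10):
    """Run both detectors over a packet list; return the alert strings in order."""
    scans = PortScanDetector(scan_threshold)
    alerts = []
    for pkt in packets:
        for sig in header_signatures(pkt):
            alerts.append("%s -> %s: %s" % (pkt.src, pkt.dst, sig))
        alert = scans.observe(pkt)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: a 12-port SYN sweep, one SYN+FIN probe, one
# WinNuke-style segment and one ordinary web request.
SAMPLE = [Packet("10.0.0.5", "10.0.0.9", "tcp", p, SYN) for p in range(1, 13)]
SAMPLE += [
    Packet("10.0.0.5", "10.0.0.9", "tcp", 80, SYN | FIN),
    Packet("10.0.0.5", "10.0.0.9", "tcp", 139, URG | ACK | PSH, urg_ptr=1),
    Packet("10.0.0.7", "10.0.0.9", "tcp", 80, SYN),
]

if __name__ == "__main__":
    for line in analyze(SAMPLE):
        print(line)
```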
  • Anomaly detection: if all of a sudden there is a deviation from the baseline of any measured state (CPU utilization, disk activity, user logins, file activity), the system triggers. The system can detect anomalies without going into specifications; for example, all traffic increases, or workstations start trying to log in to the server.
  • IDS: most systems have one of these capabilities; tools that provide several of them are hybrids.
  • Command control: the central commanding authority for controlling the whole system; a good command system should be remote. Network sensor: agents or computer programs that run on a dedicated machine on a critical network to monitor traffic. Alert notification: the alert system notifies the security officer responsible for handling the incident, including on-screen alerts, audible alerts, paging and email; most systems can also notify the NOC (network operations centre) via SNMP. Response subsystem: takes action based on the threat, such as reconfiguring the firewall/router and shutting down the system. Database: repository for all misuse/intrusions observed. Network tap: gathers data from the network; can be a software agent or hardware such as a router; it should not lose packets on a high-bandwidth network. The target agent performs tasks such as sniffing TCP/IP packets, processing event logs, centralizing data, checking file integrity, verifying system configuration or executing responses. One target system can have many agents doing several different tasks; they run in the background on UNIX or as services on Windows NT.
  • Network node systems take care of many problems that traditional systems didn't. A typical example is looking for a large number of TCP connection requests (SYNs) to many different ports on a target machine, thus discovering whether someone is attempting a TCP port scan. A network intrusion detection system sniffs network traffic by promiscuously watching all traffic on the segment. Both kinds of system are real-time; a host-based IDS can be either real-time or non-real-time.
  • Notification: an SNMP trap datagram is sent to a management console such as HP OpenView, Tivoli or Cabletron Spectrum; an event is sent to the Windows NT event log, or on UNIX to the syslog event system. Log the attack: save a trace file of the raw packets for later analysis. Launch program: launch a separate program to handle the event.
  • Reconfigure the firewall/router to filter out the IP address of the intruder so that traffic from that source is refused (however, this still allows the intruder to attack from other addresses). Checkpoint firewalls support a "Suspicious Activity Monitoring Protocol (SAMP)" for configuring firewalls. Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information).
  • High-speed networks: as speed increases, traditional systems drop packets, which gives an intruder cover to hide in. A packet flood is itself suspicious behaviour, but a node-based network system can detect this. Packet reassembly: many signatures are only detected in the full string after the fragments have been reassembled into a continuous message, so a sensor-based NIDS must implement Byzantine processing to reassemble traffic for the entire network segment. The problem is that the system can slow down while reassembling and become vulnerable to DoS; besides that, some messages can only be captured while the packets are unassembled. Also, the system should be able to capture them above the IP layer. Sniffer detection programs: in July 1999, L0pht Heavy Industries released a program, AntiSniff, which can detect whether a machine has a network tap present or not; the test can determine whether a remote network interface is listening. AntiSniff has its own limitations. Switched networks: ATM has fixed cell sizes and provides built-in transport, switching and network management, so the solution here is in hardware; a node-based network system, however, can put a sensor on each node. Encryption: most commercial network-based systems are almost worthless against an encrypted data stream. Solutions: 1. Put the network sensor on the decrypted side of the VPN. 2. Decrypt on the fly by putting the key on the router (a security threat and a management nightmare). 3. A distributed network architecture with ID agents on the end systems, reading after decryption. 4. An intermediate (encryption-decryption-IDS-encryption) gateway with PKI key management.
  • HIDS: this is achieved by monitoring log files, users and the file system. A host-based IDS can use system logs, application logs, host traffic and in some instances firewall logs as its data source. Some of the activities a host-based IDS can monitor include: system integrity checkers, e.g. "Tripwire" or "LANguard File Integrity Checker"; log file monitors, which detect intruders by retrieving and analysing log files on systems, especially servers, for example when a user acquires root/administrator-level privileges. Agent: a small executable that runs on the target machine and communicates with the central command console (which can be on a different machine). Examples of misuse. Abuse of privilege: privilege used in an unauthorized manner. Unintended/inadvertent privilege grants: the administrator gives privilege to install a program and forgets to remove it. Stale (live) accounts: an ex-employee's account. Bad account privilege policy. Back-door creation: an administrator can create an account without going through procedures, an undocumented account.
  • Some of the activities a host-based IDS can monitor include: user-specific actions: monitor the file system for file permission changes and privilege escalation, and watch certain users; some systems will even prevent those events from occurring. Access to system log files, running processes and the file system: search for certain strings/patterns and generate an alarm. Ability to determine the success or failure of an attack: this reduces the rate of false positives. Attacks pass through a NIDS that is not updated regularly, so it might miss some attacks that a HIDS can still detect, because the HIDS is able to log whether the attack failed or succeeded.
  • TCB (trusted computing base): an effective IDS is built on the TCB, so that the events and behaviour it records cannot be modified.
  • Knowledge-based (signature) detection: accuracy is good, with no false alarms (everything that doesn't match a signature is accepted). Negatives: 1. gathering the required information and staying up to date with new vulnerabilities.
  • Behaviour-based (anomaly) detection: 1. an alarm is generated on a deviation from the baseline; 2. a good system for catching all attacks, but with lots of false alarms.
  • If a signature is not carefully designed, it matches too much. For example, tools detect attacks on sendmail by looking for the words "DEBUG" or "WIZARD" as the first word of a line. If this is in the body of the message it is in fact innocuous, but if the tool doesn't differentiate between the header and the body of the mail, then a false alarm is generated. A covert channel: data transfer between machines without alerting any firewalls or IDSs on the network. It sends data through ports that most firewalls permit; to the IDS it is an innocuous packet, while it actually carries data in one of the control fields of the TCP and IP headers.
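The header-versus-body distinction described above, shown on a constructed SMTP client stream: a naive matcher that fires on any line starting with DEBUG/WIZ beside one that only considers the SMTP command channel. This is an added example, not from the slides; the regex and the session text are constructed for it.

```python
"""Sendmail DEBUG/WIZ signature: naive matching versus SMTP-session-aware
matching (added example; the client stream below is constructed)."""
import re

# Old sendmail attacks used the DEBUG command or the hidden WIZ feature; the
# signature looks for either as the first word of a line.
SIGNATURE = re.compile(r"^(DEBUG|WIZ|WIZARD)\b", re.IGNORECASE)


def naive_matches(lines):
    """Match every line, header and body alike (how the false alarm arises)."""
    return [i for i, line in enumerate(lines) if SIGNATURE.match(line)]


def session_aware_matches(lines):
    """Match only lines the client sends as SMTP commands.  After DATA the
    client is transmitting the message (headers and body) until a line holding
    a single '.', and nothing in that stretch is a command."""
    hits = []
    in_message = False
    for i, line in enumerate(lines):
        if in_message:
            if line.strip() == ".":
                in_message = False      # end of message, back to commands
            continue
        if SIGNATURE.match(line):
            hits.append(i)
        elif line.strip().upper() == "DATA":
            in_message = True
    return hits


# Constructed client-to-server stream: a legitimate message whose body starts
# lines with "DEBUG" and "WIZARD", followed by a second session that really
# issues the DEBUG and WIZ commands.
CLIENT_LINES = [
    "HELO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: build log",
    "",
    "DEBUG output from last night's build is attached.",
    "WIZARD mode was not enabled.",
    ".",
    "QUIT",
    "HELO attacker.test",
    "DEBUG",
    "WIZ",
    "QUIT",
]

if __name__ == "__main__":
    print("naive:", naive_matches(CLIENT_LINES))                  # [6, 7, 11, 12]
    print("session-aware:", session_aware_matches(CLIENT_LINES))  # [11, 12]
```

The session-aware version depends on seeing the whole stream in order, so it inherits the packet-reassembly caveat from the network-sensor notes.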
  • We have firewalls because security holes are left open accidentally. When we put up a firewall, first ALL communication is stopped, and then the administrator adds "rules" that allow specific types of traffic to go through the firewall. A firewall is not the dynamic defensive system that users imagine it to be; it has no capability of detecting somebody trying to break in. In contrast, an IDS is much more of a dynamic system. An IDS does recognize attacks against the network that firewalls are unable to see. For example, in April of 1999 many sites were hacked via a bug in ColdFusion, and all of those sites had firewalls that restricted access to only the web server at port 80; however, it was the web server that was hacked. Another problem with firewalls is that they are only at the boundary of your network. Roughly 80% of all financial losses due to hacking come from inside the network.
  • A lightweight intrusion detection system can easily be deployed on almost any node of a network with minimal disruption to operations. Lightweight IDSs should be cross-platform, have a small system footprint, and be easily configured by system administrators who need to implement a specific security solution in a short amount of time. They can be any set of software tools that can be assembled and put into action in response to evolving security situations. There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system. Sniffer mode simply reads the packets off the network and displays them in a continuous stream on the console. Packet logger mode logs the packets to disk. Network intrusion detection mode is the most complex and configurable, allowing Snort to analyse network traffic for matches against a user-defined rule set and perform several actions based on what it sees. Sniffer mode: if you just want to print the TCP/IP packet headers to the screen. Packet logger mode: if you want to record the packets to disk, you specify a logging directory and Snort automatically goes into packet logger mode. Network intrusion detection mode. Changing alert order: some people don't like the default order in which Snort applies its rules to packets: Alert rules are applied first, then Pass rules, and finally Log rules.
  • Malicious software: software with intentional flaws built into the programs, developed by an attacker to probe the computer system in an unauthorized way.
  • Malicious software is of different types: viruses, traditionally divided into two types (boot sector viruses and file viruses); rabbits; hoaxes; Trojan horses (e.g. time bombs and logic bombs); spyware; trapdoors; worms.
  • Viruses: programs that spread malicious code to other programs by modifying them. Communication networks such as the Internet offer viruses a good base for spreading worldwide. Viruses can weaken the availability, integrity and confidentiality of data; in other words, they can destroy, change or alter the data. Viruses can also slow or hamper other operations of the systems. Some viruses cause random damage to data files or attempt to destroy files and disks; others cause unintended damage. Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them. Properties a virus author wants: hard to detect, hard to destroy or deactivate, spreads widely, able to re-infect, platform independent, easy to create.
  • Rabbits: their sole purpose is to replicate themselves. A typical rabbit program may do nothing more than execute two copies of itself simultaneously on a multiprogramming system, or perhaps create two new files, each a copy of the original source file of the rabbit program. Both of those copies then copy themselves twice, and so on. Rabbits reproduce exponentially, eventually taking up all the processor capacity, memory or disk space and denying users access to those resources.
  • Hoaxes can be, for example, false alerts of spreading viruses. They can appear in the form of chain letters. Hoaxes are based on the assumption that information contained in a message is of such kind that the recipient will almost certainly forward it. This again can block the systems because so many users are sending e-mails at the same time thus loading the network resources.
  • Trojan horse: a program that appears to do something non-malicious. Trojan horse programs are advertised to perform one function while in fact they perform a different one. This alternate, or secondary, function usually performs a covert action such as stealing user passwords. While the secondary function always executes in some manner, the advertised functionality may not necessarily exist; Trojan horse programs that wish to function in a concealed manner, however, will perform their advertised task so as not to arouse suspicion. A common example is a system's user login program that not only authenticates users but also records each user's plaintext password for future unauthorized access. As Trojan horses are neither self-replicating nor self-propagating, user assistance is required for infection: the user installs and executes programs that carry a Trojan horse.
  • Trojan horses are traditionally classified into two major categories. Time bomb: a "time bomb" is simply a Trojan horse set to trigger at a particular time/date. Logic bomb: a "logic bomb" is a Trojan horse set to trigger upon the occurrence of a particular logical event. An example of a logic bomb is a "letter bomb", contained in electronic mail and triggered when the mail is read.
  • Trapdoor: a trapdoor or backdoor is a feature in a program by which it can be accessed by someone using some means other than the obvious direct call, perhaps with special privileges. Key characteristics of a trapdoor: since it is installed within the controlling portion of the system (e.g. the operating system), it is capable of circumventing the normal control features of the system. Another key characteristic is that a trapdoor is exercised under the direct control of an activation stimulus: as the name implies, trapdoors have a means of activation (like the latch on a door), and this activation key is under the direct control of the attacker. A simple example of an activation key is a special sequence of characters typed into a terminal; a software trapdoor embedded in the operating system code can recognize this key and allow the user of the terminal special privileges, which it does by circumventing the normal control features of the system.
  • Undetectable trapdoor: the attacker can construct the trapdoor in such a manner as to make it virtually undetectable even to suspecting investigators. Hardware trapdoor: a major concern in computer security has been security-related hardware flaws. The fear is that processor hardware might fail in such a way that the processor keeps running but security-related hardware checks are no longer made; for example, the failed hardware might allow a privileged instruction to be executed from a user program.
  • Worms: a virus that spreads over a network and can run independently. A worm is very much like a virus in that it replicates itself and attacks a system with the potential to do irrecoverable damage. Unlike a virus, a worm is a stand-alone program that infects a computer system and infects other computers only through network connections. Once a worm infects a system, it actively seeks out connections to other computers and copies itself onto those systems. In addition to propagating from one computer system to another, worms often perform malicious actions, and such activity is not limited to the deletion of files: since the computers are connected via a network, the worm can communicate information back to its author, such as user passwords, network service information, and even proprietary research or information. Further, a worm may be able to completely disrupt normal operations on a computer, causing a denial of service; this often occurs when a worm does not check whether a system has already been infected and multiple worm programs execute on one computer. Difference between worms and viruses: unlike viruses, worms exist as separate entities; they do not attach themselves to other files or programs.
  • Infection by worms: before a system can become infected with a worm, the worm must be created, and creating a worm is a more difficult task. For a worm to function properly, the author must be knowledgeable about communication protocols, network system vulnerabilities, and operating system details such as file locations, file contents and file manipulation. Once a worm has been created and tested, it can be released to attack and infect computer systems. By taking advantage of trusted host lists (e.g. UNIX .rhosts files), a worm can quickly infect numerous systems. Where trusted host lists are unavailable, many worms attempt to penetrate a system by guessing passwords. When both password guessing and trusted host access fail, a worm may attempt to exploit (widely) known security holes. This technique requires the worm's author to be very familiar with the inner workings of network services: the author must understand both how network services work and how they may be exploited to install a worm. An example of an incident where this knowledge was used is the widely known Internet Worm.
  • A virus-infected file gets bigger because the virus code embeds itself into the original program (which it is infecting) in one of these places: at the start of the program, at the end of the program, or in between the program code, scattered within it, which is difficult to detect and remove but equally difficult to design.
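An added example, not from the slides, of the System Integrity Verifier idea from the HIDS notes (Tripwire-style) applied to the observation above that an infected file grows: it baselines the size and SHA-256 of every file, then classifies modified, grown, added and missing files on a constructed temporary tree. File names and contents are constructed for the example.

```python
"""Minimal Tripwire-style system integrity verifier (added example; the
sample file tree is constructed in a temporary directory)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to (size, sha256 hex digest)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[rel] = (os.path.getsize(full), digest.hexdigest())
    return baseline


def compare(baseline, current):
    """Classify the differences between two snapshots.

    'grown' is the classic sign of a file infector appending its code; the
    hash check also catches in-place changes that a size check alone misses."""
    report = {"modified": [], "grown": [], "added": [], "missing": []}
    for path, (size, digest) in current.items():
        if path not in baseline:
            report["added"].append(path)
            continue
        old_size, old_digest = baseline[path]
        if digest != old_digest:
            report["modified"].append(path)
            if size > old_size:
                report["grown"].append(path)
    for path in baseline:
        if path not in current:
            report["missing"].append(path)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Build a constructed tree, take a baseline, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        files = {
            "bin/login": b"\x7fELF login program bytes",
            "bin/ls": b"\x7fELF ls program bytes",
            "motd": b"welcome\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)

        # Simulated tampering: bytes appended to login (file grows), ls patched
        # in place (same size), a new file dropped, motd removed.
        with open(os.path.join(root, "bin/login"), "ab") as fh:
            fh.write(b" + appended bytes")
        with open(os.path.join(root, "bin/ls"), "r+b") as fh:
            fh.seek(0)
            fh.write(b"\x7fELF LS")     # same length as the original prefix
        with open(os.path.join(root, "bin/sh.bak"), "wb") as fh:
            fh.write(b"dropped file")
        os.remove(os.path.join(root, "motd"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind + ":", ", ".join(paths) or "-"))
```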
  • Transcript

    • 1. <ul><li>Intrusion Detection </li></ul><ul><li>By </li></ul><ul><li>Himani Singh </li></ul><ul><li>( himanisingh @ comcast .net ) </li></ul><ul><li>& </li></ul><ul><li>Kavita Khanna </li></ul><ul><li>( [email_address] ) </li></ul><ul><li>(CS-265, Fall-2003) </li></ul>
    • 2. Intrusion Detection – “Presentation Outline” <ul><li>How an Intruder gets access? </li></ul><ul><li>Security Holes and Vulnerabilities </li></ul><ul><li>What is Intrusion Detection? </li></ul><ul><li>Typical intrusion scenario </li></ul><ul><li>Host based and Network based Intrusion Detection. </li></ul><ul><li>Knowledge based and behavioral based Intrusion Detection. </li></ul><ul><li>False positives / false alarms. </li></ul><ul><li>Do I need IDS if I already have a firewall? </li></ul>
    • 3. How an Intruder get access <ul><ul><li>Intruder </li></ul></ul><ul><ul><li>a hacker and/or cracker who hacks into systems and does unauthorized/ malicious activities </li></ul></ul><ul><li> How does an intruder get access? </li></ul><ul><ul><li>Physical Intrusion  remove some hardware, disk, memory… </li></ul></ul><ul><ul><li>System Intrusion  low-privilege user account </li></ul></ul><ul><ul><li>Remote Intrusion  across network </li></ul></ul>
    • 4. Security Holes and Vulnerabilities What? Software bugs System configuration Bad Password Policy Traffic Sniffing Design flaws
    • 5. Security Holes and Vulnerabilities <ul><li>Software bugs </li></ul><ul><ul><li>Buffer overflows – overflow input by intentional code . </li></ul></ul><ul><ul><li>Unexpected combinations : PERL can send some malicious input to another program </li></ul></ul><ul><ul><li>Unhandled input : action on invalid input ? </li></ul></ul><ul><ul><li>Race conditions : rare but possible </li></ul></ul><ul><li>System configuration </li></ul><ul><ul><li>Default configurations - easy-to-use configurations </li></ul></ul><ul><ul><li>Lazy administrators - empty root/administrator password </li></ul></ul><ul><ul><li>Hole creations - Turn off everything that doesn't absolutely positively need to run </li></ul></ul>
    • 6. Security Holes and Vulnerabilities (Cont…) <ul><li>Password cracking </li></ul><ul><ul><li>Weak passwords, Dictionary attacks and Brute force etc </li></ul></ul><ul><li>Sniffing unsecured traffic </li></ul><ul><ul><li>Shared medium </li></ul></ul><ul><ul><li>Server sniffing </li></ul></ul><ul><ul><li>Remote access </li></ul></ul><ul><li>Design flaws </li></ul><ul><ul><li>TCP/IP protocol flaws </li></ul></ul><ul><ul><ul><li>Smurf—ICMP request as return address as victim's </li></ul></ul></ul><ul><ul><ul><li>SYN Flood-target run out of recourse,combine with IP spooling </li></ul></ul></ul><ul><ul><li>UNIX design flaws </li></ul></ul><ul><ul><li>Distributed DoS attack – Amazon and Yahoo </li></ul></ul><ul><li>Do not forget Social Engineering- Hacker “Kevin Mitnick” told congress that he use technology only 2% of time </li></ul>
    • 7. What is Intrusion Detection <ul><li>Intrusion: An unauthorized activity or access to an information system. Attack originated outside the organization. </li></ul><ul><li>Misuse : Attacks originating inside the organization. </li></ul><ul><li>Intrusion Detection (ID ): process of detecting, if Intrusion / Misuse has been attempted, is occurring, or has occurred .[1] </li></ul><ul><ul><li>Intrusion and/or misuse can be as severe as stealing sensitive information or misusing your email system for Spam </li></ul></ul><ul><ul><li>ID runs continuously </li></ul></ul><ul><ul><li>Does both Detection and Response </li></ul></ul>The practical Intrusion Detection book by Paul E.Proctor .[1]
    • 8. Typical intrusion scenario <ul><li>Step 1: outside reconnaissance </li></ul><ul><li>Step 2: inside reconnaissance </li></ul><ul><li>Step 3: exploit </li></ul><ul><li>Step 4: foot hold </li></ul><ul><li>Step 5: profit, like bandwidth theft </li></ul><ul><li>Step 6: get out,cover trace </li></ul><ul><li>random internet addresses looking for a specific hole on any system rather than a specific system </li></ul>
    • 9. Step 1 &amp; 2: Reconnaissance <ul><li>Ping sweeps </li></ul><ul><li>TCP/UDP port scans </li></ul><ul><li>OS identification (fingerprinting) </li></ul><ul><li>Account scans </li></ul>
    • 10. Step 3: Exploits <ul><li>CGI scripts </li></ul><ul><li>Web server attacks </li></ul><ul><li>Web browser attacks </li></ul><ul><ul><li>URL, HTTP, HTML, JavaScript, frames </li></ul></ul><ul><li>SMTP (Sendmail) attacks </li></ul><ul><li>IP spoofing </li></ul><ul><li>DNS poisoning </li></ul><ul><li>Buffer overflows </li></ul>
    • 11. Detection <ul><li>Signature recognition </li></ul><ul><ul><li>Patterns – well-known patterns of attack, e.g. </li></ul></ul><ul><ul><ul><li>CGI attack patterns </li></ul></ul></ul><ul><ul><ul><li>TCP port scans </li></ul></ul></ul><ul><ul><li>Port-based signatures – if a port is not supposed to be in use and traffic is coming in or going out on it, alert. </li></ul></ul><ul><ul><li>Invalid protocol behavior </li></ul></ul>
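The "TCP port scans" pattern above, as a worked example added to this page (it is not code from the presentation or from any IDS product): a scan or sweep shows up to a sensor as one source touching many distinct ports on one host, or many distinct hosts, inside a short time window. The connection log below is constructed for the example (invented addresses, ports and timestamps), and the window and threshold values are arbitrary tuning knobs.

```python
"""Reconnaissance (port scan / ping sweep) detection over a constructed connection log.

Added example; not from the original slides. Sliding-window counting of distinct
destination ports and distinct destination hosts per source.
"""
from collections import defaultdict, deque

# Constructed sample records: (time_seconds, src_ip, dst_ip, dst_port, proto).
# Addresses, times and ports are invented for the example.
SAMPLE_LOG = []
# 10.0.0.5 probes 20 ports on one host within two seconds (a vertical port scan)
for i in range(20):
    SAMPLE_LOG.append((100.0 + 0.1 * i, "10.0.0.5", "192.168.1.10", 1 + i, "tcp"))
# 10.0.0.7 sends ICMP echo requests to 12 different hosts within three seconds (a ping sweep)
for i in range(12):
    SAMPLE_LOG.append((200.0 + 0.25 * i, "10.0.0.7", "192.168.1.%d" % (20 + i), 0, "icmp"))
# 10.0.0.9 is an ordinary client: a handful of web connections spread over a minute
for i in range(5):
    SAMPLE_LOG.append((300.0 + 12.0 * i, "10.0.0.9", "192.168.1.10", 80, "tcp"))


def max_distinct_in_window(records, key_fn, value_fn, window):
    """For each key (e.g. a source address) slide a `window`-second window over the
    records and return the largest number of distinct values (ports or hosts)
    observed inside any single window: {key: max_distinct}."""
    best = defaultdict(int)
    recent = defaultdict(deque)  # key -> deque of (time, value) still inside the window
    for rec in sorted(records, key=lambda r: r[0]):
        key, now, value = key_fn(rec), rec[0], value_fn(rec)
        q = recent[key]
        q.append((now, value))
        while q and now - q[0][0] > window:
            q.popleft()
        distinct = len({v for _, v in q})
        if distinct > best[key]:
            best[key] = distinct
    return dict(best)


def detect_port_scans(records, window=5.0, threshold=10):
    """Vertical scan: one source hitting >= threshold distinct TCP/UDP ports on one
    destination within `window` seconds. Returns {(src, dst): distinct_ports}."""
    tcp_udp = [r for r in records if r[4] in ("tcp", "udp")]
    counts = max_distinct_in_window(tcp_udp, key_fn=lambda r: (r[1], r[2]),
                                    value_fn=lambda r: r[3], window=window)
    return {pair: n for pair, n in counts.items() if n >= threshold}


def detect_host_sweeps(records, window=5.0, threshold=8):
    """Horizontal scan / ping sweep: one source contacting >= threshold distinct hosts
    within `window` seconds, on any protocol. Returns {src: distinct_hosts}."""
    counts = max_distinct_in_window(records, key_fn=lambda r: r[1],
                                    value_fn=lambda r: r[2], window=window)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("port scans :", detect_port_scans(SAMPLE_LOG))   # {('10.0.0.5', '192.168.1.10'): 20}
    print("host sweeps:", detect_host_sweeps(SAMPLE_LOG))  # {'10.0.0.7': 12}
```

The check is only as good as its window: a "stealth" scan that spreads one probe every few minutes never reaches the threshold, which is why real sensors keep scan state for much longer and also count probes to closed ports.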
    • 12. Detection <ul><li>Anomaly detection </li></ul><ul><ul><li>Some action or data that is not considered normal for a given system, user, or network. </li></ul></ul><ul><ul><li>Can be indicated by a change in CPU utilization, disk activity, user logins, file activity, increased traffic, and so forth. </li></ul></ul><ul><ul><li>Advantage – detects unknown attacks/misuse. </li></ul></ul>
    • 13. Detection <ul><li>Anomaly detection – three statistical criteria </li></ul><ul><ul><ul><li>Number of events outside the expected range </li></ul></ul></ul><ul><ul><ul><ul><li>e.g. more than 3 login attempts </li></ul></ul></ul></ul><ul><ul><ul><li>A measured interval outside its expected range, e.g. the time to load a file on an FTP server </li></ul></ul></ul><ul><ul><ul><li>Markov model – when events form a sequence </li></ul></ul></ul><ul><ul><ul><ul><li>Suppose the observed normal sequence is xyzhjzxyz. </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Then the probability of ‘z’ following ‘xy’ is 1, and so on for every other context. </li></ul></ul></ul></ul><ul><ul><ul><ul><li>A sequence that deviates from these learned transition probabilities indicates a problem. </li></ul></ul></ul></ul>
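Two of the three criteria above, worked as an example added to this page (not code from the presentation): the event-count criterion as failed logins per source over constructed syslog-style lines, and the Markov criterion as an order-2 transition model trained on the slide's own sequence xyzhjzxyz. The log lines, host names and addresses are invented; the probability floor for raising an alert is an assumption.

```python
"""Anomaly (behavior-based) detection for slide 13. Added example.

Criterion 1: an event count outside its expected range (failed logins per source).
Criterion 3: an order-k Markov model of an event sequence, trained on normal activity.
"""
import re
from collections import Counter, defaultdict

# Constructed syslog-style sshd lines (invented host and addresses).
SAMPLE_AUTH_LOG = """\
Nov 14 10:01:02 host sshd[411]: Failed password for root from 10.0.0.5 port 40000 ssh2
Nov 14 10:01:04 host sshd[411]: Failed password for root from 10.0.0.5 port 40001 ssh2
Nov 14 10:01:05 host sshd[411]: Failed password for root from 10.0.0.5 port 40002 ssh2
Nov 14 10:01:07 host sshd[411]: Failed password for admin from 10.0.0.5 port 40003 ssh2
Nov 14 10:03:00 host sshd[412]: Failed password for alice from 10.0.0.9 port 51000 ssh2
Nov 14 10:03:20 host sshd[413]: Accepted password for alice from 10.0.0.9 port 51001 ssh2
"""
FAILED_RE = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def failed_login_sources(log_text, threshold=3):
    """Criterion 1: returns {source_ip: failures} for every source with more than
    `threshold` failed logins (the slide's 'log in attempts > 3')."""
    counts = Counter(m.group(2) for m in FAILED_RE.finditer(log_text))
    return {ip: n for ip, n in counts.items() if n > threshold}


class MarkovModel:
    """Criterion 3: P(next event | previous `order` events), estimated by counting
    transitions in a training sequence of normal activity."""

    def __init__(self, order=2):
        self.order = order
        self.transitions = defaultdict(Counter)  # context tuple -> Counter of next events

    def train(self, seq):
        for i in range(self.order, len(seq)):
            context = tuple(seq[i - self.order:i])
            self.transitions[context][seq[i]] += 1

    def prob(self, context, nxt):
        counts = self.transitions.get(tuple(context))
        if not counts:
            return 0.0  # context never seen during training
        return counts[nxt] / sum(counts.values())

    def score(self, seq, min_prob=0.1):
        """Return (position, context, event, probability) for every transition in
        `seq` whose probability under the trained model is below `min_prob`."""
        alerts = []
        for i in range(self.order, len(seq)):
            context = tuple(seq[i - self.order:i])
            p = self.prob(context, seq[i])
            if p < min_prob:
                alerts.append((i, context, seq[i], p))
        return alerts


def sequence_alerts(training, observed, order=2, min_prob=0.1):
    """Train on a normal sequence, then flag improbable transitions in `observed`."""
    model = MarkovModel(order)
    model.train(training)
    return model.score(observed, min_prob)


if __name__ == "__main__":
    print(failed_login_sources(SAMPLE_AUTH_LOG))       # {'10.0.0.5': 4}
    print(sequence_alerts("xyzhjzxyz", "xyzhjzxyq"))   # the final 'q' after 'xy' is flagged
```

Nothing in the model knows what "x" or "z" mean; it only learns what normally follows what. That is the strength (unknown attacks still look abnormal) and the weakness (a short training sequence makes every unseen transition an alert, and an attacker who drives the retraining can teach the model that the attack is normal).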
    • 14. IDS (Intrusion Detection System) <ul><li>An IDS should do </li></ul><ul><ul><li>Event log analysis for inside threat detection </li></ul></ul><ul><ul><li>Network traffic analysis for perimeter threat detection </li></ul></ul><ul><ul><li>Security configuration management </li></ul></ul><ul><ul><li>File integrity checking </li></ul></ul>[Figure: IDS architecture – agents on hosts and a network monitor report to a director, which drives a notifier]
    • 15. Components of IDS <ul><ul><li>Command console: the central commanding authority </li></ul></ul><ul><ul><li>Network sensor(s) </li></ul></ul><ul><ul><li>Alert notification </li></ul></ul><ul><ul><li>Response subsystem </li></ul></ul><ul><ul><li>Database </li></ul></ul><ul><ul><li>Network tap(s) </li></ul></ul>
    • 16. Network Intrusion Detection System <ul><li>NIDS: the system detects an intruder by “sniffing” (monitoring) the packets on the network wire and matching them against a database of known attack patterns. </li></ul><ul><li>Architecture of NIDS </li></ul><ul><li>Network-node: agents distributed on each critical target computer in the network, each monitoring only the traffic bound for its own host. </li></ul><ul><li>Sensor-based: a sensor sits between communicating computers, either stand-alone or on a network device, and monitors the whole segment. </li></ul>
    • 17. Steps in NIDS <ul><li>A network packet is born. </li></ul><ul><li>The packet is read in real time by a sensor (either a network sensor or a network-node sensor). </li></ul><ul><li>The detection engine checks it against predefined patterns of misuse. </li></ul><ul><li>On a match, the security officer is notified: audible alarm, e-mail, pager, visual, SNMP trap. For example, a beep or a .WAV file saying &quot;You are under attack&quot;. </li></ul><ul><li>An alert is generated (either predefined or configured by the security officer). </li></ul><ul><li>A response to that alert is generated. </li></ul>
    • 18. Steps in NIDS (Cont….) <ul><li>Reconfigure the firewall/router </li></ul><ul><ul><li>Filter out the attacker's IP address </li></ul></ul><ul><ul><li>Terminate (reset) the TCP connection </li></ul></ul><ul><ul><li>Caveat: if the response blocks the source address automatically, an attacker can spoof packets from addresses you depend on and make the IDS cut them off. </li></ul></ul><ul><li>The alert is stored for later review </li></ul><ul><ul><li>timestamp, intruder IP address, victim IP address/port, protocol information </li></ul></ul><ul><li>Reports are generated </li></ul><ul><li>Data is logged for long-term trend analysis </li></ul>
    • 19. NIDS Limitations <ul><li>Packet loss on high-speed networks </li></ul><ul><ul><li>An intruder can hide in the dropped packets; node-based ID does not suffer from this issue. </li></ul></ul><ul><li>Switched networks (e.g. ATM, switched Ethernet): a passive sensor sees only its own segment, so it needs a mirror port or a tap. </li></ul><ul><li>Encryption </li></ul><ul><ul><ul><li>Solutions – place the network sensor on the decrypted side of the VPN </li></ul></ul></ul><ul><ul><ul><li>Distributed architecture with ID agents on the hosts </li></ul></ul></ul><ul><ul><ul><li>Decrypt on the fly by giving the router/sensor the key – itself a security threat </li></ul></ul></ul><ul><li>Packet reassembly </li></ul><ul><ul><ul><li>Many signatures can only be matched on the reassembled stream, not on individual fragments or segments. </li></ul></ul></ul><ul><li>Sniffer detection programs let an attacker find the sensor. </li></ul>
    • 20. Host based intrusion detection system <ul><li>HIDS: monitors the actual target machines to identify tampering or malicious activity occurring within the system. Can detect ‘insider’ malicious activity. </li></ul><ul><ul><li>Agent based </li></ul></ul><ul><li>Misuse </li></ul><ul><ul><li>Abuse of privilege </li></ul></ul><ul><ul><li>Unintended/inadvertent privilege grants </li></ul></ul><ul><ul><li>Stale accounts that are still live </li></ul></ul><ul><ul><li>Bad account privilege policy / back door creation </li></ul></ul>
    • 21. Host based intrusion detection system ( Cont…) <ul><li>HIDS monitors </li></ul><ul><ul><li>User-specific actions </li></ul></ul><ul><ul><li>System integrity checkers: system log files, running processes, the file system, and (on Windows) registry changes made by intruders. </li></ul></ul><ul><ul><li>Whether an attack succeeded or failed </li></ul></ul><ul><li>Data sources in HIDS </li></ul><ul><ul><li>system logs, application logs, host traffic, and in some instances firewall logs </li></ul></ul>
    • 22. Key points <ul><li>Audit policy – if you fail to manage audit and detection policies, your deployment is likely to fail. </li></ul><ul><li>Detection policy – configure signatures properly and keep an appropriate number of signatures active, for both real-time and batch analysis. </li></ul><ul><li>The data source is the heart of a HIDS </li></ul><ul><ul><li>System logs, application logs, host traffic, and in some instances firewall logs </li></ul></ul><ul><ul><li>Unix syslog – not a good source: any application (or attacker) can write to it </li></ul></ul><ul><ul><li>Unix binary kernel audit log – the closest thing to a trusted computing base (TCB) record </li></ul></ul><ul><ul><li>Windows NT/2000 – trust the Security event log </li></ul></ul>
    • 23. Knowledge-based and behavior-based approaches <ul><li>Knowledge-based approaches </li></ul><ul><ul><li>Most IDS tools in use are knowledge-based </li></ul></ul><ul><ul><li>Built from knowledge about specific attacks and system vulnerabilities </li></ul></ul><ul><ul><li>Accuracy is good – few false alarms if the attack is defined precisely </li></ul></ul><ul><ul><li>Fast corrective action – a signature can be added/modified quickly </li></ul></ul><ul><ul><li>Drawbacks: </li></ul></ul><ul><ul><li>Completeness is questionable; it depends on updates </li></ul></ul><ul><ul><li>New vulnerabilities are not yet defined, resulting in false negatives </li></ul></ul><ul><ul><li>Maintenance is a time-consuming, tedious task </li></ul></ul><ul><ul><li>Knowledge is environment-specific (depends on OS, platform, version, …) </li></ul></ul>
    • 24. <ul><li>Behavior-based intrusion detection </li></ul><ul><li>Detects deviation from the normal or expected behavior of the system or its users </li></ul><ul><ul><li>Compares current behavior against a profile of valid behavior </li></ul></ul><ul><li>Advantages </li></ul><ul><ul><li>detects attempts to exploit new and unforeseen vulnerabilities </li></ul></ul><ul><ul><li>automatic discovery of these new attacks </li></ul></ul><ul><li>Disadvantages </li></ul><ul><ul><li>High false-alarm rate </li></ul></ul><ul><ul><li>Online retraining can leave the ID system unavailable (a good chance for the attacker) or raise even more false alarms; an attacker who changes behavior slowly can also teach the profile that the attack is normal. </li></ul></ul><ul><ul><li>A good complement to knowledge-based detection, but not enough alone. </li></ul></ul>
    • 25. Best IDS <ul><li>Is a hybrid: network-based and host-based, and includes both knowledge-based and behavior-based detection. </li></ul>
    • 26. False positives / false alarms <ul><li>False positive – signaling an attack when there is none. </li></ul><ul><li>Why: </li></ul><ul><ul><li>Intrusions are difficult to detect; IDS are limited in scope. </li></ul></ul><ul><ul><li>Tools are stateless. </li></ul></ul><ul><ul><li>Signatures are not carefully designed, so they match too much. </li></ul></ul><ul><ul><li>Accuracy is often traded for the urgency of plugging in a new signature. </li></ul></ul>
    • 27. Do I need IDS if I already have a firewall? <ul><li>A firewall is not a dynamic defensive system and has no capability to understand that someone is trying to break in. </li></ul><ul><li>Example: a ColdFusion bug exploited over port 80, which the firewall must allow for the web server. </li></ul><ul><li>A firewall sits only at the boundary of the network. </li></ul><ul><li>A firewall is prevention; ID is detection and response. </li></ul><ul><li>Reasons </li></ul><ul><ul><li>Catches attacks that firewalls legitimately allow through (such as attacks against web servers). </li></ul></ul><ul><ul><li>Catches attempts that fail. </li></ul></ul><ul><ul><li>Catches insider hacking and the resulting financial loss. </li></ul></ul>
    • 28. Popular NIDS – SNORT™ <ul><li>Open source network intrusion detection system </li></ul><ul><ul><li>real-time traffic analysis </li></ul></ul><ul><ul><li>Detects attacks such as </li></ul></ul><ul><ul><ul><li>buffer overflows, </li></ul></ul></ul><ul><ul><ul><li>stealth port scans, </li></ul></ul></ul><ul><ul><ul><li>CGI attacks, SMB probes and more </li></ul></ul></ul><ul><ul><li>What to do with traffic is decided by a flexible rules language </li></ul></ul>
    • 29. Popular NIDS – Snort Cont…. <ul><li>Platforms </li></ul><ul><ul><li>SunOS 4.1.x (Sparc), Linux, Win32 (Win9x/NT/2000), OpenBSD, HP-UX </li></ul></ul><ul><li>Snort is lightweight intrusion detection: cost efficient, open source (so its signatures keep getting updated), with very powerful post-processors. </li></ul>
    • 30. Interesting <ul><ul><li>Snort and other signature-based IDS match unique patterns against rules in their database. </li></ul></ul><ul><ul><li>For example, Snort uses the following rule for the SubSeven Trojan: alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: &quot;BACKDOOR SIG - SubSseven 22&quot;; flags: A+; content: &quot;|0d0a5b52504c5d3030320d0a|&quot;; reference:arachnids,485;) Snort matches the hex signature &quot;0d 0a 5b 52 50 4c 5d 30 30 32 0d 0a&quot; (the bytes of &quot;\r\n[RPL]002\r\n&quot;), which may be present anywhere in the payload. </li></ul></ul><ul><ul><li>An attacker can scramble the recognizable content with a trivial encoding: send a key byte first, then add that key to every subsequent byte of the payload. </li></ul></ul><ul><ul><li>With the key ‘3’ (0x33) the signature bytes become 40 3d 8e 85 83 7f 90 63 63 65 40 3d, which matches none of the known signatures. </li></ul></ul><ul><ul><li>The attacker has now evaded the intrusion detection system (this needs a modified backdoor that undoes the encoding, i.e. the attacker controls both ends of the connection). </li></ul></ul>Matthew, http://www.snort.org/what_is_snort.htm
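The rule match and the evasion above, plus the port-only signature of slide 11 and the alert record of slide 18, as one worked example added to this page (it is not code from the presentation or from Snort). The matcher is a simplification: it keeps the destination port and the `content:` byte string from the slide's rule but omits Snort's direction variables and the `flags: A+` check. The packets, addresses and the second "policy" rule are constructed for the example.

```python
"""Snort-style signature matching and the byte-add evasion from slide 30. Added example."""
from datetime import datetime, timezone

# Content bytes from the Snort rule on slide 30: "|0d0a5b52504c5d3030320d0a|" == b"\r\n[RPL]002\r\n"
SUBSEVEN_CONTENT = bytes.fromhex("0d0a5b52504c5d3030320d0a")

# Simplified rules. The real Snort rule also checks direction ($EXTERNAL_NET -> $HOME_NET)
# and TCP flags (A+); both are omitted here. The second rule is an invented port-only
# signature of the kind slide 11 describes.
RULES = [
    {"msg": "BACKDOOR SIG - SubSseven 22", "proto": "tcp", "dport": 27374, "content": SUBSEVEN_CONTENT},
    {"msg": "POLICY traffic to unused port 31337", "proto": "tcp", "dport": 31337, "content": None},
]


def match_rule(rule, pkt):
    """Port-based signature when content is None, otherwise port + byte-string match
    anywhere in the payload (Snort's plain `content:` semantics)."""
    if rule["proto"] != pkt["proto"] or pkt["dport"] != rule["dport"]:
        return False
    return rule["content"] is None or rule["content"] in pkt["payload"]


def add_encode(plain, key):
    """Slide 30's evasion: first byte is the key, every following byte is plain + key (mod 256)."""
    return bytes([key]) + bytes((b + key) & 0xFF for b in plain)


def add_decode(payload):
    """Undo add_encode: what a normalizing preprocessor (or the attacker's client) does."""
    if not payload:
        return b""
    key = payload[0]
    return bytes((b - key) & 0xFF for b in payload[1:])


def inspect(packets, rules=RULES, decoders=(), now=None):
    """Run every rule over every packet, optionally over decoded copies of the payload
    as well, and return one alert record per (packet, rule) hit with the fields slide 18
    lists: timestamp, intruder address, victim address/port, protocol."""
    stamp = now or datetime.now(timezone.utc).isoformat()
    alerts = []
    for pkt in packets:
        views = [pkt] + [dict(pkt, payload=d(pkt["payload"])) for d in decoders]
        for rule in rules:
            if any(match_rule(rule, v) for v in views):
                alerts.append({"time": stamp, "msg": rule["msg"], "src": pkt["src"],
                               "dst": pkt["dst"], "dport": pkt["dport"], "proto": pkt["proto"]})
    return alerts


def pkt(src, dst, dport, payload, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "payload": payload}


# Constructed traffic (documentation and private address ranges; not a capture).
SAMPLE_PACKETS = [
    pkt("203.0.113.7", "192.168.1.10", 27374, b"junk" + SUBSEVEN_CONTENT + b"junk"),  # plain banner
    pkt("203.0.113.7", "192.168.1.10", 27374, add_encode(SUBSEVEN_CONTENT, 0x33)),   # encoded with key '3'
    pkt("203.0.113.8", "192.168.1.11", 31337, b"hello"),                              # unused-port policy hit
    pkt("203.0.113.9", "192.168.1.10", 80, b"GET / HTTP/1.0\r\n\r\n"),                # benign
]

if __name__ == "__main__":
    print("encoded:", add_encode(SUBSEVEN_CONTENT, 0x33).hex())  # 33403d8e85837f90636365403d
    for a in inspect(SAMPLE_PACKETS):
        print("no decoder  :", a["msg"], a["src"], "->", a["dst"], a["dport"])
    for a in inspect(SAMPLE_PACKETS, decoders=(add_decode,)):
        print("with decoder:", a["msg"], a["src"], "->", a["dst"], a["dport"])
```

Without a decoder the encoded packet produces no alert, which is the whole point of the evasion; with the decoder the engine sees the banner again. The general lesson is the one real sensors act on: normalize (reassemble, decode, de-obfuscate) before matching, because byte-exact signatures are only as good as the representation they are applied to.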
    • 31. Resources… in case you get hacked <ul><li>CERT (Computer Emergency Response Team) http://www.cert.org </li></ul><ul><li>CIAC (Computer Incident Advisory Capability), US Department of Energy </li></ul><ul><ul><li>http://www.ciac.org/ </li></ul></ul><ul><li>SANS http://www.sans.org/ </li></ul><ul><li>AUSCERT (Australian Computer Emergency Response Team) http://www.auscert.org.au/ </li></ul><ul><li>Network Intrusion Detection Systems http://www.robertgraham.com/pubs/network-intrusion-detection.html </li></ul>
    • 32. References <ul><li>The Practical Intrusion Detection Handbook – Paul E. Proctor </li></ul><ul><li>www.intrusion.com/ </li></ul><ul><li>www.snort.org/ </li></ul><ul><li>Retrieved Nov 14, 2003 from www.sans.org </li></ul><ul><li>Retrieved Nov 15, 2003 from www.cerias.purdue.edu/coast/intrusion-detection/ </li></ul><ul><li>www.cs.usask.ca/undergrads/der850/project/ids/ </li></ul>
    • 33. Project Presentation. Instructor: Prof. Mark Stamp. Due Date: 11/18/03. Malicious Software &amp; Intrusion Detection, by Kavita Khanna and Himani Singh (CS-265, Fall 2003)
    • 34. <ul><li>Malicious Software </li></ul><ul><li>By </li></ul><ul><li>Kavita Khanna </li></ul><ul><li>( [email_address] ) </li></ul><ul><li>&amp; </li></ul><ul><li>Himani Singh </li></ul><ul><li>(himanisingh@comcast.net) </li></ul><ul><li>(CS-265, Fall 2003) </li></ul>
    • 35. <ul><li>Malicious Software – “Presentation Outline” </li></ul><ul><li>What is malicious software? </li></ul><ul><li>Categories of malicious software. </li></ul><ul><li>Different malicious software – viruses, worms, Trojan horses etc. </li></ul><ul><li>More about viruses: </li></ul><ul><li>Desirable properties of viruses. </li></ul><ul><li>Identifying infected files and programs. </li></ul><ul><li>Where viruses reside. </li></ul><ul><li>Identifying and detecting viruses – virus signatures. </li></ul><ul><li>Effect of a virus attack on a computer system. </li></ul><ul><li>Protection against attacks by malicious software – preventing infection. </li></ul><ul><li>References. </li></ul>
    • 36. What is Malicious Software: <ul><li>Software deliberately designed to harm computer systems. </li></ul><ul><li>A malicious program causes undesired actions in information systems. </li></ul><ul><li>Spreads from one system to another through: </li></ul><ul><li>E-mail (attachments) </li></ul><ul><li>Infected floppy disks </li></ul><ul><li>Downloading/exchanging of infected files </li></ul><ul><li>Code embedded in computer games </li></ul>
    • 37. Malicious Software - Categories <ul><li>Malicious software </li></ul><ul><ul><li>Viruses – boot viruses, file viruses </li></ul></ul><ul><ul><li>Trapdoor </li></ul></ul><ul><ul><li>Worms </li></ul></ul><ul><ul><li>Spyware </li></ul></ul><ul><ul><li>Trojan horse </li></ul></ul><ul><ul><li>Hoaxes </li></ul></ul><ul><ul><li>Rabbit </li></ul></ul><ul><ul><li>Time bomb </li></ul></ul><ul><ul><li>Logic bomb </li></ul></ul>
    • 38. Types of Malicious Software <ul><li>Virus: a program that spreads to other software on the system, i.e. it incorporates copies of itself into other programs. </li></ul><ul><li>Two major categories of viruses: </li></ul><ul><li>Boot sector virus: infects the boot sector of a disk; becomes memory-resident; activates while the machine boots. </li></ul><ul><li>File virus: infects program files; activates when the program is run. </li></ul>
    • 39. Categories of Viruses <ul><li>Polymorphic virus </li></ul><ul><ul><li>Produces modified but fully operational code. </li></ul></ul><ul><ul><li>Produces new and different code every time the virus is copied and transmitted to a new host. </li></ul></ul><ul><ul><li>Difficult to detect and remove. </li></ul></ul><ul><li>Stealth virus </li></ul><ul><ul><li>Hides the modifications it has made to files or to the disk. </li></ul></ul><ul><ul><li>Reports false values to programs as they read files or data from storage media. </li></ul></ul><ul><li>Armored virus </li></ul><ul><ul><li>Programming tricks make tracing and understanding the code difficult. </li></ul></ul><ul><ul><li>Complex programming methods are used to design the code, so the infected file is difficult to repair. </li></ul></ul><ul><li>Companion virus </li></ul><ul><ul><li>Creates a new program instead of modifying an existing one. </li></ul></ul><ul><ul><li>Contains all the virus code. </li></ul></ul><ul><ul><li>Executed by the shell instead of the original program. </li></ul></ul>
    • 40. <ul><li>Rabbit: malicious software that replicates itself without limit, depleting some or all of the system’s resources. </li></ul><ul><li>Re-attacks the infected system, making recovery difficult. </li></ul><ul><li>Exhausts system resources such as CPU time, memory and disk space. </li></ul><ul><li>The depletion denies legitimate users access to those resources. </li></ul>
    • 41. <ul><li>Hoaxes: false alerts about spreading viruses, e.g. chain letters. </li></ul><ul><li>The message seems important to the recipient, who forwards it to other users, and so it becomes a chain. </li></ul><ul><li>Exchanging a large number of messages in the chain floods network resources and wastes bandwidth. </li></ul><ul><li>Systems on the network become unreachable because of the heavy traffic. </li></ul>
    • 42. <ul><li>Trojan horse: a malicious program with unexpected additional functionality. It includes harmful features of which the user is not aware. </li></ul><ul><li>Performs a different function from what it is advertised to do (some malicious action, e.g. stealing passwords). </li></ul><ul><li>Neither self-replicating nor self-propagating. </li></ul><ul><li>User assistance is required for infection. </li></ul><ul><li>Infects when the user installs and executes the trojanized program. </li></ul><ul><li>Some types of Trojan horses include remote access Trojans (RATs), keyloggers, password stealers (PSW), and logic bombs. </li></ul>
    • 43. <ul><li>Transmission media: </li></ul><ul><li>spam or e-mail </li></ul><ul><li>a downloaded file </li></ul><ul><li>a disk from a trusted source </li></ul><ul><li>a legitimate program with the Trojan inside. </li></ul><ul><li>The Trojan looks for your personal information and sends it to the Trojan writer (hacker). It can also allow the hacker to take full control of your system. </li></ul><ul><li>Different types of Trojan horses: </li></ul><ul><li>1. The remote access Trojan takes full control of your system and passes it to the hacker. </li></ul><ul><li>2. The data-sending Trojan sends data back to the hacker, e.g. by e-mail. </li></ul><ul><li>e.g., keyloggers – log and transmit each keystroke. </li></ul>
    • 44. <ul><li>The destructive Trojan has only one purpose: to destroy and delete files. Custom-written ones may not be detected by signature-based anti-virus software. </li></ul><ul><li>The denial-of-service (DoS) attack Trojan combines the computing power of all the systems it infects to launch a distributed attack on another system, flooding it with traffic until it fails. </li></ul><ul><li>The proxy Trojan lets a hacker turn the user's computer into a proxy server, used to make purchases with stolen credit cards and run other criminal enterprises in that user's name. </li></ul><ul><li>The FTP Trojan opens port 21 (the FTP port) and lets the attacker connect to your computer using the File Transfer Protocol (FTP). </li></ul>
    • 45. <ul><li>The security-software disabler Trojan is designed to stop or kill security programs such as anti-virus software and firewalls without the user knowing it. </li></ul><ul><li>Spyware: </li></ul><ul><li>Spyware programs explore the files in an information system. </li></ul><ul><li>The information is forwarded to an address specified in the spyware. </li></ul><ul><li>Spyware can also be used to investigate software users or to prepare an attack. </li></ul>
    • 46. <ul><li>Trapdoor: a secret, undocumented entry point into a program. </li></ul><ul><li>An example is the so-called back door, which enables intrusion into the target by bypassing user authentication. </li></ul><ul><li>A hole in the security of a system deliberately left in place by designers or maintainers. </li></ul><ul><li>A trapdoor allows unauthorized access to the system. </li></ul><ul><li>The only purpose of a trapdoor is to &quot;bypass&quot; internal controls. It is up to the attacker to determine how this circumvention of control can be used for his benefit. </li></ul>
    • 47. <ul><li>Types of trapdoor </li></ul><ul><ul><li>Undetectable trapdoor – virtually undetectable. </li></ul></ul><ul><ul><li>Hardware trapdoor – security-related hardware flaws. </li></ul></ul>
    • 48. <ul><li>Worms: </li></ul><ul><li>A program that spreads copies of itself through a network. </li></ul><ul><li>Can do irrecoverable damage to the computer system. </li></ul><ul><li>A stand-alone program; spreads only through the network. </li></ul><ul><li>Also performs malicious activities other than spreading itself, e.g. deleting files. </li></ul><ul><li>Attacks by worms: </li></ul><ul><li>Deleting files and other malicious actions on systems. </li></ul><ul><li>Communicating information back to the attacker, e.g. passwords or other proprietary information. </li></ul><ul><li>Disrupting normal operation of the system, i.e. denial of service (DoS), through repeated re-infection and the traffic generated by spreading. </li></ul><ul><li>Worms may carry viruses with them. </li></ul>
    • 49. <ul><li>How worms spread infection: </li></ul><ul><li>Infect one system, read the trusted-host lists on the infected system and spread to those hosts. </li></ul><ul><li>Penetrate a system by guessing passwords. </li></ul><ul><li>Exploit widely known security holes when password guessing and trusted-host access fail. </li></ul><ul><li>e.g., a well-known example of a worm is ILOVEYOU, which invaded millions of computers through e-mail in 2000. </li></ul>
    • 50. <ul><li>VIRUSES – More Description </li></ul><ul><li>Desirable properties of viruses (from the virus writer's point of view): </li></ul><ul><li>Hard to detect by anti-virus software. </li></ul><ul><li>Hard to destroy or deactivate. </li></ul><ul><li>Spreads infection widely. </li></ul><ul><li>Easy to create. </li></ul><ul><li>Able to re-infect. </li></ul><ul><li>Machine/platform independent, so that it can spread to different hosts. </li></ul>
    • 51. <ul><li>Detecting virus-infected files/programs: </li></ul><ul><li>An infected file changes – typically it gets bigger. </li></ul><ul><li>Modification detection by checksum: </li></ul><ul><li>> Use a cryptographic hash function, e.g. SHA-2 (MD5 and SHA-1 were the common choices in 2003 but are no longer collision-resistant). </li></ul><ul><li>> A simpler scheme adds all 32-bit words of a file and stores the sum (a plain checksum), but an attacker can rearrange or compensate bytes without changing the sum, so it only catches accidental change. </li></ul>
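Both methods above, worked as an example added to this page (it is not code from the presentation, and it also serves the "file integrity checking" item of slides 14 and 21): a baseline of digests is taken on a clean system and later re-verified, once with a SHA-256 digest and once with the plain sum of 32-bit words. The "files" are byte strings constructed in memory with invented contents rather than real binaries, and the HMAC key used to seal the baseline is a placeholder.

```python
"""File integrity checking with a strong hash versus a plain checksum. Added example."""
import hashlib
import hmac
import struct


def additive_checksum32(data):
    """Sum of all 32-bit little-endian words, zero-padded, modulo 2**32 (slide 51's second method)."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for (word,) in struct.iter_unpack("<I", padded):
        total = (total + word) & 0xFFFFFFFF
    return total


def sha256_hex(data):
    """Cryptographic hash: any change to the bytes changes the digest."""
    return hashlib.sha256(data).hexdigest()


def baseline(files, digest):
    """files: {path: bytes}. Returns {path: digest(bytes)}, taken on a known-clean system."""
    return {path: digest(content) for path, content in files.items()}


def verify(files, known_good, digest):
    """Compare the current file set against the baseline and report what changed."""
    current = baseline(files, digest)
    return {
        "modified": sorted(p for p in known_good if p in current and current[p] != known_good[p]),
        "added": sorted(p for p in current if p not in known_good),
        "removed": sorted(p for p in known_good if p not in current),
    }


def seal(known_good, key):
    """HMAC over the baseline so a virus that infects the checker (slide 53) cannot
    silently rewrite the stored digests; the key must live off the monitored host."""
    blob = "\n".join("%s %s" % (p, known_good[p]) for p in sorted(known_good)).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def swap_words(data, i, j):
    """Tamper helper: exchange 32-bit words i and j (same length, same word sum)."""
    words = bytearray(data)
    a, b = bytes(words[4 * i:4 * i + 4]), bytes(words[4 * j:4 * j + 4])
    words[4 * i:4 * i + 4] = b
    words[4 * j:4 * j + 4] = a
    return bytes(words)


# Constructed "files" (invented contents standing in for real binaries).
CLEAN_FILES = {
    "/usr/bin/login": b"ELF-ish clean login binary 0123456789abcdef",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}
# A file virus appends itself (the infected file grows) and drops a new program.
INFECTED_FILES = {
    **CLEAN_FILES,
    "/usr/bin/login": CLEAN_FILES["/usr/bin/login"] + b"<virus body>",
    "/tmp/backdoor": b"#!/bin/sh\necho backdoor\n",
}
# A subtler tamper: same length, bytes rearranged.
SWAPPED_FILES = {
    **CLEAN_FILES,
    "/usr/bin/login": swap_words(CLEAN_FILES["/usr/bin/login"], 0, 1),
}

if __name__ == "__main__":
    good = baseline(CLEAN_FILES, sha256_hex)
    weak = baseline(CLEAN_FILES, additive_checksum32)
    print("sha256 vs infected:", verify(INFECTED_FILES, good, sha256_hex))
    print("sha256 vs swapped :", verify(SWAPPED_FILES, good, sha256_hex))
    print("sum32  vs swapped :", verify(SWAPPED_FILES, weak, additive_checksum32))  # nothing modified
    print("baseline seal     :", seal(good, b"placeholder-key")[:16], "...")
```

The additive checksum catches the appended virus (the sum changes) but misses the rearranged file, because addition is commutative; a cryptographic digest catches both. The baseline itself is the thing to protect: store it read-only off the host, or seal it with a key the host does not hold, or an intruder simply regenerates it after infecting the files.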
    • 52. <ul><li>Identifying viruses: </li></ul><ul><li>A virus is a unique program. </li></ul><ul><li>It has unique object code. </li></ul><ul><li>It inserts itself in a deterministic manner. </li></ul><ul><li>The pattern of object code and where it is inserted provide a signature for the virus program. </li></ul><ul><li>This virus signature can be used by virus scanners to identify and detect a particular virus. </li></ul><ul><li>Some viruses try to hide or alter their signature: </li></ul><ul><li>Random patterns in meaningless places. </li></ul><ul><li>Self-modifying code – metamorphic and polymorphic viruses. </li></ul><ul><li>Encrypting the code and changing the key frequently. </li></ul>
    • 53. <ul><li>Places where viruses live: </li></ul><ul><li>Boot sector </li></ul><ul><li>Memory resident </li></ul><ul><li>Disk – applications and data stored on disk. </li></ul><ul><li>Libraries – stored procedures and classes. </li></ul><ul><li>Compiler </li></ul><ul><li>Debugger </li></ul><ul><li>The virus checker itself – once infected, it can no longer detect that particular virus signature. </li></ul>
    • 54. <ul><li>Effect of a virus attack on the computer system </li></ul><ul><li>A virus may overwrite the user’s data in memory. </li></ul><ul><li>A virus may overwrite the user’s programs. </li></ul><ul><li>A virus may also overwrite the system’s data or programs, corrupting them and disrupting normal operation of the system. </li></ul><ul><li>“Smashing the stack” – a buffer overflow that redirects the program's execution into virus code. </li></ul>
    • 55. <ul><li>Preventing infection by malicious software: </li></ul><ul><li>Use only trusted software, not pirated software. </li></ul><ul><li>Test all new software on an isolated computer system. </li></ul><ul><li>Regularly back up programs and data. </li></ul><ul><li>Use anti-virus software to detect and remove viruses. </li></ul><ul><li>Update the virus database frequently to get new virus signatures. </li></ul><ul><li>Install firewall software, which hampers or prevents the functioning of worms and Trojan horses. </li></ul><ul><li>Make sure that e-mail attachments are safe before opening them. </li></ul><ul><li>Do not leave a floppy disk in the drive when starting the machine unless you are sure it contains no malicious software; otherwise a boot-sector virus will be copied to the system. </li></ul>
    • 56. References: <ul><li>Webopedia.com. Trojan Horse. Retrieved Nov 8, 2003 from http://www.webopedia.com/TERM/T/Trojan_horse.html </li></ul><ul><li>Staffordshire University, Information &amp; Security Team (Jun 8, 2002). Information Systems Security Guidelines. Retrieved Nov 10, 2003 from http://www.staffs.ac.uk/services/information_technology/regs/security7.shtm </li></ul><ul><li>M. E. Kabay, Norwich University, VT (2002). Malicious Software. Retrieved Nov 9, 2003 from http://www2.norwich.edu/mkabay/cyberwatch/09malware.htm </li></ul><ul><li>Computer Emergency Response Team (CERT), Information Security (Jul 2, 2002). Malicious Software – general. Retrieved Nov 10, 2003 from http://www.ficora.fi/englanti/tietoturva/haittaohj.htm </li></ul>
    • 57. References Cont... <ul><li>Rutgers, New Jersey (Oct 10, 2003). Trojan Horses. Retrieved Nov 10, 2003 from http://netsecurity.rutgers.edu/trojan.htm </li></ul><ul><li>Dr. Roger R. Schell, Monterey CA (Apr 24, 2000). Malicious Software. Retrieved Nov 11, 2003 from www.sp.nps.navy.mil </li></ul><ul><li>Edward F. Gehringer. Computer Abuse – Worms, Trojan Horses, Viruses. Retrieved Nov 12, 2003 from http://legacy.eos.ncsu.edu/eos/info/computer_ethics/abuse/wvt/study.html </li></ul><ul><li>Bullguard.com. Computer Viruses. Retrieved Nov 12, 2003 from http://www.bullguard.com/antivirus/vi_info.aspx </li></ul><ul><li>Google.com. Program Security. Retrieved Nov 12, 2003 from http://www.sm.luth.se/csee/courses/smd/102/lek6-6.pdf </li></ul>
