Intruders

Raja Khurram Shahzad
Outline
• Intruders
   – Intruder Behaviour Patterns
   – Intrusion Techniques


• Intrusion Detection
   – Audit Records
   – Detection


• Password Management
• Covering Tracks
Security Problem
• Unwanted trespass
  – By user:
     • Unauthorized login
     • Authorized user but unauthorized actions
  – By software:
     • Virus
     • Worms
     • Trojan Horse
Intruders
• Masquerader (impersonation, outsider): An individual who
  is not authorized to use the computer and who penetrates a
  system's access controls to exploit a legitimate user's account.

• Misfeasor (insider): A legitimate user who accesses data,
  programs, or resources for which such access is not
  authorized, or who is authorized for such access but misuses
  the privileges

• Clandestine user (insider or outsider): An individual
  who seizes supervisory control of the system and uses this
  control to evade auditing and access controls or to suppress
  audit collection
Intruder Behaviour Patterns
• Constantly shifting
   – Exploit newly discovered weaknesses
• Three broad examples
   – Hackers: hack into computers for thrill or for status
      • May or may not be malign (dangerous)
      • Intrusion detection systems (IDS) and Intrusion prevention
        systems (IPS) can counter it.
   – Criminals
      • Organized group of hackers (e.g. Lulz Boat)
      • Loosely affiliated, met in underground forums to trade tips, data
        and coordinate attacks
      • Common target: Root access, credit card files at e-commerce
        site
Intruder Behaviour Patterns
   • Quick in and out in nature
   • IDS and IPS: less effective
– Inside Attacks
   • Most difficult to detect and prevent
   • Can be motivated by revenge or a feeling of entitlement
   • IDS and IPS may be useful up to some extent
Intrusion Techniques
• Objective: Gain access or increase access privileges
• Vulnerabilities:
   – System vulnerabilities
   – Software vulnerabilities: allow a user to execute code that
     opens a back door
     (http://www.telegraph.co.uk/technology/facebook/8938725/Facebook-privacy-flaw-exposes-Mark-Zuckerberg-photos.html)
• Acquire secret information:
   – The system maintains a file that associates a password with
     each authorised user.
      • Passwords / password file
Intrusion Techniques: Passwords
• The password file is protected in two ways
   – One-way function:
      • The system stores only the value of a function computed from the
        user's password, not the password itself
      • The user enters the password
      • The system transforms the entered password with the same function
        and compares the result with the saved value
   – Access control:
      • Read access to the file is limited to one or very few accounts.
Password Cracking
1.   Try default passwords.
2.   Try all short words, 1 to 3 characters long.
3.   Try all the words in an electronic dictionary (60,000).
4.   Collect information about the user’s hobbies, family
     names, birthday, etc.
5.   Try user’s phone number, social security number,
     street address, etc.
6.   Try all license plate numbers (MUP103).
7.   Use a Trojan horse
8.   Tap the line between a remote user and the host
     system.
Password Cracking
• 1 – 6: Various ways of guessing passwords
   – Feasible and highly effective when a large number of guesses
     can be made automatically and each guess verified without the
     attempt being detected (e.g. offline, against a copy of the
     password file)
• 7: Trojan horse; difficult to counter
• 8: Tapping the line; countered by physical security of the link
     (and by encrypting it)
Stages of Network Intrusion
• Scan the network to:
   – locate which IP addresses are in use,
   – determine what operating system is in use,
   – determine what TCP or UDP ports are "open" (being listened on by servers).

• Run "exploit" scripts against the open ports.

• Get access to a shell program that is "setuid" root (runs with "root" privileges).

• Download from a hacker web site special versions of system files (a rootkit) that
  will let the cracker have free access in the future without his CPU time or
  disk storage space being noticed by auditing programs.

• Use IRC (Internet Relay Chat) to invite friends to the feast.
Intrusion Detection
• Detection: concerned with learning of an attack,
  either before or after its success
• Prevention is the security goal; detection is the second line
  of defence when prevention fails
• If an intrusion is detected quickly enough, the intruder can
  be identified and ejected from the system before damage is
  done or data compromised.
• An effective intrusion detection system acts as a deterrent
  and so helps to prevent intrusions.
• Intrusion detection enables the collection of
  information about intrusion techniques that can be
  used to strengthen the intrusion prevention facility.
Intrusion Detection
• Based on the assumption that the behaviour of an intruder differs
  from that of a legitimate user in ways that can be quantified

  Figure: Profiles of behavior of intruders and authorized users
  (diagram not reproduced: the two distributions overlap, so a
  detection threshold trades false positives against false negatives)
Intrusion Detection
• Statistical anomaly detection
   – Threshold detection: define threshold, independent of
     user, for the frequency of occurrence of various events.
   – Profile based: A profile of activity of each user is
     developed and used to detect changes in the behavior of
     individual user.


• Rule based detection
   – Anomaly detection: Rules are developed to detect
     deviation from previous usage patterns.
   – Penetration identification: An expert system approach
     that searches for suspicious behaviour.
• A system may combine both approaches
Audit Records
• Fundamental tool

• Native Audit Records:
   – Accounting software that collects information on user
     activity
   – Advantage: No additional collection software required
   – Disadvantage: May not contain the needed information, or
     may not contain it in a convenient format
Audit Records
• Detection Specific Audit Records
   – A collection facility to generate audit records containing
     required information used by IDS
   – Advantage: Can be made vendor independent & portable
   – Disadvantage: Extra overhead
Audit Records : Example
• Subject: Initiators of actions
• Action: Operation Performed
• Object: Receptors of actions
• Exception-Condition: which, if any, exception
  condition is raised on return
• Resource Usage: A list of quantitative elements
  about usage of resource
• Time-Stamp: Unique time and date stamp
Statistical Anomaly Detection
• Attempt to define normal or expected behaviour

• Collect data related to behaviour over a period of
  time

• Statistical tests are applied

• Two broad categories
   – Threshold detection: define a threshold, independent of
     user, for the frequency of occurrence of various events
Statistical Anomaly Detection
   – Profile based: a profile of the activity of each user or group is
     developed and then used to detect changes in behaviour.
     A profile may consist of a set of parameters (measures).
      • Analysis of audit records is the foundation


• Effective against masqueraders, whose behaviour is unlikely to
  match the legitimate user's profile
• May not deal with misfeasors, whose abuse of legitimate access
  need not look statistically different from normal work
• Statistical tests
   – Mean and standard deviation
   – Multivariate
   – Markov process
   – Time series
   – Operational
Measures Used
•   Login frequency by day and time.
•   Frequency of login at different locations.
•   Time since last login.
•   Password failures at login.
•   Execution frequency.
•   Execution denials.
•   Read, write, create, delete frequency.
•   Failure count for read, write, create and delete.
Rule-Based Intrusion Detection
• Define a set of rules to decide whether behaviour is that of an intruder
• Two broad categories
   – Anomaly detection: historical audit records are analyzed
     to generate rules that describe past usage patterns.
      • Rules may represent past behaviour patterns of
        users, privileges, programs, time slots, terminals
      • Current behaviour is observed and matched against the set of rules
   – Penetration identification: a set of rules for identifying
     known penetrations or penetrations that would exploit
     known weaknesses.
      • Rules can be defined to identify suspicious behaviour
      • Analyze attack tools and scripts to generate rules.
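The three detection styles from the statistical and rule-based slides, run over audit records with the subject / action / object / exception-condition / resource-usage / time-stamp fields listed on the "Audit Records: Example" slide. This is an added example, not code from the lecture: the record format, the log lines, the users, the thresholds and the "failures then success" signature are all constructed assumptions.

```python
"""Threshold, profile-based and rule-based detection over audit records.

Added example (not from the lecture). The record layout, sample log,
thresholds and attack signature below are constructed for illustration.
"""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime
from statistics import mean, pstdev

AuditRecord = namedtuple(
    "AuditRecord", "subject action object exception resource_usage timestamp")


def parse(line):
    """Constructed record format: subject|action|object|exception|cpu|timestamp."""
    subj, act, obj, exc, cpu, ts = line.split("|")
    return AuditRecord(subj, act, obj, exc, int(cpu), datetime.fromisoformat(ts))


# Constructed sample: alice logs in once a day from 10.0.0.5, then four
# times on 5 March; smith's account is probed from 10.0.0.9 with four bad
# passwords followed by a success (a masquerader who guessed right).
SAMPLE_LOG = """\
alice|login|10.0.0.5|OK|1|2024-03-01T08:01:00
alice|login|10.0.0.5|OK|1|2024-03-02T08:03:00
alice|login|10.0.0.5|OK|1|2024-03-03T07:58:00
alice|login|10.0.0.5|OK|1|2024-03-05T08:00:00
alice|login|10.0.0.5|OK|1|2024-03-05T08:10:00
alice|login|10.0.0.5|OK|1|2024-03-05T08:20:00
alice|login|10.0.0.5|OK|1|2024-03-05T08:30:00
smith|login|10.0.0.9|BAD_PASSWORD|1|2024-03-05T02:00:00
smith|login|10.0.0.9|BAD_PASSWORD|1|2024-03-05T02:00:05
smith|login|10.0.0.9|BAD_PASSWORD|1|2024-03-05T02:00:09
smith|login|10.0.0.9|BAD_PASSWORD|1|2024-03-05T02:00:14
smith|login|10.0.0.9|OK|1|2024-03-05T02:00:31
"""


def threshold_detection(records, limit=3):
    """Threshold detection: one limit for every user, no per-user profile.
    Flags subjects with more than `limit` failed logins in the record set."""
    failures = Counter(r.subject for r in records
                       if r.action == "login" and r.exception == "BAD_PASSWORD")
    return {user for user, n in failures.items() if n > limit}


def profile_detection(records, sigmas=2.0):
    """Profile-based detection: compare each user's latest day of successful
    logins with that user's own history (mean + sigmas * stddev)."""
    per_day = defaultdict(Counter)
    for r in records:
        if r.action == "login" and r.exception == "OK":
            per_day[r.subject][r.timestamp.date()] += 1
    flagged = set()
    for user, days in per_day.items():
        history = [days[d] for d in sorted(days)]
        if len(history) < 3:
            continue                          # not enough history for a profile
        baseline, latest = history[:-1], history[-1]
        spread = max(pstdev(baseline), 1.0)   # floor so a flat history still has a band
        if latest > mean(baseline) + sigmas * spread:
            flagged.add(user)
    return flagged


def penetration_rule(records, failures=3, window_seconds=60):
    """Rule-based penetration identification: the signature 'at least
    `failures` bad passwords from one source, then a success, all within
    `window_seconds`' describes a guessing attack that got through."""
    by_pair = defaultdict(list)
    for r in sorted(records, key=lambda r: r.timestamp):
        if r.action == "login":
            by_pair[(r.subject, r.object)].append(r)
    hits = set()
    for (user, src), seq in by_pair.items():
        for i, r in enumerate(seq):
            if r.exception != "OK":
                continue
            recent = [p for p in seq[:i] if p.exception != "OK"
                      and (r.timestamp - p.timestamp).total_seconds() <= window_seconds]
            if len(recent) >= failures:
                hits.add((user, src))
    return hits


def analyse(log_text=SAMPLE_LOG):
    records = [parse(line) for line in log_text.splitlines() if line]
    return {"threshold": threshold_detection(records),
            "profile": profile_detection(records),
            "penetration": penetration_rule(records)}


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(f"{name:12s} {sorted(hits) or '-'}")
```

On the sample, threshold detection flags smith (four failures against a user-independent limit of three), profile detection flags alice (four logins on a day whose baseline is one), and the penetration rule flags the (smith, 10.0.0.9) pair. Note what the profile misses: smith's single successful login looks normal on its own, which is why the slides pair statistical and rule-based detection in one system.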
Distributed Intrusion Detection
• Single-system stand-alone IDS vs distributed IDS
• A more effective defence: coordination and cooperation among
  IDSs across the network
• Design issues
   – Different audit record formats on different hosts
   – Different collection and analysis points
   – Confidentiality and integrity of collected data during
     transmission
   – Centralized architecture (one collection point) or
     decentralized (more than one collection point
     coordinating and exchanging information)
Distributed Intrusion Detection
• Host agent module
   – Audit collection module operating in the background on a monitored host
   – Collects data on security-related events
   – Transmits to the central manager
• LAN monitor agent module
   – Operates like the host agent module
   – Analyzes LAN traffic
• Central manager module
   – Receives reports from host and LAN agents
   – Processes and correlates these reports to detect intrusion
Distributed Intrusion Detection
• Agent architecture
   – The agent captures each record from the native audit collection system
   – A filter is applied to retain only security-related records
   – Records are reformatted into the Host Audit Record (HAR) format
   – A template-driven logic module analyzes the records
      • Lowest level: scans for notable events (e.g. failed file accesses,
        access to system files, changes to a file's access control)
      • Higher level: looks for sequences of events (signatures),
        such as known attack patterns
      • Also looks for anomalous behaviour based on the user's profile
   – If suspicious, an alert is sent to the central manager (an expert system)
      • The central manager may also query agents for copies of HARs


                                           Henric Johnson                 24
Passwords
• Most common weaknesses in a company
   – Weak passwords
   – Uncontrolled devices on the network
• Most systems and software ship with default passwords!
• Characteristics of a strong password policy (as presented in this lecture)
   – Changes every 45 days
   – Minimum length of 10 characters
   – Contains at least one alphabetic character, one number and one special
     character
   – Cannot contain dictionary words
   – Cannot reuse the previous five passwords
   – Minimum password age of 10 days
   – After 5 failed logon attempts, the account is locked for several
     hours
   (Caveat: current guidance such as NIST SP 800-63B advises against
   forced periodic changes and composition rules, favouring length,
   screening against breached-password lists and rate limiting; the
   rotation and composition rules above reflect the practice of the time.)
UNIX passwords
• Traditionally stored in a publicly readable file, /etc/passwd (any
  user on the system could read the file, i.e. more /etc/passwd), so
  any user could copy the hashes and run a cracker against them offline
       username:password:UID:GID:full name:home directory:shell
       sch:OZFGkH258h8yg:1013:10:Stefan Chevul:/home/sch/:/bin/csh

• Later UNIX versions split the passwd file into 2 files.
  The /etc/passwd file still exists and contains everything
  except the encrypted passwords; those are stored in
  /etc/shadow, readable only by "root", and the password field
  of /etc/passwd holds a placeholder ("x").
       username:password:last:min:max:warning:expire:disable
       sch:OZFGkH258h8yg:::::::
cat passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
smmsp:x:25:25:SendMail Message Submission Program:/:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
ypcat passwd
• ypcat: lists the entries of the network-wide NIS (Yellow Pages)
  password map, hashes included, to any host in the NIS domain; the
  same exposure as a world-readable /etc/passwd, but network-wide
      gymsjo:PgiEmZuEHpmY2:3227:3200:STEFAN JOHANSSON:/home/
      dogmatix/gym/gymsjo:/usr/local/bin/tcsh

      frpe03:EoFPa/t0McqN6:470078:20031:FREDRIK PERSSON:/home/
      dogmatix/students/20031/frpe03:/usr/local/bin/tcsh

      etmf01:Ck34HVjHPI3gQ:740030:20011:Etienne Mfoumou:/home/
      dogmatix/students/20011/etmf01:/usr/local/bin/tcsh

      rope05:i/mTnW1jL7vmM:490146:20051:ROBIN PERSSON:/home/
      obelix/students/20051/rope05:/usr/local/bin/tcsh

      nasc04:HfcXJTuIB7Bh2:500001:20041:Nadzida Saric:/home/obelix/
      students/20041/nasc04:/usr/local/bin/tcsh
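A small auditor for the two file formats shown above, as an added example that is not part of the lecture. The passwd and shadow contents are constructed in the slide's formats (shadow in its nine-field form; the eight-field form from the slide is padded), and the checks themselves are an assumption about what to look at first: a hash still readable in /etc/passwd, an empty password field, extra UID-0 accounts, and legacy DES hashes of the "OZFGkH258h8yg" kind. On a real system /etc/shadow is readable only by root.

```python
"""Audit /etc/passwd and /etc/shadow entries for common weaknesses.

Added example, not from the lecture. SAMPLE_PASSWD and SAMPLE_SHADOW are
constructed; the list of checks is the author's assumption.
"""

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "password", "last", "min", "max",
                 "warning", "expire", "disable", "reserved")

SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
toor:x:0:0:Second root:/:/bin/sh
daemon:x:1:1::/:
sch:OZFGkH258h8yg:1013:10:Stefan Chevul:/home/sch/:/bin/csh
nobody:x:60001:60001:Nobody:/:
"""

SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19700::::::
toor::19700::::::
daemon:*:19700::::::
sch:OZFGkH258h8yg:19700::::::
nobody:!:19700::::::
"""


def parse_file(text, fields):
    """Split colon-separated entries into dicts keyed by account name."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        parts += [""] * (len(fields) - len(parts))   # tolerate short (older) forms
        entries[parts[0]] = dict(zip(fields, parts))
    return entries


def hash_algorithm(field):
    """Classify a password field the way crypt(3) does: '$id$' names the
    algorithm, a 13-character value with no '$' is traditional DES, and
    '', 'x', '*' or a leading '!' means no usable hash (shadowed/locked)."""
    if field in ("", "x", "*") or field.startswith("!"):
        return None
    if field.startswith("$"):
        return {"1": "md5", "5": "sha256", "6": "sha512",
                "y": "yescrypt", "2b": "bcrypt"}.get(field.split("$")[1], "unknown")
    return "des" if len(field) == 13 else "unknown"


def audit(passwd_text, shadow_text):
    """Return (account, finding) pairs for the checks described above."""
    passwd = parse_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_file(shadow_text, SHADOW_FIELDS)
    findings = []
    for name, entry in passwd.items():
        if entry["uid"] == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if entry["password"] == "":
            findings.append((name, "empty password field in /etc/passwd"))
        elif hash_algorithm(entry["password"]) is not None:
            findings.append((name, "password hash readable in /etc/passwd"))
        sh = shadow.get(name)
        if sh is None:
            if entry["password"] == "x":
                findings.append((name, "no shadow entry"))
            continue
        if sh["password"] == "":
            findings.append((name, "empty password: login without a password"))
        elif hash_algorithm(sh["password"]) == "des":
            findings.append((name, "legacy DES crypt hash (8-char limit, fast to crack)"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account:8s} {finding}")
```

Run against the constructed files this reports the second UID-0 account, the empty shadow password for it, and the sch entry whose DES hash is still in world-readable /etc/passwd (the situation the slide describes) as well as in shadow. Point the two constants at the real files on a test host and the same checks apply unchanged.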
Salt
• The salt serves three purposes:
   – Prevents duplicate passwords from being visible in the password
     file: two users with the same password get different salts and
     therefore different stored values.
   – Effectively increases the length of the password without the
     user having to remember anything extra: with a 12-bit salt an
     attacker must precompute 4096 variants of every dictionary word.
   – Prevents the use of off-the-shelf hardware implementations of DES,
     because the salt modifies the DES expansion permutation.
UNIX Password Scheme
  Loading a new password (figure not reproduced): the user's password
  and a 12-bit salt, typically derived from the time of day, are fed
  to the one-way function crypt(3), a modified DES; the salt and the
  result are stored together in the user's password file entry.
UNIX Password Scheme
  Verifying a password (figure not reproduced): the user's entry is
  looked up, the stored salt and the entered password are run through
  the same function, and the output is compared with the stored value.
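The two flows just described, loading a new password and verifying one, together with the first purpose of the salt (two users with the same password do not get the same stored value), as an added example that is not the slides' code. The slides describe crypt(3) with DES and a 12-bit salt; this example swaps in PBKDF2-HMAC-SHA256 from the standard library with a 128-bit salt, an assumption made because the DES-based crypt is obsolete and Python's crypt module has been removed. The in-memory PASSWORD_FILE dict, the iteration count and the user names are assumptions.

```python
"""Salted one-way password storage: the UNIX load/verify scheme.

Added example, not the slides' code. PBKDF2-HMAC-SHA256 stands in for
crypt(3); PASSWORD_FILE stands in for /etc/shadow. Both are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # work factor; assumed value, tune to your hardware
SALT_BYTES = 16        # 128-bit salt instead of the classic 12 bits

PASSWORD_FILE = {}     # username -> "salthex$digesthex"


def one_way(password: str, salt: bytes) -> bytes:
    """The one-way function: salt and password in, fixed-size digest out."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def load_new_password(username: str, password: str,
                      salt: Optional[bytes] = None) -> str:
    """Loading a new password: choose a random salt, run salt+password through
    the one-way function, store salt and result together. The salt is not
    secret; it only has to be unique per entry."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    entry = f"{salt.hex()}${one_way(password, salt).hex()}"
    PASSWORD_FILE[username] = entry
    return entry


def verify_password(username: str, password: str) -> bool:
    """Verifying a password: look up the entry, recover its salt, recompute,
    and compare in constant time so timing does not leak how many leading
    bytes matched."""
    entry = PASSWORD_FILE.get(username)
    if entry is None:
        one_way(password, b"\0" * SALT_BYTES)   # same cost for unknown users
        return False
    salt_hex, digest_hex = entry.split("$", 1)
    digest = one_way(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def shared_password_visible(user_a: str, user_b: str) -> bool:
    """Salt purpose 1: even when two users chose the same password, the
    stored digests differ, so the file does not reveal the coincidence."""
    digest_a = PASSWORD_FILE[user_a].split("$", 1)[1]
    digest_b = PASSWORD_FILE[user_b].split("$", 1)[1]
    return digest_a == digest_b


if __name__ == "__main__":
    load_new_password("alice", "correct horse battery")
    load_new_password("bob", "correct horse battery")
    print("alice, right password:", verify_password("alice", "correct horse battery"))
    print("alice, wrong password:", verify_password("alice", "Correct horse battery"))
    print("shared password visible in file:", shared_password_visible("alice", "bob"))
```

The dummy hash on the unknown-user path is there so that "no such user" and "wrong password" take the same time; without it the response time enumerates valid account names, which is exactly the information step 4 of the password-cracking list is after.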
Password Selection Strategies
• User education
  – Unlikely to succeed
  – Many users ignore guidelines


• Computer-generated passwords
  – Random in nature: hard to memorize, so users tend to write
    them down (poor acceptance)
Password Selection Strategies
• Reactive password checking
  – System periodically runs its own password cracker to find
    guessable passwords
  – Cancels guessed passwords and notifies the users
  – Resource-intensive, and passwords remain vulnerable until found

• Proactive password checking
  – User is allowed to choose a password
  – At selection time the system checks whether the password is
    allowable and rejects it if not
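A proactive checker implementing the rules from the "Passwords" slide above (minimum length 10, at least one letter, digit and special character, no dictionary words, no reuse of the previous five, minimum age of 10 days), as an added example that is not from the lecture. The dictionary and the password history are constructed; history entries are kept as salted SHA-256 hashes, an assumption standing in for the system's real one-way function. The five-failures lockout rule belongs to the login path, not to selection, so it is not checked here.

```python
"""Proactive password checker for the policy on the Passwords slide.

Added example, not from the lecture. DICTIONARY, HISTORY and the salted
SHA-256 history format are constructed assumptions.
"""
import hashlib
import string
from datetime import date, timedelta

MIN_LENGTH = 10
HISTORY_SIZE = 5
MIN_AGE_DAYS = 10
DICTIONARY = {"password", "welcome", "dragon", "summer", "company"}   # constructed


def hash_for_history(password: str, salt: str) -> str:
    """How previous passwords are stored for the reuse check (assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed history: previous passwords, newest first, as (salt, hash).
HISTORY = [("s1", hash_for_history("Old!Pass2023x", "s1")),
           ("s2", hash_for_history("Another#9pw", "s2"))]


def contains_dictionary_word(password: str, dictionary=DICTIONARY, min_len=4) -> bool:
    """'Cannot contain dictionary words' in practice: a case-insensitive
    substring match against words of at least `min_len` characters."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in dictionary)


def check_password(candidate, history, last_changed, today=None):
    """Return the list of policy rules the candidate violates (empty = allowed).
    `history` holds (salt, hash) of previous passwords, newest first;
    `last_changed` is the date of the current password, or None."""
    today = today or date.today()
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        violations.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        violations.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        violations.append("no special character")
    if contains_dictionary_word(candidate):
        violations.append("contains a dictionary word")
    for salt, digest in history[:HISTORY_SIZE]:
        if hash_for_history(candidate, salt) == digest:
            violations.append(f"reuses one of the previous {HISTORY_SIZE} passwords")
            break
    if last_changed is not None and today - last_changed < timedelta(days=MIN_AGE_DAYS):
        violations.append(f"changed less than {MIN_AGE_DAYS} days ago")
    return violations


if __name__ == "__main__":
    for cand in ("password1", "Old!Pass2023x", "Tr0ub4dor&3xyz"):
        print(cand, "->", check_password(cand, HISTORY, date(2024, 1, 1),
                                         today=date(2024, 1, 5)) or "allowed")
```

Each rule yields its own message, so the user is told everything that is wrong at once rather than one rule per attempt; the reuse check hashes the candidate under each stored salt, which is why the history must keep the salt next to the hash.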
Password Cracking : Importance
• From a security standpoint, password cracking can
  help you build and maintain a more secure system.
• Reasons why password cracking is useful
   –   To audit the strength of passwords
   –   To recover forgotten / unknown passwords
   –   To migrate users
   –   To use as a checks and balance system
• Main types of password cracking attacks:
   – Dictionary attacks
   – Brute force attacks
   – Hybrid attacks
Password Cracking: Attacks

                        Dictionary attack    Brute force attack    Hybrid attack
Speed of the attack     Fast                 Slow                  Medium
Amount of passwords     Finds only           Finds every           Finds only passwords
cracked                 dictionary words     password (given       that have a dictionary
                                             enough time)          word as the base
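The three attack types from the table, and the guessing methods 1 to 6 from the "Password Cracking" list earlier, run against a small hash file so the speed/coverage trade-off is visible in guess counts. This is an added example, not from the lecture: the target entries, wordlist and passwords are constructed, and the one-way function is a single SHA-256 over salt+password, an assumption standing in for crypt(3) so that all three strategies finish in a few seconds.

```python
"""Dictionary, hybrid and brute-force attacks against a salted hash file.

Added example, not from the lecture. TARGETS, WORDLIST and the SHA-256
stand-in for crypt(3) are constructed assumptions.
"""
import hashlib
import itertools
import string


def one_way(salt: str, password: str) -> str:
    """Stand-in for crypt(3): salt prepended, one round of SHA-256."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "shadow" entries: user -> (salt, hash). The plaintexts are
# 'password' (in the wordlist), 'Secret42' (a wordlist word as the base)
# and 'qzx' (short and random: only brute force will find it).
WORDLIST = ["letmein", "password", "secret", "dragon", "monkey"]
TARGETS = {
    "alice": ("ab", one_way("ab", "password")),
    "bob": ("cd", one_way("cd", "Secret42")),
    "eve": ("ef", one_way("ef", "qzx")),
}


def dictionary_guesses(words):
    """Dictionary attack: try each word exactly as listed."""
    yield from words


def hybrid_guesses(words, max_digits=2):
    """Hybrid attack: dictionary words as the base plus common mangling,
    here capitalisation and a numeric suffix of up to `max_digits` digits."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    yield base + "".join(digits)


def brute_force_guesses(alphabet=string.ascii_lowercase, max_len=3):
    """Brute force: every string over `alphabet` up to `max_len`. Finds any
    such password, but the count grows as |alphabet| ** length."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(targets, guesses):
    """Run one guess stream against every target.
    Returns ({user: password}, number of hash computations)."""
    found, work, remaining = {}, 0, dict(targets)
    for guess in guesses:
        if not remaining:
            break
        for user, (salt, digest) in list(remaining.items()):
            work += 1                       # a different salt per user: no sharing
            if one_way(salt, guess) == digest:
                found[user] = guess
                del remaining[user]
    return found, work


def run_all():
    return {
        "dictionary": crack(TARGETS, dictionary_guesses(WORDLIST)),
        "hybrid": crack(TARGETS, hybrid_guesses(WORDLIST)),
        "brute force": crack(TARGETS, brute_force_guesses()),
    }


if __name__ == "__main__":
    for name, (found, work) in run_all().items():
        print(f"{name:12s} {work:6d} hashes  cracked: {found}")
```

Dictionary cracks only alice with a dozen hashes; hybrid also cracks bob at a cost of a few thousand; brute force over three lowercase characters is the only one to reach eve and costs tens of thousands, yet cannot touch an eight-character password at all. The per-user salt is what forces the `work += 1` inside the inner loop: without it one hash per guess would be compared against every user at once.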
Password Cracking: Programs
• NT password cracking programs:
  –   L0phtcrack
  –   NTSweep
  –   NTCrack
  –   PWDump2


• UNIX password crackers:
  –   Crack
  –   John the Ripper
  –   XIT
  –   Slurpie
Covering the Tracks
• After an attacker has gained access and
  accomplished what he wanted to do, one of the last
  steps he performs is covering his tracks, hiding
  evidence that he was ever there.

• To do this there are 4 main areas an attacker is
  concerned with:
   1. Log files
   2. File information
   3. Additional files
   4. Network traffic
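Two defender-side checks for the first two areas in that list, log files and file information, as an added example that is not from the lecture. The syslog-style lines are constructed; the hash chain is the standard tamper-evident-log construction (each entry hashed together with the previous chain value, the head shipped off-host); and the timestamp-reset demo creates a temporary file and uses os.utime to mimic an attacker setting an old modification time on a replaced system file, which leaves the kernel-maintained ctime far ahead of mtime. The gap tolerance of 60 seconds is an assumption.

```python
"""Detecting covered tracks: log regressions, a log hash chain, and timestomping.

Added example, not from the lecture. SAMPLE_LOG is constructed; the
60-second slack in looks_timestomped is an assumption.
"""
import hashlib
import os
import tempfile
import time
from datetime import datetime

# Constructed syslog-style excerpt. The fourth line is earlier than the
# third: a hand-edited file where lines were removed and rewritten.
SAMPLE_LOG = """\
Mar  5 02:00:00 host sshd[411]: Failed password for smith from 10.0.0.9
Mar  5 02:00:05 host sshd[411]: Failed password for smith from 10.0.0.9
Mar  5 02:05:10 host sshd[530]: session opened for user smith
Mar  5 01:59:00 host sshd[530]: session closed for user smith
Mar  5 02:05:15 host cron[101]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_syslog_time(line):
    """Traditional syslog timestamp, no year: fine for ordering within a file."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def timestamp_regressions(lines):
    """Log-file check: indexes of entries whose timestamp precedes the
    previous entry, an artefact of lines being deleted or rewritten."""
    bad, prev = [], None
    for i, line in enumerate(lines):
        t = parse_syslog_time(line)
        if prev is not None and t < prev:
            bad.append(i)
        prev = t
    return bad


def hash_chain(lines, seed=b""):
    """Tamper-evident log: H_i = SHA256(H_{i-1} || line_i). Ship the latest
    H_i to a remote collector; any later edit or deletion of the local
    file changes the recomputed head."""
    h = seed
    for line in lines:
        h = hashlib.sha256(h + line.encode()).digest()
    return h.hex()


def chain_intact(lines, expected_head):
    return hash_chain(lines) == expected_head


def looks_timestomped(path, slack_seconds=60):
    """File-information check: utime() can set mtime back in time, but ctime
    is kernel-maintained and only moves forward, so mtime far behind ctime
    means the timestamps were touched after the last real change."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack_seconds


def demo_timestomp():
    """Create a temp file, then reset its mtime to a day ago the way an
    attacker hiding a replaced binary would; returns (before, after)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        before = looks_timestomped(path)
        old = time.time() - 86400
        os.utime(path, (old, old))      # sets atime/mtime only; ctime becomes now
        after = looks_timestomped(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("regressions at lines:", timestamp_regressions(lines))
    head = hash_chain(lines)
    print("chain intact after deleting line 2:", chain_intact(lines[:2] + lines[3:], head))
    print("timestomp detected (before, after):", demo_timestomp())
```

The regression check only catches careless editing; the hash chain catches any change, but only if the head is stored where the attacker cannot reach it (remote syslog, a write-once store), which is the practical answer to "log files" in the list above. The ctime test is the usual first look at "file information": an attacker with root can also reset ctime by changing the system clock, so treat a clean result as absence of evidence, not evidence of absence.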

BookNet Canada
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 

Lecture 10 intruders

Outline
• Intruders
   – Intruder Behaviour Patterns
   – Intrusion Techniques
• Intrusion Detection
   – Audit Records
   – Detection
• Password Management
• Covering Tracks

Security Problem
• Unwanted trespass
   – By user:
      • Unauthorized login
      • Authorized user but unauthorized actions
   – By software:
      • Virus
      • Worms
      • Trojan Horse

Intruders
• Masquerader (impersonation) (outsider): an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
• Misfeasor (insider): a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses the privileges.
• Clandestine user (insider or outsider): an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

Intruder Behaviour Patterns
• Constantly shifting
   – Exploit newly discovered weaknesses
• Three broad examples
   – Hackers: hack into computers for thrill or for status
      • May or may not be malign (dangerous)
      • Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can counter them.
   – Criminals
      • Organized groups of hackers (e.g. Lulz Boat)
      • Loosely affiliated; meet in underground forums to trade tips and data and to coordinate attacks
      • Common targets: root access, credit card files at e-commerce sites

Intruder Behaviour Patterns
      • Quick in-and-out in nature
      • IDS and IPS: less effective
   – Inside attacks
      • Most difficult to detect and prevent
      • Can be motivated by revenge or a feeling of entitlement
      • IDS and IPS may be useful to some extent
Intrusion Techniques
• Objective: gain access or increase access privileges
• Vulnerabilities:
   – System vulnerabilities
   – Software vulnerabilities: allow a user to execute code to open a back door (http://www.telegraph.co.uk/technology/facebook/8938725/Facebook-privacy-flaw-exposes-Mark-Zuckerberg-photos.html)
• Acquire secure information:
   – The system maintains a file that associates a password with each authorised user.
   – Passwords / password file

Intrusion Techniques: Passwords
• The password file is protected in two ways
   – One-way function:
      • The system stores only the value of a function of the user's password
      • The user enters the password
      • The system transforms the entered password and compares it with the saved value
   – Access control:
      • Access is limited to one or very few accounts.

Password Cracking
1. Try default passwords.
2. Try all short words, 1 to 3 characters long.
3. Try all the words in an electronic dictionary (60,000).
4. Collect information about the user's hobbies, family names, birthday, etc.
5. Try the user's phone number, social security number, street address, etc.
6. Try all license plate numbers (MUP103).
7. Use a Trojan horse.
8. Tap the line between a remote user and the host system.

Password Cracking
• 1 to 6: various ways of guessing passwords
   – Feasible and highly effective
   – Automatic guessing and verification
• 7: difficult to counter
• 8: physical security

Stages of Network Intrusion
• Scan the network to:
   – locate which IP addresses are in use,
   – find what operating system is in use,
   – find what TCP or UDP ports are "open" (being listened to by servers).
• Run "exploit" scripts against open ports
• Get access to a shell program which is "suid" (has "root" privileges).
• Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
• Use IRC (Internet Relay Chat) to invite friends to the feast.

Intrusion Detection
• Detection: concerned with learning of an attack, either before or after its success
• Prevention: the security goal
• The intruder can be identified and ejected from the system.
• Effective intrusion detection can prevent intrusions.
• Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

Intrusion Detection
• Based on the assumption that behaviour differs
(Figure: Profiles of Behavior of Intruders and Authorized Users)

Intrusion Detection
• Statistical anomaly detection
   – Threshold detection: define a threshold, independent of user, for the frequency of occurrence of various events.
   – Profile based: a profile of the activity of each user is developed and used to detect changes in the behavior of the individual user.
• Rule based detection
   – Anomaly detection: rules are developed to detect deviation from previous usage patterns.
   – Penetration identification: an expert system approach that searches for suspicious behavior.
• A system may have both

Audit Records
• Fundamental tool
• Native audit records:
   – Accounting software that collects information on user activity
   – Advantage: no additional collection software required
   – Disadvantage: may not contain the needed information, or may not contain it in a convenient format

Audit Records
• Detection-specific audit records
   – A collection facility that generates audit records containing the information required by the IDS
   – Advantage: can be made vendor independent and portable
   – Disadvantage: extra overhead

Audit Records: Example
• Subject: initiator of the action
• Action: operation performed
• Object: receptor of the action
• Exception-Condition: which exception condition, if any, is raised on return
• Resource-Usage: a list of quantitative elements about usage of resources
• Time-Stamp: unique time and date stamp

Statistical Anomaly Detection
• Attempt to define normal or expected behaviour
• Collect data related to behaviour over a period of time
• Statistical tests are applied
• Two broad categories
   – Threshold detection: define a threshold, independent of user, for the frequency of occurrence of various events

Statistical Anomaly Detection
   – Profile based: a profile of the activity of a user or group is developed and then used to detect changes in behaviour. May consist of a set of parameters.
• Analysis of audit records is the foundation
• Effective against masqueraders
• May not deal with misfeasors
• Statistical tests
   – Mean and standard deviation
   – Multivariate
   – Markov process
   – Time series
   – Operational

Measures Used
• Login frequency by day and time.
• Frequency of login at different locations.
• Time since last login.
• Password failures at login.
• Execution frequency.
• Execution denials.
• Read, write, create, delete frequency.
• Failure count for read, write, create and delete.
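The two statistical categories above, worked as an added example that is not part of the lecture: threshold detection counts password failures per user against one limit that is the same for everyone, and profile-based detection compares each login hour with the mean and standard deviation of that user's own history. The audit records, user names, thresholds and hours are all constructed for the example, in the subject/action/exception/time-stamp form of the audit-record slide.

```python
import statistics
from collections import Counter, defaultdict

FAILURE_THRESHOLD = 5   # threshold detection: one limit, independent of user (constructed value)
Z_LIMIT = 2.0           # profile-based: flag hours more than 2 standard deviations from the mean


def rec(subject, hour, exception=None, action="login"):
    """Minimal audit record: subject, action, exception condition, time stamp (hour only)."""
    return {"subject": subject, "action": action, "exception": exception, "hour": hour}


# Constructed baseline of normal activity, used to build per-user profiles.
BASELINE = ([rec("alice", h) for h in (9, 10, 9, 8, 10, 9, 8)]
            + [rec("bob", h) for h in (14, 15, 14, 16, 15)])

# Constructed records for the window being analysed.
NEW_RECORDS = (
    [rec("alice", 10), rec("alice", 3)]                      # 3 a.m. login is out of profile
    + [rec("bob", 15, exception="password-failure")] * 5     # repeated failures trip the threshold
    + [rec("bob", 15), rec("carol", 2)]                      # carol has no profile yet
)


def threshold_alerts(records, threshold=FAILURE_THRESHOLD):
    """Threshold detection: count password failures per subject against a fixed limit."""
    failures = Counter(r["subject"] for r in records
                       if r["action"] == "login" and r["exception"] == "password-failure")
    return sorted(s for s, n in failures.items() if n >= threshold)


def build_profiles(baseline):
    """Profile-based: mean and standard deviation of successful-login hour per subject."""
    hours = defaultdict(list)
    for r in baseline:
        if r["action"] == "login" and r["exception"] is None:
            hours[r["subject"]].append(r["hour"])
    # stdev needs at least two observations; users with fewer get no profile yet
    return {s: (statistics.mean(h), statistics.stdev(h)) for s, h in hours.items() if len(h) >= 2}


def profile_alerts(profiles, records, z_limit=Z_LIMIT):
    """Flag successful logins whose hour deviates from the subject's own profile."""
    alerts = []
    for r in records:
        if r["action"] != "login" or r["exception"] is not None:
            continue
        prof = profiles.get(r["subject"])
        if prof is None:
            continue                      # nothing to compare against yet: neither normal nor anomalous
        mean, sd = prof
        # a user who always logs in at the same hour has sd == 0: any other hour deviates
        deviates = (r["hour"] != mean) if sd == 0 else abs(r["hour"] - mean) / sd > z_limit
        if deviates:
            alerts.append((r["subject"], r["hour"]))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    print("threshold alerts:", threshold_alerts(NEW_RECORDS))         # ['bob']
    print("profile alerts:", profile_alerts(profiles, NEW_RECORDS))   # [('alice', 3)]
```

Note that the threshold rule fires on bob's failures without any profile, while the profile rule ignores carol until enough of her history exists to build one; this is the masquerader-versus-misfeasor gap the next slide mentions.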
Rule-Based Intrusion Detection
• Define a set of rules to decide about behaviour
• Two broad categories
   – Anomaly detection: historical audit records are analyzed to generate rules that describe patterns.
      • Rules may represent past behaviour patterns of users, privileges, programs, time slots, terminals
      • Current behaviour is observed and matched against the set of rules
   – Penetration identification: a set of rules for identifying known penetrations or penetrations that would exploit known weaknesses.
      • Rules can be defined to identify suspicious behaviour
      • Analyze attack tools and scripts to generate rules.

Distributed Intrusion Detection
• Single-system stand-alone IDS vs distributed IDS
• More effective defense
   – Coordination and cooperation among IDSs across the network
   – Different audit record formats
   – Different collection and analysis points
   – Confidentiality and integrity of collected data during transmission
   – Centralized architecture (one collection point) or decentralized (more than one collection point coordinating and exchanging information)

Distributed Intrusion Detection
• Host agent module
   – Audit collection module operating in the background
   – Collects data on security-related events
   – Transmits to the central manager
• LAN monitor agent module
   – Operates like the host agent module
   – Analyzes LAN traffic
• Central manager module
   – Receives reports
   – Processes and correlates these reports to detect intrusion

Distributed Intrusion Detection
• Agent architecture
   – The agent captures each record from the native audit collection system
   – A filter is applied to retain only security-relevant records
   – Records are transmitted in Host Audit Record (HAR) format
   – A template-driven logic module analyzes the records
   – Agent protocol machine
      • Lowest level: scans for notable events
      • Highest level: looks for sequences of events (signatures)
      • Also looks for anomalous behaviour based on profiles
   – If suspicious, an alert is sent to the central manager (expert system)
   – The central manager may also query agents for copies of HARs
(Henric Johnson)

Passwords
• Most common weaknesses in a company
   – Weak passwords
   – Uncontrolled devices on the network
• Most systems and software have default passwords!
• Characteristics of a strong password
   – Changes every 45 days
   – Minimum length of 10 characters
   – Contains at least one letter, one number and one special character
   – Cannot contain dictionary words
   – Cannot reuse the previous five passwords
   – Minimum password age of 10 days
   – After 5 failed logon attempts, the account is locked for several hours

UNIX passwords
• Stored in a publicly readable file, /etc/passwd (any user on the system could read the file, e.g. more /etc/passwd)
   username:password:UID:GID:full name:home directory:shell
   sch:OZFGkH258h8yg:1013:10:Stefan Chevul:/home/sch/:/bin/csh
• Later UNIX versions split the passwd file into 2 files. The /etc/passwd file still exists and contains everything except the encrypted passwords. These are stored in the /etc/shadow file, which is only visible to "root".
   username:password:last:min:max:warning:expire:disable
   sch:OZFGkH258h8yg:::::::

cat passwd
   root:x:0:0:Super-User:/:/sbin/sh
   daemon:x:1:1::/:
   bin:x:2:2::/usr/bin:
   sys:x:3:3::/:
   adm:x:4:4:Admin:/var/adm:
   lp:x:71:8:Line Printer Admin:/usr/spool/lp:
   uucp:x:5:5:uucp Admin:/usr/lib/uucp:
   smmsp:x:25:25:SendMail Message Submission Program:/:
   nobody:x:60001:60001:Nobody:/:
   noaccess:x:60002:60002:No Access User:/:

ypcat passwd
• ypcat: lists all the users and groups in the network-wide password map
   gymsjo:PgiEmZuEHpmY2:3227:3200:STEFAN JOHANSSON:/home/dogmatix/gym/gymsjo:/usr/local/bin/tcsh
   frpe03:EoFPa/t0McqN6:470078:20031:FREDRIK PERSSON:/home/dogmatix/students/20031/frpe03:/usr/local/bin/tcsh
   etmf01:Ck34HVjHPI3gQ:740030:20011:Etienne Mfoumou:/home/dogmatix/students/20011/etmf01:/usr/local/bin/tcsh
   rope05:i/mTnW1jL7vmM:490146:20051:ROBIN PERSSON:/home/obelix/students/20051/rope05:/usr/local/bin/tcsh
   nasc04:HfcXJTuIB7Bh2:500001:20041:Nadzida Saric:/home/obelix/students/20041/nasc04:/usr/local/bin/tcsh

Salt
• The salt serves three purposes:
   – Prevents duplicate passwords (two users with the same password get different stored values).
   – Effectively increases the length of the password.
   – Prevents the use of hardware implementations of DES.

UNIX Password Scheme
(Figure: loading a new password)

UNIX Password Scheme
(Figure: verifying a password)
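The one-way-function protection, the salt and the two figures (loading a new password, verifying a password), as an added example that is not the lecture's or any UNIX implementation's code. Assumptions: PBKDF2-HMAC-SHA256 stands in for the crypt(3)/DES function of the classic scheme, the salt is 16 random bytes, and both are stored hex-encoded as salt$hash in the password field of a shadow-style record; the user names and passwords are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000   # assumed work factor for the stand-in one-way function


def load_new_password(password: str, salt: Optional[bytes] = None) -> str:
    """'Loading a new password': draw a fresh salt, hash salt + password, store both."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # the stored value is the salt and the one-way function output; the password itself is never kept
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """'Verifying a password': recompute with the stored salt and compare to the stored value."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def shadow_line(username: str, stored: str) -> str:
    """Build a shadow-style record: username:password:last:min:max:warning:expire:disable."""
    return f"{username}:{stored}:::::::"


def stored_value(shadow: str) -> str:
    """Pull the password field back out of a shadow-style record."""
    return shadow.split(":")[1]


if __name__ == "__main__":
    alice = load_new_password("correct horse")
    bob = load_new_password("correct horse")
    print("same password, same stored value?", alice == bob)       # False: different salts
    record = shadow_line("alice", alice)
    print(verify_password("correct horse", stored_value(record)))  # True
    print(verify_password("wrong", alice))                          # False
```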
Password Selection Strategies
• User education
   – Unlikely to succeed
   – Many users ignore guidelines
• Computer-generated passwords
   – Random in nature; problem in memorizing

Password Selection Strategies
• Reactive password checking
   – The system periodically runs a password cracker to find guessable passwords
   – Cancel guessed passwords and notify users
   – Resource-intensive job
• Proactive password checking
   – The user is allowed to choose a password
   – The system checks whether the password is allowable or not
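A proactive password checker, as an added example that is not the lecture's code, enforcing the strong-password characteristics listed on the Passwords slide (minimum length 10, at least one letter, one number and one special character, no dictionary words, no reuse of the previous five, minimum age 10 days, change every 45 days). The dictionary is a small constructed stand-in for a real word list, and the history is held as plain strings only to keep the example short; a real system keeps hashes and compares by re-hashing.

```python
import re

MIN_LENGTH = 10
HISTORY_DEPTH = 5       # cannot reuse the previous five passwords
MIN_AGE_DAYS = 10       # minimum password age
MAX_AGE_DAYS = 45       # changes every 45 days

# Constructed stand-in for a dictionary file; only words of 4+ letters are matched as substrings.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "admin"}


def check_password(candidate, history, dictionary=DICTIONARY):
    """Proactive check: return the rules a candidate breaks; an empty list means allowable.

    `history` holds the user's previous passwords, oldest first, newest last."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    lowered = candidate.lower()
    if any(word in lowered for word in dictionary if len(word) >= 4):
        problems.append("contains dictionary word")
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append("reuses a recent password")
    return problems


def age_status(days_since_change):
    """Apply the age rules: 'too-young' blocks a change, 'expired' forces one."""
    if days_since_change < MIN_AGE_DAYS:
        return "too-young"
    if days_since_change >= MAX_AGE_DAYS:
        return "expired"
    return "ok"


if __name__ == "__main__":
    print(check_password("Welcome2024!!", []))        # ['contains dictionary word']
    print(check_password("short1!", []))              # ['too short']
    print(check_password("Tr0ub4dor&3xyz", []))       # []
    print(age_status(3), age_status(20), age_status(45))   # too-young ok expired
```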
Password Cracking: Importance
• From a security standpoint, password cracking can help you build and maintain a more secure system.
• Reasons why password cracking is useful
   – To audit the strength of passwords
   – To recover forgotten / unknown passwords
   – To migrate users
   – To use as a checks-and-balances system
• Main types of password cracking attacks:
   – Dictionary attacks
   – Brute force attacks
   – Hybrid attacks

Password Cracking: Attacks
                              Dictionary attack     Brute force attack     Hybrid attack
   Speed of the attack        Fast                  Slow                   Medium
   Amount of passwords        Finds only words      Finds every password   Finds only passwords that have
   cracked                                                                 a dictionary word as the base

Password Cracking: Programs
• NT password cracking programs:
   – L0phtcrack
   – NTSweep
   – NTCrack
   – PWDump2
• UNIX password crackers:
   – Crack
   – John the Ripper
   – XIT
   – Slurpie

Covering the Tracks
• After an attacker has gained access and accomplished what he wanted to do, one of the last steps he performs is covering his tracks: hiding the evidence that he was ever there.
• To do this, there are 4 main areas an attacker is concerned with:
   1. Log files
   2. File information
   3. Additional files
   4. Network traffic