
Hiding Intrusions : From the Abnormal to the Normal and Beyond

Hiding Intrusions : From the Abnormal to the Normal and Beyond. Kymie Tan, John McHugh and Kevin Killourhy Presented in 5 th Information Hiding Workshop, 7-9 October 2002 Published in LNCS 2578, pp1-17, Springer-Verlag, 2002.





Presentation Transcript


  1. Hiding Intrusions: From the Abnormal to the Normal and Beyond
  Kymie Tan, John McHugh and Kevin Killourhy
  Presented in 5th Information Hiding Workshop, 7-9 October 2002
  Published in LNCS 2578, pp1-17, Springer-Verlag, 2002
  “We were hoping to gain insights that might move toward a more theoretical basis for understanding intrusions. Instead, we seem to have discovered an interesting approach for serious intruders.”
  Presented by Anne Crockett

  2. Host-based Intrusion Detection
  There are two types of host-based IDS:
  • Signature-based
    • matches attack descriptions to sensed data (like virus checkers)
  • Anomaly-based
    • sensors produce a trace log of data that is analysed for anomalies
    • equate “unusual or abnormal [behaviour] with intrusions”
    • require training data to determine normal behaviour
  John McHugh: “Intrusion and Intrusion Detection”, International Journal of Information Security 1, 2001, p14-35

  3. Summary
  This paper addresses the assumption of anomaly detectors that intrusions cause “anomalous manifestations”. The authors believe this assumption is wrong and try to prove it by describing attacks that are not detectable by an anomaly-based Intrusion Detection System (IDS):
  • First they describe the attacks and the system being attacked
    • UNIX running an anomaly detector called “Stide”
  • Next they describe how Stide detects attacks
  • They detail the weakness in Stide that they exploited
  • Lastly they show how the attack code is modified to prevent Stide detecting it
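As an added example (not code from the paper or from this presentation), a minimal stide-style detector in Python: it builds the normal database from length-k windows of system-call traces and reports windows of a test trace that are absent from it. It assumes Stide works as published by Forrest et al. (fixed-length sliding windows over system-call sequences); the traces are constructed, and smallest_detecting_window shows the detector-evaluation point at stake in the paper, that a foreign sequence longer than the window is invisible until k is raised.

```python
from typing import Iterable, List, Optional, Set, Tuple

Window = Tuple[str, ...]


def windows(trace: List[str], k: int) -> List[Window]:
    """All length-k sliding windows over a system-call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def train(normal_traces: Iterable[List[str]], k: int) -> Set[Window]:
    """Normal database: every length-k sequence seen during training."""
    db: Set[Window] = set()
    for trace in normal_traces:
        db.update(windows(trace, k))
    return db


def detect(db: Set[Window], trace: List[str], k: int) -> Tuple[int, List[Window]]:
    """Stide-style check: count the windows of a test trace absent from db."""
    misses = [w for w in windows(trace, k) if w not in db]
    return len(misses), misses


def smallest_detecting_window(normal_traces: List[List[str]],
                              trace: List[str], k_max: int) -> Optional[int]:
    """Smallest window size at which the trace produces any mismatch.

    A foreign sequence whose shortest unseen sub-sequence has length n only
    shows up once k >= n; below that the detector is blind to it.
    """
    for k in range(1, k_max + 1):
        if detect(train(normal_traces, k), trace, k)[0] > 0:
            return k
    return None


# Constructed sample traces (assumption: not taken from the paper).
NORMAL_TRACES = [
    ["open", "read", "close", "exit"],
    ["open", "read", "read", "close", "exit"],
    ["read", "write", "exit"],
]
# Every length-2 window of this trace is normal, yet "open read write"
# never occurs in training: the anomaly is three calls long.
TEST_TRACE = ["open", "read", "write", "exit"]

if __name__ == "__main__":
    for k in (2, 3):
        count, misses = detect(train(NORMAL_TRACES, k), TEST_TRACE, k)
        print(f"k={k}: {count} mismatch(es) {misses}")
    print("detected from k =", smallest_detecting_window(NORMAL_TRACES, TEST_TRACE, 6))
```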

  4. Critical Comment 1
  The paper was very similar to an earlier article written by Tan, Killourhy & Roy
  • In fact, some sentences were identical! Why don’t you read the other paper and compare them?
  • “Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits”, 5th International Symposium, RAID 2002, LNCS 2516, Springer-Verlag, pp54-73
    • RAID = Recent Advances in Intrusion Detection
  • One term they used extensively is “manifestations” but they never define it in “Hiding Intrusions…”
    • The omission of the definition makes their argument harder to understand.
    • They did define it in their earlier paper: “sequence of system calls issued by the exploited/privileged system program, and due to the presence and activity of the exploit.”

  5. Appreciative Comment
  The authors dared to challenge the long held view that all intrusions produce anomalies. Their argument was convincing and logically structured:
  • identified a weakness (blind spot) in Stide
  • exploited it using several simple and well described attacks which they downloaded from the Internet
  • described how they evaded detection by either
    • making the attack’s manifestations appear normal
    • or finding a blind spot to hide it in.

  6. Examining the Argument (1)
  Do all intrusions cause “anomalous manifestations”?
  Yes: Dorothy Denning (1987): “exploitation of a system’s vulnerabilities involves abnormal use of the system; therefore, security violations could be detected from abnormal patterns of system usage.”
  No: Tan, McHugh & Killourhy (2002): “we discovered techniques whereby intrusive activities with anomalous manifestations could be modified in such a way as to be indistinguishable from arguable normal activities”

  7. Examining the Argument (2)
  Given
    I = Intrusion (exploitation of vulnerability)
    E = Evidence of abnormal use
  Denning states: I → E
  Tan et al claim: I → ¬E
  Tan et al demonstrate convincingly that their attacks can be hidden. Then they extend their argument by saying: “We speculate that similar attacks are possible against other anomaly based IDS…”

  8. Examining the Argument (3)
  Consider these two elements in the attack situation:
    X = anomaly detector
    Y = operating system
  Tan et al speculate: ∀X ∀Y: I → ¬E
  • But consider that…
    • Stide is an open source anomaly detector but not all other IDSs are
    • Their approach requires the attacker to understand intimately the weaknesses of Stide
    • They must carefully manipulate the manifestations to avoid being detected

  9. Critical Comment 2
  Their attacks are designed to exploit privileged Unix system processes; however, their description of the “kernel” attack refers to how the Linux kernel enforces security.
  • Main criticism: It is unclear whether the kernel attack was run on Linux or Unix.
  • Side issue: The three programs they exploited can be patched with packs downloadable from RedHat Linux.
    • So, is Linux equally vulnerable to all three attacks?

  10. Conclusion and Question
  The authors prove that hiding evidence of an intrusion is possible in their particular case. If so, they state “[our] results have implications for both detector design and for detector evaluation” but fail to explain what those implications are.
  • What are the implications of their research?
  • Are you convinced that their intrusion hiding approach is a threat to other anomaly detectors?
