application intrusion detection n.
Skip this Video
Loading SlideShow in 5 Seconds..
Application Intrusion Detection PowerPoint Presentation
Download Presentation
Application Intrusion Detection

Application Intrusion Detection

146 Views Download Presentation
Download Presentation

Application Intrusion Detection

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Application Intrusion Detection Anita Jones Robert Sielken University of Virginia

  2. Intrusion Detection determining whether or not some entity, the intruder, has attempted to gain, or has gained unauthorized access to the system Intruder Types External Internal -- our greater concern Introduction Application Intrusion Detection

  3. Assume the Operating System as the basis Use what an OS knows about -- OS semantics users, processes, devices controls on access and resource usage Record events in the life of the OS Use OS audit records State of Practice OS Intrusion Detection Systems -- OS IDS Application Intrusion Detection

  4. Anomaly Detection assume that behavior can be characterized statically -- by known, fixed data encoding dynamically -- by patterns of event sequences or by threshold limits on event occurrences (e.g. system calls) detect errant behavior that deviates from expected, normal behavior Misuse Detection look for known patterns (signatures) of intrusion, typically as the intrusion unfolds OS IDS - the two Approaches Application Intrusion Detection

  5. Anomaly Detection Static: e.g. Tripwire, Self-Nonself Dynamic: e.g. NIDES, Pattern Matching (UNM) Misuse Detection e.g. NIDES, MIDAS, STAT Networks are handled as “extensions” I.e. Use same two approaches listed above Centralized: e.g. DIDS, NADIR, NSTAT Decentralized: e.g. GrIDS, EMERALD OS IDS - the two Approaches Application Intrusion Detection

  6. OS IDS -- a Particular Problem • OS IDS has problems when • anomalous & normal behavior can’t be distinctly characterized • OS IDS has no pattern for a newly invented intrusion (misuse) • But, the greatest problem is • to distinguish abusive internal (legit user) activity Application Intrusion Detection

  7. An OS IDSis inherently limitedby the semantics of the OS You can’t talk about something for which you have no words!

  8. A Complementary Approach Assume that the OS IDS does its job. Use the semantics of the application as a further basis for detection of intruders Application Intrusion Detection App IDS

  9. App IDS -- What’s Possible? • How do you define intrusion in the context of (in the semantics of) an application? • Can an intrusion be “seen”? • Seen in progress? • Can intrusive behavior be linked to users? • Is there a richer notion of history (of intrusion)? • Is there a richer notion of “abused system state”? Application Intrusion Detection

  10. App IDS -- Guiding Questions • Opportunity – what types of intrusions can be detected by an AppIDS? • Effectiveness – how well can those intrusions be detected by an AppIDS? • Cooperation – how can an AppIDS cooperate with the OS IDS to be more effective than either alone? Application Intrusion Detection

  11. Electronic Toll Collection hierarchical numerous devices distributed complementary device state values monitors external behavior accounting component Health Record Management non-hierarchical; modular no devices beyond controlling computer limited access in app’n bound by known physical & medical realities no financial component complex scheduling components Case Studies Application Intrusion Detection

  12. Devices Toll Lane Tag Sensor Automated Coin Basket Toll Booth Attendant Loop Sensor Axle Reader Weigh-In-Motion Scale Traffic Signal Video Camera Electronic Toll Collection (ETC) • - Vehicle • Tag (Active/Passive) Application Intrusion Detection

  13. ETC - Hierarchy Application Intrusion Detection

  14. Need Analysis Technique • What intrusions make sense in app’n terms? • How do you derive them? • Is there a disciplined analysis approach that ensures that “all” intrusions are found? • Once an intrusion is defined, is there a way to monitor for it within the application? • Is there a relation to the OS, and information that it has? Application Intrusion Detection

  15. Threat Categories Specific Intrusions Methods Relations ETC - One Approach • Start with the known threat categories • How can they be manifested in app’n terms • Define app’n specific intrusions • Determine method that abuser would use • Define relations based on app’n state values that can be the basis for monitoring method Application Intrusion Detection

  16. Denial of Service Disclosure Manipulation Masqueraders Replay Repudiation Physical Impossibilities Device Malfunctions Threat Categories Application Intrusion Detection

  17. ETC - Appl’n Specific Intrusions • Annoyance (3 methods) • Steal Electronic Money (10 methods) • Steal Vehicle (4 methods) • Device Failure (1 method) • Surveillance (2 methods) Threat Categories Specific Intrusions Methods Relations Application Intrusion Detection

  18. 5 relations ETC Intrusion - Steal Service 3 methods Application Intrusion Detection

  19. Health Record Management (HRM) • Components • Patient Records • Orders – lists of all requests for drugs, tests, or procedures • Schedule – schedule for rooms for patient occupancy, laboratory tests, or surgical procedures (does not include personnel) • Users • doctors, laboratory technicians, and nurses Application Intrusion Detection

  20. HRM - App’n Specific Intrusions • Annoyance (4 methods) • Steal Drugs (1 method) • Patient Harm (6 methods) • Surveillance (2 methods) Threat Categories Specific Intrusions Methods Relations Application Intrusion Detection

  21. HRM - Patient Harm Intrusion 6 methods 4 relations Application Intrusion Detection

  22. Similarities detect intrusions by evaluating relations to differentiate between anomalous and normal behavior centralized or decentralized (hierarchical) similar threat categories Differences anomaly detection using statistical and rule-based app’n relations internal intruders/abusers event causing entity outside system resolution -- finer grain tightness of thresholds Relate OS IDS to App IDS Application Intrusion Detection

  23. Dependencies OS IDS on App IDS None App IDS on OS IDS basic security services prevent abuser from bypassing application control to access application components Cooperation correlate audit/event record communication bi-directional request-response complications terms of communication resource usage - lowest common denominator Relate OS IDS to App IDS (cont’d) Application Intrusion Detection

  24. Opportunity app’n semantics are a rich basis for detecting internal intruders (abusers) can detect intrusions not visible to OS intrusions relate to real world! monitors similar: rule-based & statistical relations Effectiveness grain and units of resolution much richer tighter of thresholds less ambiguity of anomalous and normal behavior Conclusion -- App IDS Application Intrusion Detection

  25. Have developed an analysis technique that permits systematic derivation of intrusions; apply more broadly heuristic; no guarantee of completeness Create definition of attacks; contrast to OS attacks Are there new categories of attacks -- beyond what we see in OS’s/networks -- especially latent/lurking attacks Focus on critical national infrastructure applications Describe in CISL or other extant languages for attack description Conclusion -- Next Application Intrusion Detection

  26. Explore basis for a “generic” App IDS Define generic architecture and a set of tools To what extent can OS techniques/tools be extended Determine how and when OS IDS & App IDS can exchange questions & answers Resolve semantic mismatch Conclusion -- Next (cont) Application Intrusion Detection