
Network Security Essentials: Applications and Standards

Sixth Edition

Chapter 10

Malicious Software

Copyright © 2017 Pearson Education, Inc. All Rights Reserved


There are application-specific security mechanisms for a number of application areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets Layer), and others. However, users have security concerns that cut across protocol layers. For example, an enterprise can run a secure, private IP network by disallowing links to untrusted sites, encrypting packets that leave the premises, and authenticating packets that enter the premises. By implementing security at the IP level, an organization can ensure secure networking not only for applications that have security mechanisms but also for the many security-ignorant applications.

IP-level security encompasses three functional areas: authentication, confidentiality, and key management. The authentication mechanism assures that a received packet was, in fact, transmitted by the party identified as the source in the packet header. In addition, this mechanism assures that the packet has not been altered in transit. The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties. The key management facility is concerned with the secure exchange of keys.

We begin this chapter with an overview of IP security (IPsec) and an introduction to the IPsec architecture. We then look at each of the three functional areas in detail. Appendix D reviews Internet protocols.

Table 10.1 Terminology for Malicious Software (1 of 3)

Name                   Description
Virus                  Malware that, when executed, tries to replicate itself into other executable code; when it succeeds, the code is said to be infected. When the infected code is executed, the virus also executes.
Worm                   A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
Logic bomb             A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act.
Trojan horse           A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.
Backdoor (trapdoor)    Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality.
Mobile code            Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
Exploits               Code specific to a single vulnerability or set of vulnerabilities.


(This table can be found on page 323 in the textbook.)

The terminology in this area presents problems because of a lack of universal agreement on all of the terms and because some of the categories overlap. Table 10.1 is a useful guide to some of the terms in use.

Table 10.1 Terminology for Malicious Software (2 of 3)

Name                   Description
Downloaders            Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail.
Auto-rooter            Malicious hacker tools used to break into new machines remotely.
Kit (virus generator)  Set of tools for generating new viruses automatically.
Spammer programs       Used to send large volumes of unwanted e-mail.
Flooders               Used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack.
Keyloggers             Captures keystrokes on a compromised system.
Rootkit                Set of hacker tools used after an attacker has broken into a computer system and gained root-level access.
Zombie, bot            Program installed on an infected machine that is activated to launch attacks on other machines.


Table 10.1 Terminology for Malicious Software (3 of 3)

Name                   Description
Spyware                Software that collects information from a computer and transmits it to another system.
Adware                 Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.


A Broad Classification of Malware (1 to 4)

Can be classified into two broad categories:

Based first on how it spreads or propagates to reach the desired targets

Then on the actions or payloads it performs once a target is reached

Propagation mechanisms:

Include infection of existing executable or interpreted content by viruses that is subsequently spread to other systems


One of the two most publicized threats to security is the intruder (the other is viruses), often referred to as a hacker or cracker. In an important early study of intrusion, Anderson [ANDE80] identified three classes of intruders:

• Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account

• Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges

• Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection

The masquerader is likely to be an outsider, the misfeasor generally is an insider, and the clandestine user can be either an outsider or an insider.

A Broad Classification of Malware (2 to 4)

Exploit of software vulnerabilities either locally or over a network by worms or drive-by downloads to allow the malware to replicate

Social engineering attacks that convince users to bypass security mechanisms to install trojans or to respond to phishing attacks

Earlier approaches to malware classification distinguished between:

Those that need a host program, being parasitic code such as viruses


A Broad Classification of Malware (3 to 4)

Those that are independent, self-contained programs run on the system such as worms, trojans, and bots

Another distinction used was:

Malware that does not replicate, such as trojans and spam e-mail

Malware that does, including viruses and worms

Payload actions performed by malware once it reaches a target system can include:

Corruption of system or data files


A Broad Classification of Malware (4 to 4)

Theft of service in order to make the system a zombie agent of attack as part of a botnet

Theft of information from the system, especially of logins, passwords, or other personal details by keylogging or spyware programs

Stealthing where the malware hides its presence on the system from attempts to detect and block it

Blended attack

Uses multiple methods of infection or propagation to maximize the speed of contagion and the severity of the attack


Attack Kits

Initially the development and deployment of malware required considerable technical skill by software authors

This changed with the development of virus-creation toolkits in the early 1990s and more general attack kits in the 2000s

These toolkits are often known as crimeware

Include a variety of propagation mechanisms and payload modules that even novices can combine, select, and deploy

Can easily be customized with the latest discovered vulnerabilities in order to exploit the window of opportunity between the publication of a weakness and the deployment of patches to close it

These kits greatly enlarged the population of attackers able to deploy malware


Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there. At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system.

[GRAN04] lists the following examples of intrusion:

• Performing a remote root compromise of an e-mail server

• Defacing a Web server

• Guessing and cracking passwords

• Copying a database containing credit card numbers

• Viewing sensitive data, including payroll records and medical information, without authorization

• Running a packet sniffer on a workstation to capture usernames and passwords

• Using a permission error on an anonymous FTP server to distribute pirated software and music files

• Dialing into an unsecured modem and gaining internal network access

• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password

• Using an unattended, logged-in workstation without permission

Attack Sources

Another significant malware development over the last couple of decades is the change from attackers being individuals to more organized and dangerous attack sources

These include politically motivated attackers, criminals, organized crime, organizations that sell their services to companies and nations, and national government agencies

This has significantly changed the resources available and motivation behind the rise of malware leading to development of a large underground economy involving the sale of attack kits, access to compromised hosts, and to stolen information


Advanced Persistent Threat (APT) (1 of 2)

Have risen to prominence in recent years

A well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets, usually business or political

APTs differ from other types of attack by their careful target selection, and persistent, often stealthy, intrusion efforts over extended periods

Aurora, RSA, APT1, and Stuxnet are often cited as examples

Named as a result of these characteristics:


Traditionally, those who hack into computers do so for the thrill of it or for status. The hacking community is a strong meritocracy in which status is determined by level of competence. Thus, attackers often look for targets of opportunity and then share the information with others. A typical example is a break-in at a large financial institution reported in [RADC04]. The intruder took advantage of the fact that the corporate network was running unprotected services, some of which were not even needed. In this case, the key to the break-in was the pcAnywhere application. The manufacturer, Symantec, advertises this program as a remote control solution that enables secure connection to remote devices. But the attacker had an easy time gaining access to pcAnywhere; the administrator used the same three-letter username and password for the program. In this case, there was no intrusion detection system on the 700-node corporate network. The intruder was only discovered when a vice-president walked into her office and saw the cursor moving files around on her Windows workstation.

Benign intruders might be tolerable, although they do consume resources and may slow performance for legitimate users. However, there is no way in advance to know whether an intruder will be benign or malign. Consequently, even for systems with no particularly sensitive resources, there is a motivation to control this problem. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to counter this type of hacker threat. In addition to using such systems, organizations can consider restricting remote logons to specific IP addresses and/or use virtual private network technology.

One of the results of the growing awareness of the intruder problem has been the establishment of a number of computer emergency response teams (CERTs). These cooperative ventures collect information about system vulnerabilities and disseminate it to systems managers. Hackers also routinely read CERT reports. Thus, it is important for system administrators to quickly insert all software patches to discovered vulnerabilities. Unfortunately, given the complexity of many IT systems, and the rate at which patches are released, this is increasingly difficult to achieve without automated updating. Even then, there are problems caused by incompatibilities resulting from the updated software. Hence the need for multiple layers of defense in managing security threats to IT systems.

Advanced Persistent Threat (APT) (2 of 2)

Advanced

The individual components may not necessarily be technically advanced, but are carefully selected to suit the chosen

Persistent

Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success

Threats

Threats to the selected targets as a result of the organized, capable, and well-funded attackers’ intent to compromise the specifically chosen targets


Viruses

Parasitic software fragments that attach themselves to some existing executable content

Can “infect” other programs or any type of executable content and modify them

The modification includes injecting the original code with a routine to make copies of the virus code, which can then go on to infect other content

One reason viruses dominated the malware scene in earlier years was the lack of user authentication and access controls on personal computer systems


Virus Structure (1 of 2)

A computer virus and many contemporary types of malware include one or more variants of each of these components:

Infection mechanism

The means by which a virus spreads or propagates, enabling it to replicate

Also referred to as the infection vector

Trigger

The event or condition that determines when the payload is activated or delivered


Organized groups of hackers have become a widespread and common threat to Internet-based systems. These groups can be in the employ of a corporation or government but often are loosely affiliated gangs of hackers. Typically, these gangs are young, often Eastern European, Russian, or southeast Asian hackers who do business on the Web [ANTE06]. They meet in underground forums with names like DarkMarket.org and theftservices.com to trade tips and data and coordinate attacks. A common target is a credit card file at an e-commerce server. Attackers attempt to gain root access. The card numbers are used by organized crime gangs to purchase expensive items and are then posted to carder sites, where others can access and use the account numbers; this obscures usage patterns and complicates investigation.

Whereas traditional hackers look for targets of opportunity, criminal hackers usually have specific targets, or at least classes of targets in mind. Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting.

IDSs and IPSs can also be used for these types of attackers, but may be less effective because of the quick in-and-out nature of the attack. For e-commerce sites, database encryption should be used for sensitive customer information, especially credit cards. For hosted e-commerce sites (provided by an outsider service), the e-commerce organization should make use of a dedicated server (not used to support multiple customers) and closely monitor the provider’s security services.

Virus Structure (2 of 2)

Sometimes known as a logic bomb

Payload

What the virus does, besides spreading

May involve damage or benign but noticeable activity


Virus Phases (1 of 2)

During its lifetime, a typical virus goes through the following four phases:

Dormant phase

The virus is idle

Will eventually be activated by some event

Not all viruses have this stage

Propagation phase

The virus places a copy of itself onto other programs or into certain system areas on the disk


Insider attacks are among the most difficult to detect and prevent. Employees already have access and knowledge about the structure and content of corporate databases. Insider attacks can be motivated by revenge or simply a feeling of entitlement. An example of the former is the case of Kenneth Patterson, fired from his position as data communications manager for American Eagle Outfitters. Patterson disabled the company’s ability to process credit card purchases during five days of the holiday season of 2002. As for a sense of entitlement, there have always been many employees who felt entitled to take extra office supplies for home use, but this now extends to corporate data. An example is that of a vice-president of sales for a stock analysis firm who quit to go to a competitor. Before she left, she copied the customer database to take with her. The offender reported feeling no animus toward her former employer; she simply wanted the data because it would be useful to her.

Although IDS and IPS facilities can be useful in countering insider attacks, other more direct approaches are of higher priority. Examples include the following:

• Enforce least privilege, only allowing access to the resources employees need to do their job.

• Set logs to see what users access and what commands they are entering.

• Protect sensitive resources with strong authentication.

• Upon termination, delete the employee’s computer and network access.

• Upon termination, make a mirror image of the employee’s hard drive before reissuing it. That evidence might be needed if your company information turns up at a competitor.

In this section, we look at the techniques used for intrusion. Then we examine ways to detect intrusion.

Virus Phases (2 of 2)

Triggering phase

The virus is activated to perform the function for which it was intended

Can be caused by a variety of system events

Execution phase

The function is performed


Figure 10.1 Example Virus Logic


Traditional machine-executable virus code can be prepended or postpended to some executable program, or it can be embedded into the program in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program.

A very general depiction of virus structure is shown in Figure 10.1a. In this case, the virus code, V, is prepended to infected programs, and it is assumed that the entry point to the program, when invoked, is the first line of the program.

The infected program begins with the virus code and works as follows. The first line of code labels the program, which then begins execution with the main action block of the virus. The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus. When the program is invoked, control is immediately transferred to the main virus program. The virus program may first seek out uninfected executable files and infect them. Next, the virus may execute its payload if the required trigger conditions, if any, are met. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and an uninfected program.

A virus such as the one just described is easily detected because an infected version of a program is longer than the corresponding uninfected one. A way to thwart such a simple means of detecting a virus is to compress the executable file so that both the infected and uninfected versions are of identical length. Figure 10.1b shows in general terms the logic required. The key lines in this virus are labeled with times, and Figure 10.2 illustrates the operation.
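The two detection outcomes described above, as an added example that is not part of the textbook or its slides: an integrity checker that records the size and SHA-256 of each trusted program and later reports what changed. The Figure 10.1a virus grows the file, so a length comparison alone catches it; the Figure 10.1b compression virus keeps the length constant, so only the hash comparison catches it. The files, their contents, and the way they are altered are constructed stand-ins (the demo simply overwrites bytes; no virus code is involved).

```python
"""Integrity baseline for trusted executables (added example, not from the book)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    size: int
    sha256: str


def fingerprint(data: bytes) -> Fingerprint:
    return Fingerprint(len(data), hashlib.sha256(data).hexdigest())


def record_baseline(paths):
    """Snapshot each trusted program while it is known to be clean."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as f:
            baseline[path] = fingerprint(f.read())
    return baseline


def check(baseline):
    """Compare the current files with the baseline and explain what changed."""
    verdicts = {}
    for path, known in baseline.items():
        with open(path, "rb") as f:
            now = fingerprint(f.read())
        if now == known:
            verdicts[path] = "unchanged"
        elif now.size != known.size:
            # Figure 10.1a case: a crude length check would also have fired.
            verdicts[path] = "modified (size and hash differ)"
        else:
            # Figure 10.1b case: the length check alone would have missed it.
            verdicts[path] = "modified (same size, hash differs)"
    return verdicts


def demo():
    """Constructed scenario: three copies of a stand-in program image, two of
    which are overwritten after the baseline is taken to mimic the two
    outcomes in Figure 10.1. No real infection code is involved."""
    workdir = tempfile.mkdtemp()
    image = bytes(range(256)) * 4  # constructed stand-in for a program image
    paths = {name: os.path.join(workdir, name)
             for name in ("clean.bin", "grown.bin", "same_len.bin")}
    for path in paths.values():
        with open(path, "wb") as f:
            f.write(image)
    baseline = record_baseline(paths.values())

    # Figure 10.1a outcome: bytes prepended, so the file grows.
    with open(paths["grown.bin"], "wb") as f:
        f.write(b"constructed-prefix" + image)
    # Figure 10.1b outcome: contents replaced, length preserved.
    with open(paths["same_len.bin"], "wb") as f:
        f.write(bytes(len(image)))

    return {os.path.basename(p): v for p, v in check(baseline).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The baseline itself must be stored somewhere the infected machine cannot rewrite (read-only media or a separate host), otherwise a virus that modifies programs can modify the baseline too.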

Figure 10.2 A Compression Virus


Virus Classification By Target (1 of 2)

Includes the following categories:

Boot sector infector

Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus

File infector

Infects files that the operating system or shell consider to be executable


The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a backdoor into the system. Alternatively, the intruder attempts to acquire information that should have been protected. In some cases, this information is in the form of a user password. With knowledge of some other user’s password, an intruder can log in to a system and exercise all the privileges accorded to the legitimate user.

Typically, a system must maintain a file that associates a password with each authorized user. If such a file is stored with no protection, then it is an easy matter to gain access to it and learn passwords. The password file can be protected in one of two ways:

• One-way function: The system stores only the value of a function based on the user’s password. When the user presents a password, the system transforms that password and compares it with the stored value. In practice, the system usually performs a one-way transformation (not reversible), in which the password is used to generate a key for the one-way function and in which a fixed-length output is produced.

• Access control: Access to the password file is limited to one or a very few accounts.
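The one-way-function approach above, as an added example that is not part of the textbook: the password is used as key material for PBKDF2-HMAC-SHA256 (a standard one-way function available in Python's hashlib), the output has a fixed length, and a random salt per user makes identical passwords store differently. The record layout "pbkdf2_sha256$iterations$salt$digest", the ITERATIONS work factor, and the dummy-record timing measure are assumptions chosen for the illustration.

```python
"""Password file protected by a salted one-way function (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption: work factor; raise it as hardware allows
ALGORITHM = "pbkdf2_sha256"


def make_record(password: str, salt: bytes = b"") -> str:
    """One-way transform: the stored value cannot be reversed to the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-run the transform with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Dummy record so that a login attempt for an unknown user costs the same as
# one for a known user (assumption: a simple timing-equalisation measure).
DUMMY_RECORD = make_record("not-a-real-password")


def store_user(password_file: dict, user: str, password: str) -> None:
    """The password file holds only the salted digest, never the password."""
    password_file[user] = make_record(password)


def login(password_file: dict, user: str, password: str) -> bool:
    record = password_file.get(user)
    if record is None:
        verify(password, DUMMY_RECORD)
        return False
    return verify(password, record)


if __name__ == "__main__":
    pw_file = {}
    store_user(pw_file, "alice", "correct horse battery staple")
    print(pw_file["alice"])
    print(login(pw_file, "alice", "correct horse battery staple"))
```

The two protections in the text complement each other: access control keeps the file away from most accounts, and the one-way function ensures that if the file is nevertheless read, the intruder still has to guess each password against its own salt and work factor.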

Virus Classification By Target (2 of 2)

Macro virus

Infects files with macro or scripting code that is interpreted by an application

Multipartite virus

Infects files in multiple ways


Virus Classification by Concealment Strategy (1 of 2)

Includes the following categories:

Encrypted virus

Portion of the virus creates a random encryption key and encrypts the remainder of the virus

When an infected program is invoked, the virus uses the stored random key to decrypt the virus

When the virus replicates, a different random key is selected

Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe


Organized groups of hackers have become a widespread and common threat to Internet-based systems. These groups can be in the employ of a corporation or government but often are loosely affiliated gangs of hackers. Typically, these gangs are young, often Eastern European, Russian, or southeast Asian hackers who do business on the Web [ANTE06]. They meet in underground forums with names like DarkMarket.org and theftservices.com to trade tips and data and coordinate attacks. A common target is a credit card file at an e-commerce server. Attackers attempt to gain root access. The card numbers are used by organized crime gangs to purchase expensive items and are then posted to carder sites, where others can access and use the account numbers; this obscures usage patterns and complicates investigation.

Whereas traditional hackers look for targets of opportunity, criminal hackers usually have specific targets, or at least classes of targets in mind. Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting.

IDSs and IPSs can also be used for these types of attackers, but may be less effective because of the quick in-and-out nature of the attack. For e-commerce sites, database encryption should be used for sensitive customer information, especially credit cards. For hosted e-commerce sites (provided by an outsider service), the e-commerce organization should make use of a dedicated server (not used to support multiple customers) and closely monitor the provider’s security services.

Virus Classification by Concealment Strategy (2 of 2)

Stealth virus

A form of virus explicitly designed to hide itself from detection by antivirus software

The entire virus, not just a payload, is hidden

Polymorphic virus

A virus that mutates with every infection, making detection by the “signature” of the virus impossible

Metamorphic virus

Mutates with every infection

Rewrites itself completely at each iteration, increasing the difficulty of detection

May change their behavior as well as their appearance


Macro and Scripting Viruses

Macro viruses infect scripting code used to support active content in a variety of user document types

Threatening for a number of reasons:

A macro virus is platform independent

Macro viruses infect documents, not executable portions of code

Macro viruses are easily spread, as the documents they exploit are shared in normal use

Because macro viruses infect user documents rather than system programs, traditional file system access controls are of limited use in preventing their spread
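Because file system access controls are of limited use here, a practical defense is to inspect documents for macro content before they reach users. The following is an added example, not from the textbook: Office Open XML files (.docx, .xlsm, and so on) are ZIP packages in which a VBA macro project is stored as a part named vbaProject.bin and declared with the content type application/vnd.ms-office.vbaProject, so a checker can open the package and look for either. The sample packages built here are constructed stand-ins containing only the parts the check looks at, not real Word files.

```python
"""Flagging macro-bearing Office documents (added example, not from the book)."""
import io
import os
import zipfile

VBA_PART_NAME = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def find_macro_parts(document: bytes) -> list:
    """Return the names of VBA project parts found in an OOXML package."""
    try:
        package = zipfile.ZipFile(io.BytesIO(document))
    except zipfile.BadZipFile:
        return []   # not OOXML; legacy binary .doc/.xls need an OLE parser instead
    hits = [name for name in package.namelist()
            if name.lower().endswith(VBA_PART_NAME)]
    try:
        content_types = package.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        content_types = ""
    # A package can declare the VBA content type even if the part was renamed.
    if VBA_CONTENT_TYPE in content_types and not hits:
        hits.append("[Content_Types].xml declares a VBA project")
    return hits


def classify(filename: str, document: bytes) -> str:
    """Macro-enabled extensions are expected to carry VBA; other extensions are not."""
    parts = find_macro_parts(document)
    if not parts:
        return "no VBA project found"
    ext = os.path.splitext(filename)[1].lower()
    if ext in MACRO_EXTENSIONS:
        return "macro-enabled document: " + ", ".join(parts)
    return f"suspicious: VBA project inside a {ext} file"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal package: only the parts this check inspects."""
    types = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             '<Default Extension="xml" ContentType="application/xml"/>']
    if with_macro:
        types.append(f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "".join(types))
        package.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify("report.docm", build_sample(True)))
    print(classify("report.docx", build_sample(True)))
    print(classify("report.docx", build_sample(False)))
```

A gateway or mail filter can run this check on attachments and either quarantine macro-bearing files or strip the VBA part, which addresses the spread path (shared documents) rather than relying on per-file permissions.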


Worms

A program that actively seeks out more machines to infect

Upon activation, the worm may replicate and propagate again

To replicate itself, a worm uses some means to access remote systems:

Electronic mail or instant messenger facility

File sharing

Remote execution capability

Remote file access or transfer capability

Remote login capability


Inevitably, the best intrusion prevention system will fail. A system’s second line of defense is intrusion detection, and this has been the focus of much research in recent years. This interest is motivated by a number of considerations, including the following:

1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved.

2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.

3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. Of course, we cannot expect that there will be a crisp, exact distinction between an attack by an intruder and the normal use of resources by an authorized user. Rather, we must expect that there will be some overlap.

Worm Phases

A worm typically uses the same phases as a computer virus:

Dormant

Propagation

Triggering

Execution

The propagation phase generally performs the following functions:

Search for appropriate access mechanisms to other systems to infect by examining host tables, address books, buddy lists, trusted peers, and other similar repositories of remote system access details

Use the access mechanisms found to transfer a copy of itself to the remote system and cause the copy to be run


[PORR92] identifies the following approaches to intrusion detection:

1. Statistical anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.

a. Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.

b. Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts.

In essence, anomaly approaches attempt to define normal, or expected, behavior, whereas signature-based approaches attempt to define proper behavior.

In terms of the types of attackers listed earlier, statistical anomaly detection is effective against masqueraders, who are unlikely to mimic the behavior patterns of the accounts they appropriate. On the other hand, such techniques may be unable to deal with misfeasors. For such attacks, rule-based approaches may be able to recognize events and sequences that, in context, reveal penetration. In practice, a system may exhibit a combination of both approaches to be effective against a broad range of attacks.
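Threshold detection and profile-based detection side by side, as an added example that is not part of the textbook. The daily audit summaries are constructed; the failed-login threshold, the user-independent command threshold, the per-user mean/standard-deviation profile, and the 3-sigma cut-off are assumptions for the illustration. The scenario shows why a user-independent threshold on command volume misfires for a heavy legitimate user (bob) while a per-user profile flags a masquerader on a light user's account (alice).

```python
"""Statistical anomaly detection over per-user audit summaries (added example)."""
from statistics import mean, pstdev

# Constructed daily audit summaries: (user, day, failed_logins, commands_run).
TRAINING = [
    ("alice", "2024-03-01", 0, 18), ("alice", "2024-03-02", 1, 22),
    ("alice", "2024-03-03", 0, 20), ("alice", "2024-03-04", 0, 19),
    ("alice", "2024-03-05", 1, 21),
    ("bob", "2024-03-01", 0, 150), ("bob", "2024-03-02", 2, 160),
    ("bob", "2024-03-03", 0, 140), ("bob", "2024-03-04", 1, 155),
    ("bob", "2024-03-05", 0, 145),
]
OBSERVED = [
    ("alice", "2024-03-06", 0, 21),    # ordinary day
    ("alice", "2024-03-07", 0, 160),   # masquerader using alice's account
    ("bob", "2024-03-06", 8, 150),     # burst of failed logins
    ("bob", "2024-03-07", 0, 152),     # ordinary day for bob
    ("carol", "2024-03-06", 0, 30),    # account with no training history
]

FAILED_LOGIN_THRESHOLD = 5    # user-independent threshold (assumption)
COMMAND_THRESHOLD = 100       # user-independent threshold, shown to fit poorly


def threshold_alerts(records, limit=FAILED_LOGIN_THRESHOLD):
    """Threshold detection: the same limit applies to every user."""
    return [(user, day) for user, day, fails, _ in records if fails > limit]


def crude_command_alerts(records, limit=COMMAND_THRESHOLD):
    """Threshold detection applied to a quantity that varies a lot between users."""
    return [(user, day) for user, day, _, cmds in records if cmds > limit]


def build_profiles(records):
    """Profile-based detection, step 1: mean and spread of each user's own activity."""
    per_user = {}
    for user, _, _, cmds in records:
        per_user.setdefault(user, []).append(cmds)
    return {user: (mean(v), pstdev(v)) for user, v in per_user.items()}


def profile_alerts(records, profiles, k=3.0, min_sigma=1.0):
    """Step 2: flag days more than k standard deviations from the user's own mean."""
    alerts = []
    for user, day, _, cmds in records:
        if user not in profiles:
            alerts.append((user, day, "no profile"))   # cannot judge; needs a baseline
            continue
        mu, sigma = profiles[user]
        # min_sigma keeps a perfectly flat history from flagging every deviation.
        z = (cmds - mu) / max(sigma, min_sigma)
        if abs(z) > k:
            alerts.append((user, day, round(z, 1)))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    print("threshold (failed logins):", threshold_alerts(OBSERVED))
    print("crude command threshold  :", crude_command_alerts(OBSERVED))
    print("profile-based            :", profile_alerts(OBSERVED, profiles))
```

The cut-off k is where the overlap mentioned earlier is traded off: a lower k catches subtler masqueraders at the cost of more false alarms on legitimate users who simply had an unusual day.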

Target Discovery (1 of 2)

Scanning/fingerprinting

The function in the propagation phase for a network worm to search for other systems to infect

Worm network scanning strategies:

Random

Each compromised host probes random addresses in the IP address space, using a different seed

Produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack is launched

Hit list

The attacker first compiles a long list of potentially vulnerable machines

Once the list is compiled, the attacker begins infecting machines on the list


Target Discovery (2 of 2)

Each infected machine is provided with a portion of the list to scan

This results in a very short scanning period, which may make it difficult to detect that infection is taking place

Topological

Uses information contained on an infected victim machine to find more hosts to scan

Local subnet

If a host is infected behind a firewall, that host then looks for targets in its own local network

The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall
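Seen from the defender's side, the scanning strategies above leave a footprint in connection records: a scanning host contacts many distinct addresses in a short time, and a local-subnet scanner's destinations cluster inside its own subnet. The following is an added example, not from the textbook, that counts distinct destinations per source over a sliding window and then uses the share of destinations inside the source's /24 to tell local-subnet scanning from random or hit-list scanning. The flow records, WINDOW_SECONDS and FANOUT_LIMIT are constructed assumptions; the destination addresses use the RFC 5737 documentation ranges.

```python
"""Spotting worm-style target discovery in connection records (added example)."""
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumption
FANOUT_LIMIT = 20     # assumption: distinct destinations per window before alerting


def fanout_alerts(flows):
    """flows: (t_seconds, src, dst) tuples sorted by time.
    Returns {src: (time_of_first_alert, distinct_destinations_in_window)}."""
    recent = defaultdict(deque)
    alerts = {}
    for t, src, dst in flows:
        window = recent[src]
        window.append((t, dst))
        while window and window[0][0] < t - WINDOW_SECONDS:
            window.popleft()          # drop records older than the window
        distinct = {d for _, d in window}
        if len(distinct) > FANOUT_LIMIT and src not in alerts:
            alerts[src] = (t, len(distinct))
    return alerts


def classify_scanners(flows):
    """Attach the local-subnet share to each alert to name the likely strategy."""
    destinations = defaultdict(set)
    for _, src, dst in flows:
        destinations[src].add(dst)
    report = {}
    for src, (t, n) in fanout_alerts(flows).items():
        local_net = ipaddress.ip_network(f"{src}/24", strict=False)
        local = sum(1 for d in destinations[src] if ipaddress.ip_address(d) in local_net)
        share = local / len(destinations[src])
        report[src] = {
            "first_alert_t": t,
            "distinct_in_window": n,
            "local_share": round(share, 2),
            "pattern": "local-subnet scan" if share >= 0.8 else "random or hit-list scan",
        }
    return report


def constructed_flows():
    """Constructed records: one normal host, one random scanner, one subnet walker."""
    flows = []
    servers = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for t in range(0, 300, 5):                 # normal host: three servers over five minutes
        flows.append((t, "10.0.0.5", servers[(t // 5) % 3]))
    for i in range(40):                         # random scanner: 40 addresses in 10 seconds
        dst = f"198.51.100.{i + 1}" if i % 2 else f"203.0.113.{i + 1}"
        flows.append((100 + i * 0.25, "10.0.0.77", dst))
    for i in range(30):                         # local-subnet scanner walks its own /24
        flows.append((200 + i * 0.5, "10.0.0.99", f"10.0.0.{i + 1}"))
    flows.sort()
    return flows


if __name__ == "__main__":
    for src, info in classify_scanners(constructed_flows()).items():
        print(src, info)
```

A hit-list worm that hands each infected host only a short slice of the list may stay under FANOUT_LIMIT on every single host, which is exactly the short-scanning-period difficulty noted above; correlating fan-out across many sources, rather than per source, is the usual answer.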


Figure 10.3 Worm Propagation Model


The Morris Worm

Released onto the Internet by Robert Morris in 1988

Designed to spread on UNIX systems and used a number of different techniques for propagation

When a copy began execution, its first task was to discover other hosts known to this host that would allow entry from this host

For each discovered host, the worm tried a number of methods for gaining access:

It attempted to log on to a remote host as a legitimate user

It exploited a bug in the UNIX finger protocol, which reports the whereabouts of a remote user

It exploited a trapdoor in the debug option of the remote process that receives and sends mail


A fundamental tool for intrusion detection is the audit record. Some record of ongoing activity by users must be maintained as input to an intrusion detection system. Basically, two plans are used:

• Native audit records: Virtually all multiuser operating systems include accounting software that collects information on user activity. The advantage of using this information is that no additional collection software is needed. The disadvantage is that the native audit records may not contain the needed information or may not contain it in a convenient form.

• Detection-specific audit records: A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system. One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems. The disadvantage is the extra overhead involved in having, in effect, two accounting packages running on a machine.
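The relationship between the two plans, as an added example that is not part of the textbook: a small collection facility that reads native syslog lines and emits detection-specific records holding only what an IDS needs, dropping everything else. The native lines are constructed in the layout of common sshd and sudo syslog messages; the field set of the detection-specific record (timestamp, subject, action, object, result, source) is an assumption chosen for this illustration.

```python
"""Deriving detection-specific audit records from native log lines (added example)."""
import re
from dataclasses import dataclass

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
SSH_ACCEPT = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SSH_FAIL = re.compile(TS + r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(TS + r"sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


@dataclass
class AuditRecord:
    """Detection-specific record; the field set is an assumption for this example."""
    timestamp: str
    subject: str   # who acted
    action: str    # what they did
    object: str    # what it was done to
    result: str    # success or failure
    source: str    # where the request came from


def normalize(line: str):
    """Map one native line to a detection-specific record, or None if the IDS does not need it."""
    m = SSH_ACCEPT.match(line)
    if m:
        return AuditRecord(m["ts"], m["user"], "login", "sshd", "success", m["ip"])
    m = SSH_FAIL.match(line)
    if m:
        return AuditRecord(m["ts"], m["user"], "login", "sshd", "failure", m["ip"])
    m = SUDO.match(line)
    if m:
        return AuditRecord(m["ts"], m["user"], "execute-as:" + m["target"],
                           m["cmd"].strip(), "success", "local")
    return None


def normalize_all(lines):
    """The collection facility: keep only the records the detector consumes."""
    return [rec for rec in map(normalize, lines) if rec is not None]


NATIVE_LOG = [   # constructed native audit lines
    "Mar  6 10:15:01 host1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Mar  6 10:15:37 host1 sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2",
    "Mar  6 10:16:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  6 10:17:01 host1 CRON[2222]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for rec in normalize_all(NATIVE_LOG):
        print(rec)
```

Each new native log format needs only a new pattern feeding the same record type, which is what makes the detection-specific layer portable across vendors; the cost is that this parser runs alongside the operating system's own accounting, the second accounting package the text warns about.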

Worm Technology (1 of 3)

Multiplatform

Newer worms can attack a variety of platforms

Multi-exploit

New worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications, or via shared media

Ultrafast spreading

Exploit various techniques to optimize the rate of spread of a worm to maximize its likelihood of locating as many vulnerable machines as possible in a short time period


Worm Technology (2 of 3)

Polymorphic

To evade detection, skip past filters, and foil real-time analysis, each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques

Metamorphic

In addition to changing their appearance, metamorphic worms have a repertoire of behavior patterns that are unleashed at different stages of propagation

Transport vehicles

Because worms can rapidly compromise a large number of systems, they are ideal for spreading a wide variety of malicious payloads


Worm Technology (3 of 3)

Zero-day exploit

To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched


Mobile Code (1 of 2)

Refers to programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics

Transmitted from a remote system to a local system and then executed on the local system without the user’s explicit instruction

Often acts as a mechanism for a virus, worm, or Trojan horse to be transmitted to the user’s workstation

Popular vehicles for mobile code include:

Java applets

ActiveX


Mobile Code (2 of 2)

JavaScript

VBScript

The most common ways of using mobile code for malicious operations on a local system are:

Cross-site scripting

Interactive and dynamic Web sites

E-mail attachments

Downloads from untrusted sites or of untrusted software


Client-Side Vulnerabilities and Drive-by-Downloads (1 of 2)

Drive-by-download

Exploits browser vulnerabilities so that when the user views a Web page controlled by the attacker, it contains code that exploits the browser bug to download and install malware on the system without the user’s knowledge or consent

Does not actively propagate as a worm does, but rather waits for unsuspecting users to visit the malicious Web page in order to spread to their systems

Watering-hole attacks are a variant of this used in highly targeted attacks


Client-Side Vulnerabilities and Drive-by-Downloads (2 of 2)

The attacker researches their intended victims to identify Web sites they are likely to visit and then scans these sites to identify those with vulnerabilities that allow their compromise with a drive-by-download attack

Malvertising is another technique used to place malware on Web sites without actually compromising them

The attacker pays for advertisements that are highly likely to be placed on their intended target Web sites, and which incorporate malware in them


Clickjacking (1 of 2)

Also known as a user-interface (UI) redress attack

Is a vulnerability used by an attacker to collect an infected user’s clicks

The attacker can force the user to do a variety of things from adjusting the user’s computer settings to unwittingly sending the user to Web sites that might have malicious code

Also, by taking advantage of Adobe Flash or JavaScript, an attacker could even place a button under or over a legitimate button, making it difficult for users to detect


Clickjacking (2 of 2)

A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page

Using a similar technique, keystrokes can also be hijacked

With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their e-mail or bank account but are instead typing into an invisible frame controlled by the attacker
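Both the click-hijacking and the keystroke-hijacking variants on these two slides depend on the browser being willing to load the victim page inside an attacker-controlled frame, so the standard server-side defense is to declare a framing policy in response headers rather than rely on frame-busting scripts, which can be defeated from the framing page. The following added example (not from the textbook or slides) classifies a response by its X-Frame-Options and Content-Security-Policy frame-ancestors headers; the URLs and header sets in SAMPLE_RESPONSES are constructed.

```python
"""Evaluate whether an HTTP response forbids framing (clickjacking defense).

Added example (not from the textbook or slides). The header values and
the policy names returned are constructed for illustration.
"""


def _frame_ancestors(csp_value):
    """Return the source list of CSP frame-ancestors, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers):
    """Classify the framing policy a response imposes on the browser.

    headers: {header name: value}; lookup is case-insensitive.
    Returns "blocked", "same-origin", "allow-list" or "unprotected".
    When both headers are present, CSP frame-ancestors wins, which is how
    browsers implementing CSP Level 2 resolve the conflict.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:
            if ancestors in ([], ["'none'"]):  # an empty source list also means "no one"
                return "blocked"
            if ancestors == ["'self'"]:
                return "same-origin"
            return "allow-list"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it offers
    # no protection; anything else (or no header) leaves the page framable.
    return "unprotected"


def framable_pages(responses):
    """Given {url: headers}, return the URLs an arbitrary third-party page could frame.

    "allow-list" pages are excluded because only the listed origins may
    frame them; review that list separately to confirm it is intentional.
    """
    return sorted(url for url, h in responses.items()
                  if framing_policy(h) == "unprotected")


# Constructed responses from a hypothetical site audit.
SAMPLE_RESPONSES = {
    "https://app.example/login": {},
    "https://app.example/settings": {"X-Frame-Options": "DENY"},
    "https://app.example/widget": {"x-frame-options": "sameorigin"},
    "https://app.example/transfer": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "https://app.example/help": {"Content-Security-Policy": "default-src 'self'"},
    "https://app.example/embed": {
        "Content-Security-Policy": "frame-ancestors 'self' https://portal.example"
    },
}

if __name__ == "__main__":
    for url, hdrs in SAMPLE_RESPONSES.items():
        print(url, "->", framing_policy(hdrs))
    print("framable:", framable_pages(SAMPLE_RESPONSES))
```

The help page shows the common mistake: a Content-Security-Policy header is present, but without a frame-ancestors directive it says nothing about framing, so the page stays framable. Pages that handle credentials or money (login, transfer) should come back as "blocked" or "same-origin".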


Spam

Unsolicited bulk e-mail

Imposes significant costs on both the network infrastructure needed to relay this traffic and on users who need to filter their legitimate e-mails

Most recent spam is sent by botnets using compromised user systems

Is a significant carrier of malware

May be used in a phishing attack

Although a significant security concern, in many cases it requires the user’s active choice to view the e-mail and any attached document or to permit the installation of some program, in order for the compromise to occur


Trojan Horses

Is a useful, or apparently useful, program or utility containing hidden code that, when invoked, performs some unwanted or harmful function

Can be used to accomplish functions indirectly that the attacker could not accomplish directly

Fit into one of three models:

Continuing to perform the function of the original program and additionally performing a separate malicious activity

Continuing to perform the function of the original program but modifying the function to perform malicious activity or to disguise other malicious activity

Performing a malicious function that completely replaces the function of the original program


Payload - System Corruption (1 of 2)

Once malware is active on the target system, the next concern is what actions it will take on this system

Examples:

Data destruction on the infected system when certain trigger conditions are met

Display unwanted messages or content on the user’s system when triggered

Encrypt the user’s data and demand payment in order to access the key needed to recover this information (ransomware)

Inflict real-world damage on the system


Payload - System Corruption (2 of 2)

Attempt to rewrite the BIOS code used to initially boot the computer

Target specific industrial control system software

Logic bomb

Code embedded in the malware that is set to “explode” when certain conditions are met


Payload - Attack Agent

Malware subverts the computational and network resources of the infected system for use by the attacker

Bot (robot), zombie, drone

Secretly takes over another Internet-attached computer and then uses that computer to launch or manage attacks that are difficult to trace to the bot’s creator

A botnet is a collection of bots often capable of acting in a coordinated manner


Uses of Bots

Distributed denial-of-service (DDoS) attacks

Spamming

Sniffing traffic

Keylogging

Spreading new malware

Installing advertisement add-ons and browser helper objects (BHOs)

Attacking Internet Relay Chat (IRC) networks

Manipulating online polls/games


Remote Control Facility

Distinguishes a bot from a worm

A worm propagates itself and activates itself, whereas a bot is controlled from some central facility

Typically implemented on an IRC server

More recent botnets use covert communication channels via protocols such as HTTP

Distributed control mechanisms, using peer-to-peer protocols, are also used, to avoid a single point of failure

Once a communications path is established between a control module and the bots, the control module can activate the bots

Can also issue update commands that instruct the bots to download a file from some Internet location and execute it
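A bot that polls its control facility over HTTP, as described on this slide, leaves a timing signature in proxy logs: connections to the same destination at a near-fixed interval, which a person browsing never produces. The following added example (not from the textbook or slides) looks for that regularity; the log lines, client addresses, destination hosts and thresholds are constructed, and the destination name uses the reserved .invalid domain.

```python
"""Detect periodic ("beaconing") connections in constructed proxy logs.

Added example (not from the textbook or slides). A bot polling its control
facility over HTTP tends to connect at a fixed interval with small jitter;
human browsing does not. The log lines, hosts and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client IP> <destination host>".
SAMPLE_LOG = """\
# 10.0.0.5: a person reading the news, irregular timing
2024-05-01T09:00:00 10.0.0.5 news.example
2024-05-01T09:00:03 10.0.0.5 news.example
2024-05-01T09:00:05 10.0.0.5 news.example
2024-05-01T09:02:40 10.0.0.5 news.example
2024-05-01T09:02:41 10.0.0.5 news.example
2024-05-01T09:11:10 10.0.0.5 news.example
2024-05-01T09:11:12 10.0.0.5 news.example
2024-05-01T09:30:00 10.0.0.5 news.example
# 10.0.0.7: something checking in about once a minute, give or take a second
2024-05-01T09:00:00 10.0.0.7 c2-host.invalid
2024-05-01T09:01:01 10.0.0.7 c2-host.invalid
2024-05-01T09:01:59 10.0.0.7 c2-host.invalid
2024-05-01T09:03:00 10.0.0.7 c2-host.invalid
2024-05-01T09:04:01 10.0.0.7 c2-host.invalid
2024-05-01T09:04:59 10.0.0.7 c2-host.invalid
2024-05-01T09:06:00 10.0.0.7 c2-host.invalid
2024-05-01T09:07:00 10.0.0.7 c2-host.invalid
# 10.0.0.9: regular, but too few connections to judge
2024-05-01T09:05:00 10.0.0.9 mail.example
2024-05-01T09:06:00 10.0.0.9 mail.example
2024-05-01T09:07:00 10.0.0.9 mail.example
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, destination) tuples; '#' lines are comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, dest = line.split()
        records.append((datetime.fromisoformat(ts), client, dest))
    return records


def interval_stats(records):
    """Per (client, destination): (connection count, mean gap in seconds, coefficient of variation)."""
    times = defaultdict(list)
    for ts, client, dest in records:
        times[(client, dest)].append(ts)
    stats = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) < 2:
            continue  # cannot measure regularity from a single gap
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu > 0 else float("inf")
        stats[key] = (len(ts_list), mu, cv)
    return stats


def find_beacons(records, min_connections=6, max_cv=0.2):
    """Return {(client, destination): mean interval} for pairs whose timing is suspiciously regular.

    min_connections guards against judging from too little data; max_cv is
    the relative jitter tolerated (0.2 = standard deviation within 20% of the mean).
    """
    return {key: round(mu, 1)
            for key, (n, mu, cv) in interval_stats(records).items()
            if n >= min_connections and cv <= max_cv}


if __name__ == "__main__":
    for key, interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {key[0]} -> {key[1]} every ~{interval}s")
```

Legitimate software also beacons (update checkers, monitoring agents, mail clients), so in practice the output is matched against an allow-list of known destinations and then reviewed for what remains; the regularity is a lead for an analyst, not proof of a bot.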


Payload - Information Theft (1 of 2)

Keylogger

Captures keystrokes on the infected machine to allow an attacker to monitor user login and password credentials

Spyware

Developed in response to efforts to try and stop keylogging

Subverts the compromised machine to allow monitoring of a wide range of activity on the system, which can result in significantly compromising the user’s personal information


Payload - Information Theft (2 of 2)

Phishing

Exploits social engineering to leverage the user’s trust by masquerading as communication from a trusted source

Spear-phishing

An e-mail claiming to be from a trusted source, however, the recipients are carefully researched by the attacker, and each e-mail is carefully crafted to suit its recipient specifically
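Because phishing and spear-phishing both depend on the message appearing to come from a trusted source, a mail gateway or analyst can compare what the headers claim with what they actually contain. The following added example (not from the textbook or slides) applies three such heuristics to the From and Reply-To headers: an address shown in the display name that does not match the real sending domain, a Reply-To that steers replies elsewhere, and a sending domain within one or two edits of a trusted one. The TRUSTED_DOMAINS list and the two sample messages are constructed.

```python
"""Heuristics for spoofed or lookalike senders in e-mail headers.

Added example (not from the textbook or slides). Spear-phishing relies on
the message looking like it comes from a trusted party; these checks
compare what the headers claim with what they actually say. The trusted
domain list and the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"bank.example", "corp.example"}  # constructed allow-list


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(raw_message, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return a list of finding tags for the From/Reply-To headers of a message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    findings = []

    # 1. The display name contains an address whose domain differs from the
    #    real address (what the user sees versus what the header says).
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if shown and shown.group(1).lower() != from_domain:
        findings.append("display-name-address-mismatch")

    # 2. Replies are steered to a domain other than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to-domain-mismatch")

    # 3. The sending domain is a near-miss of a trusted domain.
    for t in sorted(trusted):
        if from_domain != t and _edit_distance(from_domain, t) <= max_edits:
            findings.append(f"lookalike-of:{t}")

    return findings


# Constructed messages (only the headers matter for these checks).
PHISH = """\
From: "alerts@bank.example" <alerts@bamk.example>
Reply-To: <helpdesk@mailbox.example>
Subject: Verify your account

Please confirm your details.
"""

LEGIT = """\
From: Payroll <payroll@corp.example>
Subject: March payslip

Attached.
"""

if __name__ == "__main__":
    print("phish:", sender_findings(PHISH))
    print("legit:", sender_findings(LEGIT))
```

These are content heuristics and produce leads, not verdicts; the authoritative sender checks are SPF, DKIM and DMARC evaluated by the receiving mail server, and a lookalike domain that the attacker legitimately registered will pass all three, which is exactly why the edit-distance check is still worth running.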


Payload - Stealthing (1 of 2)

Backdoor

Also known as a trapdoor

Is a secret entry point into a program that allows someone who is aware of the backdoor to gain access without going through the usual security access procedures

Code that recognizes some special sequence of input or is triggered by being run from a certain user ID or by an unlikely sequence of events

Usually implemented as a network service listening on some nonstandard port that the attacker can connect to and issue commands through to be run on the compromised system


Payload - Stealthing (2 of 2)

Rootkit

A set of programs installed on a system to maintain covert access to that system with administrator (or root) privileges, while hiding evidence of its presence to the greatest extent possible

Alters the host’s standard functionality in a malicious and stealthy way

An attacker has complete control of the system and can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demand

Hides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computer


Rootkits (1 of 2)

Can be classified using the following characteristics:

Persistent

Activates each time the system boots

Memory based

Has no persistent code and therefore cannot survive a reboot

User mode

Intercepts calls to application program interfaces (APIs) and modifies returned results


Rootkits (2 of 2)

Kernel mode

Can intercept calls to native APIs in kernel mode

Virtual machine based

Installs a lightweight virtual machine monitor and then runs the operating system in a virtual machine above it

External mode

Malware is located outside the normal operation mode of the targeted system, in BIOS or system management mode, where it can directly access hardware


Countermeasures (1 of 2)

Elements of prevention:

Policy

Awareness

Vulnerability mitigation

Threat mitigation

One of the first countermeasures that should be employed is to ensure all systems are as current as possible, with all patches applied, in order to reduce the number of vulnerabilities that might be exploited on the system


Countermeasures (2 of 2)

The next is to set appropriate access controls on the applications and data stored on the system, to reduce the number of files that any user can access, and hence potentially infect or corrupt, as a result of them executing some malware code

The third common propagation mechanism, which targets users in a social engineering attack, can be countered using appropriate user awareness and training

Malware Countermeasure Approaches

If prevention fails, then technical mechanisms can be used to support the following threat mitigation options:

Detection

Identification

Removal

Requirements for effective malware countermeasures:

Generality

Timeliness

Resiliency

Minimal denial-of-service costs

Transparency

Global and local coverage

Host-Based Scanners (1 of 2)

Four generations of antivirus software:

First generation

Simple scanners

Scanner requires a malware signature to identify the malware

Second generation

Heuristic scanners

Uses heuristic rules to search for probable malware instances

Host-Based Scanners (2 of 2)

Integrity checking

Third generation

Activity traps

Memory-resident programs that identify malware by its actions rather than its structure in an infected program

Fourth generation

Full-feature protection

Packages consisting of a variety of antivirus techniques used in conjunction
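A first-generation signature scanner next to a second-generation integrity checker, as an added example (not code from the slides or any antivirus product), run over a constructed set of in-memory "executables". It shows the point made above: the scanner only finds malware it already holds a signature for, whereas the integrity checker flags any program whose content changed since the baseline. The signature bytes, file contents and keyed-hash key are constructed values.

```python
"""Added example (not from the slides): a signature scanner (first generation)
beside an integrity checker (second generation) over constructed files.
The integrity baseline uses a keyed hash so that malware which modifies a
program cannot simply recompute a plain checksum to cover its tracks; the
key is assumed to be kept off the host. All data here is constructed."""
import hashlib
import hmac

# Constructed signature database: malware name -> byte pattern to look for.
SIGNATURES = {"demo-virus": b"\xde\xad\xbe\xef\x00CONSTRUCTED-SIGNATURE"}

# Constructed "disk": path -> file content at the time the baseline is taken.
BASELINE_FILES = {
    "/bin/ls": b"ELF...ls-code...",
    "/bin/cp": b"ELF...cp-code...",
    "/usr/bin/editor": b"ELF...editor-code...",
}
INTEGRITY_KEY = b"constructed-key-stored-off-the-host"


def signature_scan(files, signatures=SIGNATURES):
    """First generation: (path, malware name) for every file that contains
    a known signature. Anything without a signature is invisible to it."""
    hits = []
    for path, content in sorted(files.items()):
        for name, pattern in signatures.items():
            if pattern in content:
                hits.append((path, name))
    return hits


def build_baseline(files, key=INTEGRITY_KEY):
    """Second generation: keyed hash (HMAC-SHA256) of every program."""
    return {path: hmac.new(key, content, hashlib.sha256).hexdigest()
            for path, content in files.items()}


def integrity_check(baseline, files, key=INTEGRITY_KEY):
    """Compare the current files with the baseline; return sorted lists of
    (modified, added, removed) paths."""
    current = build_baseline(files, key)
    modified = sorted(p for p in baseline if p in current
                      and not hmac.compare_digest(baseline[p], current[p]))
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def later_state():
    """Constructed scenario: /bin/ls carries the known sample, /bin/cp has
    been altered by something no signature exists for, and a new file was
    dropped. Only the integrity check sees the second and third change."""
    files = dict(BASELINE_FILES)
    files["/bin/ls"] = BASELINE_FILES["/bin/ls"] + SIGNATURES["demo-virus"]
    files["/bin/cp"] = BASELINE_FILES["/bin/cp"] + b"unknown-appended-bytes"
    files["/tmp/dropper"] = b"ELF...unknown..."
    return files


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FILES)
    now = later_state()
    print("signature scan:", signature_scan(now))
    print("integrity check (modified, added, removed):",
          integrity_check(baseline, now))
```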

Host-Based Behavior-Blocking Software

Integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions

The software then blocks potentially malicious actions before they have a chance to affect the system

Can block suspicious software in real time so it has an advantage over antivirus detection techniques such as fingerprinting or heuristics

Limitations:

Because the malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked

Perimeter Scanning Approaches (1 of 2)

Antivirus software is used on an organization’s firewall and IDS

Typically included in e-mail and Web proxy services running on these systems

May also be included in the traffic analysis component of an IDS

Two types of monitoring software may be used:

Ingress monitors

Located at the border between the enterprise network and the Internet

Perimeter Scanning Approaches (2 of 2)

They can be part of the ingress-filtering software of a border router or external firewall or a separate passive monitor

Egress monitors

These can be located at the egress point of individual LANs on the enterprise network as well as at the border between the enterprise network and the Internet

Designed to catch the source of a malware attack by monitoring outgoing traffic for signs of scanning or other suspicious behavior

Perimeter Worm Countermeasures (1 of 2)

(Class A) Signature-based worm scan filtering

This type of approach generates a worm signature, which is then used to prevent worm scans from entering/leaving a network/host

(Class B) Filter-based worm containment

This approach is similar to class A but focuses on worm content rather than a scan signature

(Class C) Payload-classification-based worm containment

These network-based techniques examine packets to see if they contain a worm

Perimeter Worm Countermeasures (2 of 2)

(Class D) Threshold random walk (TRW) scan detection

Exploits randomness in picking destinations to connect to as a way of detecting if a scanner is in operation

(Class E) Rate limiting

This class limits the rate of scanlike traffic from an infected host

(Class F) Rate halting

This approach immediately blocks outgoing traffic when a threshold is exceeded either in outgoing connection rate or in diversity of connection attempts
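Two of the countermeasure classes listed above, threshold random walk scan detection (class D) and rate halting (class F), as an added example (not code from the slides or any product) run as an egress monitor over constructed outgoing-connection events. The success probabilities, error rates, window, limits and addresses are all constructed values.

```python
"""Added example (not from the slides): TRW scan detection (class D) and
rate halting (class F) over constructed egress events.

TRW: each new destination a host contacts moves a per-host random walk; a
failed connection pushes it toward "scanner", a success toward "benign", and
a sequential hypothesis test stops when either threshold is crossed.
Rate halting: a host is blocked outright once its connection rate or its
number of distinct destinations in a window exceeds a limit."""
import math
from collections import defaultdict, deque


class TRWDetector:
    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.01):
        # theta0 / theta1: P(connection succeeds) for a benign host / a scanner.
        # alpha / beta: tolerated false-positive / false-negative probability.
        self.succ_step = math.log(theta1 / theta0)               # negative
        self.fail_step = math.log((1 - theta1) / (1 - theta0))   # positive
        self.upper = math.log((1 - beta) / alpha)   # walk >= upper: scanner
        self.lower = math.log(beta / (1 - alpha))   # walk <= lower: benign
        self.walk = defaultdict(float)   # per-source log likelihood ratio
        self.seen = defaultdict(set)     # destinations already counted
        self.verdict = {}                # final decision per source

    def observe(self, src, dst, success):
        """Feed one attempt; return 'scanner', 'benign' or 'pending'.
        Only the first attempt to each distinct destination moves the walk."""
        if src in self.verdict:
            return self.verdict[src]
        if dst in self.seen[src]:
            return "pending"
        self.seen[src].add(dst)
        self.walk[src] += self.succ_step if success else self.fail_step
        if self.walk[src] >= self.upper:
            self.verdict[src] = "scanner"
        elif self.walk[src] <= self.lower:
            self.verdict[src] = "benign"
        return self.verdict.get(src, "pending")


class RateHalting:
    def __init__(self, window=1.0, max_rate=20, max_diversity=10):
        # window in seconds; limits are attempts and distinct destinations per window.
        self.window, self.max_rate, self.max_diversity = window, max_rate, max_diversity
        self.recent = defaultdict(deque)   # per source: (ts, dst) inside the window
        self.halted = set()

    def observe(self, src, dst, ts):
        """Return True if src is halted (outgoing traffic blocked) after this attempt."""
        if src in self.halted:
            return True
        q = self.recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > self.window:
            q.popleft()
        if len(q) > self.max_rate or len({d for _, d in q}) > self.max_diversity:
            self.halted.add(src)
            return True
        return False


# Constructed egress events: (timestamp, source, destination, succeeded).
EVENTS = (
    # A workstation: one failure, then successes spread over seconds, one repeat.
    [(0.0, "10.0.0.5", "10.0.2.25", False),
     (1.0, "10.0.0.5", "10.0.2.80", True),
     (2.0, "10.0.0.5", "10.0.2.53", True),
     (3.0, "10.0.0.5", "10.0.2.80", True),
     (4.0, "10.0.0.5", "10.0.2.44", True),
     (5.0, "10.0.0.5", "10.0.2.14", True),
     (6.0, "10.0.0.5", "10.0.2.22", True)]
    # A worm-infected host: failed attempts to 12 distinct addresses in 0.5 s.
    + [(7.0 + 0.04 * i, "10.0.0.7", "10.0.3.%d" % (i + 1), False) for i in range(12)]
)


def replay(events, trw=None, halting=None):
    """Run both monitors over the events; return ({src: TRW verdict}, halted set)."""
    trw, halting = trw or TRWDetector(), halting or RateHalting()
    verdicts = {}
    for ts, src, dst, success in sorted(events):
        verdicts[src] = trw.observe(src, dst, success)
        halting.observe(src, dst, ts)
    return verdicts, set(halting.halted)


if __name__ == "__main__":
    print(replay(EVENTS))
```

With these constructed parameters TRW decides "scanner" after four failed first contacts and "benign" after a net four successes, while rate halting blocks the infected host on its eleventh distinct destination inside the one-second window.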

Figure 10.4 Placement of Worm Monitors

Distributed Denial of Service Attacks (DDoS)

Attacks that make computer systems inaccessible by flooding servers, networks, or even end-user systems with useless traffic so that legitimate users can no longer gain access to those resources

One way to classify DDoS attacks is in terms of the type of resource that is consumed

The resource consumed is either an internal host resource on the target system or data transmission capacity in the local network to which the target is attached

Rule-based techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious. In very general terms, we can characterize all approaches as focusing on either anomaly detection or penetration identification, although there is some overlap in these approaches.

Rule-based anomaly detection is similar in terms of its approach and strengths to statistical anomaly detection. With the rule-based approach, historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns. Rules may represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on. Current behavior is then observed, and each transaction is matched against the set of rules to determine if it conforms to any historically observed pattern of behavior.

As with statistical anomaly detection, rule-based anomaly detection does not require knowledge of security vulnerabilities within the system. Rather, the scheme is based on observing past behavior and, in effect, assuming that the future will be like the past. In order for this approach to be effective, a rather large database of rules will be needed.
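Rule-based anomaly detection as just described, as an added example (not code from the slides or the book): rules are generated automatically from constructed historical audit records, then each current transaction is matched against the rule set. The record fields (user, program, hour, terminal), the time-slot scheme and the support threshold are constructed simplifications.

```python
"""Added example (not from the slides): rule-based anomaly detection.
Each rule is one pattern of (user, program, time slot, terminal) seen often
enough in the audit history to count as past behaviour. A current transaction
conforms if some rule matches all of its attributes; otherwise the report
names the attributes that differ from the user's closest rule. Fields, the
slot scheme and the support threshold are constructed for illustration."""
from collections import Counter

# Constructed historical audit records: (user, program, hour of day, terminal).
HISTORY = (
    [("alice", "editor", 9, "tty1")] * 20
    + [("alice", "compiler", 10, "tty1")] * 15
    + [("alice", "mail", 14, "tty1")] * 12
    + [("bob", "backup", 23, "console")] * 8
    + [("bob", "backup", 23, "tty2")] * 1      # one-off: below min_support
)
ATTRIBUTES = ("user", "program", "slot", "terminal")


def time_slot(hour):
    """Coarse time-of-day slot used in the rules instead of the raw hour."""
    if 8 <= hour < 12:
        return "morning"
    if 12 <= hour < 18:
        return "afternoon"
    return "off-hours"


def generate_rules(history, min_support=2):
    """Derive the rule set from history. A pattern seen fewer than
    min_support times is dropped so that one odd record does not become
    'normal' behaviour for that user."""
    counts = Counter((u, p, time_slot(h), t) for u, p, h, t in history)
    return {pattern for pattern, n in counts.items() if n >= min_support}


def check_transaction(rules, record):
    """Return (conforms, explanation) for one (user, program, hour, terminal)."""
    user, program, hour, terminal = record
    key = (user, program, time_slot(hour), terminal)
    if key in rules:
        return True, "matches rule %s" % (key,)
    user_rules = [r for r in rules if r[0] == user]
    if not user_rules:
        return False, "no rules at all for user %r" % user
    # Closest rule = the one agreeing with the most attributes.
    best = max(user_rules, key=lambda r: sum(a == b for a, b in zip(r, key)))
    diffs = [n for n, a, b in zip(ATTRIBUTES, best, key) if a != b]
    return False, "deviates from %s in %s" % (best, ", ".join(diffs))


def audit(rules, records):
    """Run every current record through the rules; return the anomalies."""
    anomalies = []
    for record in records:
        conforms, why = check_transaction(rules, record)
        if not conforms:
            anomalies.append((record, why))
    return anomalies


if __name__ == "__main__":
    rules = generate_rules(HISTORY)
    today = [
        ("alice", "editor", 9, "tty1"),      # normal
        ("alice", "compiler", 2, "tty1"),    # right program, wrong time of day
        ("bob", "backup", 23, "tty2"),       # the one-off terminal again
        ("carol", "editor", 9, "tty1"),      # user with no history at all
    ]
    for record, why in audit(rules, today):
        print(record, "->", why)
```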

Figure 10.5 Examples of Simple DDoS Attacks

Figure 10.6 Types of Flooding-Based DDoS Attacks

Constructing the Attack Network (1 of 2)

The first step in a DDoS attack is for the attacker to infect a number of machines with zombie software that will ultimately be used to carry out the attack

Essential ingredients:

Software that can carry out the DDoS attack

A vulnerability in a large number of systems

A strategy for locating vulnerable machines (scanning)

Scanning strategies:

Random

Each compromised host probes random addresses in the IP address space, using a different seed

Constructing the Attack Network (2 of 2)

Hit list

The attacker first compiles a long list of potentially vulnerable machines

Topological

This method uses information contained on an infected victim machine to find more hosts to scan

Local subnet

If a host is infected behind a firewall, that host then looks for targets in its own local network

DDoS Countermeasures

In general, there are three lines of defense against DDoS attacks:

Attack prevention and preemption (before the attack)

These mechanisms enable the victim to endure attack attempts without denying service to legitimate clients

Attack detection and filtering (during the attack)

These mechanisms attempt to detect the attack as it begins and respond immediately

Attack source traceback and identification (during and after the attack)

This is an attempt to identify the source of the attack as a first step in preventing future attacks

To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level. If only a modest percentage of actual intrusions are detected, the system provides a false sense of security. On the other hand, if the system frequently triggers an alert when there is no intrusion (a false alarm), then either system managers will begin to ignore the alarms or much time will be wasted analyzing the false alarms.

Unfortunately, because of the nature of the probabilities involved, it is very difficult to meet the standard of a high rate of detections with a low rate of false alarms. In general, if the actual number of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating. This is an example of a phenomenon known as the base-rate fallacy. A study of existing intrusion detection systems, reported in [AXEL00], indicated that current systems have not overcome the problem of the base-rate fallacy. See Appendix J for a brief background on the mathematics of this problem.
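The base-rate argument above, carried through as an added worked calculation (not part of the slides; the rates used are constructed illustrative values, not measurements from [AXEL00]). Let $I$ be the event "an intrusion is occurring" and $A$ the event "the system raises an alarm". By Bayes' theorem, the probability that an alarm corresponds to a real intrusion is

$$P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)}$$

Take a detection rate $P(A \mid I) = 0.99$, a false alarm rate $P(A \mid \neg I) = 0.01$, and a base rate of one intrusion per thousand audited events, $P(I) = 0.001$, so $P(\neg I) = 0.999$:

$$P(I \mid A) = \frac{0.99 \times 0.001}{0.99 \times 0.001 + 0.01 \times 0.999} = \frac{0.00099}{0.00099 + 0.00999} \approx 0.090$$

Even with a 99% detection rate and a 1% false alarm rate, about nine alarms in ten are false, because the legitimate events outnumber the intrusions a thousand to one. For at least half of the alarms to be genuine, $P(I \mid A) \ge 0.5$, the false alarm rate must satisfy

$$P(A \mid \neg I) \le \frac{P(A \mid I)\,P(I)}{P(\neg I)} = \frac{0.99 \times 0.001}{0.999} \approx 0.001$$

that is, a false alarm rate no larger than the base rate itself, which is what "extremely discriminating" means in the paragraph above.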

Summary

Types of malicious software (malware)

Advanced persistent threats

Propagation:

Infected content - viruses

Vulnerability exploit - worms

Social engineering - spam e-mail, trojans

Payload:

Attack agent - zombie, bots

Information theft - keyloggers, phishing, spyware

Stealthing - backdoors, rootkits

Countermeasures

DDoS attacks

Copyright

Copyright © 2017 Pearson Education, Inc. All Rights Reserved