W10NS
Network Security Essentials: Applications and Standards
Sixth Edition
Chapter 10
Malicious Software
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
There are application-specific security mechanisms for a number of application
areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access
(Secure Sockets Layer), and others. However, users have security concerns that
cut across protocol layers. For example, an enterprise can run a secure, private IP
network by disallowing links to untrusted sites, encrypting packets that leave the
premises, and authenticating packets that enter the premises. By implementing security
at the IP level, an organization can ensure secure networking not only for
applications that have security mechanisms but also for the many security-ignorant
applications.
IP-level security encompasses three functional areas: authentication, confidentiality,
and key management. The authentication mechanism assures that a received
packet was, in fact, transmitted by the party identified as the source in the packet
header. In addition, this mechanism assures that the packet has not been altered in
transit. The confidentiality facility enables communicating nodes to encrypt messages
to prevent eavesdropping by third parties. The key management facility is concerned
with the secure exchange of keys.
We begin this chapter with an overview of IP security (IPsec) and an introduction
to the IPsec architecture. We then look at each of the three functional areas in
detail. Appendix D reviews Internet protocols.
Table 10.1 Terminology for Malicious Software (1 of 3)
| Name | Description |
| --- | --- |
| Virus | Malware that, when executed, tries to replicate itself into other executable code; when it succeeds, the code is said to be infected. When the infected code is executed, the virus also executes. |
| Worm | A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network. |
| Logic bomb | A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act. |
| Trojan horse | A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program. |
| Backdoor (trapdoor) | Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality. |
| Mobile code | Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics. |
| Exploits | Code specific to a single vulnerability or set of vulnerabilities. |
(This table can be found on page 323 in the textbook.)
The terminology in this area presents problems because of a lack of universal agreement
on all of the terms and because some of the categories overlap. Table 10.1 is a
useful guide to some of the terms in use.
Table 10.1 Terminology for Malicious Software (2 of 3)
| Name | Description |
| --- | --- |
| Downloaders | Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail. |
| Auto-rooter | Malicious hacker tools used to break into new machines remotely. |
| Kit (virus generator) | Set of tools for generating new viruses automatically. |
| Spammer programs | Used to send large volumes of unwanted e-mail. |
| Flooders | Used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack. |
| Keyloggers | Capture keystrokes on a compromised system. |
| Rootkit | Set of hacker tools used after an attacker has broken into a computer system and gained root-level access. |
| Zombie, bot | Program activated on an infected machine to launch attacks on other machines. |
Table 10.1 Terminology for Malicious Software (3 of 3)
| Name | Description |
| --- | --- |
| Spyware | Software that collects information from a computer and transmits it to another system. |
| Adware | Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site. |
A Broad Classification of Malware (1 to 4)
Can be classified into two broad categories:
Based first on how it spreads or propagates to reach the desired targets
Then on the actions or payloads it performs once a target is reached
Propagation mechanisms:
Include infection of existing executable or interpreted content by viruses, which is subsequently spread to other systems
One of the two most publicized threats to security is the intruder (the other is
viruses), often referred to as a hacker or cracker. In an important early study of
intrusion, Anderson [ANDE80] identified three classes of intruders:
• Masquerader: An individual who is not authorized to use the computer and
who penetrates a system’s access controls to exploit a legitimate user’s account
• Misfeasor: A legitimate user who accesses data, programs, or resources for
which such access is not authorized, or who is authorized for such access but
misuses his or her privileges
• Clandestine user: An individual who seizes supervisory control of the system
and uses this control to evade auditing and access controls or to suppress audit
collection
The masquerader is likely to be an outsider, the misfeasor generally is an insider,
and the clandestine user can be either an outsider or an insider.
A Broad Classification of Malware (2 to 4)
Exploitation of software vulnerabilities, either locally or over a network, by worms or drive-by downloads to allow the malware to replicate
Social engineering attacks that convince users to bypass security mechanisms to install trojans or to respond to phishing attacks
Earlier approaches to malware classification distinguished between:
Those that need a host program, being parasitic code such as viruses
A Broad Classification of Malware (3 to 4)
Those that are independent, self-contained programs that run on the system, such as worms, trojans, and bots
Another distinction used was:
Malware that does not replicate, such as trojans and spam e-mail
Malware that does, including viruses and worms
Payload actions performed by malware once it reaches a target system can include:
Corruption of system or data files
A Broad Classification of Malware (4 to 4)
Theft of service in order to make the system a zombie agent of attack as part of a botnet
Theft of information from the system, especially of logins, passwords, or other personal details by keylogging or spyware programs
Stealthing where the malware hides its presence on the system from attempts to detect and block it
Blended attack
Uses multiple methods of infection or propagation to maximize the speed of contagion and the severity of the attack
Attack Kits
Initially the development and deployment of malware required considerable technical skill by software authors
This changed with the development of virus-creation toolkits in the early 1990s and more general attack kits in the 2000s
These toolkits are often known as crimeware
Include a variety of propagation mechanisms and payload modules that even novices can combine, select, and deploy
Can easily be customized with the latest discovered vulnerabilities in order to exploit the window of opportunity between the publication of a weakness and the deployment of patches to close it
These kits greatly enlarged the population of attackers able to deploy malware
Intruder attacks range from the benign to the serious. At the benign end of the
scale, there are many people who simply wish to explore internets and see what is
out there. At the serious end are individuals who are attempting to read privileged
data, perform unauthorized modifications to data, or disrupt the system.
[GRAN04] lists the following examples of intrusion:
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information,
without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated
software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail
password, and learning the new password
• Using an unattended, logged-in workstation without permission
Attack Sources
Another significant malware development over the last couple of decades is the change from attackers being individuals to more organized and dangerous attack sources
These include politically motivated attackers, criminals, organized crime, organizations that sell their services to companies and nations, and national government agencies
This has significantly changed the resources available and the motivation behind the rise of malware, leading to the development of a large underground economy involving the sale of attack kits, access to compromised hosts, and stolen information
Advanced Persistent Threat (APT) (1 of 2)
Have risen to prominence in recent years
A well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets, usually business or political
APTs differ from other types of attack by their careful target selection, and persistent, often stealthy, intrusion efforts over extended periods
Aurora, RSA, APT1, and Stuxnet are often cited as examples
Named as a result of these characteristics:
Traditionally, those who hack into computers do so for the thrill
of it or for status. The hacking community is a strong meritocracy in which status
is determined by level of competence. Thus, attackers often look for targets
of opportunity and then share the information with others. A typical example is a
break-in at a large financial institution reported in [RADC04]. The intruder took
advantage of the fact that the corporate network was running unprotected services,
some of which were not even needed. In this case, the key to the break-in was the
pcAnywhere application. The manufacturer, Symantec, advertises this program as
a remote control solution that enables secure connection to remote devices. But the
attacker had an easy time gaining access to pcAnywhere; the administrator used the
same three-letter username and password for the program. In this case, there was
no intrusion detection system on the 700-node corporate network. The intruder was
only discovered when a vice-president walked into her office and saw the cursor
moving files around on her Windows workstation.
Benign intruders might be tolerable, although they do consume resources and
may slow performance for legitimate users. However, there is no way in advance to
know whether an intruder will be benign or malign. Consequently, even for systems
with no particularly sensitive resources, there is a motivation to control this problem.
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs)
are designed to counter this type of hacker threat. In addition to using such systems,
organizations can consider restricting remote logons to specific IP addresses and/or
use virtual private network technology.
One of the results of the growing awareness of the intruder problem has been
the establishment of a number of computer emergency response teams (CERTs).
These cooperative ventures collect information about system vulnerabilities and disseminate
it to systems managers. Hackers also routinely read CERT reports. Thus,
it is important for system administrators to quickly insert all software patches to
discovered vulnerabilities. Unfortunately, given the complexity of many IT systems,
and the rate at which patches are released, this is increasingly difficult to achieve
without automated updating. Even then, there are problems caused by incompatibilities
resulting from the updated software. Hence the need for multiple layers of
defense in managing security threats to IT systems.
Advanced Persistent Threat (APT) (2 of 2)
Advanced
The individual components may not necessarily be technically advanced, but are carefully selected to suit the chosen target
Persistent
Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success
Threats
Threats to the selected targets as a result of the organized, capable, and well-funded attackers' intent to compromise the specifically chosen targets
Viruses
Parasitic software fragments that attach themselves to some existing executable content
Can “infect” other programs or any type of executable content and modify them
The modification includes injecting the original code with a routine to make copies of the virus code, which can then go on to infect other content
One reason viruses dominated the malware scene in earlier years was the lack of user authentication and access controls on personal computer systems
Virus Structure (1 of 2)
A computer virus and many contemporary types of malware include one or more variants of each of these components:
Infection mechanism
The means by which a virus spreads or propagates, enabling it to replicate
Also referred to as the infection vector
Trigger
The event or condition that determines when the payload is activated or delivered
Organized groups of hackers have become a widespread and common
threat to Internet-based systems. These groups can be in the employ of a corporation
or government but often are loosely affiliated gangs of hackers. Typically, these gangs
are young, often Eastern European, Russian, or southeast Asian hackers who do
business on the Web [ANTE06]. They meet in underground forums with names like
DarkMarket.org and theftservices.com to trade tips and data and coordinate attacks.
A common target is a credit card file at an e-commerce server. Attackers attempt to
gain root access. The card numbers are used by organized crime gangs to purchase
expensive items and are then posted to carder sites, where others can access and use
the account numbers; this obscures usage patterns and complicates investigation.
Whereas traditional hackers look for targets of opportunity, criminal hackers
usually have specific targets, or at least classes of targets in mind. Once a site
is penetrated, the attacker acts quickly, scooping up as much valuable information as
possible and exiting.
IDSs and IPSs can also be used for these types of attackers, but may be less
effective because of the quick in-and-out nature of the attack. For e-commerce
sites, database encryption should be used for sensitive customer information, especially
credit cards. For hosted e-commerce sites (provided by an outsider service),
the e-commerce organization should make use of a dedicated server (not used to
support multiple customers) and closely monitor the provider’s security services.
Virus Structure (2 of 2)
Sometimes known as a logic bomb
Payload
What the virus does, besides spreading
May involve damage or benign but noticeable activity
Virus Phases (1 of 2)
During its lifetime, a typical virus goes through the following four phases:
Dormant phase
The virus is idle
Will eventually be activated by some event
Not all viruses have this stage
Propagation phase
The virus places a copy of itself onto other programs or into certain system areas on the disk
Insider attacks are among the most difficult to detect and prevent.
Employees already have access and knowledge about the structure and content of
corporate databases. Insider attacks can be motivated by revenge or simply a feeling
of entitlement. An example of the former is the case of Kenneth Patterson, fired
from his position as data communications manager for American Eagle Outfitters.
Patterson disabled the company’s ability to process credit card purchases during
five days of the holiday season of 2002. As for a sense of entitlement, there have
always been many employees who felt entitled to take extra office supplies for home
use, but this now extends to corporate data. An example is that of a vice-president
of sales for a stock analysis firm who quit to go to a competitor. Before she left, she
copied the customer database to take with her. The offender reported feeling no
animus toward her former employer; she simply wanted the data because it would
be useful to her.
Although IDS and IPS facilities can be useful in countering insider attacks,
other more direct approaches are of higher priority. Examples include the
following:
• Enforce least privilege, only allowing access to the resources employees need
to do their job.
• Set logs to see what users access and what commands they are entering.
• Protect sensitive resources with strong authentication.
• Upon termination, delete employee’s computer and network access.
• Upon termination, make a mirror image of employee’s hard drive before reissuing
it. That evidence might be needed if your company information turns up
at a competitor.
In this section, we look at the techniques used for intrusion. Then we examine
ways to detect intrusion.
Virus Phases (2 of 2)
Triggering phase
The virus is activated to perform the function for which it was intended
Can be caused by a variety of system events
Execution phase
The function is performed
Figure 10.1 Example Virus Logic
Traditional machine-executable virus code can be
prepended or postpended to some executable program, or it can be embedded into
the program in some other fashion. The key to its operation is that the infected program,
when invoked, will first execute the virus code and then execute the original
code of the program.
A very general depiction of virus structure is shown in Figure 10.1a. In this
case, the virus code, V, is prepended to infected programs, and it is assumed that the
entry point to the program, when invoked, is the first line of the program.
The infected program begins with the virus code and works as follows.
The first line of code labels the program, which then begins execution with the
main action block of the virus. The second line is a special marker that is used
by the virus to determine whether or not a potential victim program has already
been infected with this virus. When the program is invoked, control is immediately
transferred to the main virus program. The virus program may first seek
out uninfected executable files and infect them. Next, the virus may execute its
payload if the required trigger conditions, if any, are met. Finally, the virus
transfers control to the original program. If the infection phase of the program
is reasonably rapid, a user is unlikely to notice any difference between the
execution of an infected and an uninfected program.
A virus such as the one just described is easily detected because an infected version
of a program is longer than the corresponding uninfected one. A way to thwart
such a simple means of detecting a virus is to compress the executable file so that
both the infected and uninfected versions are of identical length. Figure 10.1b shows
in general terms the logic required. The key lines in this virus are labeled with times,
and Figure 10.2 illustrates the operation.
Figure 10.2 A Compression Virus
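The detection point made in the notes (an infected file is longer than the original) and the reason the compression trick in Figure 10.1b defeats it can be shown from the defender's side with a file-integrity baseline. The Python below is an added example, not code from the book or its figures: the "programs" are constructed byte strings, `FOREIGN_BLOCK` is an inert placeholder for the block V of Figure 10.1, and `zlib` stands in for whatever compressor the figure assumes. It goes one step beyond the text by also recording a SHA-256 digest in the baseline, which catches the same-length modification that a pure length check misses.

```python
import hashlib
import zlib

# Constructed stand-ins for executable files (byte strings, not real binaries).
CLEAN_PROGRAMS = {
    "editor": b"PROGRAM editor: " + b"open read write save quit " * 40,
    "calc":   b"PROGRAM calc: " + b"add sub mul div " * 60,
}

# Constructed, inert placeholder for the prepended block V of Figure 10.1.
FOREIGN_BLOCK = b"<constructed-foreign-block-" + b"x" * 40 + b">"


def baseline(programs):
    """Defender's reference: record the length and SHA-256 digest of every program."""
    return {name: (len(body), hashlib.sha256(body).hexdigest())
            for name, body in programs.items()}


def prepend_modification(body, extra):
    """Stand-in for Figure 10.1a: a block is placed in front of the program.
    The modified file is longer than the original, so a length check notices."""
    return extra + body


def same_length_modification(body, extra):
    """Stand-in for Figure 10.1b: the original is compressed so that the extra block
    plus the compressed original fits within the original length (zero-padded).
    A length check therefore cannot tell the two versions apart."""
    compressed = zlib.compress(body, 9)
    modified = extra + compressed
    if len(modified) > len(body):
        raise ValueError("original does not compress enough to hide the change")
    return modified + b"\0" * (len(body) - len(modified))


def detect(programs, reference, use_hash):
    """Return the names of programs that differ from the baseline.
    use_hash=False compares only lengths; use_hash=True compares digests."""
    flagged = []
    for name, body in programs.items():
        length, digest = reference[name]
        if use_hash:
            changed = hashlib.sha256(body).hexdigest() != digest
        else:
            changed = len(body) != length
        if changed:
            flagged.append(name)
    return flagged


def run_comparison():
    """Apply both modifications to the sample programs and run both checks."""
    reference = baseline(CLEAN_PROGRAMS)
    longer = {n: prepend_modification(b, FOREIGN_BLOCK) for n, b in CLEAN_PROGRAMS.items()}
    hidden = {n: same_length_modification(b, FOREIGN_BLOCK) for n, b in CLEAN_PROGRAMS.items()}
    return {
        "length_check_on_prepended":   detect(longer, reference, use_hash=False),
        "length_check_on_same_length": detect(hidden, reference, use_hash=False),
        "hash_check_on_same_length":   detect(hidden, reference, use_hash=True),
    }


if __name__ == "__main__":
    for check, names in run_comparison().items():
        print(f"{check}: {names}")
```

The length check flags the prepended version of both programs, reports nothing for the same-length version, and the digest check flags both again; this is why integrity monitors record a cryptographic digest rather than a file size.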
Virus Classification By Target (1 of 2)
Includes the following categories:
• Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
• File infector: Infects files that the operating system or shell consider to be executable
The objective of the intruder is to gain access to a system or to increase the range of
privileges accessible on a system. Most initial attacks use system or software vulnerabilities
that allow a user to execute code that opens a backdoor into the system.
Alternatively, the intruder attempts to acquire information that should have been
protected. In some cases, this information is in the form of a user password. With
knowledge of some other user’s password, an intruder can log in to a system and
exercise all the privileges accorded to the legitimate user.
Typically, a system must maintain a file that associates a password with each
authorized user. If such a file is stored with no protection, then it is an easy matter
to gain access to it and learn passwords. The password file can be protected in one
of two ways:
• One-way function: The system stores only the value of a function based on the
user’s password. When the user presents a password, the system transforms
that password and compares it with the stored value. In practice, the system
usually performs a one-way transformation (not reversible), in which the password
is used to generate a key for the one-way function and in which a fixed length
output is produced.
• Access control: Access to the password file is limited to one or a very few
accounts.
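Both protections in the list above can be shown in a few lines. The Python below is an added example, not code from the book: the one-way function is PBKDF2-HMAC-SHA256 with a random per-user salt (the iteration count is an assumed work factor), the stored value is compared in constant time, and the file itself is created with owner-only permissions, which is the access-control half. The user names and passwords are constructed.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware (not from the text).
DEFAULT_ITERATIONS = 600_000


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """One-way function: derive a fixed-length value from the password and a random salt.
    The stored record carries everything needed to re-derive it except the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-apply the transformation and compare with the stored value in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def write_password_file(path, records):
    """Access control: create the file readable and writable by its owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for user, stored in records.items():
            f.write(f"{user}:{stored}\n")


def password_file_is_protected(path):
    """True if no group or other permission bits are set on the file."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo(iterations=DEFAULT_ITERATIONS, directory=None):
    """Build a two-user password file in a temp directory and exercise both protections."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "passwd.demo")
    # Constructed users; both deliberately use the same password to show the salt at work.
    records = {"alice": hash_password("correct horse battery", iterations),
               "bob": hash_password("correct horse battery", iterations)}
    write_password_file(path, records)
    return {
        "alice_ok": verify_password("correct horse battery", records["alice"]),
        "alice_wrong": verify_password("wrong guess", records["alice"]),
        "same_password_different_records": records["alice"] != records["bob"],
        "file_protected": password_file_is_protected(path),
    }


if __name__ == "__main__":
    print(demo())
```

Because the salt differs per user, two accounts with the same password produce different stored values, so an attacker who obtains the file cannot recognise shared passwords or reuse one precomputed table against every entry.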
Virus Classification By Target (2 of 2)
• Macro virus: Infects files with macro or scripting code that is interpreted by an application
• Multipartite virus: Infects files in multiple ways
Virus Classification by Concealment Strategy (1 of 2)
Includes the following categories:
• Encrypted virus
  – A portion of the virus creates a random encryption key and encrypts the remainder of the virus
  – When an infected program is invoked, the virus uses the stored random key to decrypt the virus
  – When the virus replicates, a different random key is selected
  – Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe
Organized groups of hackers have become a widespread and common
threat to Internet-based systems. These groups can be in the employ of a corporation
or government but often are loosely affiliated gangs of hackers. Typically, these gangs
are young, often Eastern European, Russian, or southeast Asian hackers who do
business on the Web [ANTE06]. They meet in underground forums with names like
DarkMarket.org and theftservices.com to trade tips and data and coordinate attacks.
A common target is a credit card file at an e-commerce server. Attackers attempt to
gain root access. The card numbers are used by organized crime gangs to purchase
expensive items and are then posted to carder sites, where others can access and use
the account numbers; this obscures usage patterns and complicates investigation.
Whereas traditional hackers look for targets of opportunity, criminal hackers
usually have specific targets, or at least classes of targets in mind. Once a site
is penetrated, the attacker acts quickly, scooping up as much valuable information as
possible and exiting.
IDSs and IPSs can also be used for these types of attackers, but may be less
effective because of the quick in-and-out nature of the attack. For e-commerce
sites, database encryption should be used for sensitive customer information, especially
credit cards. For hosted e-commerce sites (provided by an outsider service),
the e-commerce organization should make use of a dedicated server (not used to
support multiple customers) and closely monitor the provider’s security services.
Virus Classification by Concealment Strategy (2 of 2)
• Stealth virus
  – A form of virus explicitly designed to hide itself from detection by antivirus software
  – The entire virus, not just the payload, is hidden
• Polymorphic virus: A virus that mutates with every infection, making detection by the “signature” of the virus impossible
• Metamorphic virus
  – Mutates with every infection
  – Rewrites itself completely at each iteration, increasing the difficulty of detection
  – May change its behavior as well as its appearance
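The concealment strategies on these two slides all remove the fixed byte sequence that a signature scanner looks for. A complementary heuristic defenders use is to look for the side effect of encryption: an encrypted body has near-uniform byte statistics, which a Shannon-entropy scan over fixed windows picks up. The Python below is an added example, not code from the book or any antivirus product. The scanned buffer is constructed (plain text standing in for ordinary code and strings, deterministic pseudo-random bytes standing in for an encrypted region), and the window size and entropy threshold are assumptions.

```python
import math
import random
from collections import Counter

WINDOW = 512          # bytes per window (assumption)
THRESHOLD_BITS = 7.0  # entropy above which a window is reported (assumption)


def shannon_entropy(data):
    """Bits of entropy per byte of the given byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def signature_hits(data, signature):
    """Classic signature scan: offsets of every exact occurrence of a fixed byte pattern."""
    hits, start = [], 0
    while True:
        idx = data.find(signature, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def high_entropy_windows(data, window=WINDOW, threshold=THRESHOLD_BITS):
    """Slide a non-overlapping window over the buffer and report (offset, entropy)
    for every window whose entropy exceeds the threshold."""
    flagged = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e > threshold:
            flagged.append((off, round(e, 2)))
    return flagged


def build_sample_buffer(seed=1234):
    """Constructed buffer: 2 KiB of ordinary text, 2 KiB of pseudo-random bytes
    (standing in for an encrypted virus body), then 2 KiB of text again."""
    rng = random.Random(seed)
    text = (b"This is ordinary program text and string data; it repeats words "
            b"so its byte distribution is far from uniform. ")
    head = (text * 40)[:2048]
    body = bytes(rng.getrandbits(8) for _ in range(2048))
    tail = (text * 40)[:2048]
    return head + body + tail


def scan(data=None):
    """Run the signature scan and the entropy scan over the buffer and summarise."""
    data = build_sample_buffer() if data is None else data
    return {
        "text_entropy": round(shannon_entropy(data[:2048]), 2),
        "random_region_entropy": round(shannon_entropy(data[2048:4096]), 2),
        "marker_hits": signature_hits(data, b"ordinary program text"),
        "flagged_windows": high_entropy_windows(data),
    }


if __name__ == "__main__":
    for key, value in scan().items():
        print(f"{key}: {value}")
```

The fixed marker is found only in the plain-text regions, while the four 512-byte windows covering the pseudo-random region score close to 8 bits per byte and are the ones reported. Compressed or legitimately encrypted data scores the same way, so in practice this is a triage signal that narrows what gets deeper analysis, not a verdict on its own.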
Macro and Scripting Viruses
Macro viruses infect scripting code used to support active content in a variety of user document types
Threatening for a number of reasons:
• A macro virus is platform independent
• Macro viruses infect documents, not executable portions of code
• Macro viruses are easily spread, as the documents they exploit are shared in normal use
• Because macro viruses infect user documents rather than system programs, traditional file system access controls are of limited use in preventing their spread
Worms
• A program that actively seeks out more machines to infect
• Upon activation, the worm may replicate and propagate again
• To replicate itself, a worm uses some means to access remote systems:
  – Electronic mail or instant messenger facility
  – File sharing
  – Remote execution capability
  – Remote file access or transfer capability
  – Remote login capability
Inevitably, the best intrusion prevention system will fail. A system’s second line
of defense is intrusion detection, and this has been the focus of much research in
recent years. This interest is motivated by a number of considerations, including the
following:
1. If an intrusion is detected quickly enough, the intruder can be identified and
ejected from the system before any damage is done or any data are compromised.
Even if the detection is not sufficiently timely to preempt the intruder,
the sooner that the intrusion is detected, the less the amount of damage and
the more quickly that recovery can be achieved.
2. An effective intrusion detection system can serve as a deterrent, so acting to
prevent intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques
that can be used to strengthen the intrusion prevention facility.
Intrusion detection is based on the assumption that the behavior of the
intruder differs from that of a legitimate user in ways that can be quantified. Of
course, we cannot expect that there will be a crisp, exact distinction between an
attack by an intruder and the normal use of resources by an authorized user. Rather,
we must expect that there will be some overlap.
Worm Phases
A worm typically uses the same phases as a computer virus:
• Dormant
• Propagation
• Triggering
• Execution
The propagation phase generally performs the following functions:
• Search for appropriate access mechanisms to other systems to infect by examining host tables, address books, buddy lists, trusted peers, and other similar repositories of remote system access details
• Use the access mechanisms found to transfer a copy of itself to the remote system and cause the copy to be run
[PORR92] identifies the following approaches to intrusion detection:
1. Statistical anomaly detection: Involves the collection of data relating to the
behavior of legitimate users over a period of time. Then statistical tests are
applied to observed behavior to determine with a high level of confidence
whether that behavior is not legitimate user behavior.
a. Threshold detection: This approach involves defining thresholds, independent
of user, for the frequency of occurrence of various events.
b. Profile based: A profile of the activity of each user is developed and used to
detect changes in the behavior of individual accounts.
In essence, anomaly approaches attempt to define normal, or expected,
behavior, whereas signature-based approaches attempt to define proper behavior.
In terms of the types of attackers listed earlier, statistical anomaly detection is
effective against masqueraders, who are unlikely to mimic the behavior patterns of
the accounts they appropriate. On the other hand, such techniques may be unable to
deal with misfeasors. For such attacks, rule-based approaches may be able to recognize
events and sequences that, in context, reveal penetration. In practice, a system may exhibit
a combination of both approaches to be effective against a broad range of attacks.
Target Discovery (1 of 2)
• Scanning/fingerprinting: The function in the propagation phase for a network worm to search for other systems to infect
Worm network scanning strategies:
• Random
  – Each compromised host probes random addresses in the IP address space, using a different seed
  – Produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack is launched
• Hit list
  – The attacker first compiles a long list of potentially vulnerable machines
  – Once the list is compiled, the attacker begins infecting machines on the list
Target Discovery (2 of 2)
• Hit list (continued)
  – Each infected machine is provided with a portion of the list to scan
  – This results in a very short scanning period, which may make it difficult to detect that infection is taking place
• Topological: Uses information contained on an infected victim machine to find more hosts to scan
• Local subnet
  – If a host is infected behind a firewall, that host then looks for targets in its own local network
  – The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall
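Each scanning strategy above leaves a different footprint in connection records, which is what a defender can measure: random scanning produces a large fan-out of distinct destinations with mostly unanswered connections, while a local-subnet sweep produces a large fan-out confined to the source's own network. The Python below is an added example, not code from the book. The flow records are constructed (time, source, destination, port, whether the connection was answered), and the fan-out, failure-ratio and locality thresholds are assumptions a real detector would tune per network; it also aggregates over the whole sample rather than a sliding time window, which is why the hit-list strategy, with its very short scanning period, is the harder case to catch this way.

```python
import ipaddress
import random
from collections import defaultdict

# Assumed thresholds; a real detector tunes these per network and per time window.
FANOUT_THRESHOLD = 20   # distinct destinations before a source is suspicious
FAILURE_RATIO = 0.5     # fraction of unanswered connections typical of blind probing
LOCAL_FRACTION = 0.8    # fraction of destinations inside the source's own /24


def build_sample_flows(seed=7):
    """Constructed connection records: (time_s, src, dst, dport, answered)."""
    rng = random.Random(seed)
    flows = []
    # A normal workstation: a handful of repeat destinations, all answered.
    for i in range(30):
        dst = rng.choice(["10.0.1.10", "10.0.1.11", "203.0.113.5"])
        flows.append((float(i), "10.0.5.3", dst, 443, True))
    # Random strategy: many distinct addresses anywhere in the space, rarely answered.
    for i in range(80):
        dst = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        flows.append((i * 0.5, "10.0.5.7", dst, 445, rng.random() < 0.05))
    # Local-subnet strategy: walks its own /24 in order, answered only where a host exists.
    for i in range(1, 60):
        flows.append((i * 0.3, "10.0.5.20", f"10.0.5.{100 + i}", 445, rng.random() < 0.2))
    flows.sort(key=lambda f: f[0])
    return flows


def analyze(flows, fanout=FANOUT_THRESHOLD, failure_ratio=FAILURE_RATIO,
            local_fraction=LOCAL_FRACTION):
    """Per source: distinct-destination count, unanswered ratio, share of destinations in
    the source's own /24, and a verdict of 'random-scan', 'local-subnet-sweep' or 'normal'."""
    per_src = defaultdict(list)
    for _, src, dst, _, answered in flows:
        per_src[src].append((dst, answered))
    report = {}
    for src, events in per_src.items():
        dsts = {d for d, _ in events}
        unanswered = sum(1 for _, ok in events if not ok) / len(events)
        subnet = ipaddress.ip_network(f"{src}/24", strict=False)
        local = sum(1 for d in dsts if ipaddress.ip_address(d) in subnet) / len(dsts)
        if len(dsts) >= fanout and local >= local_fraction:
            verdict = "local-subnet-sweep"
        elif len(dsts) >= fanout and unanswered >= failure_ratio:
            verdict = "random-scan"
        else:
            verdict = "normal"
        report[src] = {"distinct_dsts": len(dsts), "unanswered_ratio": round(unanswered, 2),
                       "local_share": round(local, 2), "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, summary in analyze(build_sample_flows()).items():
        print(src, summary)
```

The ordering of the two tests matters: a subnet sweep also has a high unanswered ratio, so the locality check runs first to keep the verdicts distinct. The point the text makes about the local-subnet strategy holds here too: these flows never cross the firewall, so only internal flow records or host-based logs can show them.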
Figure 10.3 Worm Propagation Model
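Figure 10.3 is the S-shaped infection curve: a slow start while few hosts are scanning, a fast-spread phase, and a slow finish as uninfected hosts become scarce. The Python below reproduces that curve with the simple epidemic model, dI/dt = βI(N − I); that model is my assumption about what lies behind the figure, not something stated on this page, and the block is an added example, not code from the book. The population size, contact rate and containment times are constructed values. It goes one step beyond the figure by letting you block propagation at a chosen time, which puts numbers on the point made in the notes that the sooner an intrusion is detected, the less the damage.

```python
def simulate(n_hosts=100_000, beta=2e-5, initial=1, dt=0.01, containment_at=None,
             stop_fraction=0.999, max_steps=20_000):
    """Euler integration of dI/dt = beta * I * (N - I).
    From containment_at onward (if given) propagation is blocked, i.e. beta becomes 0.
    Returns a list of (time, infected) samples."""
    infected = float(initial)
    t = 0.0
    series = [(t, infected)]
    for _ in range(max_steps):
        if infected >= stop_fraction * n_hosts:
            break
        rate = 0.0 if (containment_at is not None and t >= containment_at) else beta
        infected = min(n_hosts, infected + dt * rate * infected * (n_hosts - infected))
        t += dt
        series.append((t, infected))
        if rate == 0.0:
            break  # nothing changes once propagation is blocked
    return series


def time_to_fraction(series, n_hosts, fraction):
    """First sample time at which at least `fraction` of the hosts are infected (None if never)."""
    for t, infected in series:
        if infected >= fraction * n_hosts:
            return t
    return None


def phases(series, n_hosts=100_000):
    """Durations of the slow-start (0-10%), fast-spread (10-90%) and slow-finish (90-99.9%) phases."""
    t10 = time_to_fraction(series, n_hosts, 0.10)
    t90 = time_to_fraction(series, n_hosts, 0.90)
    t999 = time_to_fraction(series, n_hosts, 0.999)
    return {"slow_start": t10, "fast_spread": t90 - t10, "slow_finish": t999 - t90}


def final_infected(containment_at, **kw):
    """Number of hosts infected when propagation is blocked at the given time."""
    return simulate(containment_at=containment_at, **kw)[-1][1]


if __name__ == "__main__":
    curve = simulate()
    print("phase durations:", phases(curve))
    for t_c in (3.0, 4.0, 5.0, 6.0):
        print(f"containment at t={t_c}: {final_infected(t_c):,.0f} hosts infected")
```

With these constructed values the slow-start phase is roughly twice as long as the fast-spread phase, and blocking propagation at t = 3 leaves a few hundred infected hosts, while waiting until t = 6 leaves tens of thousands; the interval in which detection is cheap is exactly the interval in which the worm is least visible.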
The Morris Worm
• Released onto the Internet by Robert Morris in 1988
• Designed to spread on UNIX systems and used a number of different techniques for propagation
• When a copy began execution, its first task was to discover other hosts known to this host that would allow entry from this host
• For each discovered host, the worm tried a number of methods for gaining access:
  – It attempted to log on to a remote host as a legitimate user
  – It exploited a bug in the UNIX finger protocol, which reports the whereabouts of a remote user
  – It exploited a trapdoor in the debug option of the remote process that receives and sends mail
A fundamental tool for intrusion detection is the audit record. Some record of
ongoing activity by users must be maintained as input to an intrusion detection
system. Basically, two plans are used:
• Native audit records: Virtually all multiuser operating systems include
accounting software that collects information on user activity. The advantage
of using this information is that no additional collection software is needed.
The disadvantage is that the native audit records may not contain the needed
information or may not contain it in a convenient form.
• Detection-specific audit records: A collection facility can be implemented that
generates audit records containing only that information required by the intrusion
detection system. One advantage of such an approach is that it could
be made vendor independent and ported to a variety of systems. The disadvantage
is the extra overhead involved in having, in effect, two accounting
packages running on a machine.
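The two detection approaches from [PORR92] described earlier (threshold detection with user-independent limits, and profile-based detection against each account's own history) both consume the audit records just described. The Python below is an added example, not code from the book: it reads constructed lines in a made-up native audit format, reduces them to detection-specific records carrying only the fields the detector needs, then applies a threshold rule to failed logins and a per-user profile rule to daily file reads. The per-user history, the event names, the limit of five failures per minute and the three-standard-deviation profile margin are all assumptions.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed per-user history of daily file reads: the profile built from past audit data.
HISTORY = {
    "alice": [40, 42, 38, 45, 41, 39, 44],
    "bob":   [10, 12, 9, 11, 10, 13, 12],
}

# Assumed threshold rule, independent of user: this many failed logins inside the window.
FAILED_LOGIN_LIMIT = 5
FAILED_LOGIN_WINDOW = timedelta(seconds=60)


def build_native_log():
    """Constructed lines in a made-up native audit format: '<iso-time> <user> <event> <detail>'."""
    base = datetime(2017, 3, 1, 9, 0, 0)
    lines = []
    for i in range(43):   # alice: a normal day against her profile
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} alice file_read /srv/reports/r{i}.xlsx")
    for i in range(95):   # bob's account: far above its own profile (masquerader pattern)
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} bob file_read /srv/hr/p{i}.pdf")
    for i in range(8):    # carol: burst of failed logins from one address within 30 seconds
        lines.append(f"{(base + timedelta(seconds=4 * i)).isoformat()} carol login_fail 198.51.100.9")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} carol login_ok 10.0.1.7")
    return "\n".join(lines)


def to_detection_records(native_text):
    """Detection-specific records: keep only (time, user, event) from each native line."""
    records = []
    for line in native_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue  # skip lines the detector does not understand
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(records)


def threshold_alerts(records, limit=FAILED_LOGIN_LIMIT, window=FAILED_LOGIN_WINDOW):
    """Threshold detection: users with >= limit failed logins inside any sliding window."""
    failures = defaultdict(list)
    for ts, user, event in records:
        if event == "login_fail":
            failures[user].append(ts)
    alerted = set()
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= limit:
                alerted.add(user)
                break
    return alerted


def profile_anomalies(records, history=HISTORY, k=3.0):
    """Profile-based detection: flag a user whose file_read count today exceeds
    mean + k * stdev of that user's own history."""
    today = Counter(user for _, user, event in records if event == "file_read")
    result = {}
    for user, past in history.items():
        mean, sd = statistics.mean(past), statistics.stdev(past)
        count = today.get(user, 0)
        result[user] = {"count": count, "mean": round(mean, 1), "stdev": round(sd, 2),
                        "flagged": count > mean + k * sd}
    return result


if __name__ == "__main__":
    recs = to_detection_records(build_native_log())
    print("threshold alerts:", threshold_alerts(recs))
    for user, summary in profile_anomalies(recs).items():
        print(user, summary)
```

The two rules catch different things, which is the point of the notes above: the threshold rule needs no per-user history and fires on carol's login burst regardless of who she is, while the profile rule is what separates bob's 95 reads (against a baseline of about 11) from alice's 43 (against a baseline of about 41), even though alice's raw count is also well above bob's normal.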
Worm Technology (1 of 3)
• Multiplatform: Newer worms can attack a variety of platforms
• Multi-exploit: New worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications, or via shared media
• Ultrafast spreading: Exploit various techniques to optimize the rate of spread of a worm to maximize its likelihood of locating as many vulnerable machines as possible in a short time period
Worm Technology (2 of 3)
• Polymorphic: To evade detection, skip past filters, and foil real-time analysis, each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques
• Metamorphic: In addition to changing their appearance, metamorphic worms have a repertoire of behavior patterns that are unleashed at different stages of propagation
• Transport vehicles: Because worms can rapidly compromise a large number of systems, they are ideal for spreading a wide variety of malicious payloads
Worm Technology (3 of 3)
• Zero-day exploit: To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched
Mobile Code (1 of 2)
• Refers to programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics
• Transmitted from a remote system to a local system and then executed on the local system without the user’s explicit instruction
• Often acts as a mechanism for a virus, worm, or Trojan horse to be transmitted to the user’s workstation
Popular vehicles for mobile code include:
• Java applets
• ActiveX
Mobile Code (2 of 2)
• JavaScript
• VBScript
The most common ways of using mobile code for malicious operations on a local system are:
• Cross-site scripting
• Interactive and dynamic Web sites
• E-mail attachments
• Downloads from untrusted sites or of untrusted software
Client-Side Vulnerabilities and Drive-by-Downloads (1 of 2)
• Drive-by-download
  – Exploits browser vulnerabilities so that when the user views a Web page controlled by the attacker, it contains code that exploits the browser bug to download and install malware on the system without the user’s knowledge or consent
  – Does not actively propagate as a worm does, but rather waits for unsuspecting users to visit the malicious Web page in order to spread to their systems
  – Watering-hole attacks are a variant of this used in highly targeted attacks
Client-Side Vulnerabilities and Drive-by-Downloads (2 of 2)
• The attacker researches their intended victims to identify Web sites they are likely to visit and then scans these sites to identify those with vulnerabilities that allow their compromise with a drive-by-download attack
• Malvertising is another technique used to place malware on Web sites without actually compromising them
  – The attacker pays for advertisements that are highly likely to be placed on their intended target Web sites, and which incorporate malware in them
Clickjacking (1 of 2)
Also known as a user-interface (UI) redress attack
Is a vulnerability used by an attacker to collect an infected user’s clicks
The attacker can force the user to do a variety of things from adjusting the user’s computer settings to unwittingly sending the user to Web sites that might have malicious code
Also, by taking advantage of Adobe Flash or JavaScript, an attacker could even place a button under or over a legitimate button, making it difficult for users to detect
Clickjacking (2 of 2)
A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page
Using a similar technique, keystrokes can also be hijacked
With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their e-mail or bank account but are instead typing into an invisible frame controlled by the attacker
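The layering described on the two Clickjacking slides only works if the victim page can be loaded inside an attacker-controlled frame, so the first thing a defender checks is whether a site's responses forbid framing. The block below is an added example, not code from the book or the slides: it classifies a response's framing policy from its headers, giving the CSP frame-ancestors directive precedence over X-Frame-Options as browsers do. The header dictionaries and the host names in the test are constructed; the function names are mine.

```python
"""Audit HTTP response headers for clickjacking (UI redress) protection."""


def _header(headers, name):
    """Case-insensitive lookup over a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP value, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers):
    """Classify a response as ('deny' | 'sameorigin' | 'allowlist' | 'open', reason).

    When both headers are present browsers honour CSP frame-ancestors and ignore
    X-Frame-Options, so the CSP directive is evaluated first; a CSP header without
    that directive says nothing about framing and falls through to X-Frame-Options."""
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        sources = frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return "deny", "CSP frame-ancestors 'none'"
            if sources == ["'self'"]:
                return "sameorigin", "CSP frame-ancestors 'self'"
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "open", f"CSP frame-ancestors permits any origin: {sources}"
            return "allowlist", f"CSP frame-ancestors restricted to {sources}"
    xfo = _header(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().upper()
        if value == "DENY":
            return "deny", "X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            return "sameorigin", "X-Frame-Options: SAMEORIGIN"
        # ALLOW-FROM and other values are not honoured by current browsers,
        # so a page relying on them is effectively unprotected.
        return "open", f"unsupported X-Frame-Options value {xfo!r}"
    return "open", "no framing restriction header present"


def is_frameable_by_third_party(headers):
    """True when nothing in the headers stops an arbitrary site from framing the page."""
    return framing_policy(headers)[0] == "open"
```

Feed it the header mapping from any HTTP client (for example `resp.headers` from `urllib.request`) for each login or settings page; anything classified as `open` is a candidate for the overlay and keystroke-hijacking attacks the slides describe. Note that a `Content-Security-Policy-Report-Only` header does not enforce anything, so it is deliberately not consulted.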
Spam
Unsolicited bulk e-mail
Imposes significant costs on both the network infrastructure needed to relay this traffic and on users who need to filter their legitimate e-mails
Most recent spam is sent by botnets using compromised user systems
Is a significant carrier of malware
May be used in a phishing attack
Although a significant security concern, in many cases it requires the user’s active choice to view the e-mail and any attached document or to permit the installation of some program, in order for the compromise to occur
Trojan Horses
Is a useful, or apparently useful, program or utility containing hidden code that, when invoked, performs some unwanted or harmful function
Can be used to accomplish functions indirectly that the attacker could not accomplish directly
Fit into one of three models:
Continuing to perform the function of the original program and additionally performing a separate malicious activity
Continuing to perform the function of the original program but modifying the function to perform malicious activity or to disguise other malicious activity
Performing a malicious function that completely replaces the function of the original program
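All three Trojan horse models leave the same trace: the bytes of an installed program no longer match what was installed. The block below is an added example, not code from the book or the slides: it takes a SHA-256 manifest of a directory tree on a trusted system and later reports files that were modified, removed, or added. The demo builds a throwaway tree in a temporary directory and simulates the first model (original function kept, hidden extra appended); the file names and contents are constructed, and the function names are mine.

```python
"""File-integrity check: find programs whose contents no longer match a known-good manifest."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256.

    Take this snapshot on a freshly installed, trusted system and keep it off-host
    (or signed): a manifest stored beside the binaries can be edited with them."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify(root, manifest):
    """Compare the live tree against the manifest and report every discrepancy."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario in a temporary directory; no real system files are touched."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"ORIGINAL-LS-CONTENT")
        with open(os.path.join(bin_dir, "cat"), "wb") as f:
            f.write(b"ORIGINAL-CAT-CONTENT")
        manifest = build_manifest(root)          # the trusted snapshot

        # Model 1 from the slide: the original function stays, a hidden extra is appended.
        with open(os.path.join(bin_dir, "ls"), "ab") as f:
            f.write(b"+HIDDEN-EXTRA")
        # A companion file that no package installed.
        with open(os.path.join(bin_dir, "helper"), "wb") as f:
            f.write(b"NEW")
        return verify(root, manifest)
```

A hash comparison catches replacement and modification but not a Trojan that was already present when the manifest was taken, which is why the snapshot should come from install media or a package database rather than from a running machine of unknown history.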
Payload - System Corruption (1 of 2)
Once malware is active on the target system, the next concern is what actions it will take on this system
Examples:
Data destruction on the infected system when certain trigger conditions were met
Display unwanted messages or content on the user’s system when triggered
Encrypt the user’s data and demand payment in order to access the key needed to recover this information (ransomware)
Inflict real-world damage on the system
Payload - System Corruption (2 of 2)
Attempt to rewrite the BIOS code used to initially boot the computer
Target specific industrial control system software
Logic bomb
Code embedded in the malware that is set to “explode” when certain conditions are met
Payload - Attack Agent
Malware subverts the computational and network resources of the infected system for use by the attacker
Bot (robot), zombie, drone
Secretly takes over another Internet-attached computer and then uses that computer to launch or manage attacks that are difficult to trace to the bot’s creator
A botnet is a collection of bots often capable of acting in a coordinated manner
Uses of Bots
Distributed denial-of-service (DDoS) attacks
Spamming
Sniffing traffic
Keylogging
Spreading new malware
Installing advertisement add-ons and browser helper objects (BHOs)
Attacking Internet Relay Chat (IRC) networks
Manipulating online polls/games
Remote Control Facility
Distinguishes a bot from a worm
A worm propagates itself and activates itself, whereas a bot is controlled from some central facility
Typically implemented on an IRC server
More recent botnets use covert communication channels via protocols such as HTTP
Distributed control mechanisms, using peer-to-peer protocols, are also used, to avoid a single point of failure
Once a communications path is established between a control module and the bots, the control module can activate the bots
Can also issue update commands that instruct the bots to download a file from some Internet location and execute it
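A bot that is controlled from a central facility has to poll or hold a channel to it, and when that channel is hidden inside HTTP the most visible artefact on the wire is regularity: the same client contacting the same host at near-constant intervals. The block below is an added example, not code from the book or the slides: it groups a proxy log by client and destination, computes the inter-arrival times of each flow, and flags flows whose coefficient of variation is small. The log lines, the client address 10.0.0.5 and the host names (using the reserved .invalid and .example names) are constructed; the thresholds and function names are mine.

```python
"""Detect periodic (beacon-like) outbound HTTP connections in a proxy log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client IP> <destination host>". Not real traffic.
LOG = """\
2017-03-01T10:00:02 10.0.0.5 beacon-sample.invalid
2017-03-01T10:00:09 10.0.0.5 news.example
2017-03-01T10:05:01 10.0.0.5 beacon-sample.invalid
2017-03-01T10:07:44 10.0.0.5 news.example
2017-03-01T10:10:03 10.0.0.5 beacon-sample.invalid
2017-03-01T10:15:00 10.0.0.5 beacon-sample.invalid
2017-03-01T10:18:21 10.0.0.5 news.example
2017-03-01T10:20:02 10.0.0.5 beacon-sample.invalid
2017-03-01T10:25:01 10.0.0.5 beacon-sample.invalid
2017-03-01T10:31:17 10.0.0.5 news.example
2017-03-01T10:59:48 10.0.0.5 news.example
"""


def parse_proxy_log(log):
    """Group request timestamps by (client, destination) flow."""
    flows = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, client, host = line.split()
        flows[(client, host)].append(datetime.fromisoformat(stamp))
    return flows


def beacon_candidates(flows, min_hits=5, max_cv=0.1):
    """Return flows whose inter-arrival times are almost constant.

    min_hits avoids scoring flows with too few samples; max_cv is the largest
    coefficient of variation (stdev / mean of the gaps) still treated as periodic.
    Human browsing produces bursty, irregular gaps and a high CV."""
    found = {}
    for key, times in flows.items():
        times = sorted(times)
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            found[key] = {"hits": len(times), "period_s": round(period), "cv": round(cv, 3)}
    return found
```

On the sample the five-minute flow to beacon-sample.invalid is reported with a period of 300 s while the news site, despite a similar number of requests, is not. Two caveats matter in practice: bots that add random jitter to their interval raise the CV, so the threshold has to be tuned against real baselines, and a peer-to-peer control mechanism (mentioned on the slide) spreads the traffic over many destinations, so it needs per-client fan-out analysis rather than a per-flow test.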
Payload - Information Theft (1 of 2)
Keylogger
Captures keystrokes on the infected machine to allow an attacker to monitor user login and password credentials
Spyware
Developed in response to efforts to try and stop keylogging
Subverts the compromised machine to allow monitoring of a wide range of activity on the system, which can significantly compromise the user’s personal information
Payload - Information Theft (2 of 2)
Phishing
Exploits social engineering to leverage the user’s trust by masquerading as communication from a trusted source
Spear-phishing
An e-mail claiming to be from a trusted source; however, the recipients are carefully researched by the attacker, and each e-mail is crafted to suit its recipient specifically
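The Spam slide notes that compromise by mail usually needs the user to open an attachment or act on the message, and the Phishing slides describe the masquerading that persuades them to. The block below is an added example, not code from the book or the slides, that serves both: it parses one raw e-mail with the standard library and reports the indicators a mail filter or analyst looks for first (a Reply-To that goes somewhere other than the sender, a display name borrowing a trusted brand on a look-alike domain, urgency language, and an executable or double-extension attachment). The message, all addresses (reserved .invalid and .example names) and the trusted-domain list are constructed; the indicator codes and function names are mine.

```python
"""Heuristic phishing indicators for one raw e-mail (constructed sample, not a real message)."""
import email
from email import policy
from email.utils import parseaddr

SAMPLE = """\
From: "Example Bank Security" <alerts@examplebank-login.invalid>
Reply-To: recover@mailbox.invalid
To: someone@corp.example
Subject: Urgent: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your account has been suspended. Open the attached form immediately.
--b1
Content-Type: application/octet-stream; name="Account_Form.pdf.exe"
Content-Disposition: attachment; filename="Account_Form.pdf.exe"

placeholder-bytes
--b1--
"""

# Attachment extensions that execute when opened on a typical desktop.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk"}
# Phrases typical of pressure tactics; two or more together count as an indicator.
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")


def _domain(address_header):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(str(address_header))[1].rpartition("@")[2].lower()


def phishing_indicators(raw, trusted_domains=("examplebank.invalid",)):
    """Return a sorted list of indicator codes found in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    codes = set()

    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_dom = from_addr.rpartition("@")[2].lower()

    # Replies (and any data the victim sends back) are steered to a third domain.
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != from_dom:
        codes.add("reply-to-mismatch")

    # Display name invokes a trusted brand while the sending domain is not that brand's.
    compact_name = from_name.lower().replace(" ", "")
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if brand in compact_name and from_dom != trusted:
            codes.add("lookalike-sender")

    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    if sum(phrase in text for phrase in URGENCY) >= 2:
        codes.add("urgency")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if "." in name and "." + name.rsplit(".", 1)[1] in RISKY_EXT:
            codes.add("executable-attachment")
        if name.count(".") >= 2:          # e.g. report.pdf.exe, hidden by OS extension-hiding
            codes.add("double-extension")
    return sorted(codes)
```

Each indicator on its own has benign explanations (mailing-list software sets Reply-To routinely, and marketing mail is full of urgency), so in a real filter they are weighted and combined with authentication results such as SPF and DKIM rather than used as a single verdict.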
Payload - Stealthing (1 of 2)
Backdoor
Also known as a trapdoor
Is a secret entry point into a program that allows someone who is aware of the backdoor to gain access without going through the usual security access procedures
Code that recognizes some special sequence of input or is triggered by being run from a certain user ID or by an unlikely sequence of events
Usually implemented as a network service listening on some nonstandard port that the attacker can connect to and issue commands through to be run on the compromised system
Payload - Stealthing (2 of 2)
Rootkit
A set of programs installed on a system to maintain covert access to that system with administrator (or root) privileges, while hiding evidence of its presence to the greatest extent possible
Alters the host’s standard functionality in a malicious and stealthy way
An attacker has complete control of the system and can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demand
Hides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computer
Rootkits (1 of 2)
Can be classified using the following characteristics:
Persistent
Activates each time the system boots
Memory based
Has no persistent code and therefore cannot survive a reboot
User mode
Intercepts calls to application program interfaces (APIs) and modifies returned results
Rootkits (2 of 2)
Kernel mode
Can intercept calls to native APIs in kernel mode
Virtual machine based
Installs a lightweight virtual machine monitor and then runs the operating system in a virtual machine above it
External mode
Malware is located outside the normal operation mode of the targeted system, in BIOS or system management mode, where it can directly access hardware
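The stealthing and rootkit slides turn on one idea: a rootkit hides by subverting the mechanisms that report on processes and files, so a detector obtains the same information by a second route and looks for disagreement (cross-view detection). The block below is an added example, not code from the book or the slides: the pure function compares a "reported" process list with a "probed" one, and the Linux helpers show how the two views can be collected, the first from the /proc directory listing that ps reads, the second by asking the kernel about every PID with signal 0. The PID sets in the test are constructed and the function names are mine.

```python
"""Cross-view process enumeration: a PID present in one view but absent from the other is suspect."""
import os


def hidden_pids(reported, probed):
    """PIDs that direct probing found alive but the normal listing did not report."""
    return sorted(set(probed) - set(reported))


def stable_hidden(rounds):
    """Intersect several (reported, probed) rounds.

    A process that exits between the two enumerations of one round looks hidden
    for that round only; requiring it in every round removes those false positives."""
    per_round = [set(hidden_pids(reported, probed)) for reported, probed in rounds]
    return sorted(set.intersection(*per_round)) if per_round else []


# ---- Linux collectors for the two views (not exercised by the test) ----

def listed_pids_linux():
    """Reported view: the numeric entries of /proc, which ps and top read via readdir()."""
    return {int(entry) for entry in os.listdir("/proc") if entry.isdigit()}


def _is_thread(pid):
    """kill() also accepts thread IDs, which never appear in the /proc listing;
    skip them so a multithreaded process is not reported as a hidden process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass          # no status file: treat as a real (possibly hidden) process
    return False


def _pid_max():
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


def probed_pids_linux(max_pid=None):
    """Probed view: test every PID with signal 0. A hooked readdir() on /proc cannot
    filter this; a kernel-mode hook on kill() itself could, which is the limit of the
    technique noted on the slides."""
    alive = set()
    for pid in range(1, (max_pid or _pid_max()) + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass      # exists, but belongs to another user
        if not _is_thread(pid):
            alive.add(pid)
    return alive


def scan_linux(rounds=2):
    """Run the cross-view comparison on the local Linux host."""
    return stable_hidden([(listed_pids_linux(), probed_pids_linux()) for _ in range(rounds)])
```

The same pattern applies to the other objects a rootkit hides: directory listings versus direct open() of guessed names, or the registry API versus a raw hive parse. Cross-view catches user-mode rootkits and many kernel-mode ones, but a rootkit below the operating system (the virtual-machine-based and external classes on the slide) controls both views, which is why firmware integrity and measured boot, rather than in-OS checks, are the answer for those classes.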
Countermeasures (1 of 2)
Elements of prevention:
Policy
Awareness
Vulnerability mitigation
Threat mitigation
One of the first countermeasures that should be employed is to ensure all systems are as current as possible, with all patches applied, in order to reduce the number of vulnerabilities that might be exploited on the system
Countermeasures (2 of 2)
The next is to set appropriate access controls on the applications and data stored on the system, to reduce the number of files that any user can access, and hence potentially infect or corrupt, should that user execute some malware code
The third common propagation mechanism, which targets users in a social engineering attack, can be countered using appropriate user awareness and training
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
54
[PORR92] identifies the following approaches to intrusion detection:
1. Statistical anomaly detection: Involves the collection of data relating to the
behavior of legitimate users over a period of time. Then statistical tests are
applied to observed behavior to determine with a high level of confidence
whether that behavior is not legitimate user behavior.
a. Threshold detection: This approach involves defining thresholds, independent
of user, for the frequency of occurrence of various events.
b. Profile based: A profile of the activity of each user is developed and used to
detect changes in the behavior of individual accounts.
In essence, anomaly approaches attempt to define normal, or expected,
behavior, whereas signature-based approaches attempt to define proper behavior.
In terms of the types of attackers listed earlier, statistical anomaly detection is
effective against masqueraders, who are unlikely to mimic the behavior patterns of
the accounts they appropriate. On the other hand, such techniques may be unable to
deal with misfeasors. For such attacks, rule-based approaches may be able to recognize
events and sequences that, in context, reveal penetration. In practice, a system may exhibit
a combination of both approaches to be effective against a broad range of attacks.
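The two statistical variants above, as an added example that is not part of the textbook or its slides: threshold detection counts an event per user against a user-independent limit, and profile-based detection compares a user's current activity with a baseline built from that user's own history. The audit records, limits and the k = 3 standard-deviation rule are constructed for illustration.

```python
"""Statistical anomaly detection over constructed audit records."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed training records: (user, event, metric). For "login_fail" the
# metric is unused; for "bytes_out" it is the volume sent in one session.
TRAINING = [
    ("alice", "bytes_out", 1200), ("alice", "bytes_out", 1350),
    ("alice", "bytes_out", 1100), ("alice", "bytes_out", 1250),
    ("bob", "bytes_out", 50000), ("bob", "bytes_out", 48000),
    ("bob", "bytes_out", 52000), ("bob", "bytes_out", 51000),
]

# Constructed records for the period under examination.
OBSERVED = [
    ("alice", "login_fail", 0), ("alice", "login_fail", 0),
    ("alice", "login_fail", 0), ("alice", "login_fail", 0),
    ("alice", "bytes_out", 49000),   # a volume typical of bob, not of alice
    ("bob", "bytes_out", 50500),     # well inside bob's own profile
    ("bob", "login_fail", 0),
]


def threshold_detection(records, event, limit):
    """Threshold detection: users whose count of `event` exceeds a limit
    that is the same for every user."""
    counts = Counter(user for user, ev, _ in records if ev == event)
    return sorted(user for user, n in counts.items() if n > limit)


def build_profiles(training, event):
    """Profile-based detection, step 1: per-user baseline of the metric
    attached to `event`, as (mean, population standard deviation)."""
    samples = defaultdict(list)
    for user, ev, metric in training:
        if ev == event:
            samples[user].append(metric)
    return {u: (mean(v), pstdev(v)) for u, v in samples.items()}


def profile_detection(records, profiles, event, k=3.0):
    """Profile-based detection, step 2: observations of `event` whose metric
    lies more than k standard deviations from that user's own baseline."""
    alerts = []
    for user, ev, metric in records:
        if ev != event or user not in profiles:
            continue
        mu, sigma = profiles[user]
        if sigma == 0:
            # Degenerate profile (constant history): any change is a deviation.
            if metric != mu:
                alerts.append((user, metric))
        elif abs(metric - mu) / sigma > k:
            alerts.append((user, metric))
    return alerts


if __name__ == "__main__":
    print("threshold:", threshold_detection(OBSERVED, "login_fail", 3))
    profiles = build_profiles(TRAINING, "bytes_out")
    print("profile:", profile_detection(OBSERVED, profiles, "bytes_out"))
```

Note that a masquerader using alice's account is caught by the profile check even though 49000 bytes would be unremarkable for bob, which is the point of per-account profiles rather than a global threshold.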
Malware Countermeasure Approaches
If prevention fails, then technical mechanisms can be used to support the following threat mitigation options:
Detection
Identification
Removal
Requirements for effective malware countermeasures:
Generality
Timeliness
Resiliency
Minimal denial-of-service costs
Transparency
Global and local coverage
Host-Based Scanners (1 of 2)
Four generations of antivirus software:
First generation
Simple scanners
Scanner requires a malware signature to identify the malware
Second generation
Heuristic scanners
Uses heuristic rules to search for probable malware instances
Host-Based Scanners (2 of 2)
Integrity checking
Third generation
Activity traps
Memory-resident programs that identify malware by its actions rather than its structure in an infected program
Fourth generation
Full-feature protection
Packages consisting of a variety of antivirus techniques used in conjunction
Host-Based Behavior-Blocking Software
Integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions
The software then blocks potentially malicious actions before they have a chance to affect the system
Can block suspicious software in real time so it has an advantage over antivirus detection techniques such as fingerprinting or heuristics
Limitations:
Because the malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked
Perimeter Scanning Approaches (1 of 2)
Antivirus software is used on an organization’s firewall and IDS
Typically included in e-mail and Web proxy services running on these systems
May also be included in the traffic analysis component of an IDS
Two types of monitoring software may be used:
Ingress monitors
Located at the border between the enterprise network and the Internet
Perimeter Scanning Approaches (2 of 2)
They can be part of the ingress-filtering software of a border router or external firewall or a separate passive monitor
Egress monitors
These can be located at the egress point of individual LANs on the enterprise network as well as at the border between the enterprise network and the Internet
Designed to catch the source of a malware attack by monitoring outgoing traffic for signs of scanning or other suspicious behavior
Perimeter Worm Countermeasures (1 of 2)
(Class A) Signature-based worm scan filtering
This type of approach generates a worm signature, which is then used to prevent worm scans from entering/leaving a network/host
(Class B) Filter-based worm containment
This approach is similar to class A but focuses on worm content rather than a scan signature
(Class C) Payload-classification-based worm containment
These network-based techniques examine packets to see if they contain a worm
Perimeter Worm Countermeasures (2 of 2)
(Class D) Threshold random walk (TRW) scan detection
Exploits randomness in picking destinations to connect to as a way of detecting if a scanner is in operation
(Class E) Rate limiting
This class limits the rate of scanlike traffic from an infected host
(Class F) Rate halting
This approach immediately blocks outgoing traffic when a threshold is exceeded either in outgoing connection rate or in diversity of connection attempts
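Classes D and F above, as an added example that is not from the textbook or any product: an egress monitor that runs a threshold random walk over each internal host's first-contact connection attempts, plus a rate-halting check on the diversity of destinations. TRW works because a scanner picking destinations at random sees most first contacts fail, while a legitimate host mostly succeeds; each outcome multiplies a likelihood ratio, and crossing the upper bound labels the host a scanner while crossing the lower bound clears it. The probabilities, bounds and connection log are constructed values chosen for illustration.

```python
"""Egress-side scan detection: threshold random walk and rate halting."""
from collections import defaultdict

# Constructed egress log: (internal source, destination, connection succeeded?)
CONN_LOG = [
    ("10.0.0.5", "192.0.2.10", True),     # ordinary workstation
    ("10.0.0.5", "192.0.2.11", True),
    ("10.0.0.5", "192.0.2.10", True),     # repeat destination: not a first contact
    ("10.0.0.5", "192.0.2.12", True),
    ("10.0.0.5", "192.0.2.13", True),
    ("10.0.0.9", "198.51.100.1", False),  # host probing addresses at random
    ("10.0.0.9", "198.51.100.2", False),
    ("10.0.0.9", "198.51.100.3", False),
    ("10.0.0.9", "198.51.100.4", False),
    ("10.0.0.9", "198.51.100.5", False),
]


class TRWDetector:
    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        # theta0: P(success | benign host); theta1: P(success | scanner).
        # alpha: tolerated false-positive rate; beta: desired detection rate.
        self.theta0, self.theta1 = theta0, theta1
        self.upper = beta / alpha               # ratio >= upper -> "scanner"
        self.lower = (1 - beta) / (1 - alpha)   # ratio <= lower -> "benign"
        self.ratio = defaultdict(lambda: 1.0)   # running likelihood ratio per host
        self.seen = defaultdict(set)            # destinations already contacted
        self.verdict = {}

    def observe(self, src, dst, success):
        """Update the walk for one connection attempt and return the verdict."""
        if src in self.verdict:
            return self.verdict[src]
        if dst in self.seen[src]:      # only first contacts carry evidence
            return "pending"
        self.seen[src].add(dst)
        if success:
            self.ratio[src] *= self.theta1 / self.theta0
        else:
            self.ratio[src] *= (1 - self.theta1) / (1 - self.theta0)
        if self.ratio[src] >= self.upper:
            self.verdict[src] = "scanner"
        elif self.ratio[src] <= self.lower:
            self.verdict[src] = "benign"
        return self.verdict.get(src, "pending")


def run_trw(log, **params):
    """Feed a connection log through TRW; return the final verdict per source."""
    det = TRWDetector(**params)
    for src, dst, ok in log:
        det.observe(src, dst, ok)
    return {src: det.verdict.get(src, "pending") for src, _, _ in log}


def rate_halting(log, max_distinct):
    """Class F check: sources that contacted more than max_distinct
    destinations, the diversity-of-connection-attempts threshold."""
    distinct = defaultdict(set)
    for src, dst, _ in log:
        distinct[src].add(dst)
    return sorted(s for s, d in distinct.items() if len(d) > max_distinct)


if __name__ == "__main__":
    print(run_trw(CONN_LOG))
    print("rate halting:", rate_halting(CONN_LOG, 4))
```

With the values above each failure multiplies the ratio by 4 and each success by 0.25, so four consecutive failed first contacts are enough to cross the upper bound of 99 and four successes enough to clear a host.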
Figure 10.4 Placement of Worm Monitors
Distributed Denial of Service Attacks (DDoS)
Attacks that make computer systems inaccessible by flooding servers, networks, or even end-user systems with useless traffic so that legitimate users can no longer gain access to those resources
One way to classify DDoS attacks is in terms of the type of resource that is consumed
The resource consumed is either an internal host resource on the target system or data transmission capacity in the local network to which the target is attached
Rule-based techniques detect intrusion by observing events in the system and applying
a set of rules that lead to a decision regarding whether a given pattern of activity
is or is not suspicious. In very general terms, we can characterize all approaches as
focusing on either anomaly detection or penetration identification, although there is
some overlap in these approaches.
Rule-based anomaly detection is similar in terms of its approach and strengths
to statistical anomaly detection. With the rule-based approach, historical audit
records are analyzed to identify usage patterns and to automatically generate rules
that describe those patterns. Rules may represent past behavior patterns of users,
programs, privileges, time slots, terminals, and so on. Current behavior is then
observed, and each transaction is matched against the set of rules to determine if it
conforms to any historically observed pattern of behavior.
As with statistical anomaly detection, rule-based anomaly detection does not
require knowledge of security vulnerabilities within the system. Rather, the scheme
is based on observing past behavior and, in effect, assuming that the future will be
like the past. In order for this approach to be effective, a rather large database of
rules will be needed.
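The rule-based anomaly approach just described, as an added example that is not from the textbook: rules are generated automatically from a historical audit log as (user, program, time slot) patterns seen at least a minimum number of times, and each current transaction is then matched against the rule set and flagged when it conforms to no historically observed pattern. The audit records, the time slots and the support threshold are constructed for illustration.

```python
"""Rule-based anomaly detection from historical audit records."""
from collections import Counter

# Constructed historical audit records: (user, program, hour of day, terminal)
HISTORY = [
    ("alice", "payroll", 9, "tty1"), ("alice", "payroll", 10, "tty1"),
    ("alice", "payroll", 11, "tty2"), ("alice", "mail", 9, "tty1"),
    ("alice", "mail", 14, "tty1"), ("alice", "mail", 16, "tty2"),
    ("bob", "compiler", 22, "tty7"), ("bob", "compiler", 23, "tty7"),
    ("bob", "compiler", 22, "tty8"), ("bob", "mail", 13, "tty7"),
]

# Constructed current transactions to be matched against the rules.
RECENT = [
    ("alice", "payroll", 10, "tty1"),   # conforms to an observed pattern
    ("alice", "compiler", 10, "tty1"),  # alice has never run the compiler
    ("bob", "payroll", 3, "tty7"),      # unfamiliar program at an unusual hour
    ("alice", "mail", 15, "tty3"),      # new terminal, but rules ignore terminal
    ("bob", "mail", 13, "tty7"),        # seen once before: too little history
]


def time_slot(hour):
    """Coarsen hour of day into the slots the rules are expressed over."""
    if 8 <= hour < 18:
        return "office"
    if 18 <= hour < 24:
        return "evening"
    return "night"


def generate_rules(history, min_support=2):
    """Rules are (user, program, slot) patterns with enough historical
    support; patterns seen fewer than min_support times are discarded."""
    support = Counter((u, p, time_slot(h)) for u, p, h, _ in history)
    return {pattern for pattern, n in support.items() if n >= min_support}


def conforms(transaction, rules):
    """True when the transaction matches some historically observed rule."""
    u, p, h, _ = transaction
    return (u, p, time_slot(h)) in rules


def anomalies(current, rules):
    """Transactions that conform to no rule, i.e. the candidate intrusions."""
    return [t for t in current if not conforms(t, rules)]


if __name__ == "__main__":
    rules = generate_rules(HISTORY)
    for t in anomalies(RECENT, rules):
        print("anomalous:", t)
```

The last transaction in RECENT is legitimate but still flagged because bob's single earlier mail session fell below the support threshold, which is the practical reason the text notes that a rather large database of rules is needed.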
Figure 10.5 Examples of Simple DDoS Attacks
Figure 10.6 Types of Flooding-Based DDoS Attacks
Constructing the Attack Network (1 of 2)
The first step in a DDoS attack is for the attacker to infect a number of machines with zombie software that will ultimately be used to carry out the attack
Essential ingredients:
Software that can carry out the DDoS attack
A vulnerability in a large number of systems
A strategy for locating vulnerable machines (scanning)
Scanning strategies:
Random
Each compromised host probes random addresses in the IP address space, using a different seed
Constructing the Attack Network (2 of 2)
Hit list
The attacker first compiles a long list of potentially vulnerable machines
Topological
This method uses information contained on an infected victim machine to find more hosts to scan
Local subnet
If a host is infected behind a firewall, that host then looks for targets in its own local network
DDoS Countermeasures
In general, there are three lines of defense against DDoS attacks:
Attack prevention and preemption (before the attack)
These mechanisms enable the victim to endure attack attempts without denying service to legitimate clients
Attack detection and filtering (during the attack)
These mechanisms attempt to detect the attack as it begins and respond immediately
Attack source traceback and identification (during and after the attack)
This is an attempt to identify the source of the attack as a first step in preventing future attacks
To be of practical use, an intrusion detection system should detect a substantial
percentage of intrusions while keeping the false alarm rate at an acceptable
level. If only a modest percentage of actual intrusions are detected, the system
provides a false sense of security. On the other hand, if the system frequently
triggers an alert when there is no intrusion (a false alarm), then either system
managers will begin to ignore the alarms or much time will be wasted analyzing
the false alarms.
Unfortunately, because of the nature of the probabilities involved, it is very difficult
to meet the standard of high rate of detections with a low rate of false alarms.
In general, if the actual number of intrusions is low compared to the number of
legitimate uses of a system, then the false alarm rate will be high unless the test is
extremely discriminating. This is an example of a phenomenon known as the base-rate
fallacy. A study of existing intrusion detection systems, reported in [AXEL00],
indicated that current systems have not overcome the problem of the base-rate fallacy.
See Appendix J for a brief background on the mathematics of this problem.
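The base-rate argument above carried through numerically, as an added worked example that is not from the textbook, its Appendix J or [AXEL00]. Bayes' theorem gives the probability that a raised alarm is a real intrusion, P(I|A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|not I)(1 - P(I))), and solving that expression for the false-alarm rate shows how discriminating the test must be. The base rate of one intrusion per 100,000 audited events and the other figures are constructed.

```python
"""Base-rate fallacy for an intrusion detection system, worked with exact
fractions so the results are not obscured by floating-point rounding."""
from fractions import Fraction


def bayesian_detection_rate(base_rate, detection_rate, false_alarm_rate):
    """P(I|A): the probability that an alarm corresponds to a real intrusion,
    given P(I) = base_rate, P(A|I) = detection_rate, P(A|not I) = false_alarm_rate."""
    true_alarms = detection_rate * base_rate
    false_alarms = false_alarm_rate * (1 - base_rate)
    return true_alarms / (true_alarms + false_alarms)


def required_false_alarm_rate(base_rate, detection_rate, target):
    """Largest P(A|not I) for which P(I|A) >= target.

    From P(I|A) >= t:  d*b >= t*(d*b + f*(1-b))  =>  f <= d*b*(1-t) / (t*(1-b))."""
    return detection_rate * base_rate * (1 - target) / (target * (1 - base_rate))


def alarm_breakdown(events, base_rate, detection_rate, false_alarm_rate):
    """Expected (true alarms, false alarms) among `events` audited events."""
    intrusions = events * base_rate
    return (intrusions * detection_rate, (events - intrusions) * false_alarm_rate)


if __name__ == "__main__":
    base = Fraction(1, 100000)          # one intrusion per 100,000 events (constructed)
    detect = Fraction(1)                # a perfect detector, to isolate the base-rate effect
    fa = Fraction(1, 1000)              # a seemingly good 0.1% false-alarm rate
    p = bayesian_detection_rate(base, detect, fa)
    print(f"P(intrusion | alarm) = {float(p):.4f}")            # about 0.0099
    true_a, false_a = alarm_breakdown(1_000_000, base, detect, fa)
    print(f"per million events: {float(true_a):.0f} true, {float(false_a):.0f} false alarms")
    need = required_false_alarm_rate(base, detect, Fraction(1, 2))
    print(f"false-alarm rate needed for even odds: {float(need):.2e}")  # about 1e-5
```

Even with a detector that misses nothing, a 0.1% false-alarm rate means roughly 99 of every 100 alarms are false at this base rate; for an alarm to be right half the time the false-alarm rate must be cut by two orders of magnitude, which is the discriminating power the text says existing systems have not achieved.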
Summary
Types of malicious software (malware)
Advanced persistent threats
Propagation:
Infected content - viruses
Vulnerability exploit - worms
Social engineering - spam e-mail, trojans
Payload:
Attack agent - zombie, bots
Information theft - keyloggers, phishing, spyware
Stealthing - backdoors, rootkits
Countermeasures
DDoS attacks