W11NS
Network Security Essentials: Applications and Standards
Sixth Edition
Chapter 11
Intruders
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
There are application-specific security mechanisms for a number of application
areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access
(Secure Sockets Layer), and others. However, users have security concerns that
cut across protocol layers. For example, an enterprise can run a secure, private IP
network by disallowing links to untrusted sites, encrypting packets that leave the
premises, and authenticating packets that enter the premises. By implementing security
at the IP level, an organization can ensure secure networking not only for
applications that have security mechanisms but also for the many security-ignorant
applications.
IP-level security encompasses three functional areas: authentication, confidentiality,
and key management. The authentication mechanism assures that a received
packet was, in fact, transmitted by the party identified as the source in the packet
header. In addition, this mechanism assures that the packet has not been altered in
transit. The confidentiality facility enables communicating nodes to encrypt messages
to prevent eavesdropping by third parties. The key management facility is concerned
with the secure exchange of keys.
We begin this chapter with an overview of IP security (IPsec) and an introduction
to the IPsec architecture. We then look at each of the three functional areas in
detail. Appendix D reviews Internet protocols.
Intruders
Three classes of intruders:
• Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account
• Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges
• Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection
One of the two most publicized threats to security is the intruder (the other is
viruses), often referred to as a hacker or cracker. In an important early study of
intrusion, Anderson [ANDE80] identified three classes of intruders:
• Masquerader: An individual who is not authorized to use the computer and
who penetrates a system’s access controls to exploit a legitimate user’s account
• Misfeasor: A legitimate user who accesses data, programs, or resources for
which such access is not authorized, or who is authorized for such access but
misuses his or her privileges
• Clandestine user: An individual who seizes supervisory control of the system
and uses this control to evade auditing and access controls or to suppress audit
collection
The masquerader is likely to be an outsider, the misfeasor generally is an insider,
and the clandestine user can be either an outsider or an insider.
Examples of Intrusion (1 of 2)
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
Intruder attacks range from the benign to the serious. At the benign end of the
scale, there are many people who simply wish to explore internets and see what is
out there. At the serious end are individuals who are attempting to read privileged
data, perform unauthorized modifications to data, or disrupt the system.
[GRAN04] lists the following examples of intrusion:
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information,
without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated
software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail
password, and learning the new password
• Using an unattended, logged-in workstation without permission
Examples of Intrusion (2 of 2)
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission
Hackers (1 of 2)
• Traditionally, those who hack into computers do so for the thrill of it or for status
• Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to counter hacker threats
• In addition to using such systems, organizations can consider restricting remote logons to specific IP addresses and/or use virtual private network technology
Traditionally, those who hack into computers do so for the thrill
of it or for status. The hacking community is a strong meritocracy in which status
is determined by level of competence. Thus, attackers often look for targets
of opportunity and then share the information with others. A typical example is a
break-in at a large financial institution reported in [RADC04]. The intruder took
advantage of the fact that the corporate network was running unprotected services,
some of which were not even needed. In this case, the key to the break-in was the
pcAnywhere application. The manufacturer, Symantec, advertises this program as
a remote control solution that enables secure connection to remote devices. But the
attacker had an easy time gaining access to pcAnywhere; the administrator used the
same three-letter username and password for the program. In this case, there was
no intrusion detection system on the 700-node corporate network. The intruder was
only discovered when a vice-president walked into her office and saw the cursor
moving files around on her Windows workstation.
Benign intruders might be tolerable, although they do consume resources and
may slow performance for legitimate users. However, there is no way in advance to
know whether an intruder will be benign or malign. Consequently, even for systems
with no particularly sensitive resources, there is a motivation to control this problem.
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs)
are designed to counter this type of hacker threat. In addition to using such systems,
organizations can consider restricting remote logons to specific IP addresses and/or
use virtual private network technology.
One of the results of the growing awareness of the intruder problem has been
the establishment of a number of computer emergency response teams (CERTs).
These cooperative ventures collect information about system vulnerabilities and disseminate
it to systems managers. Hackers also routinely read CERT reports. Thus,
it is important for system administrators to quickly insert all software patches to
discovered vulnerabilities. Unfortunately, given the complexity of many IT systems,
and the rate at which patches are released, this is increasingly difficult to achieve
without automated updating. Even then, there are problems caused by incompatibilities
resulting from the updated software. Hence the need for multiple layers of
defense in managing security threats to IT systems.
Hackers (2 of 2)
CERTs (computer emergency response teams)
• These cooperative ventures collect information about system vulnerabilities and disseminate it to systems managers
• Hackers also routinely read CERT reports
• It is important for system administrators to quickly insert all software patches to discovered vulnerabilities
Criminal Hackers
• Organized groups of hackers
• Usually have specific targets, or at least classes of targets in mind
• Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting
• IDSs and IPSs can be used for these types of attackers, but may be less effective because of the quick in-and-out nature of the attack
Organized groups of hackers have become a widespread and common
threat to Internet-based systems. These groups can be in the employ of a corporation
or government but often are loosely affiliated gangs of hackers. Typically, these gangs
are young, often Eastern European, Russian, or southeast Asian hackers who do
business on the Web [ANTE06]. They meet in underground forums with names like
DarkMarket.org and theftservices.com to trade tips and data and coordinate attacks.
A common target is a credit card file at an e-commerce server. Attackers attempt to
gain root access. The card numbers are used by organized crime gangs to purchase
expensive items and are then posted to carder sites, where others can access and use
the account numbers; this obscures usage patterns and complicates investigation.
Whereas traditional hackers look for targets of opportunity, criminal hackers
usually have specific targets, or at least classes of targets in mind. Once a site
is penetrated, the attacker acts quickly, scooping up as much valuable information as
possible and exiting.
IDSs and IPSs can also be used for these types of attackers, but may be less
effective because of the quick in-and-out nature of the attack. For e-commerce
sites, database encryption should be used for sensitive customer information, especially
credit cards. For hosted e-commerce sites (provided by an outsider service),
the e-commerce organization should make use of a dedicated server (not used to
support multiple customers) and closely monitor the provider’s security services.
Insider Attacks
• Among the most difficult to detect and prevent
• Can be motivated by revenge or simply a feeling of entitlement
Countermeasures:
• Enforce least privilege, only allowing access to the resources employees need to do their job
• Set logs to see what users access and what commands they are entering
• Protect sensitive resources with strong authentication
• Upon termination, delete employee’s computer and network access
• Upon termination, make a mirror image of employee’s hard drive before reissuing it (used as evidence if your company information turns up at a competitor)
Insider attacks are among the most difficult to detect and prevent.
Employees already have access and knowledge about the structure and content of
corporate databases. Insider attacks can be motivated by revenge or simply a feeling
of entitlement. An example of the former is the case of Kenneth Patterson, fired
from his position as data communications manager for American Eagle Outfitters.
Patterson disabled the company’s ability to process credit card purchases during
five days of the holiday season of 2002. As for a sense of entitlement, there have
always been many employees who felt entitled to take extra office supplies for home
use, but this now extends to corporate data. An example is that of a vice-president
of sales for a stock analysis firm who quit to go to a competitor. Before she left, she
copied the customer database to take with her. The offender reported feeling no
animus toward her former employee; she simply wanted the data because it would
be useful to her.
Although IDS and IPS facilities can be useful in countering insider attacks,
other more direct approaches are of higher priority. Examples include the
following:
• Enforce least privilege, only allowing access to the resources employees need
to do their job.
• Set logs to see what users access and what commands they are entering.
• Protect sensitive resources with strong authentication.
• Upon termination, delete employee’s computer and network access.
• Upon termination, make a mirror image of employee’s hard drive before reissuing
it. That evidence might be needed if your company information turns up
at a competitor.
In this section, we look at the techniques used for intrusion. Then we examine
ways to detect intrusion.
Intrusion Techniques
• Objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system
• Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a backdoor into the system
Ways to protect a password file:
• One-way function: The system stores only the value of a function based on the user’s password
• Access control: Access to the password file is limited to one or a very few accounts
The objective of the intruder is to gain access to a system or to increase the range of
privileges accessible on a system. Most initial attacks use system or software vulnerabilities
that allow a user to execute code that opens a backdoor into the system.
Alternatively, the intruder attempts to acquire information that should have been
protected. In some cases, this information is in the form of a user password. With
knowledge of some other user’s password, an intruder can log in to a system and
exercise all the privileges accorded to the legitimate user.
Typically, a system must maintain a file that associates a password with each
authorized user. If such a file is stored with no protection, then it is an easy matter
to gain access to it and learn passwords. The password file can be protected in one
of two ways:
• One-way function: The system stores only the value of a function based on the
user’s password. When the user presents a password, the system transforms
that password and compares it with the stored value. In practice, the system
usually performs a one-way transformation (not reversible), in which the password
is used to generate a key for the one-way function and in which a fixed length
output is produced.
• Access control: Access to the password file is limited to one or a very few
accounts.
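The one-way function approach in working code, as an added example that is not from the textbook: only a salt and the fixed-length PBKDF2-HMAC-SHA256 output are kept in the password file, and a presented password is transformed the same way and compared. The record layout `pbkdf2_sha256$iterations$salt$digest`, the iteration count and the function names are assumptions of this example, not something the chapter specifies.

```python
# Added example, not from the textbook: protecting a password file with a
# one-way function. Only salt + PBKDF2-HMAC-SHA256 output (fixed length) is
# stored; a presented password is transformed the same way and compared.
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
DIGEST_LEN = 32       # fixed-length output, as the text describes


def make_record(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Build the line stored in the password file for one user.

    The record layout (algorithm$iterations$salt$digest) is an assumption
    of this example, not a format the textbook specifies.
    """
    if not salt:
        salt = os.urandom(16)  # per-user salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DIGEST_LEN
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Transform the presented password and compare it with the stored value."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations), dklen=DIGEST_LEN,
    )
    # constant-time comparison: timing must not reveal how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = make_record("correct horse battery staple")
    print(stored)  # the password text itself never appears in the record
    print(verify("correct horse battery staple", stored))  # True
    print(verify("Correct horse battery staple", stored))  # False
```

Because the transformation is not reversible, someone who reads the file still has to guess passwords one by one and pay the full iteration cost for each guess, which is why the work factor matters as much as the choice of function.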
Password Guessing (1 of 2)
• Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults.
• Exhaustively try all short passwords (those of one to three characters).
• Try words in the system’s online dictionary or a list of likely passwords. Examples of the latter are readily available on hacker bulletin boards.
• Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that are related to hobbies.
Password Guessing (2 of 2)
• Try users’ phone numbers, Social Security numbers, and room numbers.
• Try all legitimate license plate numbers for this state.
• Use a Trojan horse to bypass restrictions on access.
• Tap the line between a remote user and the host system.
Intrusion Detection
• A system’s second line of defense
• Is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified
Considerations:
• If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised
• An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions
• Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility
Inevitably, the best intrusion prevention system will fail. A system’s second line
of defense is intrusion detection, and this has been the focus of much research in
recent years. This interest is motivated by a number of considerations, including the
following:
1. If an intrusion is detected quickly enough, the intruder can be identified and
ejected from the system before any damage is done or any data are compromised.
Even if the detection is not sufficiently timely to preempt the intruder,
the sooner that the intrusion is detected, the less the amount of damage and
the more quickly that recovery can be achieved.
2. An effective intrusion detection system can serve as a deterrent, so acting to
prevent intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques
that can be used to strengthen the intrusion prevention facility.
Intrusion detection is based on the assumption that the behavior of the
intruder differs from that of a legitimate user in ways that can be quantified. Of
course, we cannot expect that there will be a crisp, exact distinction between an
attack by an intruder and the normal use of resources by an authorized user. Rather,
we must expect that there will be some overlap.
Figure 11.1 Profiles of Behavior of Intruders and Authorized Users
Approaches to Intrusion Detection (1 of 2)
• Statistical anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine whether that behavior is not legitimate user behavior
• Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events
[PORR92] identifies the following approaches to intrusion detection:
1. Statistical anomaly detection: Involves the collection of data relating to the
behavior of legitimate users over a period of time. Then statistical tests are
applied to observed behavior to determine with a high level of confidence
whether that behavior is not legitimate user behavior.
a. Threshold detection: This approach involves defining thresholds, independent
of user, for the frequency of occurrence of various events.
b. Profile based: A profile of the activity of each user is developed and used to
detect changes in the behavior of individual accounts.
In essence, anomaly approaches attempt to define normal, or expected,
behavior, whereas signature-based approaches attempt to define proper behavior.
In terms of the types of attackers listed earlier, statistical anomaly detection is
effective against masqueraders, who are unlikely to mimic the behavior patterns of
the accounts they appropriate. On the other hand, such techniques may be unable to
deal with misfeasors. For such attacks, rule-based approaches may be able to recognize
events and sequences that, in context, reveal penetration. In practice, a system may exhibit
a combination of both approaches to be effective against a broad range of attacks.
Approaches to Intrusion Detection (2 of 2)
• Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts
• Rule-based detection: Involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder. Often referred to as signature detection
Audit Records (1 of 2)
• Fundamental tool for intrusion detection
• Native audit records: Virtually all multiuser operating systems include accounting software that collects information on user activity. The advantage of using this information is that no additional collection software is needed. The disadvantage is that the native audit records may not contain the needed information or may not contain it in a convenient form
A fundamental tool for intrusion detection is the audit record. Some record of
ongoing activity by users must be maintained as input to an intrusion detection
system. Basically, two plans are used:
• Native audit records: Virtually all multiuser operating systems include
accounting software that collects information on user activity. The advantage
of using this information is that no additional collection software is needed.
The disadvantage is that the native audit records may not contain the needed
information or may not contain it in a convenient form.
• Detection-specific audit records: A collection facility can be implemented that
generates audit records containing only that information required by the intrusion
detection system. One advantage of such an approach is that it could
be made vendor independent and ported to a variety of systems. The disadvantage
is the extra overhead involved in having, in effect, two accounting
packages running on a machine.
Audit Records (2 of 2)
• Detection-specific audit records: A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system. One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems. The disadvantage is the extra overhead involved in having two accounting packages running on a machine
Statistical Anomaly Detection
Threshold detection
• Involves counting the number of occurrences of a specific event type over an interval of time
• If the count surpasses what is considered a reasonable number that one might expect to occur, then intrusion is assumed
• By itself is a crude and ineffective detector of even moderately sophisticated attacks
Profile-based
• Focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations
• A profile may consist of a set of parameters, so that deviation on just a single parameter may not be sufficient in itself to signal an alert
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
18
[PORR92] identifies the following approaches to intrusion detection:
1. Statistical anomaly detection: Involves the collection of data relating to the
behavior of legitimate users over a period of time. Then statistical tests are
applied to observed behavior to determine with a high level of confidence
whether that behavior is not legitimate user behavior.
a. Threshold detection: This approach involves defining thresholds, independent
of user, for the frequency of occurrence of various events.
b. Profile based: A profile of the activity of each user is developed and used to
detect changes in the behavior of individual accounts.
In essence, anomaly approaches attempt to define normal, or expected,
behavior, whereas signature-based approaches attempt to define proper behavior.
In terms of the types of attackers listed earlier, statistical anomaly detection is
effective against masqueraders, who are unlikely to mimic the behavior patterns of
the accounts they appropriate. On the other hand, such techniques may be unable to
deal with misfeasors. For such attacks, rule-based approaches may be able to recognize
events and sequences that, in context, reveal penetration. In practice, a system may employ
a combination of both approaches to be effective against a broad range of attacks.
Table 11.1 Measures that May be Used for Intrusion Detection (1 of 3)
Login and Session Activity
| Measure | Model | Type of Intrusion Detected |
| --- | --- | --- |
| Login frequency by day and time | Mean and standard deviation | Intruders may be likely to log in during off-hours. |
| Frequency of login at different locations | Mean and standard deviation | Intruders may log in from a location that a particular user rarely or never uses. |
| Time since last login | Operational | Break-in on a “dead” account. |
| Elapsed time per session | Mean and standard deviation | Significant deviations might indicate masquerader. |
| Quantity of output to location | Mean and standard deviation | Excessive amounts of data transmitted to remote locations could signify leakage of sensitive data. |
| Session resource utilization | Mean and standard deviation | Unusual processor or I/O levels could signal an intruder. |
| Password failures at login | Operational | Attempted break-in by password guessing. |
| Failures to login from specified terminals | Operational | Attempted break-in. |
(This table can be found on page 371 in the textbook.)
As an example of the use of these various metrics and models, Table 11.1
shows various measures considered or tested for the Stanford Research Institute
(SRI) Intrusion Detection System (IDES) [ANDE95, JAVI91] and the follow-on
program Emerald [NEUM99].
The main advantage of the use of statistical profiles is that a prior knowledge
of security flaws is not required. The detector program learns what is “normal” behavior
and then looks for deviations. The approach is not based on system-dependent
characteristics and vulnerabilities. Thus, it should be readily portable among a
variety of systems.
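The threshold and profile-based detectors described above, as an added example that is not from the textbook: it builds a mean/standard-deviation model of a user's login hour and a set of locations seen (two of the Table 11.1 measures) and applies a fixed operational threshold to password failures. The record format, user names, limits and the requirement of two deviating parameters before a profile alert are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit records (not from the textbook). Each line is one login:
# "<ISO timestamp> <user> <location> <password failures before success>".
HISTORICAL_RECORDS = """\
2017-03-01T08:15:00 alice office 0
2017-03-02T09:05:00 alice office 1
2017-03-03T09:40:00 alice office 0
2017-03-06T10:10:00 alice office 0
2017-03-07T08:30:00 alice office 0
2017-03-08T09:00:00 alice office 0
2017-03-09T10:20:00 alice office 2
2017-03-10T09:45:00 alice office 0
2017-03-13T08:50:00 alice office 0
2017-03-14T09:30:00 alice vpn 0
""".strip().splitlines()

# Constructed current-session records to be checked against the profile.
CURRENT_RECORDS = [
    "2017-03-15T03:05:00 alice cafe-wifi 0",   # off-hours AND unseen location
    "2017-03-15T09:10:00 alice office 7",      # many password failures
    "2017-03-15T12:00:00 alice office 0",      # one odd parameter only
    "2017-03-15T09:30:00 alice office 0",      # normal
]

Z_LIMIT = 2.0            # a parameter deviates when |z| exceeds this
MIN_DEVIATIONS = 2       # deviation on a single parameter is not enough to alert
FAILURE_THRESHOLD = 5    # operational model: fixed limit, independent of user


def parse_record(line):
    """Split one audit line into its fields."""
    ts, user, location, failures = line.split()
    return {
        "hour": datetime.fromisoformat(ts).hour,
        "user": user,
        "location": location,
        "failures": int(failures),
    }


def build_profiles(lines):
    """Per-user mean/standard deviation of login hour plus the set of locations seen."""
    hours = defaultdict(list)
    locations = defaultdict(set)
    for rec in map(parse_record, lines):
        hours[rec["user"]].append(rec["hour"])
        locations[rec["user"]].add(rec["location"])
    return {
        user: {
            "hour_mean": statistics.mean(h),
            "hour_sd": statistics.pstdev(h),
            "locations": locations[user],
        }
        for user, h in hours.items()
    }


def profile_deviations(rec, profile):
    """Return the names of the parameters on which this record deviates from the profile."""
    found = []
    mean, sd = profile["hour_mean"], profile["hour_sd"]
    if sd > 0:
        z = abs(rec["hour"] - mean) / sd
    else:  # degenerate profile: every historical login at the same hour
        z = 0.0 if rec["hour"] == mean else float("inf")
    if z > Z_LIMIT:
        found.append("login-hour")
    if rec["location"] not in profile["locations"]:
        found.append("location")
    return found


def analyze(historical, current):
    """Return (user, detector, reason) alerts raised for the current records."""
    profiles = build_profiles(historical)
    alerts = []
    for rec in map(parse_record, current):
        user = rec["user"]
        # Threshold detection: a crude, user-independent count over the session.
        if rec["failures"] > FAILURE_THRESHOLD:
            alerts.append((user, "threshold", f"{rec['failures']} password failures"))
        # Profile-based detection: alert only when several parameters deviate.
        profile = profiles.get(user)
        if profile is None:
            alerts.append((user, "profile", "no historical profile"))
            continue
        deviations = profile_deviations(rec, profile)
        if len(deviations) >= MIN_DEVIATIONS:
            alerts.append((user, "profile", "deviates on " + ", ".join(deviations)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(HISTORICAL_RECORDS, CURRENT_RECORDS):
        print(alert)
```

The noon login deviates on hour alone and is deliberately not alerted, which is the slide's point that a profile is a set of parameters.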
Table 11.1 Measures that May be Used for Intrusion Detection (2 of 3)
Command or Program Execution Activity
| Measure | Model | Type of Intrusion Detected |
| --- | --- | --- |
| Execution frequency | Mean and standard deviation | May detect intruders, who are likely to use different commands, or a successful penetration by a legitimate user who has gained access to privileged commands. |
| Program resource utilization | Mean and standard deviation | An abnormal value might suggest injection of a virus or Trojan horse, which performs side effects that increase I/O or processor utilization. |
| Execution denials | Operational model | May detect penetration attempt by individual user who seeks higher privileges. |
Table 11.1 Measures that May be Used for Intrusion Detection (3 of 3)
File Access Activity
| Measure | Model | Type of Intrusion Detected |
| --- | --- | --- |
| Read, write, create, delete frequency | Mean and standard deviation | Abnormalities for read and write access for individual users may signify masquerading or browsing. |
| Records read, written | Mean and standard deviation | Abnormality could signify an attempt to obtain sensitive data by inference and aggregation. |
| Failure count for read, write, create, delete | Operational | May detect users who persistently attempt to access. |
Rule-Based Intrusion Detection (1 of 2)
Techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious
Rule-based anomaly detection
Is similar in terms of its approach and strengths to statistical anomaly detection
Historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns
Current behavior is then observed, and each transaction is matched against the set of rules to determine if it conforms to any historically observed pattern of behavior
In order for this approach to be effective, a rather large database of rules will be needed
Rule-based techniques detect intrusion by observing events in the system and applying
a set of rules that lead to a decision regarding whether a given pattern of activity
is or is not suspicious. In very general terms, we can characterize all approaches as
focusing on either anomaly detection or penetration identification, although there is
some overlap in these approaches.
Rule-based anomaly detection is similar in terms of its approach and strengths
to statistical anomaly detection. With the rule-based approach, historical audit
records are analyzed to identify usage patterns and to automatically generate rules
that describe those patterns. Rules may represent past behavior patterns of users,
programs, privileges, time slots, terminals, and so on. Current behavior is then
observed, and each transaction is matched against the set of rules to determine if it
conforms to any historically observed pattern of behavior.
As with statistical anomaly detection, rule-based anomaly detection does not
require knowledge of security vulnerabilities within the system. Rather, the scheme
is based on observing past behavior and, in effect, assuming that the future will be
like the past. In order for this approach to be effective, a rather large database of
rules will be needed.
Rule-Based Intrusion Detection (2 of 2)
Rule-based penetration identification
Typically, the rules used in these systems are specific to the machine and operating system
The most fruitful approach to developing such rules is to analyze attack tools and scripts collected on the Internet
These rules can be supplemented with rules generated by knowledgeable security personnel
USTAT
A model independent of specific audit records
Deals in general actions rather than the detailed specific actions recorded by the UNIX auditing mechanism
Implemented on a SunOS system that provides audit records on 239 events
Table 11.2 USTAT Actions versus SunOS Event Types
| USTAT Action | SunOS Event Type |
| --- | --- |
| Read | open_r, open_rc, open_rtc, open_rwc, open_rwtc, open_rt, open_rw, open_rwt |
| Write | truncate, ftruncate, creat, open_r, open_rc, open_rtc, open_rwc, open_rwtc, open_rt, open_rw, open_rwt, open_w, open_wt, open_wc, open_wct |
| Create | mkdir, creat, open_rc, open_rtc, open_rwc, open_rwtc, open_wc, open_wtc, mknod |
| Delete | rmdir, unlink |
| Execute | exec, execve |
| Exit | exit |
| Modify_Owner | chown, fchown |
| Modify_Perm | chmod, fchmod |
| Rename | rename |
| Hardlink | link |
Base-Rate Fallacy (1 of 2)
To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level
If only a modest percentage of actual intrusions are detected, the system provides a false sense of security
If the system frequently triggers an alert when there is no intrusion, then either system managers will begin to ignore the alarms or much time will be wasted analyzing the false alarms
To be of practical use, an intrusion detection system should detect a substantial
percentage of intrusions while keeping the false alarm rate at an acceptable
level. If only a modest percentage of actual intrusions are detected, the system
provides a false sense of security. On the other hand, if the system frequently
triggers an alert when there is no intrusion (a false alarm), then either system
managers will begin to ignore the alarms or much time will be wasted analyzing
the false alarms.
Unfortunately, because of the nature of the probabilities involved, it is very difficult
to meet the standard of high rate of detections with a low rate of false alarms.
In general, if the actual number of intrusions is low compared to the number of
legitimate uses of a system, then the false alarm rate will be high unless the test is
extremely discriminating. This is an example of a phenomenon known as the base-rate
fallacy. A study of existing intrusion detection systems, reported in [AXEL00],
indicated that current systems have not overcome the problem of the base-rate fallacy.
See Appendix J for a brief background on the mathematics of this problem.
Base-Rate Fallacy (2 of 2)
Because of the nature of the probabilities involved, it is very difficult to meet the standard of high rate of detections with a low rate of false alarms
If the actual number of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating
See Appendix J for a brief background on the mathematics of this problem
Distributed Intrusion Detection
Traditional systems focused on single-system stand-alone facilities
The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork
A more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network
Major design issues:
A distributed intrusion detection system may need to deal with different audit record formats
One or more nodes in the network will serve as collection and analysis points for the data from the systems on the network
Either a centralized or decentralized architecture can be used
Traditionally, work on intrusion detection systems focused on single-system standalone
facilities. The typical organization, however, needs to defend a distributed
collection of hosts supported by a LAN or internetwork. Although it is possible to
mount a defense by using stand-alone intrusion detection systems on each host, a
more effective defense can be achieved by coordination and cooperation among
intrusion detection systems across the network.
Porras points out the following major issues in the design of a distributed
intrusion detection system [PORR92]:
• A distributed intrusion detection system may need to deal with different
audit record formats. In a heterogeneous environment, different systems will
employ different native audit collection systems and, if using intrusion
detection, may employ different formats for security-related audit records.
• One or more nodes in the network will serve as collection and analysis points
for the data from the systems on the network. Thus, either raw audit data or
summary data must be transmitted across the network. Therefore, there is a
requirement to assure the integrity and confidentiality of these data. Integrity
is required to prevent an intruder from masking his or her activities by altering
the transmitted audit information. Confidentiality is required because the
transmitted audit information could be valuable.
• Either a centralized or decentralized architecture can be used. With a centralized
architecture, there is a single central point of collection and analysis of all
audit data. This eases the task of correlating incoming reports but creates a
potential bottleneck and single point of failure. With a decentralized architecture,
there is more than one analysis center, but these must coordinate their
activities and exchange information.
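The integrity requirement in the second design issue above, as an added example that is not from the textbook: an agent tags each audit record with a sequence number and an HMAC under a per-host key, and the collector rejects records that were altered or dropped in transit. The host name, key, record fields and the choice of HMAC-SHA256 are assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-host key shared between an agent and the collector; a real
# deployment would provision a distinct key per monitored host.
AGENT_KEY = b"constructed-demo-key-for-host-ws12"


def canonical(record):
    """Stable byte encoding so agent and collector authenticate identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key, seq):
    """Agent side: number the record and attach an HMAC-SHA256 tag over it."""
    body = dict(record, seq=seq)
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return dict(body, mac=tag)


class Collector:
    """Central analysis point: accepts a record only if its tag verifies under the
    sending host's key and its sequence number is the next one expected."""

    def __init__(self, host_keys):
        self.host_keys = host_keys      # host name -> shared key
        self.next_seq = {}              # host name -> next expected sequence number
        self.accepted = []
        self.rejected = []              # (record, reason)

    def receive(self, msg):
        host = msg.get("host")
        key = self.host_keys.get(host)
        if key is None:
            self.rejected.append((msg, "unknown host"))
            return False
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; any field altered in transit fails here.
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            self.rejected.append((msg, "bad mac"))
            return False
        want = self.next_seq.get(host, 0)
        if body.get("seq") != want:
            # A gap means a record was suppressed or replayed between agent and collector.
            self.rejected.append((msg, f"sequence gap: expected {want}, got {body.get('seq')}"))
            return False
        self.next_seq[host] = want + 1
        self.accepted.append(body)
        return True


def run_demo():
    """Three constructed audit records from host ws12; the second is altered in transit."""
    events = [
        {"host": "ws12", "user": "alice", "event": "login", "result": "success"},
        {"host": "ws12", "user": "mallory", "event": "chmod", "target": "/etc/passwd"},
        {"host": "ws12", "user": "mallory", "event": "logout"},
    ]
    sent = [seal(e, AGENT_KEY, i) for i, e in enumerate(events)]
    # Simulated tampering: the actor on the chmod record is rewritten to mask the activity.
    altered = dict(sent[1], user="alice")
    collector = Collector({"ws12": AGENT_KEY})
    results = [collector.receive(m) for m in (sent[0], altered, sent[2])]
    return results, [reason for _, reason in collector.rejected]


if __name__ == "__main__":
    print(run_demo())
```

The tag covers integrity only; the confidentiality requirement in the same bullet still calls for an encrypted transport between agent and collector.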
Figure 11.2 Architecture for Distributed Intrusion Detection
Figure 11.3 Agent Architecture
Honeypots (1 of 2)
Decoy systems that are designed to lure a potential attacker away from critical systems
Has no production value
These systems are filled with fabricated information designed to appear valuable but that a legitimate user of the system wouldn’t access
Thus, any attempt to communicate with the system is most likely a probe, scan, or attack
Designed to:
Divert an attacker from accessing critical systems
Collect information about the attacker’s activity
A relatively recent innovation in intrusion detection technology is the honeypot.
Honeypots are decoy systems that are designed to lure a potential attacker away
from critical systems. Honeypots are designed to
• divert an attacker from accessing critical systems
• collect information about the attacker’s activity
• encourage the attacker to stay on the system long enough for administrators
to respond
These systems are filled with fabricated information designed to appear valuable
but that a legitimate user of the system wouldn’t access. Thus, any access to
the honeypot is suspect. The system is instrumented with sensitive monitors and
event loggers that detect these accesses and collect information about the attacker’s
activities. Because any attack against the honeypot is made to seem successful,
administrators have time to mobilize and log and track the attacker without ever
exposing productive systems.
The honeypot is a resource that has no production value. There is no legitimate
reason for anyone outside the network to interact with a honeypot. Thus, any
attempt to communicate with the system is most likely a probe, scan, or attack.
Conversely, if a honeypot initiates outbound communication, the system has probably
been compromised.
Initial efforts involved a single honeypot computer with IP addresses designed
to attract hackers. More recent research has focused on building entire honeypot networks
that emulate an enterprise, possibly with actual or simulated traffic and data.
Once hackers are within the network, administrators can observe their behavior
in detail and figure out defenses.
Honeypots (2 of 2)
Encourage the attacker to stay on the system long enough for administrators to respond
Because any attack against the honeypot is made to seem successful, administrators have time to mobilize and log and track the attacker without ever exposing productive systems
Recent research has focused on building entire honeypot networks that emulate an enterprise, possibly with actual or simulated traffic and data
Figure 11.4 Example of Honeypot Deployment
Intrusion detection exchange format
To facilitate the development of distributed intrusion detection systems that can function across a wide range of platforms and environments, standards are needed to support interoperability
IETF Intrusion Detection Working Group
Purpose of the group is to define data formats and exchange procedures for sharing information of interest to intrusion detection with response systems and to management systems that may need to interact with them
Have issued the following RFCs:
Intrusion Detection Message Exchange Requirements (RFC 4766)
The Intrusion Detection Message Exchange Format (RFC 4765)
The Intrusion Detection Exchange Protocol (RFC 4767)
To facilitate the development of distributed intrusion detection systems that can
function across a wide range of platforms and environments, standards are needed
to support interoperability. Such standards are the focus of the IETF Intrusion
Detection Working Group. The purpose of the working group is to define data
formats and exchange procedures for sharing information of interest to intrusion
detection and response systems and to management systems that may need to
interact with them.
The working group issued the following RFCs in 2007:
• Intrusion Detection Message Exchange Requirements (RFC 4766): This document
defines requirements for the Intrusion Detection Message Exchange
Format (IDMEF). The document also specifies requirements for a communication
protocol for communicating IDMEF.
• The Intrusion Detection Message Exchange Format (RFC 4765): This document
describes a data model to represent information exported by intrusion
detection systems and explains the rationale for using this model. An implementation
of the data model in the Extensible Markup Language (XML) is
presented, an XML Document Type Definition is developed, and examples
are provided.
• The Intrusion Detection Exchange Protocol (RFC 4767): This document
describes the Intrusion Detection Exchange Protocol (IDXP), an application-level
protocol for exchanging data between intrusion detection entities. IDXP
supports mutual authentication, integrity, and confidentiality over a
connection-oriented protocol.
Figure 11.5 Model for Intrusion Detection Message Exchange
Password Management
Front line of defense against intruders
Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password
Password serves to authenticate the ID of the individual logging on to the system
The ID provides security by:
Determining whether the user is authorized to gain access to a system
Determining the privileges accorded to the user
Used in discretionary access control
The front line of defense against intruders is the password system. Virtually all
multiuser systems require that a user provide not only a name or identifier (ID)
but also a password. The password serves to authenticate the ID of the individual
logging on to the system. In turn, the ID provides security in the following
ways:
• The ID determines whether the user is authorized to gain access to a system.
In some systems, only those who already have an ID filed on the system are
allowed to gain access.
• The ID determines the privileges accorded to the user. A few users may have
supervisory or “superuser” status that enables them to read files and perform
functions that are especially protected by the operating system. Some systems
have guest or anonymous accounts, and users of these accounts have more
limited privileges than others.
• The ID is used in what is referred to as discretionary access control. For
example, by listing the IDs of the other users, a user may grant permission to
them to read files owned by that user.
Attack strategies and countermeasures (1 of 4)
Workstation hijacking
The attacker waits until a logged-in workstation is unattended
The standard countermeasure is automatically logging the workstation out after a period of inactivity
Exploiting user mistakes
Attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password; a user may intentionally share a password to enable a colleague to share files; users tend to write passwords down because it is difficult to remember them
Countermeasures include user training, intrusion detection, and simpler passwords combined with another authentication mechanism
Attack strategies and countermeasures (2 of 4)
Offline dictionary attack
Determined hackers can frequently bypass access controls and gain access to the system’s password file
Countermeasures include controls to prevent unauthorized access to the password file, intrusion detection measures to identify a compromise, and rapid reissuance of passwords should the password file be compromised
Specific account attack
The attacker targets a specific account and submits password guesses until the correct password is discovered
The standard countermeasure is an account lockout mechanism, which locks out access to the account after a number of failed login attempts
Attack strategies and countermeasures (3 of 4)
Electronic monitoring
If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping
Simple encryption will not fix this problem, because the encrypted password is, in effect, the password and can be observed and reused by an adversary
Password guessing against single user
The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password
Countermeasures include training in and enforcement of password policies that make passwords difficult to guess
Attack strategies and countermeasures (4 of 4)
Exploiting multiple password use
Attacks can become much more effective or damaging if different network devices share the same or a similar password for a given user
Countermeasures include a policy that forbids the same or similar password on particular network devices
Popular password attack
Attack is to use a popular password and try it against a wide range of user IDs
Countermeasures include policies to inhibit the selection by users of common passwords and scanning the IP addresses of authentication requests and client cookies for submission patterns
Figure 11.6 UNIX Password Scheme
Unix implementations (1 of 2)
crypt(3)
Was designed to discourage guessing attacks
This particular implementation is now considered inadequate
Despite its known weaknesses, this UNIX scheme is still often required for compatibility with existing account management software or in multivendor environments
MD5 secure hash algorithm
The recommended hash function for many UNIX systems, including Linux, Solaris, and FreeBSD
Unix implementations (2 of 2)
MD5 is far slower than crypt(3)
Bcrypt
Developed for OpenBSD
Probably the most secure version of the UNIX hash/salt scheme
Uses a hash function based on the Blowfish symmetric block cipher
Slow to execute
Includes a cost variable
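The salt-plus-slow-hash scheme of Figure 11.6 with a bcrypt-style cost variable, as an added example written for these notes (not code from the textbook or from any UNIX implementation): it assumes PBKDF2-HMAC-SHA256 with 2^cost iterations in place of bcrypt's Blowfish-based function, and a `cost$salt$hash` record format chosen here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the textbook or its slides): the salt + slow hash
# scheme of Figure 11.6 with a bcrypt-style cost variable. The work factor is
# 2**cost iterations of PBKDF2-HMAC-SHA256, an assumption made so the example
# runs on the standard library alone (bcrypt itself is Blowfish-based).

SALT_BYTES = 16

def hash_password(password: str, cost: int, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'cost$salt_hex$hash_hex'.

    The salt is stored in the clear next to the hash. It need not be secret;
    it only has to differ per account so that two users with the same password
    get different hashes and one precomputed table cannot serve every account.
    """
    if not 4 <= cost <= 31:
        raise ValueError("cost must be between 4 and 31")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, 2 ** cost)
    return f"{cost}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored cost and salt, then compare in constant time."""
    cost, salt_hex, _ = record.split("$")
    recomputed = hash_password(password, int(cost), bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, record)

def needs_rehash(record: str, policy_cost: int) -> bool:
    """True when the stored cost is below what policy now requires, so the
    record should be regenerated at the user's next successful login."""
    return int(record.split("$")[0]) < policy_cost

if __name__ == "__main__":
    import time
    for cost in (10, 14):            # each +1 doubles the cracker's work too
        start = time.perf_counter()
        record = hash_password("correct horse", cost)
        print(f"cost={cost:2d}  {time.perf_counter() - start:.3f}s")
    print(verify_password("correct horse", record), verify_password("wrong", record))
```

Raising the cost by one doubles both the legitimate login time and the time an offline guessing run needs per candidate, which is the trade-off the cost variable exists to tune.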
Table 11.3 Passwords Cracked from a Sample Set of 13,797 Accounts [KLEI90] (1 of 3)
| Type of Password | Search Size | Number of Matches | Percentage of Passwords | Cost/Benefit Ratio* |
|---|---|---|---|---|
| User/account name | 130 | 368 | 2.7% | 2.830 |
| Character sequences | 866 | 22 | 0.2% | 0.025 |
| Numbers | 427 | 9 | 0.1% | 0.021 |
| Chinese | 392 | 56 | 0.4% | 0.143 |
| Place names | 628 | 82 | 0.6% | 0.131 |
| Common names | 2239 | 548 | 4.0% | 0.245 |
| Female names | 4280 | 161 | 1.2% | 0.038 |
| Male names | 2866 | 140 | 1.0% | 0.049 |
| Uncommon names | 4955 | 130 | 0.9% | 0.026 |
| Myths & legends | 1246 | 66 | 0.5% | 0.053 |
| Shakespearean | 473 | 11 | 0.1% | 0.023 |

* Computed as the number of matches divided by the search size. The more words that needed to be tested for a match, the lower the cost/benefit ratio.
(This table can be found on page 386 in the textbook.)
One demonstration of the effectiveness of guessing is reported in [KLEI90].
From a variety of sources, the author collected UNIX password files, containing
nearly 14,000 encrypted passwords. The result, which the author rightly characterizes
as frightening, is shown in Table 11.4. In all, nearly one-fourth of the passwords
were guessed. The following strategy was used:
1. Try the user’s name, initials, account name, and other relevant personal information.
In all, 130 different permutations for each user were tried.
2. Try words from various dictionaries. The author compiled a dictionary of over
60,000 words, including the online dictionary on the system itself, and various
other lists as shown.
3. Try various permutations on the words from step 2. This included making the
first letter uppercase or a control character, making the entire word uppercase,
reversing the word, changing the letter “o” to the digit “zero,” and so on. These
permutations added another 1 million words to the list.
4. Try various capitalization permutations on the words from step 2 that
were not considered in step 3. This added almost 2 million additional words
to the list.
Thus, the test involved in the neighborhood of 3 million words. Using the fastest
Thinking Machines implementation listed earlier, the time to encrypt all these
words for all possible salt values is under an hour. Keep in mind that such a thorough
search could produce a success rate of about 25%, whereas even a single hit
may be enough to gain a wide range of privileges on a system.
Table 11.3 Passwords Cracked from a Sample Set of 13,797 Accounts [KLEI90] (2 of 3)
| Type of Password | Search Size | Number of Matches | Percentage of Passwords | Cost/Benefit Ratio* |
|---|---|---|---|---|
| Sports terms | 238 | 32 | 0.2% | 0.134 |
| Science fiction | 691 | 59 | 0.4% | 0.085 |
| Movies and actors | 99 | 12 | 0.1% | 0.121 |
| Cartoons | 92 | 9 | 0.1% | 0.098 |
| Famous people | 290 | 55 | 0.4% | 0.190 |
| Phrases and patterns | 933 | 253 | 1.8% | 0.271 |
| Surnames | 33 | 9 | 0.1% | 0.273 |
| Biology | 58 | 1 | 0.0% | 0.017 |
| System dictionary | 19683 | 1027 | 7.4% | 0.052 |
| Machine names | 9018 | 132 | 1.0% | 0.015 |
| Mnemonics | 14 | 2 | 0.0% | 0.143 |

* Computed as the number of matches divided by the search size. The more words that needed to be tested for a match, the lower the cost/benefit ratio.
Table 11.3 Passwords Cracked from a Sample Set of 13,797 Accounts [KLEI90] (3 of 3)
| Type of Password | Search Size | Number of Matches | Percentage of Passwords | Cost/Benefit Ratio* |
|---|---|---|---|---|
| King James bible | 7525 | 83 | 0.6% | 0.01 |
| Miscellaneous words | 3212 | 54 | 0.4% | 0.017 |
| Yiddish words | 56 | 0 | 0.0% | 0.000 |
| Asteroids | 2407 | 19 | 0.1% | 0.007 |
| Total | 62727 | 3340 | 24.2% | 0.053 |

* Computed as the number of matches divided by the search size. The more words that needed to be tested for a match, the lower the cost/benefit ratio.
Password selection strategies (1 of 2)
The goal is to eliminate guessable passwords while allowing the user to select a password that is memorable
Four basic techniques are in use:
User education
Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords
Computer-generated passwords
Computer-generated password schemes have a history of poor acceptance by users
Users have difficulty remembering them
The lesson from the two experiments just described (Tables 11.3 and 11.4) is that,
left to their own devices, many users choose a password that is too short or too easy
to guess. At the other extreme, if users are assigned passwords consisting of eight
randomly selected printable characters, password cracking is effectively impossible.
But it would be almost as impossible for most users to remember their passwords.
Fortunately, even if we limit the password universe to strings of characters that are
reasonably memorable, the size of the universe is still too large to permit practical
cracking. Our goal, then, is to eliminate guessable passwords while allowing the user
to select a password that is memorable. Four basic techniques are in use:
• User education
• Computer-generated passwords
• Reactive password checking
• Proactive password checking
Users can be told the importance of using hard-to-guess passwords and can be
provided with guidelines for selecting strong passwords. This user education strategy
is unlikely to succeed at most installations, particularly where there is a large
user population or a lot of turnover. Many users will simply ignore the guidelines.
Others may not be good judges of what is a strong password. For example, many
users (mistakenly) believe that reversing a word or capitalizing the last letter makes
a password unguessable.
Computer-generated passwords also have problems. If the passwords are
quite random in nature, users will not be able to remember them. Even if the password
is pronounceable, the user may have difficulty remembering it and so be
tempted to write it down. In general, computer-generated password schemes have a
history of poor acceptance by users. FIPS PUB 181 defines one of the best-designed
automated password generators. The standard includes not only a description of
the approach but also a complete listing of the C source code of the algorithm. The
algorithm generates words by forming pronounceable syllables and concatenating
them to form a word. A random number generator produces a random stream of
characters used to construct the syllables and words.
A reactive password checking strategy is one in which the system periodically
runs its own password cracker to find guessable passwords. The system cancels
any passwords that are guessed and notifies the user. This tactic has a number of
drawbacks. First, it is resource intensive if the job is done right. Because a determined
opponent who is able to steal a password file can devote full CPU time to the
task for hours or even days, an effective reactive password checker is at a distinct
disadvantage. Furthermore, any existing passwords remain vulnerable until the
reactive password checker finds them.
The most promising approach to improved password security is a proactive
password checker. In this scheme, a user is allowed to select his or her own password.
However, at the time of selection, the system checks to see if the password
is allowable and, if not, rejects it. Such checkers are based on the philosophy that,
with sufficient guidance from the system, users can select memorable passwords
from a fairly large password space that are not likely to be guessed in a dictionary
attack.
The trick with a proactive password checker is to strike a balance between
user acceptability and strength. If the system rejects too many passwords, users will
complain that it is too hard to select a password. If the system uses some simple
algorithm to define what is acceptable, this provides guidance to password crackers
to refine their guessing technique. In the remainder of this subsection, we look at
possible approaches to proactive password checking.
The first approach is a simple system for rule enforcement. For example, the
following rules could be enforced:
• All passwords must be at least eight characters long.
• In the first eight characters, the passwords must include at least one each of
uppercase, lowercase, numeric digits, and punctuation marks.
These rules could be coupled with advice to the user. Although this approach is
superior to simply educating users, it may not be sufficient to thwart password
crackers. This scheme alerts crackers as to which passwords not to try but may still
make it possible to do password cracking.
Another possible procedure is simply to compile a large dictionary of possible
“bad” passwords. When a user selects a password, the system checks to
make sure that it is not on the disapproved list. There are two problems with this
approach:
• Space: The dictionary must be very large to be effective. For example, the dictionary
used in the Purdue study [SPAF92a] occupies more than 30 megabytes
of storage.
• Time: The time required to search a large dictionary may itself be large. In
addition, to check for likely permutations of dictionary words, either those
words must be included in the dictionary, making it truly huge, or each search
must also involve considerable processing.
Password selection strategies (2 of 2)
Reactive password checking
A strategy in which the system periodically runs its own password cracker to find guessable passwords
Proactive password checking
A user is allowed to select his or her own password; however, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it
Figure 11.7 Performance of Bloom Filter
A technique [SPAF92a, SPAF92b] for developing an effective and efficient
proactive password checker that is based on rejecting words on a list has been
implemented on a number of systems, including Linux. It is based on the use of
a Bloom filter [BLOO70].
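The rule-enforcement and "bad password" dictionary approaches from the notes above, combined with a Bloom filter in the manner of [SPAF92a, SPAF92b], as an added example written for these notes (not the textbook's code nor any system's implementation): it assumes bit positions derived from SHA-256, a constructed five-word bad-password list, and a small leetspeak-undo table chosen here; the `variants` step is one way to cover "likely permutations" of dictionary words without storing them all, and `false_positive_rate` is Bloom's standard estimate, which Figure 11.7 plots.

```python
import hashlib
import math
import re
import string

# Added example (not from the textbook or its slides): a proactive checker that
# applies the two rules from the notes, then rejects any password whose
# normalised forms hit a Bloom filter built from a constructed "bad word" list.

class BloomFilter:
    """N-bit array probed at k hash positions per word (after [BLOO70])."""

    def __init__(self, n_bits: int, k: int) -> None:
        self.n_bits, self.k = n_bits, k
        self.bits = bytearray((n_bits + 7) // 8)

    def _positions(self, word: str):
        # k indices from SHA-256(i || word); cheaper hashes would serve as well.
        for i in range(self.k):
            d = hashlib.sha256(bytes([i]) + word.encode("utf-8")).digest()
            yield int.from_bytes(d[:8], "big") % self.n_bits

    def add(self, word: str) -> None:
        for p in self._positions(word):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, word: str) -> bool:
        # No false negatives; a false positive only rejects one more password.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(word))

def false_positive_rate(k: int, n_bits: int, n_words: int) -> float:
    """Bloom's estimate P = (1 - e^(-kD/N))^k for D words in N bits (Figure 11.7)."""
    return (1 - math.exp(-k * n_words / n_bits)) ** k

def variants(password: str) -> list:
    """Forms a cracker's permutation step (step 3 of [KLEI90]) would also try."""
    base = password.lower()
    stripped = base.strip(string.digits + string.punctuation)
    desub = base.translate(str.maketrans("0143$@", "oiaesa"))  # undo leetspeak
    letters = "".join(c for c in desub if c.isalpha())
    forms = [base, stripped, desub, letters, base[::-1], stripped[::-1]]
    return list(dict.fromkeys(forms))  # de-duplicate, keep order

def check_password(password: str, bad_words: BloomFilter) -> str:
    """Return 'ok' or the reason the password is rejected."""
    if len(password) < 8:
        return "too short: at least eight characters required"
    head = password[:8]
    if not all(re.search(c, head) for c in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")):
        return "first eight characters need upper, lower, digit and punctuation"
    for form in variants(password):
        if form and form in bad_words:
            return f"too close to a dictionary word ({form!r})"
    return "ok"

CONSTRUCTED_BAD_WORDS = ["password", "secret", "welcome", "dragon", "monkey"]

def build_checker(words=CONSTRUCTED_BAD_WORDS, k: int = 7) -> BloomFilter:
    # ~200 bits per word keeps the false-positive rate negligible for this demo.
    bf = BloomFilter(n_bits=max(1024, 200 * len(words)), k=k)
    for w in words:
        bf.add(w)
    return bf
```

The filter answers "definitely not in the list" or "probably in the list", so the space problem shrinks to a few bits per dictionary word and the time problem to k hash computations per candidate form, at the price of occasionally rejecting a harmless password.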
Summary
Intruders
Behavior patterns
Intrusion techniques
Intrusion detection
Audit records
Statistical anomaly detection
Rule-based intrusion detection
The base-rate fallacy
Distributed intrusion detection
Honeypots
Intrusion detection exchange format
Password management
The vulnerability of passwords
The use of hashed passwords
User password choices
Password selection strategies
Bloom filter
Chapter 11 summary.