View
248
Download
2
Tags:
Embed Size (px)
Citation preview
Chapter 8
Deworming
Deworming Deworming? Here, we discuss…1. Defenses2. Capture and containment3. Automatic counter-measures
Example Network
Example Network Perimeter computer
o Dedicated router or other computero Shuffles packets back and fortho May also perform defensive tasks
User --- self-explanatory Internal network
o Some critical machines to protect Honeypot is optional (discussed
later)
Defenses We consider defenses from
perspective of…o Userso Hosts (i.e., users’ computers)o Perimeter
Defenses: User User education
o Email worms User might detect suspicious
activityo E.g., slowdown in network responseo So, users might act as a type of IDS
Defenses: Host Most effective host-based defenses
are the most mundane1. Apply patches2. Limit available services3. Defend against likely attack
vectors4. Anti-virus software
Patching Most worms
exploit known problems
Patching follows curve something like this o Curve never
reaches 0
Patching Many machines remain vulnerable
long after patch is available Some machines never patched Strangely, patching rate does not
increase much when highly publicized attack occurs
Patching Why so slow?
o Nobody available to install patcho Don’t know about patcho Some don’t want to install patch early
(Why?) Modern OSs use automatic
updateso Is this a good idea?
Limit Available Services Why limit services?1. Worms often exploit technical
weaknesses in servers2. Technical weaknesses likely to be
uniformly distributed in server code
3. Other reasons? Which services to shut down?
Specific Countermeasures
1. Canaries, ASLR, and other buffer overflow prevention/detection
2. Anomaly detection These are of little/no use against
new vulnerabilities or attacks Might not catch worms that use
social engineering to spread
Anti-Virus Software AV does look for worms But 3 problems limit effectiveness1. Rapidly spreading worms may not
be detected using signatures2. Integrity check and emulation
might not worko Worm could be injected into “clean”
code
3. Worm might reside in memory only
Memory Scanning Search for malware in memory Once upon a time this was easy,
now complicated due to…o Memory protection, which keeps
process memory separateo Virtual memory, which is “extra”
memory on disk, not readily available for scanning
Aside: Hash check code in memory…
Memory Scanning How to scan?
o Challenging due to memory protection and virtual memory
Use API available for debugging?o Avoids memory protection, but slow if
scan virtual memoryo Ideally, only scan memory that
changeso But not all processes can be
debugged…o …unless AV runs as part of kernel
Memory Scanning What to do when malware found?
o Terminate infected process?o Terminate infected thread(s)?o Patch process as it runs?
Scanning cannot be continuouso Opens a window of vulnerability
Philosophically speaking, is memory scanning a good idea?
Perimeter Perimeter is 1st line of defense Perimeter computer might
include…o Firewall and/oro IDS
Discuss firewalls and IDS next
Firewalls
Firewalls
Firewall decides what to let in to internal network and/or what to let out
Access control for the network
InternetInternalnetworkFirewall
Firewall as Secretary A firewall is like a secretary To meet with an executive
o First contact the secretaryo Secretary decides if meeting is importanto So, secretary filters out many requests
You want to meet chair of CS department?o Secretary does some filtering
You want to meet the POTUS?o Secretary does lots of filtering
Firewall Terminology No standard firewall terminology Types of firewalls
o Packet filter works at network layero Stateful packet filter transport
layero Application proxy application layer
Other terms often usedo E.g., “deep packet inspection”
Packet Filter Operates at network layer Can filters based on…
o Source IP addresso Destination IP addresso Source Porto Destination Porto Flag bits (SYN, ACK, etc.)o Egress or ingress
application
transport
network
link
physical
Packet Filter Advantages?
o Speed Disadvantages?
o No concept of stateo Cannot see TCP connectionso Blind to application data
application
transport
network
link
physical
Packet Filter Configured via Access Control Lists
(ACLs)o Different meaning than at start of Chapter 8
Allow Inside Outside Any 80 HTTP
Allow Outside Inside 80 > 1023 HTTP
Deny All All All All All
Action
Source IP
Dest IP
Source
Port
Dest Port Protoco
l
Q: Intention? A: Restrict traffic to Web browsing
Any
ACK
All
FlagBits
TCP ACK Scan Attacker scans for open ports thru
firewallo Port scanning is first step in many attacks
Attacker sends packet with ACK bit set, without prior 3-way handshakeo Violates TCP/IP protocolo ACK packet pass thru packet filter firewallo Appears to be part of an ongoing connectiono RST sent by recipient of such packet
TCP ACK Scan
Attacker knows port 1209 open thru firewall
A stateful packet filter can prevent thiso Since scans not part of established
connections
PacketFilter
Trudy InternalNetwork
ACK dest port 1207
ACK dest port 1208
ACK dest port 1209
RST
Stateful Packet Filter
Adds state to packet filter Operates at transport layer Remembers TCP
connections, flag bits, etc. Can even remember UDP
packets (e.g., DNS requests)
application
transport
network
link
physical
Stateful Packet Filter Advantages?
o Can do everything a packet filter can do plus...
o Keep track of ongoing connections (e.g., prevents TCP ACK scan)
Disadvantages?o Cannot see application data
o Slower than packet filtering
application
transport
network
link
physical
Application Proxy A proxy is something
that acts on your behalf Application proxy looks at
incoming application data Verifies that data is safe
before letting it in
application
transport
network
link
physical
Application Proxy Advantages?
o Complete view of connections and applications data
o Filter bad data at application layer (viruses, Word macros)
Disadvantages?o Speed
application
transport
network
link
physical
Application Proxy Creates a new packet before sending it
thru to internal network Attacker must talk to proxy and
convince it to forward message Proxy has complete view of connection Prevents some scans stateful packet
filter cannot next slides
Firewalk Tool to scan for open ports thru firewall Attacker knows IP address of firewall
and IP address of one system inside firewallo Set TTL to 1 more than number of hops to
firewall, and set destination port to N
If firewall allows data on port N thru firewall, get time exceeded error message o Otherwise, no response
Firewalk and Proxy Firewall
This will not work thru an application proxy (why?)
The proxy creates a new packet, destroys old TTL
Dest port 12345, TTL=4
Dest port 12344, TTL=4
Dest port 12343, TTL=4
Time exceeded
Trudy
Packetfilter
RouterRouterRouter
Deep Packet Inspection Many buzzwords used for firewalls
o One example: deep packet inspection
What could this mean? Look into packets, but don’t really
“process” the packetso Like an application proxy, but faster
Firewalls and Defense in Depth
Typical network security architecture
Internet
Intranet withadditionaldefense
PacketFilter
ApplicationProxy
DMZ
FTP server
DNS server
Web server
Intrusion Detection Systems
Intrusion Prevention Want to keep bad guys out Intrusion prevention is a
traditional focus of computer securityo Authentication is to prevent intrusionso Firewalls a form of intrusion
preventiono Virus defenses aimed at intrusion
prevention Like locking the door on your car
Intrusion Detection In spite of intrusion prevention, bad
guys will sometime be successful Intrusion detection systems (IDS)
o Detect attacks in progress (or soon after)o Look for unusual or suspicious activity
IDS evolved from log file analysis IDS is currently a hot research topic How to respond when intrusion
detected?o We don’t deal with this topic here…
Intrusion Detection Systems
Who is likely intruder?o May be outsider who got thru firewallo May be evil insider
What do intruders do?o Launch well-known attackso Launch variations on well-known attackso Launch new/little-known attackso “Borrow” system resourceso Use compromised system to attack others.
etc.
IDS Intrusion detection approaches
o Signature-based IDSo Anomaly-based IDS
Intrusion detection architectureso Host-based IDSo Network-based IDS
Any IDS can be classified as aboveo In spite of marketing claims to the contrary!
Host-Based IDS Monitor activities on hosts for
o Known attackso Suspicious behavior
Designed to detect attacks such aso Buffer overflowo Escalation of privilege, …
Little or no view of network activities
Network-Based IDS Monitor activity on the network for…
o Known attackso Suspicious network activity
Designed to detect attacks such aso Denial of service (DoS)o Network probes (e.g., port scanning)o Malformed packets, etc.
Some overlap with firewall Little or no view of host-base attacks Can have both host and network IDS
Signature Detection Example
Failed login attempts may indicate password cracking attack
IDS could use the rule “N failed login attempts in M seconds” as a signatureo So, if N or more failed login attempts in M
seconds, IDS warns of attack Note that such a warning is specific
o Admin knows what attack is suspectedo Easy to verify attack (or false alarm)
Signature Detection
Suppose IDS warns whenever N or more failed logins in M secondso Set N and M so false alarms not common
o Can do this based on “normal” behavior
But, if Trudy knows signature threshold, she can try N − 1 logins every M seconds…
Then signature detection could slow down Trudy, but might not stop her
Signature Detection
Many techniques used to make signature detection more robust
Goal is to detect “almost” signatures For example, if “about” N login attempts
in “about” M secondso Warn of possible password cracking attempto What are reasonable values for “about”?o Can use statistical analysis, heuristics, etc.o Must not increase false alarm rate too much
Signature Detection Advantages of signature detection
o Simpleo Detect known attackso Know which attack at time of detectiono Efficient (if reasonable number of
signatures) Disadvantages of signature detection
o Signature files must be kept up to dateo Number of signatures may become largeo Can only detect known attackso Variation on known attack may not be
detected
Anomaly Detection Anomaly detection systems look for
unusual or abnormal behavior There are (at least) two challenges
o What is normal for this system?o How “far” from normal is abnormal?
No avoiding statistics here!o mean defines normalo variance gives distance from normal to
abnormal
How to Measure Normal?
How to measure normal?o Must measure during “representative”
behavioro Must not measure during an attack…o …or else attack will seem normal!o Normal is statistical meano Must also compute variance to have
any reasonable idea of abnormal
How to Measure Abnormal?
Abnormal is relative to some “normal”o Abnormal indicates possible attack
Statistical discrimination techniques include o Bayesian statisticso Linear discriminant analysis (LDA)o Quadratic discriminant analysis (QDA)o Neural nets, hidden Markov models (HMMs),
etc. Fancy modeling techniques also used
o Artificial intelligenceo Artificial immune system principleso Many, many, many others
Anomaly Detection (1) Spse we monitor use of three commands:
open, read, close Under normal use we observe Alice:
open, read, close, open, open, read, close, … Of the six possible ordered pairs, we see
four pairs are normal for Alice,(open,read), (read,close), (close,open), (open,open)
Can we use this to identify unusual activity?
Anomaly Detection (1)
We monitor use of the three commands open, read, close
If the ratio of abnormal to normal pairs is “too high”, warn of possible attack
Could improve this approach by o Also use expected frequency of each pairo Use more than two consecutive commandso Include more commands/behavior in the
modelo More sophisticated statistical discrimination
Anomaly Detection (2) Over time, Alice
has accessed file Fn at rate Hn
H0 H1 H2 H3
.10 .40 .40 .10
Is recent activity normal for Alice? We compute S = (H0A0)2+(H1A1)2+…+(H3A3)2
= .02o We consider S < 0.1 to be normal, so this is normal
How to account for use that varies over time?
Recently, “Alice” has accessed Fn at rate An
A0 A1 A2 A3
.10 .40 .30 .20
Anomaly Detection (2)
To allow “normal” to adapt to new use, we update averages: Hn = 0.2An + 0.8Hn
In this example, Hn are updated… H2=.2.3+.8.4=.38 and H3=.2.2+.8.1=.12
And we now have new long-term averages:
H0 H1 H2 H3
.10 .40 .38 .12
Anomaly Detection (2) The updated
long term average is
H0 H1 H2 H3
.10 .40 .38 .12
Is this normal use? Compute S = (H0A0)2+…+(H3A3)2 = .0488
o Since S = .0488 < 0.1 we consider this normal And we again update the long term
averages:
Hn = 0.2An + 0.8Hn
Suppose new observed rates…
A0 A1 A2 A3
.10 .30 .30 .30
Anomaly Detection (2) The starting
averages were:
H0 H1 H2 H3
.10 .40 .40 .10
Statistics slowly evolve to match behavior This reduces false alarms… …but also opens an avenue for attack
o Suppose Trudy always wants to access F3
o Can she convince IDS this is normal for Alice?
After 2 iterations, averages are:
H0 H1 H2 H3
.10 .38.364
.156
Anomaly Detection (2) To make this approach more robust,
must incorporate the variance Can also combine N stats Si as, say,
T = (S1 + S2 + S3 + … + SN) / N
to obtain a more complete view of “normal”
Similar (but more sophisticated) approach is used in an IDS known as NIDES
NIDES combines anomaly & signature IDS
Anomaly Detection Issues Systems constantly evolve and so must
IDSo Static system would place huge burden on SAs o But evolving IDS makes it possible for attacker
to (slowly) convince IDS that an attack is normal
o Attacker may win by simply “going slow” What does “abnormal” really mean?
o Indicates there may be an attacko Might not be any specific info about “attack”o How to respond to such vague information?o In contrast, signature detection is very specific
Anomaly Detection Advantages?
o Chance of detecting unknown attacks Disadvantages?
o Cannot use anomaly detection alone…o …must be used with signature detectiono Reliability is unclearo May be subject to attacko Anomaly detection indicates “something
unusual”, but lacks specific info on possible attack
Anomaly Detection: The Bottom Line
Anomaly-based IDS is active research topic Many people have high hopes for its
ultimate success Often cited as key future security
technology Hackers are not convinced
o Title of a talk at Defcon: “Why Anomaly-based IDS is an Attacker’s Best Friend”
Anomaly detection is difficult and tricky As hard as AI?
Capture and Containment Defense --- keep worms out Capture and contain --- keep
worms ino That is, prevent further spreado Might “sacrifice” some machines
Early capture is usefulo Honeypot
Containment measures?o Reverse firewalls and throttling
Honeypots Designed to look like a good target Originally aimed at human
attackers But now, for viruses, worms, etc. Used by researchers and AV
vendorso AV vendor sees new attackso Researchers study new attacks,
attack patterns, malware development cycle, etc.
Honeypots Properties of honeypot?
o Must be complete enough to look realo Impossible for worm to “break out”o Easy to restore after attack
How is honeypot built?o Emulation --- many of same
difficulties as in virus detection
Honeypots How do you know if it’s a worm in
the honeypot?o Perhaps honeypot does not attract any
legitimate traffico This won’t attract passive scanning
worm For random scanning worm, need
lots of honeypots For “smart” worm, honeypot must
make itself look attractive --- how?
Honeypots What does honeypot do with
worm?o Samples for analysiso Early warningo Measure of worm activity
Honeypot might act as a “tarpit”o Respond slowly --- slow down rapid
wormo No response --- could be devastating
to “hit list” worm
Reverse Firewalls Filter outgoing traffic
o Same principles as inbound firewalls Host-based reverse firewall
o Can limit activity based on application Worm might still succeed…
o Use shared network directorieso Subvert previously-checked codeo Use social engineeringo Take advantage of false positives
Throttling Limit rate of
connectionso For
outbound connections
o Throttle all applications
Throttling Can be refined
o Allow more connections to those recently connected to
o Take success into accounto “Safe” connections delayed by a littleo Lots of waiting connections is
suspicious Load balancing/fair share?
o Might adversely affect fast worms
Automatic Countermeasures
How to respond automatically?o I.e., no human intervention requiredo Why would we want to do this?
Two questions to consider… How to detect worm activity? What countermeasures to take?
How to Detect Worms? Automatic detection, that is Already considered honeypots,
throttling issues, IDS, etc. Others?
o Lots of traffic on one port with many different destination IPs (Why?)
o Few DNS queries relative to number of connection attempts (Why?)
Worm Detected? Automatic countermeasures?
o Isolate affected machineso Isolate critical networkso Shut down targeted serverso Automatically insert filtering rules into
firewallso Drop traffic to affected servers
Risks of automatic countermeasures?