 So intrusion detection, how to detect intruders, intruders into our network. You think of your home and intruder is someone who breaks into your home and steals some things or does something bag it in your home. How do you detect them? How do you prevent them? Well now we're dealing with a computer system, the same thing. We want to detect and prevent intruders for getting access to our computer system. We're focusing on intrusion detection. We will not go into much detail about intrusion prevention. There are some subtle differences and there are some specific software systems that will support this. First, assume attacks will occur. Don't be naive and think you build your computer system and no one's going to attack it. So you need to approach security assuming that someone's going to attack your system. So successful attacks will allow someone to get access, unauthorized access to your system resources. So sometimes we want to prevent attacks or all the times we'd like to prevent attacks. But sometimes it's too costly to prevent all attacks. Therefore we make a trade-off and say okay if we cannot prevent them then at least we should be able to detect them if they happen. So the ideal world would be I build my computer system and I build some security features such that I prevent all attacks. I set the access control, the permissions correctly, I set a firewall, I use secure software and I build the system so that no attacks can happen. I prevent all attacks. Unfortunately in complex systems that's very hard to do. It's hard to in a manageable cost build a truly secure system. Therefore that is it's cheaper to prevent some attacks and detect the rest. So we're going to focus on detection of attacks. How to prevent attacks? Well we've seen access control already. How to prevent someone getting unauthorized access? Set up the access control on the files correctly. Set up user authentication so we authenticate the correct user. Next topic, firewalls and other topics on software and web security will look at ways to prevent attacks. But assuming we can't prevent all attacks we want to be able to detect if an attack does happen. That's what an intrusion detection system, IDS, does. It monitors and analyzes events within the computer system. So when things happen in the system an IDS monitors, analyzes to try and find, to log, to keep track of and warn about intrusions. So when some intrusion takes place we want to know about it. Once we know about an intrusion we can take other measures. Maybe we can take technical measures, we can improve our system. If we know someone can intrude through this hole then we can block that hole in the future. So they can't do it in the future. Or we can find out who did it and take legal measures. Get some financial reimbursement or some penalty on the attacker. So who are the intruders? Some different terminology here. But the first two, the main two types, outsiders and insiders. We were distinguished between intruders who are normally outside of the computer system and those that have authorized access to the system. The words and these come from the textbook. A masquerader is an outsider. Someone who's not normally authorized to access the system. But somehow they penetrate the authentication or the access control systems and get access. As a normal user's account. That is someone out on the internet logs into the Moodle website using my login. They're an outsider getting access to our system. Misfeasor, okay, an insider. Some normal user who accesses resources on the system that they shouldn't access. So a student who has an account in Moodle can somehow get access to resources that they shouldn't get access to. So a student, for example, can escalate their privileges to become an administrator in Moodle so that they can change the quizzes or change their scores in Moodle. So they're a legitimate user, they're a normal user, but they do something bad. So an insider, they misuse their privileges that they normally have. A clandestine user is someone either insider or outsider who takes some control of the system or gets some extra privileges and tries to evade detection, okay, tries to hide. What are some examples and just several types of intrusion? What can an intruder do? They can get access to some server, for example. So you get some root access ones. You have root access or administrator access to the server. You can do anything you like on it, usually. Deface a website so you can get access to the system and put something on the website that makes the organization look bad, for example. Try and guess passwords so a user, maybe an inside user, if they can get access to the database of passwords, then they can try and obtain information of other users, their passwords. Or they can try and guess passwords. Copy private information, okay, so just some different examples. View sensitive information, financial information, medical information if you can get access to a system. Again, get passwords. And then use this information to do further attacks on the system. Use resources in an inappropriate way, so log in or get access to one system, intrude into one system, and then use that system to access some illegal resource or do something illegally from that system so that when someone traces back, it looks like it comes from the one that the malicious user intruded into, okay. So I'm sure you can think of examples of that. Pretending to be others, to gain passwords, to gain back to passwords, getting access to computers by just going to ones which are unattended but logged in. Just some examples. We can often distinguish between different types of intruders and what their aims and intentions are. And we may have different responses. So this will look at three types of intruders or three intruder behaviors. And the names, it may not be the best, but a cracker, a criminal enterprise, and an internal threat. So the first two are external, and the third one is from someone internal, an insider. What's a cracker? Maybe other names you hear of as a hacker sometimes is used. But someone who is trying to get access to the system to intrude, why are they doing it? Well, for the thrill of doing it, for the recognition of being able to do it, for the status. They may not get any financial gain from doing the intrusion, but they may get recognition from their peers, from other people, and people say, yeah, okay, you're good because you can intrude into this secure system. So there are such intruders that will do it not so much for financial gain, but for their own recognition. Not always the case, but usually they're looking for easy targets in this case. And they may share information with others about those targets. So someone who wants to intrude into their SIT system may first communicate with other potential intruders and see what they've learned about the SIT system to try and make their task easier. They'll usually use flaws in software to gain access. So bugs in software take advantage of those bugs to try and get some access to the unauthorized system. Intrusion detection systems are useful for such intruders because we'll see how they work, that they can detect, I won't say simple attacks, but attacks by people who often are not motivated by financial rewards. They may not be as complex as the next type of attacks. So intrusion detection are usually quite useful in these cases. IPS is intrusion prevention systems, which are systems specifically built to try and not just detect, but to stop attacks. We will not cover them in any detail, but there's another chapter in the textbook that looks at IPS. Other types of intruders are usually those who get some financial reward from intruding. They'll get some confidential information and sell that to someone else. Or they'll get some commercial advantage for their business. Or maybe some political or religious reasons. They want to perform an intrusion. They're often more motivated than the crackers. They have more to gain from it. And in many cases they are more organized. So they may not just be individuals, or a small group of individuals, they may be companies, governments, or organizations funded by governments, or criminal gangs, or criminal organizations. So usually we separate these as being larger organizations with more to gain from an intrusion. Often they are looking for specific targets. A cracker we say looking for open targets, looking for any target that they can intrude into. It doesn't matter who it is, they just want to get status that they can intrude. Whereas in this case they'll be looking at specific targets that they can get the most reward from. And often they don't want to be known that they've done the intrusion. They want to avoid publicity. Whereas a cracker may want to advertise the fact, yes I could intrude into this one to get that extra recognition. Again use flaws in software to do the intrusion, but often will also use social engineering. So you want to get access into some company, then maybe call up some people in that company pretending to be someone else and try and get information from them that will make the intrusion easier. Again, intrusion detection systems useful, and so intrusion prevention systems. But why do we say useful here and very useful? Maybe we can distinguish that the first set of intruders, the attacks may not be as advanced. When you compare it to companies, governments that are doing the attack. And therefore the more advanced attacks are harder to detect and harder to prevent. The third type are internal users, internal threats. An employee, or maybe even an ex-employee who's just been fired, wants to take some revenge on people or an organisation. Or they think they're entitled to do something. So they already have access to the system. So they are internal users or they recently were internal users. Therefore very difficult to detect. So they already have authorised access to the system. How do you detect being able to use the system? Intrusion detection systems are not as useful for these types of attacks. IDS is mainly for attacks from outsiders. To stop internal users, there are different mechanisms to use. Least privilege, remember this concept that those users only get access to things that they need to do their job. So don't give them access to the entire system just because they're an internal user. Good authentication so that they can only log in as themselves even if they know about others. Keeping track of what happens. Logging and auditing. Logging is keeping records of all the things that happen on the computer system. So after the fact you can go back and see what happened. Who logged in at this time? What did they do? What commands did they run? What files did they access? And auditing is the process of then analysing those logs. So you don't just keep the logs, you need to go back and check the logs. If you fire someone make sure you have a policy to make sure that once they have officially left the position that they cannot do damage or even before they leave their position reduce their privileges. So as soon as you terminate someone's employment make sure that the computer system is updated to indicate that this person is going to has been notified that they're going to lose their job in two weeks time. Therefore let's reduce their privileges just in case they try to take revenge before they are removed. So let's say that the user had admin privileges. If we're talking about terminating the employee that is firing them for some reason they're moving on to another job then again the similar principle of making sure that once that's known that they're going to be terminated then change their privileges. And with admins in large networks again an admin user doesn't need to be able to have access to all information systems. Usually just the system that they need for their job. So at least privilege becomes important here. So an admin, I'm the admin on the Moodle server doesn't mean I get access to the entire registration system. I just need the privileges to do it on the Moodle server. So I think you can use similar concepts. How does someone intrude? How does someone gain access to an unauthorized system as an external or an outsider? They want to gain access to the system or if they're insider increase their privileges. That is you're a normal user but set your privileges so that you can do anything an admin user can do. Well one common way is to exploit flaws in software. Bugs in software are a common form for intrusions. We'll see some examples in later topics we'll look a little bit about software security but more about web security as an example of that in its normal operation with some bugs or some poorly implemented mechanisms that software will allow some external user to execute some code to perform some things that were unexpected. So if the bug in some software on our computer system allows an intruder to execute the code that they want to be executed then they use that to execute some code to for example set up an account for them or to change the password for someone or to change the privileges for a particular user. So many attacks take advantage of the fact that the software that the system is using has bugs in it. How do we fix that? Make sure bugs don't exist. That's not possible in software development. Make sure the software we're using is up to date and as few bugs as possible is the main thing. So to prevent attackers from being able to use software flaws make sure the software you're using has as few flaws as possible and there are websites, databases that keep track of many known flaws in software. Vulnerabilities. I'll show you some examples in a moment. So that an organization should keep should monitor the vulnerabilities in the software and systems that they're using. For example, we use Moodle as a piece of software that runs the website. That is, think of Moodle as a piece of software. It goes, it's updated every few weeks. So there are many different versions of Moodle. So what we should do is what I should do as the administrator is keep track of I'm using version 2.5 have there been any advertised or known bugs in version 2.5? Where would I look? Well there are usually dedicated websites which keep track of these vulnerabilities the bugs and different pieces of software. So I could keep from a mailing list and get an automated email saying Moodle 2.5 has a bug you should now upgrade to 2.5.1 and perform those updates and do it on a regular basis. On the course website there's a link to some further links about security. You can browse through and one I've listed just some examples of organizations or websites that provide alerts. So they keep track of attacks and bugs and keep a list and you can get an alert when that happens. So there's a list of them here. There's a national vulnerability database from the US which just has a database of essentially bugs in known software similar a database of common vulnerabilities and exposures from a security perspective and different mailing lists and forums and so on that people post announcements of known bugs and known attacks bug track full disclosure at examples. We have an example, the US CERT. CERT is a more general computer emergency response team or computer emergency readiness team but it's a common acronym that refers to organizations that keep track of security incidents and try and alert others about it. So usually each country may have their own CERT. So there is Thai CERT which tries to inform organizations inside the country about different attacks. So US CERT is an example so they have a website and I think you can follow through and get different alerts that they announce. So on their front page Apple releases iTunes Apple has released a security update so it's related to the software has been updated because they found some flaws in the software some security flaws. Cisco releases multiple security advisories advising people that their software and hardware may have vulnerabilities. And there are other sites that do similar things. What's another one? Security focus. Again, here's a mailing list. Sorry, hard to see. You have a look in your own time. Just a mailing list where people post security announcements. This software graph has a bug and there's been a recent update, for example. Vulnerabilities in some software. So there are many such lists. If you're running a system you should keep up to date with the vulnerabilities of the system that you're running. Alright, let's keep moving on. So what we just looked at as examples is that these announcements of the vulnerabilities are made once they're known. So I think you're asking a question about, okay, when are they known? So in some enterprise software or some software they're not known. So what we just looked at as examples is that these announcements of the vulnerabilities are made once they're known. So in some software or some software they may not be known. If the bugs are not known then you cannot learn about it. So that's still a flaw or a vulnerability. Is that part of your question? I mean, if the bug is known already but the client cannot update right now because they have to have tests before. Okay, yes. Right. So let's say again I have Moodle and I'm using 2.5 version 2.5 and there's an announcement. Version 2.5 has a bug in it. Upgrade to 2.5.1. I don't necessarily go to the server and upgrade immediately because the upgrade may cause other consequences. So the upgrade of a software doesn't necessarily mean the software will work with the existing system. So I need to do some testing and make sure that version 2.6 still works for what I need it to do. For example, all the plugins work. All the extra features that I've developed still work. So just because an announcement has been made it doesn't mean you immediately upgrade but the time you take to upgrade is this time that the vulnerability still exists in your system. How do you deal with that? Do you use the time to upgrade? So have some way to automate the testing? Maybe you could temporarily block access to the system before the upgrade takes place if it's a very important system. But yes, upgrading takes time. So therefore, from when you learn about the bug until you've fixed it there's still this window of opportunity for an attack. That's about software. Fix the bugs. Make sure you have a few bugs as possible. The other is about protected information. So an intruder finds some passwords, for example and uses that. So they guess passwords or they from some hashed passwords, they crack passwords and then use that to get access to the system. Or social engineering attacks. We mentioned that someone pretends to be me. They call up the SIT staff saying I'm Steve Gordon's brother. I need some information about him and the staff believe who he is but he's actually an intruder who's trying to find that information about me and will use that information to maybe log in as me. So social engineering attacks. How do you stop that? Make sure you have technologies to protect that information and for the social engineering especially policies and people are aware that confidential information should remain confidential. That if someone calls up on the phone saying can you please reset the password for Steve to be ABC then the person who answers the phone should be aware well no, I'm not going to first I need confirmation as to who you are and be maybe say okay well come into the computer centre and we'll do it for you there. So we need to make people aware that we need to be careful with the confidential information especially to stop social engineering attacks. Intrusion detection. So that's about intruders. How do we detect intruders? General concepts. We can distinguish between host-based intrusion detection or intrusion detection systems an extension of host-based on multiple computers and collecting multiple information so distributed host-based and network-based. So we'll go through the three of them. Host-based think of we have some special software on a computer that tries to detect intruders. It monitors what's happening on that computer with the aim of detecting is someone trying to intrude or not. Distributed host-based now we have this intrusion detection software on many computers which are trying to monitor what's happening and they report back to some other central computer to improve the chance of detecting an intrusion. Network-based is not monitoring what happens on computers but monitors what's sent across a network. So host-based monitor the activities on a computer. Network-based monitor the packets being sent through a network. And from that monitoring trying to determine if some suspicious activity is taking place. All of them use some sensors to collect data. So the monitoring involves collecting data of what's happening. Data includes collecting packets. You know how to collect packets. TCP dump Wireshark collects packets. Those concepts can be used. Log files many software applications keep a log of what the software is doing. It records to a file or a set of files the events that have taken place with respect to that software. So a web server for example whenever whenever anyone accesses a web server that web server writes a line to a log file saying who accessed that page. I'll show you an example later. So any software can keep a log of what's happening. System call traces. So that's with respect to the operating system. A log of the different calls to the operating system. So calls to functions from different applications. So a function to read the password file or a function to open a file or write to a file can be every application that calls that function that's provided by the operating system the operating system can keep a log of which application called it at what time. So some trace of the system. Let's collect data. Then we need to analyze the data. We need to get some information from it. So analyzers receive the collected data and do some analysis on it and they try to determine if an intrusion has taken place. And we also usually need some way for a human to interact with the data the results. So some user interface so that an administrator can view the results of the analysis and can control how the intrusion detection system works. I thought I had a better picture. Later we'll see a picture that shows those different entities. How do we detect intruders? So we monitor what happens on a computer system or in a network and we try and detect is an intruder doing something or is it a normal user doing something? So the principles is that we work on the assumption that an intruder behaves different than a normal user, a legitimate user. They do something different from a normal user. So what this diagram shows is trying to capture the behavior. So this is the behavior of a normal user and if this is the behavior of an intruder if we can determine that behavior somehow and we'll see ways to do that then what we want to do in terms of the monitoring and analysis then is to monitor the behavior, what's happening and then if the behavior of what's currently happening matches that of the intruder then we classify this as being an intrusion. If it looks like normal behavior then don't classify as an intrusion. The idea is to first to be able to distinguish between what an intruder does versus what a normal user does. If we cannot distinguish then we cannot detect intrusions. So we must be able to distinguish that an intruder does something different than a normal user. So for example in this diagram the concept if the profile of the intruder so the behavior of the intruder overlapped fully with the profile of the authorized user then there will be no way to detect intrusions. So the assumption is that they don't overlap or they don't fully overlap there may be some partial overlap that is the things that the intruder does sometimes are the same as what a normal user does. That's this solid green part here. So this is indicating the behavior of the intruder and the normal user overlap. So when we detect such behavior we don't know if it's an intruder or a normal user. But if we detect behavior in this area which matches only the behavior that an intruder would take then our intrusion detection system knows that this is an intruder. Similar if we detect behavior in this area we measure some behavior in the system which corresponds with what a normal user would normally do then we assume it's not an intrusion. Now this is all this is the principle it's hard to get these profiles of the behavior. What does a normal user do what does an intruder do? That's the challenge here. So an intrusion detection system does some results. So some things happen in the system it should return is this intrusion or not. We may get false positives. A normal user is identified as an intruder. So if the system doesn't work perfectly then the normal user may be doing something but the intrusion detection system identifies that as an intruder that's a false positive. We don't want that to happen we want to minimize the false positives. Another thing we don't want to happen is false negatives. We're measuring what the system is doing and it's actually an intruder doing something on our computer system but our intrusion detection system doesn't detect that it thinks it's a normal user so the intruder goes unidentified the intrusion is not detected so we want to minimize false positives but also minimize the false negatives and they conflict in some ways. Let's look at some details and in the last 10 minutes let's come back to the requirements next lecture let's look at a host based intrusion detection system just skipping through I want to okay we'll get there. So a host based intrusion detection system assume there's some special software on your computer, the host its goal, detect intruders. What it does is it monitors what's happening on your computer and uses some algorithm to determine are these actions the result of an intrusion or not? So some special software on your computer to do this to detect intrusions and to inform people if something looks like an intrusion and maybe you can even stop attacks if the attack is detected or the intrusion is detected early. Let's look at how to do that. Anomaly detection is we measure or observe the behavior what's happening on the computer system and compare it against previous records of the behavior. So say with an ICT server I record over a period of a month of when students log in how often they log in to the ICT server how often they access Moodle at what times of the day that they access how long they're logged in for I record that for the normal users okay so I have some knowledge of what the normal users do with that computer the normal behavior and now I start my intrusion detection system which has that knowledge of the normal users and now it monitors what's happening right now and compares it against the past behavior and with that if the current behavior crosses some threshold that is the number of attempts to log in exceeds some threshold compared to what I've measured in the past that's an indicator of an intrusion so before we go through the other parts let's go to the examples just to give you an idea of how do we measure the behavior and it's maybe hard to see but in front of you some different examples of okay one is about monitoring log ins and when someone logs into a system what they do and how long they do things for so the measure may be how frequently someone logs in by day or time so with the idea that intruders are more likely to or maybe more likely to log in in off hours that is late at night as opposed to during the day the idea is that if we know how often people log in and I know from the ICT server that students only log in during labs the only time they use Moodle is during the lab which is Monday 9 to 4 and Friday 1 to 12 if I know that and then I monitor someone's logging in on Saturday at 11pm that may be an indicator that that behavior is outside the profile of the normal user and therefore detect an intrusion now it's not that simple or it may not be that effective if we keep it that simple but then we can use other information so where did they log in from I think you may experience this with email systems you log into Gmail and if you've logged in from a different country then you normally log in Gmail may present some warning or even require some other authentication because what it's doing is it's recording because your normal behavior you normally log in from this location but then one day later there's a login attempt from another country to your account well that raises a trigger something may be going wrong this may be an intrusion so log in location may be used not just on country but based upon IP addresses as well time since login so intruder tries to break into accounts which are no longer used so the old students from SIT from three or four years ago who had accounts on in SIT but no longer or no longer active but then we suddenly see a login attempt for that account then that may be an indicator of an intrusion sessions refers to how long you're logged in for so we can use the statistics of the average time that you stay logged in for and between sessions and use that to indicate if something looks not normal then that may be an intrusion amount of output to a location a normal login involves copying one file from the server to your home computer but then there's a login that results in the copying of thousands of files gigabytes of data from the server to some computer maybe that's abnormal and indicates a possible intrusion maybe the intruder is copying or downloading as many details as possible from the server utilization of the the resources on the computer the CPU the disk activity again if we have a profile of normal CPU activity from the normal users then something outside of that we can detect as an intrusion failed passwords and failed logins related to that so failure attempts to log in may be an indicator of an intrusion alright we'll go through the others I don't have time to give an example today Thursday we'll give some examples of these on a real system execution of programs on the computer system execution of software so on the system they execute commands normally the normal user executes commands to list their contents of their directory to change directories so that's the normal behavior but then someone logs in and starts to run sudo rm star trying to delete all the files as the sudo user when they don't have access it's an indicator of a potential intrusion someone has intruded and is trying to get admin rights so that executing programs and that execution gives an indicator that that's not normal file access is the other way normally users access files according to certain patents but if someone tries to access files outside those patents that can be used to detect an intrusion so if someone tries to read normally confidential files again that may be a detector or the rate at which they read files or that they delete files normally a user may only delete files in their own account at some rate but if someone tries to delete as many files as possible as fast as possible that may be an indicator of an intruder so these are just examples of how can we measure computer systems what can we measure and how can we use that to indicate that this behavior is different from the normal behavior and therefore classify as an intrusion we'll go back on Thursday and look at these different ways of anomaly detection and signature detection and go through host based and distributed host based in a bit more detail and I'll show some examples of some of those measures say on the ICT server on other computer systems let's stop there