Iss lecture 9
Download as PPT, PDF1 like608 views
This document provides an overview of malicious software, intrusion detection, and firewalls. It defines malware, trojan horses, viruses, and worms. It describes how each functions and spreads. Countermeasures like antivirus software and firewalls are discussed. Intrusion detection approaches like statistical anomaly detection and rule-based detection are also summarized. Common intrusion detection systems and firewall types are briefly mentioned.
Iss lecture 9
- 1. Information SystemsInformation Systems SecuritySecurity Lecture 9Lecture 9 Malicious Software, Intrusion Detection,Malicious Software, Intrusion Detection, and Firewallsand Firewalls
- 2. 22 OutlineOutline 1.1. Malicious codeMalicious code 2.2. Trojan horsesTrojan horses 3.3. VirusesViruses 4.4. WormsWorms 5.5. Other malicious codesOther malicious codes 6.6. CountermeasuresCountermeasures 7.7. Intrusion DetectionIntrusion Detection 8.8. FirewallsFirewalls
- 3. 33 What is Malicious Code?What is Malicious Code? Any code which:Any code which: – Modifies or destroys dataModifies or destroys data – Steals dataSteals data – Allows unauthorized accessAllows unauthorized access – Exploits or damages a systemExploits or damages a system – Does something user did not intend to doDoes something user did not intend to do Malware is a MALicious softWAREMalware is a MALicious softWARE Malware can be any things: viruses, worms, trojan horses, etc.Malware can be any things: viruses, worms, trojan horses, etc.
- 4. 44 Trojan HorseTrojan Horse A Trojan horse is a program that appears to be useful orA Trojan horse is a program that appears to be useful or harmless but that contains hidden code designed to exploit orharmless but that contains hidden code designed to exploit or damage the system on which it is run.damage the system on which it is run. Originally Trojan horses were not designed to spreadOriginally Trojan horses were not designed to spread themselves.themselves. A Trojan horse tricks user into executing malicious code.A Trojan horse tricks user into executing malicious code. Examples:Examples: – A simple example of a Trojan Horse would be a program namedA simple example of a Trojan Horse would be a program named “Bush.EXE" that is posted on a website with a promise to be a fun“Bush.EXE" that is posted on a website with a promise to be a fun animation.animation. – On the Microsoft Windows platform, an attacker might attach a TrojanOn the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message whichhorse with an innocent-looking filename to an email message which entices the recipient into opening the file.entices the recipient into opening the file. – Phish-BuyPhone (1/7/2007).Phish-BuyPhone (1/7/2007).
- 5. 55
- 6. 66
- 7. 77 VirusVirus A virus uses code written with the express intention ofA virus uses code written with the express intention of replicating itself.replicating itself. A virus attempts to spread from computer to computer byA virus attempts to spread from computer to computer by attaching itself to a host program.attaching itself to a host program. It may damage hardware, software, or data. When the host isIt may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts andexecuted, the virus code also runs, infecting new hosts and sometimes delivering an additional malicious actions.sometimes delivering an additional malicious actions. Example:Example: – Melissa: MacrovirusMelissa: Macrovirus
- 8. 88 Virus structureVirus structure Program V:= {goto main; 1234567; subroutine infect-executable := {loop: file := get-random-executable-file; if (first-line-of-file = 1234567) then goto loop else prepend V to file; subroutine do-damage := {what ever damage to be done} subroutine trigger-pulled := {return true if some condition holds} Main: main-program := {infect-executable; if trigger-pulled then do-damage; goto next;} next: } (on right) A virus structure that is prepended to infected programs Type of this virus: File virus. A virus can be prepended orA virus can be prepended or postpended to an executablepostpended to an executable programprogram When an infected programWhen an infected program (containing a virus) is invoked,(containing a virus) is invoked, will first execute the virus codewill first execute the virus code then execute the original code tothen execute the original code to the programthe program..
- 9. 99 Types of virusesTypes of viruses 1.1. File virus, also called parasitic virus.File virus, also called parasitic virus. 2.2. Boot sector infectors: Infects a master boot record or boot record andBoot sector infectors: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.spreads when a system is booted from the disk containing the virus. 3.3. Macro virus: infects macro programming environment (e.g., MicrosoftMacro virus: infects macro programming environment (e.g., Microsoft office application such as Word) rather than specific operating systems .office application such as Word) rather than specific operating systems . – A macro is a an executable program embedded in a word processing documentA macro is a an executable program embedded in a word processing document or other types of files.or other types of files. – A macros is an executable file that can modify commands within the applicationA macros is an executable file that can modify commands within the application menu.menu. – Macro virus infects data files rather than executable files.Macro virus infects data files rather than executable files. 1.1. Stealth virus: a form of virus explicitly designed to hide itself fromStealth virus: a form of virus explicitly designed to hide itself from detection by antivirus softwares.detection by antivirus softwares. 2.2. Polymorphic virus: a virus that mutates with every infection, making itsPolymorphic virus: a virus that mutates with every infection, making its detection impossible.detection impossible. 3.3. ……
- 10. 1010 WormsWorms A worm uses self-propagating malicious code that canA worm uses self-propagating malicious code that can automatically distribute itself from one computer to anotherautomatically distribute itself from one computer to another through network connections.through network connections. – i.e.i.e., Worms can execute and spread without user intervention., Worms can execute and spread without user intervention. A worm can take harmful actions, such as:A worm can take harmful actions, such as: – consuming network or local system resourcesconsuming network or local system resources – causing a denial of service attack.causing a denial of service attack. – deleting data, spying users, …deleting data, spying users, …
- 11. 1111 WormsWorms By denition, a worm is supposed to hop from machine to machine on its own, it needs to come equipped with considerable networking support. With regard to autonomous network hopping, the important question to raise is: What does it mean for a program to hop from machine to machine? A program may hop from one machine to another by a variety of means: – By using the remote shell facilities, as provided by rsh and rexec in Unix, to execute a command on the remote machine. – By cracking the passwords and logging in as a regular user on a remote machine. Example: The Slammer Worm (online info)
- 12. 1212 Other malwaresOther malwares Trap door: a secret entry point into a program that allowsTrap door: a secret entry point into a program that allows someone that is aware of the trapdoor to gain access withoutsomeone that is aware of the trapdoor to gain access without going through the usual security procedures.going through the usual security procedures. Logic bomb: is a code embedded in some legitimate programLogic bomb: is a code embedded in some legitimate program that is set to explode when certain conditions are met (time, orthat is set to explode when certain conditions are met (time, or data).data). Zombie: is a program that secretly takes over another Internet-Zombie: is a program that secretly takes over another Internet- attached computer and then uses this computer to launch attacksattached computer and then uses this computer to launch attacks
- 13. 1313 Other malwaresOther malwares What is not malware?What is not malware? – Spyware (also calledSpyware (also called spybotspybot oror tracking software)tracking software). programs that conduct. programs that conduct certain activities (collecting personal information) on a computer withoutcertain activities (collecting personal information) on a computer without obtaining appropriate consent from the user.obtaining appropriate consent from the user. – Adware:Adware: pop-up advertisementspop-up advertisements – Spam: is unsolicited e-mail generated to advertise some service orSpam: is unsolicited e-mail generated to advertise some service or productproduct – Scams: An e-mail message that attempts to trick the recipient intoScams: An e-mail message that attempts to trick the recipient into revealing personal information that can be used for unlawful purposesrevealing personal information that can be used for unlawful purposes
- 14. 1414 Virus countermeasuresVirus countermeasures The antivirus approach: the ideal solution to the threat of virusesThe antivirus approach: the ideal solution to the threat of viruses is prevention:is prevention: – Don’t allow malware to get into the systemDon’t allow malware to get into the system This is difficult (even impossible) to achieveThis is difficult (even impossible) to achieve Follow the following approach:Follow the following approach: – Detection: once the infection has occurred, locate the virus.Detection: once the infection has occurred, locate the virus. – Identification: identify the specific virus that has infected a program.Identification: identify the specific virus that has infected a program. – Removal: remove all traces of the virus from the infected program andRemoval: remove all traces of the virus from the infected program and restore it to its original state.restore it to its original state. Follow Virus Alert’s website: (eg, next slide)Follow Virus Alert’s website: (eg, next slide) Example:Example: – The Windows case (the antivirus Defense-in-Depth Guide, Ch4)The Windows case (the antivirus Defense-in-Depth Guide, Ch4)
- 15. 1515
- 16. 1616 Windows’s antivirus Defense-Windows’s antivirus Defense- in-Depth Guidein-Depth Guide 1.1. Active processes and servicesActive processes and services – Task Manager, Ps Tools, Process ExplorerTask Manager, Ps Tools, Process Explorer 1.1. The local registryThe local registry – Regedit (the registry editor)Regedit (the registry editor) 1.1. Files in the Microsoft Windows system folders.Files in the Microsoft Windows system folders. – Use the “Windows Search”Use the “Windows Search” 1.1. New user or group accounts, especially with AdministratorNew user or group accounts, especially with Administrator privilegesprivileges 2.2. Shared folders (including hidden folders).Shared folders (including hidden folders). 3.3. Newly created files with normal looking file names but inNewly created files with normal looking file names but in unusual locationsunusual locations 4.4. Opened network portsOpened network ports – Netstat, FPortNetstat, FPort
- 18. 1818 Intrusion detectionIntrusion detection Viruses and intrusion are the most publicized threats to systemViruses and intrusion are the most publicized threats to system securitysecurity Intrusion: illegally gaining access to systemsIntrusion: illegally gaining access to systems Intrusion techniques: acquiring protected information (often userIntrusion techniques: acquiring protected information (often user passwords)passwords) – Passwords are associated with users in filesPasswords are associated with users in files Password files must be protectedPassword files must be protected Countermeasures: prevention and detectionCountermeasures: prevention and detection – If intrusion prevention fails,If intrusion prevention fails, – Intrusion detection is the real defense line.Intrusion detection is the real defense line.
- 19. 1919 Intrusion detectionIntrusion detection Intrusion detection is based on the assumption that the behaviorIntrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways thatof the intruder differs from that of a legitimate user in ways that can be quantified.can be quantified. Intrusion detection approaches:Intrusion detection approaches: – Statistical anomaly detectionStatistical anomaly detection – Rule-based detectionRule-based detection Audit Records: is a fundamental tool for intrusion detectionAudit Records: is a fundamental tool for intrusion detection – A detection record may contain subject (user, process), action (login,A detection record may contain subject (user, process), action (login, read, write), object (files, programs), resource usage, timestampread, write), object (files, programs), resource usage, timestamp Examples of IDS:Examples of IDS: – Cisco’s Secure IDSCisco’s Secure IDS – ISS RealSecureISS RealSecure – SnortSnort
- 20. 2020 Firewall
- 21. 2121 FirewallFirewall A firewall is any device used as a network-level access controlA firewall is any device used as a network-level access control mechanism for a particular network or a set of networksmechanism for a particular network or a set of networks – Firewall is used to prevent outsiders from accessing an internal network.Firewall is used to prevent outsiders from accessing an internal network. Firewalls may be stand-alone computers, routers, or firewallFirewalls may be stand-alone computers, routers, or firewall appliances (sometimes with their own OS)appliances (sometimes with their own OS) They serve as control points to and from networksThey serve as control points to and from networks They check whether or not network traffic should be allowedThey check whether or not network traffic should be allowed according to sets of rules or policies.according to sets of rules or policies. Pitfalls: slowing data transmission, impairing networkingPitfalls: slowing data transmission, impairing networking
- 22. 2222 Types of firewallsTypes of firewalls Packet filtering routersPacket filtering routers Stateful-inspection firewallsStateful-inspection firewalls Application-level gateway (also called proxy server)Application-level gateway (also called proxy server) Circuit-level gatewayCircuit-level gateway Examples:Examples: – CheckPoint’s Firewall-1: Stateful-inspection-basedCheckPoint’s Firewall-1: Stateful-inspection-based – Cisco’s PIX:stateful packet filter-basedCisco’s PIX:stateful packet filter-based – Border’s FireWall Server: Proxy-basedBorder’s FireWall Server: Proxy-based – Tiny Software’s Tiny Personal Firewall: Packet filter-basedTiny Software’s Tiny Personal Firewall: Packet filter-based
Editor's Notes
- #5: Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file