Sunday, 25 August 2019

Intrusion Detection

Okay, we have already looked at Authentication and access control, namely where you are proving to each other who you say you are, however here we will look at authorisation, and intrusion detection - namely once you have access what can you do, and how to detect whether somebody, or something, who shouldn't have access is attempting to gain access.

So, one of the best ways to deal with authorisation is to have a spreadsheet, namely a list of names, and a list of applications, and in the boxes that intersect, whether they can read, write, or execute the file. However, this spreadsheet can become particularly large when we are dealing with something the size of, say, McDonalds, or maybe even a bank like JP Morgan.


Actually, this matrix could form a part of a database, but the thing is that before we allow somebody to access something we need to check the matrix. Say Bob accesses the system, and wants to change the accounting data. Well, we go to the column for the data, and the row for Bob, and notice that he only has read authority. As such, we basically disable any function that will enable him to write, or change, the data.

Well, we could use what are termed access control lists:

You also have the functions working in the opposite direction, with regards to capabilities. This helps when the users manage their own data, and the protection is data orientated. Further, it is easy to change the rights to a resource. With capabilities, it is easier to delegate, and easier to add and remove users, but can be pretty complicated to implement.

Inference Control

Let us consider the following question: what was the average salary of a female minister on the Abbott Government's front bench? Well, the answer is, say, $150,000.

How many women sat on the Abbott Government's front bench? Well, there is a pretty easy answer to that one, namely Julie Bishop, and that is it.

Well, that is probably a bad example because I believe that all government ministers get paid the same amount, however you can see what is happening here. We are asking for an average, but the answer that we are getting isn't an average because, well, there is only one candidate that fulls the criteria. This could be the same when it comes to asking for the average household income of a town in which there is only one household - it gives away information, in a round-a-bout way, that should actually be private (not that the salary of government ministers are private).

So, how do we solve this quandary, particularly when it comes to research? Well, one method involves not releasing information if K% or more is contributed to by less than N respondents. This is referred to as the K dominance rule. The problem is that robust control might not be sufficient, or even work, so we reach the position where weak inference control and channel protect is probably better than none, namely because it at least prevents some leaking.

However, is weak cryptography better than no cryptography? Probably not, because if you are hiding something, and it is easy to crack the code, then honestly, you might as well place it up on a billboard for everybody to see, because that is probably where it is going to end up anyway. In fact, sometimes having no encryption is better because if something is not encrypted, then nobody will consider it important - such as an open front door probably signals to a potential burgler that somebody is home, so they will go somewhere else.

I call this hiding in plain sight.

Let us look at a typical security network:


When it comes to firewalls there is no actual strict terminology. However what it does is that it provides access control to the network, and decides what to let in, and what can go out. Three common types are the packet filter, which works at the network layer, the stateful packet filter which works at the transport layer, and the application proxy, which works at the application layer (take a look at the OSI model for references to them).

The packet filter can filter out packets based on a number of factors, including the source and destination IP address, the source and destination port, as well as flag bits, and also ingress and egress (that is whether it is going in, or out). Like the access control, the functions of the packet filter can also work on a matrix, as outlined below, which is designed to limit traffic to web browsing:


There is also this concept of the DMZ, which is a military term known as the demilitarized zone. In military parlance this is an area where no military activity is supposed to occur - the most famous one being the border of North and South Korea. One of the most common uses of a DMZ is for public wifi. Starbucks, for instance, has free wifi for people who order coffee there. Basically what it does is that it partitions off a part of the network to allow a larger access than what the network would normally allow. In fact, when you try to connect to the Starbuck's wifi, you will probably note that they have two channels, one for the public, and another, more secure one, for the staff.

Preventing Intrusion

This is the more traditional form of computer security. Passwords, access control, and firewalls are all a form of intrusion prevention, as well as virus scanners. Viruses are an interesting thing because many of them are designed to circumvent such protocols, such as giving an attacker direct access to one's system. For instance, they might actually open a port that the intruder can use to completely bypass any form of password protection.

However, despite all of our attempts to keep intruders out, sometimes they do get in, so we also need systems that will detect specific activity, or attacks in process. While the traditional hacker is usually gaining access from the outside, sometimes you might have somebody inside the company accessing something that they aren't supposed to access. For instance, in one of my former jobs, if you accessed a file that you were not supposed to access, our compliance department would actually be notified.

Accessing confidential information may not be the only thing because they might also launch attacks, whether they be well known, little known, or even new. Actually, it is probably the amateurs that launch well known attacks, because this whole concept of computer security is like an arms race - every time we find a way to kill a virus, new virus are being developed to counteract that. Actually, it is sort of like biological viruses, that develop immunities to well known drugs.

Signature Detection

Intrustion detection comes down to signatures, which are generally attacks, and anomolies, which is suspicious behaviour. They can also be monitored on a host, or on a network as a whole. For instance, failed log in attempts may be a signature of an attempt to crack a password. As such, an algorithm of so many failed attempts in a certain amount of time will trigger an alert that there is an attack. My bank has something along the lines of five failed attempts, and after the fifth attempt the account is locked. My phone has a similar detection system, except instead on locking me out of my phone, it will institute a delay between attempts, that gradually gets larger and larger the more failed attempts that occur.

Obviously we want to avoid false alarms, such as me forgetting my password, so they generally incorporate a certain number of tries before implementing the intrusion prevention mechanism. Mind you, an attacker might know about this, and if the mechanism is triggered after five attempts, then an attacker might only do four, and then wait. While it isn't perfect, it will actually slow the attacker down, and make brute force attacks even more useless.

The advantages of this approach is that it is simple, it can detect known attacks, it can know which type of attack is occurring at the time of the attack, and it is efficient, though only if there is a reasonable number of signatures. The catch is that it only works on known attacks, the signature files need to be kept up to date, and the number of signatures can become inordinately large.

Anomoly Based

So, say we have Moss, who regularly uses the work system. Now, we have a pattern for how he accesses and uses files - he opens, reads, closes, opens, opens, reads, close. Now, we have a number of pairings that we can work with, such as (open, read), (read, close), (close, open). So, what we can do is we can monitors these three commands, and since we know the common pairs, we can keep an eye on abnormalities. For instance, if there is a spate of (open,open), which rarely happens, then this will trigger an anomaly warning, meaning that maybe there is an intruder using Moss' account.
This is actually a pretty basic one, and we could increase the chance of picking up an anomaly by including more commands, increase the number of commands to beyond two, and even consider the frequency of each of the pairs. Another way of detecting anomalies is the frequency, and length of time, that a file is accessed. Consider below:

On the left we have the average recording of the files being accessed, and on the right we have the current recording of the access over, say, the day. So, is there an anomaly? Well, time for some more maths.

S = (H0 - A0)2 + (H1 - A1)2 + (H2 - A2)2 + (H3 - A3)2

S =(0.1 - 0.1)2 + (0.4 - 0.4)2 + (0.4 - 0.3)2 + (0.1 - 0.2)2
S= (0)2 + (0)2 + (0.1)2 + (-0.1)2
S = 0.01 + 0.01 = 0.02.

We basically consider that an anomaly that is less than 0.1 to be normal, and since we have come out with 0.02 then we consider this to be a normal variation.

Since there are going to be variations, and changes in the usage, we do need to regularly update them, and we do so with this formula: Hi = 0.2*Ai + 0.8*Hi

In this case, it will be 0.2*0.3 + 0.8*0.4 = 0.06 + 0.32 = 0.38, which then becomes the new H2. We also do the same for H3 to generate the new H3.

So, with this method the averages regularly update to reflect changes in behaviour, and to also reduce the number of false alarms.

As for attacks, well, we will have one where the intruder attacks all of the hosts in an attempt to locate the weakest link, and then access the network through the weakest link:


And finally, we have the attack where a victim is attacked from many sectors at once.


And so, this was computer security. I no doubt will be coming back to this topic again in the future, but I shall be leaving it here now. Sure, this may have seemed like a hodge podge of stuff, but that is basically our lecture notes.


Creative Commons License

Intrusion Detection by David Alfred Sarkies is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. This license only applies to the text and any image that is within the public domain. Any images or videos that are the subject of copyright are not covered by this license. Use of these images are for illustrative purposes only are are not intended to assert ownership. If you wish to use this work commercially please feel free to contact me

No comments:

Post a Comment