L7 - L8 Network Attack & Intrusion

Question 1

Describe the rule-based approach to intrusion detection.

Answer 1

• Develop rules to specify whether observed behaviour is intruder behaviour
• Anomaly Detection
  
  • Rules used to detect changes from previous behaviour
  • Rules developed from known intrusion behaviour.

Question 2

What is profile based Statistical Anomaly Detection?

Answer 2

• Past behaviour of individual or related group of individuals is used to calibrate the current activity.
• Compares the value of metrics measured from current audit records to from those measured on past audit records.

Question 3

What are three categories of intruders?

Answer 3

• Masquerader
  
  • ​Unauthorised user who exploits a legitimate user’s account.
• Misfeasor
  
  • A legitimate user who accesses unauthorised data, programs or resources.
  • A legitimate user who is authorised but misuses their
    privileges.
• Clandestine User
  
  • A user who seizes supervisory control of the system anduses it to evade auditing and access control or to suppress audit collection.

Question 4

What is Distributed Intrusion Detection?

Answer 4

• Organisations typically need to defend multiple hosts
• More effective detection if information can be pooled from systems across the network rather than having one stand-alone intrusion detector for each host
• Difficulties of pooling data
  
  • Different systems may have different audit record formats. This poses a difficulty in combining data from different systems
  • Data needs to be transmitted across the network. This data must maintain integrity (to prevent intruders covering their tracks) and confidentiality.
• Centralized architecture
  
  • One location where reports are collected and analysed.
  • Issues: Potential bottleneck and one point of failure.
• Decentralized architecture.
  
  • Reports analysed at multiple 32 locations
  • Issues: Coordination and information exchange.

Question 5

What are the two types of audit records?

Answer 5

1. Native Audit Records
   
   • Most multiuser operating systems collect Information on user activity
   • Pro: No need to have additional software to collect data
   • Con: Native record may not store data in a form convenient for intrusion detection
2. Detection Specific Audit Records
   
   • Contains only data pertaining to intrusion detection
   • Pro: Can in principle be independent of the specifics of the system.
   • Con: Extra overhead (this data is collected in addition to the native audit)

Question 6

What is Proactive Checking?

Answer 6

User selects a password, the system then evaluates its
strength.

If the password is deemed too weak the system rejects the
password and asks the user for a different password
Additional feedback can be provided which enables the
user to have an understanding why their desired password
was rejected.

Cons

• Naturally the stronger the password the better. However thesystem needs to be carefully tuned to strike a balancebetween acceptability and password strength. If the systemis too strict it may reject too many passwords; Users will find it difficult to invent a suitable password
• If the system has too simple a definition of what is anacceptable password. Password crackers can use thefeedback from the system to refine their own password guessing technique.

Question 7

What are examples of metrics used in profile based anomaly detection?

Answer 7

Counter

• Count certain types of event over a particular period of time,
• e.g. number of logins per hour, number of password failures per minute

Gauge

• Used to measure the current value of an entity
• e.g. number of logical connections assigned to a user. (Value can go up and down during a session)

Interval timer

• Length of time between two related events,
• e.g. the time between successive logins

Resource Utilization

• e.g. Pages printed during a user session
• total amount of program execution time…

Question 8

Describe the Statistical Anomaly Detection based approach to Intrusion Detection.

Answer 8

• Data for legitimate users is collected. Tests are performed to determine whether current observed behaviour is consistent with previous legitimate behaviour.

Question 9

What are the two types of Statistical Anomaly Detection?

Answer 9

1. Threshold Detection
2. Profile Based Dectection

Question 10

Name three intrusion techniques

Answer 10

• Password Guessing
  
  • Default passwords that ship with systems (including dummy accounts placed by the software developers for debugging purposes) Likely password lists (seen these already) Target users and collect personal information such as full name, names of children, hobbies , etc
• Trojan Horse.
  
  • A seemingly legitimate program that bypasses access controls.
• Physical Security, wire tapping.

Question 11

What can be done to make a network safer?

Answer 11

• Encryption:
  
  • use protocols that protect specific parts of the network and/or the transmitted data
• Management:
  
  • keeping system up-to-date, configuring it in a way to minimize attack surface
• Filtering:
  
  • use of firewalls to stop bad things from entering your network
• Intrusion detection:
  
  • monitor network for signs of malicious behavior

Question 12

What is a Honeypot?

Answer 12

• A Honeypot is a decoy system. It is designed to
  
  • divert hacker from accessing the real systems
  • Collect information about the attacker’s activity
  • Encourage attacker to remain on the system long enough for admin to take action
• The system will contain fabricated information that will appear to be valuable
• System will have event loggers and other monitors to collect information about an attack.
• The honeypot can be one machine,they can also be entire networks containing simulated traffic.
• Admin can observe in detail the behaviour of the attacker in order to develop counter-measures

Question 13

What assumptions does intrusion detection make?

Answer 13

• The behaviour of an intruder is different to a legitimate user.
• Typical behaviour of an intruder might be different to legitimate user behaviour but there will likely be overlap.
• There will be behaviours that could equally have been performed by both legitimate users and intruders

Question 14

What is Reactive Checking?

Answer 14

Password cracking software used to determine weak passwords.
Cons

• All accounts whose passwords have been cracked have their passwords canceled and the owner of the account is notified.
• Weak passwords remain vulnerable to attack until the reactive check is performed.
• Running reactive check is computationally intensive.

Question 15

What is Threshold based Statistical Anomaly Detection?

Answer 15

• Count the number of occurrences of a particular event over a specified time interval, if the count exceeds a threshold assume an intrusion has occurred
• Fairly crude approach. Users exhibit considerable variability in their behaviour, so setting a common threshold will likely lead to either too many false positives if the threshold is set to low and too many false negatives if the threshold is set too high