UNIT IV
SECURITY PRACTICE & SYSTEM SECURITY
Authentication applications – Kerberos – X.509 Authentication
services - Internet Firewalls for Trusted System: Roles of
Firewalls – Firewall related terminology-Types of Firewalls -
Firewall designs – SET for E-Commerce Transactions. Intruder
– Intrusion detection system – Virus and related threats –
Countermeasures – Firewalls design principles – Trusted
systems – Practical implementation of cryptography and
security
Kerberos
Assume an open distributed environment in which users at workstations wish
to access services on servers distributed throughout the network.
The following three threats exist
1. A user may gain access to a particular workstation and pretend to be
another user operating from that workstation.
2. A user may alter the network address of a workstation so that the requests
sent from the altered workstation appear to come from the impersonated
workstation.
3. A user may eavesdrop on exchanges and use a replay attack to gain
entrance to a server or to disrupt operations.
Kerberos provides a centralized authentication server whose function is to
authenticate users to servers and servers to users.
Two versions of Kerberos are in use: Version 4 and Version 5 (RFC 4120).
Kerberos requirements:
1. Secure: a network eavesdropper should not be able to obtain the information
needed to impersonate a user.
2. Reliable: the authentication service should be highly available, since every
service that depends on it is unavailable when it is down.
3. Transparent: the user should not be aware that authentication is taking place
beyond entering a password.
4. Scalable: the system should support large numbers of clients and servers.
To support these requirements, the overall scheme of Kerberos is that of a
trusted third-party authentication service that relies entirely on
conventional (symmetric) encryption; no public-key cryptography is used.
Kerberos version 4
In an unprotected network environment, any client can apply to any server
for service, and the server has no reliable way to confirm who the client is.
The obvious security risk is that an opponent can pretend to be another
client and obtain unauthorized privileges on server machines.
[Figure: simple authentication dialogue. The client sends IDc || Pc || IDv to
the Kerberos authentication server, which checks its user database and returns
a Ticket; the client then presents IDc || Ticket to the server V.]
Simple authentication dialogue
An authentication server (AS) knows the passwords of all users and stores
these in a centralized database.
In addition, the AS shares a unique secret key with each server; these keys
are distributed physically or in some other secure manner.
(1) C → AS : IDC || PC || IDV
(2) AS → C : Ticket
(3) C → V : IDC || Ticket
Ticket = E(Kv, [IDC || ADC || IDV])
where
C = client
AS = authentication server
V = server
IDC = identifier of user on C
IDV = identifier of V
PC = password of user on C
ADC = network address of C
Kv = secret encryption key shared by AS and V
More secure authentication dialogue
Two problems remain with the simple dialogue in an open network environment.
1) We would like to minimize the number of times that a user has to enter a
password.
If user C logs on to a workstation in the morning and wishes to check
his or her mail at a mail server, C must supply a password to get a ticket
for the mail server.
If C wishes to check the mail several times during the day, each attempt
requires re-entering the password.
For a single logon session, the workstation can store the mail server
ticket after it is received and use it on behalf of the user for multiple
accesses to the mail server.
It remains the case that a user would need a new ticket for every
different service.
2) The earlier scenario involved a plaintext transmission of the password.
An eavesdropper could capture the password and use any service
accessible to the victim.
To solve these problems, we introduce a scheme for avoiding plaintext
passwords and a new server, known as the ticket-granting server (TGS).
Once per user logon session:
(1) C→AS: IDC||IDtgs
(2) AS→C: E(Kc, Tickettgs)
Once per type of service:
(3) C→TGS: IDC||IDV||Tickettgs
(4) TGS→C: Ticketv
Once per service session:
(5) C→V: IDC||Ticketv
Tickettgs = E(Ktgs, [IDC||ADC||IDtgs||TS1||Lifetime1])
Ticketv = E(Kv, [IDC||ADC||IDv||TS2||Lifetime2])
The transactions are summarized as follows:
1) The client requests a ticket-granting ticket on behalf of the user by sending
the user's ID and the TGS ID to the AS. The password itself is not sent.
2) The AS responds with a ticket that is encrypted with a key (Kc) derived from
the user's password. The client prompts the user for the password, derives Kc,
and decrypts the message; only the user who knows the password can recover the
ticket-granting ticket, so the password never crosses the network.
3) The client requests a service-granting ticket from the TGS by sending the
user's ID, the ID of the desired service, and the ticket-granting ticket.
4) The TGS decrypts the incoming ticket and verifies the success of the decryption
by the presence of its ID. It checks that the lifetime has not expired. If the
user is permitted access to the server V, the TGS issues a ticket granting
access to the requested service.
5) The client requests access to a server with the user's ID and the service-granting
ticket. The server authenticates the user by using the contents of the ticket.
A full-service Kerberos environment consisting of a Kerberos server, a number
of clients, and a number of application servers requires the following:
1) The Kerberos server must have the user ID and hashed passwords of all
participating users in its database. All users are registered with the Kerberos server.
2) The Kerberos server must share a secret key with each server. All servers are
registered with the Kerberos server.
Such an environment is referred to as a Kerberos realm.
For users in one realm to access servers in another realm, a third
requirement applies:
3) The Kerberos server in each interoperating realm shares a secret key with the
server in the other realm. The two Kerberos servers are registered with each other.
The details of the exchanges from one realm to another realm:
(1) C→AS: IDc||IDtgs||TS1
(2) AS →C: E(Kc, [Kc,tgs||IDtgs||TS2||Lifetime2||Tickettgs])
(3) C→ TGS: IDtgsrem||Tickettgs||Authenticatorc
(4) TGS → C: E(Kc,tgs, [Kc,tgsrem||IDtgsrem||TS4||Tickettgsrem])
(5) C →TGSrem: IDvrem||Tickettgsrem||Authenticatorc
(6) TGSrem →C: E(Kc,tgsrem, [Kc,vrem||IDvrem||TS6||Ticketvrem])
(7) C →Vrem: Ticketvrem||Authenticatorc
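As an added worked example (written for these notes, not code from the original page or from any Kerberos implementation), the following Python models the exchange above within a single realm: the AS exchange (1)/(2), the TGS exchange (3)/(4), and the client/server exchange (5)/(7) with a local server V standing in for TGSrem and Vrem. The user name alice, the server mail, the network addresses, the 8-hour ticket lifetime and the 5-minute clock skew are assumed values, and the cipher is a toy encrypt-then-MAC built from hashlib that stands in for DES. It then shows which check rejects a replayed authenticator, a ticket presented from a different host, a modified ticket, and a wrong password.

```python
import hashlib, hmac, json, os, time

LIFETIME = 8 * 3600      # ticket lifetime in seconds (assumed value)
SKEW = 300               # tolerated clock skew for authenticator timestamps (assumed)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, msg):
    """E(key, msg): toy encrypt-then-MAC over the JSON encoding of msg (stand-in for DES)."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

key_from_password = lambda pw: hashlib.sha256(pw.encode()).digest()   # Kc = f(password), toy

def ticket(key, sk, idc, adc, idv):      # Ticket = E(key, [SK || IDc || ADc || IDv || TS || Lifetime])
    return seal(key, {"SK": sk.hex(), "IDc": idc, "ADc": adc, "IDv": idv,
                      "TS": time.time(), "Lifetime": LIFETIME})

def check_ticket(key, tkt, idv, adc, auth, seen):
    """Server-side validation of ticket + authenticator; returns (session key, authenticator)."""
    t, now = unseal(key, tkt), time.time()
    if t["IDv"] != idv or now > t["TS"] + t["Lifetime"]:
        raise ValueError("ticket is for another server or has expired")
    sk = bytes.fromhex(t["SK"])
    a = unseal(sk, auth)                          # presenter must know the session key
    if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]) or a["ADc"] != adc:
        raise ValueError("authenticator does not match ticket or sending host")
    if abs(now - a["TS"]) > SKEW or auth in seen:  # fresh, and never used before
        raise ValueError("authenticator stale or replayed")
    seen.add(auth)
    return sk, a

class KDC:                        # authentication server (AS) + ticket-granting server (TGS)
    def __init__(self, users, servers):
        self.users, self.servers = users, servers           # {IDc: Kc}, {IDv: Kv}
        self.ktgs, self.seen = os.urandom(32), set()
    def as_exchange(self, idc, adc, ts1):                   # messages (1)/(2)
        sk = os.urandom(32)                                 # Kc,tgs
        return seal(self.users[idc], {"Kc,tgs": sk.hex(), "IDtgs": "tgs", "TS2": time.time(),
                                      "Tickettgs": ticket(self.ktgs, sk, idc, adc, "tgs").hex()})
    def tgs_exchange(self, idv, tgt, auth, adc):            # messages (3)/(4)
        kc_tgs, a = check_ticket(self.ktgs, tgt, "tgs", adc, auth, self.seen)
        sk = os.urandom(32)                                 # Kc,v
        return seal(kc_tgs, {"Kc,v": sk.hex(), "IDv": idv, "TS4": time.time(),
                             "Ticketv": ticket(self.servers[idv], sk, a["IDc"], adc, idv).hex()})

class Server:
    def __init__(self, idv, kv): self.idv, self.kv, self.seen = idv, kv, set()
    def serve(self, tkt, auth, adc):                        # messages (5)/(6)
        sk, a = check_ticket(self.kv, tkt, self.idv, adc, auth, self.seen)
        return seal(sk, {"TS": a["TS"] + 1})                # V proves it holds Kc,v

class Client:
    def __init__(self, idc, password, adc): self.idc, self.kc, self.adc = idc, key_from_password(password), adc
    def authenticator(self, sk):
        return seal(sk, {"IDc": self.idc, "ADc": self.adc, "TS": time.time()})
    def logon(self, kdc):
        r = unseal(self.kc, kdc.as_exchange(self.idc, self.adc, time.time()))
        self.kc_tgs, self.tgt = bytes.fromhex(r["Kc,tgs"]), bytes.fromhex(r["Tickettgs"])
    def service_ticket(self, kdc, idv):
        r = unseal(self.kc_tgs, kdc.tgs_exchange(idv, self.tgt, self.authenticator(self.kc_tgs), self.adc))
        return bytes.fromhex(r["Kc,v"]), bytes.fromhex(r["Ticketv"])
    def use(self, server, kc_v, tkt):
        auth = self.authenticator(kc_v)
        reply = unseal(kc_v, server.serve(tkt, auth, self.adc))
        return reply["TS"] == unseal(kc_v, auth)["TS"] + 1, auth

def run_demo():
    kv = os.urandom(32)
    kdc = KDC({"alice": key_from_password("correct horse")}, {"mail": kv})
    mail, alice = Server("mail", kv), Client("alice", "correct horse", "10.0.0.5")
    alice.logon(kdc)
    kc_v, tkt = alice.service_ticket(kdc, "mail")
    mutual_ok, auth = alice.use(mail, kc_v, tkt)
    results = {"mutual_auth": mutual_ok}
    attacks = {                                  # each of these must be rejected
        "replayed_authenticator": lambda: mail.serve(tkt, auth, "10.0.0.5"),
        "ticket_used_from_other_host": lambda: mail.serve(tkt, alice.authenticator(kc_v), "192.0.2.9"),
        "tampered_ticket": lambda: mail.serve(tkt[:-1] + bytes([tkt[-1] ^ 1]), alice.authenticator(kc_v), "10.0.0.5"),
        "wrong_password": lambda: Client("alice", "guess", "10.0.0.5").logon(kdc),
    }
    for name, attempt in attacks.items():
        try:
            attempt()
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results
```

run_demo() returns a dictionary of outcomes. Two points worth noticing: the server can only reject a replay if it remembers authenticators for at least the skew window, and it is the network address ADc inside the ticket, compared with the address the packet actually arrived from, that stops a stolen ticket from being used elsewhere. Both checks happen inside check_ticket, which is shared by the TGS and by V.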
Differences between Versions 4 and 5
Parameter                   Version 4                               Version 5
Encryption system           Requires the use of DES.                Ciphertext is tagged with an
dependence                                                          encryption-type identifier, so any
                                                                    encryption technique may be used.
Internet protocol           Requires the use of Internet            Network addresses are tagged with
dependence                  Protocol (IP) addresses.                type and length, allowing any
                                                                    network address type to be used.
Message byte ordering       Sender chooses its own byte ordering    Uses Abstract Syntax Notation One
                            and tags the message (least or most     (ASN.1) and Basic Encoding Rules
                            significant byte in lowest address).    (BER), an unambiguous encoding.
Ticket lifetime             8-bit quantity in units of five         Explicit start and end times,
                            minutes (maximum 2^8 x 5 = 1280         allowing tickets with arbitrary
                            minutes, about 21 hours).               lifetimes.
Authentication forwarding   Does not allow credentials issued       A client may access a server and
                            to one client to be forwarded to        have that server access another
                            some other host and used by some        server on behalf of the client.
                            other client.
Interrealm authentication   Interoperability among N realms         Requires fewer relationships.
                            requires on the order of N^2
                            Kerberos-to-Kerberos relationships.
X.509 CERTIFICATE
X.509 is part of the X.500 series of recommendations that define a directory
service.
The directory is a server or distributed set of servers that maintains a
database of information about users.
The directory may serve as a repository of public-key certificates.
Each certificate contains the public key of a user and is signed with the
private key of a trusted certification authority.
X.509 is based on the use of public-key cryptography and digital signatures.
X.509 does not dictate a specific algorithm for public-key cryptography or
for digital signatures (the standard recommends RSA); the digital signature
scheme is assumed to require the use of a hash function.
CERTIFICATE
The heart of the X.509 scheme is the public-key certificate associated with
each user.
These user certificates are created by a trusted certification authority (CA)
and placed in the directory by the CA or by the user.
The directory server is not responsible for the creation of public keys or for
the certification function; it merely provides an easily accessible location
for users to obtain certificates.
The general format of a certificate
Version – Differentiate successive versions – version 1, version 2 and
version 3.
Serial number: Unique integer value issued by CA
Signature algorithm identifier : The algorithm used to sign the certificate
Issuer name : X.500 name of the CA that created and signed this
certificate.
Period of validity: Consists of two dates: the first and last on which the
certificate is valid.
Subject name: The name of the user to whom this certificate refers.
Subject’s public-key information: The public key of the subject, plus an
identifier of the algorithm
Issuer unique identifier: An optional bit-string field used to identify
uniquely the issuing CA in the event that the X.500 name has been reused
for different entities.
Subject unique identifier: An optional bit-string field used to identify
uniquely the subject in the event that the X.500 name has been reused
for different entities.
Extensions: A set of one or more extension fields (added in version 3).
Signature: Covers all of the other fields of the certificate; it contains the
hash code of the other fields encrypted with the CA's private key, together
with the signature algorithm identifier.
The standard uses the following notation to define a certificate:
CA << A >> = CA {V, SN, AI, CA, UCA, A, UA, Ap, TA }
where
Y <<X>> = the certificate of user X issued by certification authority Y
Y {I} = the signing of I by Y. It consists of I with an encrypted hash
code appended
V = version of the certificate
SN = serial number of the certificate
AI = identifier of the algorithm used to sign the certificate
CA = name of certificate authority
UCA = optional unique identifier of the CA
A = name of user A
UA = optional unique identifier of the user A
Ap = public key of user A
TA = period of validity of the certificate
OBTAINING A CERTIFICATE
User certificates generated by a CA have the following characteristics:
1) Any user with access to the public key of the CA can verify the user
public key that was certified.
2) No party other than the certification authority can modify the certificate
without this being detected.
Because certificates are unforgeable, they can be placed in a directory
without the need for the directory to make special efforts to protect them.
Now suppose that A has obtained a certificate from certification authority X1:
X1<<A>>
B has obtained a certificate from CA X2:
X2<<B>>
[Figure: CA X1 certifies user A; CA X2 certifies user B.]
If A does not securely know the public key of X2, then B's certificate is
useless to A: A can read B's certificate but cannot verify the signature.
For A to obtain B's public key:
Step 1
A obtains from the directory the certificate of X2 signed by X1.
Because A securely knows X1's public key,
A can obtain X2's public key from its certificate and
verify it by means of X1's signature on the certificate.
Step 2
A then goes back to the directory and obtains the certificate of B signed by
X2.
Because A now has a trusted copy of X2's public key,
A can verify the signature and securely obtain B's public key.
A has used a chain of certificates to obtain B's public key:
X1 << X2 >> X2 << B >>
B can obtain A's public key with the reverse chain:
X2 << X1 >> X1 << A >>
In the CA hierarchy used as an example in the standard (CAs X, W, V, Y and Z,
with A certified by X and B certified by Z), user A can acquire the following
certificates from the directory to establish a certification path to B:
X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>
When A has obtained these certificates, it can unwrap the certification path in
sequence to recover a trusted copy of B's public key.
Using this public key, A can send encrypted messages to B.
If A wishes to receive encrypted messages back from B, or to sign messages
sent to B, then B will require A's public key, which can be obtained from the
following certification path:
Z<<Y>> Y<<V>> V<<W>> W<<X>> X<<A>>
CERTIFICATE REVOCATION
Each certificate includes a period of validity, but it may be desirable on
occasion to revoke a certificate before it expires, for one of the following
reasons:
- The user's private key is assumed to be compromised.
- The user is no longer certified by this CA.
- The CA's certificate is assumed to be compromised.
Each CA maintains a signed list of revoked but not yet expired certificates,
the certificate revocation list (CRL), posted to the directory; a user
checking a certificate should also check that it is not on the current CRL.
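As an added example (written for these notes, not from the original page, the X.509 standard or any certificate library), the following Python builds the certification path X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>> from a directory of certificates and unwraps it in sequence, applying the checks a verifier needs: issuer/subject names chain, each signature verifies under the previous key, the validity period contains the current time, the certificate is not on the issuer's CRL, and only a CA may issue the next certificate in the path (the "CA" field is a stand-in for the basicConstraints extension of version 3). The signature scheme is textbook RSA with tiny keys generated from a fixed seed, the CA names are the standard's example names, and the clock value and serial numbers are assumed.

```python
import hashlib, json, random

def _is_probable_prime(n, rng, rounds=16):          # Miller-Rabin, adequate for a toy demo
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(rng, bits=128):                          # textbook RSA, far too small for real use
    def prime():
        while True:
            c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(c, rng):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))   # (public, private)

def _digest(data, n): return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data): return pow(_digest(data, priv[0]), priv[1], priv[0])      # Y{I}
def verify(pub, data, sig): return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])
def _tbs(body): return json.dumps(body, sort_keys=True).encode()              # to-be-signed bytes

def issue(issuer, issuer_priv, subject, subject_pub, serial, not_before, not_after, ca):
    """Y<<X>> = Y {V, SN, AI, Y, X, Xp, T, extensions}; "CA" stands in for basicConstraints."""
    body = {"V": 3, "SN": serial, "AI": "toy-rsa-with-sha256", "issuer": issuer,
            "subject": subject, "pubkey": list(subject_pub),
            "validity": [not_before, not_after], "CA": ca}
    return {"tbs": body, "sig": sign(issuer_priv, _tbs(body))}

def build_path(directory, anchor, target):
    """Breadth-first walk over issuer -> subject links from the trusted CA to the target."""
    frontier = [[c] for c in directory if c["tbs"]["issuer"] == anchor]
    while frontier:
        path = frontier.pop(0)
        last = path[-1]["tbs"]["subject"]
        if last == target:
            return path
        seen = {c["tbs"]["subject"] for c in path}
        frontier += [path + [c] for c in directory
                     if c["tbs"]["issuer"] == last and c["tbs"]["subject"] not in seen]
    raise LookupError("no certification path from %s to %s" % (anchor, target))

def validate_path(path, anchor, anchor_pub, now, crl=frozenset()):
    """Unwrap the path in sequence; returns the target's public key or raises ValueError."""
    issuer, key = anchor, anchor_pub
    for i, cert in enumerate(path):
        t = cert["tbs"]
        if t["issuer"] != issuer:
            raise ValueError("issuer name on certificate of %s does not chain" % t["subject"])
        if not verify(key, _tbs(t), cert["sig"]):
            raise ValueError("bad signature on certificate of %s" % t["subject"])
        if not t["validity"][0] <= now <= t["validity"][1]:
            raise ValueError("certificate of %s outside its validity period" % t["subject"])
        if (t["issuer"], t["SN"]) in crl:
            raise ValueError("certificate of %s has been revoked" % t["subject"])
        if i < len(path) - 1 and not t["CA"]:
            raise ValueError("%s is not a CA but issued the next certificate" % t["subject"])
        issuer, key = t["subject"], tuple(t["pubkey"])
    return key

def demo():
    rng, now = random.Random(7), 1_700_000_000            # deterministic toy keys, fixed clock
    names = ["X", "W", "V", "Y", "Z", "B"]
    keys = {n: keygen(rng) for n in names}
    directory = [issue(iss, keys[iss][1], sub, keys[sub][0], sn, now - 86400,
                       now + 365 * 86400, ca=(sub != "B"))
                 for sn, (iss, sub) in enumerate(zip(names, names[1:]), start=1)]
    path = build_path(directory, "X", "B")                # X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>
    x_pub = keys["X"][0]
    results = {"path": [c["tbs"]["subject"] for c in path],
               "key_ok": validate_path(path, "X", x_pub, now) == keys["B"][0]}
    renamed = {"tbs": dict(path[-1]["tbs"], subject="Mallory"), "sig": path[-1]["sig"]}
    checks = {
        "Z_revoked_by_Y": lambda: validate_path(path, "X", x_pub, now, crl={("Y", 4)}),
        "expired": lambda: validate_path(path, "X", x_pub, now + 400 * 86400),
        "renamed_subject": lambda: validate_path(path[:-1] + [renamed], "X", x_pub, now),
        "end_entity_acting_as_CA": lambda: validate_path(
            path + [issue("B", keys["B"][1], "Mallory", x_pub, 9, now - 1, now + 1, ca=False)],
            "X", x_pub, now),
    }
    for name, check in checks.items():
        try:
            check()
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results
```

demo() returns the path found and the outcome of each check. The last check is the one most often forgotten: without a CA/basicConstraints test, any end user holding a valid certificate could issue certificates that chain back to the trusted root.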
FIREWALL
A firewall forms a barrier through which the traffic going in each direction
must pass.
A firewall security policy dictates which traffic is authorized to pass in each
direction.
A firewall is a network security device, either hardware or software based.
The Need for a Firewall
With the evolution of the Internet, almost every organization needs Internet
connectivity, and this exposes the organization to threats from outside.
Equipping every workstation with strong security features against outside
intruders does not scale to a large network.
A firewall protects the network from Internet-based attacks at a single point.
The firewall provides an additional layer of defence, insulating the internal
systems from external networks.
FIREWALL Characteristics
All traffic from inside to outside, and vice versa, must pass through the
firewall.
Only authorized traffic, as defined by the local security policy, will be
allowed to pass.
The firewall itself is immune to penetration; this implies the use of a
hardened system with a secured operating system.
Firewall Access Control
Service control: determines the types of Internet services that can be
accessed, inbound or outbound (e.g., by IP address, protocol and port number).
Direction control: determines the direction in which particular service
requests may be initiated and allowed to flow.
User control: controls access to a service according to which user is
attempting to access it.
Behaviour control: controls how particular services are used (e.g., filtering
e-mail to eliminate spam).
FIREWALL SCOPE
A firewall defines a single choke point that keeps unauthorized users out of
the protected network.
A firewall provides a location for monitoring security-related events; audits
and alarms can be implemented on the firewall system.
A firewall is a convenient platform for several Internet functions that are
not security related, such as network address translation and usage logging.
A firewall can serve as the platform for IPsec, implementing virtual private
networks in tunnel mode.
LIMITATIONS
The firewall cannot protect against attacks that bypass the firewall, e.g.,
internal systems with dial-out capability or other links to the outside.
The firewall may not protect fully against internal threats, such as a
disgruntled employee or one who cooperates with an external attacker.
An improperly secured wireless LAN may be accessed from outside the
organization.
A laptop, PDA or other portable device may be infected outside the corporate
network and then used internally, behind the firewall.
[Figure: the firewall sits between the internal protected network (e.g., an
enterprise network) and the external network (e.g., the Internet).]
FIREWALL TYPES
Four Types of Firewall
Packet Filtering Firewall
Stateful Inspection Firewalls
Application-Level Gateway
Circuit-Level Gateway
Packet Filtering Firewall
A packet filtering firewall applies a set of rules to each incoming and
outgoing IP packet and then forwards or discards the packet.
The firewall is typically configured to filter packets going in both
directions
Filtering Rules
Filtering rules are based on information contained in a network packet:
Source IP address: the IP address of the system that originated the packet.
Destination IP address: the IP address of the system the packet is trying to
reach.
Source and destination transport-level address: the transport-level (e.g.,
TCP or UDP) port number, which identifies an application such as SMTP or Telnet.
IP protocol field: defines the transport protocol (e.g., TCP, UDP, ICMP).
Interface: for a firewall with three or more ports, which interface of the
firewall the packet came from or which interface it is destined for.
Two default policies are possible:
Default = discard: That which is not expressly permitted is prohibited.
Default = forward: That which is not expressly prohibited is permitted
Table 22.1 Packet-Filtering Examples
Rule Set A
action  ourhost  port  theirhost  port  comment
block   *        *     SPIGOT     *     we don't trust these people
allow   OUR-GW   25    *          *     connection to our SMTP port
(Inbound mail is allowed, but only to the gateway host; packets from the
untrusted host SPIGOT are blocked.)
Rule Set B
action  ourhost  port  theirhost  port  comment
block   *        *     *          *     default
(The explicit statement of the default policy; every rule set ends with this
rule implicitly.)
Rule Set C
action  ourhost  port  theirhost  port  comment
allow   *        *     *          25    connection to their SMTP port
(Any inside host can send mail to the outside. The weakness is that port 25 is
only the default for SMTP: an outside machine could link some other
application to port 25, and as written this rule lets any outside host using
source port 25 reach any port on any inside host.)
Rule Set D
action  src          port  dest  port  flags  comment
allow   {our hosts}  *     *     25           our packets to their SMTP port
allow   *            25    *     *     ACK    their replies
(The fix: inbound packets from port 25 are accepted only if the ACK flag is
set, i.e., as replies to a connection an inside host opened. An attacker can
still forge packets with ACK set, so this does not stop probing.)
Rule Set E
action  src          port  dest  port   flags  comment
allow   {our hosts}  *     *     *             our outgoing calls
allow   *            *     *     *      ACK    replies to our calls
allow   *            *     *     >1024         traffic to nonservers
(Generalizes D to all outgoing connections, but the last rule exposes any
internal service listening on a port above 1024, e.g., X11 on port 6000.)
Advantages
Simplicity.
Very fast, since only a few header fields are examined; packet filters are
typically transparent to users.
Disadvantages
Packet filter firewalls do not examine upper-layer data, so they cannot
prevent attacks that employ application-specific vulnerabilities or functions.
The logging functionality present in packet filter firewalls is limited to the
same information used for access control (addresses, ports, protocol).
They do not support advanced user authentication schemes.
Because of the small number of variables used in access control decisions,
they are susceptible to security breaches caused by improper configuration.
Attacks and countermeasures
IP address spoofing: the intruder transmits packets from the outside with
a source IP address field containing the address of an internal host.
Countermeasure: discard packets with an inside source address if they arrive
on an external interface.
Source routing attacks: the source station specifies the route that a packet
should take as it crosses the Internet, hoping to bypass security measures
that do not analyse source-routing information.
Countermeasure: discard all packets that use this option.
Tiny fragment attacks: the intruder uses the IP fragmentation option to
create extremely small fragments and force the TCP header information into a
separate fragment, so that a filter examining only the first fragment sees no
port number.
Countermeasure: enforce a rule that the first fragment must contain a
predefined minimum amount of the transport header, and discard the packet if
it does not.
Stateful Inspection Firewalls
A stateful inspection firewall tightens up the rules for TCP traffic by
creating a directory of outbound TCP connections.
There is an entry for each currently established connection (source and
destination address and port).
The packet filter will now allow incoming traffic to high-numbered ports only
for those packets that fit the profile of one of the entries in this directory.
A stateful packet inspection firewall reviews the same packet
information as a packet filtering firewall, but also records information
about TCP connections.
Some stateful firewalls also keep track of TCP sequence numbers to
prevent attacks that depend on the sequence number, such as session
hijacking.
Example Stateful Firewall Connection State Table
Source Address   Source Port  Destination Address  Destination Port  Connection State
192.168.1.100    1030         210.22.88.29         80                Established
192.168.1.102    1031         216.32.42.123        80                Established
192.168.1.101    1033         173.66.32.122        25                Established
192.168.1.106    1035         177.231.32.12        79                Established
223.43.21.231    1990         192.168.1.6          80                Established
2122.22.123.32   2112         192.168.1.6          80                Established
210.922.212.18   3321         192.168.1.6          80                Established
24.102.32.23     1025         192.168.1.6          80                Established
223.21.22.12     1046         192.168.1.6          80                Established
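As an added example (written for these notes, not from the original page or from any firewall product), the following Python implements Rule Set D of Table 22.1 as a first-match stateless packet filter and then the same rules with a connection state table like the one above. The internal prefix 192.168.1.0/24, the outside addresses and the four constructed packets are assumed. The interesting packet is the third one: a forged segment from source port 25 with ACK set, aimed at port 22 on an inside host. Rule Set D accepts it ("their replies"), while the stateful filter drops it because no inside host opened that connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUR_NET = ip_network("192.168.1.0/24")   # assumed address block of "our hosts"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:                 # one row of Table 22.1, rule sets D/E
    action: str
    src: str = "*"
    sport: str = "*"
    dst: str = "*"
    dport: str = "*"
    flags: str = "*"
    comment: str = ""

def _host_matches(pattern, addr):
    if pattern == "*":
        return True
    if pattern == "{our hosts}":
        return ip_address(addr) in OUR_NET
    return ip_address(addr) == ip_address(pattern)

def _port_matches(pattern, port):
    if pattern == "*":
        return True
    if pattern.startswith(">"):            # the ">1024" form used in Rule Set E
        return port > int(pattern[1:])
    return port == int(pattern)

def stateless_filter(rules, pkt, default="block"):
    """Packet filter: first matching rule wins; otherwise the default policy (discard)."""
    for r in rules:
        if (_host_matches(r.src, pkt.src) and _port_matches(r.sport, pkt.sport)
                and _host_matches(r.dst, pkt.dst) and _port_matches(r.dport, pkt.dport)
                and (r.flags == "*" or (r.flags == "ACK" and pkt.ack))):
            return r.action
    return default

RULE_SET_D = [
    Rule("allow", "{our hosts}", "*", "*", "25", comment="our packets to their SMTP port"),
    Rule("allow", "*", "25", "*", "*", "ACK", comment="their replies"),
]

class StatefulFilter:
    """Rule Set D plus a directory of outbound TCP connections (the state table)."""
    def __init__(self, rules):
        self.rules, self.table = rules, set()
    def decide(self, pkt):
        if ip_address(pkt.src) in OUR_NET:                  # outbound: consult the rules
            verdict = stateless_filter(self.rules, pkt)
            if verdict == "allow" and pkt.syn and not pkt.ack:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))   # new connection
            return verdict
        # inbound: allowed only if it belongs to a connection an inside host opened
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.table else "block"

def demo():
    """Same four constructed packets through both filters."""
    traffic = [
        ("our_smtp_syn", Packet("192.168.1.10", 1030, "203.0.113.5", 25, syn=True)),
        ("their_reply", Packet("203.0.113.5", 25, "192.168.1.10", 1030, syn=True, ack=True)),
        ("ack_probe_to_ssh", Packet("198.51.100.7", 25, "192.168.1.10", 22, ack=True)),
        ("inbound_smtp_syn", Packet("198.51.100.7", 4000, "192.168.1.10", 25, syn=True)),
    ]
    sf = StatefulFilter(RULE_SET_D)
    return {"stateless": {name: stateless_filter(RULE_SET_D, p) for name, p in traffic},
            "stateful": {name: sf.decide(p) for name, p in traffic}}
```

demo() returns the verdict of each filter on each packet. The state table here only covers connections opened from inside; a real deployment adds explicit inbound rules for the services it does offer (like Rule Set A's gateway on port 25), and many stateful products also track sequence numbers, which this toy omits.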
Application-Level Gateway
An application-level gateway, also called an application proxy, acts as a
relay of application-level traffic.
The user contacts the gateway using a TCP/IP application, such as Telnet or
FTP.
The gateway asks the user for the name of the remote host to be accessed.
The user responds and provides a valid user ID and authentication
information.
The gateway contacts the application on the remote host and relays TCP
segments containing the application data between the two endpoints.
If the gateway does not implement the proxy code for a specific application,
the service is not supported and cannot be forwarded through the firewall.
Application-level gateways tend to be more secure than packet filters: rather
than dealing with the numerous possible combinations to be allowed and
forbidden at the TCP and IP level, the gateway need only scrutinize a few
allowable applications, and it is easy to log and audit all incoming traffic
at the application level.
Disadvantage
The additional processing overhead on each connection: there are two spliced
connections between the end users, with the gateway at the splice point
examining and forwarding all traffic in both directions.
Circuit-Level Gateway
A circuit-level gateway is also called a circuit-level proxy.
This can be a stand-alone system or a specialized function performed by an
application-level gateway for certain applications.
A circuit-level gateway does not permit an end-to-end TCP connection;
the gateway sets up two TCP connections:
one between itself and a TCP user on an inner host, and
one between itself and a TCP user on an outside host.
Once the two connections are established, the gateway relays TCP segments
from one connection to the other without examining the contents; the
security function consists of determining which connections will be allowed.
An example of a circuit-level gateway implementation is the SOCKS package
(SOCKS Version 5 is defined in RFC 1928).
SOCKS
SOCKS provides a framework for client-server applications in
both the TCP and UDP domains to conveniently and securely use the services
of a network firewall.
SOCKS components
The SOCKS server, which runs on a UNIX-based firewall.
The SOCKS client library, which runs on internal hosts protected by the
firewall.
SOCKS-ified versions of several standard client programs, such as FTP and
TELNET.
VIRUS
A computer virus is a piece of software that can "infect" other programs by
modifying them.
The modification includes injecting the original program with a routine to
make copies of the virus program, which can then go on to infect other
programs.
Computer viruses first appeared in the early 1980s.
The typical virus becomes embedded in a program on a computer.
Whenever the infected computer comes into contact with an uninfected piece
of software, a fresh copy of the virus passes into the new program.
The infection can be spread from computer to computer by unsuspecting
users who
- swap disks, or
- send programs to one another over a network.
In a network environment, the ability to access applications and system
services on other computers provides a perfect culture for the spread of a
virus.
A virus can do anything that other programs do.
The difference is that a virus attaches itself to another program and
executes secretly when the host program is run.
Function of a virus
- Once running, a virus can perform any function that is allowed by the
privileges of the current user, such as erasing files and programs.
A computer virus has three parts:
1) Infection mechanism (infection vector): the means by which a virus spreads,
enabling it to replicate.
2) Trigger: the event or condition that determines when the payload is
activated or delivered.
3) Payload: what the virus does besides spreading; it may involve damage or
may involve benign but noticeable activity.
Viruses and Related Threats
Name                    Description
Virus                   Attaches itself to a program and propagates copies of itself
                        to other programs
Worm                    Program that propagates copies of itself to other computers
Logic bomb              Triggers action when a condition occurs
Trojan horse            Program that contains unexpected additional functionality
Backdoor (trapdoor)     Program modification that allows unauthorized access to
                        functionality
Exploits                Code specific to a single vulnerability or set of
                        vulnerabilities
Downloaders             Program that installs other items on a machine that is
                        under attack. Usually, a downloader is sent in an e-mail.
Auto-rooter             Malicious hacker tools used to break into new machines
                        remotely
Kit (virus generator)   Set of tools for generating new viruses automatically
Spammer programs        Used to send large volumes of unwanted e-mail
Flooders                Used to attack networked computer systems with a large
                        volume of traffic to carry out a denial of service (DoS)
                        attack
Keyloggers              Captures keystrokes on a compromised system
Rootkit                 Set of hacker tools used after an attacker has broken into
                        a computer system and gained root-level access
Zombie                  Program activated on an infected machine that is used to
                        launch attacks on other machines
PHASES OF A VIRUS
During its lifetime, a typical virus goes through four phases:
1) Dormant phase
- The virus is idle.
- The virus will eventually be activated by some event, such as a date, the
presence of another program or file, or the capacity of the disk exceeding
some limit. Not all viruses have this stage.
2) Propagation phase
- The virus places a copy of itself into other programs or into certain
system areas on the disk.
- Each infected program will now contain a clone of the virus, which will
itself enter a propagation phase.
3) Triggering phase
- The virus is activated to perform the function for which it was
intended.
- As with the dormant phase, the triggering phase can be caused by a variety
of system events, including a count of the number of times that this copy of
the virus has made copies of itself.
4) Execution phase
- The function is performed.
- The function may be harmless, such as a message on the screen, or damaging,
such as the destruction of programs and data files.
VIRUS STRUCTURE
A virus can be prepended or postpended to an executable program, or it can be
embedded in some other fashion. The key to its operation is
- first execute the virus code, then
- execute the original code of the program.
In the prepended case, the infected program begins with the virus code:
The first line of code is a jump to the main virus program.
The second line is a special marker that is used by the virus to determine
whether or not a potential victim program has already been infected.
When the program is invoked, control is immediately transferred to the main
virus program. The virus program may first seek out uninfected executable
files and infect them.
Next, the virus may perform some action, usually detrimental to the system.
Finally, the virus transfers control to the original program.
The following pseudocode (Cohen's outline) shows the logic; 1234567 is the
infection marker and V is the virus itself:

program V :=
{goto main;
 1234567;

 subroutine infect-executable :=
   {loop:
    file := get-random-executable-file;
    if (first-line-of-file = 1234567)
      then goto loop          /* already infected: try another file */
      else prepend V to file;}

 subroutine do-damage :=
   {whatever damage is to be done}

 subroutine trigger-pulled :=
   {return true if some condition holds}

main: main-program :=
   {infect-executable;
    if trigger-pulled then do-damage;
    goto next;}

next:
}
Because the infected program is longer than the original by the size of V,
this simple virus can be detected by a change in file length.
VIRUS OPERATION: COMPRESSION VIRUS
The virus just described is easily detected because an infected version of a
program is longer than the corresponding uninfected one.
A way to thwart such a simple means of detection is to compress the executable
file so that both the infected and uninfected versions are of identical length.
We assume that program P1 is infected with the compression virus CV.
When P1 is invoked, control passes to its virus, which performs the following
steps:
1. For each uninfected file P2 that is found, the virus first compresses that
file to produce a compressed version, which is shorter than the original
program by the size of the virus.
2. A copy of the virus is prepended to the compressed program.
3. The compressed version of the original infected program (P1 without CV) is
uncompressed.
4. The uncompressed original program is executed.
[Figure 21.3: A Compression Virus, showing CV prepended to the compressed P1
and the four steps above.]
VIRUS CLASSIFICATION OR TYPES
Viruses can be classified by what they infect and by how they conceal
themselves, as follows:
1) Boot sector infector
- Infects a master boot record or boot record and spreads when a
system is booted from the disk containing the virus.
2) File infector
- Infects files that the operating system or shell considers to be
executable.
3) Macro virus
- Infects files with macro code that is interpreted by an application.
4) Encrypted virus
- A portion of the virus creates a random encryption key and
encrypts the remainder of the virus.
- The key is stored with the virus.
- When an infected program is invoked, the virus uses the stored random key
to decrypt the virus; when the virus replicates, a different random key is
selected, so there is no constant bit pattern to observe.
5) Stealth virus
- A form of virus explicitly designed to hide itself from detection by
antivirus software.
- For example, the compression virus above leaves the infected program the
same length as the original, and a virus may intercept disk I/O so that
reading the infected file returns the original, uninfected contents.
6) Polymorphic virus
- A polymorphic virus creates copies during replication that are
functionally equivalent but have distinctly different bit patterns.
- The "signature" of the virus will therefore vary with each copy.
- The strategy of the encrypted virus is followed, with a different
encryption key for each copy; in addition, the virus inserts superfluous
instructions or interchanges the order of independent instructions.
- The portion of the virus that is responsible for generating keys and
performing encryption/decryption is referred to as the mutation engine,
and it too is altered with each use.
7) Virus kits
- A toolkit enables a relative novice to create a number of different
viruses quickly.
- Viruses created with toolkits tend to be less sophisticated than viruses
designed from scratch.
- The sheer number of new viruses that can be generated using a toolkit
creates a problem for antivirus schemes.
Macro Viruses
- In the mid-1990s, macro viruses became by far the most prevalent type of
virus.
- Macro viruses are particularly threatening for a number of reasons:
1) A macro virus is platform independent; a virus in a Microsoft Word
document infects any hardware platform and operating system that supports
Word.
2) Macro viruses infect documents, not executable portions of code, and most
of the information introduced onto a computer system is in the form of
documents rather than programs.
3) Macro viruses are easily spread, most commonly by electronic mail.
4) Because macro viruses infect user documents rather than system
programs, traditional file-system access controls are of limited use in
preventing their spread.
8) E-mail viruses
- A more recent development in malicious software is the e-mail virus.
- The first rapidly spreading e-mail viruses, such as Melissa, made use of a
Microsoft Word macro embedded in an attachment.
- If the recipient opens the e-mail attachment, the Word macro is
activated. Then:
1. The e-mail virus sends itself to everyone on the mailing list in the
user's e-mail package.
2. The virus does local damage on the user's system.
9) Parasitic virus
- The traditional and still most common form of virus.
- A parasitic virus attaches itself to executable files and replicates,
when the infected program is executed, by finding other executable
files to infect.
10) Memory-resident virus
- Lodges in main memory as part of a resident system program.
From that point on, the virus infects every program that executes.
11) Metamorphic virus
- As with a polymorphic virus, a metamorphic virus mutates with
every infection. The difference is that a metamorphic virus rewrites itself
completely at each iteration, increasing the difficulty of detection;
metamorphic viruses may change their behaviour as well as their appearance.
VIRUS COUNTERMEASURES
Antivirus Approaches
The ideal solution to the threat of viruses is prevention:
- Do not allow a virus to get into the system in the first place.
This goal is, in general, impossible to achieve, so the next best approach
is the following:
1) Detection:
- Once the infection has occurred, determine that it has occurred and locate
the virus.
2) Identification:
- Once detection has been achieved, identify the specific virus that has
infected a program.
3) Removal:
- Remove all traces of the virus from the infected program and
restore it to its original state.
- Remove the virus from all infected systems so that the virus cannot
spread further.
If detection succeeds but either identification or removal is not possible,
the alternative is to discard the infected program and reload a clean backup.
Antivirus Generations
First generation: simple scanners
Second generation: heuristic scanners
Third generation: activity traps
Fourth generation: full-featured protection
First generation
A first-generation scanner requires a virus signature to identify a virus.
The virus may contain "wildcards" but has essentially the same structure and
bit pattern in all copies.
Such signature-specific scanners are limited to the detection of known viruses.
Another type of first-generation scanner maintains a record of the length of
programs and looks for changes in length.
Second generation
A second-generation scanner does not rely on a specific signature.
One class of such scanners uses heuristic rules to search for probable virus
infection, e.g., looking for fragments of code that are often
associated with viruses, such as the decryption loop of an encrypted virus.
Another second-generation approach is integrity checking: a checksum or,
better, an encrypted hash of each program is stored, so that a virus cannot
change a file without the change being detected.
Third generation
Third-generation programs are memory-resident programs that identify a
virus by its actions rather than its structure in an infected program.
Such programs have the advantage that it is not necessary to develop
signatures and heuristics for a wide array of viruses; it is only necessary
to identify the small set of actions that indicate an infection is being
attempted and then to intervene.
Fourth generation
Fourth-generation products are packages consisting of a variety of antivirus
techniques used in conjunction.
These include scanning and activity trap components, plus access control
capability that limits the ability of viruses to penetrate a system.
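As an added example (written for these notes, not from the original page or any antivirus product), the following Python contrasts the two first-generation techniques: a signature scan with a wildcard byte, and a length/hash record of each clean program (the hash is the integrity-checking refinement mentioned under the second generation). The "executables" are constructed byte strings laid out like the prepended virus in the pseudocode above (jump, 1234567 marker, virus body, original program); they contain no real code. The variant in calc.exe stands for the same virus re-encrypted under a new key: the signature bytes have changed, so the signature scan misses it, while the integrity check still flags the file.

```python
import hashlib, re

# Constructed "executables" as byte strings, not real programs or real malware.
CLEAN = {"calc.exe": b"MZ\x90\x00MAIN: add r1,r2; ret;",
         "edit.exe": b"MZ\x90\x00MAIN: load; store; ret;"}
VIRUS_BODY = b"MAIN_V: infect; if trigger: damage; JMP ORIG;"
# Prepended layout from the pseudocode: jump, marker, (encrypted) virus, original program.
INFECTED_EDIT = b"MZ" + b"JMP MAIN_V;1234567;" + b"\xde\xad\x01\xbe\xef" + VIRUS_BODY + CLEAN["edit.exe"]
# The same virus "re-encrypted" with another key: the bytes a signature relies on have changed.
VARIANT_CALC = b"MZ" + b"JMP MAIN_V;1234567;" + b"\x13\x37\x00\x42\x42" + VIRUS_BODY + CLEAN["calc.exe"]

# First-generation signature with a wildcard: bytes de ad ?? be ef, where ?? is any single byte.
SIGNATURES = {"demo.virus": re.compile(rb"\xde\xad.\xbe\xef", re.DOTALL)}

def signature_scan(image, signatures=SIGNATURES):
    """Return the names of every known signature found in the program image."""
    return [name for name, pattern in signatures.items() if pattern.search(image)]

def integrity_db(files):
    """Record the length and a hash of each clean program while the system is known clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}

def integrity_check(files, db):
    """Names of programs whose length or hash no longer matches the recorded values."""
    return [name for name, data in files.items()
            if (len(data), hashlib.sha256(data).hexdigest()) != db[name]]

def demo():
    db = integrity_db(CLEAN)                       # taken while the system was clean
    current = {"calc.exe": VARIANT_CALC, "edit.exe": INFECTED_EDIT}
    hits = {name: signature_scan(data) for name, data in current.items()}
    return {"signature_hits": {n: h for n, h in hits.items() if h},
            "changed": integrity_check(current, db)}
```

demo() returns which files the signature scan named and which files the integrity check flagged. The integrity database only helps if it was built on a clean system and is itself protected from modification, which is why a keyed or signed hash is preferred over a plain checksum.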
INTRUDERS
Two of the most publicized threats to security are intruders and viruses.
Intruders are generally referred to as hackers or crackers.
Three classes of intruders:
1) Masquerader:
- An individual who is not authorized to use the computer and who
penetrates a system's access controls to exploit a legitimate user's
account. The masquerader is likely to be an outsider.
2) Misfeasor:
- A legitimate user who accesses data, programs, or resources
for which such access is not authorized, or who is authorized for such
access but misuses his or her privileges. The misfeasor is generally an
insider.
3) Clandestine user:
- An individual who seizes supervisory control of the system and uses this
control to evade auditing and access controls or to suppress audit
collection. The clandestine user can be either an outsider or an insider.
Examples of intrusion include:
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without
authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software
and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail
password, and learning the new password
• Using an unattended, logged-in workstation without permission
An analysis of a series of attacks on a computer network found two levels of
hackers:
High level: sophisticated users with a thorough knowledge of the technology.
Low level: the "foot soldiers" who merely use the supplied cracking programs
with little understanding of how they work.
In that case, the intruders attempted to modify login software to enable them
to capture passwords of users logging on to systems.
Intrusion Techniques
The objective of the intruder is to gain access to a system or to increase the
range of privileges accessible on a system.
Generally, this requires the intruder to acquire information that should have
been protected; in most cases, this information is in the form of a user
password.
With knowledge of some other user's password, an intruder can log in to a
system and exercise all the privileges accorded to the legitimate user.
The password file can be protected in one of two ways:
1) One-way function:
- The system stores only the value of a function based on the user's password.
- When the user presents a password, the system transforms that password and
compares it with the stored value.
2) Access control:
- Access to the password file is limited to one or a very few accounts.
Techniques for learning passwords:
- Try default passwords used with standard accounts that are shipped with the
system.
- Exhaustively try all short passwords (those of one to three characters).
- Try words in the system's online dictionary or a list of likely passwords.
- Collect information about users, such as their full names, the names of their
spouse and children, pictures in their office, and books in their office that
are related to hobbies.
- Try users' phone numbers, Social Security numbers, and room numbers.
- Try all legitimate license plate numbers for this state.
- Use a Trojan horse to bypass restrictions on access.
- Tap the line between a remote user and the host system.
The first six methods are ways of guessing a password. If each guess has to be
verified by attempting to log in, the attack is tedious and easily countered;
if the intruder has obtained read access to the password file, the guessing
can be run offline at full speed, which is why the one-way function and the
access control are used together.
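As an added example (written for these notes, not from the original page), the following Python shows the two sides of the one-way-function protection: a password file that stores a per-user salt and PBKDF2-HMAC-SHA256 of the password, and an offline guessing attack that walks the first four techniques listed above (vendor defaults, a dictionary, information about the user, all short passwords) against that file. The user names, passwords, word lists and the low iteration count are constructed for the demo; the salt forces the attacker to hash every guess separately for every user, and the iteration count sets the cost of each guess.

```python
import hashlib, itertools, os, string

ITERATIONS = 500        # PBKDF2 work factor; deliberately low so the demo runs quickly

def store_password(password, salt=None):
    """One-way function: the file keeps (salt, PBKDF2(password, salt)), never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def matches(entry, guess):
    """What the login procedure does: transform the presented password and compare."""
    salt, digest = entry
    return hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, ITERATIONS) == digest

def candidates(defaults, dictionary, personal):
    """Guesses in the order the text lists them: defaults, dictionary, personal data, short passwords."""
    yield from defaults
    for word in dictionary + personal:
        for base in (word, word.lower(), word.capitalize()):
            yield base
            yield base + "1"
            yield base + "123"
    for n in range(1, 3):                                     # all 1-2 letter passwords
        for t in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(t)
    for n in range(1, 4):                                     # all 1-3 digit PINs
        for t in itertools.product(string.digits, repeat=n):
            yield "".join(t)

def offline_guess(passwd_file, defaults, dictionary, personal_by_user):
    """Attacker with read access to the hashed file: try every candidate against every user."""
    found, tried = {}, 0
    for user, entry in passwd_file.items():
        found[user] = None
        for guess in candidates(defaults, dictionary, personal_by_user.get(user, [])):
            tried += 1
            if matches(entry, guess):
                found[user] = guess
                break
    return found, tried

def demo():
    # Constructed password file and attacker knowledge (not real accounts or data).
    passwd_file = {
        "root": store_password("admin"),                  # vendor default
        "smith": store_password("password"),              # dictionary word
        "jones": store_password("Rover1"),                # pet's name plus a digit
        "lee": store_password("kT9#vq2LmZ!p4"),           # long and random
    }
    found, tried = offline_guess(
        passwd_file,
        defaults=["admin", "root", "guest", "changeme"],
        dictionary=["password", "welcome", "secret", "letmein"],
        personal_by_user={"jones": ["Jones", "Rover", "Emma"]},
    )
    return {"found": found, "guesses": tried}
```

demo() returns which passwords fell and how many hash evaluations the attacker paid for. Without the salt, one hash per guess would test all users at once; with it, each user costs the attacker the full candidate list, and raising ITERATIONS to a realistic value multiplies that cost again. None of this helps if the file is world-readable, which is what the access-control protection prevents.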
Intrusion Detection
Intrusion detection is based on the assumption that the behaviour of the
intruder differs from that of a legitimate user in ways that can be
quantified. Detection is motivated by the following considerations:
- If an intrusion is detected quickly enough, the intruder can be identified
and ejected from the system before any damage is done or any data are
compromised.
- An effective intrusion detection system can serve as a deterrent, so
acting to prevent intrusions.
- Intrusion detection enables the collection of information about intrusion
techniques that can be used to strengthen the intrusion prevention facility.
The following approaches to intrusion detection are used:
1) Statistical anomaly detection:
- Involves the collection of data relating to the behaviour of legitimate users
over a period of time. Statistical tests are then applied to observed
behaviour to determine with a high level of confidence whether that behaviour
is not legitimate user behaviour.
i) Threshold detection:
- This approach involves defining thresholds, independent of user, for
the frequency of occurrence of various events.
ii) Profile based:
- A profile of the activity of each user is developed and used to detect
changes in the behaviour of individual accounts.
The metrics used for profile-based intrusion detection include:
1) Counter
- A count of certain event types is kept over a particular period of time
(e.g., number of logins during an hour, number of password failures).
2) Gauge
- A gauge is used to measure the current value of some entity (e.g., number
of logical connections assigned to a user application); both increases and
decreases are recorded.
3) Interval timer
- The length of time between two related events (e.g., between successive
logins to an account).
4) Resource utilization
- Quantity of resources consumed during a specified period (e.g., number of
pages printed, total time consumed by a program execution).
2) Rule-based detection:
Involves an attempt to define a set of rules that can be used to decide that a
given behaviour is that of an intruder.
i) Anomaly detection:
Rules are developed to detect deviation from previous usage patterns.
ii) Penetration identification:
An expert system approach that searches for suspicious behaviour, using rules
that typically encode known penetration scenarios and system weaknesses.
Examples of heuristic rules used in rule-based detection:
1) Users should not read files in other users' personal directories.
2) Users must not write other users' files.
3) Users who log in after hours often access the same files they used earlier.
4) Users do not generally open disk devices directly but rely on higher-level
operating system utilities.
5) Users should not be logged in more than once to the same system.
6) Users do not make copies of system programs.
Statistical anomaly detection is effective against masqueraders, who are
unlikely to mimic the behaviour of the accounts they appropriate, but less so
against misfeasors; rule-based penetration identification can recognize the
events and sequences that reveal a penetration. In practice, a system may
combine both approaches.
Audit Records
A fundamental tool for intrusion detection is the audit record.
Some record of ongoing activity by users must be maintained as input to an
intrusion detection system. Two plans are used:
i) Native audit records:
Virtually all multiuser operating systems include accounting software that
collects information on user activity.
The advantage of using this information is that no additional collection
software is needed.
The disadvantage is that the native audit records may not contain the
needed information or may not contain it in a convenient form.
ii) Detection-specific audit records:
A collection facility can be implemented that generates audit records
containing only that information required by the intrusion detection system.
One advantage of such an approach is that it could be made vendor
independent and ported to a variety of systems.
The disadvantage is the extra overhead involved in having two accounting
packages running on a machine.
Each audit record contains the following fields:
Subject: initiator of the action. A subject is typically a terminal user but
might also be a process acting on behalf of users or groups of users.
Action: operation performed by the subject on or with an object (e.g., login,
read, perform I/O, execute).
Object: receptor of the action. Examples include files, programs, messages,
records, terminals, printers, and user- or program-created structures.
Exception-Condition: denotes which, if any, exception condition is raised on
return.
Resource-Usage: a list of quantitative elements in which each element gives the
amount used of some resource (e.g., number of lines printed, records read or
written, processor time, session elapsed time).
Time-Stamp: unique time-and-date stamp identifying when the action took place.
Example: the single user command
COPY GAME.EXE TO <Library>GAME.EXE
issued by Smith produces three audit records; the copy fails with a
write-protection violation on the <Library> directory:
Subject  Action   Object              Exception   Resource-Usage  Time-Stamp
Smith    execute  <Library>COPY.EXE   0           CPU = 00002     11058721678
Smith    read     <Smith>GAME.EXE     0           RECORDS = 0     11058721679
Smith    execute  <Library>COPY.EXE   write-viol  RECORDS = 0     11058721680
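As an added example (written for these notes, not from the original page or any intrusion detection product), the following Python runs the three detection techniques described above over a constructed audit trail in the record format just shown: penetration-identification rules 1, 2, 4, 5 and 6 from the list, a user-independent threshold on the counter of failed logins, and a profile-based test of the resource-utilization metric (records read) against each user's historical mean and standard deviation. The records, user names, baseline figures, the threshold of 3 failures and the z-score limit of 3.0 are all assumed values; rule 3 (after-hours access patterns) needs a history of sessions and is not implemented.

```python
import re
from collections import Counter, namedtuple

Audit = namedtuple("Audit", "subject action object exception resource ts")

# Constructed audit trail in the page's record format; not from a real system.
AUDIT_TRAIL = [
    Audit("smith", "login", "tty03",              0,            "",           1000),
    Audit("smith", "read",  "<Smith>NOTES.TXT",   0,            "RECORDS=12", 1001),
    Audit("smith", "read",  "<Jones>PAYROLL.DAT", 0,            "RECORDS=40", 1002),
    Audit("smith", "write", "<Jones>PAYROLL.DAT", "write-viol", "RECORDS=0",  1003),
    Audit("jones", "login", "tty04",              0,            "",           1004),
    Audit("jones", "read",  "<Jones>BUDGET.XLS",  0,            "RECORDS=18", 1005),
    Audit("jones", "login", "tty05",              0,            "",           1006),
    Audit("jones", "open",  "<Device>DISK0",      0,            "",           1007),
    Audit("lee",   "login", "tty06",              0,            "",           1008),
    Audit("lee",   "copy",  "<System>LOGIN.EXE",  0,            "RECORDS=8",  1009),
] + [Audit("guest", "login", "tty07", "bad-password", "", 1010 + i) for i in range(5)]

# Constructed historical profile: (mean, standard deviation) of records read per session.
BASELINE = {"smith": (15.0, 5.0), "jones": (20.0, 8.0), "lee": (10.0, 4.0)}

def owner(obj):
    """'<Jones>PAYROLL.DAT' -> 'jones'; system areas return their tag, others None."""
    m = re.match(r"<(\w+)>", obj)
    return m.group(1).lower() if m else None

def rule_based(records):
    """Penetration identification with heuristic rules 1, 2, 4, 5 and 6 from the text."""
    alerts, sessions = [], Counter()
    for r in records:
        o = owner(r.object)
        personal = o not in (None, "library", "system", "device")
        if r.action == "read" and personal and o != r.subject:
            alerts.append((r.ts, r.subject, "rule 1: read of another user's personal file"))
        if r.action == "write" and personal and o != r.subject:
            alerts.append((r.ts, r.subject, "rule 2: write to another user's file"))
        if r.action == "open" and o == "device":
            alerts.append((r.ts, r.subject, "rule 4: direct access to a disk device"))
        if r.action == "login" and r.exception == 0:
            sessions[r.subject] += 1
            if sessions[r.subject] > 1:
                alerts.append((r.ts, r.subject, "rule 5: logged in more than once"))
        if r.action == "logout":
            sessions[r.subject] -= 1
        if r.action == "copy" and o == "system":
            alerts.append((r.ts, r.subject, "rule 6: copy of a system program"))
    return alerts

def threshold_detection(records, event="bad-password", limit=3):
    """Counter metric with a user-independent threshold: more than `limit` failures."""
    failures = Counter(r.subject for r in records if r.exception == event)
    return [(user, n) for user, n in failures.items() if n > limit]

def profile_based(records, baseline, zmax=3.0):
    """Resource-utilization metric (records read) against each user's own profile."""
    used = Counter()
    for r in records:
        m = re.search(r"RECORDS=(\d+)", r.resource)
        if m and r.action == "read":
            used[r.subject] += int(m.group(1))
    alerts = []
    for user, (mean, sd) in baseline.items():
        z = (used[user] - mean) / sd
        if z > zmax:
            alerts.append((user, used[user], round(z, 1)))
    return alerts

def analyse(records=AUDIT_TRAIL, baseline=BASELINE):
    return {"rules": rule_based(records),
            "threshold": threshold_detection(records),
            "profile": profile_based(records, baseline)}
```

analyse() returns the alerts from each technique. Note what each one catches: the rules fire on smith's read of jones's payroll file even though the later write failed, the threshold catches the password-guessing on the guest account without knowing anything about that user, and the profile flags smith's unusually large read volume, which no rule would have noticed.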
Distributed Intrusion Detection
A distributed intrusion detection system may need to deal with different audit
record formats, since the systems in a heterogeneous network run different
operating systems.
One or more nodes in the network will serve as collection and analysis points
for the data from the systems on the network, so the integrity and
confidentiality of the raw audit data or summary data in transit must be
assured.
Either a centralized or decentralized architecture can be used.
i) Host agent module:
- An audit collection module operating as a background process on a
monitored system; it collects data on security-related events on the host
and transmits these to the central manager.
ii) LAN monitor agent module:
- Operates in the same fashion as a host agent module except that it analyses
LAN traffic and reports the results to the central manager.
iii) Central manager module:
- Receives reports from LAN monitor and host agents and processes and correlates
these reports to detect intrusion.
Honeypots
A relatively recent innovation in intrusion detection technology is the
honeypot.
Honeypots are decoy systems that are designed to lure a potential attacker
away from critical systems.
Honeypots are designed to
divert an attacker from accessing critical systems
collect information about the attacker's activity
encourage the attacker to stay on the system long enough for
administrators to respond
Trusted Systems
One way to enhance the ability of a system to defend against intruders and
malicious programs is to implement trusted system technology.
Data Access Control
Through the user access control procedure (logon), a user can be identified to
the system.
After successful logon, the user has been granted access to one or a set of
hosts and applications.
This is generally not sufficient for a system that includes sensitive data in
its database.
Associated with each user, there can be a profile that specifies permissible
operations and file accesses.
The operating system can then enforce rules based on the user profile.
The database management system, however, must control access to specific
records or even portions of records; it must make a decision on each
individual access attempt.
That decision will depend not only on the user's identity but also on the
specific parts of the data being accessed and even on the information already
divulged to the user.
A general model of access control as exercised by a file or database
management system is that of an access matrix.
The basic elements
Subject:
- An entity capable of accessing objects (generally a process acting on
behalf of a user).
Object:
- Anything to which access is controlled.
- Examples include files, portions of files, programs, and segments of
memory.
Access right:
- The way in which an object is accessed by a subject.
- Examples are read, write, and execute.
The matrix may be decomposed by columns, yielding access control lists (one
list per object, giving the users and their permitted access rights).
Decomposition by rows yields capability tickets (one per user, specifying the
objects and operations authorized for that user).
The Concept of Trusted Systems
Information is categorized as unclassified (U), confidential (C), secret
(S), top secret (TS), or beyond.
Users can be granted clearances to access certain categories of data.
For example, in a corporation,
- the highest level of security might be for strategic corporate planning
documents and data,
- accessible by only corporate officers and their staff.
When multiple categories or levels of data are defined, the requirement is
referred to as multilevel security.
The general statement of the requirement is that a subject at a high level
may not convey information to a subject at a lower or noncomparable level
unless that flow accurately reflects the will of an authorized user.
This requirement is in two parts:
1) No read up:
- A subject can only read an object of less or equal security level.
- This is referred to in the literature as the Simple Security Property.
2) No write down:
- A subject can only write into an object of greater or equal security level.
- This is referred to in the literature as the *-Property (star property).
These two rules, if properly enforced, provide multilevel security.
For a data processing system, the approach that has been taken, and has been
the object of much research and development, is based on the reference
monitor concept.
The reference monitor is a controlling element in the hardware and operating
system of a computer that regulates the access of subjects to objects on the
basis of security parameters of the subject and object.
The reference monitor has access to a file, known as the security kernel
database, that lists the access privileges (security clearance) of each subject
and the protection attributes (classification level) of each object.
The reference monitor enforces the security rules (no read up, no write down)
and has the following properties:
1) Complete mediation: the security rules are enforced on every access, not
just, for example, when a file is opened.
2) Isolation: the reference monitor and database are protected from
unauthorized modification.
3) Verifiability: the reference monitor's correctness must be provable; it must
be possible to demonstrate mathematically that it enforces the security rules
and provides complete mediation and isolation.
Important security events, such as detected security violations and
authorized changes to the security kernel database, are stored in an audit
file.
A system that can provide such verification is referred to as a trusted system.
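As an added example (written for these notes, not from the original page or any operating system), the following Python puts the two access-control models above together: an access matrix decomposed into access control lists (by column) and capability tickets (by row), and a reference monitor that mediates every access, consulting the matrix first and then the multilevel rules from its clearance and classification tables, recording each decision in an audit list. The subjects bob and alice, the objects, the rights in the matrix and the levels assigned are all constructed. The case "bob writes bulletin.txt" is the one the multilevel rules exist for: the ACL permits the write, but the *-property forbids a secret-cleared subject from writing into a confidential file, so a program running as Bob cannot leak secret data to where Alice can read it.

```python
from enum import IntEnum

class Level(IntEnum):           # classification / clearance levels, low to high
    U = 0   # unclassified
    C = 1   # confidential
    S = 2   # secret
    TS = 3  # top secret

# Constructed access matrix: subject -> object -> set of access rights (discretionary).
MATRIX = {
    "bob":   {"plan.doc": {"r", "w"}, "bulletin.txt": {"r", "w"}, "payroll.db": {"r"}},
    "alice": {"bulletin.txt": {"r"}, "notes.txt": {"r", "w"}},
}

def access_control_list(matrix, obj):
    """Decompose by column: who may do what to one object."""
    return {s: rights[obj] for s, rights in matrix.items() if obj in rights}

def capability_ticket(matrix, subject):
    """Decompose by row: what one subject may do to which objects."""
    return dict(matrix.get(subject, {}))

class ReferenceMonitor:
    """Complete mediation: every access goes through check(). The matrix is consulted
    first, then the multilevel rules using the security kernel database (clearances
    of subjects, classifications of objects); every decision is audited."""
    def __init__(self, matrix, clearances, classifications):
        self.matrix, self.clearance, self.classification = matrix, clearances, classifications
        self.audit = []
    def check(self, subject, right, obj):
        allowed = right in self.matrix.get(subject, {}).get(obj, set())
        reason = "permitted by ACL" if allowed else "denied by ACL"
        if allowed:
            cs, co = self.clearance[subject], self.classification[obj]
            if right == "r" and cs < co:
                allowed, reason = False, "simple security property (no read up)"
            elif right == "w" and cs > co:
                allowed, reason = False, "*-property (no write down)"
        self.audit.append((subject, right, obj, allowed, reason))
        return allowed

def demo():
    rm = ReferenceMonitor(MATRIX,
                          clearances={"bob": Level.S, "alice": Level.C},
                          classifications={"plan.doc": Level.S, "bulletin.txt": Level.C,
                                           "payroll.db": Level.TS, "notes.txt": Level.C})
    return {
        "bob_reads_plan": rm.check("bob", "r", "plan.doc"),           # S reads S: allowed
        "bob_reads_payroll": rm.check("bob", "r", "payroll.db"),      # ACL says yes; S reads TS: no
        "bob_writes_bulletin": rm.check("bob", "w", "bulletin.txt"),  # ACL says yes; S writes C: no
        "alice_writes_plan": rm.check("alice", "w", "plan.doc"),      # not in the matrix: no
        "alice_reads_bulletin": rm.check("alice", "r", "bulletin.txt"),
        "acl_bulletin": access_control_list(MATRIX, "bulletin.txt"),
        "cap_alice": capability_ticket(MATRIX, "alice"),
        "audit": rm.audit,
    }
```

demo() returns each decision together with the ACL for bulletin.txt, Alice's capability ticket and the audit trail. Note that the monitor never lets the discretionary answer override the mandatory one; the isolation and verifiability properties are what guarantee, in a real system, that no code path around check() exists.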
Trojan Horse Defence
One way to secure against Trojan horse attacks is the use of a secure, trusted
operating system. In this case, a Trojan horse is used to get around the
standard security mechanism used by most file management and operating
systems: the access control list.
A user named Bob interacts through a program with a data file containing the
critically sensitive character string "CPE170KS".