Digital Envelopes

– protects a message without needing to first arrange for sender and receiver to have the same secret key
– Equates to the same thing as a sealed envelope containing an unsigned letter

Message
random symmetric key -> encrypted message -> digital envelop
receiver’s public key -> encrypted symmetric key -> digital envelope

Symmetric Encryption

plaintext input -> encryption algorithm -> decryption algorithm(reverse of encryption algorithm)-> plaintext output

y = E[K,X], X=D[K,Y]

Comparison of Encryption Algorithm
DES = Data Encryption Standard
AES = Advanced Encryption Standard

Plaintext block size(bits)
Ciphertext block size(bits)
Key size(bits)

Asymmetric Encryption
– plain text:readable message or data that is fed into the algorithm
– encryption algorithm: perform transformations on the plaintext
– public and private key: pair of keys, one for encryption, one for decryption
– ciphertext: scrambled message produced as output
– Decryption key: produces the original plaintext

Digital Signatures:
plaintext message -> hash function -> hashtag -> encrypted signed message -> compare the hash value sent with hash value generated -> reject message

Generate hash code of unsigned certificate -> Encrypt hash code with CA’s private key to form signature -> signed certificate -> decrypt signature with CA’s public key to recover hash code -> recepient can verify signature by comparison hash code values

Simple Ciphers

Simple Ciphers
– Caesar’s cipher(or, shift cipher):
e.g., A->D, B->E
that is, shift by an offset n:
-(letter + n) mod 26
only 26 possible ways of secret coding
– Monoalphabetic cipher(or, substitution cipher):
generalization, arbitrary mapping of one letter to another
26!, ~4*10^26 or ~ 2^88
Attack with statistical analysis of letter frequencies

Vigenere Cipher

What should be kept secret?
Kerchhoff’s principle
a cryptosystem should be secure even if the attacker knows all details about the system, with exception of the secret key
In practice:
Only use widely known ciphers that have been crypto analyzed for several years by good cryptographers
e.g., established standards

secret key cryptography:
one key same key for encryption and decryption
public key cryptography:
two keys
public for encryption, private for decryption
private for signing and public for verification

Hash Functions
compute message digest of data of any size
fixed length output: 128-512 bits
easy to compute H(m)
Given H(m), no easy way to find m
– one-way function
Given m1, it is computationally infeasible to find m2=m1 s.t. H(m2)= H(m1)
weak collision resistant
Computationally infeasible to find m1 = m2 s.t. H(m1)=H(m2)
strong collision resistant

Hash Functions for passwords
hash function, stored hash of password -> access granted

Intro to Cryptography

Encryption/Decryption

plaintext -> Encryption -> ciphertext -> Decryption -> plaintext

there is a one-to-one mapping
provides confidentiality protection

Other services:
Integrity checking: no tampering
Authenticity: verified authorship
Authentication: not an imposter

Encryption basics
ancient crypto:
early sings of encryption in Egypt in ~2000 B.C.
letter-based scheme (e.g., Caesar’s cipher) ever since

Symmetric ciphers:
from ancient time to the presence
Asymmetric ciphers:
first by diffie-Hellman-

DoS Attacks on Network IDS

– Resource exhaustion
– cpu resources
– memory
– Network bandwidth

– Abusing reactive IDS
– false positives
– nuisance attacks or “error” packets/connections

Intrusion Prevention System(IPS)
also known as intrusion detection and prevention system(IDPS)
is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity
can be host-based, network-based, or distributed/hybrid
can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior can block traffic as a firewall does, but makes use of the types of algorithms developed for IDSs to determine when to do so

Bayesian Detection Rate

P(I) is base rate: prior probability of attacks

base-rate fallacy
– even if false alarm rate P(A|¬I) is very low, Bayesian detection rate P(I|A) is still low if base-rate P(I) is low
– E.g. if P(A|I)=1, P(A|¬l)=10^-5, P(I)=2×10^-5, P(I|A)=66%

When the IDS produces an alert, the probability that an intrusion has actually occurred is low.

Implications to IDS
– Design algorithms to reduce false alarm rate
– Deploy IDS to appropriate point/layer with sufficiently high base rate
– Multiple independent detection models

Architecture of Network IDS
– Packet data volume can be huge
– Base rate at the packet level is typically low
– Applying detection algorithms at this level may result in a low bayesian detection rate

Network -> libcap -> Event Engine -> Detection Engine

Eluding Network IDS
What the IDS sees may not be what the end system gets
Ambiguities in protocols lead different implementations in operating systems:
E.G, TTL, fragments

Evaluating IDS

Detection rate or True Positive(TP) rate:
given that there is an intrusion, how likely will the IDS correct output an alert.

False Negative Rate: FN = 1- TP

False alarm or False Positive(FP) rate:given that there is no intrusion, how likely is the IDS to falsely output an alert.

True Negative Rate: TN = 1 – FP

Bayesian detection rate: given that the IDS produces an alert, how likely is it that an intrusion actually occurs?

Alarm/positive: A; Intrusion: I
Detection (true positive) rate: P(A|I)
false negative rate P(¬A|I)
False alarm rate: P(A|¬I)
true negative rate P(¬A|¬I)
Bayesian detection rate: P(I|A)

System should be: scalable, resilient to attacks

Bayesian Detection Rate
P(I|A) = P(I)P(A|I)/P(I)P(A|I)+P(¬I)P(A|¬I)
P(I) is prior probability of attacks: this is the probability of intrusion evidences in the data.

Snort Rules

(a)Rule header
Action, Protocol, Source IP Address, Source Port, Action, Dest IP address, Dest Port

(b)Options
Option Keyword, Protocol Arguments

Meta-data:provides information about the rule but do not have any effect during detection
Payload:look for data inside the packet
Post-detection: rule-specific triggers that happen after a rule has matched a packet

snort rule actions
alert, log, pass, activate, dynamic, drop, reject, sdrop

snort rule example
alert tcp any any -> 192.168.1.0/24 25(content:”mail from:root”;msg:”root users attempts to send an email”;)

Honeypots
Honeypots are decoy systems designed to lure attackers away from critical systems

Honeypots are designed to:
divert an attacker
collect information about an attacker
encourage an attacker to stay long enough for administrators to respond

Honeypots are filled with fabricated information
Any accesses to a honeypot trigger monitors and event loggers
An attack against a honeypot is made to seem successful

A honeypot has no production value
there is no legitimate reason to access a honeypot
any attempt to communicate with a honeypot is most likely a probe, scan, or attack
if a honeypot initiates outbound traffic, the system is most likely compromised

Firewall Versus Network IDS

Firewall
-active filtering
-fail-close

Network IDS
-passive monitoring
-fail-open

NIDS Sensor Deployment

SNORT
-open source
-Highly configurable
-Lightweight IDS

Characteristics:
easily deployed on most nodes
efficient operation
easily configured by system administrators

Performs real-time packet capture
Detects a variety of attacks and probes

Packet -> Decoder -> Detection Engine -> Alert

Configured as passive
– Monitors traffic
– Is not in the main transmission path
– Is not an inline sensor

Configured as Intrusion Detection

Misuse Signature Intruder Detection

Example: if(src_ip == dsp_ip && src_prt == dst_prt)
then “land attack”

Monitoring Networks and Host
An IDS performs passive monitoring:
it records and analyzes data about system and network activity
if the IDS sends out an alert AND the response policy dictates intervention, then activities are affected

Network Based IDS
– Monitors traffic at selected points on a network in real or close to real time
– May examine network, transport, and/or application-level protocol activity
– Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
– Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two

Host IDS
– Operating System Event

Inline Sensors
– used to block an attack when one is detected, performing both intrusion detection and prevention functions
– An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
– Combining NIDS sensor logic with a firewall or LAN switch. This has the advantage of no additional hardware is needed
– Using a stand-alone inline NIDS sensor

Passive Sensors
– A passive sensor monitors a copy of network traffic; the actural traffic does not pass through the device
– Passive sensors are more efficient
Network traffic: monitoring interface, management interface(with IP)