Application Intrusion Detection: Anita Jones Robert Sielken University of Virginia

Application Intrusion Detection
Anita Jones, Robert Sielken
University of Virginia
Introduction
• Intrusion Detection
– determining whether or not some entity, the
intruder, has attempted to gain, or has gained
unauthorized access to the system

• Intruder Types
– External
– Internal -- our greater concern

August 99 Application Intrusion Detection 2


State of Practice
• Assume the Operating System as the basis
• Use what an OS knows about -- OS semantics
– users, processes, devices
– controls on access and resource usage
• Record events in the life of the OS
• Use OS audit records

OS Intrusion Detection Systems -- OS IDS

OS IDS - the two Approaches
• Anomaly Detection
– assume that behavior can be characterized
• statically -- by known, fixed data encoding
• dynamically -- by patterns of event sequences or by
threshold limits on event occurrences (e.g. system calls)
– detect errant behavior that deviates from expected,
normal behavior
• Misuse Detection
– look for known patterns (signatures) of intrusion,
typically as the intrusion unfolds

OS IDS - the two Approaches
• Anomaly Detection
– Static: e.g. Tripwire, Self-Nonself
– Dynamic: e.g. NIDES, Pattern Matching (UNM)
• Misuse Detection
– e.g. NIDES, MIDAS, STAT
• Networks are handled as “extensions”
– I.e. Use same two approaches listed above
– Centralized: e.g. DIDS, NADIR, NSTAT
– Decentralized: e.g. GrIDS, EMERALD

OS IDS -- a Particular Problem
• OS IDS has problems when
– anomalous & normal behavior can’t be
distinctly characterized
– OS IDS has no pattern for a newly invented
intrusion (misuse)
• But, the greatest problem is
– to distinguish abusive internal (legit user)
activity

An OS IDS is inherently limited by the semantics of the OS.

You can’t talk about something for which you have no words!

A Complementary Approach
Assume that the OS IDS does its job.

Use the semantics of the application as a further basis for detection of intruders:

Application Intrusion Detection (App IDS)

App IDS -- What’s Possible?
• How do you define intrusion in the context of (in the
semantics of) an application?
• Can an intrusion be “seen”?
– Seen in progress?
• Can intrusive behavior be linked to users?
• Is there a richer notion of history (of intrusion)?
• Is there a richer notion of “abused system state”?

App IDS -- Guiding Questions
• Opportunity – what types of intrusions can
be detected by an AppIDS?
• Effectiveness – how well can those
intrusions be detected by an AppIDS?
• Cooperation – how can an AppIDS
cooperate with the OS IDS to be more
effective than either alone?

Case Studies
• Electronic Toll Collection
– hierarchical
– numerous devices distributed
– complementary device state values
– monitors external behavior
– accounting component
• Health Record Management
– non-hierarchical; modular
– no devices beyond controlling computer
– limited access in app’n
– bound by known physical & medical realities
– no financial component
– complex scheduling components

Electronic Toll Collection (ETC)
• Devices
– Toll Lane
• Tag Sensor
• Automated Coin Basket
• Toll Booth Attendant
• Loop Sensor
• Axle Reader
• Weigh-In-Motion Scale
• Traffic Signal
• Video Camera
– Vehicle
• Tag (Active/Passive)

ETC - Hierarchy

Toll Management Center
  – Toll Plaza | Toll Plaza | Toll Plaza | Other Devices
    • Toll Lane | Toll Lane | Toll Lane | Toll Lane | Toll Lane

Need Analysis Technique
• What intrusions make sense in app’n terms?
• How do you derive them?
• Is there a disciplined analysis approach that
ensures that “all” intrusions are found?
• Once an intrusion is defined, is there a way to
monitor for it within the application?
• Is there a relation to the OS, and information
that it has?

ETC - One Approach
Threat Categories → Specific Intrusions → Methods → Relations

• Start with the known threat categories
• How can they be manifested in app’n terms?
• Define app’n specific intrusions
• Determine method that abuser would use
• Define relations based on app’n state values that can be the basis for monitoring method

Threat Categories
• Denial of Service
• Disclosure
• Manipulation
• Masqueraders
• Replay
• Repudiation
• Physical Impossibilities
• Device Malfunctions

ETC - Appl’n Specific Intrusions
Threat Categories → Specific Intrusions → Methods → Relations

• Annoyance (3 methods)
• Steal Electronic Money (10 methods)
• Steal Vehicle (4 methods)
• Device Failure (1 method)
• Surveillance (2 methods)

ETC Intrusion - Steal Service
Steal Service methods (3): No tag and cover plate; Copy tag; Packet filter that discards all a tag's packets

Rel #  Relation Description                Execution Location  Methods detected (of 3)
1      Tag vs. Historical (Time) (stat)    TBP/TMC             1
4      Tag vs. Historical (Sites) (stat)   TMC                 1
5      Tag vs. Time (rule)                 TMC                 1
9      Tag vs. Axles (rule)                TBL                 3
25     Unreadable Tags (stat)              TBP/TMC             1

5 relations, 3 methods

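Added example (not from the Jones/Sielken slides): two of the Steal Service relations above, Tag vs. Axles (rule) and Tag vs. Historical (Time) (stat), evaluated over a constructed stream of toll-lane reads. The event fields, the tag-to-axles registry and the 10-read/5% thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed registry (assumption, not from the slides): axles registered per tag.
REGISTERED_AXLES = {"TAG-001": 2, "TAG-002": 5}

def tag_vs_axles(event):
    """Relation 9 (rule): axle-reader count must match the tag's registration.
    Fires for a copied tag on another vehicle, a covered plate, or a filtered tag."""
    expected = REGISTERED_AXLES.get(event["tag"])
    if expected is None:
        return "unregistered tag"
    if event["axles"] != expected:
        return f"axle mismatch: read {event['axles']}, registered {expected}"
    return None

class TagVsHistoricalTime:
    """Relation 1 (stat): flag a tag read at an hour rare in that tag's own history.
    No alert until min_history reads exist; hours seen below `threshold` are rare."""
    def __init__(self, min_history=10, threshold=0.05):
        self.hours = defaultdict(lambda: defaultdict(int))  # tag -> hour -> reads
        self.total = defaultdict(int)                        # tag -> reads
        self.min_history, self.threshold = min_history, threshold

    def observe(self, event):
        tag, hour, alert = event["tag"], event["hour"], None
        if self.total[tag] >= self.min_history:
            share = self.hours[tag][hour] / self.total[tag]
            if share < self.threshold:
                alert = f"unusual hour {hour:02d}: seen {share:.0%} of the time"
        self.hours[tag][hour] += 1  # extend the baseline after evaluating
        self.total[tag] += 1
        return alert

def run_monitor(events):
    """Evaluate both relations over a lane-event stream; return (index, alert) pairs."""
    stat, alerts = TagVsHistoricalTime(), []
    for i, ev in enumerate(events):
        for name, hit in (("Tag vs. Axles", tag_vs_axles(ev)),
                          ("Tag vs. Historical (Time)", stat.observe(ev))):
            if hit:
                alerts.append((i, f"{name}: {hit}"))
    return alerts

# Constructed stream: TAG-001 commutes at 08:00 and 17:00 for ten days, is then read
# at 03:00, and then a 5-axle truck passes the lane carrying a copy of the tag.
SAMPLE_EVENTS = [{"tag": "TAG-001", "axles": 2, "hour": h}
                 for _ in range(10) for h in (8, 17)]
SAMPLE_EVENTS += [{"tag": "TAG-001", "axles": 2, "hour": 3},
                  {"tag": "TAG-001", "axles": 5, "hour": 8}]
```

The rule relation fires on the copied tag immediately, while the statistical one needs a baseline first, which is why the slide executes the two at different locations (lane vs. plaza/management center).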
Health Record Management (HRM)
• Components
– Patient Records
– Orders – lists of all requests for drugs,
tests, or procedures
– Schedule – schedule for rooms for patient
occupancy, laboratory tests, or surgical
procedures (does not include personnel)
• Users
– doctors, laboratory technicians, and nurses

HRM - App’n Specific Intrusions
Threat Categories → Specific Intrusions → Methods → Relations

• Annoyance (4 methods)
• Steal Drugs (1 method)
• Patient Harm (6 methods)
• Surveillance (2 methods)

HRM - Patient Harm Intrusion
Patient Harm methods (6): Admin. an Allergic Drug; Perform Needless Procedure; Admin. Too Much of Drug; Admin. Improper Drug; Order Needless Drugs; Admin. Wrong Diet

Rel #  Relation Description                                       Methods detected (of 6)
2      Drug vs. Allergy (rule)                                    2
5      Drug vs. Diet (rule)                                       2
8      Drug vs. Historical (dosage) (stat)                        2
24     Patient Test Results vs. Test Results (Historical) (stat)  4

4 relations, 6 methods

Relate OS IDS to App IDS
• Similarities
– detect intrusions by evaluating relations to differentiate between anomalous and normal behavior
– centralized or decentralized (hierarchical)
– similar threat categories
• Differences
– anomaly detection using statistical and rule-based app’n relations
– internal intruders/abusers
– event causing entity
• outside system
– resolution -- finer grain
– tightness of thresholds



Relate OS IDS to App IDS (cont’d)
• Dependencies
– OS IDS on App IDS
• None
– App IDS on OS IDS
• basic security services
• prevent abuser from bypassing application control to access application components
• Cooperation
– correlate audit/event record
– communication
• bi-directional
• request-response
– complications
• terms of communication
• resource usage - lowest common denominator

Conclusion -- App IDS
• Opportunity
– app’n semantics are a rich basis for detecting
internal intruders (abusers)
– can detect intrusions not visible to OS
– intrusions relate to real world!
– monitors similar: rule-based & statistical relations
• Effectiveness
– grain and units of resolution much richer
– tighter thresholds
– less ambiguity of anomalous and normal behavior

Conclusion -- Next
• Have developed an analysis technique that permits
systematic derivation of intrusions; apply more
broadly
– heuristic; no guarantee of completeness
• Create definition of attacks; contrast to OS attacks
– Are there new categories of attacks -- beyond what we
see in OS’s/networks -- especially latent/lurking attacks
– Focus on critical national infrastructure applications
– Describe in CISL or other extant languages for attack
description

Conclusion -- Next (cont)
• Explore basis for a “generic” App IDS
– Define generic architecture and a set of tools
– To what extent can OS techniques/tools be extended

• Determine how and when OS IDS & App IDS can exchange questions & answers
– Resolve semantic mismatch
