Mohamed Hamdi
Part I: Security
Fundamentals
The need for security
Many companies rely on information and
communication technologies for their daily
business and private communication
Electronic services are increasingly developed
and deployed
Thousands of attacks per year are conducted
against these infrastructures resulting in huge
losses
Securing information systems is an urgent need
The number of services which are (partially or completely) provided via modern communications
infrastructures and information systems is growing explosively. Unfortunately, as these systems
get more sophisticated, so do the attacks carried out against them. Effectively, it appears that
every attack is linked to one or more specific services. This chapter addresses the relationship
between the attacker’s goals and the characteristics of the target service. More precisely, several
factors such as the proportionality of the complexity of the attack process to the budget spent to
conduct it will be investigated. Finally, novel attack trends will be explored based on intruder activity
in recent years.
Security services
A security service enhances the security of the
data processing and the information transfer of
an organization. It thwarts security attacks and
encompasses the use of security mechanisms
Service classes: Many classes can be
considered. The most important are
confidentiality, authentication, integrity, non-
repudiation, access control, availability,
anonymity, and data freshness
1. Confidentiality requires that the information in a computer system, as well as the transmitted
information, is accessible in read mode only by authorized parties
2. Authentication requires that the origin of a message is correctly identified, with assurance
that the identity is not false
3. Integrity requires that computer systems assets and transmitted information are accessible in
write mode only by authorized parties
4. Non-repudiation requires that neither the sender nor the receiver of a message is able to
deny the transmission
5. Access control requires that access to information is controlled by or for the target system
6. Availability requires that the information system assets can be accessed by authorized
parties when needed
7. Anonymity requires that the identity of the sender or the receiver is hidden to non-authorized
parties
8. Data freshness requires that the data transmitted between two parties has been generated
during the active session
Vulnerability
A feature or a combination of features of a
system that allows an adversary to place the
system in a state that is contrary to its normal
behavior
“A vulnerability is a feature or bug in a system or
program which enables an attacker to bypass
security measures.”
Schultz Jr. et al. 1990
A vulnerability is “an aspect of a system or
network that leaves it open to attack”
CERT 1993
Classifying vulnerabilities
Application-level vulnerabilities
– Operating systems
– Web applications (e.g., servers, servlets)
– Database applications
– Network protocol implementations
Protocol vulnerabilities
Human-related vulnerabilities
Equipment misconfiguration (e.g., firewall, router, switch, …)
Weak password protection
Confidentiality violations
Threats, intrusions, alerts
Threat: Any event that can result in a loss
for the target system
Intrusion: An activity that does not respect
the system’s security policy
Alert: A description of an attack which is
achieved by monitoring several system
parameters.
Generally, a threat is any event that can result in a loss for the target system. It can be
malevolent, accidental, or even due to a natural disaster. Threat modeling is an important practice
that provides the capability to secure a network environment. It is critical to be aware of the types
of threats and how to reduce or mitigate the risk both in systems and applications on network
devices.
To explain what an intrusion is, some fundamentals about security policy should be given. In its
broadest definition, a security policy consists of a set of rules that define how critical assets should
be secured. Based on this definition, an intrusion in an information system can be thought of as an
activity that does not respect the system’s security policy. In other terms, an action that violates
one or more security properties (i.e., confidentiality, integrity, availability) of the protected system is
considered as an intrusion. As an extension to this reasoning, an attack against a communication
network is not perceived as an intrusion if it does not violate the security rules of the target
system. In this case, the attack is not detected in time and the only information available
for the response team is the intrusion outcome; consequently, novel rules should be appended to
the security policy to prevent future occurrences of the experienced attack.
An alert can be loosely defined as a description of an attack which is achieved by monitoring
several system parameters. Alert generation is an event which is triggered by the occurrence of a
network attack. The main role of alert generation is that it allows the security analyst to identify the
attacks that are carried out against the system to proceed to the appropriate reaction. However,
the alert-attack association is never certain and a single alert can be related to more than one
attack. Hence, mechanisms to determine the most probable attack linked to a specific alert should
be available. Generally, the decision errors that confuse the alert-based incident response break
into two categories: (1) false positives (i.e., an alert is generated in the absence of a network
attack), and (2) false negatives (i.e., no alert is generated while an attack did occur).
Attacks
An abstract concept which is represented
by some pieces of information that may
vary according to the situation
Threat: outcome, probability
Intrusion: elementary actions, composition
rules
Alert: FP probability, FN probability,
alert/attack weight
It comes from the previous discussion that a network attack is rather an abstract concept which is
represented by some pieces of information that may vary according to the situation. For instance,
in the context of threat analysis, the information one is seeking is the knowledge of whether a
security breach has been experienced, and, if the answer is positive, what are the probability and
the impact. Conversely, when studying an alert, the main concern is to identify the malicious
action that is being carried out in order to react at the convenient moment and in a cost-effective
manner. Despite the pervasiveness of network attacks, several fundamental characteristics
should be taken into consideration independently from the way the attack is viewed.
Characterizing digital
attacks
Digital attacks have additional properties
compared with traditional ones
Coordination
Tracing difficulty
Rapid propagation
Self-propagation
Remote execution
Most known attacks
Password attacks
Malicious codes
Sniffing
Scanning
Identity spoofing
Denial of service
Integrity violations
Intrusions
Attack features
Coordination: the attacker often combines
multiple elementary attacks or uses
several external resources
difficult to detect, difficult to characterize
Incomplete knowledge: an amount of
uncertainty always characterizes the
attack events
Versioning: the attack scheme is kept
modulo slight modifications
Analyzing common attack features is helpful in the sense that it conveys a better understanding of
both the attacker behavior and the defense capabilities. The most prominent attack
characteristics can be summarized in the following points:
1. Coordination: To achieve a major objective, the attacker often combines multiple elementary
attacks or uses several external resources. This is due to the fact that organized attacks
aiming at disrupting critical infrastructure are beyond the capabilities of a single attacker.
Therefore, multiple attackers can cooperate by resource sharing, task allocation, and
synchronization. Obviously, such attacks are more difficult to detect and to counter.
2. Incomplete knowledge: Threats and alerts, which are often used to select the optimal set of countermeasures for a
specific attack scenario, are characterized by an amount of uncertainty. This uncertainty
should be taken into consideration when making decisions based on threat or alert
representation of network attacks. Practically, threats and alerts are used to select the best
set of countermeasures according to a cost-benefit balance. On the one hand, modeling a
threat allows thwarting the attack before its occurrence by adding rules to the security policy.
On the other hand, alerts provide a strong means for reacting against intrusions.
3. Versioning: Statistics show that attack schemes seldom vary. Attackers often introduce
several slight modifications on the attack tool in order to adapt to the existing vulnerabilities or
to bypass the protection mechanisms.
Active/passive attacks
Active attacks: involve some modification of the
data stream or the creation of a false stream
Passive attacks: provide information about the
information system
Footprinting: creating a complete profile of an
organization’s security capabilities
Scanning: determining what systems are alive and
reachable from the network
Enumeration: identifying the accounts that allow
access to the victim’s information system
Similarly to physical attacks, a network attack is commonly carried out through two phases. The
first phase, called reconnaissance, consists in collecting the necessary information in
preparation for the effective attack activity. The second phase, which is the actual attack,
consists in conducting the actions that lead to the final attacker objectives. Customarily, active
attacks occur in the second phase whilst passive attacks are carried out during the early
attack steps.
1. Active attacks: These attacks can have many schemes and achieve different goals (e.g.,
violating confidentiality, compromising integrity). They encompass several modifications of the
transmitted streams or the creation of active connections that do not conform with the ‘normal’
system behaviour. The most important categories of active attacks include: session
hijacking, password cracking, malicious codes, denial of service, and buffer overflow.
2. Passive attacks: These attacks are conducted to methodically gather information about the
information system of the victim organization. They basically break into three categories:
1. Footprinting
2. Scanning
3. Enumeration
It is noteworthy that several scanning and enumeration techniques can, in some situations, be
considered as active attacks.
Footprinting
Footprinting activities break into four
categories:
Identifying the major activities supported by
the information system
Enumerating the networks and the associated
domain names
DNS interrogation
Network reconnaissance
Footprinting basically aims at gathering general information about the target information system.
The objective is to facilitate the next attack steps in the sense that their complexity is reduced.
Four fundamental footprinting activities can be considered:
1. Identifying the major activities supported by the information system: Organizations’ web
servers often aid the attackers in finding useful information. Therefore, HTML pages are
scrupulously reviewed by attackers in order to extract coarse information about the victim
organization. Moreover, the source code of these HTML pages is of utmost importance to the
attacker because items hidden within comment clauses (e.g., “<”, “!”) often conceal important
data. To this end, downloading a mirror of the website of interest can be performed to
scrutinize the source code offline.
2. Enumerating the networks and the associated domain names: Using the different options of
the “whois”-based queries allows the attacker to glean useful information about the registrar,
the organization, the domain name, the network, or even the point of contact.
3. DNS interrogation: The real problem with DNS queries occurs when an organization does not
use a public/private DNS mechanism to segregate their external DNS information (which is
public) from its internal, private DNS information. In this case, internal hostnames and IP
addresses are disclosed to the attacker. Providing internal IP address information to an
untrusted user over the Internet is akin to providing a complete blueprint, or roadmap, of an
organization’s internal network.
4. Network reconnaissance: The objective of this step is to determine the network topology as
well as potential access paths to the victim network. The “traceroute” command is often used
for this purpose.
Scanning
The objectives of the scanning activity are
basically:
Identifying both the TCP and UDP services
running on the target system
Identifying the type of operating system of the
target system
Identifying specific applications or versions of
a particular service
The attacker can gather many kinds of valuable information using the following scanning
mechanisms:
1. ICMP-based scanning techniques: Ranging from ‘ping sweeps’ to more clever ICMP queries,
these techniques primarily reveal which hosts are alive within a portion of the network,
but they can also provide more accurate information. For example, with the UNIX tool
icmpquery (http://packetstorm.securify.com/UNIX/scanners/icmpquery.c) – or icmpush
(http://packetstorm.securify.com/UNIX/scanners/icmpush22.tgz), you can request the time on
the system (to see the time zone the system is in) by sending an ICMP type 13 message
(TIMESTAMP). And you can request the netmask of a particular device with the ICMP type 17
message (ADDRESS MASK REQUEST). The netmask of a network card is important because
you can determine all the subnets being used.
2. Port scanning: The major objective of port scanning is to identify listening TCP and UDP ports
on the target system. However, it can also extend to operating system identification. The
most known port scanning techniques include active stack fingerprinting, TCP SYN scanning,
TCP connect scanning, TCP FIN scanning, TCP Null scanning, TCP Xmas Tree scanning,
TCP ACK scanning, TCP window scanning, TCP RPC scanning, and UDP scanning.
Enumeration
Enumeration activities aim at identifying:
Poorly protected network resources and shares
Weakly authenticated active user accounts
Vulnerable applications and operating systems
Enumerating techniques are operating system-
specific
Information is gathered through active
connections to target systems and directed
queries
Buffer overflows
Buffer overflow attacks exploit the procedure call flow to execute non-authorized commands.
From one point of view, a procedure call alters the flow of control just as a jump does, but unlike a
jump, when finished performing its task, a function returns control to the statement or instruction
following the call. Basically, a buffer overflow is the result of stuffing more data into a buffer than it
can handle. It allows the attacker to change the return address of a function so that he can change
the flow of execution of the program. Typically, the return pointer of a given function is replaced by
the address of the non-authorized process (or command) that the attacker wants to execute.
Buffer overflow-based attacks can be categorized into stack overflow, heap overflow, stack
overrun, and heap overrun.
Denial-of-Service
DoS attacks aim at stopping the access to
a specific service to legitimate and
authorized users
The outcome of DoS attacks is
proportional to the importance of the victim
service
Most DoS attacks rely on the flooding
principle
Denial-of-Service attacks use the nature of a communication protocol and flood a target with a
specific packet. Three major examples of flooding attacks are considered in the following:
- SYN flood: The SYN flood attack consists simply in sending a large number of SYN packets and
never acknowledging any of the replies (i.e., SYN-ACK). This violation of the TCP handshake
leads the recipient to accumulate more records of SYN packets than his software (implementing
the TCP/IP stack) can handle. The most popular version of the attack does not reveal the actual
IP address of the hacker. In fact, the return address associated with the initial SYN packets is in
this case not valid; therefore, the victim would return the SYN-ACK packet to an address that does
not respond or even does not exist.
A technical fix, called SYN cookies, was found and incorporated in the Linux OS in 1996
(it has since been extended to some other OSs). Rather than keeping a copy of the incoming
SYN packet, the victim simply uses a sequence number that is derived from the sequence number
of the attacker (i.e., the host that initiates the connection).
- Smurf attack: This attack exploits the Internet Control Message Protocol (ICMP), which enables
users to send an echo packet to a remote host to check whether it is alive. The problem arises
with broadcast addresses that correspond to more than one host. Some implementations of the
Internet protocols respond to pings to both the broadcast address and their local address (the idea
was to test a LAN to gather the hosts that are alive). The attack is to construct a packet with the
source address forged to be that of the victim, and send it to a number of Smurf amplifiers that will
each respond (if alive) by sending a packet to the target, and this can swamp the target with more
packets than it can cope with.
- Tribe Flood Network (TFN): TFN is made up of client and daemon programs, which implement a
distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood,
and Smurf style attacks. The attacker(s) control one or more clients, each of which can control
many daemons. The daemons are all instructed to coordinate a packet based attack against one
or more victim systems by the client. This reduces the chances of the victim ‘surviving’ the
flooding attack because he would face hundreds (even thousands) of machines instead of a single
attacker. This type of attack also hides the identity of the attack source.
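The SYN cookie fix mentioned under the SYN flood item, as an added sketch that is not part of the original slides and is not the Linux implementation: the server derives its own initial sequence number from a keyed hash of the addresses, ports, the initiator's sequence number and a coarse time counter, so it keeps no record of the SYN and can still validate the final ACK. The HMAC construction, the 64-second time slot, the bit layout and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"  # per-server secret (constructed sample value)
SLOT_SECONDS = 64                    # assumed granularity of the time counter
MAX_AGE_SLOTS = 2                    # accept the current and the previous slot


def _mac24(src, sport, dst, dport, client_isn, slot):
    """24-bit keyed hash binding the cookie to one connection attempt."""
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    msg += struct.pack("!HHIQ", sport, dport, client_isn, slot)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, client_isn, now):
    """Server sequence number for the SYN-ACK; nothing is stored about the SYN."""
    slot = int(now) // SLOT_SECONDS
    mac = _mac24(src, sport, dst, dport, client_isn, slot)
    # Top 8 bits: time slot modulo 256; low 24 bits: keyed hash.
    return ((slot & 0xFF) << 24) | int.from_bytes(mac, "big")


def check_ack(src, sport, dst, dport, seq, ack, now):
    """Validate the final ACK, where seq = client ISN + 1 and ack = cookie + 1."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    current = int(now) // SLOT_SECONDS
    for age in range(MAX_AGE_SLOTS):
        slot = current - age
        if slot < 0 or (cookie >> 24) != (slot & 0xFF):
            continue
        expected = _mac24(src, sport, dst, dport, client_isn, slot)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return True          # only now would the server allocate connection state
    return False


if __name__ == "__main__":
    # Constructed sample handshake between documentation-range addresses.
    client, server = ("198.51.100.7", 40000), ("192.0.2.10", 80)
    t0, isn = 1_000_000, 123456
    cookie = make_cookie(*client, *server, isn, t0)
    print("genuine ACK accepted:",
          check_ack(*client, *server, isn + 1, (cookie + 1) & 0xFFFFFFFF, t0 + 1))
    print("ACK with wrong source accepted:",
          check_ack("203.0.113.5", 40000, *server, isn + 1,
                    (cookie + 1) & 0xFFFFFFFF, t0 + 1))
```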
Spoofing attacks
The attacker fakes his identity as that of a
legitimate user
The most known spoofing techniques include:
IP address spoofing
ARP address spoofing
Session hijacking
DNS spoofing
Sequence number spoofing
Phishing
In a spoofing attack, a user appears to be someone else, i.e., the attacker fakes his identity as that
of a legitimate user. Because of spoofing, the attacker is able to manipulate packets so that they
appear to come from another system or network. Thus, spoofing could include spoofing an
internal network IP address or return email address. This attack technique is customarily used to
prepare for perpetrating flooding or other denial of service attacks. Spoofing covers a large
category of computer attacks. It basically stands for identity falsification or masquerading. This
attack class includes IP address spoofing, session hijacking, Domain Name Service (DNS)
spoofing, sequence number spoofing, and replay attacks.
For example, in the case of sequence number spoofing, the attacker must monitor the packets
sent from A to B and then guess the sequence number of the packets. Then the attacker knocks
out A with a S attack and injects his own packets, claiming to have the address of A. A's firewall
can defend against spoof attacks when it has been configured with knowledge of all the IP
addresses connected to each of its interfaces. It can then detect a spoofed packet if it arrives on
an interface to which its source address is not known to be connected. Many carelessly designed
protocols are subject to spoof attacks, including many of those used on the Internet.
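The interface check described above, as an added example that is not part of the original slides: the firewall holds a table of the prefixes reachable through each interface and flags any packet whose source address does not belong on the interface it arrived on. The interface names, prefixes and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed sample topology: prefixes known to sit behind each interface.
INTERFACE_PREFIXES = {
    "lan0": ["10.1.0.0/16"],
    "mgmt0": ["10.1.99.0/24"],   # more specific than lan0's prefix
    "dmz0": ["192.0.2.0/24"],
}
EXTERNAL_IF = "wan0"             # any address not listed above belongs here


def build_table(prefixes=INTERFACE_PREFIXES):
    """Flatten the configuration into (network, interface), most specific first."""
    table = [(ipaddress.ip_network(p), ifname)
             for ifname, plist in prefixes.items() for p in plist]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def expected_interface(src, table):
    """Interface on which a packet with this source address should arrive."""
    addr = ipaddress.ip_address(src)
    for net, ifname in table:
        if addr.version == net.version and addr in net:
            return ifname        # longest matching prefix wins
    return EXTERNAL_IF


def is_spoofed(arrival_if, src, table):
    """True if the source address cannot legitimately appear on arrival_if."""
    addr = ipaddress.ip_address(src)
    # These are never valid as the source of a forwarded packet.
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return True
    return expected_interface(src, table) != arrival_if


def audit(packets, table):
    """Return the (arrival_if, src, dst) packets that fail the check."""
    return [p for p in packets if is_spoofed(p[0], p[1], table)]


if __name__ == "__main__":
    table = build_table()
    # Constructed sample packets: (arrival interface, source, destination).
    packets = [
        ("lan0", "10.1.5.5", "203.0.113.9"),    # internal host going out
        ("wan0", "10.1.5.5", "192.0.2.20"),     # internal source seen from outside
        ("lan0", "10.1.99.7", "192.0.2.20"),    # management address on the user LAN
        ("wan0", "203.0.113.9", "192.0.2.20"),  # ordinary external client
    ]
    for pkt in audit(packets, table):
        print("spoofed source:", pkt)
```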
Another kind of spoofing is "web page spoofing," also known as phishing. In this attack, a web
page is reproduced almost as it is to another server but is owned and operated by someone else.
This attack is intended to trick the victims into thinking that they are connected to a trusted site.
Typically, a payment system's login page might be spoofed allowing the attacker to harvest user
names and passwords. This is often performed with the aid of DNS cache poisoning in order to
direct the user away from the legitimate site and into the false one. Once the user puts in his
password, the attack-code reports a password error, and then redirects the user back to the
legitimate site.
Preventive security
Reactive security
Further readings
M. Hamdi, N. Boudriga, “Network Attacks,” The
Handbook of Computer Networks, Vol. 3, EiC: Hossein
Bidgoli, John Wiley & Sons, ISBN: 0471784613, 2007.
J. Scambray, S. McClure, G. Kurtz, “Hacking Exposed,”
Osborne/McGraw-Hill, ISBN: 0-07-219214-3, 2001.
Part II: Preventive
countermeasure
techniques
1- Firewalls
“The basic function of a firewall is to screen
network communications for the purposes of
preventing unauthorized access to or from a
computer network”
Strassberg et al. “Firewalls: the Complete Reference” 2002
A firewall allows defining multiple security
domains
A firewall has the following properties:
All communications should pass through the firewall
Only authorized traffic is permitted
Security mechanisms should protect the firewall itself
from attacks
Assessing the firewall
technology
Firewall strengths
Enforcing security policies
Restrict access to specific services
Log the access activity
Firewall weaknesses
Attacks can be embedded in the normal system
behaviour
Efficiency depends on the implemented rules (i.e.,
security policy)
High-speed traffic cannot be fully inspected by the
firewall
Firewall technologies
Four firewall technologies are commonly
considered
Packet filters
Application gateways
Circuit-level gateways
Packet filtering (1)
Based on packet header, the firewall decides to:
Pass the packet to an adjacent security domain
Drop the packet
Reject the packet
The set of rules (security policy) should take into
consideration
Source and destination IP addresses
Transport and network protocols
Source and destination port numbers
Packet filtering (2)
Advantages
Little overhead
Reduced cost
Disadvantages
Direct external/internal connectivity
Weak perimeter security
Low scalability
Application gateways
Log information about
Origin, address, destination, time, duration
The client program talks to the application
gateway instead of the real server
The client program should include
Proxy-aware application software
Proxy-aware operating system software
Proxy-aware routers
Stateful packet inspection
engines
Packet is inspected to determine whether it is
part of an existing, established communication
flow
Depending on the protocol, the packet may be
inspected further
If the packet does not have a corresponding
entry in the connection table, the firewall will
inspect the packet against the configured rule
set
The firewall typically uses timers and TCP FIN
packet inspection to determine when to remove
the connection from the connection table
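How the packet-filtering rule set and the connection table fit together, as an added example that is not part of the original slides: a packet belonging to a tracked flow passes without consulting the rules, any other packet is matched against a first-match rule list on addresses, protocol and destination port, and entries leave the table through timers and FIN inspection. The rule format, the timeout values, the default-deny policy and the requirement that only a bare SYN may open a TCP flow are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass", "drop" or "reject"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source prefix (CIDR)
    dst: str               # destination prefix (CIDR)
    dport: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    ts: float              # arrival time in seconds
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"FIN", "ACK"}


class StatefulFirewall:
    def __init__(self, rules, idle_timeout=60.0, close_wait=2.0):
        self.rules = rules
        self.idle_timeout = idle_timeout   # assumed idle timer
        self.close_wait = close_wait       # assumed grace period after both FINs
        self.table = {}                    # flow key -> {"expires", "fin_from"}

    @staticmethod
    def _key(p):
        # Both directions of a flow map to the same key.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def _match_rules(self, p):
        for r in self.rules:
            if (r.proto in ("any", p.proto)
                    and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src)
                    and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst)
                    and r.dport in (None, p.dport)):
                return r.action
        return "drop"                      # default deny (assumption)

    def process(self, p):
        # Timer-based removal of entries whose lifetime has run out.
        for key in [k for k, e in self.table.items() if e["expires"] <= p.ts]:
            del self.table[key]
        key = self._key(p)
        entry = self.table.get(key)
        if entry is not None:              # part of an established flow
            if "RST" in p.flags:
                del self.table[key]
            else:
                if "FIN" in p.flags:
                    entry["fin_from"].add(p.src)
                if len(entry["fin_from"]) == 2:
                    # Both sides closed: keep the entry only long enough
                    # for the final ACK, then let the timer remove it.
                    entry["expires"] = min(entry["expires"], p.ts + self.close_wait)
                else:
                    entry["expires"] = p.ts + self.idle_timeout
            return "pass"
        action = self._match_rules(p)      # no entry: consult the rule set
        if action == "pass":
            if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
                return "drop"              # assumption: only a bare SYN opens a flow
            self.table[key] = {"expires": p.ts + self.idle_timeout, "fin_from": set()}
        return action
```

Note that the reply from the external server is passed only because of the table entry; no rule in a typical rule set would allow it on its own.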
2- Cryptography-Based
Security
Cryptography is the study of mathematical
techniques related to aspects of
information security such as
confidentiality, data integrity, entity
authentication, and data origin
authentication
Cryptanalysis is the science of recovering
the plaintext from cipher-text without
possessing the key
Generic cryptographic
scheme
Symmetric algorithms
Key1 = Key2, or are easily derived from each other.
Asymmetric or public key algorithms
Different keys, which cannot be derived from each other.
Public key can be published without compromising private
key.
Encryption and decryption should be easy, if keys are
known.
Encryption scheme
An encryption scheme consists of two sets
$\{E_{k_e} : k_e \in K\}$ and $\{D_{k_d} : k_d \in K\}$ verifying
$\forall k_e \in K,\ \exists!\, k_d \in K : D_{k_d} = E_{k_e}^{-1}$
Perfect secrecy
A perfect encryption scheme can exist only if
the secret information k is as long as the
plaintext [Shannon, 1943]
P = {p1,..,pn}, C = {c1,..,cq}
p(pi) = Pr[‘transmit pi’]
p(pi|cj) = Pr[‘recover pi from cj’]
Perfect authenticity
Impersonation attack: The adversary forms a
fraudulent cryptogram cl without knowledge about the
authentic cryptogram cj
Substitution attack: The adversary forms a fraudulent
cryptogram cl having some knowledge about the
authentic cryptogram cj
Perfect authenticity can not be rigorously achieved
(Pr[‘impersonation’] ≥ card(P)/card(C))
“Perfect authenticity” is achieved if, and only if,
$\min(\Pr[\text{impersonation}], \Pr[\text{substitution}]) = 2^{-I(k, c_j)}$
Modern cryptography
The assumption that the adversary has
unlimited computing resources is abandoned
Encryption, decryption, and the adversary are
modeled by probabilistic algorithms
The running times of the encryption,
decryption, and adversary algorithms are
measured as functions of a security
parameter s
Stream ciphers
For a plaintext $P = x_1 x_2 x_3 x_4 x_5 \ldots$ and a key $k = k_1 k_2 k_3 k_4 \ldots$, there exists a function $f$ and an encryption
algorithm $E_t$ such that
$C = E_{k_1}(x_1)\, E_{k_2}(x_2) \ldots$
$k_i = f(k, x_1, \ldots, x_{i-1})$
The values $k_1, k_2, k_3, \ldots$ are called the key stream
Synchronous cipher is the one where the key
= ki
Synchronous Vs self-
synchronizing stream ciphers
(1)
Synchronous Vs self-
synchronizing stream ciphers
(2)
Block Ciphers
Block ciphers simultaneously encrypt groups of characters
of a plaintext message using a fixed encryption
transformation
Memoryless, i.e. the same function (and the same key) is
used to encrypt successive blocks
Some modes of use:
Electronic Code Book ECB:
Each plaintext block is encrypted independently
The blocks of encrypted messages are not linked
Design characteristics for
block ciphers
Choice of block length n
n too long ⇒ complex algorithm, performance loss
n too short ⇒ weak encryption, easy to attack
compromise
Definition of encryption function ek
Good algorithms can be published, data are protected by hiding
the key
Choice of the key length of k
k too short ⇒ systematic testing of all valid keys (Brute Force
attack)
(Against Brute Force attacks a minimum of 70 bits is necessary)
Data Encryption Standard (DES)
64-bit input
1. Initial block permutation
2. Generation of round keys: the 56-bit key kDES is used to generate 16 per-round keys of 48 bits each (k1, k2, …, k16)
3. Encryption in 16 identical rounds: Round 1 (k1), Round 2 (k2), …, Round 16 (k16)
Additional step: swap left and right halves
4. Final block permutation
64-bit output
Step 1 and 4: input and output
permutations
Input permutation (IP)
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7
(1 goes to 40)
Output permutation (IP-1)
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
(40 goes to 1)
Step 3 : one DES round
[Figure: one DES round, shown for encryption and for decryption; each side applies the cipher function and a “+” (XOR) combination]
Step 3: cipher function -
substitution
Expand 32-bit input block Ri to a 48-bit block Ri’
Divide 32-bit input block into 8 chunks of 4 bits
Input bits: 1 2 3 4 5 6 7 8 9 … 32
Expanded bits: 32 1 2 3 4 5 | 4 5 6 7 8 9 | …
Step 3 : cipher function: S-
Boxes for substitution
RSA
1. Choose 2 large prime numbers, p and q, of
equal length, compute p x q = n, which is
the public modulus
2. Choose a random public key, e, so that e
and (p-1)(q-1) are relatively prime
3. Compute d such that e x d = 1 mod (p - 1)(q - 1)
4. Thus, C = P^e mod n, P = C^d mod n
where P is the plaintext and C is the cipher-text.
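The four steps carried through with small numbers, as an added example that is not part of the original slides: the private exponent d is obtained with the extended Euclidean algorithm, and a public exponent that shares a factor with (p-1)(q-1) is rejected. The primes, exponent and message are constructed toy values, far too small for real use, and no padding is applied.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def rsa_keygen(p, q, e):
    """Steps 1 to 3: return ((e, n), (d, n)) for given primes p, q and exponent e."""
    n = p * q                              # step 1: public modulus
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:                   # step 2: e must be invertible mod phi
        raise ValueError("e and (p-1)(q-1) are not relatively prime")
    _, x, _ = egcd(e, phi)                 # step 3: e*x + phi*y == 1
    d = x % phi                            # so e*d == 1 mod phi
    return (e, n), (d, n)


def rsa_encrypt(plaintext, public_key):
    """Step 4: C = P^e mod n. The plaintext must be an integer below n."""
    e, n = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must satisfy 0 <= P < n")
    return pow(plaintext, e, n)


def rsa_decrypt(ciphertext, private_key):
    """Step 4: P = C^d mod n."""
    d, n = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)    # constructed toy parameters
    c = rsa_encrypt(65, public)
    print("public key :", public)
    print("private key:", private)
    print("C =", c, " P =", rsa_decrypt(c, private))
    # Without padding the scheme is deterministic: the same plaintext
    # always yields the same ciphertext under the same key.
    print("deterministic:", rsa_encrypt(65, public) == c)
```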
Elliptic Curve Cryptography
(ECC)
Elliptic Curve: y^2 = x^3 + ax + b
Addition is the counterpart of modular
multiplication, and Multiplication is the
counterpart of modular exponentiation.
Given two points, P and R, on the elliptic curve
where P = KR, finding K is a hard problem,
as for the discrete logarithm problem.
A 160-bit key is equivalent to a 1024-bit RSA key.
Cryptographic Attacks (1)
1. Brute Force
2. Known Plaintext
3. Chosen Plaintext
4. Adaptive Chosen Plaintext
5. Ciphertext Only
6. Chosen Ciphertext
7. Adaptive Chosen Ciphertext
Cryptographic Attacks (2)
8. Birthday Attack
9. Meet-in-the-Middle
10. Man-in-the-Middle
11. Differential Cryptanalysis
12. Linear Cryptanalysis
13. Differential Linear Cryptanalysis
14. Factoring
15. Statistical
3 - Virtual Private Networks
A method of ensuring private, secure
communication between hosts over an
insecure medium using tunneling
Often established between geographically
separate locations (not a necessary
condition)
Via tunneling and software drivers, a
computer is logically directly connected to
a network that it is not physically a part of
Tunneling
Putting one type of packet inside another
Both parties must be aware of the tunnel for it
to work
Tunnels are practically built using some
means of encryption to secure
communications
IPSec
SSH
Many VPN packages use tunneling to create a private network, including several that we review in
this book: the AltaVista Tunnel, the Point-to-Point Tunneling Protocol (PPTP), the Layer 2
Forwarding Protocol, and IPSec's tunnel mode. VPNs allow you to connect to a remote network
over the Internet, which is an IP network. The fact is, though, that many corporate LANs don't
exclusively use IP (although the trend is moving in that direction).
Networks with Windows NT servers, for instance, might use NetBEUI, while Novell servers use
IPX. Tunneling allows you to encapsulate a packet within a packet to accommodate incompatible
protocols. The packet within the packet could be of the same protocol or of a completely foreign
one. For example, tunneling can be used to send IPX packets over the Internet so that a user can
connect to an IPX-only Novell server remotely.
With tunneling you can also encapsulate an IP packet within another IP packet. This means you
can send packets with arbitrary source and destination addresses across the Internet within a
packet that has Internet-routable source and destination addresses. The practical upshot of this is
that you can use the reserved (not Internet-routable) IP address space set aside by the Internet
Assigned Numbers Authority (IANA) for private networks on your LAN, and still access your hosts
across the Internet.
RA versus SS VPNs
Remote-Access
The typical example of this is a dial-up
connection from home or for a mobile worker,
who needs to connect to secure materials
remotely
Site-to-Site
The typical example of this is a company that
has offices in two different geographical
locations, and wants to have a secure
network connection between the two
VPN-based security services
VPN architectures
The following architectures are often
considered to establish tunnels
Gateway to gateway
• Using two VPN-aware gateways
End host to gateway
• End host uses VPN Software
End host to end host
• Both hosts use software
End host to concentrator
Introduction to IPSec
Designed to combat specific shortcomings
in IP
Address forgery
Payload Modification
Replay
Sniffing
IP packets have no inherent security. It is relatively easy to forge the addresses of IP packets, modify the contents of IP
packets, replay old packets, and inspect the contents of IP packets in transit. IP-level security implements
functions to fulfill three major security properties: authentication, confidentiality, and integrity. The authentication
mechanisms guarantee that a received packet was, in fact, transmitted by the party specified by the source address
in the packet header. In addition, the integrity mechanism makes it possible to check whether the packet has been altered in transit.
The confidentiality functionalities enable communicating parties to encipher the transmitted data in order to
prevent third parties from getting read access to sensitive information.
IPSec can be used in many contexts including the following:
1. Establishing a secure connection between a company’s headquarters and its branch office(s): A company can build
IPSec-based virtual private networks over a public network (e.g., the Internet) to transmit sensitive data between the
headquarters and the branch offices. Such a solution basically saves costs and network management
overhead.
2. Getting secure remote access to a company’s network: An employee can gain secure access over the Internet to the
company’s private network. This reduces toll charges because the user makes a local call to the
Internet Service Provider (ISP) to connect to the company’s network.
3. Establishing end-to-end secure connections between hosts: Network applications requiring the protection of
sensitive data can use IPSec functions in order to provide secure connectivity between two hosts where the
application is installed.
55
Security Association
A one way relationship between a sender
and a receiver
Identified by three parameters:
Security Parameter Index (SPI)
IP Destination address
56
SA parameters
The parameters defining a SA are
Sequence number counter
Sequence number overflow
Antireplay window
Lifetime
Mode
Tunnel parameters
PMTU parameters
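Added example (not part of the original slides): how the sequence number counter, the overflow flag and the antireplay window listed above work together on one SA. It assumes the sliding-window scheme of the IPSec specifications (32-bit sequence numbers, a bitmap window); the class and function names, the 4-packet window and the arrival sequence are constructed for illustration.

```python
class OutboundSA:
    """Sender side: the SA's sequence number counter and overflow flag."""

    MAX_SEQ = 0xFFFFFFFF  # 32-bit sequence number field

    def __init__(self, allow_overflow=False):
        self.counter = 0                  # set to 0 when the SA is created
        self.allow_overflow = allow_overflow

    def next_seq(self):
        if self.counter == self.MAX_SEQ:
            if not self.allow_overflow:
                # With anti-replay in use the counter must never cycle:
                # the SA has to be replaced by a new one (with new keys).
                raise OverflowError("sequence space exhausted, renegotiate the SA")
            self.counter = 0
        self.counter += 1                 # the first packet on an SA carries 1
        return self.counter


class ReplayWindow:
    """Receiver side: sliding bitmap window over recently seen numbers."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """Cheap test done before the integrity check value is verified."""
        if seq == 0:
            return False                  # 0 is never sent on an SA
        if seq > self.top:
            return True                   # right of the window: new packet
        offset = self.top - seq
        if offset >= self.size:
            return False                  # left of the window: too old
        return not ((self.bitmap >> offset) & 1)

    def update(self, seq):
        """Record seq. Call only after the packet has been authenticated."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window, seq, icv_ok):
    """Inbound decision for one packet; icv_ok is the result of the MAC check."""
    if not window.check(seq):
        return "drop-replay"
    if not icv_ok:
        # A forged packet must not move the window, otherwise an attacker
        # could push genuine packets out of it.
        return "drop-bad-icv"
    window.update(seq)
    return "accept"


def demo():
    """Constructed arrival order on one inbound SA with a 4-packet window."""
    window = ReplayWindow(size=4)
    arrivals = [(1, True), (3, True), (2, True), (3, True),
                (10, False), (10, True), (6, True), (7, True)]
    return [receive(window, seq, ok) for seq, ok in arrivals]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
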
57
Security policy Database
Used to relate SAs to IP traffic
SPD entries consist of:
Parameters defining a subclass of IP traffic
(selectors)
SA pointers
An interaction between the SPD and the
SADB should exist
58
Outbound vs Inbound policy
(1)
Outbound IPSec policy
Compare selector fields (in the packet) to
SPD entries, retrieve SA pointers in case of
match
Determine the appropriate SA(s) for the
packet (SADB queries)
Apply the required IPsec processing
59
Outbound vs Inbound policy
(2)
Inbound IPSec policy
If the packet does not contain any IPSec header
• SPD is checked (using selector fields) for the appropriate
policy
• The potential actions are ‘discard’, ‘bypass’, or ‘apply’
If the packet contains an IPSec header
• The IPSec layer extracts the SPI, the source IP address, and
the destination IP address from the packet
• SADB queries are performed to appropriately decapsulate
the packet
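Added example (not from the original slides): the outbound and inbound decisions described above, with the SPD as an ordered list of selectors and the SADB as a dictionary. The addresses, SPIs and policy entries are constructed; the SADB key (SPI, destination address, IPSec protocol), the 'negotiate' result for a missing SA and the `inner` field standing in for the decapsulated packet are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """Subset of the selector fields: addresses, upper-layer protocol, port."""
    src: str
    dst: str
    proto: str = "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


def lookup(spd, pkt):
    """First matching SPD entry wins; traffic matching nothing is discarded."""
    for selector, action, sa_pointer in spd:
        if selector.matches(pkt):
            return action, sa_pointer
    return "discard", None


def outbound(pkt, spd_out, sadb):
    """Selector match -> SA pointer -> SADB query -> IPSec processing."""
    action, sa_pointer = lookup(spd_out, pkt)
    if action != "apply":
        return action, None                  # 'discard' or 'bypass'
    sa = sadb.get(sa_pointer)
    if sa is None:
        return "negotiate", None             # no SA yet: key management must create one
    return "apply", sa


def inbound(pkt, spd_in, sadb):
    header = pkt.get("ipsec")
    if header is None:
        # No IPSec header: the SPD decides. Traffic that policy says must be
        # protected is dropped when it shows up in the clear.
        action, _ = lookup(spd_in, pkt)
        return "discard" if action == "apply" else action
    sa_key = (header["spi"], pkt["dst"], header["proto"])
    if sa_key not in sadb:
        return "discard"                     # unknown SPI
    # After decapsulation, confirm the inner packet was allowed on this SA.
    action, required_sa = lookup(spd_in, pkt["inner"])
    if action == "apply" and required_sa == sa_key:
        return "deliver"
    return "discard"


# Constructed gateways, SAs and policies for site A (10.1/16) and site B (10.2/16).
GW_A, GW_B = "203.0.113.1", "203.0.113.2"
SA_OUT = (0x1001, GW_B, "esp")
SA_IN = (0x2002, GW_A, "esp")
SADB = {SA_OUT: {"mode": "tunnel", "peer": GW_B},
        SA_IN: {"mode": "tunnel", "peer": GW_B}}
SPD_OUT = [
    (Selector("10.1.0.0/16", "10.2.0.0/16"), "apply", SA_OUT),
    (Selector("10.1.0.0/16", "0.0.0.0/0", "udp", 53), "bypass", None),
]
SPD_IN = [
    (Selector("10.2.0.0/16", "10.1.0.0/16"), "apply", SA_IN),
    (Selector("0.0.0.0/0", "10.1.0.0/16", "icmp"), "bypass", None),
]

if __name__ == "__main__":
    site_to_site = {"src": "10.1.5.9", "dst": "10.2.0.7", "proto": "tcp", "dport": 443}
    print(outbound(site_to_site, SPD_OUT, SADB))
    spoofed = {"src": "10.2.0.7", "dst": "10.1.5.9", "proto": "tcp", "dport": 22}
    print(inbound(spoofed, SPD_IN, SADB))
```
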
60
Outbound vs Inbound policy
(3)
61
AH and ESP
AH provides proof-of-data origin on
received packets, data integrity, and anti-
replay protection
ESP provides all that AH provides in
addition to optional data confidentiality and
limited traffic confidentiality
The method of protecting IP datagrams or upper-layer protocols uses one of the IPSec protocols, the Encapsulating
Security Payload (ESP) or the Authentication Header (AH). AH provides proof-of-data origin on received packets, data integrity,
and anti-replay protection while ESP provides, in addition to the services offered by AH, optional data confidentiality
and limited traffic confidentiality. The IPSec authentication functions allow a networked system to authenticate IP
traffic so that it can be filtered appropriately. They also prevent IP spoofing attacks.
62
AH (1)
Authentication Header protocol
Offers Authenticity and Integrity
Uses cryptographic hash
• Prevents IP Spoofing
Authentication Header (AH) provides authentication and integrity to the datagrams passed
between two systems. It achieves this by applying a keyed one-way hash function to the datagram
to create a message digest. If any part of the datagram is changed during transit, it will be
detected by the receiver when it performs the same one-way hash function on the datagram and
compares the value of the message digest that the sender has supplied. The one-way hash also
involves the use of a secret shared between the two systems, which means that authenticity can
be guaranteed.
AH can also enforce antireplay protection by requiring that a receiving host sets the replay
bit in the header to indicate that the packet has been seen. Without this protection, an
attacker might be able to resend the same packet many times:
63
AH (2)
64
ESP (1)
Authentication Header protocol
Offers Authenticity and Integrity
Uses cryptographic hash
• Prevents IP Spoofing
65
ESP (2)
66
Transport mode
[Figure: transport-mode packet layout: Real IP Header | IP Options | IPSec Header | Payload (for example, TCP and payload). Labels on the figure: "Could be either", "Or", "AH Header", "Authenticates Over"]
The transport mode protects only the payload portion of the datagram. The use of transport mode
in both AH and ESP is detailed in the following:
1. Transport mode AH: The AH is inserted after the original IP header and before the IP payload
(e.g., TCP segment). Authentication features cover the entire packet, excluding mutable fields
in the IP header that are set to zero for MAC calculation. In the specific case of IPv6, AH is
considered as an end-to-end payload, meaning that it is not processed by intermediate routers.
Hence, the AH appears after the IPv6 base header and the hop-by-hop, routing, and fragment
extension headers.
2. Transport mode ESP: ESP is used, in this case, to encrypt and optionally authenticate the
payload of the IP datagram. The ESP header is inserted before the upper layer header (e.g.,
ICMP, TCP, UDP) and an ESP trailer is placed after the packet payload. If the packet is
authenticated, the ESP authentication data field is added after the ESP trailer. The entire
transport-layer segment plus the ESP trailer are encrypted. Authentication covers the
transport-layer segment as well as the ESP trailer and the ESP header. For IPv6 packets, ESP
is considered as an end-to-end payload which is not processed by intermediate routers.
Hence, the ESP header appears after the IPv6 base header and the hop-by-hop, routing, and
fragment extension headers. Encryption covers the IPv4 ciphertext in addition to the destination
options extension header, if it occurs after the ESP header. Authentication covers the IPv6
ciphertext plus the ESP header.
67
Tunnel mode
[Figure: tunnel-mode packet layout: GW IP Header | IPSec Header | Real IP Header | Payload (for example, TCP and payload). Labels on the figure: "Could be either", "Or", "AH Header", "Authenticates Over"]
The tunnel mode protects both the header and the payload of the IP datagram. The use of this
mode in AH and ESP is described in the following:
1. Tunnel mode AH: The entire original IP packet is authenticated, and the AH is inserted
between the original IP header and a new gateway IP header. The inner IP header carries the
ultimate source and destination addresses, while the outer (i.e., gateway) IP header may carry
different IP addresses (e.g., addresses of the security gateways). Authentication covers the
entire inner packet, including the original inner IP header. The outer IP header is protected
except for mutable fields.
2. Tunnel mode ESP: The entire packet is encrypted and the ESP header is added at the
beginning of the datagram. Because the IP header contains the destination address and
possible source routing directives, it is necessary to add a new header that will contain
sufficient information for routing. In fact, intermediate routers would be unable to process
packets with encrypted headers. Obviously, the information contained in the outer header
should not be useful for carrying out traffic analysis attacks.
68
SA combination schemes
One SA can not perform both AH and ESP
Separate security policies can be needed
between end-hosts and gateways
SAs can be combined in two ways
Transport adjacency
Iterated tunneling
One can not implement both AH and ESP using a single SA. In addition, an individual SA can not
be used to implement different policies between end-hosts and gateways. In such cases,
multiple SAs should be combined for the same IP traffic. The sequence of SAs through which
the IP traffic should be processed is referred to as an ‘SA bundle’.
Practically, SAs can be combined according to two schemes:
1. Transport adjacency: Refers to the case where multiple security protocols are applied to the
same packet without modifying the tunneling architecture. This mechanism supports only one
level of combination. Furthermore, the computational overhead is not important because IPSec
processing is performed only at the destination end-host.
2. Iterated tunneling: Refers to the implementation of different IPSec tunnels between different
sites. These tunnels can implement different security policies. Obviously, this technique
supports multiple embedded tunnels.
It is noteworthy that these two mechanisms can be combined (e.g., a transport SA can be
established between hosts and tunnel SA can be considered between intermediate gateways).
One extremely important feature is the order in which confidentiality and authentication are
applied to the IP datagram.
69
Key management
IPSec framework mandates support for
both automated and manual KM
IKE is used to dynamically create SAs
IKE is based on a framework defined by
the Internet Security Association and Key
Management Protocol (ISAKMP), and implements
two key management protocols, Oakley
and SKEME
Prior to an IP packet being secured by IPSec, a security association must exist. IKE is used to create SAs
dynamically: it negotiates SAs on behalf of IPSec and populates the SADB. IKE is based on a framework defined by the
Internet Security Association and Key Management Protocol (ISAKMP), and implements two key management protocols, Oakley
and SKEME.
Oakley could be utilized to achieve a secure key exchange. SKEME is another key exchange protocol, in which the
parties use public keys to authenticate each other and share components of the exchange. Each side encrypts a random
number with the public key of the peer, and both random numbers (after decryption) contribute to the ultimate key.
70
ISAKMP
Defines procedures and packet formats to
establish, negotiate, modify, and delete SAs
Defines payloads to express certain constructs
during an exchange like hash digests, pseudo-
random nonces, certificates, or SAs
Other payloads are defined to enable notification
data, such as error conditions to be passed to
peer, and delete messages to be passed
instructing a peer to delete an SA
As it has been detailed in the previous slides, two security associations are set up between the
cryptographic end-points before beginning to exchange datagrams. The Internet Security
Association and Key Management Protocol (ISAKMP) defines generic protocol formats and
procedures for the negotiation of security parameters and for entity authentication. The ISAKMP
specification defines two basic types of exchanges: Phase 1 exchanges, which are used to
negotiate master SAs, and Phase 2 exchanges, which use master SA to establish other security
associations.
Phase 1 exchange establishes an ISAKMP “security association”. The concept of this SA has some
similarities to an IPSec SA. The peers must first negotiate their terms, a method to authenticate them, and
parameters in which to establish them. The SA is then used to authenticate subsequent Phase 2 exchanges.
Phase 2 establishes SAs for other protocols. ISAKMP describes five exchanges. Each exchange has
slightly different goals and accomplishes them in a different number of steps. The first step of any exchange
is an exchange of cookies (8-byte, pseudo-random numbers generated by each ISAKMP entity and
assigned to each remote peer). Each cookie is unique to the remote peer and also to the particular exchange
in which it is defined. The purpose of the cookies is to provide ‘freshness’ to the exchange.
71
ISAKMP header
There are 13 distinct payloads defined by ISAKMP. They all begin by the same generic 32-bit header. ISAKMP
defines payloads to express certain constructs during an exchange like hash digests, pseudo-random nonces,
certificates, or SAs. Other payloads are defined to enable notification data, such as error conditions to be passed to
peer, and delete messages to be passed instructing a peer to delete an SA.
The basic structure of the ISAKMP message contains the following fields:
1. Initiator and responder cookie: Uniquely identify an ISAKMP exchange or an ISAKMP security association. They
also provide limited protection against denial-of-service attacks by not responding to a specific system’s requests
after a certain number of aborted attempts have been made. This basically allows to control the computational
capabilities available on the system.
2. Next payload: Specifies the type of the ISAKMP payload that follows the header.
3. Major and minor version: Identify the protocol version of the current message.
4. Exchange type: Indicates the type of ISAKMP exchange that is conducted with the current message. There are
five pre-defined exchange types that will be detailed further.
5. Flags: Contain bits to indicate specific characteristics. The ‘encrypt’ bit indicates whether the payload following
the message is encrypted. The ‘commit’ bit indicates a key exchange. The ‘authenticate only’ bit indicates that the
payload of the message is authenticated but not encrypted.
6. Message identifier: Identifies messages that belong to different protocol runs and therefore allows a simultaneous
negotiation of multiple security associations.
7. Message length: Indicates the total length of the current message including the ISAKMP header and all payloads.
8. ISAKMP generic payload: Contains the message payload. A single ISAKMP message can contain multiple chained
payloads. The payload type field of the following message is always indicated in the next payload field of the
preceding payload or in the ISAKMP protocol header.
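Added example (not part of the original slides): a parser for the header fields listed above that walks the chained payloads and rejects inconsistent length fields. The field widths, exchange-type numbers and payload-type numbers are taken from the ISAKMP specification (RFC 2408), not from the slides; the sample message and its payload bodies are constructed.

```python
import struct

# Fixed header: 2 x 8-byte cookies, next payload, version, exchange type,
# flags, message ID, total length (28 bytes in network byte order).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header: next payload, reserved, payload length (incl. header).
GENERIC_HDR = struct.Struct("!BBH")

EXCHANGES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
             4: "Aggressive", 5: "Informational"}
PAYLOADS = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
            6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
            11: "Notification", 12: "Delete", 13: "Vendor ID"}
FLAGS = {0x01: "encrypt", 0x02: "commit", 0x04: "authenticate only"}


def build_message(icookie, rcookie, exchange, flags, msg_id, payloads):
    """Serialise (payload_type, body) pairs into one ISAKMP message."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC_HDR.pack(following, 0, GENERIC_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    total = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, first, 0x10, exchange,
                           flags, msg_id, total) + body


def parse_message(msg):
    """Return (header dict, [(payload name, body bytes), ...])."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("shorter than the fixed ISAKMP header")
    (icookie, rcookie, nxt, version, exchange,
     flags, msg_id, length) = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("message length field does not match the data received")
    header = {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": (version >> 4, version & 0x0F),     # (major, minor)
        "exchange": EXCHANGES.get(exchange, "unknown(%d)" % exchange),
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "message_id": msg_id,
        "length": length,
    }
    payloads = []
    if flags & 0x01:
        return header, payloads       # body is encrypted: the chain is not readable
    offset = ISAKMP_HDR.size
    while nxt != 0:                   # 0 means "no further payload"
        if offset + GENERIC_HDR.size > length:
            raise ValueError("payload header runs past the end of the message")
        following, _reserved, plen = GENERIC_HDR.unpack_from(msg, offset)
        # A length below 4 would stall the loop; a large one would read past the end.
        if plen < GENERIC_HDR.size or offset + plen > length:
            raise ValueError("invalid payload length %d" % plen)
        name = PAYLOADS.get(nxt, "unknown(%d)" % nxt)
        payloads.append((name, msg[offset + GENERIC_HDR.size:offset + plen]))
        offset += plen
        nxt = following
    if offset != length:
        raise ValueError("unaccounted bytes after the last payload")
    return header, payloads


# Constructed first message of an Aggressive exchange: SA, KE, NONCE and ID
# payloads with dummy bodies; the responder cookie is still zero.
SAMPLE = build_message(bytes.fromhex("0123456789abcdef"), bytes(8), 4, 0, 0,
                       [(1, b"\x00" * 8), (4, b"\x11" * 16),
                        (10, b"\x22" * 12), (5, b"\x33" * 8)])

if __name__ == "__main__":
    hdr, chain = parse_message(SAMPLE)
    print(hdr)
    print([(name, len(body)) for name, body in chain])
```
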
72
ISAKMP exchanges (1)
ISAKMP proposes five default exchange types that are described in the following:
•Base exchange: Allows key exchange and authentication material to be transmitted together.
This minimizes the number of exchanges at the expense of not providing identity protection. The
first two messages provide cookies and establish an SA with agreed protocol and transforms; both
sides use a nonce to ensure against replay attacks. The last two messages exchange the key
material and user IDs, with the AUTH payload used to authenticate keys, identities, and the
nonces from the first two messages.
•Identity protection exchange: Expands the Base Exchange to protect the users’ identities. The
first two messages establish the SA. The next two messages perform key exchanges, with nonces
for replay protection. Once the session key has been computed, the two parties exchange
encrypted messages that contain authentication information, such as digital signatures and
optionally certificates validating the public keys.
•Authentication only exchange: Used to perform mutual authentication, without a key exchange.
The first two messages establish the SA. Moreover, the responder uses the second message to
convey its ID and uses authentication to protect the message. The initiator sends the third
message to transmit its authenticated ID.
73
ISAKMP exchanges (2)
•Aggressive exchange: Minimizes the number of exchanges at the expense of not providing
identity protection. In the first message, the initiator proposes an SA with associated offered
protocol and transform options. The initiator also begins the key exchange and provides its ID. In
the second message, the responder indicates its acceptance of the SA with a particular protocol
and transform, completes the key exchange, and authenticates the transmitted information. In the
third message, the initiator transmits an authentication result that covers the previous information,
encrypted using the shared secret session key.
•Informational exchange: Used for one way transmission of information for SA management.
74
4- Access Control
Techniques
Set of procedures (hardware, software,
administrators) used to monitor access to
systems, identify users requesting access,
record access attempts, and grant or deny
access based on pre-established rules
and policies
Access control is the collection of mechanisms that permits the managers of a system to exercise
a directing or restraining influence over the behavior, use, and content of the system. This control
is employed to achieve the security objectives of the system, such as data integrity and
confidentiality.
Access is the ability to do something with a computer resource (e.g., use, change, or view).
Access control is the means by which the ability is explicitly enabled or restricted in some way
(usually through physical and system-based controls). Computer-based access controls are called
logical access controls. Logical access controls can prescribe not only who or what (e.g., in the
case of a process) is to have access to a specific system resource but also the type of access that
is permitted. These controls may be built into the operating system, may be incorporated into
applications programs or major utilities (e.g., database management systems or communications
systems), or may be implemented through add-on security packages. Logical access controls
may be implemented internally to the computer system being protected or may be implemented in
external devices.
75
Access control types
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
76
Discretionary access control
           Name      Access
Server 2   Ali       Yes
           Mohamed   No
Server 3   Salah     Yes
DAC constitutes a means of restricting access to objects based on the identity of subjects and/or
groups to which they belong. The controls are discretionary in the sense that a subject with a
certain access permission is capable of passing that permission (perhaps indirectly) on to any
other subject (unless restrained by mandatory access control).
According to this principle, the subject has the authority to specify what objects are accessible (e.g., use
of ACL). This technique is very common in commercial contexts because of its flexibility.
77
Mandatory access control
(1)
MAC mechanisms assign a security level
to all information, assign a security
clearance to each user, and ensure that all
users only have access to that data for
which they have a clearance
MAC is a means of restricting access to objects based on the sensitivity (as represented by a label)
of the information contained in the objects and the formal authorization (i.e., clearance) of subjects
to access information of such sensitivity.
Authorization of subject’s access to an object depends on labels (sensitivity levels), which indicate
a subject’s clearance, and the classification or sensitivity of the relevant object. Every object is
assigned a sensitivity level/label and only users authorized up to that particular level can access
the object. Access depends on rules and not only the identity of subjects and objects. Only an
administrator may change the category of a resource (e.g., even owners are not allowed to do so).
78
Mandatory access control
(2)
Individuals Resources
Server 1
“Top Secret”
Server 2
“Secret”
Server 3
“Classified”
79
Role-based access control
(1)
A user has access to an object based on the
assigned role
Roles are defined based on job functions
Permissions are defined based on job authority
and responsibilities within a job function
Operations on an object are invoked based on
the permissions
The object is concerned with the user’s role and
not the user
80
Role-based access control
(2)
Individuals Roles Resources
Role 1
Server 1
Role 2 Server 2
Server 3
Role 3
81
5- SSL/SSH
The transport layer provides efficient and
reliable transmission services
82
SSL (Secure Sockets
Layer)
SSL is a secure data exchange protocol providing
Privacy between two Internet applications
Authentication of server (authentication of browser optional)
Uses enveloping: RSA used to exchange DES keys
SSL Handshake Protocol
Negotiates symmetric encryption protocol, authenticates
SSL Record Protocol
Packs/unpacks records, performs encryption/decryption
Does not provide non-repudiation
The SSL protocol was first designed with the primary goal of protecting sessions of the
HyperText Transfer Protocol (HTTP). However, it can actually be used to secure any
application that runs over TCP. SSL Version 3.0 offers the following services:
•Entity authentication: Prior to any communication between client and server, an
authentication exchange is performed to verify the identity of the peer entity either only to
the client or also to the server. After successful authentication, an SSL session is
established between two entities.
•Confidentiality of user data: If agreed during negotiation of the SSL session, the user data
is encrypted. SSL offers a range of algorithms for this purpose (i.e., cipher suite).
•Data origin authentication and data integrity: Each message is secured using a
cryptographic hash function. SSL Version 3.0 originally used prefix-suffix mode for this
purpose although there were some security concerns about it. Either MD5 or SHA can be
negotiated as the underlying cryptographic hash function.
As for the OSI model, SSL uses the notion of sessions. Prior to actual communication,
client and server establish a session in which the parameters for securing the
communication are negotiated. As in the OSI model, a session can run over multiple
transport layer connections.
The SSL protocol itself uses two important protocols: a record protocol, and a handshake
protocol. The record protocol is used as the basis for data exchange in SSL sessions. Its
tasks include the fragmentation of user data into plaintext blocks, called records, no longer
than 2^14 octets, the optional compression of plaintext blocks, and the optional encryption
and authentication of plaintext blocks. The handshake protocol is used for entity
authentication and session negotiation. A session can be negotiated so that it can be
duplicated or resumed at a later time, thus allowing an established cryptographic context
to be reused.
83
SSL architecture
HANDLES COMMUNICATION
WITH THE APPLICATION
Protocols
INITIALIZES COMMUNICATION
BETWEEN CLIENT & SERVER
HANDLES DATA
COMPRESSION
84
SSL Record Content
SOURCE: http://www.microsoft.com/library/media/1033/technet/
The above figure illustrates the content of SSL records. The content type field identifies the SSL
protocol contained in the record. For instance, the following codes are used:
•Change cipherspec (20)
•Alert (21)
•Handshake (22)
•Application data (23)
The version field refers to the SSL protocol version (e.g., major=3, minor=0). The length field
contains the length of user data in octets. The maximum user data length is 2^10 + 2^14.
85
SSL Record Protocol
86
SSL Handshake Protocol
87
Cipher Suite
For public-key, symmetric encryption and certificate
verification we need
public-key algorithm
symmetric encryption algorithm
message digest (hash) algorithm
This collection is called a cipher suite
SSL supports many different suites
Client and server must decide on which one to use
The client offers a choice; the server picks one
88
Cipher Suites
SSL_NULL_WITH_NULL_NULL = { 0, 0 } INITIAL (NULL) CIPHER SUITE
SSL supports three methods for negotiating a pre-master secret from which other session
keys are derived:
1. RSA-protected negotiation: A pre-master secret is randomly created by the client,
encrypted using the public key of the server, and sent to the server. The server does
not send a separate ‘KeyExchange’ message element of its own to the client as it is not
actively involved in creating the shared secret.
2. Diffie-Hellman: This involves the execution of a conventional Diffie-Hellman key
negotiation protocol with the pre-master key derived from the shared secret g^(cs) mod n,
where c is the client’s secret and s is the server’s secret.
3. Fortezza: Fortezza is a non-published method that was developed by the NSA and
supports key escrow for government agencies.
89
SSL Encryption
Premaster secret
Created by client; used to “seed” calculation of encryption
parameters
Very simple: 2 bytes of SSL version + 46 random bytes
Sent encrypted to server using server’s public key
Master secret
Generated by both parties from premaster secret and random
values generated by both client and server
Key material
Generated from the master secret and shared random values
Encryption keys
Extracted from the key material
90
Forming the Master
Secret
SERVER’S PUBLIC KEY
IS SENT BY SERVER IN
ServerKeyExchange
91
Forming the Key
Material
JUST LIKE FORMING
THE MASTER SECRET
92
Obtaining Keys from the
Key Material
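Added example (not part of the original slides): the chain premaster secret → master secret → key material → keys from the last four slides, using the MD5/SHA-1 construction of the SSL 3.0 specification (RFC 6101), which the missing figures are assumed to depict. The function names, the sample random values and the 3DES/SHA-1 key sizes are choices made for this example.

```python
import hashlib


def ssl3_expand(secret, seed, n_bytes):
    """SSL 3.0 expansion: MD5(secret + SHA1(label + secret + seed)) blocks,
    with labels b"A", b"BB", b"CCC", ... concatenated until n_bytes exist."""
    out = b""
    i = 0
    while len(out) < n_bytes:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:n_bytes]


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret, computed identically by client and server."""
    if len(pre_master) != 48:
        raise ValueError("premaster secret is 2 version bytes + 46 random bytes")
    return ssl3_expand(pre_master, client_random + server_random, 48)


def key_material(master, client_random, server_random, n_bytes):
    """Same construction as the master secret, keyed with the master secret.
    Note the random values are concatenated in the opposite order."""
    return ssl3_expand(master, server_random + client_random, n_bytes)


def split_keys(block, mac_len, key_len, iv_len):
    """Cut the key material into the six values, in the specified order."""
    layout = [("client_write_MAC_secret", mac_len),
              ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len),
              ("server_write_key", key_len),
              ("client_write_IV", iv_len),
              ("server_write_IV", iv_len)]
    keys, offset = {}, 0
    for name, size in layout:
        keys[name] = block[offset:offset + size]
        offset += size
    if offset != len(block):
        raise ValueError("key material length does not fit the cipher suite")
    return keys


def derive_session_keys(pre_master, client_random, server_random,
                        mac_len=20, key_len=24, iv_len=8):
    """Default sizes: SHA-1 MAC (20), 3DES key (24), 8-byte CBC IV."""
    master = master_secret(pre_master, client_random, server_random)
    needed = 2 * (mac_len + key_len + iv_len)
    block = key_material(master, client_random, server_random, needed)
    return master, split_keys(block, mac_len, key_len, iv_len)


# Constructed inputs. A real client draws the 46 bytes and both 32-byte
# hello randoms from a cryptographic random number generator.
SAMPLE_PRE_MASTER = b"\x03\x00" + bytes(range(46))
SAMPLE_CLIENT_RANDOM = bytes(32)
SAMPLE_SERVER_RANDOM = b"\x01" * 32

if __name__ == "__main__":
    master, keys = derive_session_keys(SAMPLE_PRE_MASTER,
                                       SAMPLE_CLIENT_RANDOM,
                                       SAMPLE_SERVER_RANDOM)
    print("master secret:", master.hex())
    for name, value in keys.items():
        print(name, value.hex())
```

Each direction gets its own MAC secret, key and IV, so a record captured from the client cannot be reflected back to it as if it came from the server.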
93
Further readings
Strassberg
G. Schäfer, “Security in Fixed and Wireless Networks: an
Introduction to Securing Data Communications,” John Wiley & Sons,
ISBN: 0-470-86370-6, 2003.
W. Stallings, “Cryptography and Network Security: Principles and
Practices,” Prentice Hall, ISBN: 0-13-869017-0, 1999.
J.C. Foster, V.T. Liu, “Writing Security Tools and Exploits,”
Syngress, ISBN: 1-59749-997-8, 2006.
J. Viega, G. McGraw, “Building Secure Software,” Addison-Wesley,
ISBN: 020172152X, 2002.
A. Menezes, P. van Oorschot, S. Vanstone, “Handbook of Applied
Cryptography,” CRC Press, 1996.
B. Schneier, “Applied Cryptography,” John Wiley & Sons, ISBN:
0471128457, 1996.
94
Exercises I
95
Part III: Detection and
Reaction to Security
Incidents
96
1- Intrusion Detection and
Prevention Systems
Intrusion detection
Monitoring events
Analyzing signs of intrusions
Reporting alerts
Intrusion prevention
Attempting to stop the attack process
Intrusion detection is the process of monitoring the events occurring in a computer system or
network and analyzing them for signs of potential incidents, which are violations or imminent
threats of violation of computer security policies, acceptable use policies, or standard security
practices. Intrusion prevention is the process of performing intrusion detection and attempting to
stop detected potential incidents. Intrusion detection and prevention (IDPS) systems are primarily
focused on identifying potential incidents, logging information about them, attempting to stop
them, and reporting them to security administrators. In addition, organizations use IDPSs for other
purposes, such as identifying problems with security policies, documenting existing threats, and
deterring individuals from violating security policies. IDPSs have become a necessary addition to
the security infrastructure of nearly every organization.
IDPSs typically record information related to observed events, notify security administrators of
important observed events, and produce reports. Many IDPSs can also respond to a detected
threat by attempting to prevent it from succeeding. They use several response techniques, which
involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring
a firewall), or changing the attack’s content.
97
Major functions
Information gathering
Event analysis
Report generation
Automated response
Stopping the attack
Changing the environment
The major functions that should be implemented in IDPSs are described below:
1. Information gathering: Information is usually recorded locally, and might also be sent to separate
systems such as centralized logging servers, security information and event management (SIEM)
solutions, and enterprise management systems. Generally, sensors are used for this purpose. Multiple
sensor implementations and architectures can be used depending on the characteristics of the protected
infrastructure.
2. Event analysis: The role of the analysis process is to analyze the events provided by the information
gathering components. The results of the analysis are sent back to the system as additional events,
typically representing alarms. Analysis encompasses the correlation, fusion, and elimination of security
alerts.
3. Report generation: Once an intrusion-related behavior is detected, the IDPS should notify the security
administrator about it. This notification, known as an alert, occurs through any of several methods,
including the following: e-mails, pages, messages on the IDP user interface, Simple Network
Management Protocol (SNMP) traps, syslog messages, and user-defined programs and scripts. A
notification message typically includes only basic information regarding an event; administrators need to
access the IDP for additional information.
4. Automated response: Intrusion prevention functionalities enable the system to stop several detected
attacks. Obviously, this presupposes the interoperability between the IDPS and other security tools, such
as firewalls. The major techniques that are currently used to prevent the occurrence of intrusions are:
1. Stopping the attack process: Examples of how this could be done are as follows:
• Terminate the network connection or user session that is being used for the attack
• Block access to the target (or possibly other likely targets) from the offending user
account, IP address, or other attacker attribute
• Block all access to the targeted host, service, application, or other resource
2. Changing the environment: The IDPS could change the configuration of other security controls
to disrupt an attack. Common examples are reconfiguring a network device (e.g., firewall,
router, switch) to block access from the attacker or to the target, and altering a host-based
firewall on a target to block incoming attacks. Some IDPSs can even cause patches to be
applied to a host if the IPS detects that the host has vulnerabilities.
3. Normalizing the attack flow: Some IDPS technologies can remove or replace malicious portions
of an attack to make it benign. A simple example is an IDPS removing an infected file
attachment from an e-mail and then permitting the cleaned email to reach its recipient. A more
complex example is an IDPS that acts as a proxy and normalizes incoming requests, which
means that the proxy repackages the payloads of the requests, discarding header information.
This might cause certain attacks to be discarded as part of the normalization process.
98
IDPS categories
IDPSs can be categorized according to
Detection techniques
• Signature- based detection
• Anomaly- based detection
• Stateful protocol analysis
Detection architectures
• Network- based detection
• Host- based detection
99
Architectural issues (1)
Typical IDPS components are:
Sensors
Management servers
Consoles
Database servers
100
Architectural issues (2)
Network-based IDPSs
Inline architecture
[Figure: inline deployment. Labels: Internet, Router, Switch, Firewall, Sensor, Management interface, Monitoring points, IDPS management switch, Management server, Console, Private network]
An inline sensor is deployed so that the network traffic it is monitoring must pass through it, much
like the traffic flow associated with a firewall. In fact, some inline sensors are hybrid firewall/IDP
devices, while others are simply IDPSs. The primary motivation for deploying IDPS sensors inline
is to enable them to stop attacks by blocking network traffic. Inline sensors are typically placed
where network firewalls and other network security devices would be placed—at the divisions
between networks, such as connections with external networks and borders between different
internal networks that should be segregated. Inline sensors that are not hybrid firewall/IDPS
devices are often deployed on the more secure side of a network division so that they have less
traffic to process. The above figure shows such a deployment. Sensors can also be placed on the
less secure side of a network division to provide protection for and reduce the load on the dividing
device, such as a firewall.
101
Architectural issues (3)
Signature-based IDPSs: passive architecture
[Figure: passive sensor deployment. Labels: Internet, router, network tap, switch, firewall, sensors.]
A passive sensor is deployed so that it monitors a copy of the actual network traffic; no traffic
actually passes through the sensor. Passive sensors are typically deployed so that they can
monitor key network locations, such as the divisions between networks, and key network
segments, such as activity on a demilitarized zone (DMZ) subnet. Passive sensors can monitor
traffic through various methods, including the following:
• Network Tap. A network tap is a direct connection between a sensor and the physical network
media itself, such as a fiber optic cable. The tap provides the sensor with a copy of all network
traffic being carried by the media. Installing a tap generally involves some network downtime, and
problems with a tap could cause additional downtime. Also, unlike spanning ports, which are
usually already present throughout an organization, network taps need to be purchased as add-
ons to the network.
• Spanning Port. Most switches have a spanning port, which is a port that can see all network
traffic going through the switch. Connecting a sensor to a spanning port can allow it to monitor
traffic going to and from many hosts. Although this monitoring method is relatively easy and
inexpensive, it can also be problematic. If a switch is configured or reconfigured incorrectly, the
spanning port might not be able to see all the traffic. Another problem with spanning ports is that
their use can be resource-intensive; when a switch is under heavy loads, its spanning port might
not be able to see all traffic, or spanning might be temporarily disabled. Also, most switches have
only one spanning port, and there is often a need to have multiple technologies, such as network
monitoring tools, network forensic analysis tools, and other IDPS sensors, monitor the same traffic.
102
Architectural issues (4)
Host-based IDSs
[Figure: host-based IDPS deployment. Labels: Internet, router, network tap, switch, firewall, DMZ switch, public servers with HB IDPS agents, IDPS management switch, management server, console, private network.]
Host-based IDPS agents are most commonly deployed to critical hosts such as publicly
accessible servers and servers containing sensitive information. However, because agents are
available for various server and desktop/laptop operating systems, as well as specific server
applications, organizations could potentially deploy agents to most of their servers and
desktops/laptops. Some organizations use host-based IDPS agents primarily to analyze activity
that cannot be monitored by other security controls. For example, network-based IDPS sensors
cannot analyze the activity within encrypted network communications, but host-based IDPS
agents installed on endpoints can see the unencrypted activity.
Moreover, most IDPS agents alter the internal architecture of the hosts on which they are
installed. This is typically done through a shim, which is a layer of code placed between existing
layers of code. A shim intercepts data at a point where it would normally be passed from one
piece of code to another. The shim can then analyze the data and determine whether or not it
should be allowed or denied. Host-based IDPS agents may use shims for several types of
resources, including network traffic, filesystem activity, system calls, Windows registry activity,
and common applications (e.g., e-mail, Web).
Some host-based IDPS agents do not alter the host architecture. Instead, they monitor activity
without shims, or they analyze the artifacts of activity, such as log entries and file modifications.
Although less intrusive to the host, reducing the possibility of the IDPS interfering with the host’s
normal operations, these methods are also generally less effective at detecting threats and often
cannot perform any prevention actions.
One of the important decisions in selecting a host-based IDPS solution is whether to install agents
on hosts or use agent-based appliances. From a detection and prevention perspective, installing
agents on hosts is generally preferable because the agents have direct access to the hosts’
characteristics, often allowing them to perform more comprehensive and accurate detection and
prevention. However, agents often support only a few common OSs; if a host does not use a
supported OS, an appliance can be deployed instead. Another reason to use an appliance instead
of installing an agent on a host is performance; if an agent would negatively impact the
performance of the monitored host too much, it might be necessary to offload the agent’s
functions to an appliance.
103
IDSs in the wireless context
[Figure: wireless IDPS deployment. Labels: stations, sensors, management server, console.]
The typical components in a wireless IDPS solution are the same as a network-based IDPS: consoles,
database servers (optional), management servers, and sensors. All of the components except sensors have
essentially the same functionality for both types of IDPS. Wireless sensors perform the same basic role as
network-based IDPS sensors, but they function very differently because of the complexities of monitoring
wireless communications.
Unlike a network-based IDPS, which can see all packets on the networks it monitors, a wireless IDPS works
by sampling traffic. There are multiple frequency bands to monitor, and each band is separated into
channels. It is not currently possible for a sensor to monitor all traffic on a band simultaneously; a sensor
has to monitor a single channel at a time. When the sensor is ready to monitor a different channel, the
sensor must shut its radio off, change the channel (known as hopping), then turn its radio on. The longer a
single channel is monitored, the more likely it is that the sensor will miss malicious activity occurring on other
channels. To avoid this, sensors typically hop frequently, so that they can monitor each channel a few times
per second. To reduce or eliminate hopping, specialized sensors are available that use several radios and
high-power antennas, with each radio/antenna pair monitoring a different channel. Because of their higher
sensitivities, the high-power antennas also have a larger monitoring range than regular antennas. Some
implementations coordinate hop patterns among sensors with overlapping ranges so that each sensor
needs to monitor fewer channels.
Wireless IDPS components are typically connected to each other through a wired network. As with a
network-based IDPS, a separate management network or the organization’s standard networks can be used
for wireless IDPS component communications. Because there should already be a strictly controlled
separation between the wireless and wired networks, using either a management network or a standard
network should be acceptable for wireless IDPS components. Also, some wireless IDPS sensors (particularly
mobile ones) are used standalone and do not need wired network connectivity.
Choosing sensor locations for a wireless IDPS deployment is a fundamentally different problem than
choosing locations for any other type of IDPS sensor. If the organization uses WLANs, wireless sensors
should be deployed so that they monitor the RF range of the organization’s WLANs (both APs and Stations),
which often includes mobile components such as laptops and PDAs. Many organizations also want to
deploy sensors to monitor physical regions of their facilities where there should be no WLAN activity, as well
as channels and bands that the organization’s WLANs should not use, as a way of detecting rogue APs and
ad hoc WLANs. Other considerations, such as physical security, sensor range, wired connection availability,
and AP location, should also be taken into account when selecting wireless sensor locations.
104
2- Analyzing Security Alerts
105
Alert correlation
Provides a more succinct and high-level view of
occurring or attempted intrusions
Transforms sensor alerts into intrusion reports
Implements two classes of correlation
functions:
Functions that correlate events that occur close in
time and space
Functions that operate on events corresponding to an
attack scenario that evolves over several hours, and
that includes alerts generated on different hosts
Alert correlation is a process that takes as input the alerts produced by one or more intrusion
detection sensors and provides a more succinct and high-level view of occurring or attempted
intrusions. The main objective is to produce intrusion reports that capture a high-level view of the
activity on the network without losing security-relevant information.
The alert correlation process consists of a collection of components that transform sensor alerts
into intrusion reports. Because alerts can refer to different kinds of attacks at different levels of
granularity, the correlation process cannot treat all alerts equally. Instead, it is necessary to
provide a set of components that focus on different aspects of the overall correlation task.
Some of the components can operate on all alerts, independent of their type. These components
are used in the initial and final phase of the correlation process to implement general functionality
that is applicable to all alerts. Other components can only work with certain classes of alerts.
These components are responsible for performing specific correlation tasks that cannot be
generalized for arbitrary alerts.
The correlation process implements components which are based on specific functions, which
operate on different spatial and temporal properties. That is, some of the components correlate
events that occur close in time and space (e.g., alerts generated on one host within a small time
window), while others operate on events that represent an attack scenario that evolves over
several hours and that includes alerts that are generated on different hosts (e.g., alerts that
represent large-scale scanning activity). It is natural to combine events that are closely related
(spatially and temporally) into composite alerts, which are in turn used to create higher-level
alerts.
106
Meta-alert
Results from multiple related alerts
Has the same semantics as elementary alerts but its
content is derived from their attributes
Points to the alerts that were aggregated to produce the
meta-alert
When two or more related alerts are merged as part of the alert correlation process, the result is
called a meta-alert. A meta-alert is similar to an alert
but its contents (e.g., the victims of an attack) are derived as a function of the attributes of the
merged alerts. Each meta-alert also contains references to all of the alerts that were merged to
produce the meta-alert. The decision of whether alerts should be merged or not is dependent on
the particular component of the correlation process and on the values of relevant attributes of
these alerts.
A meta-alert can be further merged with other alerts (either sensor alerts or meta-alerts), resulting
in a hierarchical structure, which can be represented as a tree. The most recent meta-alert is the
root node in this tree, and all successor nodes can be reached by following the references to the
merged alerts. All intermediate nodes in the tree are meta-alerts, while all leaves are sensor
alerts. The purpose of meta-alerts is to aggregate information of related attacks and present a
single alert instance that summarizes all the relevant information to a human analyst.
Whenever the correlation system considers a meta-alert and a sensor alert as candidates for
merging, it first attempts to merge the root of the meta-alert
with the sensor alert. If the root alert cannot be merged, all its successor alerts are independently
considered for merging. The process of finding appropriate alert candidates for merging is
repeated recursively until an alert that can be merged with the sensor alert is found, or until a leaf
alert is reached. The idea behind this approach is the fact that a meta-alert represents the
complete attack information of all its successor nodes. Therefore, alerts are considered in a top-
down fashion and merging is performed at the highest level possible.
107
Normalization
Translates alerts into a standardized
format (i.e., unifying syntax and
semantics)
Attack names should be identical
Time/date representation should be unique
…
Alert messages are produced by a variety of sensors developed by different vendors and research
groups. Because these alert messages can be encoded in different formats, it is necessary to
translate each alert into a standardized format that is understood by the alert correlation process.
This translation, or normalization, implies that the syntax and semantics of a sensor alert are
recognized.
The purpose of the Intrusion Detection Working Group is to define data formats and exchange
procedures for sharing information of interest to intrusion detection and response systems, and to
management systems which may need to interact with them. The main outcome was the Intrusion
Detection Message Exchange Format data model (IDMEF). IDMEF provides a standard
representation for intrusion alerts. This representation defines the syntax of an alert and specifies
the semantics of certain attributes. However, the IDMEF effort is mostly concerned with syntactic
rules. It is possible, and common, that sensor implementors choose different names for the same
attack, provide incomplete information for certain fields, or choose to include additional fields to
store relevant data. As a result, similar information can be labeled differently or can be included in
different fields. Because there is no specification for the content of most fields, they can be filled
with meaningless strings (most commonly, “unknown” is used).
The intrusion detection community would benefit greatly from a shared alert model that extends
the current IDMEF work with semantic information and a common attack naming scheme. An
ontology for intrusions is a prerequisite for true interoperability between different IDSs. It is
necessary to capture low-level attributes at both the network and the operating system level.
Without a common way of describing all involved entities, sensors will continue to send reports
that appear to disagree even when detecting the same intrusion. In current alert correlation
systems, adapter modules are used to interface with different intrusion detection sensors. Each
module relies on a knowledge base to convert sensor-specific information into attributes and
values usable by the correlator. In order to facilitate convergence, a newly designed alert
correlation system should take alert names from the CVE (Common Vulnerabilities and
Exposures) list, which is a well-known effort to standardize the names for all publicly known
vulnerabilities.
108
Pre-processing
Required because certain sensors omit
some fields that are important for the
correlation process
The pre-processing phase mainly includes
Determining alert’s time
Determining alert’s source and target
Normalized alerts are denoted by a standardized name and have attributes that are in a format that is
understood by the correlation system. However, an additional preprocessing phase is required because
certain sensors omit some of the fields that are important for the correlation process (i.e., start time, end
time, source, and target).
• Determining alert’s time: The start time and the end time have to be determined for each alert. The start
time of an event is defined as the point in time when this event occurs. The end time of an event is
defined as the point in time when an event ends. The difference between the end time and the start time
denotes the duration of the event. The IDMEF standard defines the following three different classes to
represent time.
• ‘CreateTime’: This is the time when the alert is created by the analyzer. This is the only
timestamp considered mandatory by the IDMEF standard.
• ‘DetectTime’: This is the time when the event(s) producing an alert are detected by the
analyzer. In the case of more than one event, the time the first event was detected.
• ‘AnalyzerTime’: This is the time at the analyzer when the alert is sent to a correlation system
(which is called manager in the IDMEF terminology).
• Determining alert’s source and target: When the timestamps have been set (using any of the techniques
described above), the source(s) and target(s) of the attack have to be determined. According to the
IDMEF standard, the attack source is composed of information about the node, the user, the process,
and the network service that originated the attack. The attack target also includes a list of affected files.
Not all fields have to be defined for both the source and the target, but the correlation system requires at
least one non-empty field for each. When the correlation system receives an alert message with empty
source or target attributes, the preprocessing phase has to provide some best-effort values. For host-
based alerts, the node fields of the attacks’ source and target are set to the address of the host where
the sensor is located. For network-based alerts, the node information is taken from the source and
destination IP addresses.
• Determining attack’s name: The alert can be augmented with additional information on the basis of the
standardized alert name that is assigned in the previous phase. An example for such information is the
attack class, which describes the type of an attack with respect to a simple scheme that distinguishes
between local or remote information gathering and privilege escalation attempts. The class information is
useful because it allows one to group together similar attacks.
109
Alert aggregation
The aggregation process consists of five
steps:
Alert fusion
Alert verification
110
Alert fusion
The task of the alert fusion phase is to combine alerts that result from the independent detection
of the same attack occurrence by different intrusion detection systems. Alert fusion acts as a filter
that removes obvious duplicates from the correlation process.
The decision to fuse two alerts in the alert fusion step is based on the temporal difference
between these two alerts and the information that they contain. The alert fusion phase only
considers two alerts as candidates for fusion when their start times and end times differ by less
than a certain, predefined time span. It is not required that two alerts have identical time values in
order to compensate for clock drift when sensors are located at different machines and for the
time it takes the alert messages to reach the correlator. In addition, it is necessary that the alerts
are received from different sensors. This is reasonable because it cannot be expected that a
certain sensor emits two similar alerts with different time stamps for one single attack occurrence.
Finally, all overlapping attributes (i.e., attributes for which both alerts specify values) have to be
identical. There are no restrictions on the values of attributes that are only specified by a single
alert. At first glance, these constraints seem very restrictive. However, the purpose of the fusion
phase is to combine duplicate alerts, not to correlate closely related attacks (this is implemented
in later phases).
When two alerts are fused, the resulting meta-alert is assigned the earlier of both start times and
end times. This is done on the assumption that both alerts are related to the same attack, and a
later time stamp is likely to be the result of delays at the sensors. Because the values of attributes
that are defined in both alerts have to be identical, the corresponding attributes of the meta-alert
receive the same values. For attributes that are only defined in a single alert, the corresponding
attributes of the meta-alert are assigned the respective values that are defined. An alternative way
of describing the attributes of the meta-alert after fusing two alerts is that the attribute fields of the
fused meta-alert are set to the union of the values of the respective alert attributes.
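The fusion rules above, written out as an added Python example (not part of the original slides): two alerts fuse only if their start and end times each differ by less than the window, no sensor contributed to both, and every attribute both specify is identical. The 2-second window, the field and sensor names, the "no shared sensor" reading for meta-alerts, and the sample alerts are constructed assumptions.

```python
from dataclasses import dataclass, field

FUSION_WINDOW = 2.0  # seconds; assumed value for the "predefined time span"


@dataclass
class Alert:
    sensor: str   # emitting sensor; "correlator" for a meta-alert
    start: float  # start time, seconds
    end: float    # end time, seconds
    attrs: dict   # only the attributes this alert actually specifies
    merged: list = field(default_factory=list)  # references to the fused alerts

    def sensors(self):
        """Sensors behind this alert: itself, or the leaves of a meta-alert."""
        if not self.merged:
            return {self.sensor}
        return set().union(*(a.sensors() for a in self.merged))


def can_fuse(a, b, window=FUSION_WINDOW):
    """Apply the three fusion conditions to a pair of alerts."""
    # 1. Start times and end times must each differ by less than the window
    #    (tolerates clock drift and delivery delay).
    if abs(a.start - b.start) >= window or abs(a.end - b.end) >= window:
        return False
    # 2. The alerts must come from different sensors.
    if a.sensors() & b.sensors():
        return False
    # 3. Attributes specified by both alerts must be identical; attributes
    #    present in only one alert are unconstrained.
    shared = a.attrs.keys() & b.attrs.keys()
    return all(a.attrs[k] == b.attrs[k] for k in shared)


def fuse(a, b):
    """Build the meta-alert: earlier start, earlier end, union of attributes."""
    return Alert(
        sensor="correlator",
        start=min(a.start, b.start),
        end=min(a.end, b.end),
        attrs={**a.attrs, **b.attrs},  # overlapping values are equal by rule 3
        merged=[a, b],
    )


def fuse_stream(alerts, window=FUSION_WINDOW):
    """Fuse each alert into the first compatible result, else keep it as is."""
    out = []
    for alert in sorted(alerts, key=lambda x: x.start):
        for i, existing in enumerate(out):
            if can_fuse(existing, alert, window):
                out[i] = fuse(existing, alert)
                break
        else:
            out.append(alert)
    return out


# Constructed sample: one attack seen by a network sensor and a host sensor,
# a repeat from the same network sensor, and a similar alert for another target.
_NET = {"name": "http-cgi-overflow", "src": "198.51.100.7", "target": "192.0.2.5"}
SAMPLE_ALERTS = [
    Alert("nids-1", 100.0, 100.5, dict(_NET)),
    Alert("hids-7", 100.4, 100.9,
          {"name": "http-cgi-overflow", "target": "192.0.2.5", "process": "httpd"}),
    Alert("nids-1", 100.6, 101.0, dict(_NET)),
    Alert("nids-2", 100.2, 100.7, {**_NET, "target": "192.0.2.9"}),
]

if __name__ == "__main__":
    for a in fuse_stream(SAMPLE_ALERTS):
        print(a.sensor, a.start, a.end, a.attrs, [m.sensor for m in a.merged])
```

Only the nids-1/hids-7 pair is fused; the second nids-1 alert stays separate because that sensor already contributed to the meta-alert, and the nids-2 alert stays separate because its target differs.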
111
Alert verification
Makes it possible to distinguish between successful
and failed intrusion attempts
Reduces the negative impact of false
positives
Implements multiple techniques:
Pattern-matching
Behavior modeling
…
112
Attack scenario
reconstruction
An attack scenario combines a series of alerts that refer to attacks launched by one attacker
against a single target. The goal of this phase is to correlate alerts that are caused by an attacker
that tests different exploits against a certain program or that runs the same exploit multiple times
to guess correct values for certain parameters (e.g., the offsets and memory addresses for a
buffer overflow). The correlation process still operates on very basic relationships between alerts.
The task of attack thread recognition is limited to the aggregation of alerts that are caused by the
activity of a single attacker who focuses on a single target.
Alert threads are constructed by merging alerts with equivalent source and target attributes that
occur in a certain temporal proximity. Attacks are considered to occur in sequence after each
other, and therefore, it is not necessary that both start times and end times of the alerts are close
(as was required for alert fusion). Instead, the requirement is that the end time of the earlier attack
has to be close to the start time of the following one.
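A sketch of the thread construction just described, as an added Python example that is not part of the original slides: alerts with the same source and target join a thread when they start within a maximum gap of the thread's current end time. The 60-second gap, the field names and the sample alerts are constructed assumptions.

```python
MAX_GAP = 60.0  # seconds; assumed bound on "temporal proximity"


def build_threads(alerts, max_gap=MAX_GAP):
    """Group alerts into attack threads.

    An alert extends the open thread for its (source, target) pair when its
    start time is at most max_gap after that thread's end time. Unlike alert
    fusion, start times and end times do not both have to be close.
    """
    open_threads = {}  # (src, dst) -> thread currently being extended
    threads = []       # all threads, in order of creation
    for alert in sorted(alerts, key=lambda a: a["start"]):
        key = (alert["src"], alert["dst"])
        thread = open_threads.get(key)
        if thread is not None and alert["start"] - thread["end"] <= max_gap:
            thread["alerts"].append(alert)
            thread["end"] = max(thread["end"], alert["end"])
        else:
            # First alert for this pair, or the pause was too long:
            # start a new thread and make it the open one.
            thread = {"source": alert["src"], "target": alert["dst"],
                      "start": alert["start"], "end": alert["end"],
                      "alerts": [alert]}
            open_threads[key] = thread
            threads.append(thread)
    return threads


def _alert(src, dst, start, name):
    """Constructed sample alert lasting two seconds."""
    return {"src": src, "dst": dst, "start": float(start),
            "end": float(start) + 2.0, "name": name}


# Constructed sample: one attacker repeats an overflow attempt five times,
# a second attacker probes the same target in between, and the first
# attacker comes back about an hour later.
SAMPLE_ALERTS = (
    [_alert("198.51.100.7", "192.0.2.5", t, "overflow-attempt")
     for t in (0, 20, 40, 60, 80)]
    + [_alert("203.0.113.9", "192.0.2.5", t, "cgi-probe") for t in (30, 50)]
    + [_alert("198.51.100.7", "192.0.2.5", 3700, "overflow-attempt")]
)

if __name__ == "__main__":
    for th in build_threads(SAMPLE_ALERTS):
        print(th["source"], "->", th["target"],
              th["start"], th["end"], len(th["alerts"]))
```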
113
Distributed attack scenario
reconstruction
Distributed alert scenario reconstruction aims at building links between different alert scenarios
having the same target. One important task at this level is to correlate network-based and host-
based alert scenarios. Linking network-based to host-based alerts is difficult because the
information that is present in these alerts differs. Network-based sensors can provide the source
and destination IP addresses and ports of packet(s) that contain detected attacks. Host-based
sensors, on the other hand, include information about the process that is attacked and the user on
whose behalf this process is executed.
A possible approach is to state that a host-based alert is linked to a network-based alert if it
occurs a short time after the network-based attack and the network-based attack targets the host
where the host-based attack is observed. This approach is simple, but has the obvious drawback
that it is very imprecise and might correlate independent alerts. It can, however, be improved by
utilizing a priori information about the port(s) used by a certain network service. Another possibility
is to specify that a certain attack is known to prepare for or to be a precondition for another attack.
This allows a packet containing a specific attack to be linked to an alert raised by a sensor
monitoring the victim server.
114
Attack focus recognition
Identify attack source(s) and target(s)
Two possible schemes are investigated:
‘Many2one’: Multiple hosts attack a single
victim
‘One2many’: A single host attacks multiple
victims
Based on sliding time window
The task of the attack focus recognition phase is to identify hosts that are either the source or the
target of a substantial amount of attacks. This phase aggregates the alerts associated with a
single host attacking multiple victims (called a one2many scenario) and multiple attackers
attacking a single victim (called a many2one scenario).
The attack focus phase is effective in reducing the number of alerts caused by (distributed) denial
of service (DDoS) attacks and port scan activity. In general, alerts related to a DDoS attempt can
be merged into a single many2one meta-alert, while alerts related to port scans are combined into
a single one2many meta-alert.
Attack focus recognition is, in its simplest form, based on a sliding time window. The correlation
system computes the total number of attacks that each host has launched during a time window
w. Each host that is responsible for more than a certain number of attacks (given by an a
priori threshold t) is considered to perform a one2many attack and an appropriate meta-alert is
created.
A one2many alert can be further classified as a horizontal portscan or as a horizontal multiscan. A
horizontal portscan refers to a situation where a certain host probes the status of a particular port
on many targets. A horizontal multiscan is similar, but instead of a single port, multiple ports are
probed on each host. Note that the set of probed ports is consistent between targets. To further
classify a one2many alert as one of these two types of scans, the destination ports of the
individual attacks are analyzed. When all attacks target the same port, or the same set of ports,
the alert is further classified as either a horizontal portscan or a horizontal multiscan. In addition to
the number of attacks that each host has launched, the total number of times that each host was
the victim of an attack is determined as well. When a host is the victim of more than a certain
number of attacks, an appropriate many2one meta-alert is created. When the number of attacks
against the host exceeds a second threshold, which is significantly higher than the threshold
necessary to create a many2one alert, the meta-alert is additionally tagged as a denial of service.
The source field of a one2many meta-alert is set to be the attacker’s host, while the target and all
other remaining fields are the union of the targets of the individual attacks. The many2one
scenario operates in a similar way, the only difference being that the roles of the attacker (source)
and victim (target) are reversed.
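The sliding-window scheme above, as an added Python example that is not part of the original slides: it counts attacks per source and per target within a window w, emits one2many and many2one meta-alerts above threshold t, classifies horizontal scans from the destination ports, and tags a denial of service above a second threshold. The field names, the threshold values used and the sample alerts are constructed assumptions.

```python
from collections import defaultdict


def busiest_window(events, w):
    """Largest run of events whose timestamps fit in a window of length w."""
    events = sorted(events, key=lambda e: e["time"])
    best, lo = [], 0
    for hi in range(len(events)):
        while events[hi]["time"] - events[lo]["time"] > w:
            lo += 1  # slide the left edge until the window fits again
        if hi - lo + 1 > len(best):
            best = events[lo:hi + 1]
    return best


def classify_scan(events):
    """Horizontal portscan: one port on many targets. Horizontal multiscan:
    the same set of several ports on every target. Otherwise None."""
    ports_by_target = defaultdict(set)
    for e in events:
        ports_by_target[e["dst"]].add(e["dport"])
    port_sets = {frozenset(p) for p in ports_by_target.values()}
    if len(ports_by_target) < 2 or len(port_sets) != 1:
        return None
    ports = next(iter(port_sets))
    return "horizontal portscan" if len(ports) == 1 else "horizontal multiscan"


def recognize_focus(alerts, w, t, t_dos):
    """Return one2many and many2one meta-alerts for window w, threshold t,
    and the higher denial-of-service threshold t_dos."""
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
        by_dst[a["dst"]].append(a)
    metas = []
    for src, events in by_src.items():
        burst = busiest_window(events, w)
        if len(burst) > t:
            metas.append({"type": "one2many", "source": src,
                          "targets": sorted({e["dst"] for e in burst}),
                          "scan": classify_scan(burst), "count": len(burst)})
    for dst, events in by_dst.items():
        burst = busiest_window(events, w)
        if len(burst) > t:
            metas.append({"type": "many2one", "target": dst,
                          "sources": sorted({e["src"] for e in burst}),
                          "dos": len(burst) > t_dos, "count": len(burst)})
    return metas


# Constructed sample: a scan of port 22 across six hosts, a flood of twelve
# sources against one web server, and one unrelated alert.
SAMPLE_ALERTS = (
    [{"time": 100 + 0.8 * i, "src": "198.51.100.7",
      "dst": "192.0.2.%d" % (i + 1), "dport": 22} for i in range(6)]
    + [{"time": 200 + 0.25 * i, "src": "203.0.113.%d" % (i + 1),
        "dst": "192.0.2.80", "dport": 80} for i in range(12)]
    + [{"time": 500.0, "src": "198.51.100.9", "dst": "192.0.2.3", "dport": 443}]
)

if __name__ == "__main__":
    for meta in recognize_focus(SAMPLE_ALERTS, w=10.0, t=4, t_dos=10):
        print(meta)
```

With a one-second window the scan drops below the threshold and the flood is still reported, but no longer tagged as a denial of service, which shows how sensitive the result is to the choice of w and t.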
115
3- Digital investigation
The use of scientifically derived and proved
methods toward the preservation, collection,
validation, identification, analysis, interpretation,
documentation, and presentation of digital
evidence derived from digital sources for the
purpose of facilitating or furthering the
reconstruction of events found to be criminal, or
helping to anticipate unauthorized actions shown
to be disruptive to planned operations
A road map for digital forensics
Digital Forensics Research Workshop. (2001)
Digital forensics, also known as computer and network forensics, has many definitions. Generally,
it is considered the application of science to the identification, collection, examination, and
analysis of data while preserving the integrity of the information and maintaining a strict chain of
custody for the data. Computer and network forensics has evolved to assure proper presentation
of computer crime evidentiary data into court. Forensic tools and techniques are most often
thought of in the context of criminal investigations and computer security incident handling used to
respond to an event by investigating suspect systems, gathering and preserving evidence,
reconstructing events, and assessing the current state of an event.
When deciding which internal or external parties should handle each aspect of forensics,
organizations should keep the following factors in mind:
• Cost. There are many potential costs. Software, hardware, and equipment used to collect and
examine data may carry significant costs (e.g., purchase price, software updates and upgrades,
maintenance), and may also require additional physical security measures to safeguard them from
tampering. Other significant expenses involve staff training and labor costs, which are particularly
significant for dedicated forensic specialists. In general, forensic actions that are needed rarely
might be more cost-effectively performed by an external party, whereas actions that are needed
frequently might be more cost-effectively performed internally.
• Response Time. Personnel located on-site might be able to initiate computer forensic activity
more quickly than could off-site personnel. For organizations with geographically dispersed
physical locations, off-site outsourcers located near distant facilities might be able to respond
more quickly than personnel located at the organization’s headquarters.
• Data Sensitivity. Because of data sensitivity and privacy concerns, some organizations might be
reluctant to allow external parties to image hard drives and perform other actions that provide
access to data. For example, a system that contains traces of an incident might also contain
health care information, financial records, or other sensitive data; an organization might prefer to
keep that system under its own control to safeguard the privacy of the data. On the other hand,
there may be a privacy concern within the team: for example, if an incident is suspected to involve a
member of the incident handling team, using an independent third party to perform forensic
actions would be preferable.
116
Forensic process
Collection
Identify, label, record, and acquire data from the possible
sources of relevant data
Examination
Process large amounts of collected data to assess and extract
data of particular interest
Analysis
Analyze the results of the examination to derive useful
information that addresses the questions that were the impetus
for performing the collection and examination
Reporting
Reporting the results of the analysis
Despite the abundant research activity related to digital forensic models, the tasks constituting the forensic
process are not standardized yet. Many of the proposed guidelines are specific to several technologies or
systems and are not yet open enough to be applied to various kinds of digital attacks. In 2001, the US
Department of Justice (DoJ) presented a four-step model including "collection, examination, analysis, and
reporting." The Digital Forensics Research Workshop introduced three extra phases that are "identification",
"preservation" and "decision", making the framework more appropriate to computer forensics. In fact, the DoJ
model does not take into account some particular characteristics of this field. Identification, for instance,
becomes more complex in the case of digital forensics because of the huge volume of available data it may
have to analyze. In the following, the most important steps that are shared by the aforementioned models
are discussed. More precisely, evidence collection, preservation, and analysis as well as intention inference
will be focused on.
The first task is to locate and identify useful evidence. To this end, the investigator should seize the various
hardware that may contain relevant information. Unfortunately, this is not always possible.
While computers, hard disks or CD-ROMs can be seized, LANs (Local Area Networks) and
communications infrastructures, which can hold key elements, are hard or even impossible to seize for
evidence purposes. Moreover, the complexity of evidence collection depends heavily on the cleverness of
the attacker. For instance, the use of encryption or scrubbing tools makes evidence harder to reach.
Once gathered, the evidence has to be correctly maintained to prevent it from being totally or partially lost. In
fact, the attacker may try to get back the hardware evidence to avoid being caught. He can also delete or
alter digital information that constitutes a proof against him. Thus, evidence integrity is a key factor that
should be considered to guarantee admissibility if needed.
The last two steps are crucial for a sound interpretation of the collected information. The time,
techniques or location of the attack's source, to name just a few, are elements that can help the forensic analyst
in his task. Just as for traditional crimes, profiles can be built to characterize criminals. Evidence analysis and
suspect intention inference are so close that they could be merged into the same step. Their separation
comes from the fact that different skills are needed for different tasks. Evidence analysis involves deep
context-specific scientific knowledge, while behavior modeling can be carried out using traditional
techniques.
A key feature of digital forensics is that the quantity of gathered information can be so big that it becomes
hard to analyze. For example, visualizing the content of five megabytes of electronic documents or log files
could not be done manually. To this end, various automated tools can assist investigators in accelerating the
search for digital evidence or in conducting inference-based reasoning to analyze the attack.
117
Evidence requirements
The digital evidence should be
Accurate
Verifiable
Repeatable
Authenticated
Admissible
In order to recognize digital evidence as a legal proof to indict or to discharge a suspect, it has to conform to
several requirements. In particular, the evidence should not be altered, and examination results should be
accurate, verifiable and repeatable. However, the most crucial requirement an investigation should fulfill is
authenticity, i.e., to demonstrate that a given (hardware or software) piece of evidence is effectively related
to the suspect. For example, to link data on a computer to individuals, the investigator can use access
control logs, cryptographic based authentication, or biometric features. On the other hand, to prove
malicious network activity, he can rely on IP addresses, passwords or digital certificates. A recurring
problem at this stage arises when an alibi is investigated. In fact, the reliability of the
evidence, especially time and location, is the main issue to prove in such cases. Another issue is that pieces
of evidence should be admissible, meaning that they should be acceptable legally. This assumes that the
investigator must be aware of the legal framework.
In its Good Practice Guide for Computer Based Evidence, the English Association of Chief Police Officers
(ACPO) defines four principles that have to be followed during an investigation process. These principles are
given below:
• First Principle: No action taken by Police or their agents should change data held on a computer or other
media, which may subsequently be relied upon in Court.
• Second Principle: In exceptional circumstances where a person finds it necessary to access original data
held on a target computer, that person must be competent to do so and to give evidence explaining the
relevance and the implications of their actions.
• Third Principle: An audit trail or other record of all processes applied to computer-based evidence should be
created and preserved. An independent third party should be able to examine those processes and achieve
the same result.
• Fourth Principle: The Officer in charge of the case is responsible for ensuring that the law and these
principles are adhered to. This applies to the possession of, and access to, information contained in a
computer. They must be satisfied that anyone accessing the computer, or any use of a copying device,
complies with these laws and principles.
It appears that the ACPO guideline relies on the fact that digital evidence has the same nature as traditional
evidence. Therefore, it should be subject to the same rules and laws. In spite of their popularity, the ACPO
principles, in their current version, have two major shortcomings. First, they do not guarantee some of the
fundamental properties of digital evidence. For example, they are not sufficient to ensure integrity because
data in electronic format is intrinsically volatile and thus can disappear without user intervention. In other
terms, the four principles are necessary, but not sufficient, to provide integrity. Second, the ACPO
guide is limited to the investigation of standalone computers. It does not address cases where a suspect
performs a network attack.
118
Hard disk investigation (1)
Deleted files
Bad sectors
A possible approach to hide data is to act at the partitioning stage by marking several partitions as
hidden or leaving unused spaces that can be filled through the use of specific disk editors.
Another category of free sectors that can be exploited for illegal purposes consists of the
unassigned sectors that are left between partitions. File systems, on the other hand, present other
possibilities to the suspect as he may delete some files in order to recover them later. Effectively,
several OSs do not thoroughly erase the sectors containing a deleted file but mark them as
available for reallocation instead. Of course, the examiner may be asked to perform some more
skillful tasks depending on the technical capabilities of the suspect (that could be estimated from
his profile). In the following, two of the many hiding techniques that require a relatively
high technical level are described.
When being manufactured, hard disks are checked for bad sectors. When a defective sector is
found, one possibility is to mark it by setting bit 0 of the sector flag to 1. Once performed, this
operation denies access from the controller to the concerned sector. To avoid affecting the disk
capacity, several controllers are able to format substitute free sectors to replace the damaged
ones. Then, the address value of a bad sector is replaced by the address of the newly assigned
sector. Attackers can use this process, called bad sector mapping, to redirect access requests for
sectors containing incriminating information to other normal sectors. Thus, the content of the
hidden sectors cannot be explored through the OS.
Another method for hiding data inside a hard disk stems from the incompatibility between the
addressing structures of IDE/ATA hard disks and several BIOS programs. In fact, this makes a
large number of physical sectors inaccessible through BIOS interrupt operations.
The solution that has been adopted by most computer manufacturers to attenuate this
space loss is called translated disk geometry. A glance at this process shows that a number of
sectors are impossible to access by the BIOS because of the use of a rounding operator. This fact
can be exploited by attackers because the disk space that is presumed to be unusable for one BIOS
may be recognized by other BIOS programs.
119
Hard disk investigation (2)
Investigators should examine copies of
files, not original files
Disk imaging tools
Investigators should preserve the integrity
of the original storage media
Write-blocker (hardware, software)
Investigators should rely on file headers to
identify the content of a specific file
File viewer
During backups and imaging, the integrity of the original media should be maintained. To ensure
that the backup or imaging process does not alter data on the original media, analysts can use a
write-blocker while backing up or imaging the media. A write-blocker is a hardware or software-
based tool that prevents a computer from writing to computer storage media connected to it.
Hardware write-blockers are physically connected to the computer and the storage media being
processed to prevent any writes to the media. After a backup or imaging is performed, it is
important to verify that the copied data is an exact duplicate of the original data. Computing the
message digest of the copied data can be used to verify and ensure data integrity. A message
digest is a hash that uniquely identifies data and has the property that changing a single bit in the
data will cause a completely different message digest to be generated.
Analysts can accurately identify the type of data stored in many files by looking at their file
headers. A file header contains identifying information about a file and possibly metadata that
provides information about the file contents. A file header could be located in a file separate from
the actual file data. Another effective technique for identifying the type of data in a file is a simple
histogram showing the distribution of ASCII values as a percentage of total characters in a file.
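The three checks described above (digest comparison of a copy against the original, file-type identification from the header, and a byte histogram) are shown below as an added Python example, not code from the original slides. The signature table is a small non-exhaustive selection, and the sample data and file names are constructed for illustration.

```python
import hashlib
import io
from collections import Counter

# Well-known file signatures at offset 0 (small, non-exhaustive table).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png", (".png",)),
    (b"%PDF-", "pdf", (".pdf",)),
    (b"PK\x03\x04", "zip", (".zip", ".docx", ".xlsx", ".jar")),
    (b"\xff\xd8\xff", "jpeg", (".jpg", ".jpeg")),
    (b"GIF87a", "gif", (".gif",)),
    (b"GIF89a", "gif", (".gif",)),
]
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def digest_stream(stream, algo="sha256", chunk_size=1 << 20):
    """Hash a file-like object chunk by chunk so large images never sit in memory."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_copy(original, copy, algo="sha256"):
    """Return (match, original_digest, copy_digest) for two file-like objects."""
    d_orig = digest_stream(original, algo)
    d_copy = digest_stream(copy, algo)
    return d_orig == d_copy, d_orig, d_copy


def identify_by_header(data):
    """Return the type label whose signature matches the start of the data."""
    for magic, kind, _exts in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(filename, data):
    """True when the header identifies a type the file name does not claim."""
    for magic, _kind, exts in SIGNATURES:
        if data.startswith(magic):
            return not filename.lower().endswith(exts)
    return False  # unknown header: nothing to compare against


def byte_histogram(data):
    """Map each byte value present to its percentage of the total."""
    total = len(data)
    if total == 0:
        return {}
    return {value: 100.0 * count / total for value, count in Counter(data).items()}


def printable_share(data):
    """Percentage of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return 100.0 * sum(1 for b in data if b in PRINTABLE) / len(data)


# Constructed samples: a binary blob with a PNG header and a plain-text log.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4
SAMPLE_LOG = b"user=alice action=login status=ok\n" * 20

if __name__ == "__main__":
    ok, d_orig, _ = verify_copy(io.BytesIO(SAMPLE_PNG), io.BytesIO(SAMPLE_PNG))
    print("copy matches original:", ok, d_orig)
    print("notes.txt header says:", identify_by_header(SAMPLE_PNG),
          "mismatch:", extension_mismatch("notes.txt", SAMPLE_PNG))
    print("printable share (log / png): %.1f%% / %.1f%%"
          % (printable_share(SAMPLE_LOG), printable_share(SAMPLE_PNG)))
```

In practice the two streams would be the write-blocked source device and the image file, opened in binary mode.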
120
OS investigation
The collection process should involve
Volatile data: Slack space, free space,
network configuration, running processes,
open files, login sessions
Non-volatile data: Configuration files,
password files, log files, application files,
swap files, dump file, temporary files
Investigators should choose the
appropriate shutdown method
Volatile OS data involving an event can be collected only from a live system that has not been rebooted or
shut down since the event occurred. Every action performed on the system, whether initiated by a person or
by the OS itself, will almost certainly alter the volatile OS data in some way. The most interesting locations
where the analyst might look for volatile data include the following:
• Memory contents: There are several utilities that can copy the contents of RAM to a data file and
assist in subsequent analysis of the data. On most systems, it is not possible to avoid alteration of
RAM when running a utility that attempts to make a copy of RAM. Instead, the goal is to perform
the copying with as small a footprint as possible to minimize the disruption of RAM.
• Network configuration: Most OSs include a utility that displays the current network configuration,
such as ifconfig on UNIX systems and ipconfig on Windows systems. Information that can be
provided through network configuration utilities includes the hostname, the physical and logical
network interfaces, and configuration information for each interface (e.g., IP address, Media Access
Control [MAC] address, current status).
• Running processes: All UNIX-based systems offer the ps command for displaying currently
running processes. Although Windows offers a graphical user interface (GUI)-based process list
utility, the Task Manager, it is usually preferable to have a text-based listing. Third-party utilities can
be used to generate a text list of running processes for Windows systems.
• Open files: All UNIX-based systems offer the lsof command for displaying a list of open files.
Third-party utilities can be used to generate text lists of open files for Windows systems.
After obtaining volatile OS data, analysts often should collect non-volatile OS data. To do so, the analyst first
should decide whether the system should be shut down. Shutting down the system not only affects the
ability to perform bit stream imaging and many logical backups, but can also change which OS data is
preserved. Most systems can be shut down through two methods:
• Graceful shutdown: This causes the OS to perform cleanup activities, such as closing open files,
deleting temporary files, and possibly clearing the swap file, before shutting down the system. A
graceful shutdown can also trigger removal of malicious material; for example, memory-resident
rootkits may disappear, and Trojan horses may remove evidence of their malicious activity. The OS
is typically shut down from the account of the administrator or the current user of the system (if the
current user has sufficient privileges).
• Power removal: Disconnecting the power cord from the back of the computer (and removing the
batteries on a laptop or other portable device) can preserve swap files, temporary data files, and
other information that might be altered or deleted during a graceful shutdown. Unfortunately, a
sudden loss of power can cause some OSs to corrupt data, such as open files. In addition, for
some consumer devices, such as PDAs and cell phones, removing battery power can cause a loss
of data.
121
Network investigation
IDPSs and firewalls do not provide reliable
information about attack source
Tracing the source of anonymous flow:
IP marking
Edge sampling
Authenticated marking
Deterministic packet marking
Hash-based trace-back
Thumb printing
Inter-packet delay based tracing
Introducing network protocols and applications in the computing environment opens many breaches that
malicious entities are able to exploit. For instance, attackers can easily hide their identities due to the
stateless nature of the existing routing protocols. Furthermore, the effect of an attack can propagate rapidly
from one physical location to another through means provided by the communication infrastructure
itself. Therefore, Intrusion Detection Systems (IDSs) are not sufficient to solve the fundamental problems of
network forensics. Basically, IDSs detect events that are correlated with attacks and can react in different
ways (e.g., generating alarms, blocking connections, etc.). This is not sufficient when conducting an
investigation process as the identity of the attacker has to be determined. This is often a complex task since
intruders use stepping-stones and zombies when carrying out their attacks. More clever attackers may send
their packets across encrypted links to make their identification more difficult.
Tracing anonymous attack flows is not the only issue the investigator should consider, but it is, by far, the
most critical one. Besides, an important research effort should be directed toward identifying the source of
attacks. Other activities such as evaluating the impact of an attack or studying its modus operandi have also
to be performed within the frame of the forensic process. Assessing the damage resulting from an intrusion
is particularly helpful to determine whether the investigation should be pursued or not on the basis of a cost-
benefit balance. Of course, this assumes that an efficient cost model for computer network forensics has
been applied. In addition, a deep analysis of the attack technique may reveal useful information about the
attacker as it will be demonstrated in the next section. In the remainder of this section, we focus on the
traceback problem as we believe it is a challenging issue.
Several solutions have been developed as an attempt to locate particular hosts in a specific network that are
initiating network attacks. They are called source tracing systems. At this stage, it may seem to the reader
that trace-back methods are not related to digital forensics. In fact, these methods have been seldom
presented as forensic tools and they have been rather viewed as IDS components. Particularly, they confer
reactivity to intrusion detection. Nevertheless, they remain efficient for post-mortem analysis (i.e., after the
occurrence of the attack).
Tracing methods can be divided into two classes: host-based methods and network-based methods. The
former consist of installing agents on each network host while the latter use the network infrastructure to
identify attack sources. A trivial shortcoming of host-based tracing is that it is no longer applicable if the
attacker uses a host where the trace-back system is not installed. In other terms, such a component has to be
installed on each host, which is obviously an unrealistic assumption in an open environment like the Internet.
In the sequel, the study is restricted to network-based tracing approaches since they are more appropriate
for modern networks that are, by nature, open.
122
IP marking
Building a map of
routes originating
from the victim using
a traditional mapping
technique
Identifying the valid
attack path
The first task is to build a map of routes originating from the victim using a traditional mapping
technique. Typically, this map consists of a directed acyclic graph such as illustrated in the above
figure, where V is the victim host, {Ri} are the routers and leaves {Ai} represent the potential attack
sources.
The attack path from a leaf node Ai is the ordered list of routers between Ai and V. The exact
trace-back problem can therefore be defined as determining the attack path and the associated
attack origin for each attacker.
In essence, IP marking means that routers add path information to the packets
during forwarding to allow the victim to reconstruct the attack path. Of course, this approach
increases the volume of traffic transmitted across the network and would likely be infeasible without
considering several probabilistic and encoding issues.
123
Edge sampling
Three fields (start, end, distance) are added to
mark edges instead of nodes
If the packet is to be marked, the router inserts its IP
address in the ‘start’ field and 0 in the ‘distance’ field
If the ‘distance’ field is set to zero, the router inserts
its IP address into the ‘end’ field
Else, the router increments the ‘distance’ field
The number of packets X needed to reconstruct
a path of length d verifies
$$E(X) \le \frac{\ln(d)}{p(1-p)^{d-1}}$$
It is more efficient to mark edges in the attack path rather than nodes. The edge sampling
algorithm consists of introducing three fields: start, end and distance that have to be added to
marked packets. When a router marks a packet, it puts its IP address into the start field and zero
into the distance field. However, if the distance field is already set to zero meaning that the
previous router has marked the packet, the router writes its IP address into the end field. Clearly,
this mechanism allows the representation of the edge between the current router and the previous
router that marked the packet. Moreover, even if the router does not mark the packet, it always
increments the distance field to guarantee a more efficient characterization of spoofed packets. The
distance fields corresponding to those packets would be greater than the length of the attack path.
To write the marking information in a given packet, one can overload the IP identification field of
the IP header, which is normally used for fragmentation. This choice relies on measurements
showing that less than 0.25% of packets are actually fragmented. However, IP identification is a 16-bit
field while 72 bits are needed to encode edge information (32 bits each for the start and end IP
addresses and 8 bits for distance). Thus, an encoding technique called Fragmentation Sampling
Scheme (FSS) has been developed. FSS is based on two mechanisms. First, the usage of
exclusive-or (XOR) of the IP addresses constituting the edge permits to reduce the required
storage space by a factor of two. The resulting value from this operation is called the edge-id.
Therefore, the victim will receive the edge-ids of two adjacent routers except for packets arriving
from routers that are at one hop from those routers.
The second encoding mechanism consists of splitting each packet into 8 non-overlapping
fragments. When a packet is marked, the router selects a random fragment and adds it to the
packet. This solves the problem as the 16 bits of the IP identification field can be filled by
assigning 8 bits to the edge-id fragment, 3 bits to the position of the fragment and 5 bits to the
distance.
Nonetheless, due to the use of edge-ids instead of traditional logical addresses, another problem
called collision (or birthday paradox) arises. Effectively, edge-ids are not unique and the
probability that the victim host receives two identical edge fragments is not zero. In order to
overcome this limitation, a redundancy check mechanism can be added to the algorithm.
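The marking procedure and the victim-side reconstruction described above can be simulated as follows. This is an added Python example, not code from the original slides: it keeps the full (start, end, distance) fields rather than the compressed 16-bit encoding, and the router names, the forged `spoof-N` start values written by the sender, and the rule of stopping at the first ambiguous hop are assumptions of the example.

```python
import math
import random


def mark(pkt, router, p, rng):
    """Edge-sampling step executed by one router on one packet."""
    if rng.random() < p:
        pkt["start"], pkt["distance"] = router, 0   # open a new edge
    else:
        if pkt["distance"] == 0:
            pkt["end"] = router                     # close the edge opened upstream
        pkt["distance"] += 1                        # unmarked packets always age
    return pkt


def send_packet(path, p, rng, forged_start):
    """path[0] is the router nearest the sender, path[-1] the one nearest the victim.
    The sender controls the initial fields and forges them (constructed scenario)."""
    pkt = {"start": forged_start, "end": None, "distance": 0}
    for router in path:
        mark(pkt, router, p, rng)
    return pkt


def reconstruct(packets):
    """Victim side: chain edges by increasing distance, starting at the victim.
    Stops at a missing or ambiguous hop (assumption of this example)."""
    by_distance = {}
    for pkt in packets:
        end = pkt["end"] if pkt["distance"] > 0 else None   # 'end' is stale at distance 0
        by_distance.setdefault(pkt["distance"], set()).add((pkt["start"], end))
    path, distance = [], 0
    while distance in by_distance:
        candidates = {start for start, end in by_distance[distance]
                      if distance == 0 or end == path[-1]}
        if len(candidates) != 1:
            break
        path.append(candidates.pop())
        distance += 1
    return path


def expected_packets_bound(d, p):
    """The slide's expression ln(d) / (p * (1 - p)**(d - 1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


def packets_until_traced(path, p, rng):
    """Count packets sent until the victim has recovered every real hop."""
    target = list(reversed(path))
    packets = []
    while reconstruct(packets)[:len(target)] != target:
        packets.append(send_packet(path, p, rng, "spoof-%d" % len(packets)))
    return len(packets)


if __name__ == "__main__":
    routers = ["R%d" % i for i in range(1, 11)]     # constructed 10-hop path
    rng = random.Random(2024)
    sample = [send_packet(routers, 0.04, rng, "spoof-%d" % n) for n in range(3000)]
    print("reconstructed:", reconstruct(sample))
    forged = [pk["distance"] for pk in sample if pk["start"].startswith("spoof-")]
    print("smallest distance carried by a forged mark:", min(forged))
    print("slide expression for d=10, p=0.04: %.1f" % expected_packets_bound(10, 0.04))
    print("packets used in one run:", packets_until_traced(routers, 0.04, rng))
```

A forged mark survives only when no router on the path re-marks the packet, so it always arrives with a distance at least equal to the path length and can only extend the path beyond the real first hop.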
124
Authenticated marking
11-bit hash values are used instead of full
IP addresses
The marking information is expressed by
$$\mathit{edge\_id} = h_1(IP_{R_i}) \oplus h_2(IP_{R_j})$$
where h1 and h2 are two distinct 11-bit
hash functions.
Assuming that the route map has been predetermined by the victim host, the full IP addresses are
not needed for the tracing purpose. In this way, 11-bit hash values of edge-ids can be used
instead of fragments. Supposing that Ri and Rj marked a given packet, the victim would receive
the result of the XOR of the IP address of Ri and the IP address of Rj.
Two one-way functions are used to recover the order of the routers at the victim stage; using a
single function would not allow path reconstruction as the XOR operator is commutative. Although
the Advanced Marking Scheme presents an acceptable computational overhead, it can be
thwarted if an upstream router is compromised. In fact, all routers are supposed to be trustworthy. A
potential method to address this issue is to authenticate packet marking using an approach based
on cryptographic checksums.
Assuming that each router Ri holds a symmetric key Ki, it can compute the Message
Authentication Codes (MAC) of edge-ids and append them to marked packets in order to prevent
other routers from forging its marking information. As with every symmetric encryption technique,
key management is the fundamental problem arising in the Authenticated Marking Scheme. Time-
released key authentication mechanisms can be used if the size of the route map is large
(yielding an impractical number of keys).
125
Deterministic packet
marking
Probabilistic marking techniques
Require important computational capabilities
Are only applicable to detect the source of
DoS attacks
Do not guarantee convergence
Probabilistic Packet Marking (PPM) schemes have three principal shortcomings. First, they
require important processing and memory capabilities at the victim level. Furthermore, their
application is restricted to Denial of Service (DoS) and Distributed Denial of Service (DDoS)
attacks. However, the main limitation of these techniques is that they may not converge because
a large number of packets, of the order of thousands, must be available at the victim host in order
to reconstruct the attack paths.
To overcome PPM disadvantages, a new marking technique, called Deterministic Packet Marking
(DPM) was introduced. The rationale behind this scheme is to perform the marking at the ingress
interface of the closest router to the attacker since multiple attack paths can correspond to the
same attack (this is the essence of routing algorithms). In other words, the attack flow is uniquely
identified by its source and destination. In addition, this marking scheme is deterministic in the
sense that every packet is marked by the nearest router to the station that emitted it.
To encode the marking information (the source IP address) in IP datagrams, DPM uses the IP
Identification field and the 1-bit reserved flag of the IP header. The IP address is divided into two
equal segments and the marking process consists of putting randomly, with probability of 0.5, one
of those parts into the IP Identification field. Clearly, the 1-bit flag is used to state whether the
marking information consists of the first or the second half of the source IP address.
This method outperforms PPM since it does not have a high computational complexity. The
number of packets that are needed by the victim to identify the attacker is far smaller than in the
PPM case. In fact, two packets originating from the same source and having two different marks
are sufficient. Yet, it assumes the existence of a strong intervention from Internet Service
Providers (ISPs), which cannot usually be provided for obvious reasons. In addition, DPM cannot
be used if Network Address Translation (NAT) is used in the network that includes the attacker's
machine. Indeed, the victim would recover the private address of the attacker, which does not
contain any interesting information.
126
Hash-based trace-back
Introduces a three-level hierarchy
Data Generation Agents (DGAs)
SPIE Collection and Reduction Agents (SCARs)
SPIE Trace-back Manager (STM)
The trace-back process
1. DGAs capture compressed data that uniquely
identifies each packet
2. SCARs receive attack notification from STM
3. SCARs get attack packets’ digests from DGAs
4. SCARs report local attack path to STM
5. STM combines local attack paths
The Hash-based IP trace-back approach, also referred to as Source Path Isolation Engine (SPIE),
introduces a three-level hierarchy consisting of Data Generation Agents (DGAs), SPIE Collection
and Reduction Agents (SCARs) and a SPIE Traceback Manager (STM). DGAs, which are at the
lowest level of the hierarchy, typically consist of routers that can capture a
compressed piece of information that uniquely identifies each packet they forward. To achieve
this goal, hash functions are applied to the constant fields of the IP header (that do not change
during the transmission) and to the first 8 bytes of the packet payload. A backup functionality has
also been considered to overcome router memory limitations.
At the upper level, SCARs receive notifications of attack occurrence from the STM, which is the
component that communicates with the various IDSs existing in the network. SCARs send queries to the
appropriate DGAs to get the digests of the packets that were forwarded during the time interval
including the instant when the attack took place. Having analyzed packet hashes, every SCAR
reports to the STM the results concerning the attack paths in its region. Finally, the STM combines
the elementary attack paths, and thus performs the packet tracing.
Although SPIE is efficient and robust against various packet transformations (e.g., NAT,
encryption), some important factors might obstruct its application in real contexts. The most
important issue is related to the industry, since SPIE relies on routers that include sophisticated
functionalities. Each router must be equipped with specific functions to extract packet hashes and
an implemented backup strategy. This requires a great effort from manufacturers, which would
make them reluctant to develop those functionalities. Similarly, ISPs are closely involved in
this marking scheme. For instance, the synchronization of the time intervals is a particularly tricky
task. An additional limitation results from the fact that a centralized STM controls the whole
system, which makes the framework more vulnerable as everything would collapse in the case of
an STM failure.
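The digest-and-query idea described above, as an added Python example that is not code from SPIE or from the original slides. It assumes that the "constant" header fields are everything except TOS, TTL and the header checksum, uses a Bloom filter as the compact digest store, and leaves out time intervals and the SCAR tier; router names, the topology and all addresses are constructed.

```python
import hashlib
import ipaddress
import struct

# Constructed topology: each router maps to its upstream neighbours.
UPSTREAM = {"R3": ["R2", "R5"], "R2": ["R1", "R4"]}


def checksum(header):
    """Standard IPv4 header checksum over ten 16-bit words."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, payload, ttl=64, ident=1):
    """Minimal 20-byte IPv4 header (no options, protocol 17) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:] + payload


def forward(packet):
    """What a router changes in transit: TTL and, consequently, the checksum."""
    header = bytearray(packet[:20])
    header[8] -= 1
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", checksum(bytes(header)))
    return bytes(header) + packet[20:]


def invariant_bytes(packet):
    """Header with mutable fields zeroed (assumed: TOS, TTL, checksum) + 8 payload bytes."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:20])
    header[1] = 0
    header[8] = 0
    header[10:12] = b"\x00\x00"
    return bytes(header) + packet[ihl:ihl + 8]


class DigestTable:
    """Per-router digest store (the DGA role), kept as a Bloom filter."""

    def __init__(self, bits=4096, hashes=3):
        self.bits, self.hashes, self.field = bits, hashes, bytearray(bits // 8)

    def _positions(self, packet):
        data = invariant_bytes(packet)
        for salt in range(self.hashes):
            digest = hashlib.sha256(bytes([salt]) + data).digest()
            yield int.from_bytes(digest[:4], "big") % self.bits

    def record(self, packet):
        for pos in self._positions(packet):
            self.field[pos // 8] |= 1 << (pos % 8)

    def saw(self, packet):
        return all(self.field[pos // 8] & (1 << (pos % 8)) for pos in self._positions(packet))


def deliver(packet, route, tables):
    """Each router on the route records the digest, then forwards the packet."""
    for router in route:
        tables[router].record(packet)
        packet = forward(packet)
    return packet


def trace_back(packet, tables, upstream, last_hop):
    """Walk upstream from the router nearest the victim while the digest is found.
    Several matching neighbours would mean a false positive or multipath; only
    the first is followed in this example."""
    path, current = [], last_hop if tables[last_hop].saw(packet) else None
    while current:
        path.append(current)
        matches = [n for n in upstream.get(current, ()) if tables[n].saw(packet)]
        current = matches[0] if matches else None
    return path


def build_demo():
    """Constructed traffic: two background flows and one flow to be traced."""
    tables = {name: DigestTable() for name in ("R1", "R2", "R3", "R4", "R5")}
    deliver(build_packet("198.51.100.20", "192.0.2.10", b"GET /index.html", ident=7),
            ["R4", "R2", "R3"], tables)
    deliver(build_packet("203.0.113.9", "192.0.2.10", b"dns-query-example", ident=8),
            ["R5", "R3"], tables)
    flagged = build_packet("198.51.100.77", "192.0.2.10", b"constructed payload", ident=9)
    return tables, deliver(flagged, ["R1", "R2", "R3"], tables)


if __name__ == "__main__":
    demo_tables, received = build_demo()
    print("path, victim outwards:", trace_back(received, demo_tables, UPSTREAM, "R3"))
```

The packet the victim hands over for tracing has a different TTL and checksum from the one each router saw, which is why the digest must cover only the fields that survive forwarding.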
127
Thumb printing (1)
Given a packet stream of a specific
connection, identify the connection steps
from the victim to the attacker
Connection chain identification relies on
characteristics that uniquely identify
connections, and that are difficult to forge
The goal of connection chain identification is to find the set of hosts that the intruder used to carry
out an attack. A common technique to hide the attack's source is to log on to a set of hosts before
breaking into the target. The attacker identification task becomes harder if the intrusion traces are
deleted or if encrypted network segments are used. Thus, finding the connection chain should not
rely on the study of traditional intrusion traces (essentially log files), but on the study of other
characteristics that uniquely represent a connection and that are difficult to forge.
If H0, H1, …,Hn-1 are the potential intermediate hosts the attacker used to perform an intrusion, a
connection ci is defined as a log-on operation between hosts Hi-1 and Hi . When the attacker
establishes connection ci, the data flow sent between Hi-1 and Hi is called a packet stream. The
goal of the connection chain identification process is, given a packet stream of a connection ci, to
determine the entire connection steps denoted c1, c2, …, cm from the attacker to the victim.
128
Thumb printing (2)
Given two connections ci and cj, the sequence
numbers of the corresponding packet streams
are denoted by $(s^i_l)_{0 \le l \le n_i}$ and $(s^j_l)_{0 \le l \le n_j}$. Similarly, the
packet arrival time is represented by two series
$(t^i_l)_{0 \le l \le n_i}$ and $(t^j_l)_{0 \le l \le n_j}$. The deviation between the
packet streams is computed using the following
expression:
$$D_{ij} = \min_{0 \le k \le m'} \frac{1}{d} \left\{ \sum_{h=1}^{d} \Bigl( T(h,k) - \min_{h} T(h,k) \Bigr),\; \sum_{h=1}^{d} \Bigl( T(h,k) - \max_{h} T(h,k) \Bigr) \right\},$$
where $T(h,k) = t^j_{k+h} - t^i_h$, $d = s^i_{n_i} - s^i_1$ and $m' = \max\{\, l \mid s^j_l + d \le n_j \,\}$.
The idea behind thumb printing is that several features of the transmitted data are constant at all
points on a connection chain. Thumbprints can be thought of as signatures that uniquely identify a
connection chain.
This method relies on the observation that the evolution of sequence numbers during the
transmission of a packet stream is a good criterion to measure the correlation between
connections. A metric based on the evolution of sequence numbers during a connection can be
used in order to measure the deviation between connections. This metric should be kept small
when computed for two connections that belong to the same connection chain. Basically, the
correlation metric represents the slope of the graph that maps sequence numbers to time. Thus,
the main assumption is that this metric is nearly invariant (or constant) for connections occurring
in the same chain.
Informally, a deviation is a measure of similarity of the evolution of sequence numbers according
to time for two packet streams. In fact, T(h,k) can be seen as a distance, in terms of time,
between the (k+h)-th packet of connection j and the h-th packet of connection i. Hence, the above
condition means that the graphs representing this evolution have to be adjusted horizontally and
vertically so that the average distance between them is minimal. Thus, an advantage of deviation-
based connection chain identification is that it does not require clock synchronization as only the
shapes of the aforementioned graphs are compared.
On the other hand, sequence numbers are generally managed by OS kernels, and this makes the
invariance assumption inconsistent if multiple OSs are used along the connection chain.
Moreover, since the packet content is not used in the deviation-based approach, it is still accurate
when the attacker uses application-level encryption (e.g., SSH, SSL) to hide the transmitted data.
However, this reasoning no longer holds if encryption occurs at the network level (e.g., ESP), as
deviation-based tracing is vulnerable to payload padding. Even worse, the system may not
be able to properly analyze packet headers.
129
Inter-packet delay based
tracing
Packet timestamps are used to evaluate the
correlation between two packet streams
Correlation window
$$W_{l,s}\left(d^i_1, \dots, d^i_{n_i}\right) = d^i_l, \dots, d^i_{l+s-1},$$
where l is the starting point of the window, s is
the size of the window, and $d^i_k = t^i_{k+1} - t^i_k$ is the IPD.
The correlation function is expressed by
$$CPF(c_i, c_j, l, k, s) = \phi\left(W_{l,s}(c_i), W_{l+k,s}(c_j)\right),$$
where $\phi(\cdot,\cdot)$ is a similarity measurement criterion.
In order to address the problem of characterizing partially (or totally) encrypted connection chains,
the investigator can use a method which is very similar to the previous one except that it relies
only on packet timestamps to evaluate the correlation between the two packet streams. More
precisely, it introduces the notion of Inter-Packet Delay (IPD) correlation window as a feature that
characterizes a portion of a packet stream.
The first step is to find, for a given starting point l, the offset k that corresponds to a maximum of
CPF(.,.,.,.,.). The alert reader will have noticed that this procedure is equivalent to the graph
adjustment used in deviation-based tracing. By varying l, a set of optimal offsets is determined.
According to the basic hypothesis, these offsets should be equal for all the correlation
points if ci and cj belong to the same connection chain.
The main advantage of IPD-based tracing is that it can be used in real time, which may not be
very important from the computer forensics point of view. Another interesting feature is that it
needs relatively few packets compared to other methods in order to perform the
correlation process.
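The window, CPF and offset-agreement procedure described above, as an added Python example that is not code from the original slides. The similarity criterion φ is taken to be the normalized dot product, and the window size, offset range, thresholds and all timestamps are assumptions constructed for the illustration.

```python
import math
from collections import Counter
from itertools import accumulate


def ipds(timestamps):
    """Inter-packet delays d_k = t_(k+1) - t_k."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def window(d, l, s):
    """Correlation window W_(l,s): s consecutive IPDs starting at index l."""
    return d[l:l + s]


def phi(x, y):
    """Similarity criterion (assumed here): normalized dot product of two windows."""
    norm = math.sqrt(sum(a * a for a in x)) * math.sqrt(sum(b * b for b in y))
    return sum(a * b for a, b in zip(x, y)) / norm if norm else 0.0


def cpf(di, dj, l, k, s):
    """CPF(ci, cj, l, k, s) = phi(W_(l,s)(ci), W_(l+k,s)(cj))."""
    return phi(window(di, l, s), window(dj, l + k, s))


def best_offset(di, dj, l, s, max_offset):
    """Return (score, k) for the offset k that maximizes CPF at starting point l."""
    scored = [(cpf(di, dj, l, k, s), k)
              for k in range(-max_offset, max_offset + 1)
              if 0 <= l + k and l + k + s <= len(dj)]
    return max(scored) if scored else (0.0, None)


def correlate(ti, tj, s=4, max_offset=4, threshold=0.95, agreement=0.8):
    """Decide whether two streams belong to one chain: the best offsets found at
    the different starting points must be strong and must agree."""
    di, dj = ipds(ti), ipds(tj)
    starts = range(len(di) - s + 1)
    votes = Counter()
    for l in starts:
        score, k = best_offset(di, dj, l, s, max_offset)
        if k is not None and score >= threshold:
            votes[k] += 1
    if not votes:
        return False, None
    k, count = votes.most_common(1)[0]
    return count / len(starts) >= agreement, k


# Constructed captures. UPSTREAM is an interactive session seen at one hop.
UP_IPDS = [0.1, 2.0, 0.3, 1.5, 0.05, 3.0, 0.2, 0.9, 2.5, 0.15, 1.1, 0.4]
UPSTREAM = list(accumulate(UP_IPDS, initial=10.0))
# DOWNSTREAM is the same session at the next hop: unsynchronized clock, two extra
# leading packets, a few milliseconds of jitter. Payload may be encrypted.
JITTER = [0.003, -0.002, 0.001]
DOWN_IPDS = [0.7, 0.6] + [d + JITTER[n % 3] for n, d in enumerate(UP_IPDS)]
DOWNSTREAM = list(accumulate(DOWN_IPDS, initial=500.0))
# UNRELATED is a periodic flow sharing the same link.
UNRELATED = [float(n) for n in range(15)]

if __name__ == "__main__":
    print("upstream vs downstream:", correlate(UPSTREAM, DOWNSTREAM))
    print("upstream vs unrelated: ", correlate(UPSTREAM, UNRELATED))
```

Because only differences between consecutive timestamps are used, the two capture points need no common clock, and the agreed offset reports how many packets the second capture is shifted by.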
130
Further readings
M. Hamdi, N. Boudriga, “Forensic Science and Computers,” The Handbook of Information Security, Vol. 2, EiC: Hossein Bidgoli, John Wiley & Sons, ISBN: 0471648337, 2006.
C. Kruegel, F. Valeur, G. Vigna, “Intrusion Detection and Correlation: Challenges and Solutions,” Springer, ISBN: 0-387-23399-7, 2005.
131
Part IV: Building Security Policies
132
Security policy
Used to express requirements in different
contexts
Difficult to find a uniform definition
Generally, a SP consists of ‘a set of
rules that determine how a particular set of
assets should be secured’
Finding a precise meaning for this term turns out to be very arduous, as it is used to refer to numerous disparate aspects
of information systems’ security. The following examples give an idea of the different ways a SP can be thought
of depending on the context. The quoted sentences have been taken verbatim from the source documents so that
the reader can concretely note this ambiguity.
1. Information system SP: For an organization that owns a set of networked assets, the SP constitutes the core of the
security plan which entails the design and the implementation of security measures as well as documentation of
security incidents. The SP is the foundation for a security program addressing the business needs of the
organization. It should reflect the strategic approach of the enterprise to cope with the security risks that characterize
the environment. In (Hare, 2002, pp. 353), the SP has been defined as a “high level statement that reflects
organization’s belief related to information security.” The major purpose of the SP is to select the appropriate security
solutions to face those threat events while ensuring that the cost of protecting the infrastructure does not exceed the
benefit it provides. In business jargon, the rules of the SP should guarantee a Return On Investment (ROI).
2. Operating System (OS) SP: Due to the numerous security threats that exploit weaknesses at the OS level, a set of
protection mechanisms should be implemented to plug up such vulnerabilities. The totality of the protection
mechanisms related to an OS is called the Trusted Computing Base (TCB). They concern the various resources of
the computer system (e.g., hardware, software, processes). The most relevant example consists of the access
control policy which is enforced by secure OSs to protect the objects they handle. Obviously, for consistency and
completeness purposes, those mechanisms should abide by a set of rules, which form the SP. The reference
monitor is an entity that mediates accesses to objects by subjects. Among those accesses, only those that conform
to the SP are allowed. The reference monitor basically guarantees that the OS respects several pre-defined security
principles such as least privilege and continuous protection.
3. Key management SP: To establish a secure tunnel using the IPSec protocol suite, two end-points should agree upon
a set of mutually acceptable cryptographic parameters called Security Association (SA). These security parameters
are managed according to local security policies which are set in each end-node. For example, when creating a new
SA in order to modify an older one, “deletion of the old SA is dependent on local security policy.” Besides, a standard
has been recently developed to administrate IPSec security policies; it defined the concept of IP Security Policy
(IPSP).
These examples lead us to discuss the various SP types. It is noteworthy that rather than being conflicting, the above
definitions present the same concept from different angles. The alert reader will have noticed that the first
definition, related to information systems security, provides the broadest view in the sense that both OS security and
the usage of secure protocols can be seen as specific components of the global security program. In our view, the
difficulty of defining a SP stems from the basic fact that security is related to many organizational aspects. For
example, from a human resource perspective, the SP serves “to inform all individuals operating within an
organization on how they should behave related to a specific topic” (Tudor, 2001). From a risk management point of
view, “policies should be concerned with what assets to protect and why they need to be protected” (Canavan, 2001,
pp. 239).
To unify all these views, the SP can be defined as a set of rules that determine how a particular set of assets should be
secured. This definition can in fact be applied to represent all SPs without delving into details concerning the context
and the language to adopt (natural language or machine language).
133
SP fragmentation (1)
SPs treat multiple security facets
SPs can be expressed in different languages
SPs can have different audiences
⇒ Splitting the SP into multiple fragments
guarantees that:
All SP audiences can be addressed efficiently
All security requirements can be addressed
The security properties (e.g., confidentiality, integrity)
of the various SP portions can be preserved more
easily
The SP is a multi-faceted concept that can be defined in various manners. Security
specialists who have addressed SPs have noted this aspect. Most of them agree that "a suite
of policy documents rather than a single policy document works better in a large corporate
environment" (Canavan, 2003, p. 5). In fact, splitting the SP into fragments has multiple
advantages:
1. All SP audiences can be addressed efficiently.
2. All security requirements can be addressed.
3. The security properties (e.g., confidentiality, integrity) of the various SP portions can be
preserved more easily.
More concretely, a classification scheme should be considered to ensure that multiple policies are
developed to address the same security context.
134
SP fragmentation (2)
Audience-based classification
e.g., Governing SP, Technical SP, End-user
SP
Issue-based classification
e.g., Access control SP, Information
classification SP,
Sensitivity-based classification
e.g., Top Secret, Secret, Confidential, Public
Examples of SP classifications are given below to highlight the importance, or even the necessity,
of SP fragmentation:
1. Audience-based classification: In (Canavan, 2003), Canavan argued that policies should be
hierarchized with respect to the hierarchical structure of roles. He proposed three policy types
which are: governing policy, technical policy, and end-user policy.
2. Issue-based classification: The difficulty of securing a system is proportional to its
complexity. Requirements related to security are defined with respect to the functionalities that
the system provides. Depending on the assets to protect, some issues can be more
emphasized than others. For example, for an Internet Service Provider (ISP), the major need
is to guarantee access to network services subject to the respect of contracts, laws, and ethics.
For this reason, ISPs concentrate their SPs on access control, authentication, and availability.
However, as the data structures they handle are simple (compared to other organization
types), developing an ICP requires less effort. Conversely, a Certification Authority (CA)
manages a richer data set. Cryptographic keys, digital certificates, and revocation lists are
just examples of these data. Consequently, information classification becomes more complex
than in the former case (ISPs). In the following, we attempt to give some of the security issues
that would need a separate policy. The information security policy and the access control
policy will be particularly detailed. The remaining policies will be discussed in later sections.
3. Sensitivity-based classification: Gaining knowledge about how a system is protected is often
one of the primary goals for an attacker. Thus, the SP itself should be secured in the sense
that it should not be accessed by non-authorized entities. This presupposes that SP content is
divided into pieces, each corresponding to a security level. The most trivial sensitivity-based
classification consists in separating internal policies from external policies (Purser, 2004).
Policies that address the secure functioning of the production process are internal. Their
content should not be published outside the organization. Conversely, external policies are
those that are intended to be published to an external audience. This classification can be
improved by being more granular. For example, internal policies themselves can be split into
many categories depending on the sensitivity of the concerned department.
135
SP requirements
Accountability: Every action performed on
the system should be traced
Awareness: Every user should possess
the appropriate knowledge to interact with
the system in a secure manner.
Proportionality: Security measures defined
in the security policy must be suitable with
the risks that threaten the system.
A SP must possess several properties to fulfill its objectives. The essence of these properties is given in the
following.
1. Accountability: Every action performed on the system should leave a trace that would serve for
monitoring the system state. This guideline is tightly related to the continuous control of the IT
infrastructure. Practically, the most common accountability mechanism consists simply of recording
traces into log files. Nonetheless, as resources dedicated to this activity are generally limited (in the
sense that they do not allow the capture of all the attributes defining a system state), the security policy
should clearly treat the following issues:
1. Generation: What should be logged? Which are the relevant data with regard to the intrinsic
characteristics of the system under analysis?
2. Analysis: How should the captured information be analyzed to state whether the policy has
been violated?
3. Archival and storage: The information that accounts for the interaction of various components of
the system often has important security levels. Furthermore, archival is a key consideration due
to the fact that traces might be needed after a long time of being captured. Therefore, the
security policy must discuss storage procedures while putting the stress on access control
issues.
2. Awareness: Every user of the system should possess the appropriate knowledge to interact with the
system in a secure manner. This principle is particularly important since most of the security attacks
originate from the inside of the system or exploit vulnerabilities that exist in internal components (e.g.,
misconfigurations). In addition, awareness considerably reduces unintentional harmful actions. Training
programs are often mentioned as a solution that fulfills these needs. However, we believe that a strong
involvement of the human resources department is the best alternative for an enterprise to reach an
acceptable security level. For instance, some investigations should be conducted to determine whether the
candidate caused security problems in his past jobs. Likewise, procedures that should apply when an
employee leaves an organization have to be included in the security policy to ensure that the employee
no longer possesses his security privileges.
3. Proportionality: Security measures defined in the security policy must be suited to the risks that
threaten the system. In other words, the value of critical information as well as the probability
corresponding to security attacks (deduced from studying the environment of the system) should be
taken into consideration when developing a security policy. Obviously, overlooking these aspects would
lead to grave consequences due to the unrealistic view.
An intriguing point that might have been noticed by the reader is that the two latter objectives are, in some
sense, conflicting. A complete SP is rarely cost-effective because the attacks corresponding to a generic
environment are so numerous that mitigating all of them cannot be achieved with a reasonable budget.
Another problem may arise from the fact that completeness is a utopia that can never be objectively
reached. Indeed, the SP development team can never build a zero-uncertainty representation of the
studied environment.
136
SP lifecycle
[Figure: SP lifecycle diagram; recoverable stage labels: Reassessment, Approval, Implementation, Publication, Raising awareness]
Developing a security policy should be done according to several steps that are briefly explained
below:
1. Risk analysis: It includes essentially mission statement, asset evaluation, and threat
assessment. It is worth mentioning that some parts of the SP can be written in this step. In
fact, the risk analyst needs some rules to assign a security level to each resource meaning
that the data classification policy should have already been constructed at this level.
2. Development: This step consists of selecting the security rules that best fit the requirements of
the organization. The SP development team must use convenient languages to model and
validate the SP. The main characteristic of this step is that it is performed progressively to
move from an abstract representation towards a more concrete one.
3. Approval: It relies on a multi-disciplinary committee that validates the security policy. At every
layer (i.e., abstraction degree) of the development process, the SP should be validated
against: (a) the upper layer and (b) the security objectives.
4. Raising awareness: This ensures that the security policy is accessible to everyone who is
authorized to access it. This means that the SP is published correctly and that every user of
the secured system must possess the skills that are suitable to his responsibilities.
5. Implementation: It enforces the application of the security policy. During this step, operational
and technical controls are put in place. Operational controls are security mechanisms that are
essentially implemented and executed by the users themselves while technical controls
include the automated security countermeasures.
6. Reassessment: It guarantees a continuous monitoring of the security policy through scheduled
revisions and analyses. This process is essential to practically test the efficiency of the SP
since new threats can occur.
137
SP and documentation hierarchy
An efficient security architecture
encompasses the use of different
document categories:
Standards
Procedures
Baselines
Guidelines
To keep the organization's global view of how to face potential threats uniform, the SP
must be closely related to the whole security documentation. In the following, we outline the
main document categories that should be used to build an effective security architecture.
1. Standards: A standard is a document that defines how a specific task should be performed. It
can concern, for instance, the development of a product or a protocol related to a secure
process. Generally, standards are developed so that the community using the target system
knows what should be done to interact with it securely.
2. Procedures: Procedures describe exactly how to use the standards and guidelines to
implement the countermeasures that support the policy. These procedures can be used to
describe everything from the configuration of operating systems, databases, and network
hardware to how to add new users, systems, and software.
3. Baselines: Baselines are used to create a minimum level of security necessary to meet policy
requirements. Baselines can be configurations, architectures, or procedures that might or
might not reflect the business process, but that can be adapted to meet these requirements.
They can be used as an abstraction to develop standards.
4. Guidelines: Sometimes security cannot be described as a standard or set as a baseline, but
some guidance is necessary. These are areas where recommendations are created as
guidelines to the user community as a reference to proper security. For example, your policy
might require a risk analysis every year. Rather than requiring specific procedures to perform
this audit, a guideline can specify the methodology that is to be used, leaving the audit team to
work with management to fill in the details.
138
Further readings
M. Hamdi, N. Boudriga, “Security Policy
Guidelines,” The Handbook of Information
Security, Vol. 3, EiC: Hossein Bidgoli, John
Wiley & Sons, ISBN: 0471648337, 2006.
M. Hamdi, N. Boudriga, “Computer Security Risk
Management: Theory, Challenges, and
Countermeasures,” International Journal of
Communication Systems, Vol. 18, Issue 8, pp.
763-793, 2005.
139
Exercises II
140