File: Методические_указания_Гришина_Чепурова.rtf (added 12.08.2019)

Intrusion detection

Intrusion detection is the problem of identifying intrusions both by individuals who use a system without authorization ("crackers") and by those who are authorized but abuse their privileges (the "insider threat"). Currently, two types of model are generally employed by Intrusion Detection Systems (IDSs):

  • Anomaly detection models. These enable a statistical profile of a user's normal behaviour to be compared with the parameters of the current user's session; "significant" deviations from normal behaviour are reported to the security officer, where "significant" means exceeding a threshold set by the specific model or by the security officer. Such a model can reveal previously unknown attacks, but a legitimate session that is merely unusual also raises an alarm (a false positive).

  • Misuse detection models. This second type of model compares the parameters of the user's session with the known techniques attackers use to penetrate a system. It raises few false alarms, but it cannot detect an attack whose technique is not already in its knowledge base.
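The two models side by side, as an added example that is not part of the original text: an anomaly model built from a statistical profile of a user's normal sessions, and a misuse model that matches known attack patterns. The audit trail, the feature set, the list of privileged commands, the signatures and the threshold value are all constructed for the example.

```python
"""Toy host-based IDS: an anomaly-detection model (statistical profile of a
user's normal sessions) beside a misuse-detection model (known attack
patterns). All audit data below is constructed for the example."""
from statistics import mean, pstdev

# A session is the ordered list of commands one user issued, as recorded in
# the audit trail. Constructed training data for user "alice".
NORMAL_SESSIONS = [
    ["ls", "cat", "vim", "ls", "cat", "git"],
    ["ls", "vim", "git", "git", "cat"],
    ["cat", "ls", "vim", "vim", "git", "ls", "cat"],
    ["ls", "cat", "git", "vim", "make"],
    ["vim", "ls", "cat", "cat", "git", "ls", "make"],
]

# Commands a normal developer session rarely issues (constructed list).
PRIVILEGED = {"sudo", "su", "chmod", "useradd", "nc", "find"}

# Misuse signatures: ordered command sequences that characterise known attacks
# (constructed). Matching is a subsequence check so that harmless commands
# interleaved by the attacker do not hide the pattern.
SIGNATURES = {
    "credential harvest": ("cat /etc/passwd", "cat /etc/shadow"),
    "setuid hunt": ("sudo", "find"),
}


def features(session):
    """Map one session to the parameters the anomaly model compares."""
    n = len(session)
    priv = sum(1 for c in session if c.split()[0] in PRIVILEGED)
    return {
        "length": n,
        "distinct": len(set(session)),
        "privileged_fraction": priv / n if n else 0.0,
    }


def build_profile(sessions):
    """Profile of normal behaviour: mean and standard deviation per feature."""
    rows = [features(s) for s in sessions]
    profile = {}
    for name in rows[0]:
        values = [r[name] for r in rows]
        # Floor the deviation so a feature that never varied in training does
        # not yield an infinite z-score; 0.1 is a tuning assumption.
        profile[name] = (mean(values), max(pstdev(values), 0.1))
    return profile


def anomaly_score(profile, session):
    """Largest absolute z-score over all features: how far the current
    session deviates from the user's profile."""
    f = features(session)
    return max(abs(f[name] - mu) / sd for name, (mu, sd) in profile.items())


def is_subsequence(pattern, session):
    it = iter(session)
    return all(any(cmd == p for cmd in it) for p in pattern)


def misuse_matches(session):
    """Names of signatures whose command pattern appears in the session."""
    return [name for name, pat in SIGNATURES.items() if is_subsequence(pat, session)]


def assess(profile, session, threshold=3.0):
    """Findings the security officer receives. `threshold` is the
    'significant deviation' cut-off the officer tunes (assumption: 3 sigma)."""
    score = anomaly_score(profile, session)
    return {
        "anomalous": score > threshold,
        "anomaly_score": round(score, 2),
        "misuse": misuse_matches(session),
    }


if __name__ == "__main__":
    prof = build_profile(NORMAL_SESSIONS)
    # Constructed suspicious session: an attacker working from alice's account.
    suspect = ["ls", "cat /etc/passwd", "sudo", "find", "cat /etc/shadow", "nc"]
    print(assess(prof, NORMAL_SESSIONS[0]))   # not anomalous, no signature hit
    print(assess(prof, suspect))              # anomalous and both signatures hit
```

Note how the two models fail differently: drop the two `cat /etc/...` commands from the suspect session and the credential-harvest signature no longer fires, while the anomaly score still exceeds the threshold; conversely, a legitimate administrator who runs `sudo` and `find` in one session trips both models even though nothing was attacked. Tuning the threshold trades one kind of error for the other.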

In general, controls on user behaviour in the system are tackled by tracking the requests performed by users and recording them in a suitable trail (audit). The analysis has the purpose of detecting whether a set of requests, performed by a given user or user group, may be considered as suspicious.

Audit controls in traditional audit systems have the drawback of being very complex and of being executed a posteriori. The manual review of the large amount of audit data limits the workability of the approach: not all attacks on the system are detected, and those that are may be detected long after they occurred. Hence the need for tools and systems that automatically or semi-automatically check the audit data and try to detect intrusions, possibly on-line, in real time.

A number of IDSs are based on the analysis of the audit trails offered by the host operating system (OS). These systems employ techniques such as the evaluation of a weighted multinomial function to detect deviations from normal behaviour, a covariance matrix for profiling normal behaviour, and rule-based expert systems to detect security violations.

Particular problems of intrusion detection are the need for real-time response, the large amount of data to be processed, the lack of available attack data to be analysed, and the large number of parameters that can be associated with audit data. Therefore, intrusion detection can borrow solutions from other fields such as artificial intelligence, statistics, information theory, or machine learning. These solutions need to be adapted to IDS design and operation, and the impact of these techniques on intrusion detection is yet to be fully understood.

Answer the following questions:

1. What is intrusion detection?
2. What are the main types of models generally employed by IDSs?
3. What are the main problems of intrusion detection?

TEXT 5C.

TRENDS IN INTRUSION DETECTION: MACHINE LEARNING (ML)

ML techniques can be used in IDSs to observe a given system and "learn" to characterize "normal" activities and thus detect abnormal conditions. In particular, four areas of ML seem to have the greatest potential for IDSs:

  • Concept learning. This is the task of training a system to classify elements into categories fixed in advance by the teacher (supervised learning) by considering the element attributes. A classification task in the field of misuse detection is to state whether a given work session is intrusive or normal.

  • Clustering. This consists of partitioning a collection of elements into groups of related elements using some "similarity" criteria. Clustering also includes the task of constructing the categories and the classification rules but in a different way from concept learning.

  • Predictive learning. A temporal model of the data is constructed, giving the ability to learn about intrusion events from temporal data and sequences of discrete events. This model usually incorporates additional knowledge about the specific application. The fewer bits required to represent a sequence of events (that is, the higher the compression ratio), the more powerful the predictive model is. In misuse detection, a predictive model can be learned and characterized numerically by its compression ratio or mean rate of predictability.

  • Extraction of features. The feature extraction problem (distinguishing the relevant from the irrelevant features, and combining the relevant features into a function that identifies an event, for example an intrusion) is an ML problem that limits the usefulness of standard techniques for concept learning and clustering. Some promising new approaches provide algorithms that improve the effectiveness of feature extraction techniques.
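The predictive-learning point above, that a sequence which compresses well is predictable and one which does not is suspicious, as an added example not taken from the original text. It trains an order-1 Markov model on normal event traces and measures the bits an ideal coder driven by that model would spend on a new trace. The system-call traces, the smoothing constant and the alarm threshold are constructed for the example.

```python
"""Predictive learning for intrusion detection: an order-1 Markov model of
event sequences trained on normal traces. The number of bits the model needs
to encode a new sequence measures how predictable it is; normal activity
compresses well, an intrusion does not. The system-call traces, the smoothing
constant and the alarm threshold are constructed for the example."""
import math
from collections import Counter, defaultdict

START = "<s>"  # pseudo-event marking the beginning of a trace

# Constructed traces of system calls from normal runs of one program.
NORMAL_TRACES = [
    ["open", "read", "read", "close", "open", "read", "close"],
    ["open", "read", "close", "open", "read", "read", "read", "close"],
    ["open", "read", "close", "write", "close", "open", "read", "close"],
]


class MarkovPredictor:
    def __init__(self, traces, alpha=0.5):
        self.alpha = alpha                    # additive smoothing (assumption)
        self.alphabet = set()
        self.counts = defaultdict(Counter)    # counts[prev][event]
        for trace in traces:
            prev = START
            for event in trace:
                self.counts[prev][event] += 1
                self.alphabet.add(event)
                prev = event

    def prob(self, prev, event):
        """Smoothed P(event | prev). Events never seen, or never seen after
        `prev`, keep a small non-zero probability so the code length stays finite."""
        row = self.counts.get(prev, Counter())
        k = len(self.alphabet) + 1            # +1 bucket for unknown events
        return (row[event] + self.alpha) / (sum(row.values()) + self.alpha * k)

    def code_length(self, trace):
        """Bits needed to encode `trace` with an ideal coder driven by the model
        (the sum of -log2 of each step's probability)."""
        bits, prev = 0.0, START
        for event in trace:
            bits -= math.log2(self.prob(prev, event))
            prev = event
        return bits

    def bits_per_event(self, trace):
        return self.code_length(trace) / len(trace)

    def compression_ratio(self, trace):
        """Bits a model-free uniform code would spend, divided by bits under the
        model. Above 1 the model predicts the trace; below 1 it is surprised."""
        uniform = len(trace) * math.log2(len(self.alphabet) + 1)
        return uniform / self.code_length(trace)

    def is_anomalous(self, trace, max_bits_per_event=1.5):
        """Alarm threshold in bits per event, tuned on normal traces (assumption)."""
        return self.bits_per_event(trace) > max_bits_per_event


if __name__ == "__main__":
    model = MarkovPredictor(NORMAL_TRACES)
    for trace in (["open", "read", "close"], ["open", "write", "exec", "exec"]):
        print(trace, round(model.bits_per_event(trace), 2),
              round(model.compression_ratio(trace), 2), model.is_anomalous(trace))
```

The threshold is the same kind of tuning knob as in anomaly detection: set it from the bits-per-event distribution of held-out normal traces, and expect a program that legitimately changes behaviour (new version, new workload) to need re-training before its traces compress well again.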

Answer the following question:

1.What areas of ML seem to be the most promising for IDSs?

UNIT 6

TEXT 6A.

USER AUTHENTICATION

Authentication mechanisms validate a user's identity through something the user knows (information), something the user owns (an object), something the user is, or a combination of these modes. Authentication systems based on information known to the user are:

  • Password-based systems. A user is identified through a secret string of characters (numerical and alphanumerical) known exclusively by this user and by the system.

  • Query-answer-based systems. A user is identified on the basis of his or her answers to a set of questions posed by the system. Questions are specific to each user and are generally based on a mathematical function that the user must compute on input values supplied by the system (a challenge-response scheme: the function is the secret, so an answer captured once cannot be reused, provided the input values change at every login).

  • Double authentication systems (hand-shaking), where the system first introduces itself to the user and the user then authenticates back to the system. The system proves its identity by presenting information that only the genuine system and this user share (for example, the date, time and code of the user's last work session); the user then authenticates with a password.

Authentication systems based on something owned by the user are basically card-based systems: the card carries a bar code, a magnetic stripe or a microprocessor (a smart card). Authentication occurs when the card inserted in a suitable reader is accepted, sometimes coupled with a secret code (PIN) so that a lost or stolen card alone is not enough.

Authentication systems based on "something a user is" are:

  • Computerized facsimile systems. The user image is stored; identification occurs by matching the person with his or her stored image shown on the screen;

  • Fingerprint-based systems. Identification is the result of a match between the user's fingerprints with the stored ones;

  • Hand-pressure systems. Identification is made based on the user pressure in writing his or her signature on a suitable device;

  • Voice-recognition-based systems. The user's voice is matched against its stored version;

  • Retinal features-based systems. Identification is made by examining the features of the user's retina.

The last set of authentication systems has a higher degree of complexity than the previous ones because of the intricacies of matching the stored features of an individual against the actual ones. They also incur a higher probability of falsely rejecting authorized users. Cost is a relevant consideration too, since the technologies involved (voice and image recognition) make these systems expensive. Their use is therefore only appropriate in highly security-critical environments.

Words to be learnt:

authentication - verification of identity, confirmation of the right of access; character - character, symbol; identification - identification, recognition; intricacy - complexity; match - n. correspondence, v. to compare, to check against; password - password; query - query, request; recognition - recognition; retina - retina of the eye; to validate - to check for validity, to confirm correctness.

I. Answer the following questions:

1. What is the purpose of authentication mechanisms?
2. What are authentication systems based on?

II. Define the function of the participles and translate the sentences:

1. Users are subjects accessing protected resources.
2. A database is a collection of data organized and managed by specific software, the DBMS.
3. The degree of security provided by current commercial DBMS technology is rather low.
4. The recovery system uses a log journal, namely, a file containing a sequence of records stored in stable storage.
5. We define a firewall as a collection of components placed between two networks.
6. A firewall, if properly deployed against the expected threats, will provide an organization with greatly increased security.
7. Even authorized users should pass through a security gateway when crossing the firewall.

III. Translate the sentences paying attention to the meaning of "one":

1. Entered passwords are matched against stored ones for verification.
2. Not all the mechanisms mentioned are implemented at the OS level: password-based mechanisms are the most common ones.
3. On the one hand, skilful users make security systems more reliable.
4. In the message filter model, messages are not allowed to flow directly from one object to another.
5. One should be aware of the danger of computer viruses.
6. One can achieve a significant increase in security by using one-time passwords.
7. A password of 16 bytes is not as strong as one might guess.

TEXT 6B.

MEMORY PROTECTION

In multiprogrammed environments, the primary memory of a system is partitioned and assigned to the data and programs of different users. This requires protection from mutual interference (among application programs, or between application and system programs). At the same time, some resources need to be shared among different users.

Various sharing levels exist, ranging from no sharing (complete isolation) to uncontrolled sharing. The implementation of a controlled sharing mechanism needs sophisticated protection at the Operating System (OS) level. The following types of hardware mechanism for protection and controlled memory sharing exist: fence address, bound registers, paging, segmentation.

A fence address marks the boundary between the memory area reserved for the OS (generally the lower memory region) and the memory area available to a user. Assuming the OS is assigned the lower memory, a fence-address-based mechanism verifies that each address generated by a program refers to the higher region of memory. Addresses generated by user programs are compared against the fence value: an address higher than the fence value is a correct reference to the user area, whereas a lower value is incorrect, the program is terminated and an error message is reported to the user. A fence address can be specified as a constant hard-wired into the hardware, or can be loaded into a fence register. A fence protects only the OS from user programs; it does not separate one user's area from another's.

In the register-based protection technique, a user's memory area is delimited by a pair of values, stored in dedicated registers, that mark the area bounds. Each user has an associated pair of registers. The bound values can be expressed in two different ways: as bound registers, which hold the lowest and highest addresses of the area and against which every generated address is checked, or as base/limit registers, which hold the starting address and the length of the area, so that a program's logical address is checked against the limit and then relocated by adding the base.

The paging technique is based on partitioning the physical and logical memory into fixed-size portions. For physical memory, these are called frames; for logical memory, they are called pages. The operations allowed on the contents of a page are expressed through a set of protection bits stored, for each page, in the page table: protection bits may mark a page as read-only, read/write or execute-only.

Segmentation consists in partitioning a program into parts, named segments, that correspond to the logical entities of the program (for example code, data and stack). As far as protection is concerned, rights on the segment contents are again expressed through protection bits: segments can be read-only, read/write or execute-only. Protection bits for segments are stored in the segment table, and each access request is matched against the rights of the segment it addresses.
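The checks described above, modelled in software as an added example that is not part of the original text: a fence register, bound registers, base/limit registers, and page and segment tables carrying protection bits. The page size, the table contents and the addresses are constructed for the example; real hardware performs these checks on every memory reference and traps to the OS when one fails.

```python
"""Software model of the hardware memory-protection mechanisms: fence register,
bound registers, base/limit registers, paging and segmentation with protection
bits. Page size, table contents and addresses are constructed for the example;
a real MMU performs these checks on every reference and traps on violation."""


class ProtectionFault(Exception):
    """Stands in for the hardware trap: the OS terminates the program."""


def fence_check(fence: int, addr: int) -> int:
    """Fence address: the OS lives below `fence`, user programs above it.
    Any user-generated address below the fence is rejected."""
    if addr < fence:
        raise ProtectionFault(f"{addr:#x} is below the fence {fence:#x}")
    return addr


def bound_check(lower: int, upper: int, addr: int) -> int:
    """Bound registers: the user's area is [lower, upper). Unlike the fence,
    this also stops a user reaching into another user's area above its own."""
    if not lower <= addr < upper:
        raise ProtectionFault(f"{addr:#x} outside [{lower:#x}, {upper:#x})")
    return addr


def base_limit_translate(base: int, limit: int, logical: int) -> int:
    """Base/limit registers: the program is written as if it started at 0;
    hardware checks logical < limit, then relocates by adding the base."""
    if not 0 <= logical < limit:
        raise ProtectionFault(f"offset {logical:#x} exceeds limit {limit:#x}")
    return base + logical


PAGE_SIZE = 4096
R, W, X = 1, 2, 4  # protection bits: read, write, execute


def _check_bits(requested: int, granted: int, what: str) -> None:
    if requested & ~granted:
        raise ProtectionFault(f"access {requested:#05b} denied on {what} (bits {granted:#05b})")


def page_translate(page_table: dict, logical: int, access: int) -> int:
    """Paging: page_table maps page number -> (frame number, protection bits).
    Only the page number is looked up and checked; the offset passes through."""
    page, offset = divmod(logical, PAGE_SIZE)
    if page not in page_table:
        raise ProtectionFault(f"page {page} is not mapped")
    frame, bits = page_table[page]
    _check_bits(access, bits, f"page {page}")
    return frame * PAGE_SIZE + offset


def segment_translate(segment_table: dict, segment: int, offset: int, access: int) -> int:
    """Segmentation: a logical address is (segment, offset); segment_table maps
    segment number -> (base, length, protection bits). Segments vary in size,
    so an explicit length check replaces the fixed page size."""
    if segment not in segment_table:
        raise ProtectionFault(f"segment {segment} is not defined")
    base, length, bits = segment_table[segment]
    if not 0 <= offset < length:
        raise ProtectionFault(f"offset {offset:#x} exceeds segment {segment} length {length:#x}")
    _check_bits(access, bits, f"segment {segment}")
    return base + offset


# Constructed page table: page 0 holds code (execute only), page 1 constant
# data (read only), page 2 the stack (read/write, deliberately not executable).
PAGE_TABLE = {0: (7, X), 1: (3, R), 2: (9, R | W)}

# Constructed segment table: segment 0 code, 1 data, 2 stack.
SEGMENT_TABLE = {0: (0x10000, 0x2000, X), 1: (0x20000, 0x1000, R | W), 2: (0x30000, 0x800, R | W)}


def allowed(fn, *args) -> bool:
    """True if the access goes through, False if hardware would have trapped."""
    try:
        fn(*args)
        return True
    except ProtectionFault:
        return False


if __name__ == "__main__":
    # An instruction fetch from the code page succeeds ...
    print(hex(page_translate(PAGE_TABLE, 0x0010, X)))
    # ... but executing data placed on the stack (injected code) traps.
    print(allowed(page_translate, PAGE_TABLE, 2 * PAGE_SIZE + 0x40, X))
    # A user program that strays below the fence is terminated.
    print(allowed(fence_check, 0x1000, 0x0800))
```

The stack page being read/write but not execute is the property a modern OS enforces as W^X (or DEP/NX): injected data can be written but never fetched as instructions, so the protection bits in the page table are a memory-corruption mitigation as well as an isolation mechanism.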

Answer the question:

1.What are the main types of hardware mechanisms for memory protection? Describe each of them.

TEXT 6C.