Traditional Indications and Warnings for

Host Based Intrusion Detection

Presented by Wayne A. Campbell

PRC, Inc

at the 1999 CERT Conference (Omaha, NE)


Traditional Indications and Warnings (I&W) methodology has been used by military organizations to determine whether activities by a potential enemy are cause for a heightened state of alert. As the methodology evolved, events that precipitated aggressive behavior were recorded after an enemy had attacked. In time, a repository of information was developed which specified conditions in which a possible attack was near. During the Cold War era, the United States designed a sophisticated system to alert them of impending aggression by Warsaw Pact nations. This indicator-based approach required intelligence agencies to perform a very careful and detailed analysis of any and all actions taken by the Warsaw Pact. This analysis required determination of what actions must be taken or would likely be taken in order for the Warsaw nations to move from their current position to a war-ready condition. The analysis also included constructing a list of possible actions, determining which actions could be effectively monitored, weighing and prioritizing the actions, and determining a course of action based on the indicator being set. It must be remembered that a significant number of indicators were required to be activated before the I&W system produced a warning. A few events, such as troop movements, an increase in reconnaissance flights or message traffic, though important would not trigger a warning. Once a warning was issued, it was provided to strategic decision-makers as an estimate of Warsaw Pact war making ability at the given time. This information, coupled with additional data, allowed a trained planner to make informed decisions about the Warsaw Pact’s intentions. This same strategy can be used to determine host-based anomalous behavior or system misuse.

In recent computer history, Indications and Warnings technology has had a place in post-attack evaluation. When an attack1 is confirmed, by a multitude of potential strategies, computer forensics is used to determine how an attack occurred and what resources may have been compromised. This stage of analysis defines the attack and the steps needed to perform or duplicate the attack. This is commonly known as an “attack signature”. Once the attack has been defined, a post-mortem may or may not be done to determine what events precipitated the attack. The post-mortem must look at events concerning the physical security, social engineering issues, and actual system events. Though physical security and social engineering are important aspects of the post-mortem, they will not be addressed in this paper. The actual system events, which can be determined by the post-mortem analysis, can be used to determine what events indicate that a possible attack is underway. This is the premise in which Security Indication and Warning (SIW) is based.

Indicators

Indicators are defined as an event, or events, which suggest that a potential enemy attack may be near or already in progress. In traditional I&W, an example of an indicator could be the movement of troops from their home base. Indicators are typically selected based on historical analysis. That is to say, after an attack, an analyst will pour over data surrounding the events, which occurred hours, days and months before the attack to determine what events could have alerted the authorities of a possible attack. A single indicator or event may be inconsequential, but when analyzed within the context of other indicators may become significant.

There are certain events or “barriers” which can be used to define indicators for Host Based Intrusion and Detection (ID). As with traditional I&W, computer Security Indications and Warnings (SIW) methodology is best developed by analyzing historical methods of computer intrusions and misuse. This analysis can be used to determine what events or use of resources can be indicators of potential hostile activity. In addition, knowledge of operating system vulnerabilities and weaknesses are crucial in defining indicators. It is important to know that each site may have site specific information, that when compromised, may indicate a potential threat. This information and its protection philosophies are known as “boundaries”. This topic will be discussed in detail in the following sections

The SIW methodology allows the same event to have different levels of significance based on time, location and perpetrator of the event. The level of significance is determined by the site’s security policy. An example may be the use of root privileges on a development machine is considered less threatening then root privileges in a production environment. The levels of significance are crucial in the determination logic needed to reduce nuisance of false positive alerts. Levels of significance also contribute to the overall flexibility and scalability of monitoring which allows multiple alerts to be generated without duplication of data streams needed for analysis. Furthermore, host based SIW is not based on “scenario” matching2, but analysis of multiple, seemingly unrelated events. Therefore it is only necessary to identify indicators of activity - not the various sequences in which they might occur. Since SIW is based on an event or series of events triggering indicators, it inherently has the capability to detect new attacks based on variations of old attacks. The decision making process for SIW can then be coded into a set of rules which can be both broad in focus as well as very narrow. The rules therefore should be defined in terms of escalating events not simply an attack signature.

The process of determining what events3 or resources4 need to be monitored as indicators for the Security I&W logic must be addressed by your security organization. Attack information, historical data, security policy, and security trends all need to be analyzed during this process. This process should first look for all possible events that could signal anomalous behavior or misuse. Once a broad spectrum of events has been identified, the data should be categorized. Site personnel should determine categories, but at a minimum, the following are recommended.



Administrative. All events dealing with the modification, deletion or viewing of an operational system’s configuration.


Role Specific. This category should contain events that usually are performed by users within a particular role such as a database administrator.


Policy Limitations. Events that would be considered unauthorized use of restricted resources based on site requirements.


Limited Usage. All events that would be considered unique or are rarely performed on a system would be placed in this category. These events may overlap with administrative events.


Daily/routine. All events that do not fit into one of the above categories should be placed here.


Once categorized, the events in each group should be prioritized according to what events have the potential for the most damage or cost to the organization. Events that could have a multiplicity of impacts should be rated the highest. Once all events have been prioritized, a cost/performance analysis needs to be done. The more events to be monitored, the slower the response (due to sheer volume) and the costlier the analysis (due to time and resources). On the other hand, reducing the number of events significantly can allow threats to occur undetected. A balance must be met that encourages the use of the process and produces meaningful output, yet keeps the costs at a manageable level.




Figure 1 – Balancing Cost vs Performance


Barriers and Boundaries

In the context of computer security I&W, a barrier is defined as a computer resource or process that when used, misused or compromised suggest that a security breach or operating system misuse may be occurring or has been attempted. An example of this on a UNIX system is the use or creation of a /.rhosts file which can allow a host to act in a privileged role. Typically barriers are provided at the operating system or kernel level.

A boundary is defined as a computer resource or process that when used, misused or compromised indicates that the site’s security policy may have been violated. A boundary may or may not have any direct relationship to the security posture of a system. An example of this on an NT system could be the clearing of the event log without saving a copy for historical purposes. The primary difference between a barrier and a boundary is that a barrier is operating system specific and affects system security. A boundary is organization specific and has more to do with policy instead of security.

The categorization of events into barriers and boundaries is crucial to the SIW process. Great effort should be taken to assure that the triggering of a barrier or boundary can be clearly and unambiguously activated. This is accomplished by the painstaking historical analysis of computer usage and the correct use of level of significance. The division of events into barriers and boundaries is significant in the response afforded the breach of either. Since barriers are typically associated with attacks against the operating system, an aggressive response may need to take place. Boundaries, on the other hand, may require a less aggressive stance.

Barriers must closely adhere to the fact that a security relevant event has occurred. All security relevant actions (i.e. su to root on UNIX) must be recorded as a barrier. Events that can not be clearly identified as security relevant may still be events that trigger or cross a barrier. This can be seen in time delayed attacks, when insignificant events occur over an extended time period. The events together provide evidence of an attack, but separately they do not. When barriers are breached, significant, decisive action is usually taken against the machine and/or user. An example may be logging off the user or denying access to the LAN by a machine. A single barrier typically should be used to monitor any unique event(s) or unusual circumstances, whereas groups of common or normal events typically would be grouped into a single barrier definition.

Boundaries are events by users, which may be deemed misuse, anomalous, or inappropriate behavior. A boundary should have a security policy requirement (actual or derived) as the basis for its definition. This prevents ambiguous and/or unjustifiable breaches. A site may define a boundary as logging on between 11:00 PM and 6:00 AM by users other then system administration personnel. If this boundary is crossed, it does not necessarily signal a security threat, but it does confirm a system misuse is occurring. Boundaries being crossed typically require further in-depth investigation by security personnel to comprehend the magnitude of the problem.

It is clear that both barriers and boundaries need to be monitored to assess the security level of your system. Typically the combination of multiple barriers and/or boundaries should trigger a security alert. Whenever an alert is produced due to a security indicator, there must be a clearly defined response, whether automatic or manual.



Levels of Significance

A primary shortcoming of many intrusion and detection systems is the requirement that all events throughout the LAN or individual systems have the same impact on the security level of the system. In other words, all events are treated as equal. In reality, events from different systems or users are weighed differently in the security equation. The SIW methodology allows a site to place more significance to an event based on who performed the action as well as what platform the action was executed on. This ability allows general rules to be generated, without necessarily producing a large number of false positives. For example, the ability to su to root on a UNIX system may be allowed on a development platform where system level processes are being created and tested. However, on a production system, this functionality is not desired for the general user community. The same su detect rule could be used on both systems by applying a higher level of significance to this action when performed by the general user community and not individuals in the development group.

This approach can also be used to monitor unique or unusual events and/or processes on a system. By setting the level of significance to a high level, an unusual event can quickly be raised to the attention of a security officer. In addition to the unusual event, a specific ID may also increase the level of significance.

Security I&W Approach

The Security I&W (SIW) methodology will be explained by using three (3) sample statements from a security policy. Using these statements, indicators will be identified and levels of significance will be addressed. Rules will then be created and refined if required.

The security policy statements (and related background information) are:

1) No user shall have direct access to the price files for job proposal submissions; access to these files is only permitted via the corporate directed tools.

Background: All price files are contained in the /proposal/prices directory. All the files are created and maintained by an internally created application (PropGen) and have the extension “.ppf”.

2) No individual shall be able to assume another user’s identity on any production machine. On development machines, developers may assume the “root” role but no other user’s identity.

Background: All development machines have an IP address in the range of 192.12.15.[0-20]. No direct login to root is permitted; you must login as a user first.

3) No user shall attempt to obtain root or administrative privileges through covert means.

Background: This is a general rule designed to prohibit any attempt to obtain administrative privileges through buffer overflows or any UNIX system vulnerability or weakness.

These security policy statements are incomplete because they are lacking an important element – response definition. Though it is not the intent of this paper to define what is required in a security policy, the response definition is crucial to the SIW methodology. A site must know what to do when a violation has occurred. It should be clearly stated what the response to a violation should be. This paper will infer and derive the response requirements from the policy statements.

Policy statement #1 expresses the importance of the price schedule files and the information contained within these files. Based on this statement, we can determine that whenever the files are copied or removed, a violation has occurred. In addition, any time a file is read by a process other than the corporate tool, PropGen, a violation has occurred. Access to the directory /proposal is not in and of itself a violation, however, it could signal unauthorized browsing may be occurring. The security officer should be informed of such activities. Therefore the following alert messages should be produced and displayed to the security officer based on statement number one:

Attempt to copy sensitive price schedules.

Attempt to delete sensitive price schedules.

Illegal access to the prices schedules.

Unauthorized browsing of restricted resources.

Policy statement #2 explains the requirement of users to protect their user ID. This includes not divulging their user ID and password to any individual. It also defines for developers the circumstances in which they can acquire administrative privileges as root. Not specifically defined, but derived from the background information, is the requirement that root logins are not permitted. Using this information, the following alerts can be defined:

Illegal root login

Unauthorized use of su() command

Root assumed a user’s identity

Unauthorized transition to a new user ID

Policy statement #3 specifies that root access can only be obtained through normal, corporate approved means, such as the su command. Any acquisition of root privileges, other than by site approved means, should be made known to the security officer. Alert messages related to this policy statement are:

Illegal transition to root (buffer overflow)

Root shell attack has occurred

After reviewing the security policy, defining the barriers and boundaries typically should be done by an individual knowledgeable of basic system security. The information about the operating system is necessary when defining barriers. This information is crucial since vulnerabilities may be specific to an operating system version and/or its manufacturer. Note: the background information defined above is for a UNIX system (i.e. Solaris). Knowing the OS information, the following barriers can be defined:

1) Audit Daemon. This is a primary barrier. The daemon must be operational at all times for accurate host-based analysis. Any change to its normal operating state is a reportable event.

2) su command. No individual is allowed to assume another person’s identity. The su command allows a user to change their effective user id. Obtaining root privileges is also to be limited. Monitoring the use of su is crucial for policy statement number one and two.

3) Login service. The login service authenticates and regulates who has access to every machine. On Solaris systems (as well other UNIX systems) the service, in conjunction with other processes, limits the ability of a user to log onto a machine using the root account.

4) /etc/passwd. This UNIX file as well as its shadow file contains information required to log onto a system. This file should never be copied to another file or directory. This could indicate someone is trying to assume an individual’s identity.

5) Development System. The development platforms have special privileges associated with their job. However these privileges are associated with specific IP addresses.

6) Audit ID. The auditing subsystem tracks all users with a unique identification number.

Boundaries are defined specifically with your users and systems in mind based on your site’s security policy. With this being true, the following three boundaries are defined:

1) “ppf” file. These files contain price schedules and are only to be created, viewed and/or modified through the corporate created tools. Accessing these files by any other means is a violation of the security policy. Such acts could be viewed as corporate espionage.

2) /proposal directory. This directory is the repository for all information to be used in competitive bids, including the "prices" directory, which contains the ppf files. This directory is considered company sensitive and should be protected and monitored accordingly.

3) root privilege. Obtaining root privilege is considered a site defined boundary because it is limited to a select few individuals. All root activities are to be considered reportable events.

4) PropGen. The executable is required to access or modify company sensitive proposal data.

The Rules

Once the policy statements have been analyzed and alert messages defined, the initial rule generation process begins. Part of this process is the determination of event significance. Policy number 2 will be used to describe the rule generation process. This paper will not attempt to write rules for all policy areas discussed, nor will it try to capture all possible circumstances in the rule generation process.

There are three ways in which a user can assume another user’s identification. First, a user may obtain a user’s password and log in ID. Secondly, a user could log in with their ID and use the su() command to change ID (this requires a password). Third, a user could log in with their ID, use the su() command to change to root and then use the su() command again to change ID (this does not require a password). Using the barriers(ba) and boundaries(bo) defined, the following rules could be created:

ba2 and ba3(root)

Root login at console and the successful use of su()

ba2 and not ba5

Successful use of the su() command and you’re not on a development
platform.

(ba2 and ba5) and not ba6(root)

Successful use of the su() command and on the development platform and your current ID is not root.

Assuming that the ba2 event has a value of 5, ba3 has a value of 1, ba5 has a value of 4 and ba6 has a value of 3, the rules can be modified to have a threshold associated with them. Additionally, the rules can have a significance factor(SF) added to the equations. The new equations/rule could look as follows:

ba2 and ba3 => 6

ba2 and not ba5 => 9

(ba2 and (ba5*SF)) and not ba6 => 12

The third equation, using a SF of .25, is designed to allow 4 su() commands to be executed before a warning would be generated. The same barrier in equation number #2 is used and one event triggers a warning. This is one way in which to use level of significance, another could be the determination of the level or severity of the alert message.

Conclusion

The Indications and Warning methodology is a proven methodology that today’s technology allows us to apply to host-based intrusion detection. The methodology and its rules for activation can be accurately defined using Boolean math. The ability of a computer to rapidly process 1’s and 0’s allows quick analysis of multiple rules quickly. The rapid processing of Boolean equations allows multiple levels of indicators to be created. Furthermore, this ability allows rules to be created, which specify complex situations. Multiple levels allow a “one to many” relationship to exist between levels of indicators. The “one to many” relationship between indicators allow rules to be defined without an excessive amount of low level indicators.

The advantages of the SIW methodology are many, however, its primary advantage is flexibility. The flexibility is evident in its ability to add levels of significance to events and/or host systems. This technique allows the prioritization of events and users. The SIW methodology’s ability to detect possible attacks without prior knowledge of the attack’s signature is another important advantage. This advantage provides a level of protection against future, unknown attacks without the investment in frequent updates.

The SIW methodology’s disadvantages are few and can be easily overcome. The primary disadvantage is the number of potential “enemies” to monitor. Traditional I&W monitored one or two enemies, SIW is required to monitor potentially thousands of users. The situation creates the another disadvantage - system requirements. The larger the number of monitored entities, the more system memory, disk space and CPU speed is required for effective monitoring.

Overall, the Security Indications and Warnings methodology is consistent with the requirements for an intrusion detection system. The system can consistently and automatically warn of potential aggression/attacks. When properly implemented, SIW is a valuable tool to be used by information security professionals. Instead of providing definitive assertions, SIW is a warning system that can give guidance and direction.

1 An attack is defined as an unauthorized attempt to access the computer system, its resources or the LAN in which it is connected. The attack may or may not cause any physical damage.

2 Scenario matching, also known as attack signatures, typically employ a knowledge base (or database) of known computer attacks. The logic engine for these systems compares user activity against their cache of information. If the user’s activity matches a scenario, the security officer can be notified. The disadvantage to these systems is the requirement to have a comprehensive database of attacks; only known, recognizable attacks can be detected. For additional information, see U.S. patent 5,557,742

3 In this context, an event can be a single computer command (i.e. telnet) or a series of commands.

4 In this context, a resource can be computer hardware time events (i.e. CPU or IO), device usage (i.e. CD-ROM or tape device) or a specific system user.

10