Ok now that the number of subscriptions has started to slow down, it is a good time to start some discussions. After all this is what the list was created for. The following will be more or less general ramblings, I am interested in hearing any further comments. 1. Currently the direction of intrusion detection systems (both network and computer system detectors) are involved with essentially 2 main thrusts. i) Encoding supposedly "known" intrusion patterns into knowledge bases then essentially monitoring the system audit trail for sequences that resemble the intrusive patterns. ii) Developing profiles of system subjects or "entities" that describe "normal" behavior patterns, then attempting to identify deviations from the established patterns. We have seen the use of bayesian based statistical profiling, I was wondering if anyone had considered any of the other mainstream uncertainty theories, such as Dempster-Shafer Theory (DST), Fuzzy-Logic (I think there has been some research into this area), and EMycin/Mycin theory. From my understanding Bayesian based inference is the most mathematically well founded of the above theories but at the same time it is also supposedly more difficult in terms of computational resources and algorithmic complexity. 2. Enforcing Computer System Policy. Due to the size of systems currently being administered (in some cases 10,000+ users), it beings to become a difficult task to ensure correct access controls for all users. From my perspective on system administration , not that I am system administrator in any sense, but I do have limited unix installation (from which I get to play with - Linux) and do use Solaris1.1 and 2.3 (as a user). (This is where I would particularly like to hear from the system administrators). Now the current release of Solaris comes with a admintool, essentially a set of tools that is supposed to make the task of administrating large networks alot easier, through the use of Database Manager (NIS+), Printer Manager, Host Manager and User Account Manager. These tools, are essentially to ease the task of maintaining or setting up services on the system, not actual tools to assist in security of the system per se, through increased authentication in NIS+ and incorporation of Kerberos (Secure RPC). Now while these tools and increased security features may provide for a more secure environment, there still seems to be alot lacking in the control over services and monitoring of system usage. Most auditing facilities are still very verbose text based. [ I envisage that a integrated graphical environment, where different user, service, resource, and intrusion detection components are incorporated, the administrator can essentially monitor the complete runnings of the system, query any alerts that appear, control monitoring processes etc. ] Now, in our university environment (it probably applies to alot of situations), it is common to find users are required to sign a computer usage policy agreement. Essentially the department and/or administrators decide on what services particular users are and aren't allow to use (ie. undergrads have different services, quota's etc to graduates). From my experience here, most services have been provided for, but due to general abuse of some services such as ftp and irc, some services are restricted. So now the job of the sysadm has been to ensure services are only available to those who have legitimate reasons for use of restricted services. And this is my general point - while it is generally easy to specify a computer policy on paper, it has been difficult to enforce (I assume there are some tools out there to monitor general services, but I think usually each administrator tends to re-implement solutions, kludges, hacks to monitor services). Actually, even when on paper, it is quite possible that users may argue a case that isn't correctly covered in the policy, or users find ways around the restrictions (via use of services that aren't commonly known). Not speaking from experience of course. ;) Now while this isn't necessary intrusion detection, such a component is probably suited to usage in combination with a intrusion detection system, or ideally be a component of an integrated system administrator environment (more on my ideas for universal intrusion detection system environments later). So what would be the steps for incorporating a paper based computer policy into a system enforcing tool ? Are there any tools that already perform such tasks ? In other operating systems ? First lets look briefly at some of the stages of implementing such a system The Problems: - Many administrators have in excess of 1000+ users, becomes difficult to ensure correct access controls - granularity. (not to mention problems with default settings) - Difficult to control/monitor system services. - Enforcing restrictions difficult, users usually find ways around restrictions. - Every system administrator tends to re-develop own methods, usually some kind of service/program wrapper. Now many users have well defined domain in which they are expected to work, so it should be possible to specify a policy for users/groups/services/resource usage. What is a policy ? Policy is usually in the form of a paper document that specifies in some detail what is accepted usage of the computer facilities. Often, it is difficult to specify detailed requirements for users. In turn, a user can't be expected to memorize every possible restriction (and may be difficult to specify every individual restriction), so one would hope that users could rely on the system to indicate when they are attempting actions that are in violation to policy and warn them (essentially stopping there actions). How would we formalize a policy ? How to the computer managers, department staff and system administrators specify what is allowed and what isn't when they maybe unsure of exactly what services, applications, and resources are available on the system. So there needs to be some process of identifying these services on the system. Once the possible services are known the policy a policy has to be resolved for the individual users/groups. NOTE: it may also be useful in specifying restrictions on a service/resource basis than establishing for each individual user. ie. easier to tell a file transfer service to restrict all and allow certain users/groups than to specify for each user/group whether they have access to the service) Some of this may sound like just setting access controls, the idea here, is to maintain complete controls over all resources associated to such a service. In in alot of cases maintaining the uid/gid would be too cumbersome. Now there only remains some implementation issues (which I will not go into here) but they are: How do we represent the computer policy in the computer system ? How do we detect policy violations ? I came up with the following steps: 1. Identification Process - use of a system scanner that attempts to identify services,applications etc on the system. Using signature files and file identification functions, the system scanner attempts to scan the system and identify each particular file and associate it, also configuration files may be specified to determine the state of the system (in much the same idea of using COPS to identify security problems, essentially we trying to determine the configuration of the system). Any unidentified objects may rely on the administrator for identification. 2. Formalization Process - takes all the system objects and groups related objects (ie. Applications - compilers, editors etc ; Services, Users/Groups). and builds an output form. 3. Policy Specification - using the form that identifies sets of services etc the desired settings can be agreed upon, ie. settings as to how services should be configured, which user/groups have access to which services, resources etc. 4. Specification Tool - system administrator then enters into system the policy requirements, using a graphical tool to insert required system settings for each system resource. Such settings maybe stored in a rule-based system, or database etc. 5. Verfication - Now the system can use such a specification database to verify, services to users. It would be possible to integrate authentication via usage of kerberos or similar schemes. Also each individual action by the user has to be classified, to the type of service, application etc. Essentially a type of program registration. Each service would be required to be registered (which would be performed by the identification process). When a user then access a service - through some signature action (maybe using a particular system call, or just some program execution etc). The service will be identified and the user verified for access restrictions. An example scenario: Ftp is a restricted service (typically there would be a wrapper, or the application may verify whether the user has access to such a program or general access controls on the program), so in a typical situation an administrator may modify the ftp binary, sys logging all access to ftp as well as checking the uid. So how does this deter a user that has their own copy of ftp. In our system the ftp binary may be registered to a signature action, which would then discriminate from the users own copy. Once the signature for ftp is identified the user requesting the service can be verified. So what do you think about such a system, I think it would be valuable addition to intrusion detection techniques. Such a component is more an intermediary step towards intrusion detection, and might be more useful to some than a full-blown intrusion detection system. I would appreciated any comments, additions to such a proposal ? Would the system administrators here like to give some examples of what they would like see in terms of additional system administration tools ? -- +---------------------+--------------------------------------------------+ | ____ ___ | Justin Lister ruf@cs.uow.edu.au | | | \\ /\ __\ | Center for Computer Security Research | | | |) / \_/ / |_ | Dept. Computer Science voice: 61-42-214-330 | | | _ \\ /| _/ | University of Wollongong fax: 61-42-214-329 | | |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream... | | | LiNuX - the only justification for using iNTeL | +---------------------+--------------------------------------------------+