1. Introduction

The problem of intruders in computer networks is rather old. In fact, it has been persistent

since the beginning of the computer age. One of the first official documents concerning

computer security and intruders is from 1980. It is the so-called Anderson report [Ande1980].

Its contents point out how current the threat of intruders was even back then. The Anderson

report [Ande1980] defines a lot of intrusion scenarios that are still up-to-date and applicable,

which is one of the reasons that it is still referred to today. On this account, section 2 of this

article explains the different types of intruders and their characteristics.

The following section presents several intrusion detection techniques and how intrusions can

be prevented. A promising approach for intrusion detection is introduced and its mode of

operation is briefly depicted. Considering an example of the effectiveness of this approach we

will show how the intrusion detection of this tool works in practice.

Whereas section 3 deals with closing security gaps by means of intrusion detection, section 4

raises security issues regarding password management on UNIX, and it describes

general problems of password selection. Good passwords need to be distinguished from

bad passwords in order to make it a more difficult task for attackers to guess passwords. We

will present some of the techniques that claim to be solutions to these problems and discuss

their effectiveness.

2. Threat scenarios

The term "intruders" comprises more than just human attackers who manage to gain access

to computer resources although the resource was not meant to be used by them in the first

place. Apart from these human attackers who are popularly called "hackers", intruders can be

computer programs that seem to be useful, but contain secret functionality to invade a system

or a resource. These programs are also known as Trojan horses. Programs containing viruses

can act as intruders too. Computer systems can be any kind of internal network, e.g. within a

company. Computer resources can be work stations, mobile computers, as well as computer

programs. Although we don't need to distinguish between human attackers and computer

programs that perform illicit actions, we need to know some characteristics that define

intruders. One has to keep in mind that the following definitions not only apply to human

beings, but to illicit computer programs too, although below we will talk about "individuals"

acting in different types of threat scenarios. This is done in accordance with most of the

literature about this subject.

In general, three types of intruders can be distinguished: the misfeasor, the masquerader, and

the clandestine user. The definition for these terms can be traced back to [Ande1980] which

establishes these terms in detail. To refrain from repeating an exhaustive list of definitions

only the important differences in the characteristics of misfeasor, clandestine user, and

masquerader will be addressed.


Misfeasor

Imagine someone who emails blueprints and schematics the company he works for is holding

a patent on to his home email account in order to sell it to a competitor company. Another

example of such a misfeasance of one's privileges is printing offensive material at work.

Nowadays we can take for granted that someone has access to an email account or a printer

at work. It is obvious that no data was accessed without authorization in both of these

examples. However, the user misused some of his privileges.

On this account we define misfeasor as an individual who works within the scope of his

privileges but misuses them.

Clandestine user

Another user might take advantage of a security hole in the operating system in order to gain

administrative privileges to a computer resource. How this can be achieved on a recent

operating system will be shown in section 3.3. We define clandestine user as an individual

who seizes supervisory control to disengage or avoid security mechanisms of the system such

as audit and access controls.

Masquerader

A third individual could steal another user's login id and the associated password. If this data

is at the disposal of an attacker he can use the system incognito for his illicit intentions. Yet,

sometimes stealing ids and passwords is not even necessary, because some users might

choose very simple passwords, which can be a mere repetition of the login id, some easily

accessible information related to their personal life, such as their spouse's name, or a

password that is very short, for example only 4 characters or even shorter.

We define masquerader as an individual who overcomes a system's access control to exploit a

legitimate user's account.
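As an added example (not part of the paper), the following checker rejects exactly the password choices the masquerader paragraph describes: a repetition of the login id, easily accessible personal information such as a spouse's name, and passwords of 4 characters or fewer. The function names and the personal-information word list are assumptions made for this example.

```python
# Added example, not from the paper: flag the guessable password patterns the
# masquerader paragraph lists, so they can be rejected before a masquerader
# needs to guess them.

def is_repetition_of(password: str, token: str) -> bool:
    """True if password is token repeated one or more times (case-insensitive)."""
    p, t = password.lower(), token.lower()
    return bool(t) and len(p) % len(t) == 0 and p == t * (len(p) // len(t))

def weak_password_reasons(password: str, login_id: str, personal_info: list[str]) -> list[str]:
    """Return the reasons a password is guessable; an empty list means it passed.

    personal_info: words the caller considers easily accessible about the user
    (spouse's name, birthday, ...); assumed to be supplied by the caller.
    """
    reasons = []
    if len(password) <= 4:
        reasons.append("too short (4 characters or fewer)")
    if is_repetition_of(password, login_id):
        reasons.append("repetition of the login id")
    lowered = password.lower()
    for word in personal_info:
        # ignore very short words, which would match almost anything
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains personal information ({word})")
    return reasons

if __name__ == "__main__":
    # constructed sample: login id "jdoe", spouse named Alice
    for candidate in ("jdoejdoe", "abc", "Alice1985", "correct-horse-battery"):
        print(candidate, "->", weak_password_reasons(candidate, "jdoe", ["Alice"]) or "ok")
```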

Common to misfeasor, clandestine user, and masquerader is that either they aim to increase

the amount of their privileges or they use the system in an unforeseen way.

If a system is tricked by an attacker to provide users with privileges they did not hold before,

the system is in a compromised state.

It has to be noted that misfeasors and clandestine users are internal attackers. That means,

initially they are legitimate users having some privileges in the internal network, whereas the

masquerader can be an attacker from outside the network if he happens to correctly guess a

password.

3. Identifying Intruders

Typically, everyone stores plenty of sensitive data in one's user account, such as personal data,

address books, data one is required to carefully protect by law, and data that grants access to

other systems or that is supposed to prove one's identity for example. It is fairly easy to find

examples for each of these types of data:

Personal data could be emails from your spouse. Address books might contain phone numbers

and addresses of the suppliers the company does business with. Time tracking of engineers

has to be handled with great care. Furthermore, if one has stored passwords or private and

public keys on one's account, the security systems that try to grant secure access to other

systems or that try to prove one's identity by these means will be useless. Moreover, if such

sensitive data can be accessed by others the owner runs a high risk of financial losses and

personal harm.


3.1. Intrusion detection

The threats posed by attackers have to be addressed. To this end intrusion detection techniques

have been developed to close security gaps of operating systems and network access controls.

Below different types of intrusion detection techniques will be introduced briefly and an

overview of their weaknesses and strengths will be given as they appear in [Stal2003] and

[Ilgu1995].

Threshold Detection

Threshold Detection is one of the most rudimentary intrusion detection techniques compared

to the other ones. The idea of this approach is to record each occurrence of a suspicious event

and to compare it to a threshold number. However, it turns out that establishing threshold

numbers as well as rating the security relevance of events is a rather difficult task which is

often based on experiences and intuition. An implementation of this approach was developed

at Los Alamos National Laboratory and it is called NADIR.

Anomaly Detection

Anomaly Detection is one of the earliest approaches that try to meet the requirements described

in [Ande1980] to distinguish masquerader, misfeasor, and clandestine user. Implementations

of this approach are realized in statistical or rule based forms. Typically, anomaly detection

requires little knowledge of the actual system beforehand. In fact, usage patterns are

established automatically by means of neural networks for example. Intrusion detection

systems that have already implemented this approach are IDES, Wisdom & Sense, and TIM.

Rule-based Penetration Identification

Rule-based Penetration Identification systems are expert systems that recognize single events

as well as sequences of events. The foundation pillar of this approach is a suspicious record

for each user. Initially this record has the value zero and the more suspicious a user becomes,

the higher his suspicious record. Examples that implement this technique are IDES, NADIR,

and Wisdom and Sense.
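As an added example (not code from the paper or from any of the systems it names), the following illustrates both the Threshold Detection paragraph and the Rule-based Penetration Identification paragraph on a constructed audit trail: one function counts occurrences of a single suspicious event per user against a threshold, the other keeps a per-user suspicious record that starts at zero and grows with each suspicious event or event sequence. The event names, weights and threshold values are assumptions chosen for the example (as the paper notes, such numbers are set by experience and intuition).

```python
# Added example, not from the paper: threshold detection and a rule-based
# "suspicious record" per user, run over a constructed audit trail.
from collections import Counter, defaultdict

# Constructed audit trail: (user, event), in order of occurrence.
AUDIT = [
    ("alice", "login_failed"), ("alice", "login_failed"), ("alice", "login_failed"),
    ("alice", "login_failed"), ("alice", "login_ok"), ("alice", "read_shadow"),
    ("bob", "login_ok"), ("bob", "print_job"), ("bob", "print_job"),
    ("carol", "login_ok"), ("carol", "chmod_setuid"), ("carol", "audit_disabled"),
]

def threshold_detection(events, event="login_failed", threshold=3):
    """Threshold detection: count one suspicious event per user and flag users
    whose count reaches the threshold. Threshold and event are assumed values."""
    counts = Counter(user for user, e in events if e == event)
    return {user for user, n in counts.items() if n >= threshold}

# Rule base (assumed weights): single events, and (previous, current) sequences.
EVENT_WEIGHTS = {"login_failed": 1, "read_shadow": 5, "chmod_setuid": 4, "audit_disabled": 8}
SEQUENCE_WEIGHTS = {
    ("login_failed", "login_ok"): 2,        # success right after failures
    ("chmod_setuid", "audit_disabled"): 10, # privilege change, then audit switched off
}

def suspicion_records(events):
    """Rule-based penetration identification: every user starts at zero; the
    record grows with each suspicious event and each suspicious sequence."""
    record = defaultdict(int)
    previous = {}
    for user, event in events:
        record[user] += EVENT_WEIGHTS.get(event, 0)
        record[user] += SEQUENCE_WEIGHTS.get((previous.get(user), event), 0)
        previous[user] = event
    return dict(record)

def flag_users(events, limit=10):
    """Users whose suspicious record reached the (assumed) limit."""
    return {user for user, score in suspicion_records(events).items() if score >= limit}

if __name__ == "__main__":
    print("threshold detection:", threshold_detection(AUDIT))
    print("suspicious records :", suspicion_records(AUDIT))
    print("rule-based flags   :", flag_users(AUDIT))
```

On this sample the event counter only sees alice's repeated login failures, while the rule base also catches carol, whose single events never repeat but whose sequence of privilege change followed by disabled auditing matches the clandestine user of section 2.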

Model-based Intrusion Detection

A higher level of abstraction than the approaches above is characteristic of this intrusion

detection technique. The objective of Model-based Intrusion Detection is to build penetration

scenarios of a network rather than characterizing the behavior of a specific user. For identifying

penetrations the pieces of evidence are evaluated against a hypothesis.

Intrusion prevention

The goal of Intrusion prevention is to close well known security gaps. A well known system

using this approach is COPS (Common Oracle and Password Security System).

Table 1 shows which intrusion detection technique is suitable for identifying a certain type of

attacker.

| Technique                             | Misfeasor | Clandestine user | Masquerader |
|---------------------------------------|-----------|------------------|-------------|
| Threshold detection                   | No        | Yes              | Yes         |
| Anomaly Detection                     | No        | Yes              | Yes         |
| Rule-based Penetration identification | Yes       | Yes              | No          |
| Model-based Intrusion detection       | Yes       | Yes              | No          |
| Intrusion Prevention                  | No        | Yes              | No          |

Table 1 - Suitability for detecting attackers

In short, statistical-based techniques try to determine whether or not the current behavior

matches patterns seen earlier, whereas rule-based approaches define proper behavior. For this

reason statistical-based techniques are better at detecting masqueraders, whereas rule-based

ones are better at detecting misfeasors and clandestine users. In order to detect all types of

intruders, systems for intrusion detection use more than just one approach to grant security.
