Is There an Intruder in My Computer?



Larry Rogers

This library item is related to the following area(s) of work:

Security and Survivability

This article was originally published in News at SEI on: June 1, 2002

Understanding the ways you can secure your home has much in common with understanding how to protect the security of your computer network. Let’s look at the parallels. Imagine that it’s summertime, and you are getting ready to go on vacation. This year is a little different, though, because over the last few months, you’ve bought a new DVD player, a big-screen TV, and a computer. You decided to beef up your home security by contracting the services of a security company. They’ve installed a system intended to guard the perimeter of your house. With everything now secure, you head for the beach and a week away from cell phones, beepers, email, and your boss!

When you come home, all looks well; the TV, DVD player, and computer are all where you left them. There were no calls from the security company, so it’s safe to assume that your house wasn’t broken into and robbed, right? That seems like a reasonable conclusion.

Let’s add to that scenario fresh tire marks on the lawn, a broken pane of glass from a door, and a report from the security company that an alarm went off. Now you are sure that somebody tried to break in. Did they get in, and, if so, what did they do?

You check the house and everything looks normal, that is, everything is as you remember it. Nothing was moved or disturbed, as nearly as you can tell. You conclude that even though there was a break-in, nothing was taken. You fix the window, reseed the lawn, thank the security company for their information, and move on.

You might have drawn the wrong conclusion, though. The thieves didn’t steal the big items, preferring instead to take smaller ones, like the ring that was in your bedroom jewelry box. Since you only wear that ring on special occasions, you probably won’t notice it’s gone until you want to wear it again. Even then, you might not connect its loss with the break-in.

So, how would you know if anything had been stolen or tampered with by someone breaking into your house? That’s a tough question. You could take pictures all around your house to help jog your memory should there be a break-in. Would that have helped you to determine that your ring had been stolen?

In order to remember all of the items around your house and know where they were you’d need to photograph literally every inch. That’s an almost impossible task. Moreover, every time you left for a few days (or even a few hours), you’d have to retake every picture so that you would catch recent changes on film. It might be fun to do once or twice, but the process would get old quickly.

Video surveillance is another way to record the events around your house. Assuming everything is installed properly, works as designed, and the videotape does not run out, a video log file can help you understand what happened while you were away. Again, constantly videotaping every inch of your house is a daunting task, and it can be fairly expensive.

Now let’s switch from the scenario of a home break-in to a computer break-in. How would you know if an intruder tried to break in to your computer, if the intruder was successful, and ultimately what the intruder did once he or she broke in?

Just as you needed to take photos of all items in your house to be able to detect unwanted changes, you need to have a record of every file, directory, device, and setting on your computer. Similarly, as the videotapes show the changes that took place while you were gone, you need a log of the changes that happened while your computer was running. Additionally, just as you are aware from the videotapes that it’s normal for the mail carrier to come to your door at about noon every day, you need to be aware of what events are normal for your computer.

Do you know these things about your computer system? Do you have a list of all of the files, directories, devices, and settings? Do you know how they change as the system and applications run? Do you know what is normal and, conversely, what is unexpected and therefore potentially a sign of an intrusion? If you don’t, how would you know if someone has broken into your system? And if you have had a break-in, would you be able to figure out what the intruder did?

Characterizing Your System

This process of identifying all files, directories, devices, and settings, as well as having a log of their changes and some understanding of normalcy, is called characterizing a system. While it is pretty easy to identify these items, it’s not as simple to know how they change as your system runs. It should be easy, though, because somebody does know, and you ought to be able to use their knowledge to help characterize your system. Do you have any idea who keeps this information? How about the operating system and application vendors? After all, they either wrote the programs you’re running or they have access to the source code used to create them. They can identify which files, directories, and devices change so you can decide which changes are normal. Now, if only vendors would tell you what to expect when your system runs!

Is this reasonable information to expect from a software vendor? Let’s look at vendors from other industries. Take the automobile industry for example. My owner’s manual—the one that’s supposed to be in the glove compartment—says “Under certain driving conditions such as heavy stop and go traffic, or driving up hills in hot weather, the [engine coolant temperature gauge] pointer may indicate at the top of the NORMAL band. This is also acceptable.” What’s more, the owner’s manual goes on to tell me what to do when the pointer is out of the NORMAL band. They are telling owners what constitutes normal and how to react to an abnormal condition.

Now, go look at the documentation for one of your applications. Does it tell you what happens to your system when you run that application? Does it tell you, for example, whether it creates files somewhere in the file system or that running 1,000 instances at the same time may cause your system to slow to a crawl? Probably not.

What are you—the vigilant systems administrator—to do? In this period of time before the vendors provide you with the information you need to understand and secure your systems, you’ll need to figure all of this out yourself. First, you’ll need to characterize the operating system and its applications in a pseudo-production test environment. That usually means acquiring systems that you’ll use to understand what happens once they’re released for production use. Set them up and run them as you would in production.

Next, you’ll need some characterization software. There are both commercial and freeware products. One popular tool for characterizing a system is TripWire from It is multi-platform, and some versions even come with source code. There are many other tools with similar functionality. These all fall under the general category of host-based intrusion detection tools. Try an Internet search using that phrase to see what other tools are available.

Finally, you put it all together and learn what files, directories, devices, and settings are on your systems and how they change over time. In your controlled test environment, you’ll learn what is normal. Be aware, though, that once your system goes into production, you’ll probably learn more about what constitutes normal, because no matter how good your test systems are, they only approximate your production environment. That’s all right; just seek to understand this new set of changes and incorporate them into your characterization.
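The three steps above (a test system, a characterization tool, and a baseline you compare against once the system runs) as an added example that is not from the article and not Tripwire’s code: a small Python script that records a SHA-256 hash, size, permission bits and ownership for every file under a directory, reports what was added, removed or modified on a later run, and folds reviewed changes back into the baseline. The directory tree, the file contents and the simulated changes are all constructed inline; nothing is read from a real system.

```python
"""Tripwire-style characterization: baseline a directory tree, then report drift.

Added example, not from the original article and not Tripwire's own code.
The watched tree and the changes made to it are constructed in demo().
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Attributes that decide whether an entry counts as modified. mtime is recorded
# for context but not compared, because it is trivially reset by anyone who
# can write the file.
COMPARED = ("sha256", "target", "mode", "uid", "gid", "size")


def fingerprint(path: Path) -> dict:
    """Capture the attributes an unwanted change would disturb for one entry."""
    st = path.lstat()                      # lstat: describe symlinks, don't follow them
    entry = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)  # a redirected link is a change too
    return entry


def characterize(root: Path) -> dict:
    """Walk the tree and fingerprint every file and symlink, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified entries; 'modified' names the attributes that moved."""
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": {},
    }
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in COMPARED if baseline[rel].get(k) != current[rel].get(k)]
        if diffs:
            report["modified"][rel] = diffs
    return report


def accept(baseline: dict, current: dict, paths) -> dict:
    """Fold reviewed changes into the baseline: the 'learn the new normal' step."""
    updated = dict(baseline)
    for rel in paths:
        if rel in current:
            updated[rel] = current[rel]   # changed or new entry becomes the new normal
        else:
            updated.pop(rel, None)        # reviewed removal leaves the baseline
    return updated


def demo() -> dict:
    """Constructed scenario: baseline a tree, change it, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(root / "etc" / "hosts", 0o644)
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake ls")   # stand-in for a binary
        os.chmod(root / "bin" / "ls", 0o755)
        baseline = characterize(root)
        # Simulated tampering: same-size content swap, a new file, a mode change.
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake LS")
        (root / "etc" / "newfile").write_text("unexpected\n")
        os.chmod(root / "etc" / "hosts", 0o666)
        return compare(baseline, characterize(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the size-preserving content swap on `bin/ls` is caught only because the hash is compared; a checker that trusted size and mtime alone would report the tree as unchanged. Storing the baseline file off the monitored host (or at least read-only to it) is what keeps the comparison meaningful.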

Now files, directories, devices, and settings are really only a part of the complete characterization of a computer system. Other attributes to look at are

  • running programs. What resources do they consume and at what times do they run? For example, if your file system backup programs were running at 11 a.m., would that be considered normal? How about a word processor that has already used ten hours of CPU time?
  • network traffic. If your email server suddenly starts making HTTP connections to another computer system, is that normal? What if the flow of Web traffic suddenly increases by an order of magnitude, is that normal?
  • performance. Would you know if your Web server was “slow” today relative to other days? How many transactions can your transaction server handle?
  • the operating system itself. Intruders are actively changing how the operating system works, so applications work differently even though they remain unchanged. Imagine what would happen if the operating system call that executes a program was changed to execute a different program instead.

Unfortunately, the tools available to check these attributes are not as mature as those that check the files, directories, devices, and settings. Nevertheless, as a vigilant systems administrator, you need to account for these other attributes in your full system characterization.
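The four attributes listed above, checked against a recorded notion of normal, as an added example that is not part of the article: a Python sketch in which a baseline learned in the test environment (when each program runs and how much CPU it may use, which ports each service talks to, and the NORMAL band of a performance metric derived from sample measurements) is compared with later observations. The baseline values, program and service names, and the observations are all constructed for illustration and mirror the article’s own cases: a backup at 11 a.m., a word processor with ten hours of CPU, a mail server making HTTP connections, and web traffic up by an order of magnitude.

```python
"""Checking running programs, network traffic and performance against 'normal'.

Added example, not from the original article. Baseline figures and the
observations are constructed; a real baseline is learned in the test
environment and refined in production, as the article describes.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Baseline:
    # program name -> (earliest hour, latest hour, CPU-seconds budget) seen as normal
    programs: dict
    # service name -> set of destination ports it is expected to connect to
    outbound: dict
    # metric name -> sample values measured under normal load
    metrics: dict
    band_width: float = 3.0   # standard deviations that define the NORMAL band


def normal_band(samples, width):
    """Mean +/- width standard deviations: the gauge's NORMAL band for a metric."""
    m, s = mean(samples), pstdev(samples)
    return (m - width * s, m + width * s)


def check_process(b: Baseline, name: str, hour: int, cpu_seconds: int) -> list:
    if name not in b.programs:
        return [f"process {name}: not in baseline"]
    lo, hi, budget = b.programs[name]
    findings = []
    if not lo <= hour <= hi:
        findings.append(f"process {name}: running at {hour:02d}:00, expected {lo:02d}:00-{hi:02d}:00")
    if cpu_seconds > budget:
        findings.append(f"process {name}: {cpu_seconds}s CPU exceeds budget of {budget}s")
    return findings


def check_connection(b: Baseline, service: str, dst_port: int) -> list:
    if dst_port in b.outbound.get(service, set()):
        return []
    return [f"network {service}: unexpected outbound connection to port {dst_port}"]


def check_metric(b: Baseline, name: str, value: float) -> list:
    lo, hi = normal_band(b.metrics[name], b.band_width)
    if lo <= value <= hi:
        return []
    return [f"performance {name}: {value} outside normal band {lo:.1f}-{hi:.1f}"]


def review(b: Baseline, observations) -> list:
    """Run every observation through the check for its kind; return all findings."""
    findings = []
    for kind, *args in observations:
        if kind == "process":
            findings += check_process(b, *args)
        elif kind == "connection":
            findings += check_connection(b, *args)
        elif kind == "metric":
            findings += check_metric(b, *args)
        else:
            findings.append(f"unknown observation kind {kind}")
    return findings


def demo_baseline() -> Baseline:
    """Constructed baseline, standing in for what the test environment taught us."""
    return Baseline(
        programs={"backup": (1, 4, 3600), "word_processor": (8, 18, 3600)},
        outbound={"mail": {25, 53}, "web": {443}},
        metrics={"web_requests_per_min": [100, 110, 95, 105, 90, 100, 108, 92]},
    )


def demo_observations() -> list:
    """Constructed observations: three normal, four abnormal."""
    return [
        ("process", "backup", 2, 600),                    # backup in its window
        ("process", "backup", 11, 600),                   # backup at 11 a.m.
        ("process", "word_processor", 14, 36000),         # ten hours of CPU
        ("connection", "mail", 25),                       # SMTP, expected
        ("connection", "mail", 80),                       # mail server speaking HTTP
        ("metric", "web_requests_per_min", 115),          # inside the band
        ("metric", "web_requests_per_min", 1000),         # an order of magnitude up
    ]


def demo() -> list:
    return review(demo_baseline(), demo_observations())


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The band width is a policy choice: three standard deviations around a mean of 100 with these samples gives roughly 79 to 121 requests per minute, so a tenfold jump is flagged while ordinary variation is not. Whatever the checker flags in production that turns out to be legitimate belongs back in the baseline, exactly as the article says of file changes.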

At last, it’s summertime again and you’re looking forward to some relaxing time away from your normal routine. You’ve noted where things are in your house, and you’ve employed that security company to keep an eye on your perimeter. At the office, you’ve also taken the time to learn more about your systems, and you feel confident that you know how they work and what constitutes normal. Your coworkers will use your new characterization to watch these systems during your absence. Next stop: the beach!

About the Author

Lawrence R. Rogers is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT Coordination Center® is a part of this program. Rogers’s primary focus is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of administering systems in a secure fashion and software tools and techniques for creating new systems being deployed on the Internet. Rogers also works as a trainer of system administrators, authoring and delivering courseware. Before joining the SEI, Rogers worked for 10 years at Princeton University. Rogers co-authored the Advanced Programmer’s Guide to UNIX Systems V with Rebecca Thomas and Jean Yates. He received a BS in systems analysis from Miami University in 1976 and an MA in computer engineering in 1978 from Case Western Reserve University.

This and other columns by Larry Rogers, along with extensive information about computer and network security, can be found at

The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.
