
Contents
Question 21: Unauthorized system intrusion
Question 22: Computer viruses and malicious programs
Question 23: Firewalls
Question 24: Packet-filtering firewalls

Question 21: Unauthorized system intrusion:
- The concept of unauthorized intrusion; classification of intruders by method of intrusion; classification of intruders by behaviour.
- Intrusion detection: purpose, the basic assumption behind intrusion detection, and the two approaches to intrusion detection (statistical and rule-based).
- Distributed intrusion detection systems.

1) The concept of unauthorized intrusion; classification of intruders by method of intrusion and by behaviour.

Unauthorized intrusion is gaining access to a system that one is not permitted to use, without authorization from that system.

Classification of intruders by method of intrusion:
- Masquerader: an unauthorized user from outside who penetrates the system and exploits the account and privileges of a legitimate user (intrusion from outside).
- Misfeasor: a legitimate user who uses privileges beyond what they have been granted (intrusion from inside).
- Clandestine user: seizes supervisory control of the system in order to evade auditing and access control (often seen against poorly administered database systems; from inside or outside).

Classification of intruders by behaviour:
- Exploration: no intent to cause damage; the intruder only wants to get in (to see whether they can).
- Destruction: the intruder breaks in and carries out destructive actions (typically young, impulsive people with little knowledge and a lot of spare time).

2) Intrusion detection: purpose, basic assumption, and the two approaches (statistical and rule-based).

Purpose:
- Fast detection: minimise the damage and restore the system to normal operation quickly.
- Deterrence: an effective intrusion detection system can deter intrusions.
- Gathering information about intrusion techniques, to strengthen prevention.

The basic assumption of intrusion detection is that the behaviour of an intruder differs from that of a legitimate user, and that this difference can be detected. The approach is:
- distinguish masqueraders from legitimate users;
- observe historical data;
- establish patterns of behaviour (profiles);
- watch for significant deviations from those patterns.

The two approaches to intrusion detection:
- Statistical anomaly detection: collect data on the behaviour of legitimate users over a period of time, then monitor behaviour periodically and identify what is unauthorized.
  - Threshold detection: based on the frequency of particular events; count the occurrences of a given event type within an interval and alarm when the count passes a threshold. This produces both false positives (a legitimate user treated as an intruder) and false negatives (a real intruder not flagged), because a single threshold cannot fit every user.
  - Profile-based detection: build a profile of each user's activity and detect changes. The past behaviour of individual users, or of related groups of users, is described and significant deviations from it are detected. A profile is a set of parameters. The foundation of this approach is the analysis of audit records: audit records accumulated over time define typical behaviour, and the current audit records are compared against it to detect intrusion. No prior knowledge of security flaws is required. This approach detects masqueraders well; misfeasors, whose activity stays within their normal profile, are harder to detect.
- Rule-based detection: observe the events in the system and apply a set of rules to decide whether an activity is suspicious; a rule base characterising intruder behaviour is built.
  - Rule-based anomaly detection: detects deviations from previously observed patterns of behaviour. Rules are generated automatically by analysing historical audit records to identify usage patterns; the assumption is that the future will resemble the past, and the rules are applied to current behaviour. No knowledge of security weaknesses is required, but a large rule database is needed (on the order of 10^4 to 10^6 rules).
  - Rule-based penetration identification: an expert system that searches for suspicious behaviour. It uses rules to identify known intrusions or ones that are suspected; the rules are written by experts and are specific to the system. This is the better approach for the intrusions that statistical anomaly detection misses, in particular misfeasors.
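The two approaches above, as an added example that is not part of the original notes: constructed audit records, a threshold check, a profile built from a week of history, and two hand-written penetration-identification rules. Users, counts, hosts and rules are all invented for illustration.

```python
"""Statistical anomaly detection (threshold and profile based) and rule-based
penetration identification over constructed audit records.
Added example, not from the page: users, counts, hosts and rules are invented."""
from collections import Counter
from statistics import mean, pstdev

# Constructed history: per-user daily counts of "file_read" events over one week.
HISTORY = {
    "alice": [2, 3, 2, 4, 3, 2, 3],
    "bob": [40, 38, 45, 41, 39, 42, 40],
}

# Constructed audit records for today: (user, event, detail).
TODAY = (
    [("bob", "file_read", f"/data/report{i}.txt") for i in range(43)]
    + [("alice", "file_read", f"/data/plan{i}.txt") for i in range(12)]
    + [("alice", "login_failed", "198.51.100.7")] * 4
    + [("alice", "login_ok", "198.51.100.7")]
    + [("bob", "file_read", "/etc/shadow")]
)


def threshold_detect(records, event, limit):
    """Threshold detection: users whose count of `event` today reaches `limit`.
    A fixed limit ignores who the user is, hence the false positives."""
    counts = Counter(user for user, ev, _ in records if ev == event)
    return {user for user, n in counts.items() if n >= limit}


def build_profiles(history):
    """Profile = (mean, standard deviation) of the daily count, per user."""
    return {user: (mean(days), pstdev(days)) for user, days in history.items()}


def profile_detect(records, profiles, event, z_limit=3.0):
    """Profile-based detection: users whose count today lies more than
    `z_limit` standard deviations from their own past behaviour."""
    counts = Counter(user for user, ev, _ in records if ev == event)
    flagged = {}
    for user, (mu, sigma) in profiles.items():
        n = counts.get(user, 0)
        if sigma == 0:
            z = 0.0 if n == mu else float("inf")
        else:
            z = (n - mu) / sigma
        if abs(z) > z_limit:
            flagged[user] = round(z, 1)
    return flagged


def rule_detect(records):
    """Rule-based penetration identification: expert-written rules applied to
    each user's event sequence (the two rules here are constructed)."""
    by_user = {}
    for user, ev, detail in records:
        by_user.setdefault(user, []).append((ev, detail))
    alerts = []
    for user, events in by_user.items():
        # Rule 1: several failed logins followed by a success from the same
        # source suggests a masquerader who guessed the password.
        fails = 0
        for ev, detail in events:
            if ev == "login_failed":
                fails += 1
            elif ev == "login_ok":
                if fails >= 3:
                    alerts.append(("masquerade-suspect", user, detail))
                fails = 0
        # Rule 2: an ordinary user reading the password file is a misfeasor;
        # the count is normal, so only a rule (not statistics) catches it.
        if user != "root" and ("file_read", "/etc/shadow") in events:
            alerts.append(("misfeasor-shadow-read", user, "/etc/shadow"))
    return alerts


if __name__ == "__main__":
    print("threshold:", threshold_detect(TODAY, "file_read", 10))
    print("profile:", profile_detect(TODAY, build_profiles(HISTORY), "file_read"))
    print("rules:", rule_detect(TODAY))
```

Bob reads 44 files today, which trips the fixed threshold of 10 (a false positive: that is his usual volume) but stays within his profile; Alice's 12 reads are far outside hers. Neither statistic notices Bob's read of /etc/shadow, since one more file does not move his count; only the expert rule catches that misfeasor, which is the point the text makes about the two approaches.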

3) Distributed intrusion detection

Components of a distributed intrusion detection system:
- Host agent module: a background process on each host that collects audit data and sends its results to the central manager.
- LAN monitor agent module: analyses the traffic on the LAN and reports its results to the central manager.
- Central manager module: receives and correlates the reports from the agents in order to detect intrusions.

Honeypots:
- decoy systems;
- divert attackers away from critical systems;
- collect information about the attacker and their methods;
- keep the attacker occupied long enough for the defenders to respond.

Question 22: Computer viruses and malicious programs:
- The concept and classification of malicious programs. Distinguishing viruses, worms and zombies.
- The general structure of a virus; evading detection by compressing the host program. Types of virus (file virus, boot-sector virus, polymorphic virus, macro virus). The generic decryption technique for detecting and removing polymorphic viruses.

1) The concept and classification of malicious programs; distinguishing viruses, worms and zombies.

Definition: a malicious program is a computer program or piece of code designed to cause harm by destroying or consuming valuable resources, or by leaving a computing system in an unprotected state.

Classification: two main types
- malicious code that needs a host program to parasitise, and exists as part of that host program (for example a virus);
- standalone malicious programs (for example a worm or a zombie).
- In addition, some types in each group can replicate themselves.

Distinguishing viruses, worms and zombies:
- Virus: malicious code embedded in a computer program that replicates by inserting copies of itself into other programs (this insertion is called infection) and carries out destructive actions. A virus can only spread with user involvement: the infected program must be run.
- Worm: a malicious program that replicates on its own. A worm uses network connections to send copies of itself to other nodes without any user action (for example, mailing itself to every address in an address book). Unlike a virus, a worm needs no host program to parasitise; it exists as a standalone program.
- Zombie: a program that secretly takes over a networked computer and then uses it to carry out attacks (sending spam or taking part in a DDoS attack).

2) The general structure of a virus; evading detection by compressing the host program.

General structure of a virus (pseudocode; the marker 1234567 identifies files that are already infected):

    program V :=
      {goto main;
       1234567;                      // marker: tells whether a file is already infected

       subroutine infect-executable :=
         {loop:
            file := get-random-executable-file;
            if (first-line-of-file = 1234567)
              then goto loop            // already infected: pick another file
              else prepend V to file;}

       subroutine do-damage :=
         {whatever damage is to be done}

       subroutine trigger-pulled :=
         {return true if some condition holds}

      main: main-program :=
         {infect-executable;
          if trigger-pulled then do-damage;
          goto next;}
      next:                          // transfer control to the original program
      }

Evading detection by compressing the host program:
- The infected version of a program is longer than the original (uninfected) version, and the change in length gives the infection away.
- Solution: the virus compresses the host program it infects, so that the infected and uninfected files have the same length; when the infected program runs, the virus decompresses the host and transfers control to it.

Figure (not reproduced): the infected program, once compressed, is the same size as the uncompressed, uninfected program.
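A byte-string model of the structure above, added here as an example that is not code from the notes: an infection marker that prevents double infection, the compression trick that hides the size growth, a signature scanner, and, looking ahead to part 3 below, a polymorphic variant that a plain signature scan misses until its decryptor is emulated. The "programs" are labelled byte blobs held in memory (nothing is written to disk or executed), and the body, signature and decryptor stub are invented.

```python
"""Byte-string model of the virus structure: infection marker, compression
trick, signature scanning, and a polymorphic variant exposed by generic
decryption. Added example, not code from the page: the "programs" are byte
blobs in memory, nothing touches the disk, and the body/signature/stub are
invented stand-ins rather than executable code."""
import os
import re
import zlib

MARKER = b"1234567"                               # the page's infection marker
BODY = b"VIRUS-BODY:infect;trigger;damage"        # constructed stand-in for V's code
SIGNATURE = b"VIRUS-BODY"                         # what a signature scanner looks for

# Constructed host program: repetitive text, so it compresses well.
HOST = b"#!/bin/sh\n" + b"echo hello\n" * 200


def is_infected(program):
    """The `first-line-of-file = 1234567` check from the pseudocode."""
    return program.startswith(MARKER)


def infect(program):
    """Ordinary parasitic infection: "prepend V to file"."""
    if is_infected(program):                      # goto loop: pick another file
        return program
    return MARKER + BODY + program


def infect_compressing(program):
    """Compression virus: the host is stored compressed, so the infected file
    is no longer than the original whenever the host compresses well."""
    if is_infected(program):
        return program
    return MARKER + BODY + zlib.compress(program, 9)


def run_host(infected):
    """"goto next": recover the original program (decompressing if needed)."""
    payload = infected[len(MARKER) + len(BODY):]
    try:
        return zlib.decompress(payload)
    except zlib.error:
        return payload


def infect_polymorphic(program):
    """Polymorphic variant: the body is XOR-encrypted under a fresh random key
    on every infection, so only the small decryptor stub stays constant. The
    stub is a toy instruction ("XORKEY:<key>:<len>;"), not machine code."""
    key = 1 + os.urandom(1)[0] % 255              # never 0, so the body always changes
    stub = b"XORKEY:%02x:%d;" % (key, len(BODY))
    encrypted = bytes(b ^ key for b in BODY)
    return MARKER + stub + encrypted + program


def static_scan(program):
    """Plain signature scanner: does the known byte pattern appear as-is?"""
    return SIGNATURE in program


def generic_decryption_scan(program):
    """Generic decryption: "execute" the decryptor stub in an emulator (here
    an interpreter for the toy stub), then scan the decrypted memory image."""
    m = re.match(rb"^" + MARKER + rb"XORKEY:([0-9a-f]{2}):(\d+);", program)
    if m is None:
        return static_scan(program)               # no decryptor: ordinary scan
    key, length = int(m.group(1), 16), int(m.group(2))
    image = bytes(b ^ key for b in program[m.end():m.end() + length])
    return SIGNATURE in image


def demo():
    plain = infect(HOST)
    packed = infect_compressing(HOST)
    poly = infect_polymorphic(HOST)
    return {
        "plain_grows": len(plain) > len(HOST),
        "packed_fits": len(packed) <= len(HOST),
        "host_restored": run_host(packed) == HOST,
        "no_double_infection": infect(plain) == plain,
        "static_finds_plain": static_scan(plain),
        "static_finds_poly": static_scan(poly),
        "gd_finds_poly": generic_decryption_scan(poly),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The compressed variant only stays within the original size when the host compresses well; an already-compressed host would still grow, which is why real antivirus tools compare more than file length. The emulator here understands a single toy instruction; a real generic-decryption engine emulates the CPU and scans emulated memory periodically while the decryptor runs.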

3) Types of virus (file virus, boot-sector virus, polymorphic virus, macro virus); the generic decryption technique for detecting and removing polymorphic viruses.

Types of virus:
- Parasitic virus: attaches itself to executable files and replicates when the infected program is run.
- Memory-resident virus: lodges in main memory as part of a resident program and infects every program that is executed.
- Boot-sector virus: infects the master boot record and spreads when the system is booted from an infected disk.
- Stealth virus: designed to hide from antivirus software (compression, intercepting I/O operations, and so on).
- Polymorphic virus: mutates with every infection (mainly by encrypting itself under a different key each time), which makes signature-based detection much harder.
- Macro virus: infects Microsoft Word documents; at the time these notes were written, macro viruses accounted for two thirds of all viruses in existence.

The generic decryption (GD) technique for detecting polymorphic viruses:
- Detects even the most complex polymorphic viruses easily.
- Does not affect the real system.
- Components:
  - CPU emulator: a software virtual computer.
  - Virus signature scanner: scans programs for the signatures of known viruses.
  - Emulation control module: controls the execution of the suspect code in the emulated environment.
- Principle: a polymorphic virus must decrypt its own body and transfer control to it.
- A sandbox environment is created in which infected files execute without affecting the system.
- As the infected file executes in the emulator, the scanner periodically examines the (now decrypted) code for virus signatures.

Question 23: Firewalls:
- Concept; why a firewall is needed.
- Access control techniques in firewalls; limitations of firewalls.
- Types of firewall: packet-filtering firewall, application-level gateway, circuit-level gateway. How each type works.

1) Concept; why a firewall is needed.

A firewall is a technique integrated into a network to resist unauthorized access, protecting internal information resources and limiting the entry of unwanted information into the system. It is also a device, or set of devices, configured to permit, deny, encrypt and decrypt all traffic between different security domains according to a set of rules and criteria.

Why a firewall is needed:
- Internet connections attach private networks to the global network.
- The firewall is inserted between the private network and the rest of the Internet.
- It establishes a protective perimeter and a single point of security control (a choke point).
- A firewall can protect a single host or a whole set of hosts.

2) Access control techniques in firewalls; limitations of firewalls.

Access control techniques in firewalls:
- Service control: controls which (Internet) services may be accessed, inbound or outbound.
- Direction control: controls the direction in which service requests may be initiated.
- User control: controls access to a service according to which user is attempting it.
- Behaviour control: controls how particular services are used.

Limitations of firewalls:
- Cannot protect against attacks that bypass the firewall.
- Cannot protect against threats from inside.
- Cannot protect against infection by viruses and other malicious programs.

3) Types of firewall: packet-filtering firewall, application-level gateway, circuit-level gateway; how each type works.

Packet-filtering firewall: filters packets one at a time; operates at the network layer and, for some checks, the transport layer.
- Applies a set of rules to each packet passing through the router and decides whether to forward or discard it.
- Filters packets in both directions.
- Rules are based on the source address, destination address and port numbers in the packet.
- The list of rules is matched against the packet's fields, in order.
- If no rule matches, the default action is applied. Two default policies:
  - default = discard: anything not explicitly permitted is dropped.
  - default = forward: anything not explicitly prohibited is allowed.

Application-level gateway:
- Acts as a relay of application-level traffic.
- Also called a proxy server.
- The user connects to the gateway (for example with TELNET to reach a remote host) and is authenticated; the gateway then connects to the remote host and relays data between the two sides.
- The proxy can refuse to relay if the user fails authentication or the application is not one the gateway supports.
- Can inspect the packets passing in both directions to ensure they are safe (full packet awareness).
- Logging is easy, since the gateway understands the entire content of the traffic.
- Disadvantage: additional processing overhead on every connection.

Circuit-level gateway:
- Does not permit end-to-end TCP connections.
- Sets up two TCP connections: one between the gateway and the inside host, one between the gateway and the outside host.
- Relays TCP segments from one connection to the other without examining their contents.
- A security function (following the policy) determines which connections are allowed.
- Used when the inside users are trusted for all outbound services.
- Typically used in combination with a proxy for inbound services.
- Mainly used to hide information about the internal private network.

Question 24: Packet-filtering firewalls:
- Concept, mechanism, advantages and disadvantages of packet-filtering firewalls.
- Common attacks on packet-filtering firewalls: IP spoofing, source routing attack, tiny fragment attack.
- Stateless and stateful firewalls. Advantages of a stateful firewall over a stateless firewall.

1) Concept, mechanism, advantages and disadvantages of packet-filtering firewalls.

Concept: a packet-filtering firewall is firewall software running on a router, or on a host configured to monitor incoming and outgoing packets.

Mechanism:
- Applies a set of rules to each packet passing through the router and decides whether to forward or discard it.
- Filters packets in both directions.

- Rules are based on the source address, destination address and port numbers in the packet.
- The list of rules is matched against the packet's fields, in order.
- If no rule matches, the default action is applied. Two default policies:
  - default = discard: anything not explicitly permitted is dropped.
  - default = forward: anything not explicitly prohibited is allowed.
- Packet-filtering rule sets (OUR-GW is the internal mail gateway, SPIGOT an untrusted external host):

Rule set A
    action  ourhost  port  theirhost  port  comment
    block   *        *     SPIGOT     *     we don't trust these guys
    allow   OUR-GW   25    *          *     connection to our SMTP port
Inbound mail (port 25) is allowed, but only to the gateway OUR-GW. No traffic at all is accepted from the host SPIGOT.

Rule set B
    action  ourhost  port  theirhost  port  comment
    block   *        *     *          *     default
The default policy. It is always the last rule and blocks all other traffic.

Rule set C
    action  ourhost  port  theirhost  port  comment
    allow   *        *     *          25    connection to their SMTP port
Internal hosts can send mail out: any application may connect to port 25 of an outside host. Weakness: the rule only looks at the remote port, so an attacker who sends from source port 25 can reach any port on any internal host.

Rule set D
    action  src          port  dest  port  flags  comment
    allow   {our hosts}  *     *     25           connection to their SMTP port
    allow   *            25    *     *     ACK    their replies
Improvement on rule set C: internal hosts can reach any SMTP server, and packets from an external SMTP server are accepted only as replies, that is, with the ACK flag set.

Rule set E
    action  src          port  dest  port   flags  comment
    allow   {our hosts}  *     *     *             outgoing calls
    allow   *            *     *     *      ACK    replies to our calls
    allow   *            *     *     >1023         traffic to nonservers
Handles FTP connections. FTP uses two connections, one for control and one for data, on two different ports (21 and 20). Outgoing connections use high-numbered ports (>1023), so inbound traffic to ports above 1023 (such as the server's data connection) is accepted.

Advantages: simple, fast, transparent to users.

Disadvantages: it is very hard to write a correct set of rules, and there is no authentication (decisions are based only on addresses and ports).
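The rule engine the table above assumes, implemented as an added example that is not code from the notes. It evaluates rule sets A to E over constructed packets and shows the weakness of rule set C, its repair in rule set D, and the FTP case in rule set E. The "our"/"in"/"out" conventions and every address (192.0.2.0/24 as our network, 192.0.2.25 as OUR-GW, 203.0.113.66 as SPIGOT) are invented for the example.

```python
"""Stateless packet filter evaluating rule sets A to E from the table above.
Added example, not code from the page: the engine, the direction conventions
and all addresses are constructed."""

OUR_NET = "192.0.2."                                    # constructed: our hosts
NAMES = {"OUR-GW": "192.0.2.25", "SPIGOT": "203.0.113.66"}

# Rule = (action, direction, ourhost, ourport, theirhost, theirport, flags, comment).
# direction "*" matches either way, "out" packets sent by our hosts, "in" the rest;
# ports may be "*", a number, or ">1023"; flags is "*" or a TCP flag that must be set.
SET_A = [
    ("block", "*", "*", "*", "SPIGOT", "*", "*", "we don't trust these guys"),
    ("allow", "*", "OUR-GW", 25, "*", "*", "*", "connection to our SMTP port"),
]
SET_B = [("block", "*", "*", "*", "*", "*", "*", "default")]
SET_C = [("allow", "*", "*", "*", "*", 25, "*", "connection to their SMTP port")]
SET_D = [
    ("allow", "out", "our", "*", "*", 25, "*", "our packets to their SMTP port"),
    ("allow", "in", "*", "*", "*", 25, "ACK", "their replies"),
]
SET_E = [
    ("allow", "out", "our", "*", "*", "*", "*", "our outgoing calls"),
    ("allow", "in", "*", "*", "*", "*", "ACK", "replies to our calls"),
    ("allow", "in", "*", ">1023", "*", "*", "*", "traffic to nonservers"),
]


def _host(pattern, addr):
    if pattern == "*":
        return True
    if pattern == "our":
        return addr.startswith(OUR_NET)
    return addr == NAMES.get(pattern, pattern)


def _port(pattern, port):
    if pattern == "*":
        return True
    if isinstance(pattern, str) and pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == pattern


def orient(packet):
    """Map (src, sport, dst, dport, flags) to the table's ourhost/theirhost view."""
    src, sport, dst, dport, flags = packet
    if src.startswith(OUR_NET):
        return "out", src, sport, dst, dport, flags
    return "in", dst, dport, src, sport, flags


def filter_packet(rules, packet, default="block"):
    """First matching rule wins; with no match the default policy applies."""
    direction, our, oport, their, tport, flags = orient(packet)
    for action, d, oh, op, th, tp, fl, _comment in rules:
        if (d in ("*", direction) and _host(oh, our) and _port(op, oport)
                and _host(th, their) and _port(tp, tport)
                and (fl == "*" or fl in flags)):
            return action
    return default


# Constructed packets: (src, sport, dst, dport, flags).
MAIL_TO_GW = ("198.51.100.5", 40000, "192.0.2.25", 25, ("SYN",))
MAIL_FROM_SPIGOT = ("203.0.113.66", 40000, "192.0.2.25", 25, ("SYN",))
MAIL_TO_HOST = ("198.51.100.5", 40000, "192.0.2.10", 25, ("SYN",))
PROBE_FROM_25 = ("203.0.113.9", 25, "192.0.2.10", 23, ("SYN",))   # attacker picks source port 25
MAIL_OUT = ("192.0.2.10", 40001, "198.51.100.5", 25, ("SYN",))
MAIL_REPLY = ("198.51.100.5", 25, "192.0.2.10", 40001, ("SYN", "ACK"))
FTP_CONTROL = ("192.0.2.10", 40002, "198.51.100.21", 21, ("SYN",))
FTP_DATA = ("198.51.100.21", 20, "192.0.2.10", 40003, ("SYN",))    # active-mode data connection


def demo():
    return {
        "A: mail to gateway": filter_packet(SET_A + SET_B, MAIL_TO_GW),
        "A: anything from SPIGOT": filter_packet(SET_A + SET_B, MAIL_FROM_SPIGOT),
        "A: mail to other host": filter_packet(SET_A + SET_B, MAIL_TO_HOST),
        "C: probe from source port 25": filter_packet(SET_C + SET_B, PROBE_FROM_25),
        "D: probe from source port 25": filter_packet(SET_D + SET_B, PROBE_FROM_25),
        "D: our mail out": filter_packet(SET_D + SET_B, MAIL_OUT),
        "D: their reply (ACK)": filter_packet(SET_D + SET_B, MAIL_REPLY),
        "E: ftp control out": filter_packet(SET_E + SET_B, FTP_CONTROL),
        "E: ftp data from port 20": filter_packet(SET_E + SET_B, FTP_DATA),
        "E: probe to telnet": filter_packet(SET_E + SET_B, PROBE_FROM_25),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{decision:5s}  {case}")
```

Rule set D stops the source-port-25 probe only because an attacker's opening segment has no ACK bit; a segment forged with ACK set still passes, which is the gap the stateful filter in part 3 closes.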

2) Common attacks on packet-filtering firewalls: IP spoofing, source routing attack, tiny fragment attack.

- IP address spoofing: packets from outside carry a forged (trusted, internal) address in the source field. Countermeasure: discard any packet arriving on the external interface with an internal source address.
- Source routing attack: the attacker specifies the route the packet should take (source routing) so that it avoids the control points. Countermeasure: discard all packets that use the source routing option.
- Tiny fragment attack: the attacker fragments the packet so that the TCP header is split across fragments, defeating rules that depend on TCP header fields. Countermeasure: require the first fragment to contain a minimum amount of the transport header, or discard fragments that do not.

3) Stateless and stateful firewalls. Advantages of a stateful firewall over a stateless firewall.

Stateless firewall: conventional (static) packet filters are stateless.
- Each packet is filtered independently, without reference to any other information.
- When a TCP SYN/ACK segment arrives, the filter cannot tell whether a SYN requesting the connection was sent earlier (a stateful firewall can check this).
- Stateless firewalls cannot handle applications that change ports (for example FTP, which uses port 21 for control and port 20 for data).

Stateful firewall:
- The state of a connection: open or closed; the position of the packet in the exchange; whether the packet belongs to a connection that is currently open.
- Operation: for TCP, the two addresses and port numbers are recorded in a state table with status OK (open).
- By default, connections from inside hosts to outside servers are permitted.
- Subsequent packets exchanged between those hosts on those ports are allowed without detailed examination.
- The entry is removed from the state table when the TCP connection is torn down.
- For UDP, similarly, the two IP addresses and port numbers are recorded in the state table with status OK; the entry is removed on time-out.

Advantages of a stateful firewall over a stateless firewall:
- A stateful firewall understands the state of a packet (whether it belongs to an open connection); a stateless firewall does not.
- A stateless firewall cannot handle applications that change ports.
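The stateful filter described above, next to the stateless ACK-flag rule, as an added example that is not code from the notes. It runs a constructed exchange: a forged SYN/ACK that the stateless rule accepts but the connection table rejects, a normal SMTP connection opened from inside and torn down, and a UDP entry that expires. 192.0.2.0/24 is taken as our network; the other addresses, ports and timestamps are invented, and the TCP close handling is simplified.

```python
"""Stateful packet filter with a connection table, compared with the
stateless ACK-flag rule, on a constructed exchange. Added example, not code
from the page: addresses, ports and timestamps are invented and the TCP
close handling is simplified."""

OUR_NET = "192.0.2."                       # constructed: our network


def inside(addr):
    return addr.startswith(OUR_NET)


def stateless_decide(src, sport, dst, dport, flags=()):
    """Static rule set: our outgoing packets, plus anything with ACK set."""
    if inside(src) or "ACK" in flags:
        return "allow"
    return "block"


class StatefulFilter:
    def __init__(self, udp_timeout=30.0):
        # (src, sport, dst, dport) -> {"proto", "state", "last"}
        self.table = {}
        self.udp_timeout = udp_timeout

    def _expire(self, now):
        stale = [k for k, e in self.table.items()
                 if e["proto"] == "udp" and now - e["last"] > self.udp_timeout]
        for k in stale:
            del self.table[k]

    def decide(self, proto, src, sport, dst, dport, flags=(), now=0.0):
        self._expire(now)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:                       # belongs to a known connection
            entry = self.table[key]
            entry["last"] = now
            if proto == "tcp":
                if "RST" in flags:
                    del self.table[key]
                elif "FIN" in flags:              # second FIN ends the connection
                    if entry["state"] == "closing":
                        del self.table[key]       # simplified: the final ACK of the
                    else:                         # close is not modelled; real filters
                        entry["state"] = "closing"   # keep a short time-wait entry
            return "allow"
        # Unknown connection: only inside hosts may open one (TCP needs a bare SYN).
        if inside(src) and not inside(dst) and (proto == "udp" or set(flags) == {"SYN"}):
            self.table[fwd] = {"proto": proto, "state": "OK", "last": now}
            return "allow"
        return "block"


def scenario():
    fw = StatefulFilter(udp_timeout=30.0)
    out = {}
    # Forged SYN/ACK from outside: no SYN ever left our network.
    spoof = ("tcp", "203.0.113.9", 25, "192.0.2.10", 23, ("SYN", "ACK"))
    out["spoof_stateless"] = stateless_decide(*spoof[1:])
    out["spoof_stateful"] = fw.decide(*spoof, now=0)
    # Legitimate SMTP connection opened from inside, then closed.
    out["open"] = fw.decide("tcp", "192.0.2.10", 40001, "198.51.100.5", 25, ("SYN",), now=1)
    out["synack"] = fw.decide("tcp", "198.51.100.5", 25, "192.0.2.10", 40001, ("SYN", "ACK"), now=2)
    out["data"] = fw.decide("tcp", "192.0.2.10", 40001, "198.51.100.5", 25, ("ACK",), now=3)
    fw.decide("tcp", "192.0.2.10", 40001, "198.51.100.5", 25, ("FIN", "ACK"), now=4)
    fw.decide("tcp", "198.51.100.5", 25, "192.0.2.10", 40001, ("FIN", "ACK"), now=5)
    out["after_close"] = fw.decide("tcp", "198.51.100.5", 25, "192.0.2.10", 40001, ("ACK",), now=60)
    # UDP: the reply is accepted while the entry is fresh, not after the time-out.
    out["dns_query"] = fw.decide("udp", "192.0.2.10", 5353, "198.51.100.53", 53, now=100)
    out["dns_reply"] = fw.decide("udp", "198.51.100.53", 53, "192.0.2.10", 5353, now=110)
    out["dns_late"] = fw.decide("udp", "198.51.100.53", 53, "192.0.2.10", 5353, now=200)
    return out


if __name__ == "__main__":
    for step, decision in scenario().items():
        print(f"{decision:5s}  {step}")
```

The table is keyed on the full 4-tuple in either direction, so the server's reply matches the entry our host created; nothing from outside can create an entry. This model does not yet handle FTP's second connection: a real stateful filter inspects the FTP control channel to learn the data port and adds that expected connection to the table.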
