4 intrusion detection

Upload: getachew

Post on 13-Apr-2018


  • 7/26/2019 4 Intrusion Detection

    1/32

    S. S. Yau, CSE 494/598, Fall 2005

    Intrusion Detection

  • 2/32 Intruders

    Gain hostile or unwanted access to the system.

    Either local or via network

    Varying levels of competence

    May seem benign

    May use compromised system to launch other attacks

    Aim to increase their own privileges on system

  • 3/32 Types of Intruders

    Masquerader: usually an outsider, not authorized to use the system, but penetrates the system through a legitimate user account

    Misfeasor: usually an inside legitimate user who accesses assets not authorized, or is authorized but misuses privileges

    Clandestine user: an insider or outsider who has supervisory access to the system

  • 4/32 Intrusion Techniques

    Basic attack methodology:

      Take possession of target machine and gather unauthorized information

      Obtain initial access

      Escalate privileges

      Remove traces of intrusion

    Main goal is to acquire passwords

  • 5/32 Why Need Intrusion Detection

    Security failures are inevitable

    Need to detect intrusions:

      Blocked if detected quickly

      Act as deterrent

      Collect information to improve security

    Intruder behaves differently from legitimate user

    Hackers are constantly trying to penetrate into network and systems: Script Kiddies, Self Sponsored, State Sponsored, Terrorist Sponsored

    Data within organization is often more important than the network itself: Commerce, Government, Business, and Academia

  • 6/32 Intrusion Detection System

    Types of IDS:

      Host-based IDS

      Network-based IDS

  • 7/32 Host-based IDS

    Use OS auditing mechanisms, e.g., logs of all direct or indirect events generated by a user

    Monitor user activities, e.g., analyze shell commands

    Monitor executions of system programs, e.g., analyze system calls made by sendmail

    Involve looking at:

      communications in and out of a machine

      integrity of system files

      processes running

  • 8/32 Examples of Host-based IDS

    Black Ice (http://www.networkice.com): Windows Operating System

    Zone Alarm (http://www.zonealarm.com): Windows Operating System

    Internet Security Systems (ISS) RealSecure (http://www.iss.net): Windows and Unix Operating System

    Linux Intrusion Detection Systems (LIDS) (http://www.lids.org): Linux Operating System

  • 9/32 Strengths and Drawbacks of Host-based IDS

    Strengths:

      Easy attack identification

      Can monitor key components

      Near real-time detection and response

      No additional hardware needed

    Drawbacks:

      The type of information that needs to be logged is a matter of experience.

      Unselective logging of messages may greatly increase audit and analysis burdens.

      Selective logging carries the risk that attack manifestations are missed.

  • 10/32 Network-based IDS

    Deploy special sensors at strategic locations, e.g., packet sniffing via tcpdump at routers

    Inspect network traffic: watch for violations of protocols and unusual connection patterns

    Monitor user activities: look into data portions of packets for malicious command sequences

    Look at packets for some sort of signature as they pass a sensor

  • 11/32 Common Network Signs of Intrusion Detection

    String: Look for a text string that indicates a possible attack.

    Port: Watch for connection attempts to well-known, frequently attacked ports.

    Header: Look for dangerous or illogical combinations of packets and headers. The most famous example is Winnuke, where a packet is destined for a NetBIOS port and the Urgent pointer, or Out Of Band pointer, is set. This resulted in the "blue screen of death" for Windows systems.
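The three signs on this slide as detection checks run over constructed packet records (an added example, not code from the lecture or from any IDS product): the string pattern, the watched-port list and the 192.0.2.0/24 addresses are assumed sample values, and the WinNuke check is the header rule the slide describes (URG flag on a segment to the NetBIOS session port).

```python
"""Per-packet checks for the slide's three network signs (string, port, header)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()   # TCP flag names, e.g. frozenset({"SYN", "ACK"})
    payload: bytes = b""


NETBIOS_SESSION_PORT = 139  # NetBIOS session service, the port WinNuke packets were sent to

# Assumed sample of "well-known, frequently attacked" ports; the slide names none.
WATCHED_PORTS = frozenset({21, 23, 139, 445})


def string_sign(pkt, pattern=b"/etc/passwd"):
    """String sign: a text string in the data portion that suggests an attack.

    The default pattern is a constructed example, not a signature from the slide."""
    return f"string:{pattern.decode()}" if pattern in pkt.payload else None


def port_sign(pkt):
    """Port sign: a connection attempt (SYN without ACK) to a watched port."""
    if (pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags
            and pkt.dport in WATCHED_PORTS):
        return f"port:{pkt.dport}"
    return None


def header_sign(pkt):
    """Header sign: WinNuke, out-of-band data (URG flag set) to the NetBIOS port."""
    if pkt.proto == "tcp" and pkt.dport == NETBIOS_SESSION_PORT and "URG" in pkt.flags:
        return "header:winnuke"
    return None


SIGNS = (string_sign, port_sign, header_sign)


def check(pkt):
    """Apply every sign to one packet; return the list of alert labels (may be empty)."""
    return [label for label in (sign(pkt) for sign in SIGNS) if label is not None]


def scan(packets):
    """Return {packet index: alert labels} for the packets that matched a sign."""
    hits = {}
    for i, pkt in enumerate(packets):
        alerts = check(pkt)
        if alerts:
            hits[i] = alerts
    return hits


def sample_traffic():
    """Constructed packets (192.0.2.0/24 is a documentation address range)."""
    syn = frozenset({"SYN"})
    data = frozenset({"ACK", "PSH"})
    oob = frozenset({"ACK", "PSH", "URG"})
    return [
        Packet("192.0.2.10", 80, flags=syn),                                              # ordinary web SYN
        Packet("192.0.2.10", 80, flags=data, payload=b"GET /index.html HTTP/1.0\r\n"),    # ordinary request
        Packet("192.0.2.11", 80, flags=data, payload=b"GET /../../etc/passwd HTTP/1.0\r\n"),  # string sign
        Packet("192.0.2.12", 23, flags=syn),                                              # telnet attempt: port sign
        Packet("192.0.2.13", 139, flags=oob, payload=b"\x00"),                            # URG to NetBIOS: header sign
        Packet("192.0.2.14", 139, flags=syn),                                             # NetBIOS SYN: port sign only
    ]


if __name__ == "__main__":
    for idx, alerts in scan(sample_traffic()).items():
        print(idx, alerts)
```

Note that the NetBIOS SYN in the last packet trips only the port sign: the header sign needs the URG flag, which is what separates a plain connection attempt from the WinNuke pattern.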

  • 12/32 Some Examples of Network-based IDS

    Internet Security Systems (ISS) RealSecure (http://www.iss.net): Windows and Unix Operating System

    Snort (http://www.snort.org): Open Source; Windows and Unix Operating System

    Cisco NetRanger (http://www.cisco.com): Unix Based Appliance Intrusion Detection System

  • 13/32 Strengths and Drawbacks of Network-based IDS

    Strengths:

      Cost of ownership reduced

      Packet analysis feasible

      Real-time detection and response

      Malicious intent detection before real intrusion happens

      Operating system independence

    Drawbacks:

      Packets can be lost on flooded networks; reassembled packets could be incorrect and trigger a false alarm

      Cannot handle encrypted data

      Depending on architecture:

        High false positives

        Configuration needs expertise

        Privacy compromised

  • 14/32 Hybrid of Network-based and Host-based IDS

    [Figure: network diagram with three NIDS sensors, three HIDS-monitored hosts, and the Internet connection]

  • 15/32 Intrusion Detection Techniques

    Profile-based

    Signature-based:

      Rule-based

      State Transition Analysis

      Pattern Matching

  • 16/32 ID Techniques: Profile-based

    Profile: identification of subjects and their normal behavior

    Subject: a user account, a service, a group, or a network domain, etc.

    Approaches:

      Intrusion Detection Expert System (IDES)

      Wisdom and Sense (W & S)

      Specification-based

    Advantages: easy to implement; capable of detecting new intrusion scenarios

    Disadvantage: high false alarms

  • 17/32 ID Techniques: Signature-based

    Find specific event sequences (signatures) by scanning system activities

    Event: a generic system activity, such as deleting a file, sending an e-mail

    Types:

      Rule-based

      State-transition analysis

      Pattern matching

    Can detect known intrusion patterns efficiently, but not unknown intrusion patterns and variants of intrusion signatures.

  • 18/32 Rule-based Intrusion Detection

    Based on expert system

    Most basic signature-based IDS

    If condition, then action

      Condition specifies constraints on audit record

      Action specifies action to be taken if condition is satisfied.

  • 19/32 Rule-based Intrusion Detection (cont.)

    Observe events happening on system

    Apply rules to decide if activity is suspicious

    Rule-based Anomaly Detection:

      Generating rules involves analysis of audit data and identification of usage patterns

      Observe current data and match against rules to see if it conforms to abnormal behavior

      Example: If a server finds that 60% of the packets received are Internet Control Message Protocol (ICMP) echo requests from diverse sources, it may be regarded as a DoS attack. Rule: Percentage of echo requests in ICMP >= 60% => DoS attack happens
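The rule on this slide as executable rule-based anomaly detection (an added example, not from the lecture): the 60% threshold and the "diverse sources" condition are the slide's; min_sources, min_icmp and the sample traffic are this example's assumptions, added so that a few ordinary pings cannot fire the rule.

```python
"""The slide's ICMP echo-request rule as executable rule-based anomaly detection."""
from collections import Counter

ECHO_REQUEST = 8  # ICMP type 8 = echo request (ping); type 0 = echo reply


def icmp_echo_stats(packets):
    """Return (share of echo requests among ICMP packets, distinct echo-request sources)."""
    icmp = [p for p in packets if p["proto"] == "icmp"]
    if not icmp:
        return 0.0, 0
    echo = [p for p in icmp if p["type"] == ECHO_REQUEST]
    return len(echo) / len(icmp), len({p["src"] for p in echo})


def dos_rule(packets, threshold=0.60, min_sources=5, min_icmp=20):
    """IF percentage of echo requests in ICMP >= threshold, from diverse sources, THEN DoS.

    threshold and the diverse-sources condition are the slide's; min_sources and min_icmp
    are assumed guards so that a handful of ordinary pings does not satisfy the rule."""
    icmp_count = sum(1 for p in packets if p["proto"] == "icmp")
    if icmp_count < min_icmp:
        return None                      # too little ICMP to apply the rule at all
    share, sources = icmp_echo_stats(packets)
    if share >= threshold and sources >= min_sources:
        return {"rule": "icmp_echo_flood", "share": round(share, 2), "sources": sources}
    return None


def top_sources(packets, n=3):
    """Most frequent echo-request sources, for the "action" side of the rule (e.g. rate limiting)."""
    c = Counter(p["src"] for p in packets
                if p["proto"] == "icmp" and p["type"] == ECHO_REQUEST)
    return c.most_common(n)


# Constructed samples; 198.51.100.0/24 and 203.0.113.0/24 are documentation address ranges.
def flood_sample():
    """30 echo requests from 30 hosts, 5 echo replies, 10 TCP packets."""
    echo = [{"proto": "icmp", "type": ECHO_REQUEST, "src": f"198.51.100.{i}"} for i in range(1, 31)]
    replies = [{"proto": "icmp", "type": 0, "src": "203.0.113.5"}] * 5
    tcp = [{"proto": "tcp", "type": None, "src": "203.0.113.9"}] * 10
    return echo + replies + tcp


def single_source_sample():
    """25 echo requests from one host: the share is 100% but the sources are not diverse."""
    return [{"proto": "icmp", "type": ECHO_REQUEST, "src": "203.0.113.7"}] * 25


def quiet_sample():
    """A few pings and their replies: too little ICMP for the rule to apply."""
    return ([{"proto": "icmp", "type": ECHO_REQUEST, "src": "203.0.113.8"}] * 4
            + [{"proto": "icmp", "type": 0, "src": "203.0.113.8"}] * 4)


if __name__ == "__main__":
    for name, sample in (("flood", flood_sample()), ("single", single_source_sample()),
                         ("quiet", quiet_sample())):
        print(name, dos_rule(sample), top_sources(sample, 1))
```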

  • 20/32 Strengths and Drawbacks of Rule-based Intrusion Detection

    Strengths:

      The inference engine is simple

      The system is powerful at detecting the intrusions specified in those rules

      Easy to implement

    Limitations:

      Direct dependence on audit records.

      Rules are created using audit records of known penetrations.

      Slight variations in attacks could leave a penetration undetected.

      If someone changes the audit trail, the penetration is not detected.

      Difficult for distributed processing

  • 21/32 State Transition Analysis

    State is a snapshot of the system with all the volatile and permanent memory locations.

      State represents some attribute of the system, not the whole system state

      State is generic, e.g., user is root now

    Transition is an action that will make the state change.

    Penetration is viewed as a sequence of actions performed by an attacker that leads from an initial state to a compromised (insecure) state.

      Penetration sequence represented by a finite state machine: node is a state; arc is an action (or transition)

    Signature actions are a sequence of identified actions which will trigger a transition from one state to another.

  • 22/32 State Transition Analysis (cont.)

    Information retrieved from audit data is represented graphically in a State Transition Diagram

    As actions of an intrusion are completed one by one, the target machine changes from one state to another when a certain action is performed. When the machine changes from some normal state to a compromised state, an intrusion is detected and reported.

  • 23/32 Strengths and Drawbacks of State Transition Analysis

    Strengths:

      State Transition Analysis identifies a number of signature actions and represents them visually.

      State Transition Diagram identifies precisely the requirements and penetrations: the list of actions that must occur for completion of the penetration.

      Provides efficient reasoning support.

    Drawbacks:

      It cannot represent complex intrusion scenarios.

  • 24/32 Covered so far in class on September 14, 2005

  • 25/32 Pattern Matching Approach

    Each intrusion signature is represented as a Petri net

    A Petri net is a graphical and mathematical modeling tool. It consists of places, transitions, and arcs that connect them. Input arcs connect places with transitions, while output arcs start at a transition and end at a place.

    Has strong expressive power (Reference: James L. Peterson, Petri Net Theory and the Modeling of Systems)

  • 26/32 Pattern Matching Approach (cont.)

    Characteristics of patterns used to model attacks:

      Linearity: Specifies a sequence of events comprising the signature pattern, which is a sequence of events without conjunction and disjunction.

      Unification: Instantiates variables to earlier events and matches these events to later occurring events.

      Occurrence: Specifies the relative placement in time of an event with respect to the previous events.

      Beginning: Specifies the absolute time of match of the beginning of a pattern.

      Duration: Specifies constraints on the time duration for which the event must be active.

    Reference: S. Kumar, E. H. Spafford, An Application of Pattern Matching in Intrusion Detection, http://www.csee.umbc.edu/cadip/docs/NetworkIntrusion/pattern.pdf

  • 27/32 Pattern Matching Approach (cont.)

    Use Petri nets to capture:

      Each signature corresponds to a particular Petri net automaton

      Nodes represent tokens; edges represent transitions

      Final state of signature is a compromised state

    Generate an intrusion pattern:

      1. Identify existence of files or other entities created by an attacker

      2. Identify a sequence of events

      3. Identify two or more sequences of events under temporal relation

      4. Identify duration of events

      5. Identify interval of events
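A matcher for the Petri-net signatures described on these slides, which also serves the State Transition Analysis slides above, since a place holding a token is exactly a state of the state transition diagram and the final place is the compromised state (an added example, not code from the lecture or from the Kumar-Spafford paper). It shows linearity, unification (variables bound by an earlier event must match later events) and a duration constraint; the brute-force login pattern and the audit trails are constructed.

```python
"""Petri-net style signature matcher with unification and a duration constraint."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    time: float
    kind: str   # audit event name, e.g. "login_fail" or "login_ok"
    user: str

@dataclass
class Token:
    place: str
    bindings: dict              # variables unified so far
    start: "float | None"       # time of the first event this partial match consumed

class Signature:
    """Linear signature: places joined by (src, dst, guard) transitions; final = compromised.
    A guard gets the event and the token's bindings and returns the bindings to add
    (possibly {}) when the transition fires, or None when it does not."""

    def __init__(self, start, final, transitions, max_duration=None):
        self.start, self.final = start, final
        self.transitions, self.max_duration = transitions, max_duration
        # The start place always holds a token, so any event may begin a new partial match.
        self.tokens = [Token(start, {}, None)]

    def feed(self, ev):
        """Advance every token on one event; return bindings of the matches completed."""
        matches, survivors = [], []
        for tok in self.tokens:
            # Duration constraint: a partial match older than max_duration is discarded.
            if (tok.start is not None and self.max_duration is not None
                    and ev.time - tok.start > self.max_duration):
                continue
            fired = False
            for src, dst, guard in self.transitions:
                new = guard(ev, tok.bindings) if src == tok.place else None
                if new is None:
                    continue
                moved = Token(dst, {**tok.bindings, **new},
                              ev.time if tok.start is None else tok.start)
                if dst == self.final:
                    matches.append(moved.bindings)
                else:
                    survivors.append(moved)
                fired = True
            # A token that did not fire stays where it is; the start token never leaves.
            if not fired or tok.place == self.start:
                survivors.append(tok)
        self.tokens = survivors
        return matches

def first_failure(ev, bindings):
    """Unification: the first failed login binds the variable "user"."""
    return {"user": ev.user} if ev.kind == "login_fail" else None

def same_user(kind):
    """Later events must unify with the user bound by the first one."""
    return lambda ev, b: {} if ev.kind == kind and ev.user == b["user"] else None

def brute_force_signature(max_duration=60.0):
    """Constructed pattern: three failed logins then a success for one user inside the window."""
    return Signature("s0", "compromised", [
        ("s0", "s1", first_failure),
        ("s1", "s2", same_user("login_fail")),
        ("s2", "s3", same_user("login_fail")),
        ("s3", "compromised", same_user("login_ok")),
    ], max_duration)

def detect(events, max_duration=60.0):
    """Run the signature over an audit trail; return (time, user) per completed match."""
    sig = brute_force_signature(max_duration)
    return [(ev.time, b["user"]) for ev in events for b in sig.feed(ev)]

# Constructed audit trails: alice's failures interleave with bob's; carol's are spread out.
SAMPLE = [Event(1, "login_fail", "alice"), Event(2, "login_fail", "bob"),
          Event(3, "login_fail", "alice"), Event(4, "login_fail", "alice"),
          Event(5, "login_ok", "bob"), Event(6, "login_ok", "alice")]
SLOW = [Event(100, "login_fail", "carol"), Event(101, "login_fail", "carol"),
        Event(102, "login_fail", "carol"), Event(200, "login_ok", "carol")]
```

With the 60-second window, carol's trail produces no match because the partial match that started at time 100 is discarded before her success at 200; with no duration limit it does.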

  • 28/32 Strengths and Drawbacks of Pattern Matching Approach

    Strengths:

      Rule-based sequential patterns detect anomalous activities that are difficult to detect using traditional methods.

      Systems built using this model are highly adaptive to changes by users; if a new pattern is found, it is easier to define it by a Petri net.

      Anomalous activities are detected and reported within seconds of receiving audit events.

    Drawbacks:

      Requires experience to generate rules

      Difficult to verify the completeness of the set of rules

  • 29/32 Intrusion Assessment

    Activities:

      Collecting information about intrusions by analyzing a large amount of audit data from various network nodes

      Checking network configuration information

      Talking to users

      Querying other security tools, such as firewalls, authentication servers, etc.

  • 30/32 Intrusion Assessment (cont.)

    Results generated by IDS can be categorized in three levels:

      Data: measurement and observation from audit data and network traffic.

      Information: data organized to represent primary intrusion detection results derived directly from audit data or network traffic

      Knowledge: information explained and understood in terms of the intrusion identity, intrusion rate, threat, intrusion scope, etc.

  • 31/32 Intrusion Assessment (cont.)

    Information fusion techniques (Bayesian network, heuristic methods, artificial intelligence techniques, etc.) to analyze all kinds of information, including intrusion detection results, audit data, etc., distributed across computer networks.

  • 32/32 Challenges of Intrusion Assessment

    Large volume of distributed data.

    Heterogeneous network systems.

    Deep understanding of operating systems and networks.

    Diverse activities, difficult to formalize

    Tedious, time-consuming, error-prone, long learning curve