4 intrusion detection
TRANSCRIPT
-
7/26/2019 4 Intrusion Detection
1/32
S. S. Yau, CSE 494/598, Fall 2005
Intrusion Detection
-
Intruders
Gain hostile or unwanted access to the system
Either local or via network
Varying levels of competence
May seem benign
May use compromised system to launch other attacks
Aim to increase their own privileges on system
-
Types of Intruders
Masquerader: usually an outsider, not authorized to use the system, who penetrates it through a legitimate user's account
Misfeasor: usually an insider, a legitimate user who accesses assets for which access is not authorized, or who is authorized but misuses the privileges
Clandestine user: an insider or outsider who seizes supervisory control of the system and can use it to evade auditing and access controls
-
Intrusion Techniques
Basic attack methodology
Take possession of target machine and gather unauthorized information
Obtain initial access
Escalate privileges
Remove traces of intrusion
A common goal is to acquire passwords
-
Why Need Intrusion Detection
Security failures are inevitable
Need to detect intrusions
Blocked if detected quickly
Act as deterrent
Collect information to improve security
Intruder behaves differently from legitimate user
Hackers are constantly trying to penetrate networks and systems
Script kiddies, self-sponsored, state-sponsored, terrorist-sponsored
Data within an organization is often more important than the network itself
Commerce, government, business, and academia
-
Intrusion Detection System
Types of IDS
Host-based IDS
Network-based IDS
-
Host-based IDS
Use OS auditing mechanisms
e.g., log all direct or indirect events generated by a user
Monitor user activities
e.g., analyze shell commands
Monitor executions of system programs
e.g., analyze system calls made by sendmail
Involve looking at
communications in and out of a machine
integrity of system files
processes running
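Added example (not from the lecture slides): the "integrity of system files" check above, as a host-based monitor would implement it. A baseline of digests, sizes and permission bits is recorded for every regular file under a root, and a later pass reports files that were modified, added or removed. The directory layout, file contents and the simulated intrusion are constructed in a temporary directory so the example runs stand-alone; symlinks are deliberately skipped so a planted link cannot redirect the monitor.

```python
"""File-integrity check of the kind a host-based IDS runs over system files.
Added example; the sample tree and intrusion below are constructed."""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Return (sha256 hex digest, size, permission bits) for one regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))


def build_baseline(root):
    """Walk root and fingerprint every regular file, keyed by relative path.
    Symlinks are skipped: following them would let an attacker point the
    monitor at a file of their choosing."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            baseline[os.path.relpath(path, root)] = fingerprint(path)
    return baseline


def compare(baseline, current):
    """Diff two baselines; returns sorted lists keyed by kind of change."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake /etc and /var/log, then simulate an
    intruder adding a uid-0 account, planting a setuid shell and wiping a log."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "var/log"))
        with open(os.path.join(root, "etc/passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "var/log/auth.log"), "w") as f:
            f.write("login ok\n")
        baseline = build_baseline(root)

        # Simulated intrusion (constructed, not real system changes).
        with open(os.path.join(root, "etc/passwd"), "a") as f:
            f.write("toor:x:0:0::/:/bin/sh\n")
        planted = os.path.join(root, "etc/.sh")
        with open(planted, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(planted, 0o4755)
        os.remove(os.path.join(root, "var/log/auth.log"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline itself is the weak point of this approach: it must be stored off-host or signed, since an intruder who can edit system files can usually edit a baseline kept beside them.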
-
Examples of Host-based IDS
BlackICE (http://www.networkice.com) Windows operating system
ZoneAlarm (http://www.zonealarm.com) Windows operating system
Internet Security Systems (ISS) RealSecure (http://www.iss.net) Windows and Unix operating systems
Linux Intrusion Detection System (LIDS) (http://www.lids.org) Linux operating system
7/26/2019 4 Intrusion Detection
9/32
S. S. YauS. S. Yau CSE 494/598, Fall 2005CSE 494/598, Fall 2005 99
Strengths and DrawbacksStrengths and Drawbacks
of Hostof Host--based IDSbased IDSStrengths:Strengths: Easy attack identificationEasy attack identification
Can monitor key componentsCan monitor key components
Near realNear real--time detection and response.time detection and response.
No additional hardware neededNo additional hardware needed
Drawbacks:Drawbacks: Type of information needed to be logged in is a matterType of information needed to be logged in is a matter
of experience.of experience.
Unselective logging of messages may greatly increaseUnselective logging of messages may greatly increaseaudit and analysis burdens.audit and analysis burdens.
Selective logging has risk that attack manifestations beSelective logging has risk that attack manifestations be
missed.missed.
-
Network-based IDS
Deploy special sensors at strategic locations
e.g., packet sniffing via tcpdump at routers
Inspect network traffic
Watch for violations of protocols and unusual connection patterns
Monitor user activities
Look into data portions of packets for malicious command sequences
Look at packets for some sort of signature as they pass a sensor
-
Common Network Signs of Intrusion
String: look for a text string that indicates a possible attack.
Port: watch for connection attempts to well-known, frequently attacked ports.
Header: look for dangerous or illogical combinations of packets and headers. The most famous example is WinNuke, where a packet is destined for a NetBIOS port and the Urgent pointer, or Out Of Band pointer, is set. This resulted in the "blue screen of death" for Windows systems.
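Added example (not from the lecture slides): the three signature classes above, string, port and header, applied to a constructed batch of decoded packets. The packet records are plain dicts as some capture layer might produce them; the field names, the signature tables and the sample traffic are assumptions made for this example. The header rule is the WinNuke case from the slide: TCP urgent (out-of-band) data sent to NetBIOS port 139.

```python
"""String, port and header signature matching over decoded packets.
Added example; packet format and sample traffic are constructed."""

# Port signatures: connection attempts to frequently attacked services.
WELL_KNOWN_ATTACKED_PORTS = {23: "telnet", 139: "netbios-ssn", 445: "smb", 1433: "mssql"}

# String signatures: byte patterns in the payload that indicate a possible attack.
STRING_SIGNATURES = {
    b"/bin/sh": "shell spawn in payload",
    b"../../": "directory traversal",
}

TCP_SYN = 0x02  # flag bits in the TCP flags byte
TCP_ACK = 0x10
TCP_URG = 0x20


def match_string(pkt):
    payload = pkt.get("payload", b"")
    return [desc for pat, desc in STRING_SIGNATURES.items() if pat in payload]


def match_port(pkt):
    """Connection attempt (SYN without ACK) to a frequently attacked port."""
    flags = pkt.get("flags", 0)
    syn_only = bool(flags & TCP_SYN) and not (flags & TCP_ACK)
    if pkt.get("proto") == "tcp" and syn_only and pkt["dport"] in WELL_KNOWN_ATTACKED_PORTS:
        svc = WELL_KNOWN_ATTACKED_PORTS[pkt["dport"]]
        return [f"connection attempt to {svc}/{pkt['dport']}"]
    return []


def match_header(pkt):
    """Illogical header combination: urgent/out-of-band data to the NetBIOS
    session port (the WinNuke pattern)."""
    if pkt.get("proto") == "tcp" and pkt["dport"] == 139 and pkt.get("flags", 0) & TCP_URG:
        return ["WinNuke: URG/OOB data to NetBIOS port 139"]
    return []


def inspect(packets):
    """Run every signature class over each packet; return (index, alert) pairs."""
    alerts = []
    for i, pkt in enumerate(packets):
        for alert in match_string(pkt) + match_port(pkt) + match_header(pkt):
            alerts.append((i, alert))
    return alerts


# Constructed traffic sample (not a real capture).
SAMPLE = [
    {"proto": "tcp", "src": "10.0.0.5", "dport": 80, "flags": 0x18, "payload": b"GET /index.html"},
    {"proto": "tcp", "src": "10.0.0.9", "dport": 139, "flags": 0x18 | TCP_URG, "payload": b"x"},
    {"proto": "tcp", "src": "10.0.0.9", "dport": 23, "flags": TCP_SYN, "payload": b""},
    {"proto": "tcp", "src": "10.0.0.7", "dport": 80, "flags": 0x18, "payload": b"GET /../../etc/passwd"},
    {"proto": "tcp", "src": "10.0.0.7", "dport": 8080, "flags": 0x18, "payload": b"cmd=/bin/sh"},
]

if __name__ == "__main__":
    for idx, alert in inspect(SAMPLE):
        print(idx, alert)
```

Per-packet matching like this is what makes string signatures cheap to evade: split the pattern across two TCP segments and neither packet matches. A production sensor reassembles streams before matching, which is the reassembly cost (and false-alarm source) listed among the drawbacks later.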
-
Some Examples of Network-based IDS
Internet Security Systems (ISS) RealSecure (http://www.iss.net) Windows and Unix operating systems
Snort (http://www.snort.org) Open source, Windows and Unix operating systems
Cisco NetRanger (http://www.cisco.com) Unix-based appliance intrusion detection system
Strengths and Drawbacks of Network-based IDS
Strengths:
Cost of ownership reduced
Packet analysis feasible
Real-time detection and response
Malicious intent detection before real intrusion happens
Operating system independence
Drawbacks:
Packets can be lost on flooded networks; incorrectly reassembled packets can trigger false alarms
Cannot handle encrypted data
Effectiveness depends on network architecture
High false-positive rate
Configuration needs expertise
Privacy compromised
-
Hybrid of Network-based and Host-based IDS
[Diagram: NIDS sensors placed on the network segments between the Internet and the internal hosts, with HIDS agents running on the individual hosts]
-
Intrusion Detection Techniques
Profile-based
Signature-based
Rule-based
State transition analysis
Pattern matching
-
ID Techniques
Profile-based
Profile: identification of subjects and their normal behavior
Subject: a user account, a service, a group, or a network domain, etc.
Approaches:
Intrusion Detection Expert System (IDES)
Wisdom and Sense (W & S)
Specification-based
Advantages: easy to implement; capable of detecting new intrusion scenarios
Disadvantage: high false alarms
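Added example (not from the lecture slides): a statistical profile-based detector of the kind the slide describes. For each subject it learns the mean and standard deviation of one metric from a training window, then flags an observation that lies more than k standard deviations from that subject's own normal. The subjects, the metric (failed logins per hour) and the training numbers are constructed for this example; the standard-deviation floor is a common practical addition that keeps very regular subjects from alarming on tiny changes, one source of the high false-alarm rate noted above.

```python
"""Profile-based (statistical anomaly) detection per subject.
Added example; subjects, metric and training data are constructed."""
import math
from collections import defaultdict


def build_profiles(training):
    """training: iterable of (subject, value). Returns subject -> (mean, stdev)."""
    samples = defaultdict(list)
    for subject, value in training:
        samples[subject].append(value)
    profiles = {}
    for subject, vals in samples.items():
        mean = sum(vals) / len(vals)
        var = sum((v - mean) ** 2 for v in vals) / len(vals)
        profiles[subject] = (mean, math.sqrt(var))
    return profiles


def score(profiles, subject, value, k=3.0, floor=1.0):
    """Return (is_anomalous, z). An unknown subject has no normal to compare
    against and is reported; the floor bounds the divisor from below."""
    if subject not in profiles:
        return True, float("inf")
    mean, sd = profiles[subject]
    z = abs(value - mean) / max(sd, floor)
    return z > k, z


# Constructed training data: failed logins per hour observed over a few days.
TRAINING = [("alice", v) for v in [0, 1, 0, 2, 1, 0, 1, 1]] + \
           [("svc-backup", v) for v in [0, 0, 0, 0, 0, 0, 0, 0]]


def demo():
    """Score a few constructed observations against the learned profiles."""
    profiles = build_profiles(TRAINING)
    return {
        "alice_normal": score(profiles, "alice", 2)[0],    # within her usual range
        "alice_burst": score(profiles, "alice", 40)[0],    # password-guessing burst
        "svc_small": score(profiles, "svc-backup", 2)[0],  # floor absorbs this
        "svc_burst": score(profiles, "svc-backup", 15)[0],
        "unknown": score(profiles, "mallory", 1)[0],       # no profile at all
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats follow directly from the model: an intruder who stays inside the learned band is invisible, and an intruder active during the training window is learned as normal, so training data must itself be vetted.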
-
ID Techniques
Signature-based
Find specific event sequences (signatures) by scanning system activities
Event: a generic system activity, such as deleting a file, sending an e-mail
Types:
Rule-based
State-transition analysis
Pattern matching
Can detect known intrusion patterns efficiently, but not unknown intrusion patterns and variants of intrusion signatures.
-
Rule-based Intrusion Detection
Based on expert system
Most basic signature-based IDS
If condition, then action
Condition specifies constraints on audit record
Action specifies action to be taken if condition is satisfied.
-
Rule-based Intrusion Detection (cont.)
Observe events happening on system
Apply rules to decide if activity is suspicious
Rule-based Anomaly Detection:
Generating rules involves analysis of audit data and identification of usage patterns
Observe current data and match against rules to see if it matches abnormal behavior
Example: If a server finds that 60% of the packets received are Internet Control Message Protocol (ICMP) echo requests from diverse sources, it may be regarded as a DoS attack. Rule:
If percentage of echo requests in ICMP >= 60%, then DoS attack happens
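Added example (not from the lecture slides): the "if condition, then action" form above as a small rule engine evaluated over a sliding window of packet records. The first rule is the slide's example, echo requests making up at least 60% of the window and coming from many distinct sources; the second, a SYN scan from one source, is added to show that rules are independent predicates over the same window. The record format, window size, source-diversity threshold and the constructed traffic are assumptions for this example.

```python
"""Rule-based detection: rules as (condition, action) over a packet window.
Added example; record fields and traffic sample are constructed."""
from collections import defaultdict

TCP_SYN = 0x02


class Rule:
    def __init__(self, name, condition, action):
        self.name, self.condition, self.action = name, condition, action


def icmp_echo_flood(window, threshold=0.60, min_sources=5):
    """Condition: share of ICMP echo requests (type 8) >= threshold and the
    requests come from at least min_sources distinct addresses."""
    if not window:
        return False
    echo = [p for p in window if p["proto"] == "icmp" and p.get("type") == 8]
    diverse = len({p["src"] for p in echo}) >= min_sources
    return len(echo) / len(window) >= threshold and diverse


def syn_scan(window, min_ports=10):
    """Condition: one source sends SYNs to at least min_ports distinct ports."""
    ports = defaultdict(set)
    for p in window:
        if p["proto"] == "tcp" and p.get("flags", 0) & TCP_SYN:
            ports[p["src"]].add(p["dport"])
    return any(len(s) >= min_ports for s in ports.values())


RULES = [
    Rule("icmp-echo-dos", icmp_echo_flood, lambda w: "possible DoS: ICMP echo flood"),
    Rule("syn-scan", syn_scan, lambda w: "port scan: many SYNs from one source"),
]


def evaluate(records, window_size=20):
    """Slide a fixed-size window over the stream and fire every rule whose
    condition holds; returns (window_end_index, rule_name, message) tuples."""
    alerts = []
    for end in range(window_size, len(records) + 1):
        window = records[end - window_size:end]
        for rule in RULES:
            if rule.condition(window):
                alerts.append((end, rule.name, rule.action(window)))
    return alerts


def constructed_stream():
    """Constructed traffic: normal TCP, then an echo flood, then a SYN scan."""
    normal = [{"proto": "tcp", "src": "10.0.0.1"} for _ in range(20)]
    flood = [{"proto": "icmp", "type": 8, "src": f"198.51.100.{i}"} for i in range(14)] + \
            [{"proto": "tcp", "src": "10.0.0.2"} for _ in range(6)]
    scan = [{"proto": "tcp", "src": "10.0.0.9", "dport": 1 + i, "flags": TCP_SYN}
            for i in range(20)]
    return normal + flood + scan


if __name__ == "__main__":
    for alert in evaluate(constructed_stream()):
        print(alert)
```

The same rule fires on every window in which the condition holds, so a real engine deduplicates alerts per rule and source; and since both conditions are computed from whatever the sensor saw, an attacker who can drop or forge packets feeding the sensor can push the ratio either way, which is the "direct dependence on audit records" limitation on the next slide.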
-
Strengths and Drawbacks of Rule-based Intrusion Detection
Strengths:
The inference engine is simple
The system is powerful at detecting intrusions specified in those rules
Easy to implement
Limitations:
Direct dependence on audit records.
Rules are created using audit records of known penetrations.
Slight variations in attacks could leave a penetration undetected.
If someone changes the audit trail, the penetration is not detected.
Difficult for distributed processing
-
State Transition Analysis
State is a snapshot of the system with all the volatile and permanent memory locations.
In the analysis, a state represents some attribute of the system, not the whole system state
State is generic, e.g., "user is root now"
Transition is an action that changes the state.
Penetration is viewed as a sequence of actions performed by an attacker that leads from an initial state to a compromised (insecure) state.
Penetration sequence represented by finite state machine
node is a state
arc is an action (or transition)
Signature actions are a sequence of identified actions which will trigger transition from one state to another.
-
State Transition Analysis (cont.)
Information retrieved from audit data is represented graphically in a State Transition Diagram
As actions of an intrusion are completed one by one, the target machine changes from one state to another when a certain action is performed. When the machine changes from some normal state to a compromised state, an intrusion is detected and reported
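Added example (not from the lecture slides): state transition analysis over a constructed audit trail. The penetration is a finite state machine whose nodes are partial system states ("a copy of the shell exists in /tmp", "it is setuid", "user is root now") and whose arcs are signature actions with guards. One machine runs per subject, it advances only on an action satisfying the current arc's guard, ignores everything else (so interleaved legitimate activity does not reset it), and reaching the final node reports an intrusion. The audit-record format and the three-step scenario are schematic assumptions for this example; the flaw that actually yields a root euid is abstracted into the last guard.

```python
"""State transition analysis: one guarded FSM per subject over audit records.
Added example; record format and scenario are constructed."""

# Signature actions as guards. Each guard receives (event, ctx); ctx carries
# attributes bound by earlier arcs, here the path of the planted file.
def copied_shell(ev, ctx):
    if ev["op"] == "copy" and ev["src"] == "/bin/sh" and ev["dst"].startswith("/tmp/"):
        ctx["file"] = ev["dst"]
        return True
    return False


def made_setuid(ev, ctx):
    return ev["op"] == "chmod" and ev["path"] == ctx.get("file") and bool(ev["mode"] & 0o4000)


def exec_as_root(ev, ctx):
    # "user is root now": the planted file runs with euid 0 for a non-root user.
    return (ev["op"] == "exec" and ev["path"] == ctx.get("file")
            and ev["euid"] == 0 and ev["uid"] != 0)


# Arcs of the penetration diagram, in order; the last arc enters COMPROMISED.
PENETRATION = [
    ("S0->S1", copied_shell),
    ("S1->S2", made_setuid),
    ("S2->COMPROMISED", exec_as_root),
]


def analyze(trail):
    """Return (uid, event_index) for every machine that reached the final state."""
    machines = {}   # uid -> (index of next arc, bound attributes)
    detections = []
    for i, ev in enumerate(trail):
        state, ctx = machines.setdefault(ev["uid"], (0, {}))
        _name, guard = PENETRATION[state]
        if guard(ev, ctx):
            state += 1
            if state == len(PENETRATION):
                detections.append((ev["uid"], i))
                state, ctx = 0, {}          # reset and keep watching this subject
        machines[ev["uid"]] = (state, ctx)
    return detections


# Constructed audit trail: uid 1001 (attacker) interleaved with uid 1002 (benign).
TRAIL = [
    {"uid": 1001, "op": "copy", "src": "/bin/sh", "dst": "/tmp/x"},
    {"uid": 1002, "op": "exec", "path": "/usr/bin/vi", "euid": 1002},
    {"uid": 1001, "op": "chmod", "path": "/tmp/x", "mode": 0o4755},
    {"uid": 1002, "op": "copy", "src": "/bin/sh", "dst": "/home/bob/sh"},  # not /tmp: no match
    {"uid": 1001, "op": "exec", "path": "/tmp/x", "euid": 0},
]

if __name__ == "__main__":
    print(analyze(TRAIL))
```

The guards are where the "cannot represent complex scenarios" drawback shows: each machine tracks one linear path and one bound file, so an attacker who prepares two candidate files, or splits the steps across two accounts, is not followed.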
-
Strengths and Drawbacks of State Transition Analysis
Strengths:
State Transition Analysis identifies a number of signature actions and represents them visually.
State Transition Diagram identifies precisely the requirements and penetrations
List of actions that must occur for completion of penetration.
Provide efficient reasoning support.
Drawbacks:
It cannot represent complex intrusion scenarios.
-
Covered so far in class on September 14, 2005
-
Pattern Matching Approach
Each intrusion signature is represented as a Petri net
A Petri net is a graphical and mathematical modeling tool. It consists of places, transitions, and arcs that connect them. Input arcs connect places with transitions, while output arcs start at a transition and end at a place.
Has strong expressive power
(Reference: James L. Peterson, Petri Net Theory and the Modeling of Systems)
-
Pattern Matching Approach (cont.)
Characteristics of patterns used to model attacks
Linearity: specifies a sequence of events comprising the signature pattern, which is a sequence of events without conjunction and disjunction.
Unification: instantiates variables to earlier events and matches these events to later occurring events.
Occurrence: specifies the relative placement in time of an event with respect to the previous events.
Beginning: specifies the absolute time of match of the beginning of a pattern.
Duration: specifies constraints on the time duration for which the event must be active.
Reference: S. Kumar, E. H. Spafford, An Application of Pattern Matching in Intrusion Detection, http://www.csee.umbc.edu/cadip/docs/NetworkIntrusion/pattern.pdf
-
Pattern Matching Approach (cont.)
Use Petri nets to capture signatures
Each signature corresponds to a particular Petri net automaton
Places (nodes) hold tokens; transitions fire on matching events and move tokens along the arcs
Final state of signature is a compromised state
Generate an intrusion pattern
1. Identify existence of files or other entities created by an attacker
2. Identify a sequence of events
3. Identify two or more sequences of events under temporal relation
4. Identify duration of events
5. Identify interval of events
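Added example (not from the lecture slides): a Petri-net style matcher in the spirit of the Kumar and Spafford model cited above, covering the unification and duration characteristics from the previous slide. Tokens sit in places and carry variable bindings; a transition fires when an event unifies with a token's bindings (the same FILE and USER must appear in every step) and the pattern's time constraint holds. Because each token is independent, several partial matches (different files, different users) are tracked at once, which is what a single per-subject state machine cannot do. The event format, the three-transition net and the sample trail are constructed for this example.

```python
"""Petri-net signature matching with variable unification and a duration bound.
Added example; event format, net and trail are constructed."""

WINDOW = 300   # seconds within which the whole pattern must complete (assumed)


def unify(bindings, **new):
    """Return bindings extended with new ones, or None on a conflicting value."""
    merged = dict(bindings)
    for var, val in new.items():
        if var in merged and merged[var] != val:
            return None
        merged[var] = val
    return merged


# Transition guards: (token bindings, event) -> new bindings, or None to not fire.
def t_create(b, ev):
    if ev["op"] == "create":
        return unify(b, FILE=ev["path"], USER=ev["uid"], T0=ev["t"])
    return None


def t_setuid(b, ev):
    if ev["op"] == "chmod" and ev["mode"] & 0o4000:
        return unify(b, FILE=ev["path"], USER=ev["uid"])
    return None


def t_exec(b, ev):
    if ev["op"] == "exec" and ev["euid"] == 0:
        nb = unify(b, FILE=ev["path"], USER=ev["uid"])
        if nb is not None and ev["t"] - nb["T0"] <= WINDOW:   # duration constraint
            return nb
    return None


# Arcs: (input place, transition, output place). "end" is the compromised place.
NET = [("start", t_create, "created"), ("created", t_setuid, "setuid"), ("setuid", t_exec, "end")]


def run(trail):
    """Feed events through the net; return the bindings of every full match."""
    places = {"start": [{}], "created": [], "setuid": [], "end": []}
    for ev in trail:
        snapshot = {p: list(toks) for p, toks in places.items()}  # no double firing per event
        for src, guard, dst in NET:
            for tok in snapshot[src]:
                nb = guard(tok, ev)
                if nb is not None:
                    places[dst].append(nb)
                    if src != "start":            # start keeps its token: any event may begin a match
                        places[src].remove(tok)
    return places["end"]


# Constructed audit trail (t in seconds). Two files by one user, a second user
# trying to finish the first user's pattern, and a third user who is too slow.
TRAIL = [
    {"t": 0,    "uid": 1001, "op": "create", "path": "/tmp/a"},
    {"t": 0,    "uid": 1003, "op": "create", "path": "/tmp/c"},
    {"t": 5,    "uid": 1001, "op": "create", "path": "/tmp/b"},
    {"t": 10,   "uid": 1001, "op": "chmod",  "path": "/tmp/b", "mode": 0o4755},
    {"t": 20,   "uid": 1001, "op": "chmod",  "path": "/tmp/a", "mode": 0o4755},
    {"t": 30,   "uid": 1001, "op": "exec",   "path": "/tmp/a", "euid": 0},
    {"t": 40,   "uid": 1002, "op": "exec",   "path": "/tmp/b", "euid": 0},   # USER conflict: no match
    {"t": 100,  "uid": 1003, "op": "chmod",  "path": "/tmp/c", "mode": 0o4755},
    {"t": 1000, "uid": 1003, "op": "exec",   "path": "/tmp/c", "euid": 0},   # exceeds WINDOW: no match
]

if __name__ == "__main__":
    print(run(TRAIL))
```

Every create event spawns a token, so on a busy host the "created" place grows without bound; a usable matcher expires tokens once the duration bound can no longer be met, which the duration characteristic makes possible to decide.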
-
Strengths and Drawbacks of Pattern Matching Approach
Strengths:
Rule-based sequential patterns detect anomalous activities that are difficult to detect using traditional methods.
Systems built using this model are highly adaptive to changes by users; if a new pattern is found, it is easy to define it as a Petri net.
Anomalous activities detected and reported within seconds of receiving audit events.
Drawbacks:
Requires experience to generate rules
Difficult to verify the completeness of the set of rules
-
Intrusion Assessment
Activities
Collecting information about intrusions by analyzing a large amount of audit data from various network nodes
Checking network configuration information
Talking to users
Querying other security tools, such as firewalls, authentication servers, etc.
-
Intrusion Assessment (cont.)
Results generated by IDS can be categorized in three levels:
Data: measurement and observation from audit data and network traffic.
Information: data organized to represent primary intrusion detection results derived directly from audit data or network traffic
Knowledge: information explained and understood in terms of the intrusion identity, intrusion rate, threat, and intrusion scope, etc.
-
Intrusion Assessment (cont.)
Information fusion techniques (Bayesian network, heuristic methods, artificial intelligence techniques, etc.) to analyze all kinds of information, including intrusion detection results, audit data, etc. distributed across computer networks.
-
Challenges of Intrusion Assessment
Large volume of distributed data.
Heterogeneous network systems.
Deep understanding of operating systems and networks required.
Diverse activities, difficult to formalize
Tedious, time-consuming, error-prone, long learning curve