Intrusion Detection
04/08/2023 | 2 | INTRUSION DETECTION
PRESENTATION OUTLINE
Introduction: What? Why? History; Typical intrusion scenario
Types of attacks
What an IDS does
Types of IDS: based on detection approach (advantages/disadvantages); based on protected system (network-based / host-based detection)
Evaluation of IDS
Commercially available IDS
Snort
References
Q/A
WHAT IS AN INTRUSION DETECTION SYSTEM?
Intrusion: any unauthorized access, any unpermitted attempt to access or damage, or any malicious use of information resources
Intrusion Detection: detection of break-ins and break-in attempts by automated software systems
Intrusion Detection Systems (IDS): defense systems which detect, and possibly prevent, intrusion activity
WHAT IS NOT AN IDS?
Network logging systems
Security scanners: vulnerability assessment tools that check for flaws in the OS or network
Antivirus products
Security/cryptographic systems, e.g. VPN, SSL, Kerberos
Firewalls
WHY IDS?
Straightforward reason: to protect data and system integrity. Fact: this cannot be done with ordinary password and file security alone.
Misconception: "A network firewall will keep the bad guys off my network, right? My anti-virus will recognize and get rid of any virus I might catch, right? And my password-protected access control will stop the office cleaner trawling through my network after I've gone home, right? So that's it: I'm fully protected."
HERE IS THE REALITY
Anti-virus systems are only good at detecting viruses they already know about.
Passwords can be cracked, stolen, or changed by others.
Firewalls do NOT recognize attacks and block them; a firewall is simply a fence around your network:
  no capacity to detect that someone is trying to break in (digging a hole underneath it)
  cannot determine whether somebody coming through the gate is allowed to enter or not
Roughly 80% of financial losses are due to hacking from inside the network: "BEWARE OF INTERNAL INTRUDERS".
Example: in April 1999, many sites were hacked via a bug in ColdFusion. All had firewalls blocking everything except port 80, but it was the web server itself, listening on port 80, that was hacked; the firewall passed the attack traffic as ordinary web requests.
ID - A BRIEF HISTORY
1980 - James Anderson's paper "Computer Security Threat Monitoring and Surveillance": the concept of "detecting" misuse and specific user events emerged
1984 - Dr. Dorothy Denning and SRI developed the first model for intrusion detection; the Intrusion Detection Expert System (IDES) was developed
1988 - The Haystack project, at a University of California lab (Lawrence Livermore), released an intrusion detection system for the US Air Force
1989 - The commercial company Haystack Labs released Stalker
1990 - UC Davis's Todd Heberlein introduced the idea of a "Network Intrusion Detection System" and developed the Network Security Monitor (NSM); SAIC developed the Computer Misuse Detection System (CMDS)
HISTORY - CONTD..
The US Air Force developed the Automated Security Incident Measurement (ASIM) system
The ID market gained popularity around 1997
1998 - ISS developed RealSecure; Cisco purchased the Wheel Group; the first host-based detection company, Centrax Corporation, emerged
IDS went on to become (per the source below) the top-selling security technology
Source : www.symantic.com/connect/articles/evolution-detection-systems
TYPICAL INTRUSION SCENARIO
1. Information gathering: find as much information as possible; whois lookups and DNS zone transfers; normal browsing to gather important information
2. Further information gathering: ping sweeps, port scanning; web server vulnerabilities; versions of applications/services
3. Attack!: start trying out different attacks; Unicode attack if IIS is installed; try to find misconfigured running services; passive attack / active attack
4. Successful intrusion: install own backdoors and delete log files; replace existing services with own Trojan horses that have backdoor passwords, or create own user accounts
5. Fun and profit: steal confidential information; use the compromised host to launch further attacks; deface the web site for fun
TYPES OF ATTACK
Unauthorized access to resources:
  Password cracking
  Spoofing, e.g. DNS spoofing
  Scanning ports and services
  Network packet sniffing
  Stealing information
  Unauthorized network access
  Use of IT resources for private purposes
Unauthorized alteration of resources:
  Falsification of identity
  Information altering and deletion
  Unauthorized transmission and creation of data
  Configuration changes to systems and network services
TYPES OF ATTACK CONTD..
Denial of service:
  Flooding: ping flood, mail flood
Compromising systems:
  Buffer overflow
  Remote system shutdown
  Web application attacks
"Most attacks are not a single attack but a series of individual events developed in a coordinated manner"
[Figure] Source : http://members.autobahn.mb.ca/~het/terror_war/evote.html
WHAT IS AN IDEAL IDS SUPPOSED TO DO?
Identify possible incidents: detect that an attacker has compromised a system
Report to the administrator
Log information: keep a log of suspicious activities
Can be configured to recognize violations of security policies, e.g. monitor file transfers (copying a large database onto a user's laptop)
Identify reconnaissance activity: attack tools and worms perform reconnaissance such as host and port scans
IDS CLASSIFICATION
[Figure] Source : http://www.windowsecurity.com/articles/IDS-Part2-Classification-methods-techniques.html
IDS TYPES : BASED ON DETECTION APPROACH
Knowledge-based (signature-based) and behavior-based (anomaly-based)
Knowledge-based: matches signatures of well-known attacks against state changes in systems or the stream of packets flowing through the network
Examples of signatures:
  A telnet attempt with username "root", which is a violation of an organization's security policy
  An e-mail with subject "Free Pictures" and an attachment "freepics.exe": characteristics of malware
ADVANTAGES / DISADVANTAGES OF KB-IDS
Advantages: very few false alarms; very effective at detecting previously known threats
Disadvantages:
  Ineffective at detecting new threats, or known threats disguised by evasion techniques
  Compares a current unit of activity (e.g. a network packet or a log entry) to a list of signatures using string comparison operations
  Little understanding of network or application protocols and cannot track the state of complex communications: e.g. cannot pair a request with the corresponding response, and cannot remember a previous request while processing the current one
BEHAVIOR-BASED IDS
Compares normal events against observed events to identify significant deviations
Has profiles that represent the normal behavior of users, hosts, network connections, or applications, developed by monitoring the characteristics of typical activity over a period of time
Profiles can cover behavioral attributes such as the number of emails sent by a user, the number of failed logins for a host, the level of processor usage, etc.
Example: a profile for a network might show that, on average, 13% of network bandwidth is due to web activity during typical workday hours. The IDS can then use statistical methods to compare the current web bandwidth with the expected value and alert the administrator if web activity is occupying abnormally high bandwidth.
STATIC VS. DYNAMIC PROFILES
Profiles are generated over a period of time (days, or sometimes weeks)
A static profile is unchanged unless a new profile is explicitly generated; after changes in systems and/or networks a static profile becomes inaccurate and must be generated again
A dynamic profile is updated continuously as new activity is observed; its defect is susceptibility to evasion: an attacker who performs malicious activity frequently and gradually can have it absorbed into the profile as "normal"
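To make the statistical comparison from the 13%-bandwidth example concrete, and to show the evasion that the dynamic-profile point warns about, here is an added example that is not part of the original slides. It models a web-bandwidth profile as a mean and standard deviation and flags observations whose z-score exceeds a threshold; the training samples, the threshold, the EWMA smoothing factor and the two traffic patterns are all constructed for illustration.

```python
"""Behavior-based (anomaly) detection with static vs. dynamic profiles.

Added example, not code from the original slides. The training samples,
the ~13% "normal" web share, the z-score threshold and the EWMA smoothing
factor are constructed/assumed for illustration.
"""
from statistics import mean, pstdev

# Constructed training data: share of bandwidth used by web traffic, sampled
# hourly over a few workdays that are assumed to be free of attacks.
TRAINING = [0.12, 0.14, 0.13, 0.11, 0.15, 0.13, 0.12, 0.14,
            0.13, 0.12, 0.14, 0.13, 0.11, 0.15, 0.13, 0.12]


class StaticProfile:
    """Mean and standard deviation fixed at training time, never updated.

    An observation is anomalous when its z-score exceeds the threshold."""

    def __init__(self, samples, z_threshold=3.0):
        self.mu = mean(samples)
        self.sigma = pstdev(samples) or 1e-9   # avoid division by zero
        self.z_threshold = z_threshold

    def check(self, value):
        z = (value - self.mu) / self.sigma
        return abs(z) > self.z_threshold


class DynamicProfile(StaticProfile):
    """Same test, but the profile follows the traffic: after every observation
    the mean and variance are updated with an exponentially weighted moving
    average (EWMA), whether or not the observation raised an alert."""

    def __init__(self, samples, z_threshold=3.0, alpha=0.3):
        super().__init__(samples, z_threshold)
        self.alpha = alpha          # assumed smoothing factor
        self.var = self.sigma ** 2

    def check(self, value):
        alert = super().check(value)
        diff = value - self.mu
        self.mu += self.alpha * diff
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.sigma = self.var ** 0.5 or 1e-9
        return alert


def run(profile, observations):
    """Feed observations in order; return one True/False alert flag per sample."""
    return [profile.check(v) for v in observations]


# Constructed test traffic.
# A sudden spike: a worm starts hammering the web, 60% of bandwidth at once.
SPIKE = [0.13, 0.12, 0.60, 0.13]
# A slow ramp: an insider raises exfiltration by 2 points every hour
# (0.15, 0.17, ..., 0.61), the "frequently performing malicious activity"
# evasion the slide warns about.
RAMP = [round(0.13 + 0.02 * i, 2) for i in range(1, 25)]


if __name__ == "__main__":
    for name, prof_cls in (("static", StaticProfile), ("dynamic", DynamicProfile)):
        print(name, "spike:", run(prof_cls(TRAINING), SPIKE))
        print(name, "ramp alerts:", sum(run(prof_cls(TRAINING), RAMP)), "of", len(RAMP))
```

Run it and the static profile alerts on both the sudden spike and the slow ramp, while the dynamic profile catches the spike but silently absorbs the ramp: each hourly step stays within a few standard deviations of a mean that keeps chasing it, which is exactly the evasion case. The trade-off is the one on the slide: the static profile would start raising the same alerts on legitimate traffic after a real change in the network, until it is regenerated.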
ADVANTAGES / DISADVANTAGES OF BB-IDS
Advantage: very effective at detecting unknown threats. Example: suppose a computer is infected with a new type of malware. The malware consumes a large share of the computer's processor resources, sends a large number of emails, and initiates a large number of network connections. This is a significant deviation from the established profiles.
Disadvantages:
  High false alarm rate: any legitimate activity that did not occur during the training phase is later flagged as anomalous
  Making a profile is very challenging
NETWORK BASED INTRUSION DETECTION
The IDS is placed on the network, near the system(s) being monitored
Monitors network traffic for particular network segments or devices
The network interface card is placed in promiscuous mode to capture all network traffic
Sensors placed on a network segment check the packets
Primary types of signatures: string signatures, port signatures, header condition signatures
NETWORK BASED INTRUSION DETECTION CONTD..
String signature: looks for text/strings that may indicate a possible attack. Example: on a UNIX system, cat "+ +" > /.rhosts (a .rhosts containing "+ +" trusts every user from every host, so rlogin needs no password)
Port signature: watches for connection attempts to well-known, frequently attacked ports. Example: telnet (TCP port 23), FTP (TCP ports 21/20); the ports are not in use, yet packets keep arriving at them
Header signature: watches for dangerous or illogical combinations of packet headers. Example: a TCP packet with both SYN and FIN flags set, i.e. a request to start and stop the connection at the same time
Limitations:
  Cannot detect attacks inside encrypted network traffic (e.g. HTTPS, VPN)
  IDS sensors are themselves susceptible to various attacks
  A large volume of traffic can overwhelm or crash the IDS sensor itself
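The three signature types above, the telnet-"root" signature from the detection-approach slide, and the KB-IDS weakness of matching one packet at a time with no connection state, as one added example that is not code from the original slides or from Snort. Packet fields, addresses, signature names and the Snort rules quoted in the comments are assumptions for illustration; the sample traffic is constructed.

```python
"""Network-based signature matching over constructed TCP segments.

Added example, not code from the original slides or from Snort. Packet
fields, addresses, signature names and the Snort rules quoted in comments
are assumptions for illustration; the sample traffic is constructed.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # TCP flag letters: S, A, F, R, P, U
    payload: bytes = b""


# (name, scope, predicate). "packet" signatures look at one segment;
# "stream" signatures look at the payload of a whole connection.
SIGNATURES = [
    # String signature: writing "+ +" into .rhosts trusts every user on every host.
    # Snort (assumed): alert tcp any any -> any any (msg:"rhosts + +"; content:"+ +"; content:".rhosts"; sid:1000001;)
    ("string:rhosts-plus-plus", "stream",
     lambda p: b"+ +" in p.payload and b".rhosts" in p.payload),
    # String signature: "root" sent to the telnet port (the policy violation on the slide).
    ("string:telnet-root", "stream",
     lambda p: p.dport == 23 and b"root" in p.payload),
    # Port signature: a fresh connection attempt (SYN only) to telnet/FTP ports.
    # Snort (assumed): alert tcp any any -> $HOME_NET [20,21,23] (msg:"telnet/ftp connect"; flags:S; sid:1000002;)
    ("port:telnet-ftp-connect", "packet",
     lambda p: p.flags == {"S"} and p.dport in {20, 21, 23}),
    # Header signature: SYN and FIN together is illogical (start and stop at once).
    # Snort (assumed): alert tcp any any -> any any (msg:"SYN FIN"; flags:SF; sid:1000003;)
    ("header:syn-fin", "packet",
     lambda p: {"S", "F"} <= p.flags),
]


def match_packets(packets):
    """Stateless matching: every signature is tested against each segment on
    its own, the string-comparison model the slides describe."""
    return [name for p in packets for name, _scope, pred in SIGNATURES if pred(p)]


def match_with_reassembly(packets):
    """Packet-scope signatures per segment, stream-scope signatures on the
    concatenated payload of each flow (src, dst, sport, dport)."""
    alerts, flows = [], {}
    for p in packets:
        alerts += [name for name, scope, pred in SIGNATURES
                   if scope == "packet" and pred(p)]
        flows.setdefault((p.src, p.dst, p.sport, p.dport), []).append(p)
    for key, segs in flows.items():
        stream = Packet(*key, flags=frozenset(), payload=b"".join(s.payload for s in segs))
        alerts += [name for name, scope, pred in SIGNATURES
                   if scope == "stream" and pred(stream)]
    return alerts


# Constructed sample traffic from one attacker host.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", 40000, 23, frozenset("S")),                 # telnet connect
    Packet("10.0.0.5", "10.0.0.9", 40000, 23, frozenset("PA"), b"login: root\r\n"),
    Packet("10.0.0.5", "10.0.0.9", 40001, 80, frozenset("SF")),                # SYN+FIN probe
    # The rhosts command split across two segments: each half alone matches nothing.
    Packet("10.0.0.5", "10.0.0.9", 40002, 513, frozenset("PA"), b'echo "+'),
    Packet("10.0.0.5", "10.0.0.9", 40002, 513, frozenset("PA"), b' +" > /.rhosts\n'),
]

if __name__ == "__main__":
    print("per packet:  ", match_packets(SAMPLE))
    print("reassembled: ", match_with_reassembly(SAMPLE))
```

The per-packet pass finds the port, header and telnet-root signatures but misses the .rhosts command, because "+ +" never appears inside a single segment; only the per-flow reassembly catches it. That split is the simplest form of the evasion the KB-IDS slide mentions, and it is why real sensors such as Snort reassemble TCP streams before content matching. Note also that neither function sees anything if the same bytes travel inside TLS or a VPN tunnel, the encrypted-traffic limitation above.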
[Figure] Source : WindowsSecurity.com
HOST BASED IDS
A piece or pieces of software on the system to be monitored
Uses log files and the network traffic in/out of that host as data sources
Monitors: incoming packets, login activity, root activity, file systems
A host-based IDS might monitor wired and wireless network traffic, system logs, running processes, and file access/modification
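Two of the host-side data sources listed above, file modification and login activity, as an added example that is not code from the original slides or from any product named on them (Tripwire, OSSEC). It takes a hash baseline of monitored files and reports what changed or vanished, and counts failed SSH logins per source host from syslog lines; the file names, the log lines and the threshold are constructed/assumed.

```python
"""Host-based checks: file-integrity baseline and failed-login counting.

Added example, not code from the original slides or from any product
listed on them (Tripwire, OSSEC). File names, the syslog lines and the
threshold are constructed/assumed for illustration.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter


def file_baseline(paths):
    """SHA-256 of each monitored file, taken while the host is believed clean."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as f:
            baseline[path] = hashlib.sha256(f.read()).hexdigest()
    return baseline


def check_integrity(baseline):
    """Compare current files against the baseline; return (path, reason) findings."""
    findings = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                findings.append((path, "modified"))
    return findings


# Matches OpenSSH's failed-password line; the source host is group 2.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def failed_login_sources(log_lines, threshold=3):
    """Source hosts with at least `threshold` failed logins (assumed threshold)."""
    counts = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def demo_integrity():
    """Build a baseline over two constructed files, then simulate an intruder
    adding a backdoor account and deleting a config file."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        inetd = os.path.join(d, "inetd.conf")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(inetd, "w") as f:
            f.write("telnet stream tcp nowait root /usr/sbin/in.telnetd\n")
        baseline = file_baseline([passwd, inetd])
        with open(passwd, "a") as f:                # backdoor account with uid 0
            f.write("toor:x:0:0::/root:/bin/sh\n")
        os.remove(inetd)                             # attacker wipes the config
        return [reason for _path, reason in check_integrity(baseline)]


# Constructed syslog lines (OpenSSH format).
AUTH_LOG = [
    "Apr  8 10:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Apr  8 10:01:05 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Apr  8 10:01:09 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2",
    "Apr  8 10:02:00 web1 sshd[1210]: Failed password for alice from 198.51.100.4 port 40211 ssh2",
    "Apr  8 10:02:30 web1 sshd[1212]: Accepted password for alice from 10.0.0.8 port 40212 ssh2",
    "Apr  8 10:03:11 web1 sshd[1220]: Failed password for root from 203.0.113.7 port 51140 ssh2",
]

if __name__ == "__main__":
    print(demo_integrity())
    print(failed_login_sources(AUTH_LOG))
```

The integrity check only works if the baseline itself is stored where the intruder cannot rewrite it (read-only media or another host), and the baseline must be refreshed after every legitimate update, otherwise it produces the same kind of false alarms as a stale anomaly profile. The login counter is the host-side counterpart of the network port signature: it sees the attempt in the host's own log even when the connection was encrypted on the wire.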
[Figure] Source : WindowsSecurity.com
EVALUATION OF IDSs
[Table] Source : Iftikhar Ahmad, Azween B Abdullah and Abdullah S Alghamdi, "Comparative Analysis of Intrusion Detection Approaches", 12th International Conference on Computer Modelling and Simulation, 2010
CURRENTLY AVAILABLE IDSs
Network based IDS:
  Internet Security Systems RealSecure
  Symantec NetProwler
  Network ICE BlackICE Defender
  CyberSafe Centrax
  Detection Appliance
Host based IDS:
  Internet Security Systems RealSecure
  Symantec Intruder Alert
  Tripwire
  CyberSafe Centrax
Snort, Fragroute/Fragrouter and OSSEC HIDS are some of the most popular open source IDS tools
SNORT
Open source NIDS, originally written by Martin Roesch and developed by Sourcefire (acquired by Cisco in 2013)
Primarily signature-based, with preprocessors that add protocol-anomaly detection, so it combines the benefits of signature-based and behavior-based techniques
Reports 300,000 registered users
How to install Snort (in Linux): http://www.youtube.com/watch?v=TZ0Hj0t5b5k&feature=related
How to install and use Snort (in XP): http://www.youtube.com/watch?v=nAWN989WA0A&feature=related
carbo.dll is the file that can be used to remotely view any file your web server has permission to view
REFERENCES
Roman V. Yampolskiy and Venu Govindaraju, "Computer Security: a Survey of Methods and Systems", Journal of Computer Science 3 (7), 2007
Iftikhar Ahmad, Azween B Abdullah and Abdullah S Alghamdi, "Comparative Analysis of Intrusion Detection Approaches", 12th International Conference on Computer Modelling and Simulation, 2010
David Elson, "Intrusion Detection, Theory and Practice", www.symantec.com
Karen Scarfone, Peter Mell, "Guide to Intrusion Detection and Prevention Systems (IDPS)", NIST Special Publication 800-94
ISS, "Network- vs. Host-based Intrusion Detection: A Guide to Intrusion Detection Technology"
FAQs: http://www.sans.org/security-resources/idfaq/
http://ids.nic.in/JCES%20TNL%20OCT%202008/IDS/IDS.htm
http://sectools.org/ids.html
http://www.snort.org/
http://www.wikipedia.org
QUESTIONS / COMMENTS