Post on 06-May-2015
- Intrusion Detection
- Himani Singh
- ( himanisingh @ comcast .net )
- Kavita Khanna
- ( [email_address] )
- (CS-265, Fall-2003)
2. Intrusion Detection: Presentation Outline
- How an Intruder gets access?
- Security Holes and Vulnerabilities
- What is Intrusion Detection?
- Typical intrusion scenario
- Host based and Network based Intrusion Detection.
- Knowledge based and behavioral based Intrusion Detection.
- False positives / false alarms.
- Do I need IDS if I already have a firewall?
3. How an Intruder gets access
- A hacker and/or cracker who hacks into systems and does unauthorized/malicious activities
- How does an intruder get access?
- Physical Intrusion: remove some hardware, disk, memory
- System Intrusion: low-privilege user account
- Remote Intrusion: across the network
4. Security Holes and Vulnerabilities: What?
- Software bugs
- System configuration
- Bad password policy
- Traffic sniffing
- Design flaws
5. Security Holes and Vulnerabilities
- Software bugs
- Buffer overflows: overflow the input with intentional code.
- Unexpected combinations: PERL can send some malicious input to another program
- Unhandled input: what action is taken on invalid input?
- Race conditions: rare but possible
- System configuration
- Default configurations: easy-to-use configurations
- Lazy administrators: empty root/administrator password
- Hole creations: turn off everything that doesn't absolutely positively need to run
6. Security Holes and Vulnerabilities (Cont)
- Password cracking
- Weak passwords, dictionary attacks, brute force, etc.
- Sniffing unsecured traffic
- Shared medium
- Server sniffing
- Remote access
- Design flaws
- TCP/IP protocol flaws
- Smurf: ICMP request with the victim's address as the return address
- SYN Flood: target runs out of resources; combined with IP spoofing
- UNIX design flaws
- Distributed DoS attack: Amazon and Yahoo
- Do not forget Social Engineering: hacker Kevin Mitnick told Congress that he used technology only 2% of the time
7. What is Intrusion Detection
- Intrusion: an unauthorized activity or access to an information system; an attack originating outside the organization.
- Misuse: attacks originating inside the organization.
- Intrusion Detection (ID): the process of detecting whether an Intrusion / Misuse has been attempted, is occurring, or has occurred.
- Intrusion and/or misuse can be as severe as stealing sensitive information or misusing your email system for Spam
- ID runs continuously
- Does both Detection and Response
Source: The Practical Intrusion Detection book by Paul E. Proctor.
8. Typical intrusion scenario
- Step 1: outside reconnaissance
- Step 2: inside reconnaissance
- Step 3: exploit
- Step 4: foot hold
- Step 5: profit, like bandwidth theft
- Step 6: get out, cover tracks
9. Step 1 & 2: Reconnaissance
- Random internet addresses, looking for a specific hole on any system rather than a specific system
- Ping sweeps
- TCP/UDP scans
- OS identification
- Account scan
10. Step 3: EXPLOITS
- CGI scripts
- Web server attacks
- Web browser attacks
- URL, HTTP, HTML, JavaScript, frames
- SMTP (SendMail) attacks
- IP spoofing
- DNS poisoning
- Buffer Overflows
- Signature recognition
- Patterns: well-known patterns of attack, e.g.
- cgi patterns
- tcp port scans
- Port based signatures: if common ports are not in use and traffic is coming in / going out on that port
- Invalid protocol behavior
- Anomaly detection
- Some action or data that is not considered normal for a given system, user, or network.
- Can be indicated by a change in CPU utilization, disk activity, user logins, file activity, increased traffic, and so forth
- Advantage: detects unknown attacks/misuse
- Anomaly detection -- three statistical criteria
- Number of events outside the expected range
- e.g. login attempts > 3
- If a statistical period goes outside the expected interval, e.g. time to load a file on an FTP server
- Markov model, if there is a sequence of events
- Suppose the observed sequence is x y z h j z x y z; then
- the probability of z coming after x y is 1,
- and so on
- If there is a deviation, then there is a problem
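The three statistical criteria above, worked through in code. This is an added example, not material from the slides: a toy host-based anomaly detector with an event-count threshold, a timing interval derived from a baseline, and an order-2 Markov model trained on the slide's own sequence x y z h j z x y z. The event names, thresholds, baseline timings and sample data are constructed for illustration.

```python
# Added example (not from the slides): the three statistical anomaly criteria
# in a toy host-based anomaly detector. Event names, thresholds and all sample
# data are constructed for illustration.
from collections import Counter, defaultdict
from statistics import mean, pstdev


def count_anomalies(events, event_type="login_failed", max_allowed=3):
    """Criterion 1: number of events outside the expected range.

    events: iterable of (user, event_type) tuples.
    Returns users with more than max_allowed events of the given type.
    """
    counts = Counter(user for user, kind in events if kind == event_type)
    return sorted(user for user, n in counts.items() if n > max_allowed)


def timing_anomalies(baseline, observed, k=3.0):
    """Criterion 2: a measured duration outside the expected interval.

    The expected interval is mean +/- k standard deviations of the baseline
    (e.g. historic times to fetch a file from an FTP server).
    """
    mu, sigma = mean(baseline), pstdev(baseline)
    low, high = mu - k * sigma, mu + k * sigma
    return [t for t in observed if not low <= t <= high]


class MarkovModel:
    """Criterion 3: an order-N Markov model over a sequence of events.

    With order=2 the context is the previous two events, so after training
    on x y z h j z x y z the probability of z following (x, y) is 1.0.
    """

    def __init__(self, order=2):
        self.order = order
        self.transitions = defaultdict(Counter)  # context -> Counter(next event)

    def train(self, sequence):
        seq = list(sequence)
        for i in range(self.order, len(seq)):
            context = tuple(seq[i - self.order:i])
            self.transitions[context][seq[i]] += 1

    def probability(self, context, nxt):
        counts = self.transitions.get(tuple(context))
        if not counts:
            return 0.0  # context never seen in training
        return counts[nxt] / sum(counts.values())

    def deviations(self, sequence, min_probability=0.05):
        """Return (index, context, event, probability) for each transition
        whose probability falls below min_probability."""
        seq = list(sequence)
        found = []
        for i in range(self.order, len(seq)):
            context = tuple(seq[i - self.order:i])
            p = self.probability(context, seq[i])
            if p < min_probability:
                found.append((i, context, seq[i], p))
        return found


# Constructed sample data
SAMPLE_EVENTS = ([("alice", "login_failed")] * 4
                 + [("bob", "login_failed")] * 2
                 + [("bob", "login_ok")])
BASELINE_FETCH_SECONDS = [1.0, 1.2, 0.9, 1.1, 1.0, 1.3, 0.8, 1.1]
OBSERVED_FETCH_SECONDS = [1.1, 4.7, 0.2]
TRAINING_SEQUENCE = "xyzhjzxyz"  # the slide's example event sequence
OBSERVED_SEQUENCE = "xyzhjzxyq"  # the same sequence, but the last event deviates


if __name__ == "__main__":
    print("count anomalies:", count_anomalies(SAMPLE_EVENTS))
    print("timing anomalies:", timing_anomalies(BASELINE_FETCH_SECONDS, OBSERVED_FETCH_SECONDS))
    model = MarkovModel(order=2)
    model.train(TRAINING_SEQUENCE)
    print("P(z | x y) =", model.probability("xy", "z"))
    print("deviations:", model.deviations(OBSERVED_SEQUENCE))
```

The Markov model reports a deviation only at index 8, where q follows (x, y) with probability 0; every earlier transition was seen in training. The `min_probability` threshold is what trades false positives against missed attacks: raising it flags more rare-but-legitimate transitions, which is the false-alarm problem the outline lists.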
14. IDS (Intrusion Detection System)
- IDSshould do
- Event log analysis for Inside threat detection
- Network traffic analysis for perimeter threat detection
- Security configuration management
- File integrity checking
[Architecture diagram: Director, Agents, Host, Network, notifier]
15. Components of IDS
- Command console: a central commanding authority
- Network sensor
- Alert notification
- Response subsystem
- Network Tap(s)
16. Network Intrusion Detection System
- NIDS: the system detects an intruder by sniffing or monitoring the network packets on the wire and matching the attack pattern against a database of known attack patterns.
- Architecture of NIDS
- Network node: agents distributed on each critical target computer in the network, to monitor traffic bound only for that individual target.
- Sensor based: the sensor sits between two communicating computers, either stand-alone or on a network device, to monitor the whole network
17. Steps In NIDS
- A network packet is born.
- The packet is read in real time through a sensor (either a network sensor or a network node sensor).
- The detection engine is used to identify a predefined pattern of misuse.
- If there is a match, the security officer is notified by audible alert, e-mail, pager, visual alert, or SNMP. For example: beep or play a .WAV file, "You are under attack".
- An Alert is generated (either pre-defined or through the security officer).
- A response to that Alert is generated.
18. Steps In NIDS (Cont.)
- Reconfigure firewall /router
- Filter out IP address
- Terminate (Reset) TCP connection
- Alert is stored for later review
- timestamp, intruder IP address, victim IP address/port, protocol information
- Reports are generated
- Data log for long-term trends
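The NIDS pipeline of slides 17 and 18, together with the signature types from the signature-recognition slide (cgi patterns, tcp port scans, port based signatures), as one added example that is not code from the slides: a sensor hands simplified packet records to a detection engine, matches fire alerts that store exactly the fields listed above (timestamp, intruder IP, victim IP/port, protocol), and a response subsystem maps each alert to a reaction (reset the TCP connection, filter the IP address, or notify only). The packet records, signature patterns, expected port list, scan threshold and IP addresses are all constructed for illustration.

```python
# Added example (not from the slides): a miniature signature-based NIDS that
# follows the slide's steps: read packet -> match signature database -> store
# alert -> choose response. Packets, signatures, ports and addresses are all
# constructed for illustration.
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Simplified packet record as a sensor might hand it to the detection engine."""
    timestamp: str
    src: str
    dst: str
    dport: int
    proto: str
    payload: str = ""


# Signature database (constructed).
CONTENT_SIGNATURES = {
    # "cgi pattern": a request path under /cgi-bin/ that climbs out of it
    "cgi-pattern": re.compile(r"/cgi-bin/[^ ]*\.\./"),
}
# "Port based signature": ports the monitored host is expected to serve;
# traffic to any other port is suspicious.
EXPECTED_PORTS = {25, 53, 80, 443}
# "tcp port scan": one source touching this many distinct ports.
SCAN_THRESHOLD = 5

# Response subsystem: what to do for each signature.
RESPONSES = {
    "cgi-pattern": "reset-tcp-connection",
    "tcp-port-scan": "filter-source-ip",
    "unexpected-port": "notify-only",
}


def make_alert(packet, signature):
    """The stored alert record: the fields the slide lists for later review."""
    return {
        "timestamp": packet.timestamp,
        "intruder_ip": packet.src,
        "victim": f"{packet.dst}:{packet.dport}",
        "protocol": packet.proto,
        "signature": signature,
    }


def detect(packets):
    """Detection engine: run every packet through the signature database."""
    alerts = []
    ports_by_source = defaultdict(set)
    for pkt in packets:
        for name, pattern in CONTENT_SIGNATURES.items():
            if pattern.search(pkt.payload):
                alerts.append(make_alert(pkt, name))
        if pkt.dport not in EXPECTED_PORTS:
            alerts.append(make_alert(pkt, "unexpected-port"))
        ports_by_source[pkt.src].add(pkt.dport)
        if len(ports_by_source[pkt.src]) == SCAN_THRESHOLD:  # fire once, at the threshold
            alerts.append(make_alert(pkt, "tcp-port-scan"))
    return alerts


def respond(alerts):
    """Map each alert to the response the subsystem would take."""
    return [(a["intruder_ip"], a["signature"], RESPONSES[a["signature"]]) for a in alerts]


# Constructed traffic: a port scan from one host, a CGI probe from another,
# and one normal HTTPS request.
SAMPLE_PACKETS = [
    Packet("2003-11-01T10:00:00", "203.0.113.5", "192.0.2.10", port, "TCP")
    for port in (21, 22, 23, 25, 80)
] + [
    Packet("2003-11-01T10:00:05", "198.51.100.7", "192.0.2.10", 80, "TCP",
           "GET /cgi-bin/../../etc/passwd HTTP/1.0"),
    Packet("2003-11-01T10:00:06", "198.51.100.9", "192.0.2.10", 443, "TCP"),
]


if __name__ == "__main__":
    found = detect(SAMPLE_PACKETS)
    for alert in found:
        print(alert)
    print(respond(found))
```

The scan fires a single `tcp-port-scan` alert when the fifth distinct port is seen, while the three probes to ports outside `EXPECTED_PORTS` each raise an `unexpected-port` alert on their own; the normal HTTPS request raises nothing. This is also where the packet-loss limitation on the next slide bites: the scan counter only sees the packets the sensor actually captured.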
19. NIDS Limitations
- Packet loss on high speed network
- Intruder can hide in lost packets; node-based ID does not suffer from this issue
- Switched network: ATM
- Solutions: network sensor on the decrypted side of the VPN
- Distributed network architecture with ID agents
- Encrypted on the fly; putting the key on the router is a security threat
- Many signatures can be detected in the full string
- Sniffer dete