intrusion detection

Posted on 06-May-2015

1. Intrusion Detection

  • By Himani Singh (himanisingh @ comcast .net) & Kavita Khanna ([email_address])
  • (CS-265, Fall-2003)

2. Intrusion Detection: Presentation Outline

  • How an Intruder gets access?
  • Security Holes and Vulnerabilities
  • What is Intrusion Detection?
  • Typical intrusion scenario
  • Host based and Network based Intrusion Detection.
  • Knowledge based and behavioral based Intrusion Detection.
  • False positives / false alarms.
  • Do I need IDS if I already have a firewall?

3. How an Intruder Gets Access

  • Intruder
    • A hacker and/or cracker who breaks into systems and carries out unauthorized or malicious activities
  • How does an intruder get access?
    • Physical intrusion: removes hardware, disks, memory
    • System intrusion: starts from a low-privilege user account
    • Remote intrusion: across the network

4. Security Holes and Vulnerabilities: What?

  • Software bugs
  • System configuration
  • Bad password policy
  • Traffic sniffing
  • Design flaws

5. Security Holes and Vulnerabilities

  • Software bugs
    • Buffer overflows: an input buffer is overflowed with intentionally crafted code
    • Unexpected combinations: e.g. a Perl script can pass malicious input on to another program
    • Unhandled input: what action is taken on invalid input?
    • Race conditions: rare but possible
  • System configuration
    • Default configurations: easy-to-use configurations
    • Lazy administrators: empty root/administrator password
    • Hole creation: turn off everything that doesn't absolutely positively need to run

6. Security Holes and Vulnerabilities (Cont.)

  • Password cracking
    • Weak passwords, dictionary attacks, brute force, etc.
  • Sniffing unsecured traffic
    • Shared medium
    • Server sniffing
    • Remote access
  • Design flaws
    • TCP/IP protocol flaws
      • Smurf: ICMP request with the return address set to the victim's
      • SYN flood: target runs out of resources; combined with IP spoofing
    • UNIX design flaws
    • Distributed DoS attacks: Amazon and Yahoo
  • Do not forget social engineering: hacker Kevin Mitnick told Congress that he used technology only 2% of the time

7. What is Intrusion Detection

  • Intrusion: an unauthorized activity or access to an information system; the attack originates outside the organization.
  • Misuse: attacks originating inside the organization.
  • Intrusion Detection (ID): the process of detecting whether intrusion/misuse has been attempted, is occurring, or has occurred. [1]
    • Intrusion and/or misuse can be as severe as stealing sensitive information or misusing your e-mail system for spam
    • ID runs continuously
    • Does both detection and response

[1] The Practical Intrusion Detection book by Paul E. Proctor.

8. Typical Intrusion Scenario

  • Step 1: outside reconnaissance
  • Step 2: inside reconnaissance
  • Step 3: exploit
  • Step 4: foothold
  • Step 5: profit, like bandwidth theft
  • Step 6: get out, cover traces

9. Step 1 & 2: Reconnaissance

  • Scanning random internet addresses, looking for a specific hole on any system rather than targeting a specific system
  • Ping sweeps
  • TCP/UDP scans
  • OS identification
  • Account scans

10. Step 3: Exploits

  • CGI scripts
  • Web server attacks
  • Web browser attacks
  • SMTP (SendMail) attacks
  • IP spoofing
  • DNS poisoning
  • Buffer Overflows

11. Detection

  • Signature recognition
    • Patterns: well-known patterns of attack, e.g.
      • CGI patterns
      • TCP port scans
    • Port-based signatures: common ports are not in use, yet traffic is coming in or going out on such a port
    • Invalid protocol behavior
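
The three kinds of signature listed above, as an added example that is not part of the original slides: a small matcher run over constructed packet summaries (the packets, the allowed-port policy, the CGI traversal pattern and the scan threshold are all assumptions for illustration).

```python
import re
from collections import defaultdict

# Constructed packet summaries (not real captures):
# (src, dst, dst_port, proto, tcp_flags, payload)
PACKETS = [
    ("10.0.0.5", "192.168.1.10", 80, "tcp", "PA", "GET /cgi-bin/view?file=../../config HTTP/1.0"),
    ("10.0.0.5", "192.168.1.10", 80, "tcp", "PA", "GET /index.html HTTP/1.0"),
    ("10.0.0.9", "192.168.1.10", 31337, "tcp", "PA", "hello"),
    ("10.0.0.7", "192.168.1.10", 22, "tcp", "SF", ""),
] + [("10.0.0.8", "192.168.1.10", p, "tcp", "S", "") for p in range(20, 35)]

# Ports where the monitored host is expected to carry traffic (assumed policy).
SERVICE_PORTS = {22, 25, 53, 80, 443}
# Constructed CGI signature: directory traversal inside a /cgi-bin/ request.
CGI_PATTERN = re.compile(r"/cgi-bin/.*\.\./")
# A single source sending SYNs to this many distinct ports is treated as a scan.
SCAN_THRESHOLD = 10


def match_signatures(packets):
    """Return a list of (signature_name, source_ip) alerts in detection order."""
    alerts = []
    syn_ports_by_src = defaultdict(set)
    for src, _dst, dport, proto, flags, payload in packets:
        # Pattern signature: well-known attack string in the payload.
        if CGI_PATTERN.search(payload):
            alerts.append(("cgi-traversal", src))
        # Port-based signature: data flowing on a port no service should use.
        if proto == "tcp" and payload and dport not in SERVICE_PORTS:
            alerts.append(("unexpected-port", src))
        # Invalid protocol behaviour: SYN and FIN set in the same segment.
        if proto == "tcp" and "S" in flags and "F" in flags:
            alerts.append(("invalid-tcp-flags", src))
        # Collect bare SYNs per source for the port-scan signature.
        if proto == "tcp" and flags == "S":
            syn_ports_by_src[src].add(dport)
    for src, ports in syn_ports_by_src.items():
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append(("tcp-port-scan", src))
    return alerts


if __name__ == "__main__":
    for name, src in match_signatures(PACKETS):
        print(f"ALERT {name} from {src}")
```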

12. Detection

  • Anomaly detection
    • Some action or data that is not considered normal for a given system, user, or network.
    • Can be indicated by a change in CPU utilization, disk activity, user logins, file activity, increased traffic, and so forth
    • Advantage: detects unknown attacks/misuse

13. Detection

  • Anomaly detection: three statistical criteria
      • Number of events outside the expected range
        • e.g. login attempts > 3
      • A statistical measure goes outside its expected interval, e.g. the time to load a file on an FTP server
      • Markov model, if there is a sequence of events
        • Suppose the observed sequence is xyzhjzxyz
        • Then the probability of z coming after xy is 1, and so on
        • If there is a deviation from these probabilities, there is a problem
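
The three statistical criteria above, as an added example that is not part of the original slides: an event-count threshold, an interval check against a learned baseline, and the slide's Markov model over the sequence xyzhjzxyz (the login events, FTP timings, threshold values and the mean ± k·stdev interval rule are assumptions for illustration).

```python
from collections import Counter, defaultdict
from statistics import mean, stdev

# Constructed sample data (not real logs).
LOGIN_EVENTS = [("alice", "login_failed")] * 2 + [("bob", "login_failed")] * 5 + [("alice", "login_ok")]
FTP_BASELINE_SECS = [1.0, 1.2, 0.9, 1.1, 1.0, 1.3, 0.8, 1.1]   # normal file-load times
FTP_NEW_SAMPLES = [1.1, 4.5, 0.95]


def count_anomalies(events, limit=3):
    """Criterion 1: number of events above the expected range (failed logins > limit)."""
    counts = Counter(user for user, kind in events if kind == "login_failed")
    return {user for user, n in counts.items() if n > limit}


def interval_anomalies(baseline, samples, k=3.0):
    """Criterion 2: a measurement outside mean +/- k*stdev of the baseline (assumed interval rule)."""
    mu, sigma = mean(baseline), stdev(baseline)
    return [x for x in samples if abs(x - mu) > k * sigma]


class MarkovModel:
    """Criterion 3: transition probabilities over a sequence of events.

    With order=2 and training sequence 'xyzhjzxyz', P(z | xy) = 1, as on the slide.
    """

    def __init__(self, order=2):
        self.order = order
        self.next = defaultdict(Counter)   # context tuple -> Counter of following symbols

    def train(self, seq):
        for i in range(len(seq) - self.order):
            self.next[tuple(seq[i:i + self.order])][seq[i + self.order]] += 1

    def prob(self, ctx, sym):
        following = self.next.get(tuple(ctx))
        return following[sym] / sum(following.values()) if following else 0.0

    def anomalies(self, seq, threshold=0.2):
        """Positions whose transition probability is below threshold (unseen contexts count as 0)."""
        return [(i, seq[i - self.order:i], seq[i])
                for i in range(self.order, len(seq))
                if self.prob(seq[i - self.order:i], seq[i]) < threshold]


if __name__ == "__main__":
    print(count_anomalies(LOGIN_EVENTS), interval_anomalies(FTP_BASELINE_SECS, FTP_NEW_SAMPLES))
    m = MarkovModel(order=2)
    m.train("xyzhjzxyz")
    print(m.prob("xy", "z"), m.anomalies("xyzhjzxyq"))
```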

14. IDS (Intrusion Detection System)

  • An IDS should do
    • Event log analysis for inside threat detection
    • Network traffic analysis for perimeter threat detection
    • Security configuration management
    • File integrity checking

[Figure: IDS architecture; agents on hosts and on the network report to a director, which drives a notifier]

15. Components of IDS

    • Command console: a central commanding authority
    • Network sensor
    • Alert notification
    • Response subsystem
    • Database
    • Network tap(s)

16. Network Intrusion Detection System

  • NIDS: the system detects an intruder by sniffing or monitoring the network packets on the wire and matching them against a database of known attack patterns.
  • Architecture of NIDS
  • Network node: agents distributed on each critical target computer in the network, monitoring only the traffic bound for that individual target.
  • Sensor based: a sensor sits between two communicating computers, either stand-alone or on a network device, to monitor the whole network

17. Steps in NIDS

  • A network packet is born.
  • The packet is read in real time through a sensor (either a network sensor or a network node sensor).
  • The detection engine is used to identify predefined patterns of misuse.
  • If there is a match, the security officer is notified by audible alarm, e-mail, pager, visual alert, or SNMP. For example a beep or a .WAV file playing "You are under attack".
  • An alert is generated (either pre-defined or through the security officer).
  • A response to that alert is generated.

18. Steps in NIDS (Cont.)

  • Reconfigure the firewall/router
    • Filter out the IP address
    • Terminate (reset) the TCP connection
  • Alert is stored for later review
    • Timestamp, intruder IP address, victim IP address/port, protocol information
  • Reports are generated
  • Data logged for long-term trends

19. NIDS Limitations

  • Packet loss on high-speed networks
    • An intruder can hide in the lost packets
    • Node-based ID does not suffer from this issue
  • Switched networks: ATM
  • Encryption
      • Solutions: place the network sensor on the decrypted side of the VPN
      • Distributed network architecture with ID agents
      • Encrypted on the fly; putting the key on the router is itself a security threat
  • Packet reassembly
      • Many signatures can only be detected in the full reassembled string
  • Sniffer dete
