intrusion detection


Post on 04-Nov-2014









1. INTRUSION DETECTION
By: Umesh Dhital

2. PRESENTATION OUTLINE (10/27/2010)
- Introduction: What? Why?
- History
- Typical Intrusion Scenario
- Types of Attacks
- What an IDS does
- Types of IDS: based on detection approach (advantages/disadvantages); based on protected system (network-based / host-based detection)
- Evaluation of IDS
- Commercially available IDS: Snort
- References
- Q/A

3. WHAT IS AN INTRUSION DETECTION SYSTEM?
- Intrusion: any unauthorized access, non-permitted attempt to access or damage, or malicious use of information resources
- Intrusion Detection: detection of break-ins and break-in attempts via automated software systems
- Intrusion Detection Systems (IDS): defense systems which detect, and possibly prevent, intrusion activities

4. WHAT IS NOT AN IDS?
- Network logging systems
- Security scanners: vulnerability assessment tools that check for flaws in the OS or network
- Antivirus products
- Security/cryptographic systems, e.g. VPN, SSL, Kerberos
- Firewalls

5. WHY IDS?
- Straightforward reason: to protect data and system integrity
- Fact: this cannot be done with ordinary password and file security alone
- Misconception: "A network firewall will keep the bad guys off my network, right? My anti-virus will recognize and get rid of any virus I might catch, right? And my password-protected access control will stop the office cleaner trawling through my network after I've gone home, right? So that's it, I'm fully protected."

6. HERE IS THE REALITY
- Anti-virus systems are only good at detecting viruses they already know about
- Passwords can be hacked, stolen, or changed by others
- Firewalls DO NOT recognize attacks and block them: a firewall is simply a fence around your network, with no capacity to detect that someone is trying to break in (digging a hole underneath it), and it cannot determine whether somebody coming through the gate is allowed to enter or not
- Roughly 80% of financial losses come from hacking inside the network: BEWARE OF INTERNAL INTRUDERS
- Example: in April 1999, many sites were hacked via a bug in ColdFusion. All had firewalls blocking all access except port 80, but it was the web server itself that was hacked.

7. ID - A BRIEF HISTORY
- 1980: James Anderson's paper "Computer Security Threat Monitoring and Surveillance"; the concept of detecting misuse and specific user events emerged
- 1984: Dr. Dorothy Denning and SRI developed the first model for intrusion detection; the Intrusion Detection Expert System was developed
- 1988: the Haystack Project at a University of California lab released an intrusion detection system for the US Air Force
- 1989: the commercial company Haystack Labs released Stalker
- 1990: UC's Todd Heberlein introduced the idea of a Network Detection System and developed the Network Security Monitor; SAIC developed the Computer Misuse Detection System

8. HISTORY CONTD..
- The US Air Force developed the Automated Security Measurement System
- The ID market gained popularity around 1997
- 1998: ISS developed RealSecure; Cisco purchased the Wheel Group; the first host-based detection company, Centrax Corporation, emerged
- Currently IDS is the top-selling security technology
- Source: (not captured)

9. TYPICAL INTRUSION SCENARIO
- Information gathering: find as much information as possible; whois lookups and DNS zone transfers; normal browsing to gather important information
- Further information gathering: ping sweeps, port scanning; web server vulnerabilities; versions of applications/services
- Attack!: start trying out different attacks; UNICODE attack if IIS is installed; try to find misconfigured running services; passive attack / active attack
- Successful intrusion: install own backdoors and delete log files; replace existing services with own Trojan horses that have backdoor passwords, or create own user accounts
- Fun and profit: steal confidential information; use the compromised host to launch further attacks; change the web site for FUN

10. (figure slide, no text)

11. TYPES OF ATTACK
- Unauthorized access to resources: password cracking; spoofing, e.g. DNS spoofing; scanning ports and services; network packet listening; stealing information; unauthorized network access; use of IT resources for private purposes
- Unauthorized alteration of resources: falsification of identity; information altering and deletion; unauthorized transmission and creation of data; configuration changes to systems and network services

12. TYPES OF ATTACK CONTD..
- Denial of service: flooding; ping flood; mail flood
- Compromising a system: buffer overflow; remote system shutdown; web application attack
- Most attacks are not a single attack but a series of individual events carried out in a coordinated manner

13. (figure slide; Source: not captured)

14. WHAT AN IDEAL IDS IS SUPPOSED TO DO
- Identify possible incidents: detect that an attacker has compromised a system; report to the administrator
- Log information: keep a log of suspicious activities
- Can be configured to recognize violations of security policies: e.g. monitor file transfers such as copying a large database onto a user's laptop
- Identify reconnaissance activity: attack tools and worms perform reconnaissance activity such as host and port scans

15. IDS CLASSIFICATION (figure slide; Source: not captured)

16. IDS TYPES: BASED ON DETECTION APPROACH
- Knowledge-based or signature-based
- Behavior-based or anomaly-based
- Knowledge-based: matching signatures of well-known attacks against state changes in systems or the stream of packets flowing through the network
- Examples of signatures: a telnet attempt with username "root", which is a violation of an organization's security policy; an e-mail with the subject "Free Pictures" and an attachment freepics.exe, characteristic of a piece of malware

17. ADVANTAGES / DISADVANTAGES OF KB-IDS
- Very few false alarms
- Very effective at detecting previously known threats
- Ineffective at detecting new threats, or threats disguised by the use of evasion techniques
- Compares a current unit of activity (e.g. a network packet or a log entry) to a list of signatures using string comparison operations
- Little understanding of network or application protocols and cannot track the state of complex communication, e.g. cannot pair a request with the corresponding response
- Cannot remember a previous request while processing the current request

18. BEHAVIOR-BASED IDS
- Compares normal events against observed events to identify significant deviation
- Has profiles representing the normal behavior of users, hosts, network connections, or applications
- Profiles are developed by monitoring the characteristics of typical activity over a period of time
- Profiles can cover behavioral attributes such as the number of emails sent by a user, the number of failed logins for a host, the level of processor usage, etc.
- Example: a profile for a network might show that, on average, 13% of network bandwidth is due to web activities during typical workday hours. The IDS can then use statistical methods to compare the current web activity bandwidth with the expected one and alert the administrator if an unusually high share of bandwidth is being occupied by web activities.

19. STATIC VS. DYNAMIC PROFILES
- Profiles are generated over a period of time (days or sometimes weeks)
- A static profile is unchanged unless a new profile is required to be generated
- A change in systems and/or networks makes a static profile inaccurate (generate it again)
- Dynamic profile defect: susceptible to evasion attempts from attackers who frequently perform malicious activity

20. ADVANTAGES / DISADVANTAGES OF BB-IDS
- Very effective at detecting unknown threats. Example: suppose a computer is infected with a new type of malware. The malware consumes a large share of the computer's processor resources, sends a large number of emails, and initiates a large number of network connections. This is definitely significantly different behavior from the established profiles.
- High false alarm rate: all activities excluded during the training phase
- Making a profile is very challenging

21. NETWORK-BASED INTRUSION DETECTION
- IDS are placed on the network, near the system(s) being monitored
- Monitors network traffic for particular network segments or devices
- The network interface card is placed in promiscuous mode to capture all network traffic
- Sensors are placed on the network segment to check the packets
- Primary types of signatures: string signature; port signature; header condition signature

22. NETWORK-BASED INTRUSION DETECTION CONTD..
- String signature: look for text/strings that may indicate a possible attack. Example: on a UNIX system, cat + + > /.rhosts
- Port signature: watch for connection attempts to well-known, frequently attacked ports. Example: telnet (TCP port 23), FTP (TCP ports 21/20). The ports are not in use, but packets are arriving for them.
- Header signature: watch for dangerous or illogical combinations of packet headers. Example: a TCP packet with both the SYN and FIN flags set, i.e. a request that wishes to start and stop the connection at the same time.
- Limitations: cannot detect attacks in encrypted network traffic (e.g. HTTPS, VPN); IDS sensors are themselves susceptible to various attacks; a large volume of traffic can crash the IDS sensor itself

23. (figure slide; Source: not captured)

24. HOST-BASED IDS
- A piece or pieces of software on the system to be monitored
- Uses log files and the network traffic in/out of that host as its data source
- Monitors: incoming packets; login activities; root activities; file systems
- Host-based IDS
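Slides 16, 17, 21 and 22 describe knowledge-based detection as string comparison of each packet against a signature list, with three signature kinds (string, port, header condition). The following added example, which is not code from the presentation, shows a toy sensor implementing all three over a handful of constructed packet records, plus the slide-17 weakness: because matching is plain string comparison, a trivially reworded payload slips past the string signature. The `Packet` class, the signature names and the sample traffic are all assumptions made for this example.

```python
"""Toy signature-based network IDS (added example, not from the slides).

Implements the three signature types named in the presentation:
  - string signature: a byte pattern in the payload
  - port signature: a connection attempt to a well-known, frequently attacked port
  - header condition signature: an illogical TCP flag combination (SYN and FIN)
All packet records below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int                                  # destination TCP port
    flags: set = field(default_factory=set)     # TCP flags, e.g. {"SYN", "FIN"}
    payload: bytes = b""


# Constructed sample traffic (hypothetical addresses).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.20", 80, {"ACK"}, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.20", 23, {"SYN"}),                          # telnet attempt
    Packet("10.0.0.9", "10.0.0.20", 443, {"SYN", "FIN"}),                  # start-and-stop at once
    Packet("10.0.0.7", "10.0.0.20", 514, {"ACK"}, b"cat + + > /.rhosts\n"),  # slide-22 string example
    Packet("10.0.0.5", "10.0.0.20", 80, {"ACK"}, b"GET /about HTTP/1.1"),
    # Same command with an extra space: equivalent to the shell, but a
    # byte-for-byte comparison no longer matches (slide 17: evasion).
    Packet("10.0.0.7", "10.0.0.20", 514, {"ACK"}, b"cat +  + > /.rhosts\n"),
]

# Signature lists (names are assumptions for this example).
STRING_SIGNATURES = {"rhosts-trust-wildcard": b"+ + > /.rhosts"}
PORT_SIGNATURES = {23: "telnet", 21: "ftp-control", 20: "ftp-data"}


def header_condition(p: Packet):
    """Header condition signature: SYN and FIN set together is illogical."""
    if {"SYN", "FIN"} <= p.flags:
        return "tcp-syn-fin"
    return None


def match_signatures(p: Packet):
    """Compare ONE unit of activity against every signature.

    Exactly as slide 17 says, there is no state: nothing here remembers the
    previous packet or pairs a request with its response.
    """
    hits = []
    for name, needle in STRING_SIGNATURES.items():
        if needle in p.payload:
            hits.append(("string", name))
    if p.dport in PORT_SIGNATURES:
        hits.append(("port", PORT_SIGNATURES[p.dport]))
    cond = header_condition(p)
    if cond:
        hits.append(("header", cond))
    return hits


def run_sensor(packets):
    """Return one alert tuple per (packet, signature) hit."""
    alerts = []
    for i, p in enumerate(packets):
        for kind, name in match_signatures(p):
            alerts.append((i, kind, name, p.src, p.dst, p.dport))
    return alerts


if __name__ == "__main__":
    for alert in run_sensor(SAMPLE):
        print("ALERT pkt=%d type=%s sig=%s %s -> %s:%d" % alert)
```

Running it yields three alerts (packets 1, 2 and 3) and none for packet 5, the respaced copy of the same command; that silent miss is the point of the slide-17 bullets on evasion and on having no protocol understanding, and it is why real sensors normalise traffic before matching.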
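Slides 18 and 19 explain behavior-based detection through a profile of the share of bandwidth used by web traffic (about 13% on a typical workday hour) and contrast static with dynamic profiles. The added example below is not code from the presentation: it trains a profile from constructed hourly samples, flags an observation whose z-score exceeds a threshold, and then replays one slowly rising series against both a static profile and a dynamic one that keeps re-centering itself on what it sees. The training values, the threshold, the exponential-moving-average update and the `creep_series` ramp are assumptions made for this example.

```python
"""Toy behavior-based (anomaly) IDS (added example, not from the slides).

Profile attribute: fraction of total bandwidth used by web traffic per hour.
Training data, threshold and the dynamic-update rule are all constructed.
"""
import statistics

# Constructed training data: ten "typical workday" hours, averaging 13%.
TRAINING = [0.12, 0.14, 0.13, 0.11, 0.15, 0.13, 0.12, 0.14, 0.13, 0.13]


class StaticProfile:
    """Profile fixed at training time (slide 19: regenerate it if the network changes)."""

    def __init__(self, samples, threshold=3.0):
        self.mean = statistics.mean(samples)
        self.stdev = statistics.stdev(samples)
        self.threshold = threshold          # z-score beyond which we alert

    def score(self, value):
        """How many standard deviations the observation is from the expected value."""
        return (value - self.mean) / self.stdev

    def is_anomalous(self, value):
        return abs(self.score(value)) > self.threshold


class DynamicProfile(StaticProfile):
    """Same test, but the baseline follows observations (exponential moving average).

    This is the slide-19 'defect': every observation, flagged or not, pulls the
    mean toward itself, so a baseline can be walked upward gradually.
    """

    def __init__(self, samples, threshold=3.0, alpha=0.5):
        super().__init__(samples, threshold)
        self.alpha = alpha                  # weight given to the newest observation

    def observe(self, value):
        anomalous = self.is_anomalous(value)
        self.mean = (1 - self.alpha) * self.mean + self.alpha * value
        return anomalous


def creep_series(start=0.14, step=0.01, n=17):
    """Constructed series: web share rises one point per hour, 14% up to 30%."""
    return [round(start + i * step, 4) for i in range(n)]


def compare_profiles(training, series):
    """Count alerts raised by each profile type over the same series.

    Returns (static_alerts, dynamic_alerts, final_dynamic_mean).
    """
    static = StaticProfile(training)
    dynamic = DynamicProfile(training)
    static_alerts = sum(static.is_anomalous(v) for v in series)
    dynamic_alerts = sum(dynamic.observe(v) for v in series)
    return static_alerts, dynamic_alerts, dynamic.mean


if __name__ == "__main__":
    profile = StaticProfile(TRAINING)
    print("expected web share: %.1f%% (stdev %.2f points)" % (100 * profile.mean, 100 * profile.stdev))
    for observed in (0.14, 0.40):
        print("observed %.0f%% -> z=%.1f anomalous=%s"
              % (100 * observed, profile.score(observed), profile.is_anomalous(observed)))
    s, d, m = compare_profiles(TRAINING, creep_series())
    print("slow ramp: static alerts=%d, dynamic alerts=%d, dynamic mean drifted to %.1f%%" % (s, d, 100 * m))
```

With this training set the expected share is 13% with a spread of about 1.15 points, so a 40% hour is flagged at once while 14% is not. Over the 17-hour ramp the static profile alerts on every hour from 17% upward (14 alerts); the dynamic profile never alerts, because each hour's share is within two points of a mean that has quietly drifted to about 28%. That contrast is the reason the slide lists dynamic profiles as susceptible to evasion, and in practice a dynamic baseline should be updated only from observations that were not themselves flagged, and re-validated periodically.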

