Intrusion Detection and Honeypots

CSC 482: Computer Security

Post on 06-Mar-2018


Topics

1. Definitions and Goals
2. Models of Intrusion Detection
3. Base Rate Fallacy
4. Honeypots: An Alternative Approach
5. Architecture of an IDS
6. Example IDS: snort
7. Active Response: Intrusion Prevention Systems (IPS)
8. Host-based IDS and IPS
9. IDS Evasion Techniques

IDS Terminology

Intrusion: Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking resources).

Intrusion detection: The identification, through intrusion signatures, and reporting of intrusion activities.

Intrusion prevention: The process of both detecting intrusion activities and managing automatic responsive actions throughout the network.

Goals of IDS

1. Detect a wide variety of intrusions
- Previously known and unknown attacks.
- Need to adapt to new attacks or changes in behavior.

2. Detect intrusions in a timely fashion
- May need to be real-time, especially when the system responds to the intrusion.
- Problem: analyzing commands may impact the response time of the system.
- May suffice to report that an intrusion occurred a few minutes or hours ago.

Goals of IDS (continued)

3. Present analysis in an easy-to-understand format
- Ideally a binary indicator.
- Usually more complex, allowing the analyst to examine the suspected attack.
- User interface is critical, especially when monitoring many systems.

4. Be accurate
- Minimize false positives and false negatives.
- Minimize time spent verifying attacks and looking for them.

Deep Packet Inspection

DPI = analysis of application layer data.

Protocol standard compliance: Is port 53 traffic DNS or a covert shell session? Is port 80 traffic HTTP or tunneled IM or P2P?

Protocol anomaly detection: Traffic is valid HTTP, but the suspicious URL contains a directory traversal.

Models of Intrusion Detection

1. Anomaly detection
- What is usual is known. What is unusual is bad.
- Statistical IDS.
- Need to update the profile so that it matches current usual activities on systems.

2. Misuse detection
- What is bad is known. Look for what is bad and hope it doesn't change.
- Rule-based IDS.
- Need to regularly update the database of intrusion signatures.

Possible Alarm Outcomes

                      Intrusion Attack    No Intrusion Attack
  Alarm Sounded       True Positive       False Positive
  No Alarm Sounded    False Negative      True Negative

Base-Rate Fallacy

- Difficult to create an IDS with a high true-positive rate and a low false-negative rate.
- If the number of actual intrusions is relatively small compared to the amount of data being analyzed, then the effectiveness of an intrusion detection system can be reduced.
- In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the base-rate fallacy.
- This type of error occurs when the probability of some conditional event is assessed without considering the "base rate" of that event.

Base-Rate Fallacy Example

Example case
- IDS is 99% accurate: 1% false positives or negatives.
- IDS generates 1,000,100 log entries.
- Base rate is 100 malicious events out of 1,000,100 examined.

Results
- Of 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative.
- Of 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives!
- Thus, 10,099 alarms are sounded, 10,000 of which are false alarms. Roughly 99% of our alarms are false alarms.
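To make the arithmetic on this slide reproducible, here is an added example (not from the slides) that fills the four cells of the alarm-outcome table from a base rate, a detection rate and a false-positive rate, computes P(intrusion | alarm) by Bayes' rule, and then repeats the slide's calculation for smaller false-positive rates to show that at this base rate only the false-positive rate moves the share of false alarms. The class and function names are my own.

```python
from dataclasses import dataclass


@dataclass
class AlarmOutcomes:
    """The four cells of the alarm-outcome table, as event counts."""
    true_positives: int
    false_negatives: int
    false_positives: int
    true_negatives: int

    @property
    def alarms(self) -> int:
        return self.true_positives + self.false_positives

    @property
    def false_alarm_fraction(self) -> float:
        """Share of sounded alarms that are false: 1 - precision."""
        return self.false_positives / self.alarms if self.alarms else 0.0


def evaluate_ids(total_events: int, malicious_events: int,
                 detection_rate: float, false_positive_rate: float) -> AlarmOutcomes:
    """Apply the detection rate to malicious events and the false-positive
    rate to benign events; counts are rounded to whole events."""
    benign_events = total_events - malicious_events
    tp = round(malicious_events * detection_rate)
    fp = round(benign_events * false_positive_rate)
    return AlarmOutcomes(tp, malicious_events - tp, fp, benign_events - fp)


def posterior_intrusion_probability(base_rate: float, detection_rate: float,
                                    false_positive_rate: float) -> float:
    """P(intrusion | alarm) by Bayes' rule; the base rate is the term the
    fallacy ignores."""
    hit = detection_rate * base_rate
    false_alarm = false_positive_rate * (1.0 - base_rate)
    return hit / (hit + false_alarm)


def slide_example() -> AlarmOutcomes:
    """The slide's numbers: 1,000,100 events, 100 malicious, 99% accurate."""
    return evaluate_ids(1_000_100, 100, 0.99, 0.01)


def false_alarm_fraction_by_fpr(total_events: int, malicious_events: int,
                                detection_rate: float, fprs) -> dict:
    """Repeat the slide's calculation for several false-positive rates at
    the same base rate (a generalization of the slide's single case)."""
    return {fpr: evaluate_ids(total_events, malicious_events,
                              detection_rate, fpr).false_alarm_fraction
            for fpr in fprs}


if __name__ == "__main__":
    r = slide_example()
    print(f"alarms={r.alarms}, false alarms={r.false_positives}, "
          f"false-alarm fraction={r.false_alarm_fraction:.3f}")
    print("P(intrusion | alarm) = "
          f"{posterior_intrusion_probability(100 / 1_000_100, 0.99, 0.01):.4f}")
    for fpr, frac in false_alarm_fraction_by_fpr(
            1_000_100, 100, 0.99, [0.01, 0.001, 0.0001, 0.00001]).items():
        print(f"FPR={fpr:<8g} false-alarm fraction={frac:.3f}")
```

With the slide's inputs the table is 99 true positives, 1 false negative, 10,000 false positives and 990,000 true negatives, so 10,000 of 10,099 alarms are false; cutting the false-positive rate to 0.01% still leaves about half of the alarms false.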

Honeypots and Honeynets

Honeypot: a system designed solely for intruders to attack in order to accomplish one or more of the following goals. Also known as a honeynet.

1. Detect intrusions with very few false positives, since legitimate users have no reason to access the honeypot.
2. Monitor attacker activities to determine targeted assets, origin, motivation, capabilities, etc.
3. Waste the intruder's time attacking the honeypot, so that the defender has time to respond to the incident.

Low Interaction Honeypots

- honeyd: responds to probes on a set of unused IP addresses via shell scripts that can return banners for simple scans like nmap -sV.
- nepenthes: emulates vulnerable Windows services to collect exploits and malware.
- Dionaea: scriptable honeypot designed to emulate a wide variety of vulnerable services to collect exploits and malware.
- Fakenet: simulates DNS, HTTP, and HTTPS to dynamically analyze malware. Returns reasonable responses to malware requests.

Medium Interaction Honeypots

Kippo is a medium interaction ssh honeypot designed to log brute force attacks and attacker shell commands. Inspired by Kojoney, a LI ssh honeypot.

- Fake filesystem with the ability to add/remove files.
- Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included.
- Saves files downloaded with wget for later inspection.
- Deception: ssh pretends to connect, apt-get pretends to install, etc.

High Interaction Honeypots

Honeywall sets up tools for HI honeypots.

- Environment simulation: virtual machines configured with appropriate tools for the next three tasks.
- Data control: firewalling tools to limit attacker activities to avoid damaging other systems.
- Data collection: network (snort) and keystroke loggers (Sebek kernel module).
- Data analysis: tools to extract relevant data from tcpdump logs and more.

Client Honeypots

Honeymonkey
- Microsoft Research project.
- Network of VMs running IE crawling the web in search of malicious sites that attempt to exploit browsers and distribute malware.
- Multiple versions of Windows and IE used.

Thug
- Low interaction client honeypot.
- Emulates multiple browsers and OSes.

Honeytokens

A honeytoken is data that is designed solely for attackers to abuse. Any access to the data is an indication of unauthorized use.

- Attempts to download honeytoken files or database records can be identified by a NIDS.
- Medical record systems will sometimes create fake records for celebrities and politicians.
- Mailing lists may contain email addresses published nowhere else that point to accounts that accept mail and record sender information.
- Maps contain fake streets, towns, or islands to identify when competitors copy the map.

IDS Components

(Diagram: an IDS manager and IDS sensors deployed among the routers between the untrusted Internet and the firewall.)

IDS Architecture

An IDS is essentially a sophisticated audit system.

- Sensors gather data for analysis from hosts or the network.
- Manager analyzes data obtained from sensors according to its internal rules.
- Notifier acts on manager results. May simply notify the security officer. May reconfigure sensors or manager to alter collection or analysis methods. May activate a response mechanism.

Host-Based Sensors

1. Obtain information from logs
- May use many logs as sources.
- May be security-related or not.
- May use virtual logs if the agent is part of the kernel.

2. Agent generates its own information
- Analyzes the state of the system.
- Treats results of the analysis as log data.

Network-Based Sensors

Sniff traffic from the network.
- Use hubs, SPAN ports, or taps to see traffic.
- Need sensors on all switches to see the entire network.
- Deep packet inspection (DPI).

Sensor needs the same view of traffic as the destination.
- Attacker may send packets with TTL set so that they arrive at the destination but expire before reaching the sensor.
- Packet fragmentation and reassembly works differently on different OSes, so the sensor sees a different packet than the destination in some cases.

End-to-end encryption defeats content monitoring, though not traffic analysis.

Aggregation of Information

Sensors produce information at multiple layers of abstraction.
- Application-monitoring sensors provide one view of an event.
- System-monitoring sensors provide a different view of an event.
- Network-monitoring sensors provide yet another view (involving many packets) of an event.

Notifier

Accepts information from the manager and takes appropriate action.
- Page, call, IM, or e-mail the security officer.
- Rate-limit contacts so a single problem does not result in an overwhelming flood of notices.
- Respond to the attack.

Often GUIs: use visualization to convey information.

Example: snort

Network Intrusion Detection System
- Sniffs packets off the wire.
- Checks packets for matches against rule sets.
- Logs detected signs of misuse.
- Alerts the administrator when misuse is detected.

Example Architecture: snort

(Diagram slide.)

Snort Rules

Rule header
- Action: pass, log, alert
- Network protocol
- Source address (host or network) + port
- Destination address (host or network) + port

Rule body
- Content: packet ASCII or binary content
- TCP/IP flags and options to match
- Message to log, indicating the nature of the misuse detected

Snort Rule Example

Example: rule for ssh shellcode exploit

    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:3;)
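An added example, not from the slides or the Snort project, that splits the rule above into the header fields and body options described on the previous slide, decodes the |..| hex content into bytes, and checks a constructed packet payload against it. The parser handles only the option syntax this rule uses (name:value pairs, repeated reference options, quoted values); names are my own.

```python
from dataclasses import dataclass, field

# The slide's rule, reproduced here as the parser's sample input.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
        '(msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; '
        'content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; '
        'reference:bugtraq,2347; reference:cve,CVE-2001-0144; '
        'classtype:shellcode-detect; sid:1326; rev:3;)')


@dataclass
class SnortRule:
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict = field(default_factory=dict)  # name -> value (list for reference)


def decode_content(spec: str) -> bytes:
    """Turn a content string into bytes: text outside |...| is literal ASCII,
    text inside |...| is space-separated hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                      # odd segments sit between pipes
            out.extend(int(h, 16) for h in part.split())
        else:
            out.extend(part.encode("ascii"))
    return bytes(out)


def split_options(body: str) -> list:
    """Split the option body on ';' while ignoring ';' inside double quotes."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur).strip())
    return parts


def parse_rule(text: str) -> SnortRule:
    header, _, body = text.partition("(")
    fields = header.split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError("unsupported rule header: " + header)
    rule = SnortRule(*fields)
    for opt in split_options(body.rstrip().rstrip(")")):
        name, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if name == "reference":        # may appear several times
            rule.options.setdefault("reference", []).append(value)
        else:
            rule.options[name] = value
    return rule


def payload_matches(rule: SnortRule, payload: bytes) -> bool:
    """Does the rule's content byte sequence occur in a packet payload?"""
    return decode_content(rule.options["content"]) in payload
```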

IDS Deployment

IDS deployment should reflect your threat model. Major classes of attackers:
1. External attackers intruding from the Internet.
2. Internal attackers intruding from your LANs.

Where should you place IDS systems?
1. Perimeter (outside firewall)
2. DMZ
3. Intranet
4. Wireless

IDS Deployment (diagram slide)

Sguil NSM Console (figure slide)

Intrusion Prevention Systems

What else can you do with IDS alerts?
- Identify an attack before it completes.
- Prevent it from completing.

How to prevent attacks?
- Directly: IPS drops packets, kills TCP sessions.
- Indirectly: IPS modifies firewall rules.

Is IPS a good idea? How do you deal with false positives?

IPS Deployment Types

(Diagram: Inline, with the IPS in the traffic path in front of the Intranet; Non-Inline, with the IPS off the path, alongside the Intranet.)

Active Responses by Network Layer

- Data Link: Shut down a switch port. Only useful for local intrusions. Rate limit switch ports.
- Network: Block a particular IP address. Inline: can perform the blocking itself. Non-inline: send a request to the firewall.
- Transport: Send TCP RST or ICMP messages to sender and target to tear down TCP sessions.
- Application: Inline IPS can modify application data to be harmless: /bin/sh -> /ben/sh

Great Firewall = Firewall + IPS

Host IDS and IPS

- Anti-virus and anti-spyware: AVG anti-virus, SpyBot S&D
- Log monitors: swatch, logwatch
- Integrity checkers: tripwire, osiris, samhain. Monitor file checksums, etc.
- Application shims: mod_security (usually called a WAF)

Evading IDS and IPS

Alter appearance to prevent a signature match
- URL encode parameters to avoid the match.
- Use ' or 783>412-- for SQL injection.

Alter context
- Change TTL so the IDS sees different packets than the target host receives.
- Fragment packets so that the IDS and target host reassemble the packets differently.

Fragment Evasion Techniques

Flood of fragments
- DoS via heavy use of CPU/RAM on the IDS.

Tiny fragment
- Break the attack into multiple fragments, none of which match the signature.
- ex: frag 1: "cat /etc", frag 2: "/shadow"

Overlapping fragments
- Offset of later fragments overwrites earlier fragments.
- ex: frag 1: "cat /etc/fred", frag 2: offset=10, "shadow"
- Different OSes deal differently with overlapping.

Web Evasion Techniques

URL encoding
- GET /%63%67%69%2d%62%69%6e/bad.cgi

/./ directory insertion
- GET /./cgi-bin/./bad.cgi

Long directory insertion
- GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi
- IDS may only read the first part of the URL for speed.

Tab separation
- GET<tab>/cgi-bin/bad.cgi
- Tabs usually work on servers, but may not be in the signature.

Case sensitivity
- GET /CGI-BIN/bad.cgi
- Windows filenames are case insensitive, but the signature may not be.

Countering Evasion

Keep IDS/IPS signatures up to date.
- On a daily or weekly basis.

Use both host and network IDS/IPS.
- Host-based is harder to evade as it runs on the host.
- Fragment attacks can't evade a host IDS.
- Network IDS still useful as an overall monitor.

Tune IDS/IPS based on experience to handle:
- False positives
- False negatives
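The normalization a network sensor needs so that it sees the same path the server resolves, as an added example (not from the slides) that canonicalizes the five request lines from the Web Evasion Techniques slide before comparing them with the /cgi-bin/bad.cgi signature, beside a naive substring check for contrast. The request lines are constructed; decoding is repeated to cover double encoding, which goes beyond the slide; and case folding is a per-target setting, since the case-sensitivity trick only works against servers that fold case.

```python
import posixpath
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/bad.cgi"   # the path every evasion on the slide targets

# Constructed request lines: the slide's five evasions plus one benign request.
REQUESTS = [
    "GET /%63%67%69%2d%62%69%6e/bad.cgi HTTP/1.0",                            # URL encoding
    "GET /./cgi-bin/./bad.cgi HTTP/1.0",                                       # /./ insertion
    "GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi HTTP/1.0",  # long directory
    "GET\t/cgi-bin/bad.cgi\tHTTP/1.0",                                         # tab separation
    "GET /CGI-BIN/bad.cgi HTTP/1.0",                                           # case
    "GET /index.html HTTP/1.0",                                                # benign
]


def naive_matches(line: str) -> bool:
    """A signature check on the raw line: split on a single space and look
    for the signature as a substring of the second field."""
    parts = line.split(" ")
    return len(parts) > 1 and SIGNATURE in parts[1]


def request_path(line: str) -> str:
    """Pull the path out of a request line, splitting on any whitespace so a
    tab between method and path is accepted the way servers accept it."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed request line: " + repr(line))
    return parts[1]


def normalize_path(raw_path: str, case_insensitive_target: bool = False,
                   max_decode: int = 3) -> str:
    """Canonicalize a request path into the form the target server resolves."""
    path = raw_path.split("?", 1)[0]            # ignore the query string
    for _ in range(max_decode):                 # undo %XX, repeated for double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = posixpath.normpath(path)             # collapse /./ and dir/../ segments
    if not path.startswith("/"):
        path = "/" + path
    if case_insensitive_target:                 # only where the server folds case
        path = path.lower()
    return path


def matches_signature(line: str, case_insensitive_target: bool = False) -> bool:
    return normalize_path(request_path(line), case_insensitive_target) == SIGNATURE


def scan(lines, case_insensitive_target: bool = False) -> list:
    """Return the request lines that hit the signature after normalization."""
    return [line for line in lines if matches_signature(line, case_insensitive_target)]


if __name__ == "__main__":
    for line in REQUESTS:
        print(f"naive={str(naive_matches(line)):<5} "
              f"normalized={str(matches_signature(line, True)):<5} {line!r}")
```

The naive check catches only the long-directory variant; the normalized check catches the first four, and the fifth only when the target is declared case-insensitive.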

Key Points

1. Models of IDS:
- Anomaly detection: unexpected events (statistical IDS).
- Misuse detection: violations of policy (rule-based IDS).

2. IDS Architecture: sensors, manager, notifier.

3. Host vs. Network IDS
- Host: agent on the host checks files and processes to detect attacks.
- Network: sniffs and analyzes packets to detect intrusions.

4. IPS
- Stops intrusions, but what about false positives?
- Inline vs. non-inline: how do prevention techniques differ?

5. IDS/IPS Evasion
- Alter appearance to avoid a signature match.
- Alter context so the IDS interprets differently than the host.

Key Points: Honeypots

6. Honeypots deceive attackers
   1. Identify intrusions with low false positive rates.
   2. Learn more about intrusions, esp. with HI honeypots.
   3. Interaction levels: low, medium, high
   4. Honeyclients and honeytokens
