intrusion detection methods

Post on 06-Jan-2016

Intrusion Detection Methods (PowerPoint PPT presentation)


  • Intrusion Detection Methods

    "Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources."

  • The Seven Fundamentals
    - What are the methods used?
    - How are IDS organized?
    - What is an intrusion?
    - How do we trace, and how do they hide?
    - How do we correlate information?
    - How can we trap intruders?
    - Incident response

  • Some fundamental questions
    - Are ID methods only suited for manual use by experts?
    - Are ID methods well defined enough to be automated?
    - What are some of the manual methods used by experts?
    - What ID methods are available in tools today?

  • ID methods
    - Audit trail processing
    - On-the-fly processing
    - Profiles of normal behavior
    - Signatures of abnormal behavior
    - Parameter pattern matching or anomaly discovery
    - Are the above methods independent? Dependent? Mutually exclusive?

  • Audit Trail Processing
    - Activities are first logged and stored in a log file via audit probes.
    - Audit probes are [mostly] selected based on what constitutes security-critical events.
    - System and security administrators (and designers) are charged with enabling/disabling probes.
    - Auditing vs. performance? What are the issues?
    - What are the TCSEC requirements for Audit? (See page 40)

  • Case study: TCP logs

    [Diagram: internal net (in) and external net (out) joined by a router/gateway that writes the log]

  • Case study: TCP logs (cont.)


  • How much of the previous discussion can be automated?

  • Examples of things to watch for!
    - Users logging in at strange hours
    - Unexpected reboots or clock changes
    - Unusual error messages
    - Failed login attempts
    - Unauthorized use of the su command
    - Users logging in from unusual locations

  • Problems to be considered while using logging systems

    Most administrators don't collect audits, and if they do, they rarely process them!

  • Problems to be considered while using logging systems (cont.)
    - Large size of audit files
      - About 5M per week for a workgroup server
      - Becomes more problematic for centralized logging

  • Problems to be considered while using logging systems (cont.)

    - Degraded system performance
      - Reached 85% on some typical Unix and NT systems

  • Problems to be considered while using logging systems (cont.)

    - Difficulty in protecting the log
      - Log files growing smaller!
      - Print everything

  • Problems to be considered while using logging systems (cont.)

    - Unknown storage duration of logs
      - How long should logs be kept?
      - How long are they kept on your Linux system?

  • Unix Syslog
    - Syslogd is a daemon (background process)
    - Receives messages for the log file from:
      - User processes running on the same machine (as syslogd), via /dev/log
      - Kernel routines (/dev/klog)
      - Processes on another machine, via UDP port 514
    - Syslogd defines an associated API for application authors

  • Sample syslog configuration

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    kern.*                                          /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none        /var/log/messages

    # The authpriv file has restricted access.
    authpriv.*                                      /var/log/secure

    # Log all the mail messages in one place.
    mail.*                                          /var/log/maillog

    # Everybody gets emergency messages, plus log them on another
    # machine.
    *.emerg                                         *

    # Save mail and news errors of level err and higher in a
    # special file.
    uucp,news.crit                                  /var/log/spooler


  • /var/log/messages (excerpt)

    F25 21:37:44 rnd PAM_pwdb[17775]: (sshd) session opened for user sherif by (uid=0)
    F25 21:40:00 rnd CROND[17784]: (root) CMD ( /sbin/rmmod -as)
    F25 21:42:18 rnd PAM_pwdb[17789]: (sshd) session opened for user sherif by (uid=0)
    F25 21:50:01 rnd CROND[17813]: (root) CMD ( /sbin/rmmod -as)
    F25 21:51:24 rnd PAM_pwdb[17789]: (sshd) session closed for user sherif
    F25 21:52:27 rnd PAM_pwdb[17775]: (sshd) session closed for user sherif
    F25 22:00:00 rnd CROND[17851]: (root) CMD ( /sbin/rmmod -as)
    F25 22:01:00 rnd CROND[17856]: (root) CMD (run-parts /etc/cron.hourly)
    F25 22:10:00 rnd CROND[17887]: (root) CMD ( /sbin/rmmod -as)
    F25 22:20:01 rnd CROND[17969]: (root) CMD ( /sbin/rmmod -as)
    F25 22:30:00 rnd CROND[17999]: (root) CMD ( /sbin/rmmod -as)
    F25 22:40:01 rnd CROND[18034]: (root) CMD ( /sbin/rmmod -as)
    F25 22:50:00 rnd CROND[18061]: (root) CMD ( /sbin/rmmod -as)
    F25 23:00:00 rnd CROND[18087]: (root) CMD ( /sbin/rmmod -as)
    F25 23:01:01 rnd CROND[18092]: (root) CMD (run-parts /etc/cron.hourly)
    F25 23:10:01 rnd CROND[18123]: (root) CMD ( /sbin/rmmod -as)
    F25 23:20:00 rnd CROND[18149]: (root) CMD ( /sbin/rmmod -as)
    F25 23:30:00 rnd CROND[18175]: (root) CMD ( /sbin/rmmod -as)
    F25 23:40:00 rnd CROND[18201]: (root) CMD ( /sbin/rmmod -as)
    F25 23:50:01 rnd CROND[18228]: (root) CMD ( /sbin/rmmod -as)
    F26 00:00:00 rnd CROND[18264]: (root) CMD ( /sbin/rmmod -as)
    F26 00:01:01 rnd CROND[18269]: (root) CMD (run-parts /etc/cron.hourly)
    F26 00:10:00 rnd CROND[18302]: (root) CMD ( /sbin/rmmod -as)
    F26 00:20:01 rnd CROND[18352]: (root) CMD ( /sbin/rmmod -as)
    F26 00:28:17 rnd PAM_unix[18386]: (system-auth) session opened for user root by sherif(uid=500)
    F26 00:30:00 rnd CROND[18426]: (root) CMD ( /sbin/rmmod -as)

  • /var/log/mail (excerpt)

    F25 22:32:22 rnd sendmail[18009]: g1PKU1x18007:to=,delay=00:02:21, xdelay=00:00:03, mailer=esmtp, pri=589605, [],dsn=2.0.0, stat=Sent (ok dirdel)
    F25 22:32:42 rnd sendmail[18009]: g1PKU1x18007:to=,delay=00:02:41, xdelay=00:00:20, mailer=esmtp, pri=589605, [],dsn=2.0.0, stat=Sent (g1PJVqt94451 Message accepted for delivery)

  • SWATCH
    - Simple and effective tool
    - Written in Perl

    /pattern/[, /pattern/] action[,action] duration
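As an added example (not part of the slides and not SWATCH's own code), the Python below applies SWATCH-style pattern/action rules to syslog lines shaped like the /var/log/messages excerpt above, encoding three of the deck's "things to watch for": a root session opened by an ordinary user, logins at strange hours, and failed login attempts. The 06:00-21:59 working window, the guest session and the sshd failure line are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed lines in the style of the slide's /var/log/messages excerpt;
# the 'guest' session and the sshd failure are made up for this example.
SAMPLE_LOG = """\
F25 21:37:44 rnd PAM_pwdb[17775]: (sshd) session opened for user sherif by (uid=0)
F25 22:00:00 rnd CROND[17851]: (root) CMD ( /sbin/rmmod -as)
F26 00:28:17 rnd PAM_unix[18386]: (system-auth) session opened for user root by sherif(uid=500)
F26 03:12:05 rnd PAM_pwdb[18500]: (sshd) session opened for user guest by (uid=0)
F26 03:12:40 rnd sshd[18511]: Failed password for invalid user admin from 10.0.0.9
"""

# Syslog line shape: <date> <hh:mm:ss> <host> <tag>[pid]: <message>
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<hh>\d{2}):\d{2}:\d{2} (?P<host>\S+) "
                     r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

@dataclass
class Rule:
    name: str
    pattern: re.Pattern                                   # the SWATCH-style /pattern/
    check: Callable[[dict], bool] = lambda fields: True   # optional test on parsed fields

def off_hours(fields: dict) -> bool:
    """Assumed working window 06:00-21:59; anything else is a 'strange hour'."""
    return not 6 <= int(fields["hh"]) < 22

RULES = [
    # 'session opened for user root by NAME(uid=N)' where N is not 0: an su to root
    Rule("root session opened by non-root user",
         re.compile(r"session opened for user root by \w+\(uid=(?!0\))")),
    Rule("login at strange hours", re.compile(r"session opened for user"), off_hours),
    Rule("failed login attempt", re.compile(r"Failed password|authentication failure")),
]

def scan(log: str) -> List[Tuple[str, str]]:
    """Return (rule name, line) for every rule that fires on every syslog line."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                      # not syslog-shaped; skip it
        fields = m.groupdict()
        for rule in RULES:
            if rule.pattern.search(line) and rule.check(fields):
                hits.append((rule.name, line))
    return hits
```

Run against the sample, the root-by-sherif line at 00:28 fires two rules (su to root, strange hour), which is the kind of correlation the deck asks about.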

  • Case Study: SecureView Firewall-1 Audit

    [Diagram: Intranet and Internet separated by Firewall-1 devices; the Firewall-1 log and other logs feed log-processing tools, a database builder and a data mart, with a reporting module and an admin module for the security administrator (SecureIT SecureView)]

  • Mar 2 23:53:51 -> VECNA ****P***
    Mar 2 23:54:33 -> VECNA ****P***
    Mar 2 23:55:39 -> VECNA ****P***
    Mar 2 23:56:44 -> VECNA ****P***
    Mar 2 23:57:50 -> VECNA ****P***
    Mar 2 23:58:49 -> VECNA ****P***
    Mar 3 00:00:00 -> VECNA ****P***
    Mar 3 00:01:01 -> VECNA ****P***
    Mar 3 00:02:05 -> VECNA ****P***
    Mar 3 00:03:11 -> VECNA ****P***
    Mar 3 00:04:14 -> VECNA ****P***

  • On-the-fly processing
    - Timeliness
    - Processing method
    - Storage requirements
    - Information capacity

  • Network management and NIDS
    - Use SNMP and RMON (RFC 1271) as a basis for ID collection and processing
    - Analyze traffic history and statistics
    - Examine network trends
    - Initiate alarms
    - Traffic generation for testing

  • Case Study: NFR

    [Diagram: traffic from the target system enters the packet sucker and goes to the decision engine, which runs filters 1, 2, 3 ... N and writes to backends; a query GUI and an alert manager sit on top]

  • Methods for extracting traffic from the network for processing
    - In-line diversion of traffic by network components
    - Off-line extraction (passive sniffing)
      - Most used: Ethernet promiscuous mode
      - Other examples: serial lines, wireless networks, the Tempest effect (aka the van Eck effect)

  • Case Study: BorderGuard Firewall Extraction for NetRanger Processing

    [Diagram: gateway traffic between the protected system and the target system passes through the BorderGuard firewall, which diverts traffic to the NSX device (local intrusion monitoring function) for NetRanger intrusion detection]

  • Normal Behavior profiling
    - Initial profiling of new systems and users based on estimations of expected behavior
    - Observed user and system behavior should be used to fine-tune profiles
    - Information from other (external) resources is used to improve the accuracy of prediction

  • Case study: IDES model
    - Audit trail information is collected in protected logs
    - Profile-based tools are used for off-line analysis

  • Case study: IDES model (cont.)

    Subjects and objects: from the classical INFOSEC view, the initiator and the target of an activity

  • Case study: IDES model (cont.)
    - Profile: characterization of behavior
    - Audit records: the data structures used to capture the system's observed behavior
    - Anomaly records: the data structures used to capture anomalous behavior
    - Alarms: problem reporting methods
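As an added example (not from the slides and not SRI's IDES code), this Python sketch uses the IDES vocabulary: it builds a profile of each subject's normal behavior from a training window of audit records, then scores new records and emits anomaly records for rare or never-seen activity. The day/night split, the 5% rarity threshold, the host and user names and all audit records are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class AuditRecord:           # IDES 'audit record': who acted on what, and when
    subject: str             # initiator, e.g. a user
    obj: str                 # target, e.g. a host or program
    hour: int                # 0-23

@dataclass
class Profile:               # IDES 'profile': one subject's normal behavior
    total: int = 0
    objects: Counter = field(default_factory=Counter)
    periods: Counter = field(default_factory=Counter)

def period(hour: int) -> str:
    """Assumed split of the day for this example; 'night' is 22:00-05:59."""
    return "night" if hour < 6 or hour >= 22 else "day"

def build_profiles(records: List[AuditRecord]) -> Dict[str, Profile]:
    profiles = defaultdict(Profile)
    for r in records:
        p = profiles[r.subject]
        p.total += 1
        p.objects[r.obj] += 1
        p.periods[period(r.hour)] += 1
    return dict(profiles)

def score(p: Profile, r: AuditRecord, rare: float = 0.05) -> int:
    """One point per measure whose value is rarer than `rare` in the subject's history."""
    f_obj = p.objects[r.obj] / p.total          # never-seen object -> 0.0
    f_per = p.periods[period(r.hour)] / p.total
    return int(f_obj < rare) + int(f_per < rare)

def detect(profiles: Dict[str, Profile], records: List[AuditRecord], threshold: int = 1):
    """Emit an IDES-style 'anomaly record' (record, reason) at or above threshold."""
    anomalies = []
    for r in records:
        p = profiles.get(r.subject)
        if p is None:                 # unprofiled subject: flag until a profile exists
            anomalies.append((r, "no profile for subject"))
        elif (s := score(p, r)) >= threshold:
            anomalies.append((r, f"score={s}"))
    return anomalies
# Constructed training window: sherif works on host 'rnd' during the day.
TRAINING = [AuditRecord("sherif", "rnd", h) for h in range(8, 18)] * 2
NEW = [AuditRecord("sherif", "rnd", 10),          # constructed: normal
       AuditRecord("sherif", "rnd", 0),           # constructed: strange hour
       AuditRecord("sherif", "root-shell", 0),    # constructed: new object + strange hour
       AuditRecord("visitor", "rnd", 11)]         # constructed: no profile yet
```

The deck's own point carries over: the profile is only as good as the training window, so the observed behavior should be fed back to fine-tune it rather than frozen at the initial estimate.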

  • Toll fraud and similar problems
    - How can toll fraud-like problems be solved using Normal Behavior profiling?
    - How about credit card fraud? Phone card fraud?

  • Security
    - Highlight Suspicious Activity and Review Unrecognizable Call Data for Hacker Detection
    - Prevent/Locate Unauthorized System Access
    - Real Time Notification of Exception Calling
    - Track After Hours Security Guards
    - Detect Bomb Threats
    - Selective Reporting/Display for Top Secret/Sensitive Materials
    - Account for Calls But Delete Detail (Call Processing)
    - Password Security to Prevent Moving from Call Processing
    - Keyboard Macro Available to Provide Additional Security

  • The Abnormal Behavior (Attack) Signature Method
    - Commonly used in on-the-fly IDS
    - Attack signatures
      - May require temporal and state-machine-like modeling
      - Special character strings, e.g. /etc/password in an ftp session

  • Case Study: SNORT ru

