Intrusion Detection Systems
Sai Nandoor
Priya Selvam
Balaji Badam
How insecure are we?
• Attacks on computer infrastructures are a serious problem.
• Information theft is up over 250% in the last 5 years.
• 99% of all major companies report at least one major incident.
• Telecom and computer fraud totaled $10 billion in the US alone.
* Source: Eugene H. Spafford, Security Seminar, Department of Computer Sciences, Purdue University, Jan 1996.
IDS Based on Data Source
• Host Based IDS
  – Its role is to identify tampering or malicious activity occurring on the system.
  – This is achieved by monitoring log files, users, and the file system.
• Network Based IDS
  – Its role is to identify tampering or malicious activity occurring in the network traffic.
  – This is achieved by monitoring network traffic on the wire for specific activities/signatures that represent an attack.
• Hybrid IDS
  – Combination of network and host based IDS.
Host Based vs. Network Based: Advantages

Network-based IDS                    Host-based IDS
Lowers cost of ownership             Lower cost of entry
Detects what HIDS miss               Detects what NIDS miss
Difficult to remove evidence         Verifies success/failure of attack
Real-time detection & response       Suited for encrypted environments
Detects unsuccessful attacks         Monitors specific activities
OS independent                       Requires no additional hardware
Host Based IDS
• The specific files to be monitored are defined in a configuration file.
• A digest of each file is stored in a database.
• Multiple digest algorithms can be used.
• Examples: TRIPWIRE / AIDE / SAMHAIN
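The three bullets above describe the whole mechanism of a file-integrity HIDS: a configuration file naming what to watch, a database of digests, and a later comparison. The following is an added example written for this page, not code from the presentation or from Tripwire, AIDE or Samhain. The config format (one path per line, '#' comments), the JSON baseline layout and the fake /etc directory built in demo() are constructed for the example.

```python
"""Minimal Tripwire/AIDE-style file integrity checker.

Added example, not code from the presentation or from any tool it names.
Assumptions: the config format (one path per line, '#' comments), the JSON
baseline layout and the sample directory built in demo() are all constructed
for this example.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List

# More than one digest algorithm, as the slide suggests: an attacker who can
# craft a collision for one algorithm still has to match the other.
ALGORITHMS = ("sha256", "sha1")


def digest_file(path: str, algorithms=ALGORITHMS) -> Dict[str, str]:
    """Return {algorithm: hexdigest} for one file, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def parse_config(text: str) -> List[str]:
    """Configuration file: one file or directory per line, '#' starts a comment."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def expand_paths(configured: List[str]) -> List[str]:
    """Directories in the config are walked so that newly added files show up."""
    files = []
    for p in configured:
        if os.path.isdir(p):
            for root, _dirs, names in os.walk(p):
                files.extend(os.path.join(root, n) for n in names)
        else:
            files.append(p)
    return sorted(set(files))


def build_baseline(configured: List[str]) -> Dict[str, dict]:
    """Digest database: path -> {size, sha256, sha1}. Only regular files are recorded."""
    return {f: {"size": os.path.getsize(f), **digest_file(f)}
            for f in expand_paths(configured) if os.path.isfile(f)}


def check(configured: List[str], baseline: Dict[str, dict]) -> Dict[str, List[str]]:
    """Compare the file system now against the stored baseline."""
    current = build_baseline(configured)
    report = {"modified": [], "missing": [], "added": []}
    for path, rec in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif any(current[path][a] != rec[a] for a in ALGORITHMS):
            report["modified"].append(path)
    report["added"] = [p for p in current if p not in baseline]
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake /etc, then tamper with it."""
    root = tempfile.mkdtemp(prefix="hids-demo-")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    passwd, hosts = os.path.join(etc, "passwd"), os.path.join(etc, "hosts")
    with open(passwd, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(hosts, "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    # The config file watches itself as well, so edits to the watch list are caught.
    config_path = os.path.join(root, "hids.conf")
    with open(config_path, "w") as fh:
        fh.write(f"# paths to monitor\n{etc}\n{config_path}\n")
    with open(config_path) as fh:
        configured = parse_config(fh.read())

    db_path = os.path.join(root, "baseline.json")
    with open(db_path, "w") as fh:
        json.dump(build_baseline(configured), fh)

    # Simulated intrusion: backdoor account, preload rootkit, deleted hosts file.
    with open(passwd, "a") as fh:
        fh.write("backdoor:x:0:0::/:/bin/sh\n")
    with open(os.path.join(etc, "ld.so.preload"), "w") as fh:
        fh.write("/tmp/rk.so\n")
    os.remove(hosts)

    with open(db_path) as fh:
        report = check(configured, json.load(fh))
    return {k: sorted(os.path.relpath(p, root) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the checker is only as trustworthy as its baseline and its config: if an intruder who has already gained root can rewrite baseline.json, every file looks clean. That is why the tools above keep the database off-line or signed, and why the config file is itself on the watch list here.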
TRIPWIRE
• Can be reconfigured to prevent false alarms.
• Flexible policy language with predefined policy files and wildcard support.
AIDE
• Similar to TRIPWIRE, but lighter weight.
SAMHAIN
• Supports a stealth mode of operation.
• Encrypted and authenticated client/server connections.
Network Based IDS
• Packet sniffing front end.
• Pattern matching engine.
• Backend database.
• Examples: SNORT / SHOKI / BRO
SNORT
• Provides its own rule language.
• Passive; does not terminate malicious activity.
SHOKI
• Multi-filter rule sets that match individual packets.
• SNORT rules can be converted to SHOKI filters.
BRO
• Can also operate as a packet sniffer/logger.
• Flexible rule-based language to describe traffic.
• Can perform protocol analysis and content searching/matching.
SNORT Rules
var EXTERNAL_NET ![128.3.0.0/16,131.243.0.0/16]
var HTTP_SERVERS [128.3.0.0/16,131.243.0.0/16]
var HTTP_PORTS 80
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
output alert_fast: alarms.log
include file1.config
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)
Bro Rules
rule sid-1328 {
  header ip[9:1] == 6
  header ip[12:4] != 128.3.0.0/16,131.243.0.0/16
  header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
  header tcp[2:2] == 80
  tcp-state originator,established
  http /.*[\/\\][bB][iI][nN][\/\\][pP][sS]/
  msg "WEB-ATTACKS ps command attempt"
}
The header fields are raw IP/TCP header offsets: ip[9:1] is the protocol byte (6 = TCP), ip[12:4] the source address, ip[16:4] the destination address, and tcp[2:2] the destination port. The regex spells out by hand what the Snort rule gets from nocase and iis_flip_slash: either case of each letter and either slash character.
SHOKI Rules
tcp 65536 THRESHOLD:1:10:20 SAMP-6 http h([t]*p):// ALL
tcp 65536 HOST_SCAN:2:20:40 SAMP-7 host scan NULL ALL
tcp 65536 PORT_SCAN:3:30:50 SAMP-8 p_scan 0x687474 ALL
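The Snort rule for sid 1328 only works because the http_decode preprocessor (unicode, double_encode, iis_flip_slash) normalizes the URI before uricontent is matched; the Bro signature instead bakes case and slash variants into its regex. The following added example (written for this page; not Snort, Bro or SHOKI code) makes the difference concrete: it runs a raw regex match and a normalize-then-match against constructed request lines that encode /bin/ps in the ways the preprocessor options are meant to undo. The normalization steps are an approximation of those options, not the preprocessor's actual implementation.

```python
"""URI normalization before signature matching, for the ps-command rule above.

Added example: this is not Snort, Bro or SHOKI code. The request lines are
constructed; the normalization steps approximate what the slide's http_decode
options (unicode, double_encode, iis_flip_slash) ask the preprocessor to do.
"""
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote

# uricontent:"/bin/ps"; nocase  -> matched against the *normalized* URI
SNORT_CONTENT = "/bin/ps"
# The Bro signature's regex, applied here to the raw URI: it tolerates case and
# either slash character but knows nothing about percent-encoding.
RAW_PATTERN = re.compile(r".*[\/\\][bB][iI][nN][\/\\][pP][sS]")

_IIS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")

SAMPLE_REQUESTS = [                             # constructed request lines
    "GET /cgi-bin/bin/ps HTTP/1.0",             # plain
    "GET /cgi-bin/BIN/PS HTTP/1.0",             # case variation
    "GET /cgi-bin%2fbin%2fps HTTP/1.0",         # percent-encoded slashes
    "GET /cgi-bin/%62in/ps HTTP/1.0",           # percent-encoded letter
    "GET /cgi-bin%252fbin%252fps HTTP/1.0",     # double encoding (%25 -> %)
    "GET /cgi-bin\\bin\\ps HTTP/1.0",           # IIS accepts backslashes
    "GET /cgi-bin/%u002fbin/ps HTTP/1.0",       # IIS %u "unicode" encoding
    "GET /cgi-bin/bin/pstree HTTP/1.0",         # substring rule fires on pstree too
    "GET /index.html HTTP/1.0",                 # benign
]


def normalize_uri(uri: str, iis: bool = True) -> str:
    """Undo the encodings an attacker can use so the content match sees one form."""
    # %uXXXX (IIS-specific) -> the character it names; only ASCII is mapped here
    uri = _IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), uri)
    # Decode twice so %252f (double-encoded '/') ends up as '/'
    uri = unquote(unquote(uri))
    if iis:
        uri = uri.replace("\\", "/")            # IIS treats '\' as a separator
    # Collapse '//', './' and resolve '../' the way the server would
    return posixpath.normpath(uri)


def request_uri(request_line: str) -> str:
    return request_line.split(" ")[1]


def raw_match(request_line: str) -> bool:
    """Regex over the URI exactly as it appeared on the wire."""
    return RAW_PATTERN.match(request_uri(request_line)) is not None


def normalized_match(request_line: str) -> bool:
    """Snort-style uricontent/nocase over the normalized URI."""
    return SNORT_CONTENT in normalize_uri(request_uri(request_line)).lower()


def evaluate(requests: List[str] = SAMPLE_REQUESTS) -> List[Tuple[str, bool, bool]]:
    """(uri, raw regex hit, normalized content hit) for each request."""
    return [(request_uri(r), raw_match(r), normalized_match(r)) for r in requests]


if __name__ == "__main__":
    for uri, raw, norm in evaluate():
        print(f"{uri:32} raw={raw!s:5} normalized={norm}")
```

Four of the nine constructed requests slip past the raw regex and are caught only after normalization. The /bin/pstree line is the flip side: a substring rule also fires on benign requests that happen to contain the pattern, which is the kind of false alarm the tuning bullets under TRIPWIRE and the classtype/sid metadata exist to manage.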
ACID screen capture for SNORT (screen capture not reproduced)
Hybrid IDS
• Can be clustered.
• Centralized database.
• Provides file protection by using digests.
• Network sensing using packet sniffing.
• Blends the strengths of HIDS & NIDS.
• Examples: MANHUNT / PRELUDE / DRAGON
MANHUNT
• Detects new and modified attacks.
• Dynamically reassigns scanned ports.
• Flowchaser and Trackback to fight DDoS.
PRELUDE
• Incorporates information from other IDS.
• Provides hooks to firewalls, honeypots, etc.
• Uses multiple sensors and a report server.
DRAGON
• Provides IDS evasion countermeasures by keeping a large database of known hacker techniques and searching for anomalies.
Goals
• Design a hybrid system.
• Send instantaneous alerts to the network administrator and other hosts.
• Use secure communication channels.
• Keep the configuration file secure.
• Keep the checksum database secure.
• Maintain a list of intruders.
• Maintain a log of attacks.
Design (diagram not reproduced; components shown: Intruder, Database, Firewall, Other Hosts, Administrator, Host)
Implementation
• Dedicated sockets for communication.
• Messages encrypted using AES.
• Configuration file included in the list of secure files.
• Checksums encrypted using AES.
• Network administrator maintains a log of intrusions.
• Hosts maintain a list of intruders.
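The implementation bullets above encrypt alerts and checksums with AES. Encryption by itself gives confidentiality, not integrity: a party who can modify ciphertext or replay an old message is not detected by decryption alone. The following added example (written for this page, not the presentation's own implementation) shows the piece that does detect that: each host-to-administrator alert carries an HMAC-SHA256 tag under a per-host shared key and a sequence number; the administrator rejects forged, edited and replayed messages, logs accepted ones, and pushes the intruder address to the other hosts' lists. Keys, host names, addresses and alert text are constructed; encryption is omitted for brevity, and a real deployment would use an AEAD such as AES-GCM that provides both properties in one step.

```python
"""Authenticated host-to-administrator alert exchange with replay protection.

Added example, not the presentation's implementation. Every message carries an
HMAC-SHA256 tag under a key shared by host and administrator plus a per-host
sequence number. Keys, host names, addresses and alert text are constructed.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List


def canonical(obj) -> bytes:
    """Deterministic JSON so both sides MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(payload: dict, key: bytes) -> bytes:
    """Wire format: {"m": payload, "tag": hex(HMAC-SHA256(key, canonical(payload)))}."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return canonical({"m": payload, "tag": tag})


class Host:
    """Monitored host: raises alerts and keeps its own list of intruders."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seq = name, key, 0
        self.intruders = set()

    def alert(self, intruder_ip: str, detail: str) -> bytes:
        self.seq += 1
        self.intruders.add(intruder_ip)
        return seal({"host": self.name, "seq": self.seq, "src": intruder_ip,
                     "detail": detail, "ts": int(time.time())}, self.key)


class Administrator:
    """Verifies alerts, logs them, and tells the other hosts about the intruder."""

    def __init__(self, keys: Dict[str, bytes], hosts: List[Host]):
        self.keys, self.hosts = keys, hosts
        self.last_seq: Dict[str, int] = {}
        self.log: List[dict] = []
        self.rejected: List[str] = []

    def receive(self, wire: bytes) -> bool:
        try:
            msg = json.loads(wire)
            payload, tag = msg["m"], msg["tag"]
            key = self.keys[payload["host"]]
            if not isinstance(payload["seq"], int) or not isinstance(tag, str):
                raise ValueError("bad field types")
        except (KeyError, ValueError, TypeError):
            self.rejected.append("malformed")
            return False
        expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            self.rejected.append("bad-tag")
            return False
        if payload["seq"] <= self.last_seq.get(payload["host"], 0):
            self.rejected.append("replay")
            return False
        self.last_seq[payload["host"]] = payload["seq"]
        self.log.append(payload)
        for h in self.hosts:                         # propagate intruder list
            h.intruders.add(payload["src"])
        return True


def demo() -> dict:
    """Constructed exchange: one genuine alert, then three attacks on the channel."""
    key_a, key_b = b"demo-key-host-a", b"demo-key-host-b"
    a, b = Host("host-a", key_a), Host("host-b", key_b)
    admin = Administrator({"host-a": key_a, "host-b": key_b}, hosts=[a, b])

    wire = a.alert("203.0.113.7", "digest mismatch on /etc/passwd")
    genuine = admin.receive(wire)                 # accepted, logged, broadcast
    replayed = admin.receive(wire)                # same bytes again: rejected
    tampered = json.loads(wire)
    tampered["m"]["src"] = "198.51.100.1"         # edited in flight: tag no longer matches
    edited = admin.receive(canonical(tampered))
    forged = seal({"host": "host-b", "seq": 99, "src": "192.0.2.9",
                   "detail": "fake", "ts": 0}, b"attacker-guess")
    spoofed = admin.receive(forged)               # wrong key: rejected
    return {"accepted": [genuine, replayed, edited, spoofed],
            "logged": len(admin.log), "reasons": admin.rejected,
            "host_b_intruders": sorted(b.intruders)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same keyed tag applied to the checksum database (MAC over its canonical bytes, verified before any check run) turns the "checksums encrypted using AES" bullet into something the checker can actually rely on: an edited or substituted database fails verification instead of silently reporting every file as clean.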
Sample execution (screen capture not reproduced)
Future Work
• Network sensors to defend against DDoS attacks.
• Incorporate different hashing algorithms.
• Add a feature to track the sources of DDoS.
• Incorporate data from existing IDS.
• Add a file change notification component.
Lessons Learned
• A hybrid IDS involves a lot of components.
• Communication between hosts and admins must be secure.
• Configuration files are vulnerable.
• A hybrid IDS provides better security.
References
• Ricky M. Magalhaes, "Intrusion Detection Systems", http://www.windowsecurity.com
• Aurobindo Sundaram, "An Introduction to Intrusion Detection", ACM Crossroads
• "Network vs. Host Based Intrusion Detection", http://www.isskk.co.jp
• "IDS Products", http://www.netsmart.net.au
• "Intrusion Detection and Network Auditing on the Internet", http://www.infosyssec.com