Intrusion Detection Systems

Sai Nandoor, Priya Selvam, Balaji Badam

PowerPoint presentation, posted 22-Jan-2016

TRANSCRIPT

Page 1: Intrusion Detection Systems

Intrusion Detection Systems

Sai Nandoor

Priya Selvam

Balaji Badam

Page 2

How insecure are we?

• Attacks on computer infrastructures are a serious problem.
• Information theft is up over 250% in the last 5 years.
• 99% of all major companies report at least one major incident.
• Telecom and computer fraud totaled $10 billion in the US alone.

* Source: Eugene H. Spafford, Security Seminar, Department of Computer Sciences, Purdue University, Jan 1996.

Page 3

IDS Based on Data Source

• Host Based IDS
  – Its role is to identify tampering or malicious activity occurring on the system.
  – This is achieved by monitoring log files, users, and the file system.
• Network Based IDS
  – Its role is to identify tampering or malicious activity occurring in the network traffic.
  – This is achieved by monitoring network traffic on the wire for specific activities/signatures that represent an attack.
• Hybrid IDS
  – Combination of network and host based IDS.

Page 4

Host Based - Network Based (diagram)

Page 5

Advantages

Network                           Host
Lowers cost of ownership          Lower cost of entry
Detects what HIDS miss            Detects what NIDS miss
Difficult to remove evidence      Verifies success/failure of attack
Real-time detection & response    Suited for encrypted environments
Detects unsuccessful attacks      Monitors specific activities
OS independent                    Requires no additional hardware

Page 6

Host Based IDS

• Specific files to be monitored are defined in a configuration file.
• A digest of each file is stored in a database.
• Multiple digest algorithms can be used.
• Examples: TRIPWIRE / AIDE / SAMHAIN
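The file-integrity check this slide describes, as an added example in Python (not code from the slides, nor from Tripwire, AIDE or Samhain): a configuration file lists the monitored paths, every file is digested with more than one algorithm, and the digest database carries an HMAC tag so that a modified or replaced database is rejected before it is trusted. The configuration file is monitored as well, which is the "keep configuration file secure" and "keep checksum database secure" goals of slide 15; an authenticated tag rather than encryption is what detects tampering, since encrypting a checksum does not stop it being swapped. The key, file names and file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile

# More than one digest algorithm, as on the slide; every one must match on verify.
ALGORITHMS = ("sha256", "blake2b")


def file_digests(path, algorithms=ALGORITHMS):
    """Digest one file with every configured algorithm, plus its size and mode."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    st = os.stat(path)
    rec = {"size": st.st_size, "mode": st.st_mode}
    rec.update({a: h.hexdigest() for a, h in hashers.items()})
    return rec


def read_config(config_path):
    """Configuration file: one monitored path per line, '#' starts a comment.
    The configuration file itself is added to the monitored set."""
    with open(config_path) as f:
        paths = [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]
    return paths + [config_path]


def build_baseline(config_path, key):
    """Digest database: a JSON body plus an HMAC-SHA256 tag under `key`."""
    entries = {p: file_digests(p) for p in read_config(config_path) if os.path.exists(p)}
    body = json.dumps(entries, sort_keys=True)
    return {"entries": body, "hmac": hmac.new(key, body.encode(), "sha256").hexdigest()}


def verify(config_path, baseline, key):
    """Re-digest every baselined file and report modified/missing/added paths.
    A database whose tag does not verify is rejected before anything is read from it."""
    tag = hmac.new(key, baseline["entries"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, baseline["hmac"]):
        return {"error": "baseline database failed authentication"}
    old = json.loads(baseline["entries"])
    report = {"modified": [], "missing": [], "added": []}
    for p, rec in old.items():
        if not os.path.exists(p):
            report["missing"].append(p)
        elif file_digests(p) != rec:
            report["modified"].append(p)
    report["added"] = sorted(set(read_config(config_path)) - set(old))
    return report


def demo():
    """Constructed scenario in a temporary directory: baseline two files, then
    append to one, delete the other, add a path to the config, and finally present
    a database whose contents were replaced. Returns the three reports with paths
    reduced to basenames."""
    key = b"demo-key"  # assumption: a real key is kept off the monitored host

    def short(rep):
        if "error" in rep:
            return rep
        return {k: sorted(os.path.basename(p) for p in v) for k, v in rep.items()}

    with tempfile.TemporaryDirectory() as d:
        passwd, sshd, cfg = (os.path.join(d, n) for n in ("passwd", "sshd_config", "fim.conf"))
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        with open(sshd, "wb") as f:
            f.write(b"PermitRootLogin no\n")
        with open(cfg, "w") as f:
            f.write("# monitored files\n%s\n%s\n" % (passwd, sshd))
        baseline = build_baseline(cfg, key)
        clean = verify(cfg, baseline, key)
        with open(sshd, "ab") as f:            # attacker edits sshd_config
            f.write(b"PermitRootLogin yes\n")
        os.remove(passwd)                      # and deletes passwd
        with open(cfg, "a") as f:              # and adds a path to the config
            f.write(os.path.join(d, "shadow") + "\n")
        tampered = verify(cfg, baseline, key)
        forged = {"entries": json.dumps({}), "hmac": baseline["hmac"]}  # emptied database
        rejected = verify(cfg, forged, key)
    return short(clean), short(tampered), short(rejected)


if __name__ == "__main__":
    for label, rep in zip(("clean", "tampered", "forged db"), demo()):
        print(label, rep)
```

The second report lists the edited sshd_config and the edited configuration file as modified, passwd as missing and the newly listed shadow path as added; the third run returns the authentication error rather than a clean report, because an attacker who rewrites the checksum database without the key cannot produce a valid tag.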

Page 7

TRIPWIRE
• Can be reconfigured to prevent false alarms.
• Flexible policy language with predefined policy files and wildcard support.

AIDE
• Similar to a lighter version of TRIPWIRE.

SAMHAIN
• Support for a stealth mode of operation.
• Encrypted and authenticated client/server connections.

Page 8

Network Based IDS

• Packet sniffing front end.
• Pattern matching engine.
• Backend database.
• Examples: SNORT / SHOKI / BRO

Page 9

SNORT
• Provides its own rule language.
• Passive; doesn't terminate malicious activity.

SHOKI
• Multi-filter rule sets that match individual packets.
• SNORT rules can be converted to SHOKI filters.

BRO
• Can also operate as a packet sniffer/logger.
• Flexible rule-based language to describe traffic.
• Can perform protocol analysis and content searching/matching.

Page 10

SNORT Rules

var EXTERNAL_NET ![128.3.0.0/16,131.243.0.0/16]
var HTTP_SERVERS [128.3.0.0/16,131.243.0.0/16]
var HTTP_PORTS 80

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

output alert_fast: alarms.log

include file1.config

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)

Page 11

Bro Rules

rule sid-1328 {
  header ip[9:1] == 6
  header ip[12:4] != 128.3.0.0/16,131.243.0.0/16
  header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
  header tcp[2:2] == 80
  tcp-state originator,established
  http /.*[\/\\][bB][iI][nN][\/\\][pP][sS]/
  msg "WEB-ATTACKS ps command attempt"
}

SHOKI Rules

tcp 65536 THRESHOLD:1:10:20 SAMP-6 http h([t]*p):// ALL
tcp 65536 HOST_SCAN:2:20:40 SAMP-7 host scan NULL ALL
tcp 65536 PORT_SCAN:3:30:50 SAMP-8 p_scan 0x687474 ALL
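What the Snort rule on slide 10 and its Bro translation above actually decide, as an added example in Python (not Snort or Bro code): the Bro `header` lines are evaluated at the same byte offsets of a raw IPv4/TCP packet (ip[9:1] protocol, ip[12:4] source, ip[16:4] destination, tcp[2:2] destination port), the `$EXTERNAL_NET` negation and `$HTTP_SERVERS` list come from the slide's `var` lines, and the `uricontent:"/bin/ps"; nocase` option is matched against the request URI. The `http_decode` preprocessor is approximated by percent-decoding twice (`double_encode`) and flipping backslashes (`iis_flip_slash`); `established`/`tcp-state` is approximated by requiring the ACK flag, where the real tools track connection state. Packets, addresses and URIs are constructed; the percent-encoded sample shows why the normalization step matters: without it the same request is missed.

```python
import ipaddress
import re
import struct
from urllib.parse import unquote

# From the slide's var lines: $EXTERNAL_NET is the negation of these networks,
# $HTTP_SERVERS is these networks, $HTTP_PORTS is 80.
HOME_NETS = [ipaddress.ip_network("128.3.0.0/16"), ipaddress.ip_network("131.243.0.0/16")]
HTTP_PORTS = {80}

# Option block of sid 1328 (slide 10) and the regex of its Bro translation (slide 11).
RULE = {"sid": 1328, "rev": 4, "msg": "WEB-ATTACKS ps command attempt",
        "uricontent": "/bin/ps", "nocase": True}
BRO_PATTERN = re.compile(r"[/\\][bB][iI][nN][/\\][pP][sS]")


def build_packet(src, dst, sport, dport, payload, flags=0x18):
    """Minimal IPv4+TCP packet for the demo (constructed; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp + payload


def split_packet(pkt):
    """(ip_header, tcp_header, payload), honouring IHL and the TCP data offset."""
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[:ihl], pkt[ihl:ihl + doff], pkt[ihl + doff:]


def header_match(pkt):
    """The Bro 'header' lines read at the same byte offsets: ip[9:1] == 6,
    ip[12:4] not in the home nets, ip[16:4] in the home nets, tcp[2:2] == 80.
    'established' is approximated by requiring the ACK flag (a simplification)."""
    ip, tcp, _ = split_packet(pkt)
    if ip[9] != 6:
        return False
    src, dst = ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])
    if any(src in n for n in HOME_NETS) or not any(dst in n for n in HOME_NETS):
        return False
    dport = struct.unpack("!H", tcp[2:4])[0]
    return dport in HTTP_PORTS and bool(tcp[13] & 0x10)


def request_uri(payload):
    """Request-URI from the first line of an HTTP request, or None."""
    parts = payload.split(b"\r\n", 1)[0].decode("latin-1", "replace").split(" ")
    return parts[1] if len(parts) >= 2 else None


def normalize_uri(uri):
    """Approximates the http_decode options on slide 10: percent-decode twice
    (double_encode) and turn IIS-style backslashes into slashes (iis_flip_slash)."""
    return unquote(unquote(uri)).replace("\\", "/")


def snort_match(pkt, normalize=True):
    """Evaluate sid 1328 against one packet; returns the alert text or None.
    normalize=False shows what the uricontent test sees without the preprocessor."""
    if not header_match(pkt):
        return None
    uri = request_uri(split_packet(pkt)[2])
    if uri is None:
        return None
    hay, needle = (normalize_uri(uri) if normalize else uri), RULE["uricontent"]
    if RULE["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return "[1:%d:%d] %s" % (RULE["sid"], RULE["rev"], RULE["msg"]) if needle in hay else None


def bro_match(pkt):
    """The same decision written as the Bro rule's regex over the decoded URI."""
    if not header_match(pkt):
        return False
    uri = request_uri(split_packet(pkt)[2])
    return uri is not None and BRO_PATTERN.search(normalize_uri(uri)) is not None


# Constructed sample traffic: (src, dst, dport, payload).
SAMPLES = {
    "plain":     ("10.1.1.1",  "128.3.4.5", 80,   b"GET /cgi-bin/x?c=/bin/ps HTTP/1.0\r\n\r\n"),
    "encoded":   ("10.1.1.1",  "128.3.4.5", 80,   b"GET /%252Fbin%252Fps HTTP/1.0\r\n\r\n"),
    "backslash": ("10.1.1.1",  "128.3.4.5", 80,   b"GET /cgi-bin\\BIN\\PS HTTP/1.0\r\n\r\n"),
    "internal":  ("128.3.1.1", "128.3.4.5", 80,   b"GET /cgi-bin/x?c=/bin/ps HTTP/1.0\r\n\r\n"),
    "wrongport": ("10.1.1.1",  "128.3.4.5", 8080, b"GET /cgi-bin/x?c=/bin/ps HTTP/1.0\r\n\r\n"),
    "benign":    ("10.1.1.1",  "128.3.4.5", 80,   b"GET /index.html HTTP/1.0\r\n\r\n"),
}


def run_samples():
    """{name: (alert with normalization, alert without it, bro matched?)}."""
    out = {}
    for name, (src, dst, dport, payload) in SAMPLES.items():
        pkt = build_packet(src, dst, 40000, dport, payload)
        out[name] = (snort_match(pkt), snort_match(pkt, normalize=False), bro_match(pkt))
    return out


if __name__ == "__main__":
    for name, result in run_samples().items():
        print("%-10s %s" % (name, result))
```

The "internal" and "wrongport" samples never reach the content test, which is what the header part of both rules buys: the expensive URI matching runs only on traffic from outside the listed networks to port 80 on a listed server. The "encoded" and "backslash" samples alert only after normalization, which is the reason the slide's configuration loads `http_decode` with `double_encode` and `iis_flip_slash` in front of the rule.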

Page 12

ACID screen capture for SNORT (screen capture)

Page 13

Hybrid IDS

• Can be clustered
• Centralized database
• Provides file protection by using digests
• Network sensing using packet sniffing
• Blends strengths of HIDS & NIDS
• Examples: MANHUNT / PRELUDE / DRAGON

Page 14

MANHUNT
• Detects new and modified attacks
• Dynamically reassigns ports scanned
• Flowchaser and Trackback to fight DDoS

PRELUDE
• Incorporates information from other IDS
• Provides hooks to firewalls, honeypots, etc.
• Uses multiple sensors and a report server

DRAGON
• Provides IDS evasion countermeasures by keeping a large database of known hacker techniques and searching for anomalies.

Page 15

Goals

• Design a hybrid system
• Send instantaneous alerts to the network administrator and other hosts
• Use secure communication channels
• Keep the configuration file secure
• Keep the checksum database secure
• Maintain a list of intruders
• Maintain a log of attacks

Page 16

Design (diagram)

Components shown: Intruder, Database, Firewall, Other Hosts, Administrator, Host

Page 17

Implementation

• Dedicated sockets for communication
• Messages encrypted using AES
• Configuration file included in the list of secure files
• Checksums encoded using AES
• Network administrator maintains a log of intrusions
• Hosts maintain a list of intruders

Page 18

Sample execution (screen capture)

Page 19

Future Work
• Network sensors to defend against DDoS attacks
• Incorporate different hashing algorithms
• Add a feature to track the sources of DDoS
• Incorporate data from existing IDS
• Add a file change notification component

Lessons Learned
• A hybrid IDS involves a lot of components
• Communication between hosts and admins must be secure
• Configuration files are vulnerable
• A hybrid IDS provides better security

Page 20

References

• Intrusion Detection Systems, by Ricky M. Magalhaes, http://www.windowsecurity.com
• An Introduction to Intrusion Detection, by Aurobindo Sundaram, ACM Crossroads
• Network vs. Host Based Intrusion Detection, http://www.isskk.co.jp
• IDS Products, http://www.netsmart.net.au
• Intrusion Detection and Network Auditing on the Internet, http://www.infosyssec.com