Intrusion Detection Systems (IDS)

Intrusion Detection Systems - CSE 3043 Computer Security

Upload: aali-yah

Post on 21-May-2017


Page 1: Intrusion Detection Systems (IDS)

Intrusion Detection Systems

CSE 3043 Computer Security

Page 2: Intrusion Detection Systems (IDS)

Definitions

• Intrusion

– A set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource

• Intrusion detection

– The process of identifying and responding to intrusion activities

– Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.

Page 3: Intrusion Detection Systems (IDS)

Why Intrusion Detection?

• Computer networks wage a constant struggle against intruders and attackers.

• Attacks on distributed systems grow stronger and more prevalent every day.

• Intrusion detection methods are a key to controlling and potentially eradicating attacks on a system.

Page 4: Intrusion Detection Systems (IDS)

Intrusion Detection Defined

• Clear Definition:

An intrusion detection system pertains to the methods used to identify an attack on a computer or computer network.

• Formal Definition:

“[Intrusion Detection] is the art of detecting inappropriate, incorrect, or anomalous activity.”

– Dirk Lehmann, Siemens CERT

Page 5: Intrusion Detection Systems (IDS)

Elements of Intrusion Detection

• Primary assumptions:

– System activities are observable

– Normal and intrusive activities have distinct evidence

• Components of intrusion detection systems:

– From an algorithmic perspective:

• Features - capture intrusion evidence

• Models - piece the evidence together

– From a system architecture perspective:

• Audit data processor, knowledge base, decision engine, alarm generation and responses

Page 6: Intrusion Detection Systems (IDS)

Components of Intrusion Detection System

(Diagram: Audit Records -> Audit Data Preprocessor -> Activity Data -> Detection Engine, driven by Detection Models -> Alarms -> Decision Engine, driven by a Decision Table -> Action/Report. The audit records stage rests on the assumption that system activities are observable; the detection models stage rests on the assumption that normal and intrusive activities have distinct evidence.)

Page 7: Intrusion Detection Systems (IDS)

Key Performance Metrics

• Algorithm

– Alarm: A; Intrusion: I

– Detection (true alarm) rate: P(A|I)

• False negative rate: P(¬A|I)

– False alarm rate: P(A|¬I)

• True negative rate: P(¬A|¬I)

Page 8: Intrusion Detection Systems (IDS)

Intrusion Detection Approaches

• Modeling

– Features: evidence extracted from audit data

– Analysis approach: piecing the evidence together

• Misuse detection (a.k.a. signature-based)

• Anomaly detection (a.k.a. statistical-based)

• Deployment: Network-based or Host-based

Page 9: Intrusion Detection Systems (IDS)

• Different ways of classifying an IDS

IDS based on

– anomaly detection

– signature-based misuse

– host based

– network based

Page 10: Intrusion Detection Systems (IDS)

Misuse Detection

(Diagram: known intrusion patterns are pattern-matched against observed activities to flag an intrusion.)

Example: if (src_ip == dst_ip) then “land attack”

Limitation: Can’t detect new attacks

Page 11: Intrusion Detection Systems (IDS)

Signature-Based Intrusion Detection Systems

• Watch for patterns of events specific to known and documented attacks

• Typically connected to a large database which houses attack signatures

• Presumed to be able to detect only attacks “known” to its database

• Performance lag when intrusion patterns match several attack signatures

Page 12: Intrusion Detection Systems (IDS)

Intrusion Detection Schemes (2): Pattern-Matching Detection (PMD)

• Also known as signature-based intrusion detection.

• “The term signature refers to a set of conditions that, when met, indicate some type of intrusion event.”

• PMD detects a pattern which matches closely to the activity that is typical of a network intrusion, so if a pattern or set of events match, this may indicate a specific attack on the system that has been previously documented.

• PMD usually associated with misuse intrusion (attacks from inside).

• Pattern Matching “looks for a fixed sequence of bytes within a single packet, and traffic is filtered to a source or destination port.” – Informit.com

Page 13: Intrusion Detection Systems (IDS)

Pattern-Matching Detection (PMD)… Some Disadvantages:

• Pattern Matching may have difficulty detecting attacks to well-known ports.

• PMD may result in an inordinate amount of false positives if the matching is based on a pattern that is not unique.

• “PMD is only as good as the database of attack signatures used for comparison.”
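To make the rates of the Key Performance Metrics slide and the misuse-detection limitations of the Misuse Detection and PMD slides concrete, here is an added Python example (not from the slides): two signature rules, the slide's own land-attack check and a hypothetical fixed-byte signature, run over constructed labelled packets and scored with P(A|I), P(¬A|I), P(A|¬I) and P(¬A|¬I). The packet records, IP addresses and the EVIL-CMD byte string are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed packet records (not from the slides); is_intrusion is the
# ground-truth label and is used only for scoring, never by the rules.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes
    is_intrusion: bool

# Misuse (signature) rules. "land attack" is the slide's own example;
# the byte-sequence rule is a hypothetical fixed-byte signature of the
# kind pattern-matching detection looks for inside a single packet.
SIGNATURES = {
    "land attack": lambda p: p.src_ip == p.dst_ip,
    "hypothetical exploit string": lambda p: b"EVIL-CMD" in p.payload,
}

def match_signatures(p):
    """Names of every signature the packet matches (empty list = no alarm)."""
    return [name for name, rule in SIGNATURES.items() if rule(p)]

def score(packets):
    """The four rates from the Key Performance Metrics slide, over labelled traffic."""
    alarm = [bool(match_signatures(p)) for p in packets]
    tp = sum(a and p.is_intrusion for p, a in zip(packets, alarm))
    fn = sum((not a) and p.is_intrusion for p, a in zip(packets, alarm))
    fp = sum(a and not p.is_intrusion for p, a in zip(packets, alarm))
    tn = sum((not a) and not p.is_intrusion for p, a in zip(packets, alarm))
    return {
        "P(A|I)": tp / (tp + fn),        # detection (true alarm) rate
        "P(notA|I)": fn / (tp + fn),     # false negative rate
        "P(A|notI)": fp / (fp + tn),     # false alarm rate
        "P(notA|notI)": tn / (fp + tn),  # true negative rate
    }

TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.5", 139, b"", True),                        # land attack: caught
    Packet("10.0.0.7", "10.0.0.9", 80, b"GET / HTTP/1.1", False),
    Packet("10.0.0.8", "10.0.0.9", 25, b"EVIL-CMD run", True),              # known signature: caught
    Packet("10.0.0.2", "10.0.0.9", 22, b"\x00\x00\x00\x00", True),          # novel attack, no signature: missed
    Packet("10.0.0.4", "10.0.0.9", 25, b"Re: EVIL-CMD advisory", False),    # non-unique pattern: false positive
    Packet("10.0.0.3", "10.0.0.9", 443, b"\x16\x03\x01", False),
]

if __name__ == "__main__":
    print(score(TRAFFIC))
```

The novel attack lowers P(A|I) to 2/3 and the benign mail mentioning the byte string raises P(A|¬I) to 1/3, the two failure modes the slides name.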

Page 14: Intrusion Detection Systems (IDS)

Anomaly-based IDS

• This IDS models the normal usage of the network as a noise characterization.

• Anything distinct from the noise is assumed to be an intrusion activity.

– E.g. flooding a host with lots of packets.

• The primary strength is its ability to recognize novel attacks.

• Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection.

• These generate many false alarms and hence compromise the effectiveness of the IDS.

Page 15: Intrusion Detection Systems (IDS)

Anomaly Detection

(Figure: scatter plot of activity measures, CPU against process size, axes 0 to 90; points inside the normal profile are labelled normal, points outside it abnormal, with one outlier marked as a probable intrusion.)

Problem: Relatively high false positive rate - anomalies can just be new normal activities.

Page 16: Intrusion Detection Systems (IDS)

Anomaly-Based Intrusion Detection Systems

• Identify intrusions by detecting anomalies

• Works on the notion that “attack behavior” differs enough from “normal user behavior”

• System administrator defines the baseline of normal behavior

• Ability to detect new attacks

• Issues (False Positives, Heavy processing overheads, Time to create statistically significant baselines)

Page 17: Intrusion Detection Systems (IDS)

Intrusion Detection Schemes (1): Statistical Anomaly Detection (SAD)

• SAD refers to using statistical profiles to identify anomalies within the network – the system keeps track of activities, and reports abnormal activity as an attack on the system.

How?

• The system keeps two distinct sets of data – a long-term usage data profile and a short-term observed usage data profile.

• The long-term usage data profile is a combination of the “usage patterns” that were detected in the long run, and vice versa.

• Long-term and short-term usage data are compared, and standard deviations are computed. If the deviations are “statistically significant,” then they are reported as potential attacks.

Page 18: Intrusion Detection Systems (IDS)

Statistical Anomaly Detection (SAD) …

Pros:

• Detection of attacks that would be missed by other detection mechanisms, with applications confined to specific types of traffic that can be easily measured.

Cons:

• Deviations from baseline usage patterns can actually be false positives.

• Attack reporting is hard to interpret or turn into an action.

• Traffic is large and constantly changing -> difficult to establish a baseline.

• Attacks can be contained within the baseline with no one the wiser.

• Attackers can train the system: attack traffic seen as normal; false alarms.
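An added Python sketch (not from the slides) of the two-profile comparison the SAD slides describe: a long-term profile of per-minute packet counts yields a mean and standard deviation, each short-term observed window is scored in standard-deviation units, and a statistically significant deviation is reported as a potential attack. The sample counts are constructed; the packet flood from the anomaly-based IDS slide is caught, while a legitimate backup burst also trips the detector, the "new normal activity" false positive the Anomaly Detection slide warns about.

```python
import statistics

# Constructed per-minute packet counts for one host during a quiet
# training period (not from the slides): the long-term usage profile.
LONG_TERM_TRAINING = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54]

def build_profile(samples):
    """Long-term profile: mean and sample standard deviation of the measure."""
    return {"mean": statistics.mean(samples), "stdev": statistics.stdev(samples)}

def deviation(profile, window):
    """Distance of the short-term window mean from the long-term mean, in standard deviations."""
    return (statistics.mean(window) - profile["mean"]) / profile["stdev"]

def classify(profile, window, threshold=3.0):
    """Report a 'statistically significant' deviation (|z| above threshold) as a potential attack."""
    z = deviation(profile, window)
    return "probable intrusion" if abs(z) > threshold else "normal"

# Short-term observed windows (constructed): ordinary traffic, a packet
# flood (the slides' example anomaly), and a legitimate nightly backup
# whose burst is new normal activity the long-term profile never saw.
WINDOWS = {
    "normal": [51, 49, 50, 52],
    "packet flood": [900, 1200, 1100, 950],
    "nightly backup": [180, 200, 190, 185],
}

def run_sad():
    """Classify every observed window against the long-term profile."""
    profile = build_profile(LONG_TERM_TRAINING)
    return {name: classify(profile, w) for name, w in WINDOWS.items()}

if __name__ == "__main__":
    for name, verdict in run_sad().items():
        print(f"{name}: {verdict}")
```

The backup window is flagged exactly like the flood, which is why the slides list baseline construction and false positives among SAD's cons.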

Page 19: Intrusion Detection Systems (IDS)

(Host-Based vs. Network-Based) Systems (1)

Host-Based System (HIDS)

• Runs on distinct hosts or devices within the network.

• Monitors the behavior of incoming and outgoing packets, and reports any abnormal activity detected.

• System logs (syslog), file system integrity (fingerprinting), and process execution are examined, such as TCPWrappers and the network stack.

• “In a host-based system, the [intrusion detection system] examines at the activity on each individual computer or host.” - Webopedia.com

Page 20: Intrusion Detection Systems (IDS)

Host-Based IDSs

• Using OS auditing mechanisms

– E.g., logs all direct or indirect events generated by a user

• Monitoring user activities

• Monitoring executions of system programs

Page 21: Intrusion Detection Systems (IDS)

Host/Application-based IDS

• The host operating system or the application logs the audit information.

• This audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc.

• This audit is then analyzed to detect trails of intrusion.

Page 22: Intrusion Detection Systems (IDS)

Drawbacks of the host-based IDS

• The kind of information that needs to be logged is a matter of experience.

• Unselective logging of messages may greatly increase the audit and analysis burdens.

• Selective logging runs the risk that attack manifestations could be missed.

Page 23: Intrusion Detection Systems (IDS)

Strengths of the host-based IDS

• Attack verification

• System-specific activity

• Encrypted and switched environments

• Monitoring key components

• Near real-time detection and response

• No additional hardware

Page 24: Intrusion Detection Systems (IDS)

(Host-Based vs. Network-Based) Systems (2)

Network-based system (NIDS)

• The individual packets flowing through a network are analyzed.

• NIDS can detect suspicious packets that are designed to be overlooked by a firewall’s “crude” filtering rules.

• The network traffic is examined for pattern matching among packets, and the flow of the network is also examined.

Page 25: Intrusion Detection Systems (IDS)

Network IDSs

• Deploying sensors at strategic locations

– E.g., packet sniffing via tcpdump at routers

• Inspecting network traffic

– Watch for violations of protocols and unusual connection patterns

• Monitoring user activities

– Look into the data portions of the packets for malicious command sequences

• May be easily defeated by encryption

– Data portions and some header information can be encrypted

Page 26: Intrusion Detection Systems (IDS)

Network-based IDS

• This IDS looks for attack signatures in network traffic via a promiscuous interface.

• A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known non-malicious traffic.

Page 27: Intrusion Detection Systems (IDS)

Strengths of Network-based IDS

• Cost of ownership reduced

• Packet analysis

• Evidence removal

• Real-time detection and response

• Malicious intent detection

• Complement and verification

• Operating system independence

Page 28: Intrusion Detection Systems (IDS)

What is a Honeypot?

• An information system resource whose value lies in unauthorized or illicit use of that resource [Spitzner]

A honeypot is put up for several reasons:

• To watch what attackers do, in order to learn about new attacks

• To lure an attacker to a place in which one may be able to learn enough to identify and stop the attacker

• To distract adversaries from more valuable machines on a network

Page 29: Intrusion Detection Systems (IDS)

Uses of Honeypots…

Prevent Attacks

• Network Security

– Studying traffic patterns

– Determine new hacker techniques

Detect Attacks

• Spam Prevention

• Credit card fraud identification

Page 30: Intrusion Detection Systems (IDS)

Advantages & Disadvantages

• Advantages:

– Simple to create and maintain

– Collect information of great value

– Reduce false positives

– Capture any activity, can work in IPv6/Encrypted Network

• Disadvantage:

– Can only track activity that directly interacts with them

Page 31: Intrusion Detection Systems (IDS)

Module

• Outline Syllabus

– Concept of Secure Computing, Domain of Protection, Social Engineering, Attacks and Defenses, Defining Security Policy, Classical Ciphers, Encryption and Decryption, Symmetric and Asymmetric Ciphers, Operating System Holes, Application Security (Web, e-mail, Databases), Viruses, Privacy, and Digital Rights Management, Intrusion Detection Systems, Secure Protocols, Security of Middleware, Software Protection, Web Security and Wireless Network Security.