intrusion detection systems (ids)
TRANSCRIPT
Intrusion Detection Systems
CSE 3043 Computer Security
Definitions
• Intrusion
  – A set of actions aimed at compromising the security goals, namely
    • integrity, confidentiality, or availability, of a computing and networking resource
• Intrusion detection
  – The process of identifying and responding to intrusion activities
  – Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.
Why Intrusion Detection?
• Computer networks wage a constant struggle against intruders and attackers.
• Attacks on distributed systems grow stronger and more prevalent every day.
• Intrusion detection methods are a key to controlling and potentially eradicating attacks on a system.
Intrusion Detection Defined
• Clear definition:
  An intrusion detection system pertains to the methods used to identify an attack on a computer or computer network.
• Formal definition:
  “[Intrusion Detection] is the art of detecting inappropriate, incorrect, or anomalous activity.”
  – Dirk Lehmann, Siemens CERT
Elements of Intrusion Detection
• Primary assumptions:
  – System activities are observable
  – Normal and intrusive activities have distinct evidence
• Components of intrusion detection systems:
  – From an algorithmic perspective:
    • Features: capture intrusion evidence
    • Models: piece the evidence together
  – From a system architecture perspective:
    • Audit data preprocessor, knowledge base, decision engine, alarm generation and responses
Components of Intrusion Detection System
[Figure: block diagram of the IDS pipeline. Audit Records → Audit Data Preprocessor → Activity Data → Detection Engine (driven by Detection Models) → Alarms → Decision Engine (driven by a Decision Table) → Action/Report. The audit-record stage is annotated “system activities are observable”; the detection stage is annotated “normal and intrusive activities have distinct evidence”.]
Key Performance Metrics
• Algorithm
  – Alarm: A; Intrusion: I
  – Detection (true alarm) rate: P(A|I)
    • False negative rate: P(¬A|I)
  – False alarm rate: P(A|¬I)
    • True negative rate: P(¬A|¬I)
Intrusion Detection Approaches
• Modeling
  – Features: evidence extracted from audit data
  – Analysis approach: piecing the evidence together
    • Misuse detection (a.k.a. signature-based)
    • Anomaly detection (a.k.a. statistical-based)
• Deployment: network-based or host-based
• Different ways of classifying an IDS
  – IDS based on:
    – anomaly detection
    – signature-based misuse
    – host-based
    – network-based
Misuse Detection
[Figure: known intrusion patterns are pattern-matched against observed activities; a match flags an intrusion.]
Example: if (src_ip == dst_ip) then “land attack”
Limitation: can’t detect new attacks
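An added example (not from the lecture slides) that ties the misuse-detection slide to the metrics slide: a minimal signature detector built on the slide's “land attack” rule, run over a small constructed packet set with intrusion labels, and scored with P(A|I), P(¬A|I), P(A|¬I) and P(¬A|¬I). The packet records, labels and the `detect`/`evaluate` helpers are all assumptions for illustration.

```python
# Added example, not from the lecture slides: a minimal misuse detector built
# on the slide's "land attack" signature (src_ip == dst_ip), evaluated with the
# slide's metrics P(A|I), P(not A|I), P(A|not I) and P(not A|not I).
# The packet records and their intrusion labels are constructed for illustration.

# Each record: (src_ip, dst_ip, dst_port, labelled_as_intrusion)
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 80, False),
    ("10.0.0.9", "10.0.0.9", 139, True),   # land attack: source equals destination
    ("192.168.1.2", "10.0.0.9", 443, False),
    ("10.0.0.9", "10.0.0.9", 22, True),    # land attack
    ("10.0.0.7", "10.0.0.9", 80, True),    # an intrusion with no signature: missed
    ("10.0.0.3", "10.0.0.9", 25, False),
]

def land_attack_signature(src_ip, dst_ip, dst_port):
    """The slide's example signature: a packet whose source equals its destination."""
    return src_ip == dst_ip

# Signature database: name -> predicate over packet fields
SIGNATURES = {"land attack": land_attack_signature}

def detect(src_ip, dst_ip, dst_port):
    """Return the names of all signatures the packet matches (empty list = no alarm)."""
    return [name for name, match in SIGNATURES.items() if match(src_ip, dst_ip, dst_port)]

def evaluate(packets):
    """Tabulate alarm (A) against intrusion (I) and return the four rates from the slide."""
    tp = fn = fp = tn = 0
    for src, dst, port, is_intrusion in packets:
        alarm = bool(detect(src, dst, port))
        if is_intrusion:
            if alarm:
                tp += 1
            else:
                fn += 1
        elif alarm:
            fp += 1
        else:
            tn += 1
    intrusions, benign = tp + fn, fp + tn
    return {
        "detection_rate": tp / intrusions,       # P(A|I)
        "false_negative_rate": fn / intrusions,  # P(not A|I): the "known attacks only" limitation
        "false_alarm_rate": fp / benign,         # P(A|not I)
        "true_negative_rate": tn / benign,       # P(not A|not I)
    }

if __name__ == "__main__":
    print(evaluate(SAMPLE_PACKETS))
```

The unsignatured intrusion in the sample set is what drives the false negative rate above zero, which is the slide's “can't detect new attacks” limitation expressed as a number.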
Signature-Based Intrusion Detection Systems
• Watch for patterns of events specific to known and documented attacks
• Typically connected to a large database which houses attack signatures
• Presumed to be able to detect only attacks “known” to its database
• Performance lag when intrusion patterns match several attack signatures
Intrusion Detection Schemes (2)
Pattern-Matching Detection (PMD)
• Also known as signature-based intrusion detection.
• “The term signature refers to a set of conditions that, when met, indicate some type of intrusion event.”
• PMD detects a pattern which closely matches the activity that is typical of a network intrusion, so if a pattern or set of events matches, this may indicate a specific attack on the system that has been previously documented.
• PMD is usually associated with misuse intrusion (attacks from inside).
• Pattern matching “looks for a fixed sequence of bytes within a single packet, and traffic is filtered to a source or destination port.” – Informit.com
Pattern-Matching Detection (PMD) … Some Disadvantages:
• Pattern matching may have difficulty detecting attacks to well-known ports.
• PMD may result in an inordinate amount of false positives if the matching is based on a pattern that is not unique.
• “PMD is only as good as the database of attack signatures used for comparison.”
Anomaly-based IDS
• This IDS models the normal usage of the network as a noise characterization.
• Anything distinct from the noise is assumed to be intrusion activity.
  – E.g. flooding a host with lots of packets.
• The primary strength is its ability to recognize novel attacks.
• Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection.
• These generate many false alarms and hence compromise the effectiveness of the IDS.
Anomaly Detection
[Figure: plot of activity measures (CPU, process size; axis ticks 0–90). Most points fall inside a “normal profile” region; an outlying point labelled “abnormal” marks a probable intrusion.]
Problem: relatively high false positive rate; anomalies can just be new normal activities.
Anomaly-Based Intrusion Detection Systems
• Identify intrusions by detecting anomalies
• Works on the notion that “attack behavior” differs enough from “normal user behavior”
• System administrator defines the baseline of normal behavior
• Ability to detect new attacks
• Issues (false positives, heavy processing overheads, time to create statistically significant baselines)
Intrusion Detection Schemes (1)
Statistical Anomaly Detection (SAD)
• SAD refers to using statistical profiles to identify anomalies within the network: the system keeps track of activities, and reports abnormal activity as an attack on the system.
How?
• The system keeps two distinct sets of data: a long-term usage data profile and a short-term observed usage data profile.
• The long-term usage data profile is a combination of the “usage patterns” that were detected in the long run; correspondingly, the short-term profile reflects recently observed usage.
• Long-term and short-term usage data are compared, and standard deviations are computed. If the deviations are “statistically significant,” then they are reported as potential attacks.
Statistical Anomaly Detection (SAD) …
Pros:
• Detection of attacks that would be missed by other detection mechanisms, with applications confined to specific types of traffic that can be easily measured.
Cons:
• Deviations from baseline usage patterns can actually be false positives.
• Attack reporting is hard to interpret or turn into an action.
• Traffic is large and constantly changing -> difficult to establish a baseline.
• Attacks can be contained within the baseline with no one the wiser.
• Attackers can train the system: attack traffic seen as normal; false alarms.
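An added example (not from the lecture slides) for the SAD “How?” slide and for the “attackers can train the system” con above: a long-term profile (mean and standard deviation of a measure) is compared with a short-term window, the deviation is expressed as a z-score, and the baseline is only updated from windows that were not flagged. The per-minute connection counts, the 3-standard-deviation threshold and the helper names are assumptions.

```python
# Added example, not from the lecture slides: the SAD comparison of a long-term
# usage profile against a short-term observed profile, with the "standard
# deviation" test expressed as a z-score. Also shows the "attackers can train
# the system" con: the baseline is only extended with windows that were not
# flagged. All counts are constructed per-minute connection totals; the
# threshold of 3 standard deviations is an assumption.
import statistics

def build_profile(samples):
    """Long-term profile: mean and (population) standard deviation of a measure."""
    return statistics.fmean(samples), statistics.pstdev(samples)

def deviation(profile, short_term):
    """Number of standard deviations the short-term mean sits from the long-term mean."""
    mean, stdev = profile
    observed = statistics.fmean(short_term)
    if stdev == 0:  # perfectly flat baseline: any change at all is unusual
        return 0.0 if observed == mean else float("inf")
    return (observed - mean) / stdev

def is_anomalous(profile, short_term, threshold=3.0):
    """Report the window as a potential attack if the deviation is 'statistically significant'."""
    return abs(deviation(profile, short_term)) > threshold

def update_baseline(long_term, short_term, threshold=3.0):
    """Roll a window into the long-term data only if it was not flagged; otherwise
    an attacker could keep feeding traffic until the profile treats it as normal."""
    if is_anomalous(build_profile(long_term), short_term, threshold):
        return list(long_term)
    return list(long_term) + list(short_term)

# Constructed baseline: quiet per-minute connection counts
LONG_TERM = [8, 10, 9, 11, 10, 12, 9, 10, 11, 8, 10, 9, 12, 11, 10, 9]
SHORT_TERM_QUIET = [9, 11, 10]
SHORT_TERM_FLOOD = [90, 120, 110]   # the slide's example: flooding a host with packets

if __name__ == "__main__":
    profile = build_profile(LONG_TERM)
    for window in (SHORT_TERM_QUIET, SHORT_TERM_FLOOD):
        print(window, round(deviation(profile, window), 2), is_anomalous(profile, window))
```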
Host-Based vs. Network-Based Systems (1)
Host-Based System (HIDS)
• Runs on distinct hosts or devices within the network.
• Monitors the behavior of incoming and outgoing packets, and reports any abnormal activity detected.
• System logs (syslog), the integrity of the file system (fingerprinting), and process execution are examined, such as TCP Wrappers and the network stack.
• “In a host-based system, the [intrusion detection system] examines the activity on each individual computer or host.” – Webopedia.com
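An added example (not from the lecture slides) of the file-system “fingerprinting” check the HIDS slide lists: a baseline of SHA-256 digests is taken while the host is trusted, a later snapshot is compared against it, and modified, removed and newly added files are reported. The file paths and contents are constructed in memory so the example runs offline; the helper names are assumptions.

```python
# Added example, not from the lecture slides: the file-system "fingerprinting"
# check a host-based IDS runs. A baseline of per-file SHA-256 digests is taken
# while the host is trusted; a later snapshot is compared against it and any
# modified, removed or newly added file is reported. File contents are
# constructed in memory (path -> bytes) so the example runs offline.
import hashlib

def fingerprint(files):
    """Build the baseline: {path: SHA-256 hex digest} for every monitored file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def compare(baseline, current):
    """Diff two fingerprint tables and report what changed since the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    removed = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "removed": removed, "added": added}

def has_changes(report):
    """True if any category of the report is non-empty, i.e. an alarm should be raised."""
    return any(report.values())

# Constructed snapshot taken while the host is trusted
TRUSTED_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/bin/login": b"ELF-login-binary-original",
    "/etc/hosts.allow": b"sshd: 10.0.0.0/24\n",   # TCP Wrappers policy, as on the slide
}
# Constructed later snapshot: passwd edited, hosts.allow deleted, unknown library added
LATER_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n",
    "/bin/login": b"ELF-login-binary-original",
    "/usr/lib/.cache.so": b"unknown-shared-object",
}

if __name__ == "__main__":
    report = compare(fingerprint(TRUSTED_FILES), fingerprint(LATER_FILES))
    print("ALARM" if has_changes(report) else "clean", report)
```

In a real deployment the baseline table itself must be stored where an intruder on the host cannot rewrite it (read-only media or a remote collector), or the comparison proves nothing.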
Host-Based IDSs
• Using OS auditing mechanisms
  – E.g., log all direct or indirect events generated by a user
• Monitoring user activities
• Monitoring executions of system programs
Host/Application-based IDS
• The host operating system or the application logs the audit information.
• This audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc.
• This audit trail is then analyzed to detect traces of intrusion.
Drawbacks of the host-based IDS
• The kind of information that needs to be logged is a matter of experience.
• Unselective logging of messages may greatly increase the audit and analysis burdens.
• Selective logging runs the risk that attack manifestations could be missed.
Strengths of the host-based IDS
• Attack verification
• System-specific activity
• Encrypted and switched environments
• Monitoring key components
• Near real-time detection and response
• No additional hardware
Host-Based vs. Network-Based Systems (2)
Network-Based System (NIDS)
• The individual packets flowing through a network are analyzed.
• NIDS can detect suspicious packets that are designed to be overlooked by a firewall’s “crude” filtering rules.
• The network traffic is examined for pattern matching among packets, and the flow of the network is also examined.
Network IDSs
• Deploying sensors at strategic locations
  – E.g., packet sniffing via tcpdump at routers
• Inspecting network traffic
  – Watch for violations of protocols and unusual connection patterns
• Monitoring user activities
  – Look into the data portions of the packets for malicious command sequences
• May be easily defeated by encryption
  – Data portions and some header information can be encrypted
Network-based IDS
• This IDS looks for attack signatures in network traffic via a promiscuous interface.
• A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known non-malicious traffic.
Strengths of Network-based IDS
• Cost of ownership reduced
• Packet analysis
• Evidence removal
• Real-time detection and response
• Malicious intent detection
• Complement and verification
• Operating system independence
What is a Honeypot?
• An information system resource whose value lies in unauthorized or illicit use of that resource [Spitzner]
Honeypots are put up for several reasons:
• To watch what attackers do, in order to learn about new attacks
• To lure an attacker to a place in which one may be able to learn enough to identify and stop the attacker
• To distract adversaries from more valuable machines on a network
Uses of Honeypots …
Prevent Attacks
• Network security
  – Studying traffic patterns
  – Determining new hacker techniques
Detect Attacks
• Spam prevention
• Credit card fraud identification
Advantages & Disadvantages
• Advantages:
  – Simple to create and maintain
  – Collect information of great value
  – Reduce false positives
  – Capture any activity; can work in IPv6/encrypted networks
• Disadvantage:
  – Can only track activity that directly interacts with them
Module Outline Syllabus
– Concept of Secure Computing, Domain of Protection, Social Engineering, Attacks and Defenses, Defining Security Policy, Classical Ciphers, Encryption and Decryption, Symmetric and Asymmetric Ciphers, Operating System Holes, Application Security (Web, e-mail, Databases), Viruses, Privacy, and Digital Rights Management, Intrusion Detection Systems, Secure Protocols, Security of Middleware, Software Protection, Web Security and Wireless Network Security.