Intrusion Detection Systems (lecture slides, Aleksandar Milenkoski, University of Würzburg)


Post on 06-Mar-2018







<ul><li><p>Intrusion Detection Systems </p><p>Aleksandar Milenkoski, Chair of Software Engineering, University of Würzburg</p></li><li><p>Affiliation history: Sep. 2011 - Sep. 2014: Marie Curie Research Fellow at the Karlsruhe Institute of Technology, Karlsruhe, Germany. March 2013 - May 2013: Visiting Researcher at University of Rennes 1, Rennes, France. Since Sep. 2014: Doctoral Researcher at University of Würzburg, Würzburg, Germany.</p><p>Research interests: network and system security; vulnerability analysis; intrusion detection; evaluation of intrusion detection systems.</p><p>Background information</p><p>2/41 Intrusion Detection Systems</p></li><li><p>Relevant publications:</p><p>Aleksandar Milenkoski, Marco Vieira, Samuel Kounev, Alberto Avritzer, and Bryan D. Payne. Evaluating Computer Intrusion Detection Systems: A Survey of Common Practices. ACM Computing Surveys, 48(1):12:1-12:41, September 2015, ACM, New York, NY, USA. 5-year Impact Factor (2014): 5.949.</p><p>Aleksandar Milenkoski, Bryan D. Payne, Nuno Antunes, Marco Vieira, Samuel Kounev, Alberto Avritzer, and Matthias Luft. Evaluation of Intrusion Detection Systems in Virtualized Environments Using Attack Injection. In The 18th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID 2015), Kyoto, Japan, November 2015. Springer. Acceptance rate: 23%.</p><p>Aleksandar Milenkoski, Bryan D. Payne, Nuno Antunes, Marco Vieira, and Samuel Kounev. Experience Report: An Analysis of Hypercall Handler Vulnerabilities. In Proceedings of The 25th IEEE International Symposium on Software Reliability Engineering (ISSRE 2014) - Research Track, Naples, Italy, November 2014. IEEE Computer Society, Washington DC, USA. Acceptance rate: 25%, Best Paper Award nomination.</p><p>Aleksandar Milenkoski, Samuel Kounev, Alberto Avritzer, Nuno Antunes, and Marco Vieira. 
On Benchmarking Intrusion Detection Systems in Virtualized Environments. Technical Report SPEC-RG-2013-002 v.1.0, SPEC Research Group - IDS Benchmarking Working Group, Standard Performance Evaluation Corporation (SPEC), 7001 Heritage Village Plaza Suite 225, Gainesville, VA 20155, USA, June 2013.</p><p>Background information (2)</p></li><li><p>Basics: What is an intrusion detection system (IDS)? Types of intrusion detection systems (IDSes).</p><p>Snort: the de-facto standard open-source IDS.</p><p>Advanced topics: IDSes in virtualized environments; evaluation of IDSes; evaluation of IDSes in virtualized environments.</p><p>Outline</p></li><li><p>BASICS</p></li><li><p>The NIST (National Institute of Standards and Technology) definition, from NIST SP 800-94:</p><p>Def.: Intrusion detection is the process of monitoring the events occurring in a computer or networked system and analyzing said events for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.</p><p>Def.: An IDS is software, or a hardware appliance, that automates the intrusion detection process.</p><p>Basics</p></li><li><p>Basics: Basic IDS architecture</p><p>Data flow: Input -&gt; Sensors -&gt; Analysis Engine -&gt; Output.</p></li><li><p>Basics: IDS types</p><table><tr><th>Property</th><th>IDS type</th></tr><tr><td>Monitored platform</td><td>Host-based, Network-based, Hybrid</td></tr><tr><td>Attack detection method</td><td>Misuse-based, Anomaly-based, Hybrid</td></tr><tr><td>Deployment architecture</td><td>Distributed, Non-distributed</td></tr></table><p>Non-exhaustive systematization</p></li><li><p>Host-based: monitors the activities on the system (i.e., the host) where it is deployed, to detect local attacks, that is, attacks executed by users of the targeted system itself.</p><p>Network-based: 
monitors network traffic to detect remote attacks, that is, attacks carried out over a network connection.</p><p>Hybrid: combines host-based and network-based monitoring.</p><p>Basics: Monitored platform</p></li><li><p>Misuse-based: evaluates system and/or network activities against a set of signatures of known attacks.</p><p>Anomaly-based: uses a baseline profile of regular network and/or system activities as a reference to distinguish between regular and anomalous activities.</p><p>Hybrid: combines misuse-based and anomaly-based detection.</p><p>Basics: Attack detection method</p></li><li><p>Misuse-based versus anomaly-based IDSes</p><p>Def.: Zero-day attacks: attacks that exploit vulnerabilities that have not been publicly disclosed before the execution of the attacks.</p><p>What is effective against zero-day attacks: a misuse- or an anomaly-based IDS? A misuse-based IDS cannot detect an attack for which no signature exists yet; only an anomaly-based IDS has a chance, because it flags deviations from the baseline rather than known patterns.</p><p>Example: Adam always reads his e-mails on Sundays around 5 pm. This Saturday, at 11 am, he accessed his inbox.</p><p>Def.: False alert: an alert generated by an IDS when there is no attack/intrusion.</p><p>What may generate a false alert: a misuse- or an anomaly-based IDS? In this example, Adam's Saturday login deviates from his baseline but is not an attack, so an anomaly-based IDS may raise a false alert; a misuse-based IDS stays silent because no attack signature matches.</p><p>Basics: Attack detection method (2)</p></li><li><p>Non-distributed: non-compound IDS that can be deployed only at a single location.</p><p>Distributed: compound IDS that consists of multiple intrusion detection subsystems that can be deployed at different locations and communicate to exchange intrusion detection-relevant data.</p><p>Basics: Deployment architecture</p></li><li><p>Def.: Coordinated attacks: carefully orchestrated attacks that target multiple victims at specific moments in time towards achieving a given malicious goal.</p><p>Example: An attacker using a single IP address first breaks into a mail server of CityBank deployed in Europe and then uses stolen (valid) credentials to access a mail server of CityBank in the US. 
</p><p>What is effective against such an attack: a non-distributed or a distributed IDS? Only a distributed IDS can correlate the break-in observed in Europe with the later login in the US; each site's sensor on its own sees only one legitimate-looking step.</p><p>Basics: Deployment architecture (2)</p><p>Figure: IDS Europe sends an alert carrying the attacker's IP address to a central analysis component; IDS US reports the login event from the same address; central analysis correlates the two and denies access to that address.</p></li><li><p>SNORT: the de-facto standard IDS</p></li><li><p>What is Snort? Snort is a packet analysis tool: a network-based intrusion detection system, a sniffer, and a forensic data analysis tool.</p><p>Advantages of Snort: portable (Linux, Windows, Mac OS X, Solaris, BSD, IRIX, Tru64, HP-UX, ...); fast; configurable (many reporting/logging options); free (GPL/open source software).</p><p>Introduction to Snort</p></li><li><p>Snort is a misuse-based IDS: it detects signatures of attacks using rules.</p><p>Known attacks have signatures, sequences of bytes that characterize a malicious packet almost for sure. Example: the Code Red worm (2001) exploited a buffer overflow vulnerability in IIS 4.0 and 5.0 (in the Indexing Service ISAPI extension, idq.dll); its HTTP request carried the signature below.</p><p>Attack detection</p><p>/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801</p></li><li><p>Architecture of Snort</p><p>Figure: data flow through Snort: packet stream (sniffing) -&gt; Packet Decoder -&gt; Preprocessor -&gt; Detection engine -&gt; Output stage -&gt; alerts/logs.</p></li><li><p>Packet decoder: determines which underlying protocols are used in the packet (such as Ethernet, IP, TCP, etc.).
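As an added illustration of the misuse-based matching just described (a Python example written for this page, not Snort's code; Snort's rule language is far richer), the block below parses a small subset of Snort rule syntax, the header (action, protocol, source and destination network with CIDR and "!" negation, ports or port ranges) and the options flags, content and msg, and runs the rules over constructed packet records. One rule carries the Code Red signature bytes shown above; the other two match TCP flag combinations (SYN+FIN, and SYN with both reserved bits, as the QueSO fingerprinting tool sends). The rule texts, the Packet record and the traffic are constructed for the example.

```python
"""Added toy matcher for a subset of Snort rule syntax (not Snort's code)."""
import ipaddress
import re
from dataclasses import dataclass

# TCP flag letters as in Snort's "flags" option; "1"/"2" are the reserved bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

@dataclass
class Packet:            # constructed decoded-packet record (what the decoder yields)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0       # TCP flags byte
    payload: bytes = b""

@dataclass
class Rule:
    action: str
    proto: str
    src: tuple           # (ip_network or None for "any", negated)
    sport: tuple         # ((lo, hi) or None for "any", negated)
    dst: tuple
    dport: tuple
    opts: list           # [(key, value), ...] in rule order

    def msg(self):
        return dict(self.opts).get("msg", "")

def _parse_addr(tok):
    neg, tok = tok.startswith("!"), tok.lstrip("!")
    return (None if tok == "any" else ipaddress.ip_network(tok, strict=False)), neg

def _parse_port(tok):
    neg, tok = tok.startswith("!"), tok.lstrip("!")
    if tok == "any":
        return None, neg
    lo, sep, hi = tok.partition(":")
    return (int(lo or 0), int(hi or 65535) if sep else int(lo)), neg

def _parse_options(text):
    opts = []
    for part in text.split(";"):          # this subset has no ';' inside quotes
        key, _, val = part.strip().partition(":")
        if key:
            opts.append((key.strip(), val.strip().strip('"')))
    return opts

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    return Rule(m["action"], m["proto"], _parse_addr(m["src"]), _parse_port(m["sport"]),
                _parse_addr(m["dst"]), _parse_port(m["dport"]), _parse_options(m["opts"]))

def _match_addr(spec, ip):
    net, neg = spec
    return (net is None or ipaddress.ip_address(ip) in net) != neg   # "!" inverts

def _match_port(spec, port):
    rng, neg = spec
    return (rng is None or rng[0] <= port <= rng[1]) != neg

def _match_flags(spec, flags):
    """Snort semantics: bare letters = flag byte equals exactly these; '+' = at
    least these; '*' = any of these; '!' = none of these. A ',mask' suffix is dropped."""
    mod = spec[0] if spec[:1] in ("+", "*", "!") else ""
    want = 0
    for ch in spec[len(mod):].split(",")[0]:
        want |= FLAG_BITS[ch]
    if mod == "+":
        return flags & want == want
    if mod == "*":
        return flags & want != 0
    if mod == "!":
        return flags & want == 0
    return flags == want

def match(rule, pkt):
    if rule.proto not in ("any", pkt.proto):
        return False
    if not (_match_addr(rule.src, pkt.src) and _match_port(rule.sport, pkt.sport)
            and _match_addr(rule.dst, pkt.dst) and _match_port(rule.dport, pkt.dport)):
        return False
    for key, val in rule.opts:            # every flags/content option must hold
        if key == "flags" and not _match_flags(val, pkt.flags):
            return False
        if key == "content" and val.encode() not in pkt.payload:
            return False
    return True

def run(rules, packets):
    """Detection engine: (src, dst, msg) for every rule that each packet triggers."""
    return [(p.src, p.dst, r.msg()) for p in packets for r in rules if match(r, p)]

RULES = [parse_rule(r) for r in (
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF; msg:"SYN-FIN scan";)',
    'alert tcp any any -> any any (flags:S12; msg:"Queso scan";)',
    'alert tcp any any -> any 80 (content:"/default.ida?NNNN"; '
    'content:"%u9090%u6858%ucbd3%u7801"; msg:"Code Red probe";)')]
SF = FLAG_BITS["S"] | FLAG_BITS["F"]
S12 = FLAG_BITS["S"] | FLAG_BITS["1"] | FLAG_BITS["2"]
PACKETS = [                                # constructed traffic, not a capture
    Packet("tcp", "203.0.113.5", 40000, "10.1.1.7", 22, flags=SF),    # outside -> inside
    Packet("tcp", "10.1.1.9", 40001, "10.1.1.7", 22, flags=SF),       # inside -> inside
    Packet("tcp", "203.0.113.5", 40002, "10.1.1.7", 80, flags=S12),
    Packet("tcp", "198.51.100.2", 40003, "10.1.1.7", 80, flags=FLAG_BITS["A"] | FLAG_BITS["P"],
           payload=b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n"),
    Packet("tcp", "198.51.100.2", 40004, "10.1.1.7", 80, flags=FLAG_BITS["S"]),
]

if __name__ == "__main__":
    for alert in run(RULES, PACKETS):
        print(alert)
```

Running it yields three alerts: the SYN-FIN packet from outside the subnet (the one from 10.1.1.9 is excluded by the "!" negation), the QueSO-style SYN with both reserved bits, and the Code Red request. Note the default semantics of flags: without a modifier the flag byte must equal the listed flags exactly, so a SYN-FIN rule does not fire on a packet that also has ACK set; the "+", "*" and "!" modifiers relax that. Real Snort content matching also supports hex bytes between pipes, offsets, depth and case-insensitive matching, none of which this subset implements.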
It also looks for errors or anomalies in the packet header fields.</p><p>Preprocessor: allows users and programmers to drop modular plugins into Snort (e.g., SMTP, POP, FTP preprocessors).</p><p>Detection engine: evaluates packets against rules.</p><p>Output stage: generates output.</p><p>Architecture of Snort (2)</p></li><li><p>Detection engine: Rules</p><p>A rule consists of a rule header (action, protocol, source address and port, direction, destination address and port) and rule options in parentheses. Examples, with the address and port fields written out in full:</p><p>alert tcp any any -&gt; any any (flags: SF; msg: "SYN-FIN Scan";)</p><p>alert tcp any any -&gt; any any (flags: S12; msg: "Queso Scan";)</p><p>alert tcp any any -&gt; any any (flags: F; msg: "FIN Scan";)</p><p>alert tcp !10.1.1.0/24 any -&gt; 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN scan";)</p><p>The last rule alerts on traffic from outside the 10.1.1.x subnet to the 10.1.1.x subnet with the SYN and FIN flags set (the "!" negates the source network). Without a modifier, "flags: SF" matches only packets whose flag byte is exactly SYN+FIN; "flags: S12" matches SYN together with the two reserved bits, the combination sent by the Queso OS-fingerprinting tool.</p></li><li><p>Output stage: interesting packets are sent to log files, and also to various add-ons: SnortSnarf (HTML output), SnortPlot (plots of attacks), Swatch (e-mail alerts).</p><p>Usability is important</p></li><li><p>Snort as is is a non-distributed IDS. However, third-party tools can be used, e.g., Demarc [now offline]: a NIDS management console.</p><p>Snort as a distributed IDS</p></li><li><p>Intrusion Detection Systems</p><p>Advanced topics: IDSes in virtualized environments; evaluation of IDSes; evaluation of IDSes in virtualized environments.</p></li><li><p>Virtualized environment: hypervisor (Xen, KVM, VMware, ...) and 
virtual machines (VMs).</p><p>The hypervisor observes all VM activities (system and network activities).</p><p>Introduction</p><p>Figure: two guest VMs on top of the hypervisor; network traffic enters through the NIC, which the hypervisor controls.</p></li><li><p>Architecture</p><p>Examples of IDSes for virtualized environments: VMFence, Xenini, OSSEC, Wizard, Snort.</p></li><li><p>Benefits: isolation from malicious VM users; transparency (the monitored VM does not see the IDS).</p><p>Drawbacks: some host-based IDSes require modifications of the hypervisor, which makes deployment difficult in closed-source hypervisors (vendor support is a must). If no hypervisor modification is made, host-based IDSes only have access to low-level hypervisor data (e.g., memory dumps), which cannot be easily interpreted by an attack analysis engine.</p><p>Benefits and drawbacks</p></li><li><p>If no hypervisor modification is made, host-based IDSes only have access to low-level hypervisor data (e.g., memory dumps), which cannot be easily interpreted by an attack analysis engine.</p><p>Solution: an interpreter that reconstructs guest-OS-level semantics (e.g., processes, kernel data structures) from the raw memory, i.e., virtual machine introspection. Pipeline: memory dump -&gt; interpreter (e.g., LibVMI) -&gt; analysis.</p><p>Virtual machine introspection</p></li><li><p>Advanced topics: IDSes in virtualized environments; evaluation of IDSes; evaluation of IDSes in virtualized environments.</p></li><li><p>IDS evaluation answers two major questions: how well does this IDS perform? Is this IDS better than that one? 
Evaluation criteria: attack detection accuracy, performance overhead.</p><p>Benefits of evaluation of IDSes: enables the comparison of different IDSes; enables the improvement of the configuration of deployed IDSes; reduced risk of security breaches.</p><p>Introduction</p></li><li><p>Core components of an IDS evaluation: workloads, metrics, and measurement methodology.</p></li><li><p>Workloads</p><table><tr><th>Categorization criterion</th><th>Workload type</th></tr><tr><td>Content</td><td>Pure benign, Pure malicious, Mixed</td></tr><tr><td>Form</td><td>Executable, Trace</td></tr></table><p>Sources of executable malicious workloads (exploits): Exploit Database, PacketStorm, SecurityFocus.</p></li><li><p>Workloads: Honeypots</p></li><li><p>Workloads: Trace form</p><table><tr><th>Repository</th><th>Content</th><th>Activities</th><th>Labelled</th><th>Realistic</th><th>Anonymized</th><th>Metadata</th></tr><tr><td>CAIDA</td><td>Mixed</td><td>Netw.</td><td>No</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>DEFCON</td><td>Malicious</td><td>Netw.</td><td>No</td><td>No</td><td>No</td><td>No</td></tr><tr><td>DARPA</td><td>Mixed</td><td>Netw./Host</td><td>Yes</td><td>No</td><td>No</td><td>Yes</td></tr><tr><td>ITA</td><td>Benign</td><td>Netw.</td><td>No</td><td>Yes</td><td>Yes</td><td>No</td></tr><tr><td>LBNL</td><td>Benign</td><td>Netw.</td><td>No</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>MAWILab</td><td>Mixed</td><td>Netw.</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr></table><p>The DARPA datasets: labelled network and host traces (see the table). Ground truth is important: without labels, the detection metrics on the next slide cannot be computed.</p></li><li><p>Metrics</p><table><tr><th>Metric</th><th>Formula</th></tr><tr><td>False negative rate</td><td>β = P(¬A | I)</td></tr><tr><td>True positive rate</td><td>1 - β = P(A | I)</td></tr><tr><td>False positive rate</td><td>α = P(A | ¬I)</td></tr><tr><td>True negative rate</td><td>1 - α = P(¬A | ¬I)</td></tr></table><p>A: an IDS generates an alert; I: an attack is performed; P: probability.</p><p>These metrics originate from signal detection theory: J. Hancock and P. Wintz, Signal Detection Theory. New York: McGraw-Hill, 1966. 
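The following added Python example (not from the slides or their tooling) computes these rates from a labelled set of IDS outputs, walks the detection threshold to obtain the points of the ROC curve, and scores each operating point with the intrusion detection capability C_ID = I(X;Y)/H(X) of Gu et al. (ASIACCS 2006), the metric plotted on the next slide, which the slides use without defining. The scores and labels are constructed; note that C_ID needs the base rate P(I), which α and β alone do not carry.

```python
"""Added example: detection rates, ROC points and operating-point selection.

alpha/beta follow the slide's definitions; C_ID is the intrusion detection
capability of Gu et al. (ASIACCS 2006), added here for the comparison.
"""
import math

# Constructed evaluation data: one anomaly score per event and whether the
# event was an attack (I = 1) or benign (I = 0). Not real IDS output.
SCORES = [0.9, 0.8, 0.7, 0.4, 0.1, 0.2, 0.3, 0.3, 0.5, 0.6]
LABELS = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]

def rates(scores, labels, threshold):
    """(alpha, beta) for the operating point 'alert iff score >= threshold':
    alpha = P(A | not I) = FP / (FP + TN), beta = P(not A | I) = FN / (FN + TP)."""
    tp = fp = tn = fn = 0
    for score, intrusion in zip(scores, labels):
        alert = score >= threshold
        if intrusion and alert:
            tp += 1
        elif intrusion:
            fn += 1
        elif alert:
            fp += 1
        else:
            tn += 1
    alpha = fp / (fp + tn) if fp + tn else 0.0
    beta = fn / (fn + tp) if fn + tp else 0.0
    return alpha, beta

def roc_points(scores, labels):
    """One (threshold, alpha, 1 - beta) point per distinct threshold: the ROC curve."""
    points = []
    for t in sorted(set(scores), reverse=True):
        alpha, beta = rates(scores, labels, t)
        points.append((t, alpha, 1 - beta))
    return points

def entropy(probs):
    return -sum(p * math.log2(p) for p in probs if p > 0)

def cid(alpha, beta, base_rate):
    """C_ID = I(X;Y) / H(X): the share of the uncertainty about whether an
    intrusion happened (X) that the IDS's alert decision (Y) removes."""
    b = base_rate
    joint = {(1, 1): b * (1 - beta), (1, 0): b * beta,
             (0, 1): (1 - b) * alpha, (0, 0): (1 - b) * (1 - alpha)}
    px = {1: b, 0: 1 - b}
    py = {1: joint[1, 1] + joint[0, 1], 0: joint[1, 0] + joint[0, 0]}
    mutual = sum(p * math.log2(p / (px[x] * py[y])) for (x, y), p in joint.items() if p > 0)
    hx = entropy(px.values())
    return mutual / hx if hx > 0 else 0.0

def best_operating_point(scores, labels, base_rate):
    """Threshold maximising C_ID; returns (threshold, alpha, 1 - beta, C_ID)."""
    best = None
    for t, alpha, tpr in roc_points(scores, labels):
        c = cid(alpha, 1 - tpr, base_rate)
        if best is None or c > best[3]:
            best = (t, alpha, tpr, c)
    return best

if __name__ == "__main__":
    base = sum(LABELS) / len(LABELS)
    for t, alpha, tpr in roc_points(SCORES, LABELS):
        print(f"threshold {t:.1f}: alpha={alpha:.3f} 1-beta={tpr:.3f} "
              f"C_ID={cid(alpha, 1 - tpr, base):.3f}")
    print("best operating point:", best_operating_point(SCORES, LABELS, base))
```

On the constructed data the threshold 0.7 wins (α = 0, 1 - β = 0.75): raising the true positive rate to 1 costs two false positives out of six benign events, and C_ID ranks that trade worse. A perfect IDS (α = β = 0) gives C_ID = 1 and a coin-flip IDS gives 0; the same α and β evaluated at a realistic base rate of one attack per thousand events score very differently, which is why an ROC point alone is not enough to call an operating point optimal.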
</p></li><li><p>ROC (Receiver Operating Characteristic) curve: plots the true positive rate (1 - β) against the corresponding false positive rate (α) for each IDS operating point.</p><p>Def.: IDS operating point: an IDS configuration (e.g., a detection threshold) yielding a particular pair (α, 1 - β).</p><p>Metrics (2)</p><p>Common goal: identification of an optimal operating point.</p><p>Figure: intrusion detection capability (C_ID, from 0 to 1) plotted against the false positive rate α (axis in units of 10^-3, from 0.5 to 3).</p></li><li><p>Measurement methodology</p><p>Attack detection accuracy is not the only relevant IDS property: is accuracy of any relevance if attacks are detected too late?</p><p>Attack-detection-related properties: attack detection accuracy; attack coverage; resistance to evasion techniques; attack detection and reporting speed.</p><p>Resource-consumption-related properties: CPU consumption; memory consumption; network consumption.</p><p>Others: performance overhead; workload processing capacity.</p></li><li><p>IDS Evaluation: Historical overview (1995 - 2014)</p><p>1996: Puketza et al. develop an approach and a framework for evaluating IDSes in a systematic manner.</p><p>1998 - 1999: Researchers from Lincoln Laboratory at MIT generate trace files for evaluating IDSes (i.e., the DARPA datasets) and evaluate multiple IDSes.</p><p>2000 - 2014: Small-scale IDS evaluation studies are carried out by researchers designing novel IDSes and occasionally appear in trade magazine articles.</p><p>2011: Dumitras et al. present the WINE datasets and a platform for evaluating IT security systems.</p><p>Also in 1998: Debar et al. 
develop a workbench for evaluating IDSes.</p></li><li><p>Advanced topics: IDSes in virtualized environments; evaluation of IDSes; evaluation of IDSes in virtualized environments.</p></li><li><p>IDSes that detect virtualization-specific attacks: attacks targeting hypervisors.</p><p>Hypercalls: the guest-to-hypervisor interface, the hypervisor counterpart of system calls; a critical attack surface of hypervisors [Rutkowska, J., Wojtczuk, R. @ BlackHat USA 2008].</p><p>Hypercall IDSes: examples: Collabra, Xenini, CC Detector, OSSEC, ...; components in the hypervisor; anomaly-based.</p><p>IDSes in virtualized environments</p></li><li><p>How do we extensively evaluate the accuracy of hypercall IDSes? There are no workloads: no traces, and attack scripts targeting hypercall (hypervisor) weaknesses are extremely rare.</p><p>An approach for generating IDS evaluation workloads: injection of malicious hypercall activities (e.g., attacks, covert channel operations) during regular operation of VMs, i.e., live testing of hypercall IDSes.</p><p>An open issue</p></li><li><p>hInjector: publicly available.</p><p>Attack injection</p><p>Figure: hInjector architecture. In the malicious VM (MVM): a user-space Injector with its Configuration and Logs, and a loadable kernel module (LKM) in the guest kernel that issues the hypercalls on a vCPU. In the hypervisor: a Filter in front of the Hypercall handler, with shared_info and guest Memory involved. The IDS under test runs in a secure VM (SVM) and monitors the hypervisor; the numbered steps 1 to 6 in the figure trace one injected hypercall through these components.</p></li><li><p>Design criteria for realistic and practically feasible IDS evaluation: injection of realistic attacks [35 PoCs, new attacks can be easily configured]; injection during regular system operation; non-disruptive attack injection; low performance overhead.</p><p>Attack injection (2)</p></li><li><p>IDS under test: Xenini [Maiero et al. 
2011]: analyses sequences of hypercalls of length n [n=10]; calculates anomaly scores between 0 and 1 and fires an alert if a...</p></li></ul>
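To tie the last slides together, the following added Python example (not Xenini or hInjector code; both are considerably more involved) builds a deliberately simple stand-in for a hypercall IDS of the kind described: it learns the k-grams of a benign hypercall trace, slides a sequence of length n = 10 over a live trace, scores each sequence between 0 and 1 by the share of its k-grams never seen during training, and alerts above a threshold. It then does what attack injection does conceptually: inserts a malicious hypercall sequence into a trace of regular operation and checks that the detector fires only around the injection. The hypercall names are Xen's; the activity patterns, the injected burst and all traces are constructed for the example.

```python
"""Added example: k-gram anomaly detection over a hypercall trace, plus
injection of a malicious hypercall sequence to test it. Not Xenini's
algorithm; the traces and patterns are synthetic."""
import random

N = 10            # length of the analysed hypercall sequence (the slide's n = 10)
K = 3             # k-gram size learned from the benign profile
THRESHOLD = 0.25  # alert when at least this share of a sequence's k-grams is unknown

# Constructed "regular operation" building blocks of a paravirtualised guest
# (Xen hypercall names; the groupings are invented for the example).
BENIGN_PATTERNS = {
    "timer_tick": ["set_timer_op", "sched_op", "event_channel_op", "sched_op"],
    "page_table": ["update_va_mapping", "mmu_update", "mmu_update", "multicall"],
    "net_io": ["grant_table_op", "event_channel_op", "grant_table_op",
               "event_channel_op", "sched_op"],
    "balloon": ["memory_op", "mmu_update", "update_va_mapping"],
}

# Constructed stand-in for an injected malicious activity: a burst of
# hypercalls this guest never issues during regular operation.
MALICIOUS = ["sysctl", "domctl", "sysctl", "domctl",
             "xen_version", "xen_version", "xen_version", "xen_version"]

def training_trace():
    """Benign profile: every ordered pair of patterns once, so every k-gram
    (k <= shortest pattern) that regular operation can produce is observed."""
    trace = []
    for a in BENIGN_PATTERNS.values():
        for b in BENIGN_PATTERNS.values():
            trace += a + b
    return trace

def regular_trace(n_patterns, seed):
    """A fresh trace of regular operation: patterns in seeded random order."""
    rng = random.Random(seed)
    names = list(BENIGN_PATTERNS)
    trace = []
    for _ in range(n_patterns):
        trace += BENIGN_PATTERNS[rng.choice(names)]
    return trace

def train(trace, k=K):
    """The model is the set of k-grams observed in the benign trace."""
    return {tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)}

def score_window(window, model, k=K):
    """Anomaly score in [0, 1]: share of the window's k-grams unseen in training."""
    grams = [tuple(window[i:i + k]) for i in range(len(window) - k + 1)]
    return sum(g not in model for g in grams) / len(grams)

def detect(trace, model, n=N, k=K, threshold=THRESHOLD):
    """Slide a length-n sequence over the trace; return (start index, score)
    for every sequence whose score reaches the threshold."""
    alerts = []
    for i in range(len(trace) - n + 1):
        s = score_window(trace[i:i + n], model, k)
        if s >= threshold:
            alerts.append((i, s))
    return alerts

def inject(trace, payload, at):
    """Attack injection: insert the malicious sequence into a trace of regular
    operation at position `at`; the surrounding regular activity continues."""
    return trace[:at] + list(payload) + trace[at:]

MODEL = train(training_trace())
CLEAN = regular_trace(30, seed=7)
INJECT_AT = 60
INJECTED = inject(CLEAN, MALICIOUS, INJECT_AT)

if __name__ == "__main__":
    print("alerts on clean trace:", detect(CLEAN, MODEL))
    for i, s in detect(INJECTED, MODEL):
        print(f"alert at hypercall #{i}: score {s:.2f}")
```

On the constructed data the clean trace raises no alert (α = 0 for this workload) and the injected burst drives the score to 1.0 in every window that contains it fully, with the alerts confined to windows overlapping the injection; a real evaluation needs many injections against realistic benign load to estimate α and β with any confidence, which is exactly the workload gap the slides describe. The weak spot of this detector is also visible: an attacker who keeps the malicious hypercalls sparse enough that fewer than a quarter of any window's k-grams are unknown stays below the threshold (mimicry), which is why resistance to evasion is listed among the properties to measure.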