Intrusion Detection Systems
Advanced Computer Networks 2007
Reinhard Wallner
Outline
• Introduction
• Types of IDS
• How an IDS works
• Attacks on IDS
• Intrusion Prevention Systems
• Limits of IDS
• Operation examples
What is an IDS …
• System to detect unwanted manipulations of computer systems
• Identification of misuse and abnormal behavior
• Detects many types of malicious network
Motivation
• Other security measures are not sufficient (authentication, firewall, …)
• Attacks motivated by
  - financial
  - political
  - military or
  - personal reasons
What does an IDS do?
• Logging and preparing for analysis
• Analysis
• Presentation (i.e. an alarm)
• Reaction (only in Intrusion Prevention Systems)
Types of IDS
• Host based IDS (HIDS)
• Network based IDS (NIDS)
• Hybrid IDS (combination of HIDS and NIDS)
Passive vs. Reactive System
• Passive System
  - Detects a potential security breach
  - Logs the information
  - Signals an alert
• A Reactive System additionally
  - Resets the connection
  - Reprograms the firewall
  - Automatically or manually
Host based IDS (HIDS) 1
• Installed on a host
• Monitors system objects and remembers their attributes, e.g. file-system objects
• Creates a checksum (optional)
• Database to store objects and attributes
• Reports anomalies in the form of logs, e-mails or similar
• Detects unauthorized insider activity or file
Host based IDS (HIDS) 2
• Pro
  - Detailed information about the attack
• Con
  - The HIDS itself can be attacked (and if the attacked host is down, the HIDS is down as well)
  - Local installation on each host
  - Host resources are needed
Network based IDS (NIDS) 1
• Monitors network traffic
• Tries to find suspicious patterns
• e.g. port scan detection
• The NIDS collaborates with other systems like a firewall
• Detects attempts from outside the trusted
Network based IDS (NIDS) 2
• Pro
  - Controls a network segment, not only one host
  - A defect of one host is no risk for the NIDS
• Con
  - The bandwidth of the NIDS can be overloaded
  - In switched networks a sensor does not see all of the traffic
• Use of taps
Hybrid IDS
• Combination of HIDS and NIDS
• Management console necessary
• Network sensors
Logging
• Handled differently by different IDS
• On a HIDS
  - Detailed information → specific analysis possible
• On a NIDS
  - Distributed sensors
  - Management station
Analysis 1
• Integrity check / target monitoring
  - Cryptographic signature or checksum to secure the integrity of files
  - On-demand (post mortem or reactive) integrity check
  - Simple to implement
• Signature detection / misuse detection
  - Compares network traffic with known signatures of attacks
  - Pattern matching procedures
Analysis 2
• Anomaly detection
  - Detects anomalies in user behavior
  - e.g. a secretary uses applications like nmap or gcc at 11 p.m.
  - Privacy problem!!!
• Stealth probes
  - Attempts to detect attackers that act over prolonged periods of time
  - Combination of signature detection and anomaly detection
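As an added example (not from the slides) of the anomaly detection described above: a per-user profile is learned from a constructed activity log and new events are scored against it, flagging the secretary who starts nmap or gcc late in the evening. The log line format and the "normal hour window" heuristic are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed training log of normal activity: "date time user program" per line.
# Only user, hour and program name go into the profile; the privacy problem the
# slide mentions grows with every additional detail that is logged.
BASELINE_LOG = """\
2007-05-07 08:55 secretary outlook
2007-05-07 09:10 secretary word
2007-05-07 11:30 secretary excel
2007-05-07 16:45 secretary outlook
2007-05-08 17:20 secretary excel
2007-05-07 10:15 developer gcc
2007-05-07 22:40 developer gcc
2007-05-08 23:05 developer ssh
"""

def parse(line):
    """Return (user, hour, program) for one log line."""
    _date, clock, user, program = line.split()
    return user, int(clock.split(":")[0]), program

def build_profile(log_text):
    """Per-user profile: the hours and the programs seen during the training period."""
    profile = defaultdict(lambda: {"hours": set(), "programs": set()})
    for line in log_text.strip().splitlines():
        user, hour, program = parse(line)
        profile[user]["hours"].add(hour)
        profile[user]["programs"].add(program)
    return profile

def score_event(profile, line):
    """List the deviations of one new event from the user's profile.
    An empty list means the event looks normal; an unknown user is itself an anomaly."""
    user, hour, program = parse(line)
    if user not in profile:
        return ["unknown user"]
    reasons = []
    hours = profile[user]["hours"]
    # Heuristic: the span between earliest and latest observed hour is the normal window.
    if not min(hours) <= hour <= max(hours):
        reasons.append("unusual hour")
    if program not in profile[user]["programs"]:
        reasons.append("unusual program")
    return reasons
```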
Attacks on IDS
• Integrity check with signature
  - is secure if the cryptographic system is good enough (e.g. RSA) and
  - if the private key is not stored on the host
• Integrity check with checksum
  - the integrity of the initial database can be tampered with (→ keep it on a WORM medium)
• Signature detection can be attacked by
  - DDoS
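As an added example (not from the slides) tying together the HIDS slides, the integrity check in "Analysis 1" and the attack on the initial database above: a baseline of file checksums is built, protected with an HMAC whose key stays off the monitored host, and later compared against the live file system. Paths, file contents and the key are constructed for the demonstration.

```python
import hashlib, hmac, json, os, tempfile

def hash_tree(root):
    """Baseline database: relative path -> SHA-256 of file contents (the slide's checksum)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                db[os.path.relpath(path, root).replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return db

def seal(db, key):
    """HMAC-SHA256-sealed database; the key stays off the monitored host (management station / WORM medium)."""
    body = json.dumps(db, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, "sha256").hexdigest().encode()

def unseal(blob, key):
    """Verify the tag before trusting the stored baseline; raise on any modification."""
    body, _sep, tag = blob.rpartition(b"\n")
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest().encode(), tag):
        raise ValueError("baseline database tampered with or wrong key")
    return json.loads(body)

def diff(baseline, current):
    """What the HIDS reports: modified, added and deleted objects."""
    return {"modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
            "added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current))}

def write(root, rel, data):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: take a baseline, then a login binary is replaced and a file planted."""
    key = b"constructed-demo-key-kept-off-host"
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/login", b"original binary")
        sealed = seal(hash_tree(root), key)
        write(root, "bin/login", b"trojaned binary")
        write(root, "tmp/planted", b"planted file")
        report = diff(unseal(sealed, key), hash_tree(root))
        try:  # flipping one byte of the stored baseline must be caught, not silently accepted
            unseal(sealed[:10] + b"X" + sealed[11:], key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected
```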
Insertion Attack
• Idea: use packets that the IDS accepts but the host does not
• e.g. the attacker sends packets
  - The packet with * is not accepted by the host
  - The IDS includes the * packet in the stream it inspects and therefore no longer recognizes the signature
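As an added example (not from the slides) for the signature detection of "Analysis 1" and the insertion attack above: the same pattern matcher is run over a stream reassembled naively and over one reassembled the way the destination host does it, which is the sensor-side mitigation. The segments, the checksum flag and the signature database are constructed for the illustration.

```python
# Constructed TCP segments as a sensor captures them, in arrival order. seq is the
# byte offset; checksum_ok is what the host's TCP/IP stack decides for that packet.
# The "*" segment has a bad checksum: the host drops it, a naive sensor keeps it.
SEGMENTS = [
    {"seq": 0, "data": b"A", "checksum_ok": True},
    {"seq": 1, "data": b"T", "checksum_ok": True},
    {"seq": 2, "data": b"*", "checksum_ok": False},
    {"seq": 2, "data": b"T", "checksum_ok": True},
    {"seq": 3, "data": b"A", "checksum_ok": True},
    {"seq": 4, "data": b"C", "checksum_ok": True},
    {"seq": 5, "data": b"K", "checksum_ok": True},
]

# Signature database: name -> byte pattern matched against the reassembled stream.
SIGNATURES = {"demo-attack-string": b"ATTACK"}

def reassemble(segments, host_faithful):
    """Rebuild the byte stream. Both policies keep the first segment seen for a
    sequence number; host_faithful additionally discards segments the destination
    host would reject, so the sensor inspects exactly what the host receives."""
    stream = {}
    for seg in segments:
        if host_faithful and not seg["checksum_ok"]:
            continue
        stream.setdefault(seg["seq"], seg["data"])
    return b"".join(stream[seq] for seq in sorted(stream))

def match_signatures(stream, signatures=SIGNATURES):
    """Pattern matching step of signature / misuse detection."""
    return sorted(name for name, pattern in signatures.items() if pattern in stream)

def detect(segments, host_faithful):
    """Full sensor pipeline: reassembly followed by signature matching."""
    return match_signatures(reassemble(segments, host_faithful))
```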
Intrusion Prevention Systems (IPS)
• Extended IDS
• Automated reactions to alarms from the IDS
  - e.g. updates a firewall blacklist
  - Actively changes or interrupts network traffic
  - Tries to prevent attacks in real time
• Honeypots
Honeypot
• Runs stand-alone on a server
• Simulates services or proxy servers (Sugarcane)
• Logs activity
• Legitimate users do not know about it and therefore never address a honeypot
• Automated attacks cannot distinguish the honeypot from a normal host
• Used for
  - attracting and tying up attacks
  - detecting and analyzing new attacks
  - protecting production systems
Tarpit
• Tries to slow down the spread of spammers and worms
• IP-, TCP- or application-level tarpits
• Example: HTTP tarpit
  - Tries to block the spammer's harvester (a search engine that collects e-mail addresses from web pages)
  - Delivers the web page very slowly
  - Inserts a lot of links to itself
Limits of IDS / IPS
• False positives and false negatives
• Unknown attacks cannot be detected or prevented
• Cryptographic methods (encrypted traffic) can be a problem
• Legal restrictions on identifying and logging attackers
• Needs other tools (firewall, router, …) to prevent intrusion
Operation examples 2
Intrusion Detection Message Exchange Format (IDMEF)
• Standardized communication protocol
• Protocol for communication between the IDS components (sensors, management console, …)
• Main requirements for the protocol
  - Authentication of the sender
  - Reliable information
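As an added example (not from the slides) of the sensor-to-console exchange described above: a minimal IDMEF Alert is built following the element layout of RFC 4765 (IDMEF-Message, Alert, Analyzer, CreateTime, Source, Target, Classification) and parsed back on the console side, rejecting messages that lack a mandatory element. Sender authentication is not part of the message format itself; IDMEF leaves that to the transport, so it is not modelled here. The analyzer id, addresses and classification text are constructed values.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "http://iana.org/idmef"  # IDMEF XML namespace (RFC 4765)
ET.register_namespace("idmef", NS)

def tag(name):
    return "{%s}%s" % (NS, name)

def ntpstamp(when):
    """CreateTime's required ntpstamp attribute: seconds since 1900 as hex, then the fraction."""
    secs = when.timestamp() + 2208988800
    return "0x%08x.0x%08x" % (int(secs), int((secs % 1) * 2**32))

def build_alert(analyzer_id, src_ip, dst_ip, classification, when):
    """Sensor side: build the Alert sent to the management console and return it as bytes."""
    root = ET.Element(tag("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, tag("Alert"), messageid=str(uuid.uuid4()))
    ET.SubElement(alert, tag("Analyzer"), analyzerid=analyzer_id)
    created = ET.SubElement(alert, tag("CreateTime"), ntpstamp=ntpstamp(when))
    created.text = when.isoformat()
    for role, ip in (("Source", src_ip), ("Target", dst_ip)):
        node = ET.SubElement(ET.SubElement(alert, tag(role)), tag("Node"))
        addr = ET.SubElement(node, tag("Address"), category="ipv4-addr")
        ET.SubElement(addr, tag("address")).text = ip
    ET.SubElement(alert, tag("Classification"), text=classification)
    return ET.tostring(root, encoding="utf-8")

def parse_alert(xml_bytes):
    """Console side: extract the fields an operator needs; reject half-formed alerts."""
    alert = ET.fromstring(xml_bytes).find(tag("Alert"))
    if alert is None:
        raise ValueError("not an IDMEF Alert message")
    for name in ("Analyzer", "CreateTime", "Classification"):
        if alert.find(tag(name)) is None:
            raise ValueError("mandatory element missing: " + name)
    out = {"messageid": alert.get("messageid"),
           "analyzer": alert.find(tag("Analyzer")).get("analyzerid"),
           "created": alert.find(tag("CreateTime")).text,
           "classification": alert.find(tag("Classification")).get("text")}
    for role in ("Source", "Target"):
        addr = alert.find("/".join(tag(n) for n in (role, "Node", "Address", "address")))
        out[role.lower()] = None if addr is None else addr.text
    return out

def demo():
    """Constructed round trip: a NIDS sensor reports a port scan to the console."""
    when = datetime(2007, 5, 14, 11, 2, 25, tzinfo=timezone.utc)
    return parse_alert(build_alert("nids-dmz-01", "192.0.2.7", "192.0.2.80", "Portscan", when))
```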
Summary
• IDS are necessary because security incidents are becoming more numerous and other security measures are not sufficient
• An IDS is an active system → needs administration
• The IDS itself can be attacked
• Cryptographic (encrypted) data can be a problem
• Never 100% protection
IDS/IPS Applications
• Snort [http://www.snort.org/] (NIPS)
• Prelude [http://www.prelude-ids.org/] (Hybrid IDS)
• Hogwash [http://hogwash.sourceforge.net/], combination of IDS and firewall
• Honeyd [http://www.honeyd.org/], honeypot
• LaBrea [http://labrea.sourceforge.net/labrea-info.html], honeypot and IDS
Questions
• Explain the three kinds of IDS. What are the advantages and disadvantages?
  - Slides 8-12
• Which analysis methods in IDS do you know? How can these methods be attacked?
Thanks for your attention!
Reinhard Wallner