Intrusion Detection System (IDS)
Introduction
What is intrusion
– type of attack on information assets in which the instigator attempts to gain entry into or disrupt a system with harmful intent
– when a user of an information system takes an action that the user was not legally allowed to take
– can be both from inside and outside
Principles of Intrusion Detection
Characteristics of systems not under attack
– User, process actions conform to statistically predictable pattern
– User, process actions do not include sequences of actions that subvert the security policy
– Process actions correspond to a set of specifications describing what the processes are allowed to do
Systems under attack do not meet at least one of these
Example
Goal: insert a back door into a system
– Intruder will modify system configuration file or program
– Requires privilege; attacker enters system as an unprivileged user and must acquire privilege
Nonprivileged user may not normally acquire privilege (violates #1)
Attacker may break in using sequence of commands that violate security policy (violates #2)
Attacker may cause program to act in ways that violate program's specification (violates #3)
Introduction (continued)
Intrusion detection: consists of procedures and systems created and operated to detect system intrusions
Related works
– Intrusion tolerance
– Intrusion prevention
– Intrusion reaction
– Intrusion correction activities
Scary Statistics
Just over 90% of interconnected networks that were running IDS detected computer security breaches in the last 12 months, in spite of the several firewall protections that had been installed.
Computer Security Institute, 4/7/02, reported that 80% of respondents reported financial losses; losses in excess of $455M were caused by intrusion and the malicious acts that followed.
Millions of jobs have been affected because of intrusion.
Only 0.1% of companies are spending the appropriate budget on IDS.
IDS are mostly misunderstood and are thought of as a firewall product or a substitute for one.
If you use an antivirus then you should also consider adding an IDS as a complementary product to your security strategy.
Most organizations using antivirus software do not use IDS.
Intrusion Detection Systems (IDSs)
Detects a violation of its configuration and activates alarm
Where should the alarm be sent?
– Notify administrators directly of trouble via e-mail or pagers
– Notify an external security service organization
IDS Terminology
Alert or alarm: indication that a system has just been attacked or is under attack
False negative: failure of the IDS to react to an actual attack
False positive: alert raised by normal, non-attack activity
False attack stimulus: event that triggers an alarm when no actual attack is in progress
Noise: alarm events that are accurate and noteworthy but do not pose a significant threat
True attack stimulus: event that triggers an alarm and causes the IDS to react as if a real attack is in progress
Confidence value: measure of the IDS's ability to detect and identify an attack correctly
Alarm filtering: classifying and ranking alerts so that only the ones that matter are acted on
Why Use an IDS?
Prevent problem behaviors by increasing the perceived risk of discovery and punishment
Detect attacks and other security violations
Detect and deal with preambles to attacks
Document existing threat to an organization
Act as quality control for security design and administration, especially of large and complex enterprises
Provide useful information about intrusions that take place
Intrusion Detection Methods
Signature-based
Statistical anomaly-based
Signature-Based IDS
Characterize known ways to penetrate a system
– Pattern/signature
Examine data traffic in search of patterns that match known signatures
Widely used because many attacks have clear and distinct signatures
Problem with this approach? Only attacks whose signatures are already in the database can be detected: a new attack, or a known one encoded or rearranged so that it no longer matches the stored pattern, passes unnoticed until the signature set is updated.
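The matching step and its weakness, as an added example that is not part of the original slides. The signatures and the labelled HTTP request lines are constructed for this example (they are not taken from any real ruleset); the example compares matching against the raw request with matching after URL-decoding, and includes one attack for which no signature exists at all.

```python
import re
from urllib.parse import unquote

# Hypothetical signatures, constructed for this example: (name, compiled pattern).
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("unix passwd read", re.compile(r"/etc/passwd")),
    ("sql injection tautology", re.compile(r"'[\s+]*or[\s+]+'1'[\s+]*=[\s+]*'1", re.IGNORECASE)),
]

# Constructed, labelled request lines: (payload, is_attack).
SAMPLE_REQUESTS = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1", True),
    ("GET /login?user=admin'+or+'1'='1 HTTP/1.1", True),
    # The same two attacks, URL-encoded: the raw bytes no longer contain the signature strings.
    ("GET /cgi-bin/view?file=..%2f..%2fetc%2fpasswd HTTP/1.1", True),
    ("GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1", True),
    # An attack with no signature in the list: invisible to a signature-based IDS in either mode.
    ("GET /cgi-bin/view?file=/etc/shadow HTTP/1.1", True),
]


def normalize(payload: str) -> str:
    """Decode '+' and %XX escapes (twice, to defeat double encoding) so the signatures are
    applied to the bytes the web server will actually interpret, not the bytes on the wire."""
    decoded = payload.replace("+", " ")
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded


def match_signatures(payload: str, normalize_first: bool) -> list:
    """Return the names of every signature that fires on the payload."""
    text = normalize(payload) if normalize_first else payload
    return [name for name, pattern in SIGNATURES if pattern.search(text)]


def evaluate(requests, normalize_first: bool):
    """Score the matcher against labelled traffic: (detected, false_negatives, false_positives)."""
    detected = false_negatives = false_positives = 0
    for payload, is_attack in requests:
        fired = bool(match_signatures(payload, normalize_first))
        if is_attack and fired:
            detected += 1
        elif is_attack:
            false_negatives += 1
        elif fired:
            false_positives += 1
    return detected, false_negatives, false_positives


if __name__ == "__main__":
    print("raw bytes       :", evaluate(SAMPLE_REQUESTS, normalize_first=False))
    print("after decoding  :", evaluate(SAMPLE_REQUESTS, normalize_first=True))
```

Decoding recovers the two encoded variants, but nothing recovers the request for /etc/shadow: that is the limit of the approach, and why the anomaly-based method on the next slide exists.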
12
12 Statistical Anomaly
Statistical Anomaly--Based IDSBased IDS
Define and characterize
Define and characterize correct static form and/or acceptable correct static form and/or acceptable dynamic behavior of the system.
dynamic behavior of the system.
When measured activity is outside baseline parameters
When measured activity is outside baseline parameters
or clipping level, IDS will trigger an alert
or clipping level, IDS will trigger an alert
IDS can detect new types of attacks
IDS can detect new types of attacks
Requires much more overhead and processing capacity
Requires much more overhead and processing capacity
than signature
than signature--based based
May generate many false positives
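A minimal anomaly detector over one metric, as an added example that is not part of the original slides. The baseline samples and the labelled live observations (logins per minute on one server) are constructed numbers; the clipping level is mean plus k standard deviations, and the example scores several values of k to show the trade-off the slide describes: a novel attack is caught with no signature, and a legitimate burst becomes a false positive when the level is tight.

```python
import statistics

# Constructed baseline: logins per minute on one server over five normal hours (hypothetical).
BASELINE = [3, 4, 2, 5, 3, 4, 4, 3, 2, 5, 4, 3] * 5

# Constructed live observations, labelled so the result can be scored: (logins_per_minute, is_attack).
LIVE = [
    (4, False),
    (3, False),
    (40, True),    # credential-stuffing burst: no signature exists, only the volume is abnormal
    (12, False),   # shift change: a legitimate burst that a tight clipping level will flag
    (2, False),
]


def build_profile(samples):
    """Learn the baseline: mean and population standard deviation of the metric."""
    return statistics.mean(samples), statistics.pstdev(samples)


def clipping_level(profile, k):
    """Activity above mean + k * stdev is treated as outside the baseline."""
    mean, stdev = profile
    return mean + k * stdev


def detect(profile, observations, k):
    """Alert on every observation above the clipping level.
    Returns (indices_alerted, false_positives, false_negatives)."""
    threshold = clipping_level(profile, k)
    alerted, false_positives, false_negatives = [], 0, 0
    for index, (value, is_attack) in enumerate(observations):
        fired = value > threshold
        if fired:
            alerted.append(index)
        if fired and not is_attack:
            false_positives += 1
        elif is_attack and not fired:
            false_negatives += 1
    return alerted, false_positives, false_negatives


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for k in (1, 3, 10, 40):
        print(f"k={k:2d} threshold={clipping_level(profile, k):6.2f} ->", detect(profile, LIVE, k))
```

With k=3 the attack minute and the shift change both trip the alarm (one false positive); with k=10 only the attack does; with k=40 the attack itself is missed. Tuning the clipping level is the operational cost the slide refers to, and a real profile would also be learned per user or per host rather than from a single global metric.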
Types of IDSs
IDSs operate as
– network-based
– host-based
– application-based
Network-Based IDS (NIDS)
Resides on computer or appliance connected to segment of an organization's network; looks for signs of attacks
When examining packets, a NIDS looks for attack patterns
Installed at specific place in the network where it can watch traffic going into and out of particular network segment
16
16 NIDS Signature Matching
NIDS Signature Matching
To detect an attack, NIDSs look for attack patterns
To detect an attack, NIDSs look for attack patterns
Done by using special implementation of TCP/IP
Done by using special implementation of TCP/IP
stack:
stack: –
–In process of protocol stack verification, NIDSs look for In process of protocol stack verification, NIDSs look for
invalid data packets
invalid data packets
–
–In application protocol verification, higherIn application protocol verification, higher--order protocols order protocols
are examined for unexpected packet behavior or improper
are examined for unexpected packet behavior or improper
use
use
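What protocol stack verification looks like at the byte level, as an added example that is not part of the original slides. The packets are constructed in the example itself (IPv4 and TCP headers packed with `struct`, checksums left zero because nothing is transmitted); the checks are the kind a NIDS stack applies before any signature is consulted: a version or header length that cannot be right, a total length that disagrees with the bytes on the wire, source equal to destination, and TCP flag combinations no real stack sends (SYN together with FIN, or no flags at all).

```python
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"",
                   total_length=None, version=4, ihl_words=5):
    """Construct a bare IPv4+TCP packet for the demonstration. Checksums stay zero:
    the point is to produce structurally valid and invalid packets, not to deliver them."""
    length = total_length if total_length is not None else 40 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            (version << 4) | ihl_words, 0, length, 0x1234, 0, 64, 6, 0,
                            bytes(int(o) for o in src.split(".")),
                            bytes(int(o) for o in dst.split(".")))
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_header + tcp_header + payload


def verify_packet(pkt: bytes) -> list:
    """Return every protocol violation found; an empty list means the packet is well-formed."""
    problems = []
    if len(pkt) < 20:
        return ["truncated: shorter than a minimal IPv4 header"]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        problems.append(f"ip version {version} is not 4")
    if ihl < 20:
        problems.append(f"ip header length {ihl} below minimum 20")
    if total_len != len(pkt):
        problems.append(f"ip total length {total_len} does not match {len(pkt)} bytes on the wire")
    if src == dst:
        problems.append("source address equals destination address (land-style packet)")
    if proto == 6 and ihl >= 20 and len(pkt) >= ihl + 20:
        _, _, _, _, offset_byte, flags, _, _, _ = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
        data_offset = (offset_byte >> 4) * 4
        if data_offset < 20:
            problems.append(f"tcp data offset {data_offset} below minimum 20")
        if flags & TCP_SYN and flags & TCP_FIN:
            problems.append("tcp SYN and FIN set together")
        if flags == 0:
            problems.append("tcp null flags")
    return problems


if __name__ == "__main__":
    samples = {
        "normal SYN": build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, TCP_SYN),
        "SYN+FIN scan": build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, TCP_SYN | TCP_FIN),
        "null scan": build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, 0),
        "land": build_ipv4_tcp("10.0.0.2", "10.0.0.2", 80, 80, TCP_SYN),
        "length lie": build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, TCP_ACK, b"x" * 10, total_length=20),
    }
    for name, pkt in samples.items():
        print(f"{name:14s} {verify_packet(pkt) or 'ok'}")
```

Real sensors add checksum, fragment-offset and option checks on top of these, but the shape is the same: the packet is rejected or flagged for what it is, before any payload pattern is consulted.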
Advantages and Disadvantages of NIDSs
Good network design and placement of NIDS can enable organization to use a few devices to monitor large network
NIDSs are usually passive and can be deployed into existing networks with little disruption to normal network operations
NIDSs not usually susceptible to direct attack and may not be detectable by attackers
Advantages and Disadvantages of NIDSs (continued)
Can become overwhelmed by network volume and fail to recognize attacks
Require access to all traffic to be monitored
– Having problems with certain switches: on a switched segment a sensor sees only the traffic for its own port unless a mirror (SPAN) port or a network tap feeds it the rest
Cannot analyze encrypted packets
Cannot reliably ascertain if attack was successful or not
Some forms of attack are not easily discerned by NIDSs, specifically those involving fragmented packets
Host-Based IDS
Host-based IDS detects when intruder creates, modifies, or deletes key system files or log files
Most HIDSs work on the principle of configuration or change management
Advantage over NIDS: can usually be installed so that it can access information that was encrypted when traveling over network
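The change-management principle in working form, as an added example that is not part of the original slides. It takes a baseline of every file under a directory (SHA-256, size and permission bits), takes a second snapshot later and reports what was created, modified or deleted. The scenario in `demo()` is constructed: a temporary directory stands in for the host's filesystem, and the changes applied to it are the ones the back-door example earlier in the deck describes (a second uid-0 account, a persistence hook, a wiped log).

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Baseline: map each regular file under root to (sha256, size, permission bits)."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            state[os.path.relpath(full, root)] = (hash_file(full), st.st_size, st.st_mode & 0o7777)
    return state


def compare(baseline, current):
    """Change report: files created, modified (content, size or mode) or deleted since the baseline."""
    return {
        "created": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a few key files, then apply an intruder's changes."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        write("etc/ssh/sshd_config", b"PermitRootLogin no\n")
        write("var/log/auth.log", b"Accepted publickey for alice from 192.0.2.10\n")
        baseline = snapshot(root)

        write("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")  # second uid-0 account
        write("etc/cron.d/persist", b"* * * * * root /tmp/.x\n")                       # persistence hook
        os.remove(os.path.join(root, "var/log/auth.log"))                             # log wiped
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline must be stored where the monitored host cannot rewrite it (a read-only medium or a separate server), otherwise an intruder with root simply re-baselines after planting the back door; that is one of the "direct attacks" the disadvantages slide refers to.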
20
20 Advantages of HIDSs
Advantages of HIDSs
Can detect local events on host systems and detect
Can detect local events on host systems and detect
attacks that may elude a network
attacks that may elude a network--based IDSbased IDS
Functions on host system, where encrypted traffic will
Functions on host system, where encrypted traffic will
have been decrypted and is available for processing
have been decrypted and is available for processing
Not affected by use of switched network protocols
Not affected by use of switched network protocols
Can detect inconsistencies in how applications and
Can detect inconsistencies in how applications and
systems programs were used by examining records
systems programs were used by examining records
stored in audit logs
stored in audit logs
21
21 Disadvantages of
Disadvantages of HIDSsHIDSs
Pose more management issues
Pose more management issues
Vulnerable both to direct attacks and attacks against
Vulnerable both to direct attacks and attacks against
host operating system
host operating system
Does not detect multi
Does not detect multi--host scanning, nor scanning of host scanning, nor scanning of
non
non--host network devices host network devices Susceptible to some denial
Susceptible to some denial--ofof--service attacksservice attacks Can use large amounts of disk space
Can use large amounts of disk space
Can inflict a performance overhead on its host systems
Can inflict a performance overhead on its host systems
22
22 Application
Application--Based IDSBased IDS
Application
Application--based IDS (AppIDS) examines application (database based IDS (AppIDS) examines application (database
management systems, content management systems, accounting
management systems, content management systems, accounting
systems, etc ) for abnormal events
systems, etc ) for abnormal events
AppIDS may be configured to intercept requests:
AppIDS may be configured to intercept requests:
–
–File SystemFile System
–
–Network Network
–
–ConfigurationConfiguration
–
–Execution SpaceExecution Space
23
23 Advantages and Disadvantages of AppIDSs
Advantages and Disadvantages of AppIDSs
Advantages
Advantages –
–Aware of specific users; can observe interaction between Aware of specific users; can observe interaction between
application and user
application and user
–
–Able to operate even when incoming data is encryptedAble to operate even when incoming data is encrypted
Disadvantages
Disadvantages –
–More susceptible to attackMore susceptible to attack –
–Less capable of detecting software tamperingLess capable of detecting software tampering
24
24 Log File Monitors
Log File Monitors
Log file monitor (LFM) similar to NIDS
Log file monitor (LFM) similar to NIDS
Reviews log files generated by servers, network devices, and eve
Reviews log files generated by servers, network devices, and even n
other IDSs for patterns and signatures
other IDSs for patterns and signatures
Patterns that signify attack may be much easier to identify when
Patterns that signify attack may be much easier to identify when
entire network and its systems are viewed holistically
entire network and its systems are viewed holistically
Requires allocation of considerable resources since it will invo
Requires allocation of considerable resources since it will involve lve
the collection, movement, storage, and analysis of large
the collection, movement, storage, and analysis of large
quantities of log data
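Why the holistic view matters, as an added example that is not part of the original slides. The sshd-style log lines are constructed (hypothetical hosts and documentation-range addresses); the same lines are scored first the way each host's own monitor would see them and then across all hosts at once. Per host, no address accumulates enough failures to alert; pooled, one address is seen failing against three servers and then logging in successfully.

```python
import re
from collections import defaultdict

# Constructed sample lines in syslog/sshd format, as collected from three servers.
LOG_LINES = """\
Mar  3 10:01:02 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51234 ssh2
Mar  3 10:01:05 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51235 ssh2
Mar  3 10:01:09 web2 sshd[1187]: Failed password for admin from 203.0.113.9 port 51301 ssh2
Mar  3 10:01:11 web2 sshd[1187]: Failed password for invalid user oracle from 203.0.113.9 port 51302 ssh2
Mar  3 10:01:20 db1 sshd[904]: Failed password for root from 203.0.113.9 port 51400 ssh2
Mar  3 10:01:25 db1 sshd[904]: Accepted password for root from 203.0.113.9 port 51401 ssh2
Mar  3 10:02:00 web1 sshd[2230]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:02:30 web1 sshd[2231]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
""".splitlines()

PREFIX = r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+sshd\[\d+\]: "
FAILED = re.compile(PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED = re.compile(PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def per_host_alerts(lines, threshold=5):
    """What each host's own log monitor reports: (host, ip) pairs with >= threshold failures there."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED.match(line)
        if m:
            counts[(m["host"], m["ip"])] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


def holistic_alerts(lines, threshold=5, min_failures=3):
    """The same failures pooled across hosts: an address failing >= threshold times in total
    (with the number of distinct targets), and any success that follows >= min_failures
    failures from the same address, which is the signature of a guessed password."""
    failures = defaultdict(list)          # ip -> list of hosts it failed against, in order
    alerts = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            failures[m["ip"]].append(m["host"])
            continue
        m = ACCEPTED.match(line)
        if m and len(failures.get(m["ip"], [])) >= min_failures:
            alerts.append(("success-after-failures", m["ip"], m["host"], m["user"], len(failures[m["ip"]])))
    for ip, hosts in failures.items():
        if len(hosts) >= threshold:
            alerts.append(("distributed-brute-force", ip, len(set(hosts)), len(hosts)))
    return alerts


if __name__ == "__main__":
    print("per host :", per_host_alerts(LOG_LINES))
    print("holistic :", holistic_alerts(LOG_LINES))
```

The single failed password from 198.51.100.4 followed by a key login is the noise case from the terminology slide: accurate, but not worth an alert, which is why the success rule requires several prior failures.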
25
25 Deploying Network
Deploying Network--Based IDSsBased IDSs
NIST recommends four locations for NIDS
NIST recommends four locations for NIDS
sensors
sensors
––Location 1: behind each external firewall, in the Location 1: behind each external firewall, in the network DMZ
network DMZ
–
–Location 2: outside an external firewallLocation 2: outside an external firewall –
–Location 3: On major network backbonesLocation 3: On major network backbones –
–Location 4: On critical subnetsLocation 4: On critical subnets
Deploying Host-Based IDSs
Proper implementation of HIDSs can be painstaking and time-consuming task
Deployment begins with implementing most critical systems first
Installation continues until either all systems are installed, or the organization reaches planned degree of coverage it is willing to live with
Active Intrusion Prevention
Some organizations implement active countermeasures to stop attacks
LaBrea: takes up unused IP address space, answering connection attempts to those addresses and holding them open (a "tarpit") so that scans and self-propagating worms are slowed down and exposed
Learn From Attackers
Scanning and Analysis Tools
Typically used to collect information that attacker would need to launch successful attack
Attack protocol is series of steps or processes used by an attacker, in a logical sequence, to launch attack against a target system or network
Footprinting: first step of attack; find out the IP addresses of the target organization
– Web reconnaissance: samspade.org
– Whois information: whois.net
Scanning and Analysis Tools (continued)
Fingerprinting: systematic survey of all of target organization's Internet addresses collected during the footprinting phase
Fingerprinting reveals useful information about internal structure and operational nature of target system or network for anticipated attack
These tools are valuable to network defender since they can quickly pinpoint the parts of the systems or network that need a prompt repair to close the vulnerability
Port Scanners
Tools used by both attackers and defenders to identify computers active on a network, and other useful information
Can scan for specific types of computers, protocols, or resources, or their scans can be generic
The more specific the scanner is, the better it can give attackers and defenders useful information
Example software: nmap
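The simplest scan nmap performs, a TCP connect scan, as an added example that is not part of the original slides or of nmap. To keep it self-contained and lawful to run, the target is constructed inside the example: a loopback listener on an ephemeral port that answers with a made-up banner. The scanner probes a window of ports around it in parallel, reports which are open, and then reads the banner from each open port, which is the data fingerprinting builds on.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """TCP connect scan of one port: a completed handshake means a listener exists. Returns (port, is_open)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:            # refused, timed out, unreachable: all reported as not open
            return port, False
        return port, True


def grab_banner(host, port, timeout=0.5):
    """Read whatever the service volunteers on connect; version strings here feed fingerprinting."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return s.recv(256).decode("ascii", errors="replace").strip()
        except OSError:
            return ""


def scan(host, ports, workers=64):
    """Connect-scan a set of ports in parallel and return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return sorted(port for port, is_open in results if is_open)


def start_listener(banner):
    """Constructed target: a loopback listener on an ephemeral port that greets each client
    with the given banner and hangs up, standing in for a real network service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(32)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Scan a 41-port window around the constructed listener. Returns (listener_port, open_ports, banners)."""
    srv, port = start_listener(b"SSH-2.0-ConstructedExample_0.1\r\n")   # made-up banner, not a real product
    try:
        open_ports = scan("127.0.0.1", range(port - 20, port + 21))
        banners = {p: grab_banner("127.0.0.1", p) for p in open_ports}
        return port, open_ports, banners
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)   # wakes the accept() loop so the thread exits
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    listener, found, banners = demo()
    print(f"listener on {listener}/tcp; open ports in window: {found}")
    for p, b in banners.items():
        print(f"  {p}/tcp  {b!r}")
```

A connect scan completes the handshake, so every probe lands in the target's logs and in any NIDS on the path; that is exactly the "preamble to attack" an IDS is meant to detect, and the reason attackers prefer half-open (SYN) scans, which need raw sockets and privileges this example avoids.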
Firewall Analysis Tools
Several tools automate remote discovery of firewall rules and assist the administrator in analyzing the rules
Although mostly designed to facilitate the network administrator's work, they can be used by attackers
Operating System Detection Tools
Detecting a target computer's operating system (OS) very valuable to an attacker
There are many tools that use networking protocols to determine a remote computer's OS
– RemOS
– XProbe
Vulnerability Scanners
Active vulnerability scanners scan networks for highly detailed information; initiate traffic to determine holes
Passive vulnerability scanners listen in on network and determine vulnerable versions of both server and client software
Passive vulnerability scanners have ability to find client-side vulnerabilities typically not found by active scanners
Attack Toolkit
Packet Sniffers
Network tool that collects copies of packets from network and analyzes them
Can provide network administrator with valuable information for diagnosing and resolving networking issues
In the wrong hands, a sniffer can be used to eavesdrop on network traffic
To use packet sniffer legally, administrator must
– be on network that organization owns
– be under direct authorization of owners of network
– have knowledge and consent of the content creators