IDS / IPS
An introduction to intrusion detection and intrusion prevention systems
James E. Thiel January 14, 2005
S.W.A.T. Drexel University
Overview
• Intrusion Detection
  • Purpose
  • Types
  • Detection Methods
  • Output
  • Examples
  • Limitations
• Intrusion Prevention
  • Purpose
  • Types
  • Examples
  • Risks
• Conclusions
Intrusions
• “Any set of actions that attempts to undermine the integrity, confidentiality, or availability of a resource” (R. Heady et al.)
  • Port scans
  • Worms
  • Application exploits (buffer overflow)
  • Denial of Service
• Becoming increasingly subtle
Intrusion Detection
• An intrusion detection system (IDS) performs three actions:
  • Obtain audit data from the monitored system
    • Network traffic
    • System logs
    • System properties (load average, file use, login times, etc.)
  • Analyze the data, searching for evidence of attack
  • Report any attack evidence to a human operator (‘alert’)
• Works in real time
• Typically identified by the system monitored
  • Individual host
  • Network
IDS Effectiveness
• Accuracy: concerns how often an IDS reports an alert when no attack has occurred
  • Known as a false positive (false alarm)
• Completeness: concerns how often an IDS fails to report an alert when an attack has occurred
  • Known as a false negative (missed detection)
• Performance: rate at which an IDS can analyze audit data
• Timeliness: rate at which an IDS can raise an alarm once it has the evidence
Network Intrusion Detection
• A network-based IDS (NIDS) is configured to monitor a subnet
  • A dedicated IDS machine sniffs network traffic near a central routing device (hub, SPAN port)
• Pros:
  • Does not affect network performance
  • Can be hidden (the sniffing interface needs no IP address)
• Cons:
  • Weak against denial of service attacks
  • Single point of failure
[Diagram: Internet, firewall, hub; the NIDS sniffs traffic at the hub]
Host Intrusion Detection
• A host-based IDS (HIDS) is configured to monitor a single host machine (server, terminal, firewall, etc.)
  • Can monitor either incoming network traffic or operations on the host
  • Runs as a process on the host
• Pros:
  • Monitors for intrusions that only apply to that host
• Cons:
  • Uses resources of the monitored system
  • Requires a specific HIDS for each specific system
[Diagram: Internet, firewall, hub; several hosts, each running its own HIDS]
Distributed Intrusion Detection
• A distributed IDS (DIDS) uses NIDS or HIDS or both as sensors
  • All analysis results are sent to a central management station
  • Also known as a hybrid IDS
• Pros:
  • Widest in range
  • Sensors can share and coordinate results
• Cons:
  • Results from sensors are sent across the [potentially compromised] network
  • Results from sensors may not be sent if the network is flooded
[Diagram: Internet, firewall, hub; hosts running HIDS plus a NIDS, all reporting to the central station]
Detection Method Types
• Known Good: desired/expected behavior is defined; raise alarm at anything else
  • Pros:
    • Low chance of missing intrusions
    • Strong against new vulnerabilities
  • Cons:
    • Extensive; lots of work to implement
    • High chance of false alarms
• Known Bad: undesired behavior is defined; raise alarm when it is seen
  • Pros:
    • Less work (potentially)
    • Low chance of false alarms
  • Cons:
    • High chance of missed intrusions
    • Weak against new vulnerabilities
Detection Methods
• Terminology varies among the different fields using IDS
  • Researchers use abstract, general classifications
  • IDS developers use concrete classifications
  • System administrators use only the classifications that apply to their system
• Anywhere between two and five detection methods
  • Rule-based (signature) detection
  • Protocol analysis
  • Anomaly detection
  • Specification-based detection
  • Policy-based detection
Rule-based Detection
• IDS has a database of pattern descriptions (rules) that indicate an attack
• Alarm is raised if a pattern (signature) is detected in the audit data
  • Example: raise alarm if a TCP packet contains a GET request for 'passwd.txt'
• Pros:
  • Fast (given a small rule set)
  • Rules are customizable and easy to write
  • Easily identifies the intrusion
• Cons:
  • Weak against newly discovered vulnerabilities, and against variants of known ones that dodge the exact pattern (e.g. URL-encoded requests)
  • Requires constant updating to be effective
Protocol Analysis
• IDS contains protocol rules for the system
• Alarm is raised for violations of the protocol in the audit data
  • Example: raise alarm if the response to a TCP connection setup (SYN) is anything other than an RST/ACK or SYN/ACK packet
• Pros:
  • More flexible than rule-based; can detect new types of intrusions
• Cons:
  • Assumes that all applications adhere to protocol standards
  • Extensive and difficult to write
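The handshake rule above, as an added example written for this page (it is not code from the slides or from any IDS). It keeps per-flow state so that a reply is only judged when a SYN is actually outstanding; the packet tuples are constructed sample data, and a real NIDS would additionally key flows on ports and check sequence numbers.

```python
# Added example (not from the original slides): a minimal stateful check for
# the handshake rule on this slide. For each client->server flow it remembers
# that a SYN was seen and requires the server's first reply to be SYN/ACK or
# RST/ACK; anything else is reported as a protocol violation. The packet
# tuples are constructed sample data; a real NIDS would also key flows on
# ports and check sequence numbers.
from typing import Dict, FrozenSet, List, Tuple

Packet = Tuple[str, str, FrozenSet[str]]  # (src, dst, TCP flag names)

SYN = frozenset({"SYN"})
ACCEPTABLE_REPLIES = (frozenset({"SYN", "ACK"}), frozenset({"RST", "ACK"}))


def check_handshakes(packets: List[Packet]) -> List[str]:
    """Return one alert string per handshake reply that violates the protocol rule."""
    awaiting_reply: Dict[Tuple[str, str], bool] = {}  # (client, server) -> SYN outstanding
    alerts: List[str] = []
    for src, dst, flags in packets:
        if flags == SYN:
            awaiting_reply[(src, dst)] = True  # client opened (or re-opened) a flow
            continue
        client_server = (dst, src)  # a reply travels server -> client
        if awaiting_reply.pop(client_server, False):
            if flags not in ACCEPTABLE_REPLIES:
                alerts.append(
                    f"protocol violation: {src} answered SYN from {dst} "
                    f"with {'/'.join(sorted(flags))}"
                )
        # any other packet is outside this rule's scope (data, teardown, unrelated flows)
    return alerts


# Constructed sample traffic: two valid handshakes, then two violations.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", "10.0.0.80", frozenset({"SYN"})),
    ("10.0.0.80", "10.0.0.5", frozenset({"SYN", "ACK"})),   # normal open
    ("10.0.0.5", "10.0.0.80", frozenset({"ACK"})),
    ("10.0.0.6", "10.0.0.80", frozenset({"SYN"})),
    ("10.0.0.80", "10.0.0.6", frozenset({"RST", "ACK"})),   # closed port, still valid
    ("10.0.0.7", "10.0.0.80", frozenset({"SYN"})),
    ("10.0.0.80", "10.0.0.7", frozenset({"ACK"})),          # bare ACK to a SYN
    ("10.0.0.8", "10.0.0.80", frozenset({"SYN"})),
    ("10.0.0.80", "10.0.0.8", frozenset({"PSH", "ACK"})),   # data before the handshake
]

if __name__ == "__main__":
    for alert in check_handshakes(SAMPLE_PACKETS):
        print(alert)
```

The state table is what makes this protocol analysis rather than a signature: a bare ACK from the server is harmless on an established flow and only a violation when it answers a SYN, so the same packet is judged differently depending on what came before it. It also shows the slide's first con: a host whose stack deviates from the standard (or a deliberately split handshake) will trip the rule without any attack being present.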
Anomaly Detection
• IDS 'learns' properties of the system in its normal operating state (profiling)
• Alarm is raised if the system deviates from its normal state
  • Example: raise alarm if network traffic volume is higher than a certain value at a specific time
• Pros:
  • Customizable to system
  • More flexible than rule-based; can detect new types of intrusions
  • Low chance of missing an intrusion
• Cons:
  • Requires a complete profile of system behavior (an attack under way during profiling becomes part of 'normal')
  • High chance of false alarms
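The traffic-volume example above, as an added example written for this page (not code from the slides or from any product). The profile is a per-hour mean and standard deviation learned from a training window; the traffic figures, the threshold K and the minimum sample count are all constructed assumptions.

```python
# Added example (not from the original slides): a volume-profile anomaly
# detector matching the slide's example. The profile is the mean and standard
# deviation of traffic volume for each hour of the day, learned from a
# training window; later observations more than K standard deviations above
# the mean raise an alarm. All traffic figures are constructed sample data.
import statistics
from typing import Dict, List, Tuple

K = 3.0          # alarm threshold in standard deviations (assumption)
MIN_SAMPLES = 3  # hours seen fewer times than this get no profile (assumption)

Profile = Dict[int, Tuple[float, float]]  # hour of day -> (mean MB, stddev MB)


def build_profile(training: List[Tuple[int, int]]) -> Profile:
    """training holds (hour_of_day, megabytes) pairs observed during normal operation."""
    by_hour: Dict[int, List[int]] = {}
    for hour, mb in training:
        by_hour.setdefault(hour, []).append(mb)
    profile: Profile = {}
    for hour, values in by_hour.items():
        if len(values) < MIN_SAMPLES:
            continue  # incomplete profile: leave the hour undefined rather than guess
        mean = statistics.fmean(values)
        # floor the spread so a perfectly flat history does not turn every change into an alarm
        stddev = max(statistics.pstdev(values), 0.05 * mean, 1.0)
        profile[hour] = (mean, stddev)
    return profile


def detect(profile: Profile, observations: List[Tuple[int, int]]) -> List[str]:
    """Return an alert string for every observation that deviates from the learned profile."""
    alerts: List[str] = []
    for hour, mb in observations:
        if hour not in profile:
            # the slide's con in practice: without a profile the IDS cannot judge this hour
            alerts.append(f"hour {hour:02d}: {mb} MB, no profile for this hour")
            continue
        mean, stddev = profile[hour]
        score = (mb - mean) / stddev
        if score > K:
            alerts.append(f"hour {hour:02d}: {mb} MB is {score:.1f} sigma above the {mean:.0f} MB profile")
    return alerts


# Constructed training data: five quiet nights, five busy afternoons, and an
# hour (23) that was only observed twice.
TRAINING = [(2, 9), (2, 11), (2, 10), (2, 12), (2, 8),
            (14, 190), (14, 210), (14, 205), (14, 195), (14, 200),
            (23, 50), (23, 60)]

# Constructed observations: normal, a night-time burst, a busy-but-normal
# afternoon, a flood, and an hour the profile never learned.
OBSERVATIONS = [(2, 11), (2, 80), (14, 226), (14, 400), (23, 55)]

if __name__ == "__main__":
    for alert in detect(build_profile(TRAINING), OBSERVATIONS):
        print(alert)
```

The 226 MB afternoon is 2.6 sigma above its profile and stays quiet, while 80 MB at 02:00 is flagged because the night-time baseline is tight; the threshold K is the knob that trades the slide's two cons (missed attacks against false alarms), and the unprofiled hour shows why an incomplete profile is a problem in its own right.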
Specification-based Detection
• IDS is given a defined description (specification) of the normal system state
• Alarm is raised if the system deviates from the specification
  • Example: raise alarm if CPU load on a host goes higher than the value in the specification
• Pros:
  • Customizable to system
  • More flexible than rule-based; can detect new types of intrusions
  • Low chance of missing an intrusion
• Cons:
  • Requires a syntax for describing the system
  • Requires complete knowledge of system behavior
  • High chance of false alarms
Policy-based Detection
• IDS has a list of predefined acceptable actions (policy)
• Alarm is raised if the policy is violated
  • Example: raise alarm if a GET request to a specific HTTP server is for any file other than those users are allowed to view
• Pros:
  • Customizable to system
  • More flexible than rule-based; can detect new types of intrusions
• Cons:
  • Requires a complete policy for the system
  • Must be updated whenever the policy changes
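The two HTTP examples on these slides (the rule-based passwd.txt signature and the policy of allowed files) side by side, as an added example written for this page; it is not code from the slides or from Snort, and the request lines, server name and allowed-path policy are constructed. It also puts numbers on the Known Good / Known Bad tradeoff and on the accuracy and completeness terms from the effectiveness slide, by counting each detector's false positives and false negatives over requests labelled with ground truth.

```python
# Added example (not from the original slides): the same constructed HTTP
# requests checked two ways. The "known bad" detector holds Snort-style
# content signatures (the slide's passwd.txt rule); the "known good" detector
# holds a per-server policy of the paths users may GET. Each request carries a
# ground-truth label so the two approaches' false positives (accuracy) and
# false negatives (completeness) can be compared.
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote

Request = Tuple[str, str, bool]  # (server, request line, is_attack); constructed data

SAMPLE_REQUESTS: List[Request] = [
    ("www", "GET /index.html HTTP/1.0", False),
    ("www", "GET /images/logo.gif HTTP/1.0", False),
    ("www", "GET /passwd.txt HTTP/1.0", True),        # exactly what the signature describes
    ("www", "GET /%70asswd.txt HTTP/1.0", True),      # URL-encoded 'p': evades the signature
    ("www", "GET /../../etc/shadow HTTP/1.0", True),  # new attack: no signature written for it
    ("www", "GET /news.html HTTP/1.0", False),        # new legitimate page not yet in the policy
]

# --- Known bad: rule-based (signature) detection ---------------------------
# For orientation only, roughly the slide's rule in Snort syntax:
#   alert tcp any any -> $HOME_NET 80 (msg:"passwd.txt request"; content:"GET"; content:"passwd.txt"; sid:1000001;)
SIGNATURES: List[Tuple[str, List[str]]] = [
    ("passwd.txt request", ["GET", "passwd.txt"]),
]


def signature_match(request_line: str) -> List[str]:
    """Names of all signatures whose content strings all occur verbatim in the request."""
    return [name for name, patterns in SIGNATURES if all(p in request_line for p in patterns)]


# --- Known good: policy-based detection ------------------------------------
POLICY: Dict[str, Set[str]] = {"www": {"/index.html", "/images/logo.gif"}}  # assumed allowed paths


def policy_violation(server: str, request_line: str) -> bool:
    """True if the request is a GET for a path outside the server's allowed set."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return False
    path = unquote(parts[1])  # normalise so /%70asswd.txt and /passwd.txt compare equal
    return path not in POLICY.get(server, set())


def evaluate(requests: List[Request]) -> Dict[str, Dict[str, int]]:
    """Count false positives and false negatives of each detector over labelled requests."""
    counts = {"signature": {"fp": 0, "fn": 0}, "policy": {"fp": 0, "fn": 0}}
    for server, line, is_attack in requests:
        verdicts = {"signature": bool(signature_match(line)),
                    "policy": policy_violation(server, line)}
        for name, alerted in verdicts.items():
            if alerted and not is_attack:
                counts[name]["fp"] += 1
            if not alerted and is_attack:
                counts[name]["fn"] += 1
    return counts


if __name__ == "__main__":
    for server, line, is_attack in SAMPLE_REQUESTS:
        print(f"{line!r:38} attack={is_attack} signature={bool(signature_match(line))} "
              f"policy={policy_violation(server, line)}")
    print(evaluate(SAMPLE_REQUESTS))
```

Over these six requests the signature never false-alarms but misses both the encoded variant and the unknown attack (two false negatives), while the policy catches all three attacks and instead flags the new legitimate page (one false positive) until someone updates the policy. That is the Known Bad / Known Good tradeoff from the earlier slide in miniature, and the `unquote` call is the kind of normalisation a signature would also need to avoid the encoding evasion.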
Output
• Contact administrator directly
  • Email
  • Page
• Record to data file
  • Text file
  • System log
  • Binary packet log (tcpdump)
• Record to database
IDS Examples
• NIDS
  • Snort: lightweight rule-based packet sniffer with limited protocol analysis and anomaly detection
  • Bro: heavyweight rule-based and policy-based packet sniffer
• HIDS
  • PortSentry: port scan detector
  • LogSentry: log analyzer
  • Tripwire: file integrity monitor
  • Rkdet: rootkit detector
• DIDS
  • Prelude: rule-based packet sniffer, log analyzer, buffer overflow detection
  • Osiris: file integrity monitor
Limitations
• Must be kept up to date (signatures, protocols, etc.)
• Assumes a compromised network will still be able to deliver the alarm
• Accuracy and completeness depend largely on fine-tuning of the IDS by the administrator
• Often weak against denial of service attacks
Intrusion Prevention
• Many network intrusions take little time to execute
  • Worms
  • Backdoor exploits
• An IDS often does not give an administrator enough time to respond before the intrusion has damaged the system
• An Intrusion Prevention System (IPS) is designed to identify potential attacks and autonomously execute countermeasures to inhibit them, without affecting normal system operation
IPS Types
• Typically network-based (NIPS); analyzes network traffic for exploits
• Several different types of countermeasures
  • Session sniping
  • Packet filtering
  • Packet scrubbing
  • IP blocking
  • Deception
• Host-based IPS (HIPS) also exists; prevents malicious actions on the operating system
Session Sniping
• The IPS closes a network session involving a host that has sent malicious traffic
  • TCP RST for TCP sessions
  • ICMP Host/Network/Port Unreachable for UDP traffic
• Pros:
  • Easy to implement and use
• Cons:
  • Can be prevented by the attacker through various means (the forged RST must carry an in-window sequence number and arrive before the attacker's next segment)
• Examples:
  • iptables (Linux firewall) can REJECT traffic from a given host using this method
  • Snort has a ‘flexible response’ option, which allows it to send resets when a rule is
Packet Filtering
• The IPS drops traffic that contains malicious information
• Pros:
  • Removes malicious traffic from the network
• Cons:
  • Possibility of removing legitimate traffic
• Examples:
  • Hogwash drops traffic when a rule is triggered
  • Latest version of Snort has an ‘inline’ feature that allows it to drop traffic when a
Packet Filtering Implementation
• Usually implemented as an inline NIDS
  • NIDS positioned inline on the network; acts as a bridge between subnets
  • NIDS redesigned to drop malicious traffic
  • Disruption of the inline NIDS will disrupt the network
• Also deployed as ‘smart’ switches
[Diagram: Internet, firewall, inline NIDS bridging to the hub]
Packet Scrubbing
• The IPS replaces malicious packet content with benign content
• Pros:
  • Does not reveal to the attacker that the IPS detected the intrusion
• Cons:
  • Only works if the intrusion involves malicious packet content
  • Replacement must keep the packet length unchanged, or TCP sequence numbering breaks
• Example:
  • Snort has a ‘replace’ option that changes the malicious content to user-defined
IP Blocking
• The IPS changes the settings on a local firewall, causing it to block traffic from the malicious host
• Pros:
  • Effectively removes the attacker from the network
• Cons:
  • Possibility of blocking legitimate hosts (an attacker who can spoof a source address can get that address blocked)
• Example:
  • SnortSAM firewall agent receives information from Snort rules and changes
Deception
• The IPS sends traffic to the attacker indicating that the attack against a host succeeded, or that the connection to the host is no longer available
• Usually a dedicated host (a ‘honeypot’) on the network purposely exhibits vulnerabilities, drawing the attacker away from the rest of the network
• Can also fake service applications on the hosts
• Pros:
  • Attacker proceeds with the attack; obtain information about the attack and the attacker
• Cons:
  • Attacker is still on the network; may be able to launch attacks on other hosts
  • Possible legal implications
• Examples:
  • The Deception Toolkit (DTK) simulates services on a host
  • honeyd creates virtual hosts for the attacker to attack
IPS Examples
• Packet filtering
  • Hogwash: drops packets that trigger rules
  • Snort_Inline: drops packets that trigger rules
  • FWSnort: converts Snort rules to iptables rules
• IP blocking
  • SnortSAM: blocks IP addresses based on Snort alerts
  • PortSentry: can automatically block IP addresses that run port scans
• Deception
  • DTK: simulates services on a host
Risks
• Attacker may obtain information from the countermeasure taken
  • Existence of an IPS on the network
  • Type of IPS
  • Operating system of the host running the IPS
• Attack may still succeed if there is sufficient delay between detection of the attack and deployment of the countermeasure
• If the IPS blocks IP addresses or traffic, an attacker may manipulate traffic (e.g. spoof the source address of a trusted host) so that the IPS itself cuts off communication between hosts or between networks
• Should only be used against attacks with certain characteristics (P. Proctor):
  • The attack is rare
  • The attack is catastrophic
  • The attack cannot be spoofed (to cause another attack)
  • The attack is positively identifiable as misuse
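The IP-blocking countermeasure from the earlier slide, with the safeguards this risks slide calls for, as an added example written for this page. It is not SnortSAM's code; it shows the decision logic an IDS-driven firewall agent needs before it touches iptables. The alert lines follow the layout of Snort's alert_fast output but are constructed, and the protected networks, approved rule SIDs and addresses are assumptions.

```python
# Added example (not from the original slides, and not SnortSAM's own code):
# the decision logic an IDS-driven IP-blocking responder needs before it
# touches the firewall. It parses alert lines in Snort's alert_fast layout
# (the lines here are constructed), responds only to rule SIDs an operator
# has approved as positively identifiable, refuses to block addresses inside
# protected networks, and deduplicates so one attacker yields one rule. The
# networks, SIDs and addresses are assumptions made for the example.
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Only TCP payload signatures are approved: they fire after a completed
# handshake, so the source address cannot be blindly spoofed. (assumption)
RESPOND_SIDS = {1000001}

# Addresses that must never be blocked whatever the alert says: our own
# subnets, gateways and resolvers. (assumption)
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Extract gid/sid/rev, message, protocol and addresses from one alert line, or None."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def plan_blocks(alert_lines: List[str]) -> List[str]:
    """Return the iptables commands the responder would run, in alert order, without running them."""
    commands: List[str] = []
    seen = set()
    for line in alert_lines:
        alert = parse_alert(line)
        if alert is None or int(alert["sid"]) not in RESPOND_SIDS:
            continue  # unparseable, or a rule not approved for automatic response
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in NEVER_BLOCK):
            continue  # a spoofed or misfiring alert must not cut off our own hosts
        if src in seen:
            continue  # one attacker, one rule
        seen.add(src)
        commands.append(f"iptables -I INPUT -s {src} -j DROP")
    return commands


def apply_blocks(commands: List[str], dry_run: bool = True) -> None:
    """Run the planned commands; the default dry_run only prints them."""
    for cmd in commands:
        if dry_run:
            print("would run:", cmd)
        else:
            subprocess.run(cmd.split(), check=True)


# Constructed alert lines in Snort 2.x alert_fast layout; no real traffic behind them.
SAMPLE_ALERTS = [
    "01/14-12:00:01.000001  [**] [1:1000001:1] passwd.txt request [**] [Priority: 2] {TCP} 203.0.113.7:40231 -> 10.0.0.80:80",
    "01/14-12:00:02.000002  [**] [1:1000001:1] passwd.txt request [**] [Priority: 2] {TCP} 10.0.0.1:1025 -> 10.0.0.80:80",
    "01/14-12:00:03.000003  [**] [1:2000001:1] UDP traffic anomaly [**] [Priority: 3] {UDP} 198.51.100.9:53 -> 10.0.0.80:1234",
    "01/14-12:00:04.000004  [**] [1:1000001:1] passwd.txt request [**] [Priority: 2] {TCP} 203.0.113.7:40232 -> 10.0.0.80:80",
]

if __name__ == "__main__":
    apply_blocks(plan_blocks(SAMPLE_ALERTS))
```

Of the four alerts only one block results: the second alert names the internal gateway (a likely spoof or misfire, exactly the risk described above), the third is a UDP rule whose source address is trivially forged and so is not on the approved list, and the fourth repeats the first. The approved-SID set is where Proctor's criteria become configuration: a rule earns automatic response only if its hit is positively identifiable and cannot be spoofed into being.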
Experiences with Snort
• Pros:
  • Rule syntax is simple
  • Easy to configure
  • Multiple output formats
  • Multiple IPS features
  • Large amount of documentation
• Cons:
  • Difficult to write rules for binary data (applications, compressed files)
  • Stateful inspection of network traffic is limited
Conclusions
• Intrusions are becoming increasingly fast and difficult to detect by traditional methods.
• An Intrusion Detection System searches system data for signs of attack and reports the results to an administrator.
• An IDS is defined by the system it monitors (host or network) and by its detection method. Several different detection methods exist, which either detect intrusive data or recognize legitimate data.
• An Intrusion Prevention System searches system data for signs of attack and autonomously activates countermeasures. It is the ‘next step’ beyond IDS, which reports intrusions but does not stop them.
• Several different network-based countermeasures exist, which either disable malicious traffic or disable the attacker.