Communication Security I-7263a
Intrusion Detection Systems

Intrusion Detection Systems: Overview
● IDS
  - Acronyms & Definition
  - Components
  - Recognition & Response
  - Security
  - Interoperability & Cooperation
● HIDS
  - Summary & Software
● NIDS
  - Summary & Software

Intrusion Detection Systems: Acronyms
● IDS => Intrusion Detection System
  - HIDS => Host based IDS
  - NIDS => Network based IDS
● IPS => Intrusion Prevention System
● (IRS => Intrusion Response System)

Intrusion Detection Systems: Definition
● An IDS is a system used for active monitoring of computer systems and networks to detect, or even react to (prevent), attacks and abuse.
● It should be seen as an integrated process supported by various technical tools, not just the tools themselves.

Intrusion Detection Systems: Components
● Network based Sensors
  They monitor and analyze the traffic of a system or a network segment. Normally a dedicated system is used for this task. In recent years these systems have been integrated into the network devices themselves (extension board or system slot, wired internally).

Advantages of network sensors are that it is possible to install them in an "invisible" way, which makes them very resistant to detection and/or attacks. They do not add load to the systems they monitor (protect), and distributed attacks can be detected, contrary to host based sensors.
There are several problems that network sensors have to cope with. The growth of network bandwidth cannot be matched by faster sensors. Nowadays sensors can easily cope with 100 MBit links, but in a Gigabit (or faster) network with high packet rates it gets very difficult to deploy sensors capable of monitoring all the link traffic. Compared to a network device that only has to read the packet header and then decide what to do with the packet, a sensor has to process (depending on configuration) the entire packet. Normally this is done by comparing against multiple signatures and thus requires a lot of performance and resources.
The biggest problem of network sensors though is encrypted traffic.
Attack examples:
- DDoS
- SYN flood
- malicious URL (overlong, special characters, ...)
- port scans

Intrusion Detection Systems: Components
● Host based Sensors
  They are installed on the monitored systems themselves and are able to detect attacks directed at operating systems and services.

Host based sensors have to be installed on every system to be monitored. They have to match the installed OS and its applications and are normally visible to the system and its users.
Host based sensors are used to detect / check:
- File integrity
- File and application access
- Login failures
- Access violations
- Suspicious behaviour (user)
- Configuration changes
- Host specific network traffic (even encrypted traffic, with application support)
A host based sensor has to be programmed specifically for its purpose. It has a performance impact on the host and consumes bandwidth to report its findings.

Intrusion Detection Systems: Components
● Database components
  Sensors generate a huge amount of data over a "long" timespan that has to be stored somewhere. Small datasets can be stored in files, larger ones are stored in databases. Databases offer higher performance for event access, aggregation and analysis.

Intrusion Detection Systems: Components
● Management components
  The management station (>= 1) is used to configure and calibrate the IDS. Sometimes it is combined with the analysis station, or a sensor has its own management already integrated.

Normally a management station is used to complete the following tasks:
- Add/remove components (sensors, DBs, analysis and management stations)
- Management of the monitored objects
- Logical grouping and preprocessing configuration
- IDS policy: creation, management, assignment, deployment

Intrusion Detection Systems: Components
● Analysis components
  An analysis station has tools to display and analyze IDS events & alarms. It represents the "intelligent" part of an IDS and is used to generate reports. (Command line, web GUI, specific IDS GUI)

An analysis station is used to detect and analyze IDS events:
- Display IDS events
- Sorting & classification of IDS events
- Correlation of IDS events
- Alarming
- Reaction proposal or actual reaction
- Store preprocessed data & results for further use
- Report generation

Intrusion Detection Systems: Components
● Communication components
  Communication between IDS components uses different protocols and differs in terms of data volume and behavior. The channels used should provide sufficient bandwidth and security.

Data flows between the components:
- Sensors -> Databases: events, alarms
- Sensors -> Management station: heartbeat, status
- Management station -> Databases: status, configuration
- Management station -> IDS components: configuration, policy, status, reaction commands
- Management station -> Analysis station: alerts
- Analysis station -> Databases: events

Intrusion Detection Systems: Attack recognition
● Pattern recognition
  – known attack detection (pattern comparison)
● Anomaly detection
  – protocol analysis
  – statistical data comparison
  – artificial intelligence
  – honeypots
  – topology change
● Aggregation & Correlation

Pattern recognition and protocol analysis are the methods mostly used in today's IDS. More advanced methods using AI or honeypots are only used in prototypes or in a scientific / educational environment.
Pattern recognition examples:
- Byte sequence, e.g. 00 45 af 1e
- SYN requests on different ports in sequence
- x login attempts in y minutes
A huge number of patterns and their variations is needed to detect known attacks. It is possible to write more general and thus fewer signatures, but this tends to increase the number of false positives.
Protocol analysis tries to detect any abnormal use of a defined protocol; an example is non-random content in an ICMP message. This method is quite successful but very performance intensive.
Statistical data comparison uses recorded "behavior" data as a reference value and compares actual "behavior" against it. Examples: an abnormally high data flow during nighttime from system a to system b, or a user x accessing services b, c, d never used before.
The huge amount of data produced by sensors is normally pre-aggregated to condense the useful information into the smallest possible size. 65535 port scan events on a host are aggregated into one event.
Correlation is an intelligent "merge" of events from various sensors into an IDS alert. As an example, NIDS: multiple session initiation attempts on an SSH service, and HIDS: 50 login failures on the SSH server in 5 minutes, are correlated into an SSH service attack.
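The aggregation and correlation steps described above, as an added example that is not part of the original slides: constructed NIDS and HIDS events for one host are first condensed per time window, then a "many SSH session initiations" NIDS event and a "many login failures" HIDS event for the same source/destination pair are merged into one alert. Event tuples, thresholds and the alert name are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor events, not real captures: (timestamp, sensor, kind, src, dst).
T0 = datetime(2024, 1, 1, 2, 0, 0)
EVENTS = (
    # NIDS: 30 TCP session initiations to the SSH service of 10.0.0.20 within one minute
    [(T0 + timedelta(seconds=s), "nids", "ssh_connect", "10.0.0.5", "10.0.0.20") for s in range(0, 60, 2)]
    # HIDS on 10.0.0.20: 60 login failures from the same source in the same minute
    + [(T0 + timedelta(seconds=s), "hids", "login_failure", "10.0.0.5", "10.0.0.20") for s in range(60)]
    # one stray login failure an hour later: same key, but outside the aggregation window
    + [(T0 + timedelta(hours=1), "hids", "login_failure", "10.0.0.5", "10.0.0.20")]
)

def aggregate(events, window=timedelta(minutes=5)):
    """Pre-aggregation: events with the same sensor, kind and (src, dst) that fall
    into one time window are condensed into a single event carrying a count
    (the slide's "65535 port scan events become one event")."""
    buckets = defaultdict(list)
    for ts, sensor, kind, src, dst in events:
        buckets[(sensor, kind, src, dst)].append(ts)
    condensed = []
    for (sensor, kind, src, dst), stamps in buckets.items():
        stamps.sort()
        start, count = stamps[0], 0
        for ts in stamps:
            if ts - start > window:  # window exhausted: emit the bucket and open a new one
                condensed.append(dict(sensor=sensor, kind=kind, src=src, dst=dst, first=start, count=count))
                start, count = ts, 0
            count += 1
        condensed.append(dict(sensor=sensor, kind=kind, src=src, dst=dst, first=start, count=count))
    return condensed

def correlate(condensed, connects=10, failures=50):
    """Correlation: a NIDS 'many SSH session initiations' event and a HIDS
    'many login failures' event for the same (src, dst) become one alert;
    either event alone stays an event and never becomes an alert."""
    nids = {(e["src"], e["dst"]): e for e in condensed
            if e["sensor"] == "nids" and e["kind"] == "ssh_connect" and e["count"] >= connects}
    alerts = []
    for e in condensed:
        if e["sensor"] != "hids" or e["kind"] != "login_failure" or e["count"] < failures:
            continue
        net = nids.get((e["src"], e["dst"]))
        if net:
            alerts.append(dict(alert="ssh_service_attack", src=e["src"], dst=e["dst"],
                               connections=net["count"], login_failures=e["count"],
                               first=min(net["first"], e["first"])))
    return alerts

if __name__ == "__main__":
    for alert in correlate(aggregate(EVENTS)):
        print(alert)
```

The stray failure an hour later ends up in its own bucket with count 1, so only the minute-long burst, seen by both sensors, produces the alert.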

Intrusion Detection Systems: Intrusion response
● Documentation
● Alerting
● Countermeasures
  – temporary countermeasure
  – permanent configuration change
  – manual, semi-automated, automatic
  – (counterattack)

Documentation is necessary prior to the analysis of the events. Normally a documented event consists of (time, affected system, type of attack). Additional data like packet content can be used later for a more profound analysis.
Alerting can be done, depending on severity and type of attack, over various channels to different recipients (email, SMS, SNMP trap, pager, automated phone calls). Depending on the type of alert and the alerted person, it should be presented in a way appropriate to the knowledge of the recipient and the transport channel. (A bad example would be sending whole service-specific log files to a CSO.)
Processes on how a person should respond to an alert should be in place prior to its first occurrence.
Countermeasures should be defined to improve the response to an alert. As an example, for a distributed attack on a web shop an appropriate response could be to temporarily block the service by inserting a firewall rule.
Automated or semi-automated countermeasures should be used very carefully as they can easily lead to unintended service disruption. (A weapon can always be used against its wearer.)
Real counterattacks are discussed in the IDS community but not used (as far as I know) due to legal implications.
Intrusion Detection Systems:
IDS Security
●Confidentiality
●An IDS should protect the internal communication
channels and it's access points
●
Integrity
●An IDS should be protected against manipulation
●
Availability
●An IDS should be protected against attacks
●
Accountability
●Any access to the IDS should restricted according the
Communication Security I-7263a
Intrusion Detection Systems:
IDS collaboration
● Virus scanner
specialized HIDS sensor & enforcement agent
● Content filter (proxy)
network traffic enforcement agent
● Vulnerability scanner
specialized NIDS sensor & IDS calibration
● Firewalls
Communication Security I-7263a
Intrusion Detection Systems:
HIDS
●Host(based) Intrusion Detection System
●HIDS is a “monitor” for behavior and state of
a system and it's users.
●
Nowadays a lot of software has part “HIDS”
character.
– Systemcall profiling
– Config and registry changes – Integrity of binaries
Communication Security I-7263a
Intrusion Detection Systems:
HIDS software
●aide / tripwire / samhain / osiris
- File integrity checker (MD5 databases)
- Checks permissions, owner ...
●
systemcall auditor
- Checks what systemcalls a binary uses
●
ossec / logwatch
- Loganalyzer
●
chkrootkit, rkhunter
Communication Security I-7263a
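What the file integrity checkers on this slide do, as an added example that is not code from aide, tripwire, samhain or osiris: a baseline database of content hash, permission bits, owner and size per file is taken, and a later scan is compared against it to report added, removed and changed files with the attribute that changed. SHA-256 is used instead of the MD5 mentioned on the slide, since MD5 collisions are practical; the directory layout and file names in the demo are constructed.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Build a baseline like an aide/tripwire database: for every regular file
    under root record the content hash, permission bits, owner and size."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # symlinks and devices are skipped in this example
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            db[rel] = {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
                       "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    return db

def compare(baseline, current):
    """Integrity check: files added, removed or changed since the baseline,
    naming the attribute(s) that differ (content, mode, owner, size)."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for path in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if diffs:
            report["changed"][path] = diffs
    return report

def demo():
    """Constructed scenario in a temporary directory: take a baseline, then replace a
    binary's content (same size), loosen a config file's mode and drop in a new file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        binary = os.path.join(root, "bin", "ls")
        config = os.path.join(root, "etc", "sshd.conf")
        with open(binary, "wb") as f:
            f.write(b"original")
        with open(config, "wb") as f:
            f.write(b"PermitRootLogin no\n")
        os.chmod(config, 0o640)
        baseline = snapshot(root)  # in practice stored offline or on read-only media
        with open(binary, "wb") as f:
            f.write(b"modified")   # same size as before, so only the hash reveals it
        os.chmod(config, 0o666)    # config made world-writable
        with open(os.path.join(root, "etc", "new.conf"), "wb") as f:
            f.write(b"x\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```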
Intrusion Detection Systems:
NIDS
●(Deep) Packet (Protocol) inspection
- e.g try to detect an overlong URL
●
Attackpattern recognition
- e.g a portscan followed by malformed
service request packets
●
Traffic mapping
- e.g. who talks with who normally
●
Malware detection (content analysis)
Communication Security I-7263a
Intrusion Detection Systems:
NIDS software
●Snort
●
Prelude
● Bro ● Suricata ● HLBR
● X-RAY (Windows – discontinued / last release 2006) ● Winpooch (Windows – discontinued /last release 2007)
Communication Security I-7263a
Intrusion Detection Systems:
Snort
●www.snort.org
(The defacto standard)
●
Signature based detection
●Limited anomaly detection
●Prevention using flexresp
●Opensource
Communication Security I-7263a
Intrusion Detection Systems:
Snort modules
●Preprocessors
- stream5: TCP reassembly & state tracking - frag3: IP defragmentation module
- sfPortscan: port scan detecttion
- <protocol>: portocol specific inspection (http,ssh,dns...)
●
Output
- syslog / binarylog / tcpdump format, csv - database / fastlog
- prelude
Communication Security I-7263a
Intrusion Detection Systems:
Prelude
●http://www.prelude-technologies.com
- libprelude
- IDMEF
- Sensors
- Managers
- Frontend
Communication Security I-7263a
Intrusion Detection Systems:
IDS deployment
●Placement
- Inside firewall
(Only sees in/out attempts of hosts)
- Outside firewall
(Lot of false positives due to internet noise)
- Between internal network segments
●
Types
-Inline
-Mirroport (Spanport) => out of band -Network tap => out of band
Communication Security I-7263a
Intrusion Detection Systems:
IDS drawbacks
●False positives
●
Enumeration of evil (blacklist)
●Expanding bandwidth
●
Encryption (SSL, TLS, IPSec)
●
Evasion
– Protocol abuse
Communication Security I-7263a
Intrusion Detection Systems:
Facts
●
IDS does not prevent anything by itself but
makes the event visible and thus allows a
response
●
IDS requires user experience and training
●IDS requires a lot of initial work before it can
be used in a productive environment
●
IDS needs to be maintained constantly
●IDS is more than just tools it should be an
Communication Security I-7263a
Intrusion Detection Systems:
Bibliography
● BSI-Leitfaden zur Einführung von
Intrusion-Detection-Systemen (alt, aber gut)
https://www.bsi.bund.de/cln_165/ContentBSI/Publikationen/Studien/ids02/index_htm.html
● Network Intrusion Detection (2002)
Stephen Northcutt, Judy Novak (ISBN-10: 0735712654)
● Practical Intrusion Analysis: Prevention and Detection for
the Twenty-First Century (2009)
Ryan Trost (ISBN-10: 0321591801)