1 / 39

Survey of Information Assurance

Survey of Information Assurance. Intrusion Detection systems. Agenda. The Early Systems Network Based Detection Architecture Benefits Challenges Host Based Detection Architecture Benefits Challenges Detection Mechanisms. Scope of Discussions.

lexiss
Download Presentation

Survey of Information Assurance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Survey of Information Assurance Intrusion Detection systems

  2. Agenda • The Early Systems • Network Based Detection • Architecture • Benefits • Challenges • Host Based Detection • Architecture • Benefits • Challenges • Detection Mechanisms

  3. Scope of Discussions Details of signature matching algorithms not covered. Validity of data collected by an IDS from legal point of view not discussed. Data Mining Techniques and data refinement is not discussed. Business aspect of Intrusion detection not covered.

  4. IDS – systems that collect information from a variety of system & network resources, and then analyze the information for signs of intrusion and misuse.

  5. The Early Systems

  6. The Early Systems (continued..)

  7. Capabilities Comparison among early IDS

  8. Capabilities Comparison among early IDS (contd…)

  9. Flaws of early IDS • No platform independence - IDS could not analyze data from systems other than the one it was designed for. i.e. the systems were OS specific. • No system independence – IDS could not process data from systems other than the original targets to which they had been designed. • Bad UI – The user interfaces were far from intuitive due to research nature of these projects.

  10. Types of IDS • Network Based Intrusion Detection Systems • System is used to analyze network packets, i.e. the data sent out of the host interface. • Packets are usually “sniffed” off the network. • The IDS is uniquely positioned to detect access attempts and DOS attacks originating from outside • Host Based Intrusion Detection Systems • Analyze data originating at the host • Have no access/monitoring for data in the network or data originating at other hosts.

  11. Network Based IDS • Unauthorized access • Unauthorized login • Jump-off Point for other Attacks • Data/Resource Theft • Password Downloads • Bandwidth Theft • DOS – denial of service • Malformed Packets • Packet Flooding • Distributed DOS

  12. A – Architecture B – Benefits C – Challenges A B C of network based IDS

  13. Network Based IDS - Architecture • Sensors are deployed across the network that report to a central console. • Sensors: Self contained detection engines that obtain packets in the network, search for intrusion-like behavior and send information back to central console. • Types: • Traditional Sensor: sensors monitor network segments, not individual machines. • Network Node: An agent is placed on each machine in the network, which monitors only traffic received by given machine.

  14. A Standard Network IDS Command Console Network sensor TCP/IP Records Detection Engine Network Packets 3 Log 2 1 Alert 5 Security Officer 6 Response Subsystem 4 9 Report 8 Data Forensics 7 Data Base

  15. Traditional Sensor based Architecture • Steps: • A packet is sent (by anyone) on or outside the network. • It is sniffed by the sensor • The sensor-resident detection engine examines the packet for pre-defined misuse patterns. When some pattern is detected, an “Alert” is sent to central console. • Security Officer is notified. • A response is generated. It may be automated or directed by security officer. It may include reconfiguration of sensor/router/firewall. • A log entry is made. • A comparison is made with data base and report is created. • The incident is stored in data base to establish any long-term trend using Data Forensics.

  16. A Sensor Based Network IDS Command Console Network sensor TCP/IP Records Detection Engine 4 Log 1 2 3 Network Packets Alert 5 Security Officer 6 Response Subsystem 9 Report 8 Data Forensics 7 Data Base

  17. Distributed Network-Node Architecture • Steps: • A packet is sent (by anyone) on or outside the network. • It is sniffed by the sensor placed on destination machine. • The sensor-resident detection engine examines the packet for pre-defined misuse patterns. When some pattern is detected, an “Alert” is sent to central console. • Security Officer is notified. • A local response is generated. • A log entry is made. • A comparison is made with data base and report is created. • The incident is stored in data base to establish any long-term trend using Data Forensics.

  18. A Distributed Network Node IDS Command Console Network sensor TCP/IP Records 8 Report 7 Data Forensics 1 Network Packets Security Officer Alert Detection Engine 3 4 5 6 Data Base 2 Local Response

  19. Network Based IDS: Benefits • Outsider Deterrence • Responding to attack attempt with Legal Notice, e-mail warning etc. • Detection • Signature matching • Statistical behavioral analysis • Automated Response and Notification • Notify System Administrator • Reconfigure router/firewall to block attacking Source Address

  20. Network Based IDS: Challenges • Packet Reassembly • 1998 Ptacek and Newsham’s paper “Insertion, Evasion, and DOS: Eluding Network Intrusion Detection” • High Speed Networks • Sniffer Detection Programs • Antisniff (1999) • Switched Networks • ATM • Encryption

  21. Host Based IDS • Abuse of privilege • Administrative lapse (incorrect privilege assignment, domain addition, ex-employee • Privileged user disclosing data • Changes in Security Configuration • Admin rights to user, WFH user laptops • Guest Account • Open registry (windows NT defaults) • Legal Notice Missing

  22. A – Architecture B – Benefits C – Challenges A B C of HOST based IDS

  23. Host Based IDS - Architecture • Usually Agent based • Agent: An executable that runs on target host and communicates with a Central Command Console. • Types: • Centralized Host Based Architecture • Distributed Real-Time Architecture • Agentless Host-Based Intrusion Detection

  24. Centralized Host Based Architecture • Steps: • An event record is created (a program executed, a file accessed, etc.) • The agent centralizes the audit file to CC (Command Console) • Detection engine processes the file • Log is created • Alert is generated

  25. Centralized Host Based Architecture (contd…) • Security Officer is notified • Response is generated • The alert is stored • Raw data is moved to data archive • Reports are generated

  26. A Centralized Host Based IDS Command Console Target Host Audit Subsystem Detection Engine Audit Data 3 Log 2 1 Raw Data Centralized Collector Alert 5 Security Officer 6 Response Subsystem 4 9 Report 8 Data Forensics 7 Data Base

  27. Distributed Real-Time Architecture • Steps: • An event record is born • The file is read in REAL-TIME and processed through target-resident engine • Security Officer is notified • Response is generated • The alert is generated and sent to central console • Data Forensics is used to look for long term trends; no raw data archive or statistical data • Reports are generated

  28. A Distributed Real-Time Host IDS Command Console Target Host Audit Subsystem 8 Report 7 Data Forensics 1 Audit Data Security Officer Alert Detection Engine 3 4 5 6 Data Base 2 Local Response Collector

  29. Agent Less Architecture • There are no host-based agents • The Central console monitors systems through API that provides it with a “remote control” of the data source • Example: Windows NT/2000 has an API with such capabilities. Kane Security Monitor makes use of this facility.

  30. Host Based IDS: Benefits • Insider Deterrence • Detection • Notification and Response • Log off user/Disable account • Execute local script • Damage Assessment • Attack Anticipation • Prosecution Support

  31. Host Based IDS: Challenges • Performance • Case of Distributed Real-Time Architecture • Deployment/Maintenance • Compromise • Disabling or shutting of user agent • Spoofing • Inserting into audit records • Erasing audits

  32. Network Based Signatures Host Based Signatures Detection mechanisms

  33. Network Based Signatures (1 of 2) • Packet Content Inspection • The packet data (payload) is inspected for patterns or signatures. • Example: FTP Site Exec Pattern within data (c7a5 db87 c7a5 db01) exec cat /etc/passwd\r\n

  34. Network Based Signatures (2 of 2) • Packet Header Inspection • The packet header is inspected for patterns or signatures. • Example: • Broadcast Attack • Land Attack

  35. Host Based Signatures • Single Event Signatures • Writing to an executable • Access flags “WriteData” “WriteAttributes” “WriteEA” “AppendData” etc. • Multi Event Signatures • Repeated Failed Logins • Multi-Host Signatures • Events distributed over multiple hosts

  36. Limitations of IDS • Not an answer to primary network security issues • Requires a standard firewall and malware protection system • May not be able to detect new attack but does provide data to trace such activity.

  37. Latest trends: IDS and IPS • IPS – Intrusion prevention systems. IPS is much more active when compared to IDS and hence seen as better security technology. • IDS/IPS functionality is usually incorporated into the firewall or VPN. • These technologies can be used for rate-limiting a particular kind of data. • More of L7 analysis being incorporated into IDS/IPS systems

  38. Questions?

  39. References • Content and Diagram-references from The Practical intrusion Detection Handbook by Paul E. Proctor • http://www.sans.org/resources/idfaq/what_is_id.php?portal=3ddecea0aa1dd75e13d0c7f68b7a57eb • http://www.networksecurityjournal.com/intrusion-detection/ • http://www.networksecurityjournal.com/features/current-trends-in-ids-ips-052907/

More Related