Intrusion Detection Systems

Francis Chang <[email protected]>

Systems Software Lab

OGI


The Papers

[1] M. Crosbie, B. Kuperman, "A Building Block Approach to Intrusion Detection"

[2] M. Wetz, A. Hutchison, "Interfacing Trusted Applications with Intrusion Detection Systems"

[3] Y. Zhang, W. Lee, "Intrusion Detection in Wireless Ad-Hoc Networks"

[4] G. Mansfield, K. Ohta, Y. Takei, N. Kato, Y. Nemoto, "Towards Trapping Wily Intruders in the Large"


A Building Block Approach to Intrusion Detection

Let’s first look at the first paper:

[1] M. Crosbie, B. Kuperman, "A Building Block Approach to Intrusion Detection"



A new spin on how to build an IDS:

“...monitors the system looking for misuse actions that are indicative of attack. These misuse actions are called building blocks.”

The second theme of the paper: the need for a better data source for the IDS (the IDDS, Intrusion Detection Data Source).



Examples of building blocks:

  • Modification of a system file

  • Unexpected change of the user privileges of a running process

  • Modification of log files

  • Change of a global symbolic link

  • Creation of a setuid program
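As an added example (not code from the Crosbie/Kuperman paper or from this presentation), here is how such building blocks can be matched against a stream of kernel-level audit records and then combined per process. The record layout (one dict per system call with pid, comm, euid, syscall, path, flags, mode, new_euid), the directory lists, the allow-list of privilege-changing programs and the sample records are all assumptions constructed for the example:

```python
"""Matching Crosbie/Kuperman-style building blocks against a stream of
kernel-level audit records.

Added illustration, not code from the paper or the presentation. The record
layout (one dict per system call with pid, comm, euid, syscall, path, flags,
mode, new_euid) and the directory lists are assumptions made for this example;
the sample records below are constructed.
"""
import os
import stat
from collections import defaultdict

SYSTEM_DIRS = ("/etc/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")
LOG_DIRS = ("/var/log/",)
# Programs that are expected to raise privilege; any other process doing so is a block.
PRIVILEGE_CHANGERS = {"su", "sudo", "login", "sshd"}
WRITE_FLAGS = os.O_WRONLY | os.O_RDWR


def _under(path, dirs):
    # normpath collapses "/etc/../etc/passwd" and "/etc//passwd" before matching,
    # so a path built to dodge a prefix check still lands in the right bucket.
    p = os.path.normpath(path)
    return any(p.startswith(d) for d in dirs)


def block_for(rec):
    """Return the building block this one record matches, or None."""
    sc = rec["syscall"]
    path = rec.get("path", "")
    if sc in ("open", "openat") and rec.get("flags", 0) & WRITE_FLAGS:
        if _under(path, LOG_DIRS):
            return "log_file_modified"
        if _under(path, SYSTEM_DIRS):
            return "system_file_modified"
    if sc in ("unlink", "truncate", "rename") and _under(path, LOG_DIRS):
        return "log_file_modified"
    if sc in ("chmod", "fchmod") and rec.get("mode", 0) & stat.S_ISUID:
        return "setuid_created"
    if sc in ("setuid", "seteuid", "setresuid"):
        if rec.get("euid") != 0 and rec.get("new_euid") == 0 and rec["comm"] not in PRIVILEGE_CHANGERS:
            return "unexpected_privilege_change"
    if sc == "symlink" and _under(path, SYSTEM_DIRS):
        return "global_symlink_changed"
    return None


def detect(records, threshold=2):
    """Match every record, group hits by process, and alert on any process that
    triggers at least `threshold` distinct building blocks.

    Returns (hits, alerts): hits maps pid -> [(block, path), ...] for every
    matched record; alerts is the subset of pids worth waking someone up for.
    A single block is only an event: logrotate legitimately touches /var/log.
    """
    hits = defaultdict(list)
    for rec in records:
        name = block_for(rec)
        if name:
            hits[rec["pid"]].append((name, rec.get("path", "")))
    alerts = {pid: h for pid, h in hits.items() if len({n for n, _ in h}) >= threshold}
    return dict(hits), alerts


# Constructed audit stream: one benign editor, one expected sudo, a web server
# that escalates and then covers its tracks, and a log rotation.
SAMPLE_RECORDS = [
    {"pid": 4101, "comm": "vim", "euid": 1000, "syscall": "openat",
     "path": "/home/alice/notes.txt", "flags": os.O_WRONLY},
    {"pid": 4122, "comm": "sudo", "euid": 1000, "syscall": "setresuid", "new_euid": 0},
    {"pid": 5201, "comm": "httpd", "euid": 33, "syscall": "setuid", "new_euid": 0},
    {"pid": 5201, "comm": "httpd", "euid": 0, "syscall": "openat",
     "path": "/etc/passwd", "flags": os.O_RDWR},
    {"pid": 5201, "comm": "httpd", "euid": 0, "syscall": "chmod",
     "path": "/tmp/.x/sh", "mode": 0o4755},
    {"pid": 5201, "comm": "httpd", "euid": 0, "syscall": "truncate",
     "path": "/var/log/httpd/access_log"},
    {"pid": 6000, "comm": "logrotate", "euid": 0, "syscall": "rename",
     "path": "/var/log/syslog"},
]

if __name__ == "__main__":
    hits, alerts = detect(SAMPLE_RECORDS)
    for pid, blocks in hits.items():
        print(pid, "ALERT" if pid in alerts else "event", blocks)
```

The detector deliberately treats one block as an event and several distinct blocks from the same process as an alert: logrotate renaming a file under /var/log matches a block but is not on its own an intrusion, whereas a web server that changes its own uid to 0, opens /etc/passwd for writing, creates a setuid binary and truncates its access log has assembled an attack out of building blocks.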



So what did they do?

Build an in-kernel IDDS.



Crosbie/Kuperman argue that traditional IDS data sources are insufficient – let’s take a look at their argument.



syslogd:

  • A popular IDS data source

  • Typically a daemon writes to syslogd when it “starts up, changes configuration, encounters an error, or some other unusual behaviour occurs”



syslogd (continued):

  • Crosbie/Kuperman argue that the quality of the log messages is entirely dependent on the programmers who wrote the system daemons: if a daemon never logs an event, the IDS never sees it.

  • Early versions of syslogd could themselves be attacked (buffer overflows, abnormal exits), and a data source an attacker can crash goes silent exactly when it matters.



Network packet traces:

  • If you only use network packet traces you lose host context (which process or user handled the data, whether a payload actually had any effect, anything inside an encrypted session), and so certain types of attacks cannot be detected at all.



Why is an in-kernel approach good?

  • Time inside the kernel is “frozen”: the event is recorded at the moment the system call executes, before control returns to the process, so the record reflects exactly what happened and cannot be raced or reordered by the process being watched.

  • An in-kernel design is more resilient to attack: an intruder with user-level privileges cannot kill, starve or overflow the data source the way they could a user-space daemon such as syslogd.


Interfacing Trusted Apps

The next paper:

[2] M. Wetz, A. Hutchison, "Interfacing Trusted Applications with Intrusion Detection Systems"


The basic suggestion: rewrite existing applications so that they report security-relevant events to a syslogd/IDS interface themselves. Where [1] pushes the data source down into the kernel, this pushes it up into the application, which knows best what an event means but has to be trusted to report it honestly.
Intrusion Detection in Wireless Ad-hoc Networks

The problem:

  • Open medium: attacks can come from anywhere and go anywhere

  • No clear topology: the network is continually changing, and there are no central points at which to place a monitor


The solution: an IDS at every node.

Let’s take a closer look at the IDS…



Detecting abnormal routing updates:

Give each node a GPS so its IDS knows its own position and velocity; from that it can predict how many route changes are normal for the way it is moving, and flag an unexpected number of route changes (statistical analysis).



Detecting abnormal activities in other layers:

Various independent monitors detect anomalies in the other protocol layers, and their results are combined into a single confidence rating.



Respond to a detection by reconstructing the routing tables and routing around the compromised node.
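The three ideas in this paper (a route-change monitor that knows the node’s own mobility, fusion of independent per-layer monitors into one confidence value, and routing around the node judged compromised) fit in one small sketch. This is an added example, not code from Zhang and Lee or from the presentation; the mobility bands, the score scaling, the alert threshold, the history profile and the link graph are all assumptions constructed for it:

```python
"""Per-node IDS pieces for an ad-hoc network: a mobility-aware route-change
monitor, cross-layer fusion of monitor scores, and routing around a node
judged compromised.

Added illustration, not code from Zhang and Lee's paper or the presentation.
The mobility bands, thresholds, score scaling and all sample numbers are
assumptions constructed for this example.
"""
import statistics
from collections import deque


def mobility_band(speed_m_s):
    # A moving node sees more legitimate route changes than one standing still,
    # so the "normal" profile is kept per mobility band (speed from its own GPS).
    if speed_m_s < 0.5:
        return "stationary"
    if speed_m_s < 5.0:
        return "walking"
    return "vehicle"


def route_change_score(profile, speed_m_s, observed, z_alert=3.0):
    """Anomaly score in [0, 1] for `observed` route changes in one interval.

    profile maps band -> past per-interval route-change counts seen while the
    node itself was in that band. The z-score against that band's history is
    scaled so that z_alert sigma maps to 1.0 (assumed scaling, not the paper's).
    """
    history = profile[mobility_band(speed_m_s)]
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history) or 1.0  # flat history: avoid dividing by zero
    z = (observed - mean) / sd
    return 0.0 if z <= 0 else min(1.0, z / z_alert)


def combine_confidence(scores):
    """Fuse independent monitors' scores into one confidence that the node is
    under attack: 1 - prod(1 - s_i), the chance that at least one monitor is
    right if they were independent. Two half-sure monitors give 0.75."""
    p = 1.0
    for s in scores:
        p *= 1.0 - s
    return 1.0 - p


def route_around(links, src, dst, excluded):
    """Rebuild a shortest-hop path from src to dst that avoids `excluded` nodes
    (the response step: a compromised neighbour is simply not used)."""
    adj = {}
    for u, v in links:
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    prev = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in adj.get(u, []):
            if v in excluded or v in prev:
                continue
            prev[v] = u
            queue.append(v)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def assess(profile, speed_m_s, route_changes, other_layer_scores, alert_at=0.9):
    """One detection cycle: routing monitor plus other-layer monitors -> decision."""
    scores = [route_change_score(profile, speed_m_s, route_changes)] + list(other_layer_scores)
    confidence = combine_confidence(scores)
    return confidence, confidence >= alert_at


# Constructed history for one node: per-interval route-change counts by band,
# and a small constructed topology for the response step.
PROFILE = {
    "stationary": [1, 2, 2, 1, 3, 2, 1, 2],
    "walking": [4, 6, 5, 7, 5, 6, 4, 5],
    "vehicle": [12, 15, 11, 14, 13, 16, 12, 14],
}
LINKS = [("A", "B"), ("B", "D"), ("A", "C"), ("C", "E"), ("E", "D")]

if __name__ == "__main__":
    # A stationary node suddenly seeing 30 route changes, MAC layer mildly unhappy.
    conf, alarm = assess(PROFILE, 0.0, 30, [0.3])
    print("confidence", round(conf, 3), "alarm", alarm)
    print("path avoiding B:", route_around(LINKS, "A", "D", {"B"}))
```

The point of keeping the profile per mobility band is that the same count means different things: fourteen route changes in an interval is unremarkable for a node in a vehicle and wildly abnormal for one that has not moved.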


Towards Trapping Wily Intruders in the Large

[4] G. Mansfield, K. Ohta, Y. Takei, N. Kato, Y. Nemoto, "Towards Trapping Wily Intruders in the Large"

The basics: monitor the network and collect statistics. When the statistics deviate from “normal” behaviour, flag it.

Extend SNMP so that different networks can collaborate to track down the intruder.


When a network is under attack there is usually a lot of suspicious traffic. In particular there are more:

  • TCP RST packets

  • ICMP echo requests and replies

  • ICMP destination unreachable messages


ICMP echo:

Echo requests and replies often occur in high volume when a network is under attack:

  • Mapping out a network

  • DDoS attacks

  • Smurf attacks (let’s take a look)


Smurf attack (diagram over four slides; 1.1.1.1, 1.1.1.2 and 1.1.1.3 are on the amplifier network, 2.2.2.2 is the attacker and 3.3.3.3 the victim):

  • “Ping 1.1.1.255 from 3.3.3.3”: the attacker sends an echo request to the broadcast address 1.1.1.255 with a forged source address of 3.3.3.3.

  • The broadcast is delivered to every host on the 1.1.1.0/24 network.

  • “Echo Reply”: each host answers the forged source, so 1.1.1.2, 1.1.1.3 and the rest all send an echo reply to 3.3.3.3.

  • “Many Echo Responses”: one packet from the attacker becomes one reply per host, all landing on 3.3.3.3.


TCP resets:

They do not occur very often in normal network traffic, but very often when a network is being attacked, e.g.

  • Port scanning

  • Inverse mapping (let’s take a look at this)


Inverse mapping (successful routing), diagram over four slides; 1.1.1.1 is the router in front of 1.1.1.2 and 1.1.1.3, and 2.2.2.2 and 2.2.2.3 are outside hosts:

  • “ACK from 1.1.1.2”: a TCP ACK whose source address is forged to be 1.1.1.2 is sent to an outside host.

  • “TCP Reset”: the ACK belongs to no connection, so the receiver answers it with a RST addressed to 1.1.1.2.

  • “TCP Reset”: the RST is routed through 1.1.1.1 and delivered to 1.1.1.2.

  • “No Response”: 1.1.1.2 exists and silently drops the RST.

Inverse mapping (unsuccessful routing), diagram over three slides:

  • “ACK from 1.1.1.4”: the same probe, with the forged source 1.1.1.4, an address that does not exist.

  • “TCP Reset”: the receiver again answers with a RST, this time addressed to 1.1.1.4.

  • “ICMP No Route to Host”: the router 1.1.1.1 has no host 1.1.1.4 behind it and sends back an ICMP unreachable.

The trick of inverse mapping is that live hosts are never asked to answer; the map is built from which addresses produce an ICMP unreachable and which do not. That is why the RST and ICMP destination unreachable counts are useful indicators.


So, now that we know what we’re looking for, how do we find it?

Just use some simple math: isolate patterns with least-squares curve fitting, and find correlations between the different traffic statistics.
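As an added example (not the paper’s code or the presentation’s), here is that idea worked through for the indicators listed above: a least-squares line fitted to a training window of per-interval counter deltas, intervals flagged when a counter climbs too far above the fitted line, and a correlation step that reports which flagged indicators rose together. The counters are named after MIB-II objects because the paper extends SNMP, but the paper’s own variables, window length, threshold and the sample series are all assumptions constructed for this example:

```python
"""Statistical anomaly detection and correlation over per-interval traffic
counters, in the spirit of Mansfield et al.: fit normal behaviour with least
squares, flag intervals that deviate, and correlate the indicators that moved
together.

Added illustration, not code from the paper or the presentation. The counters
are named after MIB-II objects (icmpInEchos, icmpOutEchoReps, tcpOutRsts,
icmpOutDestUnreachs) because the paper extends SNMP, but the paper's actual
variables, window length, threshold k and the series below are all assumptions
constructed for this example.
"""
import math


def least_squares(ys):
    """Fit y = a + b*t for t = 0..n-1 and return (a, b, residual_sd)."""
    n = len(ys)
    mt = (n - 1) / 2
    my = sum(ys) / n
    stt = sum((t - mt) ** 2 for t in range(n))
    sty = sum((t - mt) * (y - my) for t, y in enumerate(ys))
    b = sty / stt if stt else 0.0
    a = my - b * mt
    resid = [y - (a + b * t) for t, y in enumerate(ys)]
    return a, b, math.sqrt(sum(r * r for r in resid) / n)


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series (0.0 if either is flat)."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def flag_intervals(series, train, k=4.0):
    """series: {counter: [delta per interval]}. The first `train` intervals are
    taken as normal; an interval t >= train is flagged when the counter sits more
    than k residual standard deviations above the fitted line at t.
    Returns {counter: [flagged interval indices]}."""
    flags = {}
    for name, ys in series.items():
        a, b, sd = least_squares(ys[:train])
        sd = max(sd, 1.0)  # floor: a near-flat baseline must not flag one extra packet
        flags[name] = [t for t in range(train, len(ys)) if ys[t] - (a + b * t) > k * sd]
    return flags


def correlated_indicators(series, flags, min_r=0.8):
    """Pairs of counters that were flagged in the same interval and whose whole
    series correlate: the indicators that rose together, which is what separates
    a smurf (echo requests with echo replies) from a scan (resets with unreachables)."""
    names = list(series)
    pairs = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if set(flags[x]) & set(flags[y]) and pearson(series[x], series[y]) >= min_r:
                pairs.append((x, y))
    return pairs


# Constructed per-interval counter deltas: quiet for eight intervals, an echo
# flood at t=9..10 and a scan at t=11.
TRAIN = 8
SAMPLE_SERIES = {
    "icmpInEchos":         [20, 22, 19, 21, 20, 23, 18, 21, 20, 2100, 2400, 22],
    "icmpOutEchoReps":     [20, 22, 19, 21, 20, 23, 18, 21, 20, 2100, 2400, 22],
    "tcpOutRsts":          [3, 2, 4, 3, 3, 2, 4, 3, 3, 3, 2, 310],
    "icmpOutDestUnreachs": [1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 150],
}

if __name__ == "__main__":
    flags = flag_intervals(SAMPLE_SERIES, TRAIN)
    for name, ts in flags.items():
        print(f"{name:22s} anomalous at {ts}")
    print("rose together:", correlated_indicators(SAMPLE_SERIES, flags))
```

Two things worth noticing: the residual floor keeps a counter that is normally zero from alarming on a single stray packet, and the correlation step is what turns four separate alarms into two stories (echo requests with echo replies, resets with unreachables), which is the shape of evidence a collaborating network can act on.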



Tracing an attack



  • The system does not rely on specific attack types, patterns or signatures, and does not attempt to reconstruct a detailed transaction log; it relies only on statistics.

  • It can trace back the flow of an attack across the collaborating networks.

