
Intrusion Detection


Presentation Transcript


  1. Intrusion Detection Dr. Gregory Vert

  2. Intrusion Detection • Definition: • Detection of an attack • While it is going on • Shortly after it has occurred

  3. Intrusion Detection • Goal: • To thwart the attack • Conduct forensic investigation • Minimize damage • Learn how attack was conducted and improve system security

  4. Intrusion Detection • General Theory behind ID • Actions of normal system processes and users conform to a pattern that can be defined mathematically • Users and processes are not trying to break the system • Users and processes have a set of defined privileges and actions

  5. Intrusion Detection • To do intrusion detection, build a system that monitors for changes in the previous assumptions • Examples: • 90% of CPU usage occurs between 8 am and 5 pm • Users don’t usually browse the password files • More than 3 failed login attempts may be an attack, because users usually log in on the first try

  6. Intrusion Detection • Attack tools • Are how systems are usually attacked • Are usually a piece of existing software • Are generally automated • Want volume in an attack: look at many computers and find the few that are not secure • Want the computer to do the bulk of the work of the attack

  7. Intrusion Detection • Example of an attack tool: root kits • Replace existing operating system files, e.g. ls, du, netstat, ifconfig (network device configuration) • Sniff passwords and network connections • Run with root privilege • Run concealed • Allow access to the hacker through a back door

  8. Intrusion Detection • Denning • Hypothesis: exploitation of vulnerabilities requires abnormal use of existing commands • Therefore look for abnormality in command usage on the system • Key idea behind detection

  9. Intrusion Detection • Intrusion Detection Systems (IDS) • An automated system that looks for abnormal patterns in: • system commands • usage • volumes • access to locations in the system • failures

  10. Intrusion Detection • An IDS must be automated because • System logs contain enormous amounts of information • Often looking for 5-20 abnormal changes in 5000 lines of data • Slow attacks are even worse to detect because • Actions happen over an extended period of time • Logs don’t show them as adjacent sequences of activities

  11. Intrusion Detection • A good IDS has 4 characteristics (Bishop) • Detects a wide variety of attacks • Not as simple as it sounds • How can you detect an attack if you don’t know how it works and have never seen one before? • Class ideas?

  12. Intrusion Detection • A good IDS has 4 characteristics • Detects attacks in a timely fashion • How fast is fast enough? • Discussion? • Real-time detection may bog down processing • Which is an attack in its own right: a denial of service attack

  13. Intrusion Detection • A good IDS has 4 characteristics • Must present analysis in a clear, simple format • Problems: • False positives • Thinks an attack is going on when it really is not • False negatives • Does not think an attack is going on when it really is

  14. Intrusion Detection • A good IDS has 4 characteristics • Must be accurate • The false positive / false negative problem from the previous slide • We only want to respond to the real stuff because responding: • Is time consuming • May lead to actions that damage the system without cause • Draws resources away from dealing with a real attack that could start as you are investigating

  15. Intrusion Detection • Three system models for an IDS • Anomaly detection • Misuse detection • Specification-based detection (the newest)

  16. Intrusion Detection • Anomaly detection • Assumes that unexpected behavior is evidence of an attack • Compares a set of variables and their current values to a known (expected) set of values • Tries to reason about an attack based on the data that does not match • Usually done with statistics but could be done with other techniques also

  17. Intrusion Detection • Anomaly Detection • Threshold approach • When a variable (or set of variables) is above a certain level, declare an attack • Examples: • number of failed logins for a given user id in 10 minutes • disk usage • # of packets on port x in time period n
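Detection logic for the first example on this slide (and the "more than 3 failed logins" rule on slide 5), as an added example that is not part of the presentation: a sliding 10-minute window per user over constructed syslog-style sshd lines. The log lines, the line format and the function names are this example's own assumptions. The last user in the sample spreads four failures over an hour and is never flagged by the 10-minute window, which is the slow-attack problem from slide 10.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a syslog-like layout (not taken from a real system).
SAMPLE_LOG = """\
2024-03-01 09:00:05 host sshd: Failed password for alice from 10.0.0.7
2024-03-01 09:01:10 host sshd: Failed password for alice from 10.0.0.7
2024-03-01 09:02:30 host sshd: Accepted password for alice from 10.0.0.7
2024-03-01 09:10:00 host sshd: Failed password for bob from 10.0.0.9
2024-03-01 09:11:00 host sshd: Failed password for bob from 10.0.0.9
2024-03-01 09:12:00 host sshd: Failed password for bob from 10.0.0.9
2024-03-01 09:13:00 host sshd: Failed password for bob from 10.0.0.9
2024-03-01 09:30:00 host sshd: Failed password for carol from 10.0.0.11
2024-03-01 09:50:00 host sshd: Failed password for carol from 10.0.0.11
2024-03-01 10:10:00 host sshd: Failed password for carol from 10.0.0.11
2024-03-01 10:30:00 host sshd: Failed password for carol from 10.0.0.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, result, user, source) for every line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in another format are simply skipped
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])

def failed_login_alerts(log_text, threshold=3, window_minutes=10):
    """Flag a user the first time more than `threshold` failures fall inside the window.

    Returns a list of (user, timestamp) pairs in log order.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # per user: failure timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, result, user, _src in parse(log_text):
        if result != "Failed":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # age out failures older than the window
            q.popleft()
        if len(q) > threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts))
    return alerts

def total_failures(log_text):
    """Failures per user over the whole log, ignoring time: shows what the window hides."""
    totals = defaultdict(int)
    for _ts, result, user, _src in parse(log_text):
        if result == "Failed":
            totals[user] += 1
    return dict(totals)

if __name__ == "__main__":
    for user, ts in failed_login_alerts(SAMPLE_LOG):
        print(f"ALERT {ts}: more than 3 failed logins for {user} in 10 minutes")
    print("failures per user:", total_failures(SAMPLE_LOG))
```

Widening the window to two hours catches carol as well, at the price of more false positives from genuinely forgetful users; that trade-off is the threshold problem discussed on the next slide.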

  18. Anomaly Detection • Threshold approach problems • Users have different skill levels • Example: an Asian user of an English-language computer system • Class? • One threshold is generally applied to all • So the approach can penalize new users by locking them out of the system

  19. Anomaly Detection • Statistical Moment Approach • Instead of setting a threshold, calculate: • Averages (means) • Standard deviations • Look for deviations from these values

  20. Anomaly Detection • Statistical Moment Approach • Problems • Data may change over time in unexpected ways • New users • Users become smarter • Need to age data somehow to reflect how the system is changing • How do we do this? • Generally a better system than thresholds • May use an expert system (Haystack, IDES)
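An added example (not from the slides) of the statistical moment approach with and without aging, in Python. It contrasts a profile whose mean and standard deviation are frozen after a training period with one that keeps them as an exponentially weighted mean and variance, so that old observations gradually stop counting. The daily activity series is constructed: 30 stable days, a 40-day gradual ramp (the user "becoming smarter"), then a one-day spike. The static profile flags most of the ramp as anomalous; the aging profile adapts to the ramp and still flags the spike. The weight alpha, the warm-up length and the 3-sigma rule are this example's choices.

```python
import math
import statistics

def make_series():
    """Constructed daily activity counts for one user (not measured data):
    30 stable days around 100, a 40-day ramp up to about 200, then a spike of 600."""
    jitter = [-4, 2, 5, -3, 0, 3, -5, 1, 4, -3]
    stable = [100 + jitter[i % 10] for i in range(30)]
    ramp = [100 + 2.5 * i + jitter[i % 10] for i in range(1, 41)]
    return stable + ramp + [600]

def static_profile_flags(series, train=30, k=3.0):
    """Fix mean and standard deviation from the first `train` samples, never update
    them, and flag every later sample more than k standard deviations from the mean."""
    mean = statistics.mean(series[:train])
    sd = statistics.stdev(series[:train])
    return [i for i in range(train, len(series)) if abs(series[i] - mean) > k * sd]

class AgingProfile:
    """Mean and variance with exponential aging: each new sample gets weight alpha,
    so behaviour from long ago gradually stops influencing the profile."""
    def __init__(self, alpha=0.1, k=3.0, warmup=30):
        self.alpha, self.k, self.warmup = alpha, k, warmup
        self.n, self.mean, self.var = 0, 0.0, 0.0

    def update(self, x):
        """Return True if x is anomalous against the current profile, then fold x in."""
        anomalous = False
        if self.n >= self.warmup:          # do not judge before the profile has settled
            anomalous = abs(x - self.mean) > self.k * math.sqrt(self.var)
        if self.n == 0:
            self.mean = x
        else:
            diff = x - self.mean
            self.mean += self.alpha * diff                              # EWMA of the mean
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)  # EWMA variance
        self.n += 1
        return anomalous

def aging_profile_flags(series, alpha=0.1, k=3.0, warmup=30):
    profile = AgingProfile(alpha, k, warmup)
    return [i for i, x in enumerate(series) if profile.update(x)]

if __name__ == "__main__":
    s = make_series()
    print("static profile flags:", static_profile_flags(s))
    print("aging profile flags: ", aging_profile_flags(s))
```

The aging profile pays for its adaptability: an attacker who raises activity slowly enough can drag the baseline along and never cross 3 sigma, so in practice a slow-changing long-term profile is kept alongside the short-term one and the two are compared.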

  21. Anomaly Detection • State Machine Model • Series of events occur in regular sequences • Certain events are more likely to follow other events – state transitions • When a low-probability transition occurs, it is probably anomalous • Draw: login, cd home dir -> open word processor • Can be applied to system calls: open, read, write, close

  22. Anomaly Detection • State Machine • Problems • Need to know the events and sequences ahead of time • Need training data • System may change based on addition of new software • Can only be run on the computer from which the training data is derived
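An added example (not part of the presentation) of the state-machine model applied to system call traces: transition probabilities are learned from normal traces, then every transition in a new trace whose probability falls below a threshold is flagged, with never-seen transitions scoring 0. The traces, call names and threshold are constructed for the example. The rare-path case at the end illustrates the training-data problem from slide 22: a legitimate sequence that was seen only once in training is flagged as soon as the threshold is made stricter.

```python
from collections import Counter, defaultdict

# Constructed traces of system calls from normal runs of one program (not captured data).
NORMAL_TRACES = [
    ["execve", "open", "read", "read", "write", "close", "exit"],
    ["execve", "open", "read", "write", "write", "close", "exit"],
    ["execve", "open", "read", "close", "open", "read", "write", "close", "exit"],
    ["execve", "open", "read", "read", "read", "close", "exit"],
    ["execve", "open", "write", "close", "exit"],   # one rare but legitimate path
]

def train_transitions(traces):
    """Estimate P(next | current) from counts of adjacent pairs in the training traces."""
    counts = defaultdict(Counter)
    for trace in traces:
        for a, b in zip(trace, trace[1:]):
            counts[a][b] += 1
    return {a: {b: n / sum(c.values()) for b, n in c.items()} for a, c in counts.items()}

def score_trace(probs, trace, min_prob=0.05):
    """Return (index, from, to, probability) for every transition rarer than min_prob.
    A transition never seen in training has probability 0 and is always flagged."""
    flagged = []
    for i, (a, b) in enumerate(zip(trace, trace[1:])):
        p = probs.get(a, {}).get(b, 0.0)
        if p < min_prob:
            flagged.append((i, a, b, p))
    return flagged

NORMAL_TEST = ["execve", "open", "read", "write", "close", "exit"]
# Constructed anomalous trace: the program changes a file mode and re-executes.
ANOMALOUS_TRACE = ["execve", "open", "read", "chmod", "execve", "exit"]

if __name__ == "__main__":
    model = train_transitions(NORMAL_TRACES)
    print("normal test trace:", score_trace(model, NORMAL_TEST))
    print("anomalous trace:  ", score_trace(model, ANOMALOUS_TRACE))
    print("rare path, strict threshold:", score_trace(model, NORMAL_TRACES[4], min_prob=0.2))
```

The model is specific to the program and machine it was trained on: installing new software changes which transitions are normal, so the table has to be retrained rather than copied.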

  23. Anomaly Detection • Which features and data variables to watch is critical to the success of AD • Frank demonstrated that selection of the “best” features for a network activity classification program could be done by eliminating features according to the error rate they induce in classification of activity • He found that about 5 features was right for his study

  24. Anomaly Detection • Generally assumes a Gaussian distribution • A bell curve that shows what is normal • Some systems may cluster data by related values, such as “read time” for a file and “cpu usage” for the read • Outliers – values that don’t fit into a cluster – can then be an attack • Draw

  25. Misuse Detection • Misuse: an attack by an insider who generally has authorized access (the term is also used for any known-bad behavior) • Is rule based • Looks for sequences of commands that are known to violate policy • Example

  26. Misuse Detection • Rules are placed into a rule set • The IDS processes the rules against system logs looking for violations • Often involves expert systems because rules can be ambiguous

  27. Misuse Detection • Can’t detect attacks that are unknown • the attack’s sequence of rule violations is not known • Can enhance systems to make them adaptive, e.g. via Petri nets

  28. Misuse Detection • IDIOT – Spafford, uses Petri nets • Defines • events – a change in system state • a record of the event • transitions from one state to another on an event • transitions may have tests (guards) that check for the existence of variables in certain states and/or make assignments • Can have separate transition branches that merge • Draw

  29. Misuse Detection • IDIOT classified attacks by categories: • existence – attack creates a file • sequence – attack causes several events to occur sequentially • partial order – attack causes two or more sequences of events that form an ordering over time • interval – two events occur exactly n units of time apart

  30. Misuse Detection • IDIOT • monitors audit trail logs • STAT – a similar system (Ilgun) • No guards • uses state tables • looks at the sequence of commands used, e.g., to get a forbidden privilege
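An added example (not IDIOT or STAT code; the slides describe those systems only at the level of their models) of the mechanism slides 28-30 describe: a signature is a sequence of transitions, each with a guard that tests the event against the variables bound so far, plus an optional interval constraint; partial matches are carried as tokens that are consumed when they advance. The signature (a user creates a file, changes its mode, then executes it within 60 seconds) and the audit events are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Event:
    time: float      # seconds
    user: str
    action: str      # "create", "chmod" or "exec" in this example
    target: str

# A guard inspects an event plus the variables bound so far. It returns the new
# bindings (possibly {}) if the transition fires, or None if it does not.
Guard = Callable[[Event, dict], Optional[dict]]

@dataclass(frozen=True)
class Step:
    guard: Guard
    max_gap: Optional[float] = None   # interval constraint: seconds since the previous step

@dataclass
class Token:
    step: int            # index of the Step this token is waiting for
    bindings: dict
    last_time: float

def match_signature(steps: List[Step], events: List[Event]) -> List[dict]:
    """Run a signature over a time-ordered event stream and return the bindings of
    every complete match. A token is consumed when it advances, as in a Petri net."""
    tokens: List[Token] = []
    matches: List[dict] = []
    for ev in sorted(events, key=lambda e: e.time):
        survivors: List[Token] = []
        for tok in tokens:
            step = steps[tok.step]
            if step.max_gap is not None and ev.time - tok.last_time > step.max_gap:
                continue                      # interval exceeded: the partial match dies
            new = step.guard(ev, tok.bindings)
            if new is None:
                survivors.append(tok)         # keep waiting for a matching event
                continue
            merged = {**tok.bindings, **new}
            if tok.step + 1 == len(steps):
                matches.append(merged)
            else:
                survivors.append(Token(tok.step + 1, merged, ev.time))
        first = steps[0].guard(ev, {})        # any event may also start a new token
        if first is not None:
            if len(steps) == 1:
                matches.append(first)
            else:
                survivors.append(Token(1, first, ev.time))
        tokens = survivors
    return matches

def build_signature(max_gap: Optional[float] = 60.0) -> List[Step]:
    """Hypothetical signature: a user creates a file, changes its mode, and executes it
    within max_gap seconds of the chmod. user/file are bound on the first step."""
    def created(ev, _bindings):
        return {"user": ev.user, "file": ev.target} if ev.action == "create" else None
    def same_file(action):
        def guard(ev, b):
            ok = ev.action == action and ev.user == b["user"] and ev.target == b["file"]
            return {} if ok else None
        return guard
    return [Step(created), Step(same_file("chmod")), Step(same_file("exec"), max_gap=max_gap)]

# Constructed audit events (not real audit data).
EVENTS = [
    Event(0, "alice", "create", "/tmp/a"),
    Event(10, "alice", "chmod", "/tmp/a"),
    Event(20, "alice", "exec", "/tmp/a"),       # full sequence inside the interval
    Event(100, "bob", "create", "/tmp/b"),
    Event(110, "bob", "chmod", "/tmp/b"),
    Event(500, "bob", "exec", "/tmp/b"),        # same sequence, but 390 s after the chmod
    Event(600, "carol", "create", "/tmp/c"),
    Event(610, "carol", "exec", "/tmp/c"),      # no chmod step: incomplete
    Event(700, "dave", "chmod", "/tmp/a"),      # unrelated user touching alice's file
]

if __name__ == "__main__":
    print("with 60 s interval:", match_signature(build_signature(60.0), EVENTS))
    print("without interval:  ", match_signature(build_signature(None), EVENTS))
```

Dropping the interval makes bob's sequence match too; whether that is a better rule is exactly the false positive / false negative trade-off from slide 13, and it is why IDIOT treats interval, sequence and existence as separate pattern categories.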

  31. Specification Modeling • Misuse detection looks for states known to be bad • Specification modeling looks for states known to not be good – a possible intrusion • Builds specifications for how a program should run • Examines program for deviations from good states

  32. Specification Modeling • Ko developed a specification based IDS • Monitored 15 security related programs • Monitored on things like: • object access • synchronization of data • sequences of commands • race conditions

  33. Specification Modeling • They looked at rdist (remote distribution) • rdist updates programs on remote systems • The problem is that rdist modifies permissions on files • By replacing a file with a symbolic link to another file, an attacker can get rdist to change permissions on that other file

  34. Specification Modeling • Specification modeling • utilizes grammars to specify actions • grammars define acceptable activities • is a relatively new field • because it specifies what should happen, unknown attacks can be detected • Class drawbacks?
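An added example (not Ko's system) of specification modeling in the grammar style this slide describes: the allowed behaviour of a hypothetical rdist-like updater is written as a regular grammar over operation classes, with per-operation constraints on top (destinations live under one tree; chmod applies only to the file just written and never to a symbolic link). The operation classes, the grammar, the path rules and the traces are all constructed for this example. The symlink-swap trace is rejected without any attack signature, which is the "unknown attacks can be detected" point.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Op:
    kind: str               # one-letter operation class, see KINDS
    path: str = ""
    symlink: bool = False   # constructed attribute: was `path` a symbolic link at that moment

KINDS = {
    "O": "open source file for reading", "R": "read", "C": "close",
    "W": "create destination file", "T": "write", "M": "chmod destination", "X": "exit",
}
# Hypothetical specification: for each file the program may read one source, then create
# and write one destination, then chmod that destination; afterwards it must exit.
GRAMMAR = re.compile(r"(OR*CWT*CM)*X")
DEST_ROOT = "/srv/dist/"

def check_trace(ops):
    """Return a list of specification violations (empty if the trace conforms)."""
    violations = []
    word = "".join(op.kind for op in ops)
    if not GRAMMAR.fullmatch(word):
        violations.append(f"sequence {word!r} is not accepted by the grammar")
    last_dest = None
    for i, op in enumerate(ops):
        if op.kind == "W":
            if not op.path.startswith(DEST_ROOT):
                violations.append(f"op {i}: destination {op.path} outside {DEST_ROOT}")
            if op.symlink:
                violations.append(f"op {i}: destination {op.path} is a symbolic link")
            last_dest = op.path
        elif op.kind == "M":
            if op.path != last_dest:
                violations.append(f"op {i}: chmod of {op.path}, not the file just written ({last_dest})")
            if op.symlink:
                violations.append(f"op {i}: chmod target {op.path} is a symbolic link")
    return violations

# Constructed traces, expressed in the operation classes above.
GOOD_TRACE = [Op("O", "/src/app"), Op("R"), Op("C"), Op("W", "/srv/dist/app"),
              Op("T"), Op("C"), Op("M", "/srv/dist/app"), Op("X")]
# The destination was swapped for a symlink between the write and the chmod,
# the shape of the rdist problem described on the previous slide.
SYMLINK_TRACE = GOOD_TRACE[:6] + [Op("M", "/srv/dist/app", symlink=True), Op("X")]
# A run that changes a mode outside the expected sequence and outside the destination tree.
OUT_OF_ORDER_TRACE = [Op("O", "/src/app"), Op("C"), Op("M", "/etc/hosts"), Op("X")]

if __name__ == "__main__":
    for name, trace in [("good", GOOD_TRACE), ("symlink swap", SYMLINK_TRACE),
                        ("out of order", OUT_OF_ORDER_TRACE)]:
        print(name, "->", check_trace(trace) or "conforms")
```

The cost is visible in the code: someone had to know the program well enough to write the grammar and the path rules, and every legitimate change to the program (a new option that writes a log file, say) means revising the specification or living with false positives.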

  35. Summary • Misuse detection • detects violations of policy, implicit or explicit • need to develop rules, states, actions, etc. • must be held in a rule base • only detects attacks that are known

  36. Summary • Anomaly Detection • detects policy violations also • a little more generalized than misuse detection • uses statistics to find deviations

  37. Summary • Specification Modeling • must have rules for how a good program is operating • need experts to define rules • can detect unknown attacks

  38. Architecture • IDS works off of audit trails • Audit trails found in logs • Best to collect log data from all over the system due to distributed attacks • Generally constructed in 3 subsystems

  39. Architecture • Agent • a relatively autonomous piece of software that collects data from a local machine • may format the data • why? • sends the data to a centralized system • may weed out data that is not deemed to be important

  40. Architecture • Agents can be: • host based • utilize system and application logs • may be security logs or accounting logs • a virtual agent can be in the kernel and write data to logs it finds interesting • logs can be very large

  41. Architecture • Agents can be • network based • use devices and software to monitor network traffic • used to detect network based attacks • utilize sniffing • monitor contents of packets • must be arranged in a way to provide full network coverage • encryption makes this task a problem

  42. Architecture • Agents send formatted information to the director software • Directors • eliminate unnecessary log entries • utilize an analysis engine to find attacks • usually are run on a separate system • adaptive directors may alter search rules (neural network)

  43. Architecture • Notifier • accepts information from the director and takes appropriate action • may notify a security officer via a gui • may be proactive in combating an attack

  44. Systems to Look At • Courtney – monitors for use of SATAN • SATAN – system for finding weaknesses in Unix • IDIP – coordinates IDS’s on firewalls to block attacks • NSM – develops profiles of system usage and compares against profiles e.g. repeated telnet connections of short duration

  45. Systems to Look At • DIDS – distributed IDS based on NSM and works in conjunction with host based IDS’s • NSM is network based only • AAFID – autonomous agents that report data, distributes components of IDS into pieces • eliminates a single point of failure, director is distributed

  46. Incident Response • Ideally you want to • detect attack as it starts • take defensive measures • work automatically • can be very system resource intensive • why ?

  47. Incident Response • Definition: • Jailing • placing an attacker in a confined area of the system • letting them think that they are inside the system • allows one to observe the hacker • sometimes referred to as a honey pot • usually has a faked file system • may intercept system calls and do something (kernel)

  48. Incident Response • Goal • to restore system to comply with security policy • replace / fix damaged resources

  49. Incident Response • Six phases: • preparation • procedures and methods for detection • backups • identification • id the attack • trigger for following phases

  50. Incident Response • Containment • limits the damage as much as possible • may not be possible if you have a real time system • attacks generally probe for a while and then do damage • you can get a chance to contain if you detect probing
