1 / 25

Intrusion Detection

Intrusion Detection. CS461/ECE422 Spring 2012. Reading Material. Chapter 8 of the text. Outline. What are intrusions? Who are intruders Host-based Intrusion Detection Network-based Intrusion Detection. What is an Intrusion?. Who are the Intruders. Hackers Possibly benign

Download Presentation

Intrusion Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Intrusion Detection CS461/ECE422 Spring 2012

  2. Reading Material • Chapter 8 of the text

  3. Outline • What are intrusions? Who are intruders • Host-based Intrusion Detection • Network-based Intrusion Detection

  4. What is an Intrusion?

  5. Who are the Intruders • Hackers • Possibly benign • Outside access • Clever, plenty of time. Community to share with. • Criminal Organizations • Outside access, mostly. Social-engineering • In it for the money. Not benign • Insiders • Should have some access • May be exploiting degree of access or intent of access • May work from the inside to increase access • Motivated by money, revenge

  6. Who are the Intruders? • Masquerader • Pretend to be a legitimate user. E.g., guess a password • Misfeasor • Legitimate user behaving badly • Clandestine • Seizes privileged control of the system. Able to clean up audit logs and evade access controls

  7. Intrusion Detection • Holy Grail: Detect and correct “bad” system behaviour • Detection can be viewed as two classes • Anomaly detection: Use statistical techniques to determine unusual behaviour • Mis-use detection: Use signatures to determine occurrence of known attacks • Detection can be performed on host data (HIDS), network data (NIDS), or a hybrid of both

  8. Bad Detections • False Positive • Detect activity as an intrusion, but it isn’t • Reduce by loosening intrusion detection rules • False Negative • Miss reporting bad behavior as an intrusion • Reduce by tightening intrusion detection rules

  9. IDS Architecture • Agents/sensors run at the lowest level gathering data. Perform some basic processing. • Agents send data to a Director/analyzerthat performs more significant processing of the data. Potentially there is a hierarchy of agents and directors • Director has information from multiple sources and can perform a time-based correlation to derive more significant actions • Directors invoke Notifiers to perform some action in response to a detected attack • Popup a window on a screen • Send an email or a page • Send a new syslog message elsewhere. • Adjust a firewall or some other policy to block future action from the attacker • User interface • Reviewing events • Configuring system

  10. IDS Elements

  11. Data Sources • Direct data • Network packets • System calls • Indirect data • Syslog data, Windows event logs • Events from other intrusion detection systems • Netflow information generated by routers about network traffic

  12. Anomaly/statistical detection • Seems like using statistics will result in a more adaptable and self-tuning system • Statistics, neural networks, data mining, etc. • How do you characterize normal? • Create training data from observing “good” runs • Threshold detection vs Profile-based • How do you adjust to real changes in behaviour? • Gradual changes can be easily addressed. Gradually adjust expected changes over time • Rapid changes can occur. E.g., different behaviour after work hours or changing to a work on the next project

  13. Example Anomaly Detection • System call analysis • Forrest’s Paper http://www.cs.unm.edu/~forrest/publications/acsac08.pdf • Profile each program on the sequence of system calls • Keep a running window of n consecutive systems calls • During training runs build up data base of system call sequences • During normal operation, check for sequences not in the database • Indicative of malicious operation either via code injection or abnormal execution for the environment

  14. Evasion • Mimicry: tailor attack sequences to include conform to statistical patterns • E.g., use same sequences of system calls as normal software, with different arguments • Training: confuse training into classifying malicious behavior as good • Affect training phase • Gradually change statistical patterns (“frog boiling”)

  15. Mis-use/Signature Detection • Fixed signatures are used in most deployed Network IDS products • E.g., Cisco, ISS, Snort • Like virus scanners, part of the value of the product is the team of people producing new signatures for newly observed malevolent behaviour • The static signature mechanism has obvious problems in that a dedicated attacker can adjust his behaviour to avoid matching the signature. • The volume of signatures can result in many false positives • Must tune the IDS to match the characteristics of your network • E.g., what might be unusual in a network of Unix systems might be normal in a network of Windows Systems (or visa versa) • Can result in IDS tuned too low to miss real events • Can hide real attacks in the mass of false positives

  16. Creating Signatures • Rule-based anomaly detection • Analyze historical data • Build rules to describe patterns found in historical data • Rule-based penetration identification • Use knowledge of attacks to build rules to detect those attacks • E.g, rules to detect brute force password attacks

  17. Example Signature • Signature for port sweep • A set of TCP packets attempting to connect to a sequence of ports on the same device in a fixed amount of time • In some environments, the admin might run nmap periodically to get an inventory of what is on the network • You would not want to activate this signature in that case

  18. Host Based IDS • Tripwire – Very basic detection of changes to installed binaries • More recent HIDS. Look at patterns of actions of system calls, file activity, etc. to permit, deny, or query operations • Cisco Security Agent • Symantec • McAfee Entercept

  19. Classical NIDS deployment

  20. NIDS Remediation Options • Log the event • Send text or email • Reset the connection • Change the configuration of a nearby router or firewall to block future connections

  21. Intrusion Protection Systems (IPS) • Another name for inline NIDS • Latest buzz among the current NIDS vendors • Requires very fast signature handling • Slow signature handling will not only miss attacks but it will also cause the delay of valid traffic • Specialized hardware required for high volume gateways • When IDS is inline, the intrusion detector can take direct steps to remediate. • If you move IDS into the network processing path, how is this different from really clever firewalling?

  22. Network IPS scenario

  23. Honey Pots • Reconnaissance for the good guys • Deploy a fake system • Observe it being attacked • Resource management • Cannot be completely passive • Must provide enough information to keep attacker interested • Must ensure that bait does not run away • Scale • Host, network, dark address space

  24. Honey Pots

  25. Summary • Detecting intrusions accurately enough is difficult • Dynamic IDS is necessary to keep up with attackers • IDS can be applied to hosts and networks

More Related