
Intrusion Detection Systems




Presentation Transcript


  1. Intrusion Detection Systems Sai Nandoor Priya Selvam Balaji Badam

  2. How insecure are we?
     • Attacks on computer infrastructures are a serious problem.
     • Information theft is up over 250% in the last 5 years.
     • 99% of all major companies report at least one major incident.
     • Telecom and computer fraud totaled $10 billion in the US alone.
     • Source: Eugene H. Spafford. Security Seminar, Department of Computer Sciences, Purdue University, Jan 1996.

  3. IDS Based on Data Source
     Host Based IDS: Its role is to identify tampering or malicious activity occurring on the system. This is achieved by monitoring log files, users, and the file system.
     Network Based IDS: Its role is to identify tampering or malicious activity occurring in the network traffic. This is achieved by monitoring network traffic on the wire for specific activities/signatures that represent an attack.
     Hybrid IDS: Combination of network and host based IDS.

  4. Host Based - Network Based

  5. Advantages

  6. Host Based IDS
     • Specific files to be monitored are defined in a configuration file.
     • A digest of each file is stored in a database.
     • Multiple digest algorithms can be used.
     • Examples: TRIPWIRE/AIDE/SAMHAIN
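The file-integrity model on this slide (a configuration file naming the monitored files, a digest database, more than one digest algorithm), as an added example written for this page and not taken from TRIPWIRE, AIDE or SAMHAIN. The config-file format, the JSON database and the sample files are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

ALGORITHMS = ("sha256", "sha1")  # several digests combined, as the slide notes

def digest_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for one file, hashing it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_baseline(config_path):
    """Read the configuration file (one monitored path per line, '#' comments) and digest each file."""
    with open(config_path) as cfg:
        paths = [ln.strip() for ln in cfg if ln.strip() and not ln.startswith("#")]
    return {p: digest_file(p) for p in paths if os.path.isfile(p)}

def check_against_baseline(baseline):
    """Compare the live file system with the stored digests: path -> ok | modified | missing."""
    report = {}
    for path, stored in baseline.items():
        if not os.path.isfile(path):
            report[path] = "missing"
        else:
            report[path] = "ok" if digest_file(path, stored) == stored else "modified"
    return report

def _write(path, text, mode="w"):
    with open(path, mode) as fh:
        fh.write(text)

def demo():
    """Constructed scenario: baseline two files, then alter one and delete the other."""
    work = tempfile.mkdtemp()
    passwd, hosts, conf, db = (os.path.join(work, n) for n in ("passwd", "hosts", "hids.conf", "digests.json"))
    _write(passwd, "root:x:0:0::/root:/bin/sh\n")
    _write(hosts, "127.0.0.1 localhost\n")
    _write(conf, "# files to monitor\n%s\n%s\n" % (passwd, hosts))
    _write(db, json.dumps(build_baseline(conf)))      # the digest database
    _write(passwd, "extra:x:0:0::/:/bin/sh\n", "a")   # tampering: an added uid-0 account
    os.remove(hosts)
    with open(db) as fh:
        report = check_against_baseline(json.load(fh))
    return report[passwd], report[hosts]
```

Storing the database on the monitored host is the weakness slide 17 addresses by encoding the checksums; this demo leaves it in plaintext.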

  7. TRIPWIRE / AIDE
     • AIDE is similar to a lighter version of TRIPWIRE.
     • Can be reconfigured to prevent false alarms.
     • Flexible policy language with predefined policy files and wildcard support.
     SAMHAIN
     • Support for stealth mode of operation.
     • Encrypted and authenticated client/server connections.

  8. Network Based IDS
     • Packet sniffing front end.
     • Pattern matching engine.
     • Backend database.
     • Examples: SNORT/SHOKI/BRO

  9. SNORT
     • Can also operate as packet sniffer/logger.
     • Flexible rule based language to describe traffic.
     • Can perform protocol analysis, content searching/matching.
     SHOKI
     • Provides its own language.
     • Passive, doesn't terminate malicious activity.
     • Multi-filter rule sets that match individual packets.
     • SNORT rules can be converted to SHOKI filters.
     BRO

  10. SNORT Rules
     var EXTERNAL_NET ![128.3.0.0/16,131.243.0.0/16]
     var HTTP_SERVERS [128.3.0.0/16,131.243.0.0/16]
     var HTTP_PORTS 80
     preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
     output alert_fast: alarms.log
     include file1.config
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)

  11. Bro Rules
     rule sid-1328 {
       header ip[9:1] == 6
       header ip[12:4] != 128.3.0.0/16,131.243.0.0/16
       header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
       header tcp[2:2] == 80
       tcp-state originator,established
       http /.*[\/\\][bB][iI][nN][\/\\][pP][sS]/
       msg "WEB-ATTACKS ps command attempt"
     }
     SHOKI Rules
     tcp 65536 THRESHOLD:1:10:20 SAMP-6 http h([t]*p):// ALL
     tcp 65536 HOST_SCAN:2:20:40 SAMP-7 host scan NULL ALL
     tcp 65536 PORT_SCAN:3:30:50 SAMP-8 p_scan 0x687474 ALL
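The Snort rule sid:1328 from slide 10 and its Bro translation from slide 11, re-implemented here as detection logic over constructed request records (an added example, not code from Snort, Bro or the presentation). The `http_decode` function approximates the slide's `double_encode` and `iis_flip_slash` preprocessor options; applying the Bro regex to the raw URI, without any decoding, is an assumption of this demo and not a statement about Bro's own HTTP analysis.

```python
import ipaddress
import re
from urllib.parse import unquote

# Network variables from the top of the Snort configuration on the slide.
HTTP_SERVERS = [ipaddress.ip_network(n) for n in ("128.3.0.0/16", "131.243.0.0/16")]
HTTP_PORTS = {80}
# Bro's regular expression from the slide: either slash, any letter case.
BRO_RE = re.compile(r".*[\/\\][bB][iI][nN][\/\\][pP][sS]")

def in_servers(ip):
    return any(ipaddress.ip_address(ip) in net for net in HTTP_SERVERS)

def http_decode(uri):
    """Approximates the slide's http_decode preprocessor: percent-decode twice
    ('double_encode') and flip IIS-style backslashes ('iis_flip_slash')."""
    decoded = unquote(unquote(uri))
    return decoded.replace("\\", "/")

def header_matches(pkt):
    """$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS plus flow:to_server,established."""
    return (not in_servers(pkt["src"]) and in_servers(pkt["dst"])
            and pkt["dport"] in HTTP_PORTS and pkt["to_server"] and pkt["established"])

def snort_sid_1328(pkt):
    """Snort: uricontent:"/bin/ps"; nocase, evaluated on the preprocessed URI."""
    return header_matches(pkt) and "/bin/ps" in http_decode(pkt["uri"]).lower()

def bro_sid_1328(pkt):
    """Bro translation: the same header tests, then the slide's regex on the raw URI."""
    return header_matches(pkt) and BRO_RE.match(pkt["uri"]) is not None

def packet(src, dst, uri, dport=80, to_server=True, established=True):
    return dict(src=src, dst=dst, dport=dport, to_server=to_server, established=established, uri=uri)

# Constructed sample traffic (not captures from the slides).
SAMPLES = {
    "plain":      packet("10.9.8.7", "128.3.1.1", "/bin/ps"),
    "near_miss":  packet("10.9.8.7", "128.3.1.1", "/cgi-bin/ps"),   # no "/bin/" component
    "mixed_case": packet("10.9.8.7", "131.243.5.5", "/BIN/PS"),
    "backslash":  packet("10.9.8.7", "128.3.1.1", "\\bin\\ps"),
    "encoded":    packet("10.9.8.7", "128.3.1.1", "/%62in/ps"),     # percent-encoded 'b'
    "internal":   packet("128.3.2.2", "128.3.1.1", "/bin/ps"),      # source not in EXTERNAL_NET
    "benign":     packet("10.9.8.7", "128.3.1.1", "/index.html"),
}

def evaluate():
    """Run both rule implementations over the samples: name -> (snort_alert, bro_alert)."""
    return {name: (snort_sid_1328(p), bro_sid_1328(p)) for name, p in SAMPLES.items()}
```

The "encoded" sample is where the two differ: only the normalised URI matches, which is why the preprocessor line on slide 10 sits in front of the rule.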

  12. ACID screen capture for SNORT

  13. Hybrid IDS
     • Can be clustered
     • Centralized database
     • Provides file protection by using digests
     • Network sensing using packet sniffing
     • Blends strengths of HIDS & NIDS
     • Examples: MANHUNT/PRELUDE/DRAGON

  14. MANHUNT / PRELUDE
     • Incorporates information from other IDS
     • Provides hooks to firewalls, honeypots, etc.
     • Uses multiple sensors and a report server
     • Detects new and modified attacks
     • Dynamically reassigns scanned ports
     • Flowchaser and Trackback to fight DDoS
     DRAGON
     • Provides IDS evasion countermeasures by keeping a large database of known hacker techniques and searching for anomalies.

  15. Goals
     • Design a hybrid system
     • Send instantaneous alerts to network administrator and other hosts
     • Use secure communication channels
     • Keep configuration file secure
     • Keep checksum database secure
     • Maintain list of intruders
     • Maintain a log of attacks

  16. Design (diagram; components: Intruder, Host, Administrator, Firewall, Database, Other Hosts)

  17. Implementation
     • Dedicated sockets for communication
     • Messages encrypted using AES
     • Configuration file included in list of secure files
     • Checksums encoded using AES
     • Network administrator maintains log of intrusions
     • Hosts maintain a list of intruders

  18. Sample execution

  19. Lessons Learned
     • Hybrid IDS involves a lot of components
     • Communication between hosts and admins must be secure
     • Configuration files are vulnerable
     • Hybrid IDS provides better security
     Future Work
     • Network sensors to defend against DDoS attacks
     • Incorporate different hashing algorithms
     • Add feature to track sources of DDoS
     • Incorporate data from existing IDS
     • Add a file change notification component

  20. References
     • Intrusion Detection Systems, by Ricky M. Magalhaes, http://www.windowsecurity.com
     • An Introduction to Intrusion Detection, by Aurobindo Sundaram, ACM Crossroads
     • Network Vs. Host Based Intrusion Detection, http://www.isskk.co.jp
     • IDS Products, http://www.netsmart.net.au
     • Intrusion Detection and Network Auditing on the Internet, http://www.infosyssec.com
