computer security principles and practice l.
Skip this Video
Loading SlideShow in 5 Seconds..
Computer Security: Principles and Practice PowerPoint Presentation
Download Presentation
Computer Security: Principles and Practice

Loading in 2 Seconds...

play fullscreen
1 / 51

Computer Security: Principles and Practice - PowerPoint PPT Presentation

  • Uploaded on

Computer Security: Principles and Practice. Chapter 6 – Intrusion Detection. by William Stallings and Lawrie Brown Lecture slides: Some by Lawrie Brown, some by Susan Lincke. Objectives. The student should be able to:

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Computer Security: Principles and Practice' - forbes

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
computer security principles and practice

Computer Security: Principles and Practice

Chapter 6 – Intrusion Detection

by William Stallings and Lawrie Brown

Lecture slides: Some by Lawrie Brown, some by Susan Lincke


The student should be able to:

Define how a signature-based, anomaly-based, and rule-based IDS works.

Define false positives, false negatives, and how both affect the sensitivity of an IDS.

Describe the difference between an IDS and IPS and the advantages/disadvantages of each.

Describe when you would use a host IDS and/or a network IDS and some advantages of each.

Describe functions of different Host IDS systems: System integrity verifiers, statistics monitors, deception systems, and configuration auditors. (skip for 2012)

Draw the internal configuration of a tap, and describe how a switch SPAN port works (Not 2012).

Describe the three responses that CISCO IDS’s can support in response to an attack (Not 2012).

Describe the capabilities of Snort, including its features, cost, programmability, configurability, and its directory structure.

examples of intrusion
Examples of Intrusion
  • remote root compromise
  • web server defacement
  • guessing / cracking passwords
  • copying viewing sensitive data / databases
  • running a packet sniffer
  • distributing pirated software
  • using an unsecured modem to access net
  • impersonating a user to reset password
  • using an unattended workstation
security intrusion detection
Security Intrusion & Detection

Security Intrusion

a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

Intrusion Detection

a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner.

insider attacks
Insider Attacks
  • among most difficult to detect and prevent
  • employees have access & systems knowledge
  • may be motivated by revenge / entitlement
    • when employment terminated
    • taking customer data when move to competitor
  • IDS / IPS may help but also need:
    • least privilege, monitor logs, strong authentication, termination process to block access & mirror data
insider behavior example
Insider Behavior Example
  • create network accounts for themselves and their friends
  • access accounts and applications they wouldn't normally use for their daily jobs
  • e-mail former and prospective employers
  • conduct furtive instant-messaging chats
  • visit web sites that cater to disgruntled employees, such as f'
  • perform large downloads and file copying
  • access the network during off hours.
intrusion techniques
Intrusion Techniques
  • objective to gain access or increase privileges
  • initial attacks often exploit system or software vulnerabilities to execute code to get backdoor
    • e.g. buffer overflow
  • or to gain protected information
    • e.g. password guessing or acquisition
intrusion detection systems
Intrusion Detection Systems
  • classify intrusion detection systems (IDSs) as:
    • Host-based IDS: monitor single host activity
    • Network-based IDS: monitor network traffic
  • logical components:
    • sensors - collect data
    • analyzers - determine if intrusion has occurred
    • user interface - manage / direct / view IDS
ids principles
IDS Principles
  • assume intruder behavior differs from legitimate users
    • expect overlap as shown
    • observe deviations

from past history

    • problems of:
      • false positives
      • false negatives
      • must compromise
ids principles10
IDS Principles

Where to set limit (draw arrow)?

  • false positives: normal behavior labeled attack
  • false negatives: attack labeled normal behavior
  • must compromise
ids requirements
IDS Requirements
  • run continually
  • be fault tolerant
  • resist subversion
  • impose a minimal overhead on system (if hids)
  • configured according to system security policies
  • adapt to changes in systems and users
  • scale to monitor large numbers of systems
  • provide graceful degradation of service
  • allow dynamic reconfiguration
host based ids
Host-Based IDS
  • specialized software to monitor system activity to detect suspicious behavior
    • primary purpose is to detect intrusions, log suspicious events, and send alerts
    • can detect both external and internal intrusions
  • two approaches, often used in combination:
    • anomaly detection - defines normal/expected behavior
      • threshold detection
      • profile based
    • signature detection - defines proper behavior
audit records
Audit Records
  • a fundamental tool for intrusion detection
  • two variants:
    • native audit records - provided by O/S
      • always available but may not be optimum
    • detection-specific audit records - IDS specific
      • additional overhead but specific to IDS task
      • often log individual elementary actions
audit record contents
Audit Record Contents

Subject: initiator of action

Action: Operation performed: login, read, perform I/O, execute

Object: Receptor of action: file, program message, printer, …

Exception-condition: Type of exception

Resource-usage: Amount of resources used

Time-stamp: When it occurred

anomaly detection
Anomaly Detection
  • threshold detection
    • checks excessive event occurrences over time
    • alone a crude and ineffective intruder detector
    • must determine both thresholds and time intervals
  • profile based
    • characterize past behavior of users / groups
    • then detect significant deviations
    • based on analysis of audit records
      • gather metrics: counter, gauge, interval timer, resource utilization
      • analyze: mean and standard deviation, multivariate, Markov process, time series, operational model
signature detection
Signature Detection
  • observe events on system and applying a set of rules to decide if intruder
  • approaches:
    • rule-based anomaly detection
      • analyze historical audit records for expected behavior, then match with current behavior
    • rule-based penetration identification
      • rules identify known penetrations / weaknesses
      • often by analyzing attack scripts from Internet
      • supplemented with rules from security experts
rule based penetration examples
Rule based penetration examples

Users should not read files in other users’ personal directories

Users must not write to others’ files

Users who log in after hours often access the same files they used earlier

Users do not generally open disk devices directly but rely on higher-level operating system utilities

Users should not be logged in more than once to the same system

Users do not make copies of system programs

signature versus anomaly based ids
Signature- versus Anomaly-Based IDS

Signature-based: Looks for attack signatures in packets or logs

Retains signatures in a signature database or rule set(s).

Can create custom rules – sometimes with wildcards

Benefits & Limitations

Benefit: Can name specific attacks, allowing for appropriate reaction


More signatures translates into lower transaction rates

Slight deviations from the signature won’t be caught: e.g., blank vs. %20

New attacks cannot be caught

anomaly based or heuristic looks for unexpected behavior
Anomaly-based or Heuristic: Looks for unexpected behavior

Baseline-based Intrusion Detection: ‘Expected’ performance is known

Thresholds are established differentiating normal vs. abnormal behavior

E.g., Rate of SYN or Ping packets change

E.g., Monitoring processor usage at night

E.g., Packet is not formatted as expected

Rule-based Intrusion Detection: Certain actions are not allowed

E.g., Log accesses to password file

Benefits & Limitations

Benefit: Quick at recognizing new large-scale worm attacks

Limitation: Cannot name the attack; Cannot detect attacks near norm

system sensitivity
System Sensitivity

False positive: Innocent action logged as an attack

False negative: Attack not recognized

Sensitivity of the system: The degree of False positives to False negatives

Administrator must achieve the right balance of sensitivity

types of nids ids ips
Types of NIDS: IDS, IPS

Passive mode or IDS: Monitors network traffic only

Does not affect performance of network traffic

Can be incapable of sending on network

Active mode or IPS: Performs inline processing of packets

Causes penalty on performance – problematic for very busy networks

Must be capable of sending on network

ids versus ips
IDS versus IPS

Intrusion Detection System (IDS): Sniffs and reports possible violations

Difference between Firewall/IDS: Can name attack

Intrusion Prevention System (IPS): Reports violations and prevents attacks from occurring

Does inline processing, similar to a Firewall: drop packets, reset connections, route suspicious traffic for analysis

Problems: Delays in processing; bottleneck

Since IDS/IPS have high rate of False Positives, they require extensive optimization

what an ids cannot detect
What an IDS Cannot Detect
  • Passwords not changed from default
  • File transfer of confidential files
  • Social engineering techniques
  • Decipher encrypted messages on a network

Bus or other broadcast configuration

Passwords not changed from default

File transfer of confidential files

Social engineering techniques

Decipher encrypted messages on a network

Star Configuration


Switch A

Router B



More Detail Below…

Tap Internal Configuration



Router B


Top Layer


The switch can buffer overlapping traffic to a degree. However be careful not to overload the switch.

how to attach an ids
How to Attach an IDS

Switch: Central router routes traffic only to destination node.

  • High throughput since the simultaneous transmissions can occur between different pairs.

Switch Port Analyzer (SPAN) allows a network sniffer to monitor TX/RX/both transmissions between 2 (or sometimes more) nodes (commonly switch & router)

  • Disadvantage: Switch only has one SPAN port, switch performance degradation
  • Advantage: No extra equipment, easy to install

Hub: Hub repeats traffic to all nodes

  • Disadvantage: Throughput limitations since all nodes share same physical link – cannot implement duplex transmission between switch/router
  • Advantage: Easy to install and configure

Tap: A ‘T’ or listening device forwards traffic to the NIDS

  • Disadvantage: Usually monitors in one direction only, dictates stealth configuration
  • Advantage: Fault tolerant on power failure, no throughput degradation, protects IDS from attacks
network based ids
Network-Based IDS
  • network-based IDS (NIDS)
    • monitor traffic at selected points on a network
    • in (near) real time to detect intrusion patterns
    • may examine network, transport and/or application level protocol activity directed toward systems
  • comprises a number of sensors
    • inline (possibly as part of other net device)
    • passive (monitors copy of traffic)
intrusion detection techniques
Intrusion Detection Techniques
  • signature detection
    • at application, transport, network layers; unexpected application services, policy violations
  • anomaly detection
    • of denial of service attacks, scanning, worms
  • when potential violation detected sensor sends an alert and logs information
    • used by analysis module to refine intrusion detection parameters and algorithms
    • by security admin to improve protection
  • are decoy systems
    • filled with fabricated info
    • instrumented with monitors / event loggers
    • divert and hold attacker to collect activity info
    • without exposing production systems
  • initially were single systems
  • more recently are/emulate entire networks
honeypot what is it
Honeypot: What is it?
  • System with NO OTHER USERS or USED APPLICATIONS – LOG all access attempts
  • Honeypots are high maintenance, high risk
  • Honeypots are not legally a form of entrapment
  • Types may include:
    • Port Monitor: Sockets-based program that listens for connections.
    • Deception System: Pretends it is a real application by sending valid replies (e.g. mail)
    • Multi-protocol Deception System: Pretends to support multiple applications
    • Full network system plus IDS


  • Watch and learn from attackers to strengthen defense
  • Lure an attacker to a safe place to identify and stop the attacker
  • Keep attackers busy in a safe environment for hours


  • A hacked honeypot can serve as launching pad into rest of network
  • Honeypots must be maintained and monitored
  • lightweight IDS
    • real-time packet capture and rule analysis
    • passive or inline
snort rules
  • use a simple, flexible rule definition language
  • with fixed header and zero or more options
  • header includes: action, protocol, source IP, source port, direction, dest IP, dest port
  • many options
  • example rule to detect TCP SYN-FIN attack:

Alert tcp $EXTERNAL_NET any -> $HOME_NET any \

(msg: "SCAN SYN FIN"; flags: SF, 12; \

reference: arachnids, 198; classtype: attempted-recon;)

snort nids nips

Snort Format:

{cmd} {protocol} {sourceIP} {sourcePort} {direction} {destIP} {destPort} (<keyword>:<value>; <keyword>:<value>)

  • Cmd=alert pass log activate dynamic
    • log=packet text only,
    • alert writes to alert file
  • Protocol=ipudpicmptcparp, igrp, gre, ospf, rip, …
  • Port= :1024 or 1024:6000
  • Direction= -> or <>
snort command example
Snort Command Example

Snort Format:

{cmd} {protocol} {sourceIP} {sourcePort} {direction} {destIP} {destPort} (<keyword>:<value>; <keyword>:<value>)



var HOME_NET []


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:”WEB-IIS cmd.exe access”; flags: A+; content:”cmd.exe”; nocase; classtype:web_application-attack;)

snort keywords
Snort Keywords

Keywords can include:

dsize: maximum packet size; larger sizes indicate problems.

ttl: IP time to live value.

fragbits: R=Reserved, D=Don’t Fragment, M=More Fragment.

ipopts: IP options: lsrr: loose source routing; ssrr=strict source routing.

flags: S=Syn, A=Ack, F=Fin, R=Reset, +=and/or more;

itype: ICMP packet type

content: <text or hexadecimal data to search for>

uricontent: Content of the URL (e.g., ”/bin/ps”)

offset: the position in the packet payload to begin searching for a match.

nocase: Deactivates case-sensitivity

sid: signature ID; describes more about the signature

ip_proto: protocol after IP header (e.g., DNS=53)

rev: rule revision number

logto: file to write log to.

snort ips additional commands
Snort IPS Additional Commands

New commands used for inline configurations:

drop: Alert and drop the packet

sdrop: Drop the packet but don’t trigger the alert

E.g.: sdropudp $EXTERNAL_NET any …

snort ips added keywords
Snort IPS Added Keywords


<resp_keyword> = rst_snd, rst_rcv, rst_all, icmp_net, icmp_host, icmp_port, icmp_all

Sends RST to packet sender/recipient/both; Sends host/port/network Unreachable


<react_keyword> = block, warn, msg, proxy

Used with HTTP-based attacks.

E.g.: alert tcp any any <> $HOME_NET 80 (content: “naughtyContent”; msg: “Not allowed!”; react: block,msg;)

replace: “text to replace content with”

Allows replacement of potentially dangerous text with safe text: “cmd.exe”->”nocmd.exe”

cisco secure intrusion detection
CISCO Secure Intrusion Detection

Management console: Must be in a secure location

May alarm, log, page, and/or email administrator

Allows configuration of necessary signatures

cisco secure intrusion detection50
CISCO Secure Intrusion Detection

Sensor Response to Attack: One or more of:

  • Shun: Dynamically rewrites the access lists to disallow attackers access to internal networks
    • Can change access lists on firewall or router.
  • Log: Save alarm information (at sensor and/or management console)
  • TCP Reset: Send a TCP reset to terminate the connection, after initial attack packets have reached victim.
  • introduced intruders & intrusion detection
    • hackers, criminals, insiders
  • intrusion detection approaches
    • host-based (single and distributed)
    • network
    • distributed adaptive
    • exchange format
  • honeypots
  • SNORT example