
Behavior Intrusion Detection: Enhanced

Behavior Intrusion Detection: Enhanced. Hakan Evecek Rodolfo Ortiz. GOALS. Discuss the characteristics of a Behavior Intrusion Detection Systems Monitor the timing for a sequence of DNS, ICMP, HTTP/HTTPS packets. Provide the results.


Presentation Transcript


  1. Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz

  2. GOALS • Discuss the characteristics of Behavior Intrusion Detection Systems • Monitor the timing for a sequence of DNS, ICMP, HTTP/HTTPS packets. • Provide the results. • Analyze the behavior of protocols when firewall enabled/disabled. • Present an approach to prioritize suspicious packets. • How to enhance Behavior IDS

  3. WHAT IS IDS? • IDS is concerned with the detection of hostile actions towards a computer system or network. • There are two types: • Anomaly detection (Behavior IDS) • Signature detection

  4. OVERVIEW OF BIDS They can be described as an alarm for strange system behavior. Based on statistics. • Advantages • They don’t need to know the details of an attack • Dynamic, they are automatically updated • Disadvantages • Many false positives are generated during the sensor training • The training must be extensive so that the baseline is accurate

  5. OVERVIEW OF BIDS Anomalies to be detected: • Traffic to unused ports • Non-standard service assigned to one standard port (port 80 set for peer sharing) • Too much UDP/TCP traffic • More bytes coming to an HTTP server than outgoing bytes

  6. THE PROJECT • Measure timing for DNS, ICMP and HTTP/HTTPS • Establish a baseline for different packet sequences • Label packets outside the baseline for further analysis [Network diagram labels: Internet; Firewall (two); HP5000 SW; DLink SW1; DLink SW2; DMZ (192.168.0.0/24); Intranet (10.0.0.0/24); DNS Server; Web Server; IDS Sensor (FC4); IDS Sensor DB; IDS Inner (FC4); IDS Outer (FC4); Intra1 (XP); Intra2 (win2003)]

  7. ICMP [Sequence diagram: Intra1 (XP), Firewall, IDS Inner, Server; messages: ICMP Request, ICMP Reply; timing points A, B, C, D]

  8. DNS [Sequence diagram: Intra1 (XP), Firewall, IDS Inner, DNS Server; messages: DNS Request, DNS Reply; timing points A, B, C, D]

  9. HTTP [Sequence diagram: Intra1 (XP), Firewall, IDS Inner, Web Server; messages: SYN, SYN ACK, ACK, GET; timing points A, B, C, D, E, F, G]

  10. HTTPS [Sequence diagram: Intra1 (XP), Firewall, IDS Inner, Web Server; messages: SYN, SYN ACK, ACK; CLIENT HELLO; SERVER HELLO, CERTIFICATE, SERVER KEY EXCHANGE, CERTIFICATE REQUEST, SERVER HELLO DONE; CERTIFICATE, CLIENT KEY EXCHANGE, CERTIFICATE VERIFY, CHANGE CIPHER SPEC, FINISHED; APPLICATION DATA, APPLICATION DATA]

  11. DATA OBTAINED • Units are in seconds. • In a normal distribution, approximately 99.7% of the population will be in the interval defined by $\mu \pm 3\sigma$ • $\mu + 3\sigma$ works well for the upper bound, but the lower bound is defined by $\mu - 1\sigma$ • Using the formula above, we get a confidence interval

  12. ICMP • Firewall: blue = enabled, pink = disabled • Packets outside the range in a circle • 3 times standard deviation [Plot: Time (sec) vs. Packet Sequence Number]

  13. DNS • Firewall: blue = enabled, pink = disabled • Packets outside the range in a circle • 3 times standard deviation [Plot: Time (sec) vs. Packet Sequence Number]

  14. HTTP vs. HTTPS • Firewall enabled • Blue = HTTP, pink = HTTPS • Packets outside the range in a circle • 3 times standard deviation [Plot: Time (sec) vs. Packet Sequence Number]

  15. HTTP vs. HTTPS • Firewall disabled • Blue = HTTP, pink = HTTPS • Packets outside the range in a circle • 3 times standard deviation [Plot: Time (sec) vs. Packet Sequence Number]

  16. HTTP vs. HTTPS

  17. PROPOSED APPROACH • Using the standard deviation, the intervals will be defined, starting from 3 times for the upper bound and 1 time for the lower bound. • Label the suspicious packets and give them priorities based on their distance from the confidence interval. • Upper bound: $\mu + 3\sigma$ • Lower bound: $\mu - 1\sigma$

  18. ICMP • Firewall enabled [Plot: Time (sec) vs. Packet Sequence Number; bands from top to bottom: 6 times standard deviation (higher priority), 3 times (lower priority), confidence interval, 1 time (lower priority), 2 times (higher priority)]

  19. DNS • Firewall enabled [Plot: Time (sec) vs. Packet Sequence Number; bands from top to bottom: 6 times standard deviation (higher priority), 3 times (lower priority), confidence interval, 1 time (lower priority), 2 times (higher priority)]

  20. HTTP • Firewall enabled [Plot: Time (sec) vs. Packet Sequence Number; bands from top to bottom: 6 times standard deviation (higher priority), 3 times (lower priority), confidence interval, 1 time (lower priority), 2 times (higher priority)]

  21. HTTPS • Firewall enabled [Plot: Time (sec) vs. Packet Sequence Number; bands from top to bottom: 6 times standard deviation (higher priority), 3 times (lower priority), confidence interval, 1 time (lower priority), 2 times (higher priority)]

  22. SUSPICIOUS PACKETS • The suspicious packets are defined. • Then prioritize/label the packets based on the distance from the mean. • How do we know it’s an attack? • Define a behavior for each kind of attack, e.g. worms
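
The labelling proposed in slides 17 to 22, as an added example that is not code from the presentation: a per-protocol baseline (mean and standard deviation of response times) and a priority label for each observed timing. The timings are constructed, and reading the bands as "beyond 6 or below 2 standard deviations is higher priority" is an assumption drawn from the plot labels.

```python
from statistics import mean, stdev

# Band multipliers read from the slides: the interval is [mean - 1*sd, mean + 3*sd];
# above mean + 6*sd or below mean - 2*sd is treated as the higher-priority band.
UPPER_LOW, UPPER_HIGH = 3.0, 6.0
LOWER_LOW, LOWER_HIGH = 1.0, 2.0


def build_baseline(samples):
    """Return (mean, standard deviation) of training timings in seconds."""
    if len(samples) < 2:
        raise ValueError("need at least two training samples")
    return mean(samples), stdev(samples)


def classify(t, mu, sigma):
    """Label one timing as 'normal', 'low' or 'high' priority."""
    if sigma == 0:  # degenerate baseline: any deviation is out of range
        return "normal" if t == mu else "high"
    z = (t - mu) / sigma  # signed distance from the mean in standard deviations
    if z > UPPER_HIGH or z < -LOWER_HIGH:
        return "high"
    if z > UPPER_LOW or z < -LOWER_LOW:
        return "low"
    return "normal"


def label_packets(baselines, observations):
    """observations: (seq, protocol, seconds). Returns only suspicious packets."""
    out = []
    for seq, proto, t in observations:
        mu, sigma = baselines[proto]
        label = classify(t, mu, sigma)
        if label != "normal":
            out.append((seq, proto, label))
    return out


# Constructed training timings (seconds), not the presentation's measurements.
TRAINING = {
    "icmp": [0.0010, 0.0012, 0.0011, 0.0009, 0.0010, 0.0011, 0.0012, 0.0010],
    "dns": [0.020, 0.022, 0.019, 0.021, 0.020, 0.023, 0.018, 0.021],
}
BASELINES = {proto: build_baseline(v) for proto, v in TRAINING.items()}

# Constructed observations: (sequence number, protocol, seconds).
OBSERVED = [(1, "icmp", 0.0011), (2, "icmp", 0.0016), (3, "icmp", 0.0030),
            (4, "dns", 0.0185), (5, "dns", 0.0150), (6, "dns", 0.0205)]
```

The asymmetric lower bound means a reply that arrives only slightly faster than the baseline is already labelled, which is where most of the low-priority labels will come from on a quiet network.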

  23. WORMS BEHAVIOR • Based on “A behavioral approach to worm detection”[20] • Need to look for this pattern of information (behavioral signature) in the database: A:? -> C:D, C:? -> E:D • Host A and C and E are infected • D is port number
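
One way to search stored connection records for the A:? -> C:D, C:? -> E:D pattern from slide 23, as an added example that is not code from the presentation. The record layout (time, source, destination, destination port), the 60-second window and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict


def find_propagation_chains(connections, window=60.0):
    """Return (A, C, E, port) tuples where A -> C:port is followed, within
    `window` seconds, by C -> E:port (the destination becomes a source)."""
    inbound = defaultdict(list)  # (host, port) -> [(time, source)] seen so far
    chains = []
    for ts, src, dst, port in sorted(connections):
        # Did `src` itself receive a connection on this port shortly before?
        for t_in, origin in inbound[(src, port)]:
            if 0 < ts - t_in <= window and origin != dst:
                chains.append((origin, src, dst, port))
        inbound[(dst, port)].append((ts, src))
    return chains


# Constructed records: (seconds, source host, destination host, destination port).
SAMPLE = [
    (0.0, "10.0.0.5", "10.0.0.7", 445),     # A -> C on port D
    (4.0, "10.0.0.7", "10.0.0.9", 445),     # C -> E on port D: chain
    (5.0, "10.0.0.7", "10.0.0.20", 80),     # different port: no chain
    (200.0, "10.0.0.9", "10.0.0.11", 445),  # same port, outside the window
]
```

Hosts that legitimately relay a protocol on one port (DNS resolvers, proxies, mail relays) match the same pattern, so the output is a list of candidates to review against known relays.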

  24. FUTURE WORK • What to do with the packet? How to know if it is from an intruder? • What data do we need to store? • How to collect the data towards an automated process? • How can SNORT create the intervals automatically? • Implement the approach in SNORT’s source code • Analyzing other protocols

  25. FUTURE WORK • Analyzing other scenarios like an internet server instead of a local server • Analyze wireless communication • DNSSecure • Behavioral signatures for other attacks

  26. CONCLUSION • Timing is important and we also need to look at other variables, like performance before making a decision. This decreases false positives. • The intervals work in the studied protocols, results may change for other protocols. • Intervals need to be tested using attacks like DDoS, worms, etc. • HTTP and HTTPS graphs are different because more information is exchanged and timing varies.

  27. REFERENCES • Network Intrusion Detection. Stephen Northcutt, Judy Novak. New Riders, 2003 • Defending yourself: The role of Intrusion Detection Systems. Jon McHugh, Alan Christie and Julia Allen • Design of an Autonomous Anti-DDoS Network (A2D2). Angela Cearns. Thesis, 2002 • Intrusion detection with SNORT. Rafeeq Ur Rehman. Prentice Hall, 2003

  28. QUESTIONS?
