The Role of Intrusion Detection Systems IDSs - PowerPoint PPT Presentation

1
The Role of Intrusion Detection Systems(IDSs)
Article Authors: John McHugh, Alan Christie, Julia Allen
Presentation: Ali Ardalan, October 12th, 2000
2
Article Overview
  • This article considers the role of IDSs in an
    organization's overall defensive posture and
    provides guidelines for IDS deployment, operation
    and maintenance.

3
Intrusion Detection Historical Context
  • Yesterday
    • Early hackers were simply interested in proving
      that they could break into systems
    • 1980, John Anderson's - Computer Security Threat
      Monitoring and Surveillance
    • 1987, Dorothy Denning's - An Intrusion Detection
      Model
  • Today
    • Hackers of today are motivated by financial,
      political and military objectives

4
The Evolution of Hacker Capability
(Chart: Attack Sophistication vs. Intruder Technical Knowledge)
5
The Two Schools of IDSs
  • Pattern Matching
    • Strengths
      • Able to detect industry-standard, accepted
        attacks
      • Able to easily name and classify attack types
      • Developing attack signatures for comparison is
        fairly straightforward
      • Able to identify previously unseen attacks with
        similar patterns
    • Weaknesses
      • Unable to detect truly novel attacks
      • Constantly suffer from false alarms
  • Anomaly Detection
    • Strengths
      • Difficult for attackers to hide their activity
        within the normal noise distribution so as to
        evade detection
      • Strong ability to recognize novel attacks
    • Weaknesses
      • Substantial system training is required
      • Modifications to the system require re-training
        and result in false alarms in the interim
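As an added illustration (not part of the original slides or the article), the two schools side by side over constructed access-log records: a signature matcher that names a known attack but cannot see a novel one, and a volume-based anomaly detector that catches the novel burst, raises a false alarm on a new legitimate host, and needs re-training to clear it. The signature regexes and the mean-plus-k-sigma threshold are hypothetical choices for this example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed records (client_ip, request_path) standing in for web access logs.
TRAINING = [  # quiet window used to learn the anomaly baseline
    ("10.0.0.5", "/index.html"), ("10.0.0.5", "/about.html"), ("10.0.0.5", "/cart"),
    ("10.0.0.7", "/index.html"), ("10.0.0.7", "/products"),   ("10.0.0.7", "/cart"),
    ("10.0.0.9", "/login"),      ("10.0.0.9", "/index.html"),
]
MONITORED = (
    [("10.0.0.5", "/index.html"), ("10.0.0.9", "/login")]
    + [("10.0.0.8", "/static/../../etc/passwd")]          # matches a known signature
    + [("10.0.0.12", f"/item/{i}") for i in range(40)]   # novel: no signature, but a burst
    + [("10.0.0.20", "/status")] * 8                      # new, legitimate monitoring host
)

# Pattern-matching school: signatures for known attacks (hypothetical regexes).
SIGNATURES = {
    "dot-dot-traversal": re.compile(r"\.\./"),
    "sql-comment-tail": re.compile(r"'\s*--"),
}

def signature_alerts(records):
    """Name and classify every record that matches a known signature."""
    return [(name, ip) for ip, path in records
            for name, rx in SIGNATURES.items() if rx.search(path)]

# Anomaly-detection school: learn normal per-client volume, flag large deviations.
def train_baseline(records):
    """Mean and population stdev of requests per client in a clean training window."""
    vals = list(Counter(ip for ip, _ in records).values())
    return mean(vals), pstdev(vals)

def anomaly_alerts(records, baseline, k=3.0):
    """Clients whose request count exceeds mean + k*stdev of the learned baseline."""
    mu, sigma = baseline
    threshold = mu + k * max(sigma, 1.0)   # floor sigma so a flat baseline keeps a band
    counts = Counter(ip for ip, _ in records)
    return sorted(ip for ip, n in counts.items() if n > threshold)

if __name__ == "__main__":
    base = train_baseline(TRAINING)
    print("signature:", signature_alerts(MONITORED))      # traversal found, burst missed
    print("anomaly:  ", anomaly_alerts(MONITORED, base))  # burst found, .20 is a false alarm
    # Re-training on traffic that includes the new host clears the false alarm.
    retrained = train_baseline(TRAINING + [("10.0.0.20", "/status")] * 8)
    print("retrained:", anomaly_alerts(MONITORED, retrained))  # only the burst remains
```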

6
Phenomenology of IDSs
  • Network Based
    • What do they do?
      • Are physically separate network entities
      • Examine packets on a network segment
      • Can simultaneously monitor multiple hosts
    • Strengths/Weaknesses?
      • Easy to deploy and maintain
      • Have little impact on the monitored systems'
        performance
      • Can themselves suffer from performance problems
  • Host Based
    • What do they do?
      • Operate on an existing network element
      • Inspect audit or log data to detect intrusive
        activities
      • Can simultaneously monitor multiple applications
    • Strengths/Weaknesses?
      • Detect intrusions that are not externally
        observable
      • Can seriously affect the host system's
        performance
      • Successful intrusions can disable host-based
        IDSs

7
A Properly Deployed IDS
  • 1 Can recognize both intrusions and DOS
    activities and invoke countermeasures against
    them in real time.
  • 2 Can provide warnings that the system is
    under attack, even when it is not vulnerable.
  • 3 Can confirm secure configuration and
    operation of other security mechanisms such as
    firewalls.
  • 4 Can collect forensic information during an
    attack, allowing for future location and
    prosecution of intruders.

8
A Suggested Security Solution
  • Make Intruder Tasks Substantially More Difficult
    • Configure inner network sensors to recognize
      intrusive or unexpected protocols
    • Place external sensors beyond firewalls to
      validate firewall rules
    • Configure host-based sensors on servers, looking
      for abnormal behavior by applications and within
      the operating system
    • Install a well-designed network of multiple
      firewalls
    • Adhere to a clearly defined, mission-specific
      security policy
    • Remove the ability to use all unneeded services
    • Regularly use integrity checking tools
    • Minimize vulnerability by constantly applying
      updates and patches

9
Architecture for Suggested Solution
(Diagram of the suggested architecture, showing: Internet, firewalls, DMZ with Web Server, Application Server, DB Server and E-mail Server, Intranet with Workstations, Network Sensors and Host Sensors, Analyzer (Network) and Analyzer (Host) feeding an IDS Management Console that produces Alerts and Incident Reports.)
10
The IDS Landscape
  • Vendors frequently release new IDS products
  • Vendors aggressively compete for market share,
    buy each other out and discontinue IDS product
    lines.
  • There are no industry standards for comparison
  • There are very few objective third-party
    evaluations
  • IDS marketing literature is vague and unclear
    • Work required to use and maintain IDS systems
    • Metrics for proper functioning and false alarms

11
A Sampling of ID Tools
  • Commercial Products
    • Easier to install and configure due to GUIs
    • RealSecure (real-time IDS, host and network
      sensors)
    • Tripwire (post-intrusion file integrity tool)
  • Public-Domain Tools
    • Users develop an understanding of ID abilities
      and limitations
    • Shadow (joint venture of the Navy, NSA and SANS
      Institute)
    • Snort (open source, public domain effort)
  • Research Prototypes
    • Developed for academic purposes, not
      maintained
    • Emerald (3-tier: Service, Domain and Enterprise
      Monitors)
    • STAT (state transition, sequence of actions)

12
Test Scenarios
  • IBM Zurich IDS Test Lab, 1999
    • NetRanger 2.1.2
      • Detected 18 of 32 attacks
    • RealSecure 3.0x
      • Detected 30 of 42 attacks
  • MIT Lincoln Labs Evaluations, 1998 and 1999
    • 32 attack types in 4 categories:
      Denial of Service, Remote-to-Local, User-to-Root,
      Probing/Surveillance
    • Best system detected 75 of the 120 attacks
      present
    • Best system generated 2 false alarms per day
    • Average system generated 10 false alarms per day

13
IDSs, the Next Target for Attack
  • Smart attackers will attack the IDSs
    • Disable the IDS entirely
    • Trick IDSs into providing false information
  • Necessity for protection of IDSs
    • Encryption of log files
    • Proper setting of IDS access controls
    • Regular integrity checks of IDS files
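An added example (not from the article or the presentation) of the integrity checking that slides 8 and 13 call for: a Tripwire-style baseline of SHA-256 hashes over an IDS rule and config tree, followed by a verification pass that reports modified, missing and added files. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large rule or log files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, baseline):
    """Compare the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario: baseline an IDS rule/config tree, alter it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "rules").mkdir()
        (root / "rules" / "web.rules").write_text("# constructed rule file\nrule 1\n")
        (root / "ids.conf").write_text("# constructed config\nlog_dir = /var/log/ids\n")
        # Serialise the baseline; in practice it is kept read-only and off the sensor,
        # since an intruder who has disabled the IDS could otherwise rewrite it too.
        stored = json.dumps(build_baseline(root))
        # Changes the check must catch (slide 13: a disabled IDS, planted files):
        (root / "rules" / "web.rules").write_text("# rule disabled\n")   # silenced rule
        (root / "ids.conf").unlink()                                      # removed config
        (root / "rules" / "extra.rules").write_text("rule 99\n")          # unexpected file
        return verify(root, json.loads(stored))

if __name__ == "__main__":
    print(demo())  # modified: rules/web.rules, missing: ids.conf, added: rules/extra.rules
```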

14
Article Conclusions
  • ID technology is immature and its effectiveness
    is limited
  • Much of the current effort seems to be aimed at
    detecting attacks made by relatively unskilled
    and unfocused attackers.
  • Anticipate modest improvement in actual
    algorithms for IDS
  • High expectations for improvements in detection
    and false alarms due to research in multiple
    sensor correlation