Intrusion Detection - PowerPoint PPT Presentation

Slides: 30
Provided by: james284

1
Intrusion Detection
  • Dr. James P. Early
  • CS526 Lecture
  • November 8, 2005

2
Lecture Outline
  • Terminology
  • History
  • Challenges

3
What is an intrusion?
  • Any set of actions that attempt to compromise the
    confidentiality, integrity, or availability of a
    computer resource
  • Term is overloaded
  • Trying to detect a policy violation

4
Types of Violations
  • Attack
      • Attempts to exploit a vulnerability
      • Ex: denial of service, privilege escalation
  • Intrusion
      • Masquerading as another legitimate user
  • Misuse
      • User abuses privileges
      • Often called the insider threat

5
Differentiating ID Systems
  • Monitoring strategy
  • Data sources
  • Analysis Type
  • Timing
  • Detection Goals
  • Control

6
Monitoring Strategy
  • Host
      • Internal computer sources
      • Ex: OS audit and system logs
  • Network
      • Packets via sniffing
  • Application
      • Application event streams and logs
  • Target-based
      • Monitor object for changes
      • Ex: Tripwire

7
Analysis Type
  • Misuse detection
      • Built with knowledge of bad behaviors
      • Collection of signatures
      • Examine event stream for signature match
  • Anomaly detection
      • Built with knowledge of normal behaviors
      • Examine event stream for deviations from normal
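As an added illustration of the two analysis types (not code from the lecture), the following Python sketch runs a small signature set over constructed syslog-style lines and, separately, builds a per-user statistical profile from constructed attack-free login counts and flags deviations from it; the signatures, log lines and counts are all invented for the example.

```python
import re
import statistics

# Misuse detection: a fixed collection of known-bad patterns (constructed
# for this example, not a real signature set) matched against each event.
SIGNATURES = {
    "su-failure": re.compile(r"su: .*authentication failure"),
    "sudo-denied": re.compile(r"sudo: .* user NOT in sudoers"),
}

def misuse_detect(log_lines):
    """Return (signature name, line) for every line matching a signature."""
    return [(name, line) for line in log_lines
            for name, sig in SIGNATURES.items() if sig.search(line)]

# Anomaly detection: profile normal behaviour from attack-free data as a
# mean and standard deviation per user, then flag large deviations.
def build_profile(training_counts):
    """training_counts: {user: [logins per day, ...]} from attack-free data."""
    return {user: (statistics.fmean(c), statistics.pstdev(c))
            for user, c in training_counts.items()}

def anomaly_detect(profile, todays_counts, threshold=3.0):
    """Flag users whose count is more than `threshold` standard deviations
    from their mean; a user with no profile has no model of normal at all."""
    flagged = []
    for user, count in todays_counts.items():
        if user not in profile:
            flagged.append((user, "no profile"))
            continue
        mean, stdev = profile[user]
        if stdev == 0:  # perfectly regular user: any change is a deviation
            z = 0.0 if count == mean else float("inf")
        else:
            z = (count - mean) / stdev
        if abs(z) > threshold:
            flagged.append((user, round(z, 2)))
    return flagged

# Constructed sample data: syslog-style lines and per-user daily login counts
LOG = [
    "Nov  8 02:13:01 host su: pam_unix(su:auth): authentication failure; user=alice",
    "Nov  8 09:00:12 host sshd: Accepted publickey for bob from 10.0.0.7",
    "Nov  8 09:05:44 host sudo: carol : user NOT in sudoers ; COMMAND=/bin/ls /root",
]
TRAINING = {"alice": [3, 4, 3, 5, 4, 3, 4], "bob": [1, 1, 2, 1, 1, 1, 2]}
TODAY = {"alice": 4, "bob": 9, "mallory": 1}
```

Running `misuse_detect(LOG)` reports the two signature hits, while `anomaly_detect(build_profile(TRAINING), TODAY)` flags bob's jump to nine logins and the unknown user mallory but leaves alice alone.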

8
Timing
  • Batch/interval
      • Analysis is done on bulk data (files)
      • Analysis is periodic
  • Real-time
      • Analysis tries to keep pace with events
      • Results can be used to take timely action

9
Detection Goals
  • Accountability
      • Capability to attribute an action to the responsible party
      • Very challenging in networked environments
  • Response
      • Record result to a log
      • Trigger alarm
      • Adapt the system
          • Kill a process, update a firewall rule

10
Control
  • Centralized
      • Central repository for data collection/analysis
      • Ex: Tripwire (host) and SNORT (network)
  • Agent-based
      • Distributed collection using agents or sensors
      • Alerts can be sent to central collection point
      • Ex: ESP (host) and AAFID (network)

11
History
  • 1970s: Observation by administrators
      • When an account is used
      • When/how much a resource is used
  • Early 1980s: Usage models
      • First proposed by Anderson (1980)
      • Based on accounting logs
      • Login frequency, volume of data processed, etc.
      • Batch processing, not real time

12
Anderson's Threat Matrix
13
History
  • Late 1980s: Real-time Intrusion Detection
      • Principles formalized by D. Denning (from Purdue!)
      • Created the Intrusion Detection Expert System (IDES)
      • Hybrid of anomaly detection and an expert system
      • Used adaptive statistical profiles and policy rules
  • Many more followed
      • Haystack, MIDAS, NADIR, NSM, Wisdom and Sense

14
History
  • 1990s
      • Increased attention on network-based systems
          • GrIDS, EMERALD
      • Introduction of machine learning and data mining techniques
          • MADAMID (Mining Audit Data for Automated Models for Intrusion Detection)
          • ADAM (Audit Data Analysis and Mining)

15
Challenge: Data Sources
  • Are we collecting the right information?
      • Does it permit identification of violations?
      • How much information is enough?
  • Where to collect?
      • Host versus network?
  • Format for interoperability?
      • IDMEF: XML-based message format (2004)

16
System Features
  • Accounting information
      • Login attempts, time, CPU used
      • Resources accessed
  • Sequences of system calls
      • Hofmeyr (1998)
  • Sequences of user commands
      • Lane (1998)
  • Mouse movements
      • Pusara (2003)
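An added example (not from the lecture or from Hofmeyr's paper) of the system-call-sequence feature listed above: a database of short call windows collected from constructed attack-free traces of a hypothetical daemon serves as the model of normal, and a new trace is scored by the fraction of its windows that were never seen during training.

```python
def build_normal_db(traces, k=3):
    """Collect every window of k consecutive system calls observed in
    attack-free traces of one program; this set is the model of normal."""
    db = set()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            db.add(tuple(trace[i:i + k]))
    return db

def score_trace(trace, db, k=3):
    """Slide the same window over a new trace and return the windows that
    never appeared in normal data plus the mismatch fraction, which is the
    anomaly signal (0.0 for a fully normal trace, 1.0 if nothing matches)."""
    windows = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    unseen = [w for w in windows if w not in db]
    fraction = len(unseen) / len(windows) if windows else 0.0
    return unseen, fraction

# Constructed traces for a hypothetical file-serving daemon; these are not
# the data sets used in the original paper.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "write", "close"],
    ["open", "read", "read", "close", "write", "close"],
    ["open", "mmap", "read", "close", "write", "close"],
]
# Every call here is ordinary on its own; the ordering is what never
# occurred during training, so every window is unseen.
SUSPECT_TRACE = ["open", "read", "execve", "setuid", "write", "close"]
# A mostly normal trace with one repeated write: two of five windows unseen.
PARTIAL_TRACE = ["open", "read", "read", "close", "write", "write", "close"]

NORMAL_DB = build_normal_db(NORMAL_TRACES)
```

Because the model is built only from what the program did during training, the quality of the "attack-free data" requirement raised later in the lecture decides directly how many false alarms this scorer produces.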

17
Network Features
  • Packet header values
      • Mahoney (2002)
  • TCP Sessions
      • Lee (2002)
  • Behavioral features
      • Early (2005)

18
The Evasion Problem
  • Location can make IDS vulnerable
  • Overload monitor with events
      • Slow processing
      • Overload disk storage
  • DoS attacks
  • Ptacek and Newsham (1998)

[Figure: Monitor, Victim, packet dropped by network]
19
Challenge: Analysis Type
  • Misuse detection
      • Limited by available signatures
      • Can't detect new attacks
      • Must be updated frequently
  • Anomaly detection
      • Requires representative normal data
      • Requires attack-free data
  • Some systems combine approaches

20
Challenge: Timing
  • Time to detect
      • How many signatures can be checked?
      • How long to verify model compliance?
  • Is there time to react?
  • Violations within idle interval
      • A file modification between Tripwire runs
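To make the idle-interval point concrete, this added Python example (not part of the lecture, and not Tripwire's own code) keeps a Tripwire-style digest baseline for a constructed configuration file and shows that a change made and reverted between two scheduled checks leaves nothing for the comparison to find, while a change that persists is reported on the next run.

```python
import hashlib
import os
import tempfile

def snapshot(paths):
    """Record a SHA-256 digest per monitored file, as an integrity baseline."""
    db = {}
    for p in paths:
        with open(p, "rb") as f:
            db[p] = hashlib.sha256(f.read()).hexdigest()
    return db

def check(baseline, paths):
    """Return the monitored files whose current digest differs from the baseline."""
    current = snapshot(paths)
    return sorted(p for p in paths if current[p] != baseline[p])

def demo():
    """Constructed scenario: three scheduled checks of one file, with a
    change-and-restore between the first two and a lasting change before the third."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "service.conf")  # hypothetical monitored file
        with open(cfg, "w") as f:
            f.write("allow = 10.0.0.0/8\n")
        baseline = snapshot([cfg])
        run1 = check(baseline, [cfg])          # nothing has changed yet
        # Between runs the file is altered ...
        with open(cfg, "w") as f:
            f.write("allow = 0.0.0.0/0\n")
        # ... and restored before the next scheduled check runs
        with open(cfg, "w") as f:
            f.write("allow = 10.0.0.0/8\n")
        run2 = check(baseline, [cfg])          # digest matches: blind spot
        with open(cfg, "a") as f:
            f.write("allow = 192.168.0.0/16\n")
        run3 = check(baseline, [cfg])          # lasting change is caught
    return run1, run2, run3
```

Only `run3` names the file; shortening the interval narrows the window but never closes it, which is the lecture's argument for real-time sources alongside batch target monitoring.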

21
Challenge: Control
  • Centralized
      • Sufficient processing resources
      • Protection from attack
  • Agent-based
      • Secure communication
      • Efficiency
          • Does the agent make reasonable processing demands?
      • Subversion

22
Causes of Security Problems
  • System design and development
      • Software platform: buffer overflows, stack smashing
      • Inadequate development process / quality assurance
      • Errors/bugs
  • System management
      • Failure to create adequate policies
      • Failure to maintain (patches, etc.)
  • Trust allocation
      • Protocols with inadequate authentication
      • Faulty cryptographic protocols
      • Failure to create adequate policies

23
Defining Policy
  • Consider this example
  • A hospital deploys a database system for patient
    records. The system consists of a centralized DB
    server accessed by client systems in the
    hospital. Clients access the information through
    a network of connected PCs and via wireless PDAs
  • What sorts of policy statements can we make about
    the hardware? Software? Users?

24
Defining Policy
  • Possible statements
      • The DB server software will be kept up to date
      • Unused network services (ports) on the DB server will be disabled
      • Wireless access will employ strong cryptographic protocols
      • Users are prohibited from examining records of patients not in their care
  • Machine-readable policy is a very hard problem
      • Particularly for misfeasance (i.e. insiders)

25
Performance Issues
  • False positive rates
      • Labeling a benign event as an attack
      • Particularly troublesome for anomaly detection systems
      • Dominate IDS performance
          • Base Rate Fallacy, Axelsson (1998)
  • False negative rates
      • Failure to detect an attack event
  • Data volume
      • Partitioning / filtering event streams
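The base-rate argument, as an added worked example (not from the lecture or from Axelsson's paper): with an assumed base rate of 20 intrusive events per million audit records, the fraction of alarms that are real intrusions is computed for several false-positive rates, and the false-positive rate needed for alarms to be right half the time is solved for.

```python
def bayesian_detection_rate(tpr, fpr, base_rate):
    """P(intrusion | alarm): the probability that an alarm is a real
    intrusion, given the detector's true-positive rate, its false-positive
    rate, and the prior probability that an audited event is intrusive."""
    p_alarm = tpr * base_rate + fpr * (1.0 - base_rate)
    return (tpr * base_rate) / p_alarm if p_alarm > 0 else 0.0

def required_fpr(target, tpr, base_rate):
    """The false-positive rate at which P(intrusion | alarm) reaches
    `target`, obtained by solving the expression above for fpr."""
    return tpr * base_rate * (1.0 - target) / (target * (1.0 - base_rate))

def sweep(fprs, tpr=1.0, base_rate=2e-5):
    """Bayesian detection rate for each candidate false-positive rate; the
    perfect true-positive rate isolates the effect of the base rate."""
    return {fpr: bayesian_detection_rate(tpr, fpr, base_rate) for fpr in fprs}

# Assumed scenario (constructed, not the lecture's numbers): 1,000,000 audit
# records a day, of which 20 belong to intrusions, so the base rate is 2e-5.
BASE_RATE = 20 / 1_000_000

if __name__ == "__main__":
    for fpr, rate in sweep([1e-2, 1e-3, 1e-4, 1e-5], base_rate=BASE_RATE).items():
        print(f"FPR={fpr:.0e}  P(intrusion|alarm)={rate:.4f}")
    needed = required_fpr(0.5, 1.0, BASE_RATE)
    print(f"FPR needed for alarms to be right half the time: {needed:.1e}")
```

Even with every intrusion detected, a false-positive rate of one in a thousand leaves fewer than two alarms in a hundred genuine, and only an FPR on the order of the base rate itself gets past fifty percent, which is why the false-positive rate dominates IDS performance.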

26
Honeypots and Honeynets
  • Real or virtual system
  • Any activity is an attack
  • Entice attackers to break in
  • Observe actions and tool usage
  • Record all activities
  • Use information to develop stronger defenses

27
Research Directions
  • Policy derivation/validation
      • Theorem provers
  • Worm propagation
  • Infrastructure protection
      • Routing and DNS tables
  • Feature extraction
      • Library interposition (Kuperman 2004)
      • Network protocols (Early 2005)

28
Questions?
29
References
  • Intrusion Detection, Rebecca Bace, Macmillan Technical Publishing, 2000
  • CERIAS
      • http://www.cerias.purdue.edu/tools_and_resources/hotlist/
  • Phillip Chan
      • http://www.cs.fit.edu/pkc/id/related/