Intrusion Detection Systems: What, Why, and How - PowerPoint PPT Presentation

Provided by: stevenst4

Transcript and Presenter's Notes

1
Intrusion Detection Systems What, Why, and How
  • Network Security Group 1
  • CS4235B Fall 2005

2
Introduction
  • What is an IDS?
  • Why do we need it?

3
IDS Components
  • Sensor(s)
  • Console
  • Central Engine

4
Types of IDS
  • Network Intrusion Detection Systems
  • Host-Based Intrusion Detection Systems
  • Hybrid Intrusion Detection Systems
  • Signature-Based Intrusion Detection Systems
  • Anomaly-Based Intrusion Detection Systems

5
Network Intrusion Detection Systems
  • Monitor packets on the network
  • Detect malicious activity
  • Read and scan incoming and outgoing packets for
    patterns that are out of the ordinary
  • Customizable to work with other systems

6
Host-Based Intrusion Detection System
  • Monitor and analyze the computer system they are
    installed on
  • Checks whether anything/anyone has circumvented
    the security policy enforced by the operating
    system
  • Aware of the state of the computer system

7
Hybrid Intrusion Detection Systems
  • Combines Host agent data with network information
  • Comprehensive view of the network
  • Works as a single, powerful, and distributed
    application

8
Signature-Based Intrusion Detection Systems
  • Watch for patterns of events specific to known
    and documented attacks
  • Typically connected to a large database which
    houses attack signatures
  • Presumed to be able to detect only attacks
    known to its database
  • Performance lag when intrusion patterns match
    several attack signatures

9
Anomaly-Based Intrusion Detection Systems
  • Identify intrusions by detecting anomalies
  • Works on notion that attack behavior differs
    enough from normal user behavior
  • System administrator defines the baseline of
    normal behavior
  • Ability to detect new attacks
  • Issues (False Positives, Heavy processing
    overheads, Time to create statistically
    significant baselines)
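The two detection styles on slides 8 and 9, run side by side over a constructed access log, as an added example (not material from the slides): a tiny signature "database" catches only what it already knows, while a rate baseline catches a noisy scanner but not a single novel request. The log format, the three signature patterns, the host addresses and the z-score threshold are all assumptions made for this illustration.

```python
"""Signature-based vs anomaly-based detection run over a constructed access log.

Added example, not from the slides: the log lines, the three "signatures", the
host addresses and the z-score threshold are all made up for illustration."""
import re
import statistics
from collections import Counter

# Signature "database": (id, description, pattern). IDs and patterns are hypothetical.
SIGNATURES = [
    ("SIG-001", "directory traversal in URI", re.compile(r"\.\./")),
    ("SIG-002", "phf CGI probe", re.compile(r"/cgi-bin/phf")),
    ("SIG-003", "shell metacharacter in query", re.compile(r"[;|`]")),
]

# Constructed log format: <src-ip> <unix-seconds> "<request line>"
LOG_LINE = re.compile(r'^(?P<src>\S+) (?P<ts>\d+) "(?P<req>[^"]*)"$')

def parse(lines):
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            events.append({"src": m["src"], "ts": int(m["ts"]), "req": m["req"]})
    return events

def signature_scan(events):
    """Report every event that matches a known pattern. Anything not in
    SIGNATURES, such as a brand-new attack, is invisible to this scan."""
    return [(sid, ev["src"], ev["req"])
            for ev in events for sid, _desc, rx in SIGNATURES if rx.search(ev["req"])]

def rates(events, window):
    """Requests per (source, time window): the feature the anomaly model scores."""
    return Counter((ev["src"], ev["ts"] // window) for ev in events)

def anomaly_scan(train, test, window=60, z_thresh=3.0):
    """Baseline = mean/stddev of per-source request rate over the training
    period (the administrator-defined 'normal'); flag test windows whose rate
    is more than z_thresh standard deviations above it. No signature needed,
    but a single-request attack stays below the threshold."""
    base = list(rates(train, window).values())
    mu, sigma = statistics.mean(base), statistics.pstdev(base) or 1.0
    flagged = []
    for (src, w), n in sorted(rates(test, window).items()):
        z = (n - mu) / sigma
        if z > z_thresh:
            flagged.append((src, w, n, round(z, 1)))
    return flagged

# Constructed training traffic: three hosts making 2, 3 and 4 requests per minute.
TRAIN_LINES = [f'{host} {w * 60 + k} "GET /index.html"'
               for w in range(5)
               for i, host in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"])
               for k in range(2 + i)]

# Constructed test traffic in minute 10: a scanner (40 requests, two of them
# known attacks), a normal host, and one novel injection attempt.
TEST_LINES = (
    [f'192.0.2.77 {600 + k} "GET /cgi-bin/phf?Qalias=x"' if k == 0 else
     f'192.0.2.77 {600 + k} "GET /../../etc/passwd"' if k == 1 else
     f'192.0.2.77 {600 + k} "GET /page{k}.html"' for k in range(40)]
    + [f'10.0.0.1 {600 + k} "GET /index.html"' for k in range(3)]
    + ['10.0.0.2 605 "GET /admin?user=bob\' OR 1=1--"']
)

def run_demo():
    train, test = parse(TRAIN_LINES), parse(TEST_LINES)
    return signature_scan(test), anomaly_scan(train, test)

if __name__ == "__main__":
    hits, flagged = run_demo()
    print("signature hits:", hits)        # two known attacks; the SQL injection is missed
    print("anomalous windows:", flagged)  # the scanner; the lone injection is missed
```

Both blind spots on the slides show up in the output: the injection attempt from 10.0.0.2 matches no signature and, being one request, stays inside the baseline, which is the argument for the hybrid schemes slide 22 points to.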

10
What is a Honeypot?
  • "An information system resource whose value lies
    in unauthorized or illicit use of that resource"
    (Spitzner)
  • Honeypot is put up for several reasons
  • To watch what attackers do, in order to learn
    about new attacks
  • To lure an attacker to a place in which one may
    be able to learn enough to identify and stop the
    attacker
  • To distract adversaries from more valuable
    machines on a network

11
Types of Honeypots
  • Production Honeypots
  • Easy to use
  • Capture only limited information
  • Used primarily by companies or corporations
  • Usually low-interaction honeypots
  • Research Honeypots
  • Complex to deploy and maintain
  • Capture intensive information
  • Used primarily by research, military or govt.
    organizations
  • Usually high-interaction honeypots

12
Uses of Honeypots
  • Prevent Attacks
  • Network Security
  • Studying traffic patterns
  • Determine new hacker techniques
  • Detect Attacks
  • Spam Prevention
  • Fake Open Relay
  • Credit card fraud identification

13
Advantages / Disadvantages
  • Advantages
  • Simple to create and maintain
  • Collect information of great value
  • Reduce false positives
  • Capture any activity, can work in IPv6/Encrypted
    Network
  • Disadvantages
  • Can only track activity that directly interacts
    with them
  • Level of risk

14
Building a Honeypot
  • A standard box which is of interest is built and
    placed on the internet
  • Issues
  • How to track the black-hats moves
  • How to alert/know when the system is probed or
    compromised
  • How to stop the black-hat from compromising other
    systems

15
Building a Honeypot (contd.)
  • Place the honeypot on its own network behind a
    firewall
  • Advantages
  • Firewall logs: first layer of tracking
  • Firewall alerting capability
  • Traffic control by firewall
  • Restoration mechanism
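A minimal low-interaction honeypot of the "fake open relay" kind mentioned on slide 12, as an added example (not code from the slides or from any honeypot project). It addresses the three issues on slide 14 in the simplest way: every byte the attacker sends is recorded (tracking), each session becomes one JSON log record (alerting), and the service executes nothing and relays nothing (no pivot to other systems). The banner, listening port and peer addresses are assumptions; the firewall and its egress rules from slide 15 are outside the code.

```python
"""A minimal low-interaction honeypot: present a fake service, record everything
the attacker sends, execute nothing. Added example, not from the slides; the
banner, port and peer addresses are made up. In a real deployment the box sits
on its own segment behind a firewall whose logs and egress rules do the rest."""
import json
import socket
import sys
import threading
import time

BANNER = b"220 mail.example.test ESMTP ready\r\n"  # fake open-relay banner (hypothetical)
MAX_BYTES = 4096        # cap per session so one attacker cannot fill the disk
SESSION_TIMEOUT = 5.0   # seconds of silence before we hang up

def handle_session(conn, peer, log, now=time.time):
    """Serve one attacker connection and append a log record to `log`.
    Every input line is recorded verbatim and answered with a canned reply;
    nothing is parsed beyond looking for QUIT, so there is nothing to exploit
    and no way to relay mail to a third party."""
    record = {"peer": "%s:%d" % peer, "start": now(), "lines": [], "truncated": False}
    conn.settimeout(SESSION_TIMEOUT)
    try:
        conn.sendall(BANNER)
        buf, total = b"", 0
        while total < MAX_BYTES:
            chunk = conn.recv(1024)
            if not chunk:
                break
            total += len(chunk)
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                text = line.rstrip(b"\r").decode("utf-8", "replace")
                record["lines"].append(text)
                if text.upper().startswith("QUIT"):
                    conn.sendall(b"221 bye\r\n")
                    return record
                conn.sendall(b"250 OK\r\n")   # accept anything; learn what they try
        else:
            record["truncated"] = True      # hit MAX_BYTES without a QUIT
    except OSError as exc:                  # timeout, reset, broken pipe
        record["error"] = type(exc).__name__
    finally:
        record["end"] = now()
        log.append(record)
        conn.close()
    return record

def simulate_attacker(payload, peer=("203.0.113.5", 4444)):
    """In-process harness: drive handle_session over a socketpair and return
    (bytes the attacker saw, the log record). For testing only."""
    server, client = socket.socketpair()
    log = []
    worker = threading.Thread(target=handle_session, args=(server, peer, log))
    worker.start()
    client.sendall(payload)
    seen = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:           # honeypot closed the session
            break
        seen += chunk
    worker.join()
    client.close()
    return seen, log[0]

def serve(bind="127.0.0.1", port=2525):
    """Listen and hand each connection to a thread; one JSON line per session
    on stdout is the alert the slide asks for. Port is hypothetical."""
    log = []
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            def worker(c=conn, p=peer):
                rec = handle_session(c, p, log)
                print(json.dumps(rec), file=sys.stdout, flush=True)
            threading.Thread(target=worker, daemon=True).start()

if __name__ == "__main__":
    serve()
```

The per-session byte cap and idle timeout are what keep the "level of risk" from slide 13 bounded: an attacker can talk to the honeypot, but cannot use it to store payloads, hold sockets open indefinitely, or reach anything else.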

16
Research at Georgia Tech
  • Computer Science Department
  • Wenke Lee, Professor
  • Yi-An Huang, PhD Student

17
Research at Georgia Tech
  • Anomaly Detection
  • Wireless Network Intrusion Detection

18
Architecture for Intrusion Detection
  • Data Collection
  • Local Detection
  • Cooperative Detection
  • Intrusion Response
  • Multi-Layer Integrated Intrusion Detection and
    Response

19
Anomaly Detection in Mobile Ad-Hoc Networks
  • Building an Anomaly Detection Model
  • Detecting Abnormal Updates to Routing Tables
  • Detecting Abnormal Activities in Other Layers

20
The Future of IDS
  • IDS is a valuable part of security scheme
  • IDS will be around in the future
  • IDS will change with technology
  • Current problems exist with IDS that need to be
    addressed

21
Current Problems
  • High-traffic, high-speed networks often overwhelm
    an IDS, which then drops packets it never inspects
  • An IDS is either blind to the network or to the
    individual hosts
  • How can an IDS inspect encrypted traffic?
  • Whether to use anomaly- or signature-based
    detection

22
What's Next?
  • Hybrid anomaly and signature based detection
    schemes
  • Better hardware should keep up with the increase
    in network speed as well as smart scanning
  • More efficient scanning algorithms
  • Combination of network and host IDS
  • Paint a more clear picture of the network
  • Application level IDS for encrypted
    communications
  • Advances in open source IDS
  • Sometimes the best things in life are free

23
SNORT
  • A GPL-Licensed open-source light-weight IDS
  • Capable of performing real-time traffic analysis
    and packet logging
  • Can be used to detect a variety of attacks and
    probes, such as buffer overflows, stealth port
    scans, CGI attacks, SMB probes, OS fingerprinting
    attempts and more
  • Can also be used for Intrusion Prevention purposes

24
Why Snort?
  • Snort is free
  • Snort is configurable
  • Snort is widely used
  • Snort is interoperable

25
More About Snort
  • Snort uses a flexible rules language to describe
    traffic that it should collect or pass, as well
    as a detection engine that utilizes a modular
    plugin architecture. It also includes a real-time
    alerting capability.
  • Snort can be configured to run in the following
    modes
  • Sniffer mode, which simply reads the packets off
    the network and prints them
  • Packet Logger mode, which logs the packets to
    disk
  • Network Intrusion Detection mode, which applies
    the ruleset and lets Snort analyze traffic on the fly

26
Components of Snort
  • When a network packet hits an Ethernet wire that
    Snort is sniffing, it takes the following path
  • Packet capture library - hands Snort the raw
    packets from the network interface. Libpcap on
    Unix/Linux, WinPcap on Windows.
  • Packet Decoder - takes apart the data sent over
    from the packet capture library (link, IP and
    transport headers).
  • Preprocessor - operates on decoded packets,
    performing a variety of transformations (for
    example normalizing HTTP URIs or reassembling
    streams). Plug-ins can be added here.
  • Detection Engine - heart of Snort. Compares the
    decoded information from the packets with its
    ruleset.
  • Output - generates logs and alerts. Output
    plug-ins can be added here.
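The packet path on slides 25 and 26, reduced to a runnable toy, as an added example: this is not Snort's code, and the rule parser understands only the rule header plus the `msg`, `content` and `sid` options of Snort's syntax. The "capture" step is replaced by constructed IPv4/TCP packets built in the block (no checksums, no Ethernet header), the preprocessor is a single HTTP percent-decoding step, and the two rules, their SIDs, the addresses and the payloads are all made up. The point it shows beyond the slide text is why the preprocessor stage matters: an attacker who writes `/cgi%2dbin/phf` on the wire would slip past a `content:"/cgi-bin/phf"` match unless the URI is normalized first.

```python
"""Toy version of Snort's packet path: capture -> decode -> preprocess ->
detect -> output, driven by rules in a Snort-like syntax.

Added example, not Snort's code: the rule parser handles only the header
and a few options, the "capture" step is a constructed byte string, and
the SIDs, addresses and payloads are made up."""
import ipaddress
import re
import struct
from urllib.parse import unquote

# Two rules in (simplified) Snort syntax. SIDs are hypothetical.
RULES_TEXT = '''
alert tcp any any -> 192.0.2.0/24 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; sid:1000001;)
alert tcp any any -> 192.0.2.0/24 80 (msg:"WEB-MISC directory traversal"; content:"../"; sid:1000002;)
'''

RULE_RX = re.compile(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)')

def parse_rules(text):
    """Rule header plus key:value options; only what this toy needs."""
    rules = []
    for line in text.splitlines():
        m = RULE_RX.match(line.strip())
        if not m:
            continue
        action, proto, src, sport, dst, dport, opts = m.groups()
        options = {}
        for opt in opts.split(';'):
            if ':' in opt:
                k, v = opt.split(':', 1)
                options[k.strip()] = v.strip().strip('"')
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dst": dst, "dport": dport, **options})
    return rules

def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4+TCP packet (no checksums, no Ethernet header) standing
    in for what libpcap would hand Snort."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp + payload

def decode(raw):
    """Packet decoder: take apart the IPv4 and TCP headers."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None  # only IPv4/TCP in this toy
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off, _, _, _, _ = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    data_off = ihl + (off >> 4) * 4
    return {"proto": "tcp", "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)), "sport": sport, "dport": dport,
            "payload": raw[data_off:]}

def preprocess(pkt):
    """HTTP preprocessor: percent-decode the request so that an encoded
    /cgi%2dbin/phf still matches content:"/cgi-bin/phf"."""
    text = pkt["payload"].decode("latin-1")
    pkt["norm"] = unquote(text) if pkt["dport"] in (80, 8080) else text
    return pkt

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def detect(pkt, rules):
    """Detection engine: the packet must match the rule header and the content option."""
    return [r for r in rules
            if r["proto"] == pkt["proto"]
            and _addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])
            and _port_ok(r["sport"], pkt["sport"]) and _port_ok(r["dport"], pkt["dport"])
            and r.get("content", "") in pkt["norm"]]

def output(pkt, rule):
    """Output stage, in the style of Snort's fast alert format."""
    return (f'[**] [1:{rule["sid"]}:0] {rule["msg"]} [**] {{TCP}} '
            f'{pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}')

def run_pipeline(raw_packets, rules_text=RULES_TEXT):
    rules = parse_rules(rules_text)
    alerts = []
    for raw in raw_packets:
        pkt = decode(raw)
        if pkt is not None:
            alerts.extend(output(pkt, r) for r in detect(preprocess(pkt), rules))
    return alerts

# Constructed traffic: an encoded phf probe, an encoded traversal, a benign
# request, and the same phf probe to a port the rule header does not cover.
SAMPLE_PACKETS = [
    build_packet("203.0.113.9", "192.0.2.10", 51515, 80, b"GET /cgi%2dbin/phf?Qalias=x HTTP/1.0\r\n\r\n"),
    build_packet("203.0.113.9", "192.0.2.10", 51516, 80, b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n\r\n"),
    build_packet("198.51.100.4", "192.0.2.10", 40000, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_packet("203.0.113.9", "192.0.2.10", 51517, 8080, b"GET /cgi%2dbin/phf HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for line in run_pipeline(SAMPLE_PACKETS):
        print(line)
```

Running it prints two alerts (SIDs 1000001 and 1000002) for the first two packets and nothing for the benign request or the port-8080 probe; remove the `unquote` call in `preprocess` and both attacks go unreported, which is the evasion the real preprocessors exist to close.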

27
Snort Tools
  • Snort has a wide variety of plug-ins and tools
    available. The most useful tools are
  • BASE - a web front-end to query and analyze the
    alerts coming in from a Snort IDS system.
  • Snort Inline - a modified version of Snort that
    works as an IPS. Accepts packets from iptables
    and uses rule types to tell iptables whether the
    packet should be dropped, rejected, modified or
    allowed to pass.
  • Guardian - an active response utility that
    updates firewall rules based on Snort alerts.
  • MIDAS - a centralized cross-platform network
    monitoring system and NIDS that uses Snort as its
    base IDS.
  • Demarc PureSecure - a centralized intrusion
    detection and security suite that integrates the
    Snort IDS.