Intrusion Detection - PowerPoint PPT Presentation

Provided by: Jia144

Transcript and Presenter's Notes

1
Intrusion Detection
2
Intruders
  • Gain hostile or unwanted access to the system.
  • Either local or via network
  • Varying levels of competence
  • May seem benign
  • May use compromised system to launch other
    attacks
  • Aim to increase their own privileges on system

3
Types of Intruders
  • Masquerader: usually an outsider, not authorized
    to use the system, but penetrates the system
    through a legitimate user account
  • Misfeasor: usually an inside legitimate user who
    accesses assets not authorized, or is authorized
    but misuses privileges
  • Clandestine user: an insider or outsider user who
    has supervisory access to the system

4
Intrusion Techniques
  • Basic attack methodology
  • Take possession of target machine and gather
    unauthorized information
  • Obtain initial access
  • Escalate privileges
  • Remove traces of intrusion
  • Main goal is to acquire passwords

5
Why Do We Need Intrusion Detection?
  • Security failures are inevitable
  • Need to detect intrusions
  • Blocked if detected quickly
  • Act as deterrent
  • Collect information to improve security
  • Data within organization is often more important
    than the network itself
  • Commerce, Government, Business, and Academia

6
Intrusion Detection System
  • Types of IDS
  • Host-based IDS
  • Network-based IDS

T1 ch. 22; T2 ch. 25
7
Host-based IDS
  • Use OS auditing mechanisms
  • e.g., logs all direct or indirect events
    generated by a user
  • Monitor user activities
  • e.g., Analyze shell commands
  • Monitor executions of system programs
  • e.g., Analyze system calls made by sendmail
  • Involve monitoring of
  • communications in and out of a machine
  • integrity of system files
  • processes running

8
Examples of Host-based IDS
  • Black Ice (http://www.networkice.com)
  • Windows Operating System
  • Zone Alarm (http://www.zonealarm.com)
  • Windows Operating System
  • Internet Security Systems (ISS) RealSecure
    (http://www.iss.net)
  • Windows and Unix Operating Systems
  • Linux Intrusion Detection System (LIDS)
    (http://www.lids.org)
  • Linux Operating System

9
Strengths and Drawbacks of Host-based IDS
  • Strengths
  • Easy attack identification
  • Can monitor key components
  • Near real-time detection and response.
  • No additional hardware needed
  • Drawbacks
  • Deciding which information needs to be logged is a
    matter of experience.
  • Unselective logging of messages may greatly
    increase audit and analysis burdens.
  • Selective logging risks missing attack
    manifestations.

10
Network-based IDS
  • Deploy special sensors at strategic locations
  • e.g., Packet sniffing via tcpdump at routers
  • Inspect network traffic
  • Watch for violations of protocols and unusual
    connection patterns
  • Monitor user activities
  • Look into data portions of packets for malicious
    command sequences
  • Monitor packets for some sort of signature as
    they pass a sensor

11
Common Network Signs of Intrusion Detection
  • String
  • Look for a text string that indicates a possible
    attack.
  • Port
  • Watch for connection attempts to well-known
    frequently attacked ports.
  • Header
  • Look for suspiciously dangerous or illogical
    combinations of packets and headers.
  • Example: WinNuke, where a packet is destined for
    the NetBIOS port and the Urgent pointer (Out Of Band
    data) is set, resulting in a "blue screen of
    death" on Windows systems.

12
Some Examples of Network-based IDS
  • Internet Security Systems (ISS) RealSecure
    (http://www.iss.net)
  • Windows and Unix Operating Systems
  • Snort (http://www.snort.org)
  • Open Source
  • Windows and Unix Operating Systems
  • Cisco NetRanger (http://www.cisco.com)
  • Unix-based Appliance Intrusion Detection System

13
Strengths and Drawbacks of Network-based IDS
  • Strengths
  • Cost of ownership reduced
  • Packet analysis feasible
  • Real time detection and response
  • Malicious intent detection before real intrusion
    happens
  • Operating system independence
  • Drawbacks
  • Packets can be lost on flooded networks
  • Reassembled packets could be incorrect and trigger
    false alarms
  • Cannot handle encrypted data
  • Dependent on network architecture
  • High false-positive rate
  • Configuration needs expertise
  • Privacy compromised

14
Hybrid of Network-based and Host-based IDS
[Diagram: a network connected to the Internet, with NIDS sensors on the network segments and HIDS on individual hosts]
15
Intrusion Detection Techniques
  • Profile-based
  • Signature-based
  • Rule-based
  • State Transition Analysis
  • Pattern Matching

16
ID Techniques: Profile-based
  • Profile: identification of subjects and their
    normal behavior
  • Subject: a user account, a service, a group, or
    a network domain, etc.
  • Approaches
  • Intrusion Detection Expert System (IDES)
  • Wisdom and Sense (W&S)
  • Specification-based
  • Advantages: easy to implement; capable of
    detecting new intrusion scenarios
  • Disadvantage: high false alarm rate

17
ID Techniques: Signature-based
  • Find specific event sequences (signatures) by
    scanning system activities
  • Event: a generic system activity, such as
    deleting a file or sending an e-mail
  • Types
  • Rule-based
  • State-transition analysis
  • Pattern matching
  • Can detect known intrusion patterns efficiently,
    but not unknown intrusion patterns and variants
    of intrusion signatures.

18
Rule-based Intrusion Detection
  • Based on expert system
  • Most basic signature-based IDS
  • If condition, then action
  • Condition specifies constraints on audit record
  • Action specifies action to be taken if condition
    is satisfied.

19
Rule-based Intrusion Detection (cont.)
  • Observe events happening on system
  • Apply rules to decide if activity is suspicious
  • Rule-based Anomaly Detection
  • Generating rules involves analysis of audit data
    and identification of usage patterns
  • Observe current data and match data against rules
    to see if it conforms to abnormal behavior
  • Example: If a server finds that 40% of the
    packets received are Internet Control Message
    Protocol (ICMP) echo requests from diverse
    sources, it may be regarded as a DoS attack.
    Rule: Percentage of echo requests in ICMP > 40%
    => DoS attack happens
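The ICMP rule on this slide written out as an "if condition, then action" rule and evaluated over constructed packet records. This is an added example, not from the slides; the record format, the sample traffic and the "more than 10 distinct sources" reading of "diverse sources" are assumptions.

```python
# Constructed audit records: (protocol, icmp_type, source). ICMP type 8 = echo request.
SAMPLE = (
    [("icmp", 8, f"198.51.100.{i}") for i in range(1, 46)]  # 45 echo requests, 45 sources
    + [("tcp", None, "203.0.113.7")] * 40                   # 40 TCP packets
    + [("icmp", 0, "203.0.113.9")] * 15                     # 15 echo replies
)

def echo_request_ratio(records):
    """Share (in percent) of all received packets that are ICMP echo requests."""
    if not records:
        return 0.0
    echo = sum(1 for proto, typ, _ in records if proto == "icmp" and typ == 8)
    return 100.0 * echo / len(records)

def distinct_echo_sources(records):
    """Number of distinct sources sending echo requests ("diverse sources")."""
    return len({src for proto, typ, src in records if proto == "icmp" and typ == 8})

RULES = [
    # (name, condition over the audit records, action taken when the condition holds)
    ("icmp-echo-flood",
     lambda recs: echo_request_ratio(recs) > 40 and distinct_echo_sources(recs) > 10,
     lambda recs: f"DoS attack suspected: {echo_request_ratio(recs):.0f}% echo requests "
                  f"from {distinct_echo_sources(recs)} sources"),
]

def apply_rules(records, rules=RULES):
    """Rule-based detection: evaluate each rule's condition; run its action if satisfied."""
    return [action(records) for name, cond, action in rules if cond(records)]

if __name__ == "__main__":
    for alert in apply_rules(SAMPLE):
        print(alert)
```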

20
Strengths and Drawbacks of Rule-based Intrusion Detection
  • Strengths
  • The inference engine is simple
  • The system is powerful at detecting the intrusions
    specified in those rules
  • Easy to implement
  • Limitations
  • Direct dependence on audit records.
  • Rules are created using audit records of known
    penetrations.
  • Slight variations in attacks could leave a
    penetration undetected.
  • If someone changes audit trail, penetration may
    not be detected.
  • Difficult for distributed processing

21
State Transition Analysis
  • State is a snapshot of the system with all the
    volatile and permanent memory locations.
  • State represents some attribute of system not
    whole system state
  • State is generic, e.g. user is root now
  • Transition is an action that changes the state.
  • Penetration is viewed as a sequence of actions
    performed by an attacker that leads from an
    initial state to a compromised (insecure) state.
  • Penetration sequence represented by finite state
    machine
  • node is a state
  • arc is an action (or transition)
  • Signature actions are a sequence of identified
    actions which will trigger transition from one
    state to another.

22
State Transition Analysis (cont.)
  • Information retrieved from audit data is
    represented graphically in a State Transition
    Diagram
  • As actions of an intrusion are completed one by
    one, the target machine changes its state from
    one state to another when certain actions are
    performed. When the machine changes from some
    normal state to a compromised state, an intrusion
    is detected and reported
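A penetration signature as a finite state machine in the state transition analysis style of slides 21 and 22: nodes are states, arcs are predicates on audit events, and reaching the compromised state raises the report. This is an added example, not from the slides; the state names, the audit-event fields, the authorized-escalation list and the sample trails are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    kind: str        # "login", "exec" or "setuid" (constructed event vocabulary)
    user: str
    euid: int        # effective uid after the event; 0 means "user is root now"
    program: str = ""

# Programs through which becoming root is expected (assumption for the example).
AUTHORIZED_ESCALATION = {"/bin/su", "/usr/bin/sudo"}

# Signature: state -> list of (predicate on event, next state).
# A state records only the attribute of interest ("is the user root now?"),
# not the whole machine state.
SIGNATURE = {
    "initial": [(lambda e: e.kind == "login" and e.euid != 0, "logged_in")],
    "logged_in": [
        (lambda e: e.kind == "exec" and e.program in AUTHORIZED_ESCALATION,
         "authorized_escalation"),
        (lambda e: e.kind == "setuid" and e.euid == 0, "compromised"),
    ],
    "authorized_escalation": [
        (lambda e: e.kind == "setuid" and e.euid == 0, "root_authorized"),
    ],
}
FINAL = {"compromised"}   # insecure states that trigger a report

def analyze(events):
    """Walk the FSM over one audit trail. Returns (intrusion_detected, state path)."""
    state, path = "initial", ["initial"]
    for e in events:
        for pred, nxt in SIGNATURE.get(state, []):
            if pred(e):                 # first matching arc fires the transition
                state = nxt
                path.append(nxt)
                break
        if state in FINAL:
            return True, path
    return False, path

# Constructed audit trails: root reached via su, and root reached via an unknown program.
BENIGN = [Event("login", "alice", 1000), Event("exec", "alice", 1000, "/bin/su"),
          Event("setuid", "alice", 0, "/bin/su")]
SUSPECT = [Event("login", "bob", 1001), Event("exec", "bob", 1001, "/tmp/helper"),
           Event("setuid", "bob", 0, "/tmp/helper")]
```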

23
Strengths and Drawbacks of State Transition Analysis
  • Strengths
  • State Transition Analysis identifies a number of
    signature actions and represents them visually.
  • State Transition Diagram identifies precisely the
    requirements and penetrations
  • Lists of actions that must occur for completion
    of certain penetration.
  • Provide efficient reasoning support.
  • Drawbacks
  • It cannot represent complex intrusion scenarios.

24
Pattern Matching Approach
  • Each intrusion signature is represented as a
    Petri net
  • A Petri net is a graphical and mathematical
    modeling tool. It consists of places,
    transitions, and arcs that connect them. Input
    arcs connect places with transitions, while
    output arcs start at a transition and end at a
    place.
  • Has strong expressive power

(Reference: James L. Peterson, Petri Net Theory and
the Modeling of Systems)
25
Pattern Matching Approach (cont.)
  • Characteristics of patterns used to model attacks
  • Linearity: Specifies a sequence of events
    comprising the signature pattern, i.e. a
    sequence of events without conjunction or
    disjunction.
  • Unification: Instantiates variables to earlier
    events and matches these events to later
    occurring events.
  • Occurrence: Specifies the relative placement in
    time of an event with respect to the previous
    events.
  • Beginning: Specifies the absolute time of match
    of the beginning of a pattern.
  • Duration: Specifies constraints on the time
    duration for which the event must be active.

Reference: S. Kumar, E. H. Spafford, An
Application of Pattern Matching in Intrusion
Detection, http://www.csee.umbc.edu/cadip/docs/NetworkIntrusion/pattern.pdf
26
Pattern Matching Approach (cont.)
  • Use Petri nets to capture
  • Each signature corresponds to a particular Petri
    net automaton
  • Nodes represent tokens; edges represent
    transitions
  • Final state of signature is a compromised state
  • Generate an intrusion pattern
  • Identify existence of files or other entities
    created by an attacker
  • Identify a sequence of events
  • Identify two or more sequences of events under
    temporal relation
  • Identify duration of events
  • Identify interval of events
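A two-transition Petri-net signature matched against a constructed audit stream, illustrating the unification, occurrence and duration characteristics from slide 25 and the "sequence of events under temporal relation" from this slide. This is an added example, not from the slides or the Kumar/Spafford paper; the signature (a file created by one user and executed by a different user within 60 seconds), the event fields and the sample events are assumptions.

```python
# A token is the set of variable bindings made so far. A transition guard either
# extends the bindings (unification) or rejects the event (returns None).
def guard_create(event, bindings):
    if event["op"] == "create":
        return {"F": event["file"], "U": event["user"], "T0": event["t"]}
    return None

def guard_exec_by_other(event, b):
    # Unification: the file must be the one bound to F earlier.
    # Occurrence: a different user acts after the create.
    # Duration: the exec happens within 60 s of the bound start time T0.
    if (event["op"] == "exec" and event["file"] == b["F"]
            and event["user"] != b["U"] and 0 <= event["t"] - b["T0"] <= 60):
        return {**b, "U2": event["user"]}
    return None

# Net: (input place, guard, output place). A token reaching "final" is a match,
# i.e. the signature's compromised state.
TRANSITIONS = [("start", guard_create, "created"),
               ("created", guard_exec_by_other, "final")]

def match(events):
    """Feed audit events through the net; return the bindings of every full match."""
    marking = {"start": [{}], "created": [], "final": []}
    for ev in events:
        for src, guard, dst in TRANSITIONS:
            for token in list(marking[src]):
                new = guard(ev, token)
                if new is not None:
                    marking[dst].append(new)
                    if src != "start":     # the start token stays, so each create
                        marking[src].remove(token)   # can begin a new pattern instance
    return marking["final"]

# Constructed audit stream (t in seconds).
EVENTS = [
    {"t": 0,   "op": "create", "file": "/tmp/job.sh", "user": "alice"},
    {"t": 30,  "op": "exec",   "file": "/tmp/job.sh", "user": "alice"},  # same user: no match
    {"t": 45,  "op": "exec",   "file": "/tmp/job.sh", "user": "bob"},    # other user, in window
    {"t": 100, "op": "create", "file": "/tmp/other",  "user": "carol"},
    {"t": 200, "op": "exec",   "file": "/tmp/other",  "user": "dave"},   # 100 s later: too late
]
```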

27
Strengths and Drawbacks of Pattern Matching Approach
  • Strengths
  • Rule-based sequential patterns detect anomalous
    activities that are difficult to detect with
    traditional methods.
  • Systems built using this model are highly
    adaptive to changes by users: if a new pattern is
    found, it is easy to define it as a Petri net.
  • Anomalous activities detected and reported within
    seconds of receiving audit events.
  • Drawbacks
  • Requires experience to generate rules
  • Difficult to verify the completeness of the rule set

28
References
  • Matt Bishop, Introduction to Computer Security,
    Addison-Wesley, 2004, ISBN 0321247442
    (textbook1)
  • Matt Bishop, Computer Security: Art and Science,
    Addison-Wesley, 2002, ISBN 0201440997
    (textbook2)
  • M. Merkow, J. Breithaupt, Information Security:
    Principles and Practices, Prentice Hall, August
    2005, 448 pages, ISBN 0131547291
  • James L. Peterson, Petri Net Theory and the
    Modeling of Systems
  • S. Kumar, E. H. Spafford, An Application of
    Pattern Matching in Intrusion Detection.
    Available at http://www.csee.umbc.edu/cadip/docs/NetworkIntrusion/pattern.pdf