Intrusion Detection Systems - PowerPoint PPT Presentation
1
Intrusion Detection Systems
  • Presented By Siddharth Maini

2
Contents
  • Why IDS?
  • What are Intrusion Detection Systems?
  • Types of Intrusion Detection Systems
  • Network-Based
  • Host-Based
  • Decoys
  • Signature-Based
  • Anomaly-Based
  • Anomaly-based Vs. Other forms of Intrusion
    Detection Systems
  • Behavior Anomaly-based
  • Traffic Anomaly-based
  • Protocol Anomaly
  • Protocol Based Vs. Signature-Based Systems
  • Justification
  • Deploying IDS
  • Conclusion
  • References

3
Why IDS?
  • Rapid growth of networking technologies has led
    to an increase in the number of security
    challenges
  • To meet such challenges, firewalls & other
    controls can impede unauthorized access to the
    resources to some extent
  • But they are limited in preventing hackers from
    launching Trojans, Worms & many other malicious
    attacks
  • So going an extra step against unauthorized
    access led to the development of IDS

4
What are Intrusion Detection Systems?
  • They monitor & analyze events that occur on a
    network or system by looking for intrusion
    attempts
  • They can respond to attacks in real time
  • They work like burglar alarms by alerting
    administrators of any unusual activity
  • They provide different functions based on the
    type of network infrastructure
  • They also simplify the task of verifying &
    categorizing threats in the form of reports to
    the executive management

5
(Contd.)
  • Companies should invest in an IDS which
    • IS NOT difficult to support
    • DOES NOT report a large number of false positives
    • SHOULD keep up with the network speed
  • False positives are attack alerts generated for
    events that in reality were not attacks
  • Because of this, an IDS which generates a large
    number of false positives is difficult to manage
  • As a result the systems administrator might
    start ignoring alerts because they look like
    false positives
  • This might lead to a compromise of the company's
    network.

6
Types of Intrusion Detection Systems
  • Network-Based
    • They capture & analyze packets that pass on the
      network segment by placing the network interface
      card in promiscuous mode
    • Each sensor looks at packets that are carried on
      the network segment to which the sensor is
      connected
    • When a predefined condition occurs, the
      administrator is notified
    • A typical network deployment consists of one or
      more sensors performing local analysis &
      reporting attack information back to a
      centralized console
    • E.g. reporting DoS attacks
  • Host-Based
    • Software needs to be loaded directly on the host
      to be monitored
    • The software monitors system files, processes,
      and log files for suspicious activity, such as
      a change in file size / attributes or the
      creation of new files
    • Some host-based IDSs can monitor for changes in
      user privileges.
    • Gaining higher-level privileges or setting up new
      user accounts is a common approach used by an
      adversary on the internal network.
    • On critical servers, detection of this kind of
      abuse is important and needs to be monitored
      directly on the host.
    • Therefore, a combination of host-based and
      network-based detection on large networks is
      recommended
    • False positives can occur when an authorized user
      changes a monitored file
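
The host-based checks above (file size / attribute changes, new files) can be illustrated with a small file-integrity monitor. This is an added example, not code from the presentation: it takes a baseline snapshot of size, permission bits and SHA-256 for every file under a directory, then reports new, deleted and modified files. The directory layout and the simulated changes in demo() are constructed for the illustration; the appended account line is the kind of "new user account" change the slide mentions, and the permission change on hosts is the kind of edit an authorized administrator might also make, which is where the false positives the slide warns about come from.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record size, permission bits and SHA-256 of every regular file under root."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return baseline


def compare(baseline, current):
    """Classify differences between two snapshots as new / deleted / modified."""
    findings = {"new": [], "deleted": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings["new"].append(rel)
        elif rel not in current:
            findings["deleted"].append(rel)
        else:
            before, after = baseline[rel], current[rel]
            changed = [k for k in ("size", "mode", "sha256") if before[k] != after[k]]
            if changed:
                findings["modified"].append((rel, changed))
    return findings


def demo():
    """Constructed scenario: baseline, then an appended line, a chmod and a new file."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(etc / "hosts", 0o644)          # fix the mode so the later change is deterministic
        baseline = snapshot(root)

        # Simulated host activity after the baseline was taken (constructed).
        with open(etc / "passwd", "a") as f:
            f.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")   # new account line
        os.chmod(etc / "hosts", 0o666)                                 # attribute change
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "job").write_text("0 * * * * root /usr/bin/true\n")  # new file

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

A real deployment would store the baseline somewhere the monitored host cannot rewrite it, and would re-baseline after approved changes so that legitimate edits do not keep raising alerts.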

7
(Contd.)
  • Decoys
  • A decoy, also called a honeypot, is a system
    that, when installed on a critical network, is
    designed to lure a potential hacker away from
    other more important systems on that network.
  • As a result, the attacker grabs the bait, and the
    system administrator is warned of unauthorized
    activity in this zone.
  • Decoys are placed throughout corporations and
    financial institutions in conjunction with
    network-based and host-based IDSs.
  • Decoys involve designing a system considered to
    be of interest to a potential attacker.
  • The system needs to look real, have real data,
    and have enticing enough data to keep the
    attacker around while capturing his moves.
  • The skill of the attacker can be learned once
    captured.
  • Ideally, once the attacker is in the decoy,
    tracking him or her back to the real source of
    the attack, and then watching and recording
    (digitally stamping) every keystroke, prepares
    you with evidence to capture the attacker and
    take legal action

8
(Contd.)
  • Signature-Based Detection
  • They use a signature-based method that works like
    an antivirus
  • They examine the network packets & traffic for
    specific patterns of attack.
  • Signatures must be developed specifically for the
    attack so the IDS can recognize the attack. These
    systems require large signature databases so that
    every packet can be compared to the database.
  • One of the greatest challenges of these systems
    is they must have advance knowledge of the attack
    to be detected.
  • As new attacks are discovered every day,
    intrusion detection systems which rely solely on
    this approach will always be out of date.
  • The other challenge for these systems is keeping
    up with the speed of the network.
  • As network speeds increase, the sensors lack the
    resources to look at every packet, so some
    packets are discarded.
  • As a result, the attacks could easily go unnoticed
    by the IDS.
  • In addition, higher speeds can increase the false
    positive rate

9
Anomaly Based Detection
  • General Idea
  • An anomaly is defined as something different,
    abnormal, peculiar, or not easily classified
  • In the context of computer security, an anomaly
    can be defined as some action or data that is not
    considered normal for a given system, user, or
    network
  • It can include things such as traffic patterns,
    user activity, and application behavior
  • The general approach used by anomaly detection is
    that something (i.e., a network, a host, a set of
    users, etc.) is observed and compared against
    expected behavior.
  • If there is a variation from the expected, that
    variation is flagged as an anomaly.
  • One key difference between anomaly detection and
    other forms of detection is that, rather than
    defining what is not allowed or bad, it defines
    what is allowed or good.

10
Anomaly-based Vs. Other forms of IDS
  • Other forms of detection compare observed
    behavior with something known to be bad
  • They are also referred to as explicit detection
    systems as they operate well when the number of
    possible bad behaviors is small and does not
    change very rapidly.
  • In larger systems with greater variation, these
    conditions do not hold.
  • It becomes a very tedious task to maintain the
    list of what is bad

11
Anomaly Detection
  • Anomaly detection relies on having some
    definition of allowed behavior
  • The definition of what is allowed tends to be
    much shorter.
  • It also tends not to require changes as new
    problems are created or discovered
  • Anomaly detection systems monitor networks for
    two primary criteria
  • Characteristic deviation
  • Statistical deviation
  • Characteristic deviations tend to be more
    qualitative. For example, "User joe123 does not
    normally transfer files outside of the company."
  • Statistical deviations tend to be more
    quantitative. For example, "This site's ICMP
    traffic never exceeds 15% of capacity."
  • Anomaly Detection Approaches
  • Behavioral
  • Traffic pattern
  • Protocol

12
Behavioral anomaly systems
  • They look for anomalies in behavior
  • They may also cover some statistical criteria
  • What type of applications & protocols are used at
    various times of day
  • Relationships between source & destination
    networks
  • What types of e-mail attachments are sent
  • E.g. Credit card fraud systems to monitor credit
    card usage
  • E.g. Detection of excessive use, detection of use
    at unusual hours and detection of changes in
    system calls made by user processes.
  • Such systems can be constructed to detect very
    subtle qualitative anomalies
  • But are difficult to design as user behavior
    might change

13
Traffic pattern anomaly systems
  • They look for anomalies of network traffic
    patterns
  • They are primarily statistical in nature
  • E.g. Simple Network Management Systems /
    Denial-of-Service monitoring systems
  • Disadvantage is that they are often unable to
    detect subtle quantitative or most qualitative
    anomalies.
  • They also present some difficulties in defining a
    reliable baseline upon which to perform the
    statistical analysis.
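
Slides 11 through 13 describe two kinds of criteria, a characteristic rule ("user joe123 does not normally transfer files outside of the company") and a statistical rule ("ICMP traffic never exceeds 15% of capacity"), and note that the statistical kind depends on a reliable baseline. The example below, added here and not part of the presentation, builds both from a training window and then evaluates a later observation window: the characteristic profile records where each user's transfers normally go, and the statistical baseline combines the fixed 15%-of-capacity rule with a learned mean-plus-three-sigma band. The link capacity, the address ranges used to decide "internal", and all transfer and ICMP records are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

CAPACITY_BPS = 1_000_000            # assumed link capacity (constructed)
ICMP_LIMIT = 0.15                   # "ICMP traffic never exceeds 15% of capacity"
INTERNAL_PREFIXES = ("10.", "192.168.")   # assumed company address space


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def learn_transfer_profile(training):
    """Characteristic baseline: for each user, the destination kinds seen in training."""
    profile = defaultdict(set)
    for user, dst in training:
        profile[user].add("internal" if is_internal(dst) else "external")
    return profile


def characteristic_deviations(profile, transfers):
    """Flag transfers whose destination kind is not in the user's profile."""
    alerts = []
    for user, dst in transfers:
        kind = "internal" if is_internal(dst) else "external"
        if kind not in profile.get(user, set()):
            alerts.append((user, dst, kind))
    return alerts


def learn_icmp_baseline(training_bps):
    """Statistical baseline: mean and population std-dev of ICMP bytes/s per interval."""
    return mean(training_bps), pstdev(training_bps)


def statistical_deviations(baseline, observed_bps, sigmas=3.0):
    """Return (intervals over the fixed capacity rule, intervals over the learned band)."""
    mu, sigma = baseline
    cap_hits = [i for i, bps in enumerate(observed_bps) if bps > ICMP_LIMIT * CAPACITY_BPS]
    band_hits = [i for i, bps in enumerate(observed_bps) if bps > mu + sigmas * sigma]
    return cap_hits, band_hits


# Constructed training window and a later observation window.
TRAINING_TRANSFERS = [("joe123", "10.0.0.5"), ("joe123", "192.168.1.9"), ("ann", "203.0.113.7")]
OBSERVED_TRANSFERS = [("joe123", "198.51.100.4"), ("ann", "203.0.113.8"), ("joe123", "10.0.0.6")]
TRAINING_ICMP_BPS = [20000, 25000, 22000, 24000, 21000]     # quiet, ~2% of capacity
OBSERVED_ICMP_BPS = [23000, 160000, 30000, 21000]           # one flood, one mild rise


def demo():
    profile = learn_transfer_profile(TRAINING_TRANSFERS)
    icmp_baseline = learn_icmp_baseline(TRAINING_ICMP_BPS)
    return {
        "characteristic": characteristic_deviations(profile, OBSERVED_TRANSFERS),
        "statistical": statistical_deviations(icmp_baseline, OBSERVED_ICMP_BPS),
    }


if __name__ == "__main__":
    print(demo())
```

The interval at 160000 bytes/s trips both the fixed rule and the learned band, while the 30000 bytes/s interval trips only the learned band; whether the latter is worth an alert is exactly the baseline question slide 13 raises, since a training window that already contained a burst would widen the band and hide it.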

14
Protocol Anomaly IDS
  • It focuses on the content of the network
    communications at the protocol level.
  • As many attacks target protocols such as Telnet,
    HTTP, RPC, and SMTP.
  • Packets are statefully inspected in the context
    of previous packets transmitted in the same
    conversation.
  • As a conversation progresses, it is evaluated by
    a protocol state machine to determine if the
    protocol has been abused in any way.
  • The state machines are derived from the RFC
    protocol standards.
  • Common misuses of the protocols are also built
    into the state machines to allow for legitimate
    network traffic that deviates from the protocol
    standards.
  • Attackers can use certain programming errors
    (buffer overflows) to compromise or damage a
    system.
  • These attacks exploit poor programming practices
    and are quite common.
  • When protocol rules are modeled directly in the
    sensors, it is easy to identify traffic that
    violates the rules, such as unexpected data,
    extra characters, and invalid characters.

15
Protocol Based Vs. Signature-Based Systems
  • Protocol anomaly detection eliminates the need
    for extensive attack-signature databases
  • Watching for protocol anomalies is a more
    effective method of attack detection than
    watching for attack signatures as new attack
    methods and exploits are constantly being
    discovered.
  • By contrast, new protocols and extensions to
    existing protocols are developed more slowly.
  • The rules to ensure that a conversation is
    adhering to the protocol standards are specified
    in the protocol RFCs.
  • Given the types of attacks to date, experience
    shows that 80% of attacks violate protocol rules.
  • Hackers develop programs that attack poorly
    defined areas of a protocol
  • Attacks can be spotted easily by
    protocol-anomaly-based IDSs.
  • E.g.
  • Protocol-anomaly IDSs detected Code Red attacks,
    unlike signature-based systems, which had to wait
    for an update to detect the attacks while leaving
    the firm at risk.
  • The Code Red attack violated the HTTP protocol
    because it uses a GET request to post and execute
    malicious code on the victim server.
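
Slide 14 describes a protocol state machine derived from the RFCs, with common legitimate deviations built in, and slide 15 gives the Code Red example of a GET request carrying a body. The example below, added here and not code from the presentation, is a minimal state machine for the client side of one HTTP/1.x request: it walks REQUEST_LINE, HEADERS and BODY, checks each field against the RFC 3986 URI character set and the RFC 7230 token grammar, tolerates bare-LF line endings as a known deviation, and flags a body on a GET/HEAD request. MAX_URI is an assumed sensor limit, not an RFC value, and both sample requests are constructed.

```python
import re

METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
URI_RE = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")  # RFC 3986 characters
VERSION_RE = re.compile(r"^HTTP/\d\.\d$")
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")       # RFC 7230 token
MAX_URI = 2048                                                  # assumed sensor limit


def check_request(raw):
    """Walk one request through REQUEST_LINE -> HEADERS -> BODY; return rule violations."""
    anomalies = []
    text = raw.decode("latin-1")                   # byte-preserving decode
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:                                    # tolerated deviation: bare LF endings
        head, sep, body = text.partition("\n\n")
    lines = head.replace("\r\n", "\n").split("\n")
    state = "REQUEST_LINE"
    method, content_length = None, 0
    for line in lines:
        if state == "REQUEST_LINE":
            parts = line.split(" ")
            if len(parts) != 3:
                anomalies.append("request line does not have three space-separated fields")
                return anomalies                   # cannot continue the state machine
            method, uri, version = parts
            if method not in METHODS:
                anomalies.append(f"unknown method {method!r}")
            if not URI_RE.match(uri):
                anomalies.append("invalid characters in request URI")
            if len(uri) > MAX_URI:
                anomalies.append(f"request URI longer than {MAX_URI} bytes")
            if not VERSION_RE.match(version):
                anomalies.append("malformed HTTP version")
            state = "HEADERS"
        elif state == "HEADERS":
            if not line:
                continue
            name, colon, value = line.partition(":")
            if not colon:
                anomalies.append("malformed header line")
                continue
            if not TOKEN_RE.match(name):
                anomalies.append("invalid characters in header name")
            if name.lower() == "content-length":
                if value.strip().isdigit():
                    content_length = int(value.strip())
                else:
                    anomalies.append("non-numeric Content-Length")
    # BODY state: only methods that carry a body should have one.
    if method in ("GET", "HEAD") and (content_length > 0 or body):
        anomalies.append("body on GET/HEAD request")
    return anomalies


# Constructed sample requests: one well-formed, one with an over-long URI containing
# control bytes plus a body on a GET, and one with an incomplete request line.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
ANOMALOUS = (b"GET /search?q=" + b"A" * 3000 + b"\x01\x02 HTTP/1.0\r\n"
             b"Content-Length: 12\r\n\r\nhello world!")
TRUNCATED = b"GET /index.html\r\n\r\n"


if __name__ == "__main__":
    for sample in (NORMAL, ANOMALOUS, TRUNCATED):
        print(check_request(sample) or ["ok"])
```

None of these rules name a specific exploit; they only encode what the protocol permits, which is why slide 15 can claim that such a sensor needs no signature update for a new attack that breaks the grammar. In the event classes of slide 18 these findings would be reported as Protocol Anomaly at MEDIUM priority.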

16
Protocol Based Vs. Signature-Based Systems
17
Justification for Anomaly-Based Systems
  • A firm must know the moment it is under attack.
  • Between the launch of a new attack and the time
    when the security community becomes aware of it
    (and develops countermeasures), an attacker can
    take advantage of that window of opportunity to
    penetrate existing defenses.
  • Threats at this point in their life cycle are
    called zero-day attacks. Because they are not
    publicly known, they are not yet reflected in
    detection signatures and can sidestep existing
    defenses.
  • This is a powerful reason for a firm to deploy
    protocol detection.
  • On the other hand, signature-based systems must
    wait for an update before they become able to
    detect the new attacks.

18
Deploying IDS
  • Six events that a good IDS should report
    • Intrusion attempt
    • Distributed Denial-of-Service (DDoS)
    • Denial-of-Service (DoS)
    • Suspicious Activity
      • Port scanning activity
      • Failed access attempts
    • Protocol Anomaly
    • Network event
      • Can be any event other than the above
      • E.g. false positives
  • Logging should always be turned ON for all
    attacks, especially buffer overflow attacks.
  • Intrusion attempts, DDoS and DoS attacks alert as
    HIGH priorities.
  • Suspicious activity and protocol anomalies alert
    as MEDIUM priorities.
  • Network events alert as LOW priority.

19
Deployment in a Simplified Network
  • To protect stop the enterprise IDSes from
    monitoring the traffic at these remote sites.
  • Might be used to cover e-business connections to
    partner sites
  • This is where the enterprise's services for / to
    access the outside world are kept, including web
    servers, FTP servers and email servers
  • Allows the IDS to provide information about the
    network traffic and activity that affects these
    outward-facing servers
  • The majority of attacks are denial of service, web
    exploits and email attacks
  • Provides information about attackers
  • This might be used to take legal action against
    them

For the protection of mission critical servers
like ERP, CRM, PDM and accounting systems.
  • This is a central chokepoint of aggregate traffic
    that passes into and out of the enterprise
    private network.
  • In case only one IDS can be afforded, this is the
    place to put it.
  • This position allows the IDS to sound an alarm
    in case something has made it through the
    firewall and into the private network.

20
Conclusion
  • A mix of different IDS should be used at various
    different locations in the company's enterprise
    server
  • Explicit IDS systems should be updated regularly
    with signatures etc.
  • IDS should be implemented with respect to
    priorities
  • In the case of a Protocol Anomaly-based IDS, start
    with a network diagram & make a list of all
    protocols that pass each aggregate point in the
    network
  • Observe the traffic for unknown protocols for
    some time & add them to the list of known
    protocols
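
The last two points of the conclusion are a procedure: list the protocols seen at each aggregate point, watch for unknown ones, and fold the legitimate ones into the list after observing them for a while. The example below, added here and not code from the presentation, carries that procedure out over flow records of the form (aggregate point, transport protocol, destination port): a learning phase records what is known per point, an observation phase raises a Protocol Anomaly alert at the MEDIUM priority from slide 18 for anything else and counts it, and a review step lists unknown protocols seen often enough to be worth adding. The aggregate point names, the ports and every flow record are constructed.

```python
from collections import Counter, defaultdict


class ProtocolInventory:
    """Per-aggregate-point list of known protocols, built from observed traffic."""

    def __init__(self):
        self.known = defaultdict(set)        # point -> {(proto, port)}
        self.pending = defaultdict(Counter)  # point -> count of each unknown (proto, port)

    def learn(self, flows):
        """Initial phase: everything seen at a point goes on that point's known list."""
        for point, proto, port in flows:
            self.known[point].add((proto, port))

    def observe(self, flows):
        """Later phase: alert on traffic not in the point's list and count it for review."""
        alerts = []
        for point, proto, port in flows:
            key = (proto, port)
            if key in self.known[point]:
                continue
            self.pending[point][key] += 1
            alerts.append({"event": "Protocol Anomaly", "priority": "MEDIUM",
                           "point": point, "proto": proto, "port": port})
        return alerts

    def review(self, min_count=3):
        """Unknown protocols seen at least min_count times: candidates for the known list."""
        report = {}
        for point, counter in self.pending.items():
            candidates = [key for key, n in counter.items() if n >= min_count]
            if candidates:
                report[point] = candidates
        return report

    def accept(self, point, proto, port):
        """Administrator decision: move a reviewed protocol onto the known list."""
        self.known[point].add((proto, port))
        self.pending[point].pop((proto, port), None)


# Constructed flow records for three aggregate points.
LEARNING_FLOWS = [
    ("internet-edge", "tcp", 80), ("internet-edge", "tcp", 443), ("internet-edge", "tcp", 25),
    ("dmz", "tcp", 80), ("dmz", "tcp", 21),
    ("internal", "tcp", 1433), ("internal", "udp", 53),
]
LATER_FLOWS = [
    ("internet-edge", "tcp", 443),
    ("dmz", "udp", 161), ("dmz", "udp", 161), ("dmz", "udp", 161),   # repeated, likely legitimate
    ("internal", "tcp", 3389),                                        # seen once, needs a look
]


def demo():
    inventory = ProtocolInventory()
    inventory.learn(LEARNING_FLOWS)
    alerts = inventory.observe(LATER_FLOWS)
    return inventory, alerts


if __name__ == "__main__":
    inv, alerts = demo()
    for a in alerts:
        print(a)
    print("review candidates:", inv.review())
```

The learning phase trusts whatever it sees, so it should run while the network is believed clean and the resulting list should be checked against the network diagram before the observation phase starts; otherwise an attacker's protocol that was already present becomes part of "normal".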

21
References
  • White Paper: Comprehensive Intrusion Protection
    Solutions from Symantec
  • White Paper: Intrusion Detection Systems:
    Defining Protocol Anomaly Detection
  • SANS GSEC Practical Assignment v. 1.4b by German
    Rincon
  • A Justification for Intrusion Detection by Linda
    McCarthy
  • http://www.intrusion.com/products/download/Deploying_and_Tuning_NIDS.pdf
  • Principles of Information Security by Michael
    Whitman & Herbert J. Mattord