91.580.203 Computer - PowerPoint PPT Presentation

About This Presentation
Title:

91.580.203 Computer

Description:

What is happening within your code? ... A malicious code. A new return address (pointing to the malicious code) By Dr. Xinwen Fu ... – PowerPoint PPT presentation

Slides: 31
Provided by: xinw
Learn more at: https://www.cs.uml.edu
Tags: computer


Transcript and Presenter's Notes

1
91.580.203 Computer Network Forensics
  • Overview of Intrusion Detection/Prevention
  • Xinwen Fu

2
Outline
  • What is intrusion detection
  • Host, Network & Perimeter Detection
  • The Emergence of Intrusion Prevention
  • Real-World Examples
  • Future Directions

3
A Big Picture of Cyber Space
(Network diagram: the TAMU and UML campuses connected
through the Internet; the labelled components are a
router, a firewall, an intrusion detection system and a
switch. Source: http://www.inmon.com/tutorials/ids.php)
4
What is Intrusion Detection?
  • "a process of identifying and responding to
    malicious activity targeted at computing and
    networking resources"

5
A Brief History of Intrusion Detection
Host > Network > Perimeter
  • 1970s: Rudimentary audit-trail analysis
  • 1980s: Signature-based expert systems
  • 1990s: Explosion of available IDS systems
  • 2000s:
      • Emergence of Active IDS
          • Intrusion Detection and Prevention (IDP)
          • Intrusion Prevention Systems (IPS)
      • Convergence of technologies
          • Firewall + IDP + Anti-Virus
          • Appliances and security switches

6
A Sample Intrusion Detection System (IDS)
7
Outline
  • What is intrusion detection
  • Host, Network & Perimeter Detection
  • The Emergence of Intrusion Prevention
  • Real-World Examples
  • Future Directions

8
(Diagram: the TAMU and UML campuses reach the Internet
through their ISPs, Mid-Continent and ComCast)
9
HIDS Host-Based Intrusion Detection System
  • HIDS resides on a single host system
  • System analyzes:
      • Network packets entering and leaving the host
      • Audit trails and log files on the host
      • Processes and systems running on the host
  • Recent advances in intrusion prevention:
      • Protocol enforcement
      • Stack enforcement
      • File checksum monitoring
      • All of these attempt to protect against
        exploitation of software vulnerabilities by
        buffer overflow or protocol anomalies

10
Buffer overflows
  #include <string.h>
  int main(int argc, char *argv[])
  {
      char buffer[512];
      if (argc > 1)
          strcpy(buffer, argv[1]);  /* no bounds check: an argument of 512 bytes or more overruns buffer */
  }

11
What is happening within your code?
  • The stack is used to store local variables and the
    return address (where your function should return
    when it finishes)
  • An attacker's input consists of:
      • Malicious code
      • A new return address (pointing to the malicious
        code), which overwrites the saved one when the
        copy runs past the end of the buffer

12
Where is the HIDS on the Internet?
(Diagram: the same topology as slide 8, Mid-Continent,
ComCast, TAMU and UML, with the HIDS position marked)
13
NIDS Network-Based Intrusion Detection System
  • NIDS listens to the entire network segment
  • System analyzes:
      • Network packets passing along the network cable
      • Audit trails and log files sent to the NIDS by
        hosts
      • Processes and systems running on the network
        hosts
  • Recent advances in intrusion prevention:
      • Active rules to shut down connections
      • Integration with firewalls to disable attackers
      • Data mining to summarize the events

14
Where is the NIDS on the Internet?
(Diagram: the same topology as slide 8, Mid-Continent,
ComCast, TAMU and UML, with the NIDS position marked)
15
PIDS Perimeter-Based Intrusion Detection System
  • PIDS resides on a gateway/edge router
  • System analyzes:
      • Network packets passing through the gateway
      • Audit trails and log files on the gateway
      • Processes and systems running on the gateway
  • Recent advances in intrusion prevention:
      • Actively blocking known malicious attacks
      • Zero-latency blocking

16
Where is PIDS on the Internet?
(Diagram: Mid-Continent, Prairiewave, TAMU and DSU,
with the PIDS position marked at the gateway)
17
Outline
  • What is intrusion detection
  • Host, Network & Perimeter Detection
  • The Emergence of Intrusion Prevention
  • Real-World Examples
  • Future Directions

18
Throughput - Real Time Intrusion Detection
  • Current technology can perform at gigabit speeds
  • To exceed that speed, there are various options:
      • Software
          • Signature sets, based on protocol
          • Optimization: reducing the amount of traffic
            that has to be scanned
      • Hardware
          • Co-processor chips: ASIC (application-specific
            integrated circuit) or others
          • Faster main processors
  • This is important for host and network IDP
  • But for perimeter IDP, how fast is your ISP link?

19
The Emergence of Intrusion Prevention
  • If you detect an attack and know it's an attack,
    it seems sensible to block it
  • However, three problems are apparent:
      • False positives (false alarms): blocking normal
        traffic
      • Denial of service: blocking spoofed hosts (a
        forged source address gets a legitimate host
        blocked)
      • Latency: delays in blocking limit effectiveness
  • Evolution of the technology, and the merging of
    firewall and IDP functionality, is solving these
    problems

20
A Big Picture of Intrusion Detection and Prevention
Working Together
(Diagram of the detection and prevention components;
the only label that survived extraction is "Prevent")
21
Outline
  • What is intrusion detection
  • Host, Network & Perimeter Detection
  • The Emergence of Intrusion Prevention
  • Real-World Examples
  • Future Directions

22
SQL Slammer Worm
  • The fastest Internet worm in history
  • Timeline:
      • July 24th, 2002: Microsoft announced the
        vulnerability
      • January 25th, 2003: SQL Slammer worm unleashed
          • 05:29:36 GMT: first detection
          • It infected more than 90 percent of
            vulnerable hosts within 10 minutes
  • The worm:
      • 376-byte viral payload in a single UDP packet
      • Infects machines with a single packet over
        UDP/1434
      • UDP is a broadcast protocol: possible to infect
        multiple hosts with 1 packet

23
Hosts infected With Slammer
  • A before-and-after animation showing the number
    of infected Sapphire hosts in a half-hour period
    between 0529 UTC and 0600 UTC.

http://www.caida.org/research/security/sapphire/
24
How to stop SQL Slammer?
  • Patch
  • Firewall / VPN:
      • Block UDP/1434 (inbound and outbound)
      • Use a VPN for access to sensitive services
  • Intrusion detection and prevention:
      • UDP/1434 is a well-known protocol
      • Well-known vulnerability, 6 months before the
        exploit
      • IDP signatures can detect and block exploits of
        this vulnerability
      • The size of the packet is anomalous behavior
      • Zero-latency active IDS/IDP is the only way of
        blocking this worm
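The two detection cues this slide names, written out as an added example that is not part of the original presentation: a signature rule for the exact worm profile given above (one UDP datagram to port 1434 carrying 376 bytes) and an anomaly rule on datagram size, since the SQL Server Resolution service on UDP/1434 normally receives only very short requests. The packet records are constructed rather than captured, the threshold SSRP_MAX_NORMAL_LEN is an assumed value, and all function names are assumptions for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not from the slides. Models signature and anomaly
 * detection over decoded packet records; every constant and name below is
 * an assumption for illustration, except the port and payload length the
 * slides give for the worm. */

#define PROTO_UDP           17
#define PROTO_TCP           6
#define SQL_RESOLUTION_PORT 1434
#define SLAMMER_PAYLOAD_LEN 376
#define SSRP_MAX_NORMAL_LEN 64    /* assumed: anything bigger is out of profile */

enum verdict { ALLOW = 0, ALERT = 1, BLOCK = 2 };

struct packet {
    int proto;        /* IP protocol number */
    int dst_port;     /* UDP/TCP destination port */
    int payload_len;  /* bytes after the transport header */
};

/* Signature detection: match the known worm profile exactly. */
int matches_slammer_signature(const struct packet *p)
{
    return p->proto == PROTO_UDP &&
           p->dst_port == SQL_RESOLUTION_PORT &&
           p->payload_len == SLAMMER_PAYLOAD_LEN;
}

/* Anomaly detection: flag oversized traffic to the resolution service even
 * when the exact payload length differs from the known signature. */
int is_oversized_resolution_request(const struct packet *p)
{
    return p->proto == PROTO_UDP &&
           p->dst_port == SQL_RESOLUTION_PORT &&
           p->payload_len > SSRP_MAX_NORMAL_LEN;
}

/* Active response on a signature hit, passive alert on an anomaly: the
 * exact signature keeps false positives low enough to block on, while the
 * looser anomaly rule only raises an alert for an analyst to review. */
enum verdict classify(const struct packet *p)
{
    if (matches_slammer_signature(p))
        return BLOCK;
    if (is_oversized_resolution_request(p))
        return ALERT;
    return ALLOW;
}

/* Constructed sample traffic (not a real capture). */
static const struct packet SAMPLE[] = {
    { PROTO_UDP, SQL_RESOLUTION_PORT, 376 },  /* worm profile         -> BLOCK */
    { PROTO_UDP, SQL_RESOLUTION_PORT,   1 },  /* normal short request -> ALLOW */
    { PROTO_UDP, 53,                  376 },  /* DNS, wrong port      -> ALLOW */
    { PROTO_UDP, SQL_RESOLUTION_PORT, 400 },  /* oversized, inexact   -> ALERT */
    { PROTO_TCP, SQL_RESOLUTION_PORT, 376 },  /* TCP, not UDP         -> ALLOW */
    { PROTO_UDP, SQL_RESOLUTION_PORT, 376 },  /* second worm packet   -> BLOCK */
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Count how many sample packets receive the given verdict. */
size_t count_verdict(enum verdict v)
{
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        if (classify(&SAMPLE[i]) == v)
            n++;
    return n;
}

int main(void)
{
    static const char *names[] = { "ALLOW", "ALERT", "BLOCK" };
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        printf("packet %zu: proto=%d dport=%d len=%d -> %s\n", i,
               SAMPLE[i].proto, SAMPLE[i].dst_port, SAMPLE[i].payload_len,
               names[classify(&SAMPLE[i])]);
    return 0;
}
```

The split between BLOCK and ALERT is the point of the "three problems" slide: a rule precise enough to act on automatically, and a broader rule whose false positives would otherwise turn the IPS into a denial of service against normal traffic. Since the worm needs only one datagram per victim, the block has to happen inline on the first packet, which is what the slide means by zero latency.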

25
Outline
  • What is intrusion detection
  • Host, Network & Perimeter Detection
  • The Emergence of Intrusion Prevention
  • Real-World Examples
  • Future Directions

26
Future Directions
  • What do you think?

27
IDS Classification
  • Intrusion detection approach
      • Anomaly detection
      • Signature detection
  • Protected systems
      • HIDS
      • NIDS
      • Hybrids
  • Structure
      • Centralized system
      • Distributed system
      • Agent system
  • Data sources
      • Audit trail
      • Network packets
      • System state analysis (kernel, services,
        file, etc.)
  • Behavior after an attack
      • Active IDS
      • Passive IDS
  • Analysis timing
      • On-the-fly processing
      • Interval-based IDS
28
Terms
  • Anomaly detection explores issues in intrusion
    detection associated with deviations from normal
    system or user behavior
  • Signature detection discriminates between
    anomaly or attack patterns (signatures) and known
    intrusion detection signatures (also called
    rule-based detection)
  • HIDS uses information derived from a single host
  • NIDS exploits information obtained from a whole
    segment of a local network
  • Passive IDS simply generate alerts and log
    network packets
  • Active IDS detect and respond to attacks,
    attempt to patch software holes before getting
    hacked, or act proactively by logging out
    potential intruders or blocking services

29
References
  • Przemyslaw Kazienko & Piotr Dorosz, Intrusion
    Detection Systems (IDS) Part I - (network
    intrusions; attack symptoms; IDS tasks; and IDS
    architecture), http://www.windowsecurity.com/pages
    /article_p.asp?id=1147, Apr 07, 2003
  • Przemyslaw Kazienko & Piotr Dorosz, Intrusion
    Detection Systems (IDS) Part 2 - Classification;
    methods; techniques, http://www.windowsecurity.com
    /pages/article_p.asp?id=1335, Jun 15, 2004
  • Cisco IDS Solution, http://www.cisco.com/en/US/net
    sol/ns340/ns394/ns171/networking_solutions_audienc
    e_business_benefit09186a008033a458.html, 2005
  • Randy Stauber, Defense In Depth,
    http://www.infosecwriters.com/texts.php?op=display
    &id=170, 19/05/04

30
Cat with Boots