Intrusion Detection Systems - PowerPoint PPT Presentation

About This Presentation
Title:

Intrusion Detection Systems

Description:

Telecom and computer fraud totaled $10 billion in the US alone. Source: Eugene H Spafford. Security Seminar, Department of Computer Sciences, ... – PowerPoint PPT presentation

Number of Views:273
Avg rating:3.0/5.0
Slides: 21
Provided by: EAS3455
Learn more at: http://cs.uccs.edu
Category:

less

Transcript and Presenter's Notes

Title: Intrusion Detection Systems


1
Intrusion Detection Systems
  • Sai Nandoor
  • Priya Selvam
  • Balaji Badam

2
How insecure are we?
  • Attacks on computer infrastructures are a serious
    problem.
  • Information theft is up over 250 in the last 5
    years.
  • 99 of all major companies report at least one
    major incident.
  • Telecom and computer fraud totaled 10 billion in
    the US alone.
  • Source Eugene H Spafford. Security Seminar,
  • Department of Computer Sciences, Purdue
    University, Jan 2002.

3
IDS Based on Data Source
  • Host Based IDS
  • Its role is to identify tampering or malicious
    activity occurring on the system.
  • This is achieved by monitoring log files, users,
    and the file system.
  • Network Based IDS
  • Its role is to identify tampering or malicious
    activity occurring in the network traffic.
  • This is achieved by monitoring network traffic on
    the wire for specific activities/signatures that
    represent an attack.
  • Hybrid IDS
  • Combination of network and host based IDS.

4
Host Based - Network Based
5
Advantages
Network Host
Lowers cost of ownership Lower cost of entry
Detects what HIDS miss Detects what NIDS miss
Difficult to remove evidence Verifies success/failure of attack
Real-time detection response Suited for encrypted environments
Detects unsuccessful attacks Monitors specific activities
OS independent Requires no additional hardware
6
Host Based IDS
  • Specific files to be monitored are defined in a
    configuration file.
  • Digest of the file is stored in a database.
  • Multiple digest algorithms can be used.
  • Examples
  • TRIPWIRE/AIDE/SAMHAIN

7
TRIPWIRE
  • Can be reconfigured to prevent false-alarms.
  • Flexible policy language with predefined policy
    files and wildcard support.

AIDE
  • Similar to lighter version TRIPWIRE

SAMHAIN
  • Support for Stealth mode of operation.
  • Encrypted and authenticated client/server
    connections.

8
Network Based IDS
  • Packet Sniffing front end.
  • Pattern matching engine.
  • Backend database.
  • Examples
  • SNORT/SHOKI/BRO

9
SNORT
  • Can also operate as packet sniffer/logger.
  • Flexible rule based language to describe traffic.
  • Can perform protocol analysis, content
    searching/matching.

SHOKI
  • Multi-filter rule sets that match individual
    packets.
  • SNORT rules can be converted to SHOKI filters.

BRO
  • Provides its own language.
  • Passive, doesnt terminate malicious activity.

10
SNORT Rules
  • var EXTERNAL_NET !128.3.0.0/16,131.243.0.0/16
  • var HTTP_SERVERS 128.3.0.0/16,131.243.0.0/16
  • var HTTP_PORTS 80
  • preprocessor http_decode 80 unicode
    iis_alt_unicode double_encode iis_flip_slash
    full_whitespace
  • output alert_fast alarms.log
  • include file1.config
  • alert tcp EXTERNAL_NET any -gt HTTP_SERVERS
    HTTP_PORTS (msg"WEB-ATTACKS ps command
    attempt" flowto_server,established
    uricontent"/bin/ps" nocase sid1328
    classtypeweb-application-attack rev4)

11
Bro Rules
  • rule sid-1328
  • header ip91 6
  • header ip124 ! 128.3.0.0/16,131.243.0.0/16
  • header ip164 128.3.0.0/16,131.243.0.0/16
  • header tcp22 80
  • tcp-state originator,established
  • http /.\/\\bBiInN\/\\pPsS/
  • msg "WEB-ATTACKS ps command attempt"

SHOKI Rules
tcp 65536 THRESHOLD11020 SAMP-6 http
h(tp)// ALL tcp 65536
HOST_SCAN22040 SAMP-7 host scan NULL
ALL tcp 65536 PORT_SCAN33050
SAMP-8 p_scan 0x687474 ALL
12
ACID screen capture for SNORT
13
Hybrid IDS
  • Can be clustered
  • Centralized database
  • Provides file protection by using digest
  • Network sensing using packet sniffing
  • Blends strengths of HIDS NIDS
  • Examples
  • MANHUNT/PRELUDE/DRAGON

14
MANHUNT
  • Detects new and modified attacks
  • Dynamically reassign ports scanned
  • Flowchaser and Trackback to fight DDoS

PRELUDE
  • Incorporates information from other IDS
  • Provides hooks to firewalls, honeypots, etc
  • Uses multiple sensors and a report server

DRAGON
  • Provides IDS evasion counter measures, by Keeping
    a large database of known hacker techniques and
    searching for anomalies.

15
Goals
  • Design a hybrid system
  • Send instantaneous alerts to network
    administrator and other hosts
  • Use secure communication channels
  • Keep configuration file secure
  • Keep checksum database secure
  • Maintain list of intruders
  • Maintain a log of attacks

16
Design
Intruder
Host
Administrator
Firewall
Database
Other Hosts
17
Implementation
  • Dedicated Sockets for Communication
  • Messages encrypted using AES
  • Configuration file included in list of secure
    files
  • Checksums encoded using AES
  • Network Administrator maintains log of intrusions
  • Hosts maintain a list of intruders

18
Sample execution
19
Future Work
Lessons Learned
  • Hybrid IDS involves a lot of components
  • Comm. between hosts and admins must be secure
  • Configuration files are vulnerable
  • Hybrid IDS provides better security
  • Network sensors to defend DDoS attacks
  • Incorporate different hashing algorithms
  • Add feature to track sources of DDoS
  • Incorporate data from existing IDS
  • Add a file change notification component

20
References
  • Intrusion Detection Systems
  • By Ricky M. Magalhaes http//www.windowsecurity.co
    m
  • An Introduction to Intrusion Detection
  • By Aurobindo Sundaram, ACM Crossroads
  • Network Vs. Host Based Intrusion Detection
  • http//www.isskk.co.jp
  • IDS Products
  • http//www.netsmart.net.au
  • Intrusion Detection and Network Auditing on the
    Internet
  • http//www.infosyssec.com
Write a Comment
User Comments (0)
About PowerShow.com