Title: Intrusion Detection Systems
1. Intrusion Detection Systems
- Sai Nandoor
- Priya Selvam
- Balaji Badam
2. How insecure are we?
- Attacks on computer infrastructures are a serious problem.
- Information theft is up over 250% in the last 5 years.
- 99% of all major companies report at least one major incident.
- Telecom and computer fraud totaled $10 billion in the US alone.
- Source: Eugene H. Spafford, Security Seminar, Department of Computer Sciences, Purdue University, Jan 2002.
3. IDS Based on Data Source
- Host Based IDS
  - Its role is to identify tampering or malicious activity occurring on the system.
  - This is achieved by monitoring log files, users, and the file system.
- Network Based IDS
  - Its role is to identify tampering or malicious activity occurring in the network traffic.
  - This is achieved by monitoring network traffic on the wire for specific activities/signatures that represent an attack.
- Hybrid IDS
  - Combination of network and host based IDS.
4. Host Based - Network Based
5. Advantages
Network:
- Lowers cost of ownership
- Detects what HIDS miss
- Difficult to remove evidence
- Real-time detection and response
- Detects unsuccessful attacks
- OS independent
Host:
- Lower cost of entry
- Detects what NIDS miss
- Verifies success/failure of attack
- Suited for encrypted environments
- Monitors specific activities
- Requires no additional hardware
6. Host Based IDS
- Specific files to be monitored are defined in a configuration file.
- Digest of each file is stored in a database.
- Multiple digest algorithms can be used.
- Examples
  - TRIPWIRE/AIDE/SAMHAIN
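The three bullets above describe the mechanism every file-integrity HIDS on this slide shares: a watch list in a configuration file, a digest database built from a trusted state, and a later re-check. The following is an added example written for this page, not code from Tripwire, AIDE or Samhain. It assumes a constructed config format (one path per line, `#` comments), stores two digests plus size and permission bits per file, and lists the config file in its own watch list so that edits to the watch list itself are detected.

```python
import hashlib
import os
import tempfile

# Digest algorithms applied to every monitored file; the baseline stores all of them,
# so a change would have to collide under every algorithm at once to go unnoticed.
ALGORITHMS = ("sha256", "sha1")


def parse_config(text):
    """Constructed config format: one monitored path per line, '#' starts a comment.
    (Paths containing '#' are not supported by this toy parser.)"""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.append(line)
    return paths


def digest_file(path):
    """Return the digests plus size and permission bits for one file."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashes.values():
                h.update(chunk)
    st = os.stat(path)
    entry = {name: h.hexdigest() for name, h in hashes.items()}
    entry["size"] = st.st_size
    entry["mode"] = st.st_mode & 0o7777
    return entry


def build_baseline(paths):
    """The 'database' of the slide: path -> digest entry, built from a trusted state."""
    return {p: digest_file(p) for p in paths if os.path.isfile(p)}


def check_integrity(baseline, paths):
    """Re-digest each monitored path and classify it against the baseline."""
    report = {"changed": [], "missing": [], "unchanged": []}
    for p in paths:
        if not os.path.isfile(p):
            report["missing"].append(p)
        elif digest_file(p) != baseline.get(p):
            report["changed"].append(p)
        else:
            report["unchanged"].append(p)
    return report


def demo():
    """Constructed run in a temp dir: baseline three files, tamper with one, re-check.
    The config file lists itself, so tampering with the watch list is detected too."""
    d = tempfile.mkdtemp(prefix="hids-demo-")
    conf_path = os.path.join(d, "hids.conf")
    samples = {
        "passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "sshd_config": b"PermitRootLogin no\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    with open(conf_path, "w") as fh:
        fh.write("# constructed watch list\n" + conf_path + "\n")
        fh.writelines(os.path.join(d, n) + "\n" for n in samples)
    with open(conf_path) as fh:
        paths = parse_config(fh.read())
    baseline = build_baseline(paths)

    # Simulated tampering: weaken sshd_config after the baseline was taken.
    with open(os.path.join(d, "sshd_config"), "ab") as fh:
        fh.write(b"PermitRootLogin yes\n")

    report = check_integrity(baseline, paths)
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken from a known-good state and kept where the monitored host cannot rewrite it (the deck's own design stores it encrypted on a separate administrator); comparing whole entries rather than a single digest means a permission change with identical content is still reported.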
7. TRIPWIRE
- Can be reconfigured to prevent false alarms.
- Flexible policy language with predefined policy files and wildcard support.
AIDE
- Similar to TRIPWIRE, but lighter weight.
SAMHAIN
- Support for a stealth mode of operation.
- Encrypted and authenticated client/server connections.
8. Network Based IDS
- Packet sniffing front end.
- Pattern matching engine.
- Backend database.
- Examples
  - SNORT/SHOKI/BRO
9. SNORT
- Can also operate as a packet sniffer/logger.
- Flexible rule-based language to describe traffic.
- Can perform protocol analysis and content searching/matching.
SHOKI
- Multi-filter rule sets that match individual packets.
- SNORT rules can be converted to SHOKI filters.
BRO
- Provides its own language.
- Passive; doesn't terminate malicious activity.
10. SNORT Rules
- var EXTERNAL_NET ![128.3.0.0/16,131.243.0.0/16]
- var HTTP_SERVERS [128.3.0.0/16,131.243.0.0/16]
- var HTTP_PORTS 80
- preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
- output alert_fast: alarms.log
- include file1.config
- alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)
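To make the pieces of this rule concrete, here is an added example, written for this page and not taken from Snort, that parses the slide's variables and rule into their fields and evaluates them against constructed requests. It shows how `$EXTERNAL_NET` expands to a negated address list, how option parsing must respect the quoted `msg` string, and what `nocase` does to the `uricontent` comparison. The `flow:to_server,established` option needs connection tracking and is parsed but not evaluated; the function names are this example's own.

```python
import ipaddress

# The slide's configuration, transcribed here as a string so the parser can run offline.
SNORT_CONF = """
var EXTERNAL_NET ![128.3.0.0/16,131.243.0.0/16]
var HTTP_SERVERS [128.3.0.0/16,131.243.0.0/16]
var HTTP_PORTS 80
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)
"""


def split_options(body):
    """Split the option list on ';' only when outside double quotes (msg text may contain ';')."""
    parts, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(line, variables):
    """Parse 'action proto src sport -> dst dport (options)' and expand $VAR references."""
    head, _, body = line.partition("(")
    action, proto, src, sport, _, dst, dport = head.split()
    resolve = lambda tok: variables.get(tok[1:], tok) if tok.startswith("$") else tok
    options = {}
    for opt in split_options(body.rstrip(")")):
        key, _, value = opt.partition(":")
        # Bare keywords such as 'nocase' have no value; store them as True.
        options[key.strip()] = value.strip().strip('"') if value else True
    return {"action": action, "proto": proto, "src": resolve(src), "sport": resolve(sport),
            "dst": resolve(dst), "dport": resolve(dport), "options": options}


def parse_conf(text):
    """Collect 'var' definitions, then parse each rule line with them in scope."""
    variables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif line and line.split()[0] in ("alert", "log", "pass"):
            rules.append(parse_rule(line, variables))
    return variables, rules


def addr_matches(spec, ip):
    """Snort address spec: 'any', a CIDR, a [list], or a '!'-negated form of those."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
    return hit != negated


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, src_ip, sport, dst_ip, dport, uri):
    """Evaluate the header fields plus uricontent/nocase against one HTTP request."""
    if not (addr_matches(rule["src"], src_ip) and port_matches(rule["sport"], sport)
            and addr_matches(rule["dst"], dst_ip) and port_matches(rule["dport"], dport)):
        return False
    opts = rule["options"]
    if "uricontent" in opts:
        needle, haystack = opts["uricontent"], uri
        if opts.get("nocase"):
            needle, haystack = needle.lower(), haystack.lower()
        if needle not in haystack:
            return False
    return True


if __name__ == "__main__":
    _, rules = parse_conf(SNORT_CONF)
    print(rules[0]["options"]["msg"],
          rule_matches(rules[0], "10.1.1.5", 44321, "128.3.4.5", 80, "/cgi-bin/x?c=/BIN/PS"))
```

Two points the example makes visible: a request from inside `HTTP_SERVERS` never fires this rule because `EXTERNAL_NET` is the negation of that list, and without `nocase` the `/BIN/PS` variant would slip past a plain substring match (the `http_decode` preprocessor on the slide handles the URL-encoding variants separately).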
11. Bro Rules
- rule sid-1328 {
- header ip[9:1] == 6
- header ip[12:4] != 128.3.0.0/16,131.243.0.0/16
- header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
- header tcp[2:2] == 80
- tcp-state originator,established
- http /.*\/[bB][iI][nN]\/[pP][sS]/
- msg "WEB-ATTACKS ps command attempt"
- }
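The Bro form of the same signature addresses header fields by byte offset and length: `ip[9:1]` is the protocol byte (6 = TCP), `ip[12:4]` and `ip[16:4]` the source and destination addresses, and `tcp[2:2]` the destination port. The following added example, written for this page and not Bro's own code, builds a constructed IPv4/TCP packet and evaluates those offset predicates plus the `http` pattern over the raw bytes. The `tcp-state` condition needs connection tracking and is not modeled; `build_packet`, `header_field` and `sid_1328_matches` are this example's names.

```python
import ipaddress
import re
import struct

INTERNAL_NETS = "128.3.0.0/16,131.243.0.0/16"
# The slide's http pattern; the leading '.*' is there because Bro anchors the match.
PS_PATTERN = re.compile(rb".*\/[bB][iI][nN]\/[pP][sS]", re.DOTALL)


def build_packet(src_ip, dst_ip, sport, dport, proto=6, payload=b""):
    """Constructed IPv4 (20 bytes) + TCP (20 bytes) headers, checksums left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    # data offset 5 words (0x50), flags PSH|ACK (0x18), window 8192
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def header_field(pkt, layer, offset, length):
    """Bro's header ip[offset:length] / tcp[offset:length] accessor over raw bytes."""
    base = 0 if layer == "ip" else (pkt[0] & 0x0F) * 4  # TCP starts after IHL*4 bytes
    return pkt[base + offset: base + offset + length]


def in_nets(raw_addr, nets):
    """True if a 4-byte packed address falls in any of the comma-separated networks."""
    addr = ipaddress.ip_address(raw_addr)
    return any(addr in ipaddress.ip_network(n) for n in nets.split(","))


def sid_1328_matches(pkt):
    """Evaluate the slide's header and http conditions in order; tcp-state is not modeled."""
    if header_field(pkt, "ip", 9, 1) != b"\x06":                       # header ip[9:1] == 6
        return False
    if in_nets(header_field(pkt, "ip", 12, 4), INTERNAL_NETS):         # header ip[12:4] != internal
        return False
    if not in_nets(header_field(pkt, "ip", 16, 4), INTERNAL_NETS):     # header ip[16:4] == internal
        return False
    if struct.unpack("!H", header_field(pkt, "tcp", 2, 2))[0] != 80:   # header tcp[2:2] == 80
        return False
    ihl = (pkt[0] & 0x0F) * 4
    data_offset = (pkt[ihl + 12] >> 4) * 4
    payload = pkt[ihl + data_offset:]
    return PS_PATTERN.match(payload) is not None                        # http /.*\/[bB][iI][nN]\/[pP][sS]/


if __name__ == "__main__":
    pkt = build_packet("10.5.5.5", "128.3.1.2", 40000, 80,
                       payload=b"GET /cgi-bin/a?x=/BIN/ps HTTP/1.0\r\n")
    print(sid_1328_matches(pkt))
```

Reading the rule this way explains why the converted signature has no `$HTTP_PORTS` variable left: Snort's symbolic header fields were resolved to fixed offsets and constants at conversion time, so changing the monitored port means regenerating the Bro rule.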
SHOKI Rules
- tcp 65536 THRESHOLD11020 SAMP-6 http h(tp)// ALL
- tcp 65536 HOST_SCAN22040 SAMP-7 host scan NULL ALL
- tcp 65536 PORT_SCAN33050 SAMP-8 p_scan 0x687474 ALL
12. ACID screen capture for SNORT
13. Hybrid IDS
- Can be clustered
- Centralized database
- Provides file protection by using digests
- Network sensing using packet sniffing
- Blends strengths of HIDS and NIDS
- Examples
  - MANHUNT/PRELUDE/DRAGON
14. MANHUNT
- Detects new and modified attacks
- Dynamically reassigns ports being scanned
- Flowchaser and Trackback to fight DDoS
PRELUDE
- Incorporates information from other IDS
- Provides hooks to firewalls, honeypots, etc.
- Uses multiple sensors and a report server
DRAGON
- Provides IDS evasion countermeasures by keeping a large database of known hacker techniques and searching for anomalies.
15. Goals
- Design a hybrid system
- Send instantaneous alerts to the network administrator and other hosts
- Use secure communication channels
- Keep the configuration file secure
- Keep the checksum database secure
- Maintain a list of intruders
- Maintain a log of attacks
16. Design
Components shown in the design diagram: Intruder, Host, Administrator, Firewall, Database, Other Hosts.
17. Implementation
- Dedicated sockets for communication
- Messages encrypted using AES
- Configuration file included in the list of secure files
- Checksums encoded using AES
- Network administrator maintains a log of intrusions
- Hosts maintain a list of intruders
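Slides 15 to 17 describe one message flow: a host detects something, records the intruder locally, and sends an alert over a dedicated socket to the administrator, who keeps the intrusion log. The following added example, written for this page and not the project's own code, runs that flow on localhost with an administrator thread and a host object. It deviates from the slide in one stated way: the project encrypts messages with AES, while this stand-in only authenticates them with HMAC-SHA256 because Python's standard library has no AES; an alert sent under the wrong key is rejected rather than logged. The key, host names and addresses are constructed demo values.

```python
import hashlib
import hmac
import json
import socket
import threading
import time

# Constructed demo key shared by host and administrator. The slide encrypts with AES;
# this stand-in only authenticates (HMAC-SHA256) because the standard library has no AES.
SHARED_KEY = b"demo-key-not-for-production"


def seal(message, key=SHARED_KEY):
    """Serialize an alert and append its authentication tag, one alert per line."""
    body = json.dumps(message, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag + b"\n"


def unseal(line, key=SHARED_KEY):
    """Verify the tag before trusting the alert; return None for forged or corrupted lines."""
    body, _, tag = line.rstrip(b"\n").rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


class Administrator:
    """Listens on a dedicated socket and keeps the intrusion log (slide 17)."""

    def __init__(self):
        self.log = []
        self.rejected = 0
        self._running = True
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))  # ephemeral port for the demo
        self._sock.listen(5)
        self._sock.settimeout(0.1)         # lets the serve loop notice shutdown
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while self._running:
            try:
                conn, _ = self._sock.accept()
            except socket.timeout:
                continue
            with conn, conn.makefile("rb") as stream:
                for line in stream:
                    alert = unseal(line)
                    if alert is None:
                        self.rejected += 1   # unauthenticated: never reaches the log
                    else:
                        self.log.append(alert)

    def close(self):
        self._running = False
        self._thread.join()
        self._sock.close()


class Host:
    """A monitored host: records the intruder locally and alerts the administrator."""

    def __init__(self, name, admin_port):
        self.name, self.admin_port, self.intruders = name, admin_port, set()

    def report(self, intruder_ip, detail, key=SHARED_KEY):
        self.intruders.add(intruder_ip)
        alert = {"host": self.name, "intruder": intruder_ip, "detail": detail, "time": time.time()}
        with socket.create_connection(("127.0.0.1", self.admin_port)) as conn:
            conn.sendall(seal(alert, key))


def run_demo():
    """Constructed scenario: one genuine alert, then one sent with the wrong key."""
    admin = Administrator()
    try:
        host = Host("web-01", admin.port)
        host.report("192.0.2.10", "digest mismatch on sshd_config")
        Host("rogue", admin.port).report("198.51.100.7", "forged", key=b"wrong-key")
        deadline = time.time() + 3
        while admin.rejected < 1 and time.time() < deadline:
            time.sleep(0.02)
    finally:
        admin.close()
    return admin.log, admin.rejected, sorted(host.intruders)


if __name__ == "__main__":
    print(run_demo())
```

The two lessons the deck draws on slide 19 show up directly: the channel between host and administrator is where a forged alert would be injected, so every line is verified before it touches the log, and the host's intruder list is kept separately from the administrator's log so either side has a record if the other is compromised.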
18. Sample execution
19. Future Work
Lessons Learned
- Hybrid IDS involves a lot of components
- Communication between hosts and admins must be secure
- Configuration files are vulnerable
- Hybrid IDS provides better security
Future Work
- Network sensors to defend against DDoS attacks
- Incorporate different hashing algorithms
- Add a feature to track the sources of DDoS
- Incorporate data from existing IDS
- Add a file change notification component
20. References
- Intrusion Detection Systems, by Ricky M. Magalhaes, http://www.windowsecurity.com
- An Introduction to Intrusion Detection, by Aurobindo Sundaram, ACM Crossroads
- Network vs. Host Based Intrusion Detection, http://www.isskk.co.jp
- IDS Products, http://www.netsmart.net.au
- Intrusion Detection and Network Auditing on the Internet, http://www.infosyssec.com