Distributed Intrusion Detection

1
Distributed Intrusion Detection

• Mamata Desai (99305903)
• M.Tech.,CSE dept,
• IIT Bombay

2
Overview

• What is intrusion ?
• Dealing with intrusion
• Intrusion detection principles
• Our problem definition
• Packages analyzed
• Our approach
• Experiments and Results
• Conclusions

3
What is intrusion ?

• The potential possibility of a deliberate
  unauthorized attempt to
• Access information
• Manipulate information
• Render a system unreliable or unusable
• Types of intrusions
• External attacks
• Password cracks, network sniffing, machine
  services discovery utilities, packet spoofing,
  flooding utilities, DOS attacks
• Internal penetrations Masqueraders, clandestine
  users
• Misfeasors authorized misuse

4
Example attacks

• Password cracking
• Buffer overflow
• Network reconnaissance
• Denial of service (DoS)
• IP spoofing

5
Dealing with intrusion

• Prevention
• isolate from n/w, strict auth, encryption
• Preemption
• do unto others, before they do unto you
• Deterrence
• dire warnings we have a bomb too
• Deflection
• diversionary techniques to lure away
• Counter measures
• Detection

6
Intrusion Detection principles

• Anomaly-based
• Form an opinion on what constitutes normal, and
  decide on a threshold to flag as abnormal
• Cannot distinguish illegal from abnormal
• Signature-based
• Model signatures of previous attacks and flag
  matching patterns
• Cannot detect new intrusions
• Compound

7
System characteristics

• Time of detection
• Granularity of data processing
• Source of audit data
• Response to detected intrusions
• passive v/s active
• Locus of data-processing
• Locus of data-collection
• Security
• Degree of inter-operability

8
Host-based v/s Network-based IDS

• Host-based IDS
• Verifies success or failure of an attack
• Monitors specific system activities
• Detects attacks that n/w based systems miss
• Well-suited for encrypted and switched
  environments
• Near-real-time detection and response
• Requires no additional hardware
• Lower cost of entry

9
contd.

• Network-based IDS
• Lower cost of ownership
• Detects attacks that host-based systems miss
• More difficult for an attacker to remove evidence
• Real-time detection and response
• Detects unsuccessful attacks and malicious intent
• Operating system independence
• Performance issues

10
Our problem definition

• Portscanning
• Our laboratory setup
• Multiple machines with similar configuration
• Portscan on a single machine
• Distributed portscan - Small evasive scans on
  multiple machines
• Aim Detect such distributed scans

11
Typical lab setup
12
Types of Portscans

• Scan types
• TCP connect() scan
• Stealth SYN scan
• Stealth FIN scan
• Xmas scan
• Null scan
• Scan sweeps
• One-to-one, one-to-many, many-to-one, many-to-many

13
Normal sequence of packets
Source
Target
Network Messages
Send SYN, seqx
Receive SYN segment
Send SYN, seqy, ACK x1
Receive SYN ACK segment
Send ACK y1
Receive ACK segment
more packet exchanges
Send ACKFINRST
Receive ACKFINRST
14
Stealth SYN scan
Source
Target
Network Messages
Send SYN, seqx
Receive SYN segment
Send SYN, seqy, ACK x1
Receive SYN ACK segment
Send RST
Receive RST
15
Stealth FIN scan
Source
Target
Network Messages
Send FIN
Receive FIN
16
Stealth Xmas scan
Source
Target
Network Messages
Send FINPSHURG
Receive FINPSHURG
17
Packages analyzed

• Sniffit (http//sniffit.rug.ac.be/sniffit/sniffit.
  html)
• A network sniffer for TCP/UDP/ICMP packets
• Interactive mode
• Tcpdump (http//www.tcpdump.org)
• A tool for network monitoring and data
  acquisition
• Nmap (http//www.nmap.org)
• Network mapper for network exploration,
  security auditing
• Various types of TCP/UDP scans, ping scans

18
contd

• Portsentry (http//www.psionic.com/abacus/portsent
  ry)
• Host-based TCP/UDP portscan detection and active
  defense system
• Stealth scan detection
• Reacts to portscans by blocking hosts
• Internal state engine to remember previously
  connected hosts
• All violations reported to syslog
• Snort (http//www.snort.org)
• Network-based IDS real-time analysis and
  traffic logging
• Content searching/matching to detect attacks and
  probes buffer overflows, CGI attacks, SMB
  probes, OS fingerprinting attacks
• Rules language to describe traffic to collect or
  pass
• Alerts via syslog, user files, WinPopUp messages
• 3 functional modes sniffer, packet logger, NIDS

19
contd

• Portsentry
• Binds to all ports to be monitored
• A static list of ports monitored
• State engine different hosts
• Snort
• Preprocessor connections to P ports in T
  seconds
• V1.8 only one-to-one and one-to-many portscans
  detected

20
Our approach

• Pick up network packets
• Based on which type of portscan is to be
  analyzed, identify the scan signature
• Add each source and target IP address, to the
  correlation lists
• Use the correlation lists to infer the scan sweep
  one-to-one, one-to-many, many-to-one,
  many-to-many

21
Experimental Setup
22
Detection algorithm

• Examine each TCP packet on the network.
• Extract source and target IP addrs and ports.
• For each scan type to be detected, maintain a
  list of valid connections.
• When a scan signature is detected, add source and
  target IP addrs to 2 correlation lists pointed to
  by srcIP and tarIP, remove entry from connections
  list.

23
contd

• Identical correlation lists record source and
  target IP addrs info, along with number of scans.
• Scan sweeps one-to-one, one-to-many, many-to-one,
  and many-to-many are detected by passes thru the
  correlation lists.

24
(No Transcript)
25
Experiments
One-to-one scan
Source Target TCP ports
pro-13 pro-19 25, 119
pro-15 pro-21 21, 23, 80
pro-17 pro-23 22, 79
One-to-many scan
Source Target TCP ports
pro-13 pro-19 pro-21 pro-23 7, 20, 21 22, 23, 25, 53 69, 79, 80, 88
pro-15 pro-19 pro-21 110, 111, 119 139, 143, 194, 220
26
contd
Many-to-one scan
Source Target TCP ports
pro-13 pro-21 443, 513, 518
pro-15 pro-21 873, 3130, 6667
pro-17 pro-21 107, 20, 21, 23
Many-to-many scan
Source Target TCP ports
pro-13 pro-19 pro-21 pro-23 7, 20, 21, 79 80, 113, 119, 139 143, 194, 667
pro-15
pro-17
27
Conclusions

• All the scans performed by nmap were detected
  successfully by our detector and the correlations
  were accurate.
• Some stray incidents of ident lookups did get
  classified as scans, due to the way closed ports
  behave.