Intrusion Detection Systems - PowerPoint PPT Presentation

About This Presentation
Title:

Intrusion Detection Systems

Description:

Intrusion Detection Systems Presently there is much interest in systems, which can detect intrusions, IDS (Intrusion Detection System). IDS are of very different ... – PowerPoint PPT presentation

Number of Views:160
Avg rating:3.0/5.0
Slides: 37
Provided by: DiPi5
Category:

less

Transcript and Presenter's Notes

Title: Intrusion Detection Systems


1
Intrusion Detection Systems
2
Intrusion Detection Systems
  • Presently there is much interest in systems,
    which can detect intrusions, IDS (Intrusion
    Detection System).
  • IDS are of very different character.
  • Some focus on one machine and try to stop the
    intruder from doing damage, such is LIDS for
    Linux.
  • Some can detect a worm attack from the way it
    spreads from machine to machine, like GrIDS.

3
Intrusion Detection Systems
  • Several are actually data mining, they determine
    from logfiles if there is an intrusion based on
    reasoning by an expert system, NSTAT is an
    example.
  • Many IDS implementations are listening passively
    to some LAN segment, look at the traffic and
    detect an intrusion. Snort IDS is a popular
    freeware program of this Network IDS-type.
  • Other IDS solutions protect one machine by access
    controls.

4
What is Intrusion Detection
  • Intrusion detection systems (IDSs) are designed
    for
  • detecting, blocking and reporting unauthorized
    activity in computer networks.
  • The life expectancy of a default installation of
    Linux Red Hat 6.2 server is estimated to be less
    than 72 hours.
  • The fastest compromise happened in 15 minutes
    (including scanning, probing and attacking)
  • Netbios scans affecting Windows computers were
    executed with the average of 17 per day
  • (source Honeynet Project)

5
Unauthorized Use of Computer Systems Within Last
12 Months (source CSI/FBI Study)
  1. Motivation for Intrusion Detection

6
Most Common Attacks (source CSI/FBI)
  1. Motivation for Intrusion Detection
  • In year 2002 most common attacks were
  • Virus (78)
  • Insider Abuse of Net Access (78)
  • Laptop theft (55)
  • Denial of Service and System Penetration (40)
  • Unauthorized Access by Insiders (38)

(Red color shows the attack types, which IDS can
decrease)
7
Definitions
  • Intrusion
  • A set of actions aimed to compromise the security
    goals, namely
  • Integrity, confidentiality, or availability, of a
    computing and networking resource
  • Intrusion detection
  • The process of identifying and responding to
    intrusion activities

8
Why Is Intrusion Detection Necessary?
Security principles layered mechanisms
9
Elements of Intrusion Detection
  • Primary assumptions
  • System activities are observable
  • Normal and intrusive activities have distinct
    evidence
  • Components of intrusion detection systems
  • From an algorithmic perspective
  • Features - capture intrusion evidences
  • Models - piece evidences together
  • From a system architecture perspective
  • Audit data processor, knowledge base, decision
    engine, alarm generation and responses

10
Components of Intrusion Detection System
system activities are observable
normal and intrusive activities have distinct
evidence
11
1. Application based2. Host based 3.
Network based.
Different Types of IDSs
12
Different Types of IDSs
  • Application IDS
  • Watch application logs
  • Watch user actions
  • Stop attacks targeted against an application
  • Advantages
  • Encrypted data can be read
  • Problems
  • Positioned too high in the attack chain (the
    attacks reach the application)

13
Different Types of IDSs
  • Host IDS
  • Watch kernel operations
  • Watch network interface
  • Stop illegal system operations
  • Drop attack packets at network driver
  • Advantages
  • Encrypted data can be read
  • Each host contributes to the detection process
  • Problems
  • Positioned too high in the attack chain (the
    attacks reach the network driver)

14
Different Types of IDSs
  • Network IDS
  • Watch network traffic
  • Watch active services and servers
  • Report and possibly stop network level attacks
  • Advantages
  • Attacks can be stopped early enough (before they
    reach the hosts or applications)
  • Attack information from different subnets can be
    correlated
  • Problems
  • Encrypted data cannot be read
  • Annoyances to normal traffic if for some reason
    normal traffic is dropped

15
Application-, Host- and Network IDS Comparison
2. Different Types of IDSs
16
Diagram
Simple Process Model for ID
Parse data, filter data and execute Detection
Algorithms
For example applications log network driver, or
network cable
Drop packets, send alerts, update routing
tables, kill processes etc.
17
Misuse Detection
IDS principle of detection
There are two basic methods used by ID Systems
misuse detection and anomaly detection.
  • Search attack signatures, which are patterns,
    byte code or expressions belonging to a specific
    attack.
  • often called signature-based detection
  • A signature is created by analysing an attack
    method
  • The patterns are stored inside the IDS

Example Rule
Alert tcp !192.168.1.0/24 any -gt 192.168.1.0/24
111 (Content 00 01 86 A5msgExternal
Mountd access)
18
Example of a NIDS, snort
  • Enable NIDS mode of Snort
  • ./snort -dev -l ./log -h 192.168.1.0/24 -c snort
    .conf
  • The above command means that let Snort work as
    NIDS for the network 192.168.1.0/24 according to
    the rules inside snort.conf file.
  • Sample rule
  • alert udp any any -gt 192.168.1.0/24 5060
  • (content"01 6a 42 c8" msg SIP session
    signaling")
  • The rules are modular and it is easy to add new
    rules. Typically the rules make alarms of all old
    security breaches so that you cannot notice any
    new breaches.

19
Anomaly Detection
IDS principle of detection
Distinguish abnormal from normal
  • Threshold Detection
  • X events in Y seconds triggers the alarm
  • Statistical Measures
  • Current traffic profile matches the normal
    profile
  • Rule-Based Methods
  • Jack never logs in at 6 to 8 AM
  • If Jack just sent email from Espoo office, he
    should not send email from New York office at the
    same time

20
Anomaly/Misuse Detection Comparison
IDS principle of detection
21
Responses
IDS response principles
  • Alerts and notifications email, SMS, pager
    (important issue alert path must be bulletproof)
  • Increase Surveillance log more
  • Throttling slow down malicious traffic
  • Blocking Access drop data, update
    firewall/router
  • Make Counterattack Eye for an eye tactics
  • Honey Pots and Padded Cells route the hacker to
    a fake system and let him play freely

22
Detection problems
IDS problems in the detection stage
  • True positive, TP, is a malicious attack that is
    correctly detected as malicious.
  • True negative, TN, is a not an attack and is
    correctly classified as benign.
  • False positive, FP, is not an attack but has been
    classified as an attack.
  • False negative, FN, is an attack that has been
    incorrectly classified as a benign.
  • Detection rate is obtained by testing the IDS
    against set of intrusive scenarios

The false alarm rate is the limiting factor for
the performance in an IDS.
23
Advanced IDS Techniques
For Protection
  • Stream Reassembly follow connections and
    sessions
  • Traffic Normalization see that protocols are
    followed
  • Bayesian Networks Data mining and decision
    networks
  • Graphical IDSs (for example GrIDS) use graphs to
    model attacks
  • Feature equality heuristics port stepping,
    packet gap recognition
  • Genetic Programming, Human immune systems
  • Tens of research systems exist

For Attacks
  • Evasion methods (fragmentation, mutation etc.)
  • IDS trashing (DoS tools to like stick/snot to
    crash IDS capability

24
Evaluation of IDS
  • Type I error (false negative)
  • Intrusive but not being detected
  • Type II error (false positive)
  • Not intrusive but being detected as intrusive
  • Evaluation
  • How to measure?
  • ROC - Receiver Operating Characteristics curve
    analysis - detection rate vs. False alarm rate
  • What else? Efficiency? Cost?

25
Example ROC Curve
IDS
Detect
False Alarm
  • Ideal system should have 100 detection rate with
    0 false alarm

26
Next Generation IDSs
  • Adaptive
  • Detect new intrusions
  • Scenario-based
  • Correlate (multiple sources of) audit data and
    attack information
  • Cost-sensitive
  • Model cost factors related to intrusion detection
  • Dynamically configure IDS components for best
    protection/cost performance

27
Adaptive IDSs
ID Modeling Engine
IDS
anomaly detection
semiautomatic
IDS
IDS
28
Semi-automatic Generation of ID Models
models
Learning
features
patterns
connection/ session records
Data mining
packets/ events (ASCII)
raw audit data
29
The Feature Construction Problem
flag
dst
service
h1 http S0
h1 http S0
syn flood
h1 http S0
h2 http S0
normal
h4 http S0
h2 ftp S0
existing features useless
construct features with high information gain
How? Use temporal and statistical patterns, e.g.,
a lot of S0 connections to same service/host
within a short time window
30
Feature Construction Example
  • An example syn flood patterns (dst_host is
    reference attribute)
  • (flag S0, service http), (flag S0, service
    http) ? (flag S0, service http) 0.6, 2s
  • add features
  • count the connections to the same dst_host in the
    past 2 seconds, and among these connections,
  • the percentage with the same service,
  • the percentage with S0

31
An Adaptive IDS Architecture
32
Detecting Intruders
  • Commercially the most used IDS systems are
    probably misuse based Network ID Systems, but
    Host-level IDS is also needed.
  • As an example of a Host-level IDS let us look at
    LIDS for Linux.
  • The philosophy of LIDS is to have a three layer
    protection
  • Firewall
  • PortSentry
  • LIDS
  • The firewall limits access to only allowed ports.
    In a Web-server only the TCP port 80 is
    absolutely necessary.
  • Disable ports which are not used, for instance by
    removing the daemons or by modifying
    /etc/inetd.conf. Leave only the basic activities
    needed.

33
Detecting Intruders
  • PortSentry is put to some port, which is often
    scanned but not used in the system.
  • One should find suitable ports where to put
    PortSentry by looking at ports which are scanned
    often, like 143 or 111.
  • Typically nowadays hackers do sweep scanning
    looking at only one port in several machines.
  • PortSentry monitors activity on specific TCP/UDP
    ports. The PortSentry can take actions, like
    denying further access to the port.

34
Detecting Intruders
  • This is based on the assumption that the hacker
    will first probe with a scanner the machine for
    weaknesses.
  • You install PortSentry in TCP-mode by portsentry
    -tcp
  • ports are in portsentry.conf -file.

35
Detecting Intruders
  • LIDS
  • LIDS is an intrusion detection system that
    resides in the Linux kernel.
  • It basically limits the rights of a root user to
    do modifications. It limits root access to direct
    port access, direct memory access, raw access,
    modification of log files, limits access to file
    system. It also prevents installation of sniffers
    or changing firewall rules.

36
Detecting Intruders
  • LIDS
  • An administrator can remove the protection by
    giving a password to LIDS, but if a hacker breaks
    into the root, he cannot without LIDS password do
    much damage.
  • Is this good? it certainly makes the life of a
    hacker more difficult, but what about a hacker
    getting into the kernel?
  • How nice it is being an administrator using LIDS?
Write a Comment
User Comments (0)
About PowerShow.com