Design Lines for a Long Term Competitive IDS

1
Design Lines for a Long Term Competitive IDS

• Erwan Lemonnier
• KTH-IT / Defcom

2
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Thesiss subject
• An analysis of IDSs difficulties and how to
  solve them.
• Two approaches are explored
• Designing efficient filters
• Improving IDS architecture (MIDS)

3
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Plan of Presentation
• Introduction to IDSs
• IDS challenges
• solution 1 Efficient filter design
• solution 2 MIDS, an alternative IDS architecture

4
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Introduction to IDSs
• IDSs are programs monitoring a computer system
  (network, host) to detect intrusion attempts.
• Typically made of a sensor, some filters, an
  alert-flow and a monitoring center.

Monitoring Center
Alert-flow
filter
filter
filter
filter
Filter
SENSOR API
SENSOR
Sensor
Monitored Data
Host / Network
Monitored System
5
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Sensors
• host based / network based
• Filters small programs analyzing sensor data to
  detect intrusions.
• Detection Strategies
• Signature
• Anomaly detection
• (protocol anomaly)

6
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• IDS Challenges
• Insertion Evasion
• Alert-flow control
• Encrypted traffic
• Learning from antiviruses
• Technical obstacles

7
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Insertion Evasion
• Efficient detection theoretically implies
  knowledge of monitored systems state and rules
• Despite standards, systems are implemented
  differently.
• Ex different TCP/IP stack implementation
• gt always make false assumptions on monitored
  systems reactions
• gt possible to shape the traffic so that the IDS
  accepts a packet but not the monitored system
  (Insertion) or the contrary (Evasion)

8
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Alert-flow control challenges
• False positives
• Can not be avoided
• Increase with traffic
• Hiding attacks
• IDS evasion
• Alert flood
• Slow rate attacks
• Distributed attacks

need for intelligent alert-flow
processing components
9
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Encrypted Traffic
• Network based IDS cant monitor encrypted traffic
• Only known solution decryption proxy
• but hard to deploy
• ex https

Network Based IDS
Decryption Proxy
Client
HTTP/SSL
HTTP Server
clear HTTP
HTTPS
10
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Learning from Antivirus
• Virus/Antivirus similar to Attacks/IDS
• similar techniques (signature, anomaly)
• probably similar results, but antivirus are more
  mature
• Evasion race (IDS evasion, polymorphism, etc.)
• need for reactive/automated filter updating
  process
• Anomaly detection effective if used with
  signatures

11
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Technical obstacles
• resistance to fragmentation/insertion/evasion
• gt efficient TCP/IP stack
• monitoring high rate traffic
• gt load balancing

12
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Solutions ?
• approach 1 improving filters
• approach 2 alternative IDS architectures

13
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Efficient filters
• improves detection alert-flow control
• how ?
• mixing signature anomaly detection
• protocol anomaly analysis engine enables
• efficient signature matching
• internal caching and filtering of alert-flow
• reduces volume of alert-flow
• more acurate analysis (corelation)

14
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Efficient filters Telnet filter example

15
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Efficient filters
• TCP filter example

16
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Alternative IDS structure
• IDSs are alert-flow management systems.
• Focus on
• multiplying alert sources
• merging alert-flows from different sources
• processing intelligently the alert-flow

17
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08
Suggested Architecture Multi IDS

• multiple IDSs
• host network based
• multiple filtering techniques
• alert-flow corelation

18
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Host based sensors
• detect the host side of an attack hidden to
  network based IDS (evasion, encryption, etc.)
• Multiple different network based sensors
• Many different TCP/IP stack implementation
• gt reduce risk of evasion/insertion
• Alert-flow merging and processing
• Merging alert-flow
• Shaping alert-flow to increase its informational
  load
• Alert corelation
• Data mining
• solve evasion/insertion, alert flow control
  encryption problems

19
Design Lines for a Long Term Competitive IDS -
Erwan Lemonnier - 2001/10/08

• Remaining problems
• reactive/automated filter updating process
• gt by out-sourcing IDS management to a
  specialized entity
• alert-flows corelation we are now working on it
  !
• Conclusion
• Intelligent data and alert-flow processing is the
  future of IDSs.