91.460.201 & 91.530.202 Selected Topics: Digital Forensics
Overview of Intrusion Detection/Prevention
Xinwen Fu
CS@UML, by Dr. Xinwen Fu

Outline
  What is intrusion detection
  Host, Network & Perimeter Detection
  The Emergence of Intrusion Prevention
  Real-World Examples
  Future Directions
A Big Picture of Cyber Space
(Diagram: the Internet connecting the UML and TAMU networks through a router, a firewall, a switch and an intrusion detection system; source: http://www.inmon.com/tutorials/ids.php)
What is Intrusion Detection? "a process of identifying and responding to malicious activity targeted at computing and networking resources"
(Diagram: the incident response process. An incident occurs, either point-in-time or ongoing. Steps: pre-incident preparation; detection of incidents; initial response; formulate response strategy; investigate the incident (data collection, data analysis); reporting; resolution, recovery, implement security measures.)
CSIRT: Computer Security Incident Response Team
A Brief History of Intrusion Detection
  1970s – Rudimentary audit-trail analysis
  1980s – Signature-based expert systems
  1990s – Explosion of available IDS systems
  2000s – Emergence of active IDS: Intrusion Detection and Prevention (IDP), Intrusion Prevention Systems (IPS)
          Convergence of technologies: firewall + IDP + anti-virus appliances and security switches
  Trend: Host => Network => Perimeter
A Sample Intrusion Detection System (IDS)
(Diagram: the Internet connecting the UML, TAMU, Mid-Continent and ComCast networks)
HIDS: Host-Based Intrusion Detection System
  HIDS resides on a single host system
  System analyzes:
    Network packets entering and leaving the host
    Audit trails and log files on the host
    Processes and systems running on the host
  Recent advances in intrusion prevention:
    Protocol enforcement
    Stack enforcement
    File checksum monitoring
  All of these attempt to protect against exploitation of software vulnerabilities by buffer overflow or protocol anomalies
Buffer overflows

    #include <string.h>
    /* Deliberately vulnerable example from the slide: strcpy() copies argv[1]
     * into a fixed 512-byte stack buffer with no length check at all. */
    int main(int argc, char *argv[]) {
        char buffer[512];
        if (argc > 1)
            strcpy(buffer, argv[1]);   /* overflows when argv[1] exceeds 511 bytes */
        return 0;
    }
What is happening within your code?
  1. The stack is used to store local variables and the return address (where your function should return when it finishes)
  2. An attacker's input consists of:
       malicious code
       a new return address (pointing to the malicious code)
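A bounds-checked counterpart to the slide's strcpy() example, added here as an illustration and not taken from the lecture: the copy is refused outright when the argument cannot fit in the same 512-byte buffer, so this path can never reach the saved return address. The names copy_arg_checked and handle_arg are chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hardened replacement for the slide's strcpy() call (added example, not
 * lecture code). The caller passes the destination size; an argument that
 * does not fit is rejected rather than silently truncated, and the
 * destination is always left NUL-terminated. */
bool copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return false;
    /* strnlen() stops at dstsz, so an oversized src is never scanned to its end */
    size_t n = strnlen(src, dstsz);
    if (n == dstsz) {                /* no room left for the terminator: reject */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);         /* n bytes plus the terminating NUL */
    return true;
}

/* Mirror of the slide's main(): the same 512-byte local buffer, but the copy
 * is bounds-checked. Returns 0 when the argument was copied, 1 otherwise. */
int handle_arg(const char *arg)
{
    char buffer[512];
    return copy_arg_checked(buffer, sizeof buffer, arg) ? 0 : 1;
}

int main(int argc, char *argv[])
{
    if (argc > 1)
        return handle_arg(argv[1]);
    return 0;
}
```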
Where is the HIDS on the Internet?
(Diagram: the TAMU, Mid-Continent, ComCast and UML networks)
NIDS: Network-Based Intrusion Detection System
  NIDS listens to the entire network segment
  System analyzes:
    Network packets passing along the network cable
    Audit trails and log files sent to the NIDS by hosts
    Processes and systems running on the network hosts
  Recent advances in intrusion prevention:
    "Active" rules to shut down connections
    "Integration" with firewalls to disable attackers
    "Data mining" to summarize the events
Where is the NIDS on the Internet?
(Diagram: the TAMU, Mid-Continent, ComCast and UML networks)
PIDS: Perimeter-Based Intrusion Detection System
  PIDS resides on a gateway/edge router
  System analyzes:
    Network packets passing through the gateway
    Audit trails and log files on the gateway
    Processes and systems running on the gateway
  Recent advances in intrusion prevention:
    Actively blocking known malicious attacks
    Zero-latency blocking
Where is the PIDS on the Internet?
(Diagram: the TAMU, Mid-Continent and Prairiewave networks)
Throughput - Real-Time Intrusion Detection
  Current technology can perform at gigabit speeds
  To exceed that speed, there are various options:
    Software: signature sets based on protocol; optimization, i.e. reducing the requirement to scan
    Hardware: co-processor chips such as ASICs (application-specific integrated circuits) or others; faster main processors
  This is important for host and network IDP
  But for perimeter IDP, how fast is your ISP link?
The Emergence of Intrusion Prevention
  If you detect an attack and know it's an attack, it seems sensible to block it
  However, three problems are apparent:
    1. False positives (false alarms) – blocking normal traffic
    2. Denial of service – blocking spoofed hosts
    3. Latency – delays in blocking limit effectiveness
  Evolution of the technology, and the merging of firewall and IDP functionality, is solving these problems
A Big Picture of Intrusion Detection and Prevention Being Together
(Diagram: Prevent and Detect side by side)
SQL Slammer Worm: The Fastest Internet Worm in History
  Timeline:
    July 24th 2002: Microsoft announced the vulnerability
    January 25th 2003: SQL Slammer worm unleashed; first detection at 05:29:36 GMT
    It infected more than 90 percent of vulnerable hosts within 10 minutes
  The worm:
    376-byte viral payload in a single UDP packet
    Infects machines with a single packet over UDP/1434
    UDP is a broadcast protocol: possible to infect multiple hosts with 1 packet
Hosts Infected With Slammer
A before-and-after animation showing the number of infected Sapphire hosts in a half-hour period between 05:29 UTC and 06:00 UTC.
http://www.caida.org/research/security/sapphire/
How to stop SQL Slammer?
  Patch
  Firewall / VPN:
    Block UDP/1434 (inbound and outbound)
    Use a VPN for access to sensitive services
  Intrusion Detection and Prevention:
    UDP/1434 is a well-known protocol: well-known vulnerability, 6 months before the exploit
    IDP signatures can detect and block exploits of this vulnerability
    The size of the packet is anomalous behavior
  Zero-latency active IDS/IDP is the only way of blocking this worm
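An added example, not from the lecture, of the two checks this slide describes written as a small C packet classifier: a signature rule for a UDP/1434 datagram carrying the worm's 376-byte payload, and an anomaly rule for any other oversized UDP/1434 datagram. SSRS_MAX_NORMAL is an assumed threshold, and build_udp constructs synthetic packets so the block runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdicts returned by the classifier (added example, not lecture code). */
enum verdict { V_PASS = 0, V_NOT_UDP1434, V_ALERT_SLAMMER_SIZE,
               V_ALERT_UDP1434_LARGE, V_MALFORMED };

#define SSRS_PORT        1434  /* UDP port used by the worm, from the slides */
#define SLAMMER_PAYLOAD   376  /* payload size the slides give for the worm */
#define SSRS_MAX_NORMAL    64  /* assumed ceiling for a legitimate UDP/1434 query */

/* Classify one raw IPv4 packet of 'len' captured bytes. Every offset is checked
 * against 'len' first so a truncated capture cannot cause an over-read. */
enum verdict classify_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return V_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;            /* IP header length, bytes */
    if (ihl < 20 || len < ihl + 8) return V_MALFORMED;
    if (pkt[9] != 17) return V_NOT_UDP1434;               /* protocol 17 = UDP */
    const uint8_t *udp = pkt + ihl;
    uint16_t dport = (uint16_t)((udp[2] << 8) | udp[3]);
    uint16_t ulen  = (uint16_t)((udp[4] << 8) | udp[5]);  /* UDP header + payload */
    if (ulen < 8 || ihl + ulen > len) return V_MALFORMED; /* bogus UDP length */
    if (dport != SSRS_PORT) return V_NOT_UDP1434;
    size_t payload = ulen - 8;
    if (payload == SLAMMER_PAYLOAD) return V_ALERT_SLAMMER_SIZE;  /* signature rule */
    if (payload > SSRS_MAX_NORMAL)  return V_ALERT_UDP1434_LARGE; /* anomaly rule */
    return V_PASS;
}

/* Build a constructed IPv4/UDP packet (no checksums; the classifier does not
 * need them) with a filler payload. Returns total length, or 0 if buf is too small. */
size_t build_udp(uint8_t *buf, size_t bufsz, uint16_t dport, size_t payload_len)
{
    size_t total = 20 + 8 + payload_len;
    if (total > bufsz || total > 0xffff) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                   /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64;                                     /* TTL */
    buf[9] = 17;                                     /* UDP */
    buf[20] = 0x04; buf[21] = 0xd2;                  /* source port 1234, arbitrary */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[24] = (uint8_t)((8 + payload_len) >> 8); buf[25] = (uint8_t)(8 + payload_len);
    memset(buf + 28, 0x41, payload_len);             /* filler bytes, not worm content */
    return total;
}
```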
Future Directions What do you think?
IDS Classification
  Intrusion detection approach: anomaly detection; signature detection
  Protected systems: HIDS; NIDS; hybrids
  Structure: centralized system; distributed system; agent system
  Data sources: audit trail; network packets; system state analysis (kernel, services, file, etc.)
  Behavior after an attack: active IDS; passive IDS
  Analysis timing: on-the-fly processing; interval-based IDS
Terms
  Anomaly detection: explores issues in intrusion detection associated with deviations from normal system or user behavior
  Signature detection: compares observed anomaly or attack patterns (signatures) against known intrusion signatures (also called rule-based detection)
  HIDS: uses information derived from a single host
  NIDS: exploits information obtained from a whole segment of a local network
  Passive IDS: simply generates alerts and logs network packets
  Active IDS: detects and responds to attacks, attempts to patch software holes before getting hacked, or acts proactively by logging out potential intruders or blocking services