Firewalls and Intrusion Detection Systems. Vyas Sekar (vsekar@andrew.cmu.edu), Carnegie Mellon University.
IDS and Firewall Goals
• Expressiveness: What kinds of policies can we write?
• Effectiveness: How well does it detect attacks while avoiding false positives?
• Efficiency: How many resources does it take, and how quickly does it decide?
• Ease of use: How much training is necessary? Can a non-security expert use it?
• Security: Can the system itself be attacked?
• Transparency: How intrusive is it to use?
Taxonomy
• Approach: Policy vs. Anomaly
• Location: Network vs. Host
• Action: Detect vs. Prevent
• Semantics: IP vs. TCP vs. App

| Type | Example |
|---|---|
| Host, Rule, IDS | Tripwire |
| Host, Rule, IPS | Personal firewall |
| Net, Rule, IDS | Snort |
| Net, Rule, IPS | Network firewall |
| Host, Anomaly, IDS | System call monitoring |
| Net, Anomaly, IDS | Working set of connections |
| Net, Anomaly, IPS | |
Firewalls
Dimensions:
1. Host vs. Network
2. Stateless vs. Stateful
3. Network layer at which it operates
Firewall Goals
Provide defense in depth by:
1. Blocking attacks against hosts and services
2. Controlling traffic between zones of trust
Logical Viewpoint
Inside | Firewall | Outside. For each message m, the firewall either:
• Allows it, with or without modification
• Blocks it, by dropping it silently or by sending a rejection notice (a silent drop leaves the sender waiting for a timeout; a rejection tells the sender, including a scanner, that something is there)
• Queues it
Placement
Host-based firewall: runs on the host itself, between the host and Outside.
Features:
• Faithful to local configuration
• Travels with you

Network-based firewall: one firewall between Outside and Hosts A, B, C.
Features:
• Protects the whole network
• Can make decisions on all of the traffic (traffic-based anomaly detection)
Parameters
Types of firewalls:
1. Packet filtering
2. Stateful inspection
3. Application proxy

Policies:
1. Default allow
2. Default deny
Recall: Protocol Stack
Application (e.g., SSL)
Transport (e.g., TCP, UDP)
Network (e.g., IP)
Link layer (e.g., Ethernet)
Physical

Encapsulation: an application message (data) is split into TCP segments, each with a TCP header; each segment gets an IP header; each IP packet gets a link (Ethernet) header and trailer:
    [ETH header][IP header][TCP header][data][ETH trailer]
Stateless Firewall
Filters by packet header fields only, with no memory of earlier packets:
1. IP fields (e.g., src, dst)
2. Protocol (e.g., TCP, UDP, ...)
3. Flags (e.g., SYN, ACK)
It looks at the network and transport headers; application data is not examined.

Example: only allow incoming DNS packets to nameserver A.A.A.A.
    Allow UDP port 53 to A.A.A.A
    Deny  UDP port 53 to all
Rules are matched in order, so the specific allow must precede the general deny; ending the list with a deny, so that anything unmatched is dropped (fail-safe), is good practice.
e.g., ipchains in Linux 2.2
Need to keep state
Example: TCP handshake, observed by a firewall between Inside (client) and Outside (server):
1. Client, Listening -> Wait: sends SYN with SN_C = rand_C, AN_C = 0
2. Server replies SYN/ACK with SN_S = rand_S, AN_S = SN_C + 1
3. Client, Established: sends ACK with SN = SN_C + 1, AN = SN_S + 1
To check these relationships the firewall has to store SN_C and SN_S.

Desired policy: every SYN/ACK must have been preceded by a SYN. A stateless filter cannot enforce this, because when the SYN/ACK arrives it no longer knows whether a SYN went out.
Stateful Inspection Firewall
Added state (plus the obligation to manage it):
– Timeouts
– Size of the state table
Inspects the link, network and transport layers and keeps per-connection state.
e.g., iptables in Linux 2.4
Stateful: More Expressive
The same TCP handshake, now with the firewall keeping a table entry per connection:
1. SYN from inside (SN_C = rand_C): record SN_C in the table
2. SYN/ACK from outside (SN_S = rand_S, AN_S = SN_C + 1): verify AN_S against the table; a SYN/ACK for a connection with no recorded SYN, or with the wrong acknowledgement number, is dropped
3. ACK from inside (SN = SN_C + 1, AN = SN_S + 1): connection Established
Stateful Firewalls
Pros
• More expressive
Cons
• State-holding attack
• Mismatch between the firewall's understanding of the protocol and the protected hosts' understanding
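The rule ordering of the stateless DNS example and the SYN/SYN-ACK tracking of the stateful one, together with the table limits that the state-holding attack later in these slides exploits, as an added Python example that is not part of the slides. The addresses, the rule format and the packet dictionaries are constructed for the illustration; the ACK-number check follows the handshake above (SN_C + 1).

```python
"""Added example, not from the slides: a toy first-match stateless filter and a
stateful TCP-handshake tracker with a bounded, expiring state table.
Packets are dicts constructed inline (no sockets); all addresses are made up."""
import time
from collections import OrderedDict

# Stateless rules, tried in order; first match wins. Fields: (action, proto,
# dst_ip or None for any, dst_port or None for any).
DNS_RULES = [
    ("allow", "udp", "10.0.0.53", 53),   # the nameserver "A.A.A.A" of the slide
    ("deny",  "udp", None,        53),   # DNS to anything else
]

def stateless_decide(pkt, rules, default="deny"):
    """Header-only decision; nothing is remembered between packets."""
    for action, proto, dst, port in rules:
        if pkt["proto"] == proto and dst in (None, pkt["dst"]) and port in (None, pkt["dport"]):
            return action
    return default                     # fail-safe: unmatched traffic is dropped

def _flow_key(pkt):
    """Same key for both directions of one TCP connection."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

class StatefulFirewall:
    """A SYN that the rule set permits creates a table entry holding the ACK
    number the SYN/ACK must carry (SN_C + 1). A SYN/ACK is allowed only if it
    matches a recorded SYN. Entries expire after `timeout` seconds and the
    table holds at most `max_entries`; when full, the oldest entry is evicted
    and its connection fails closed."""

    def __init__(self, syn_rules, max_entries=3, timeout=30.0, clock=time.monotonic):
        self.syn_rules = syn_rules
        self.table = OrderedDict()     # flow key -> {"expect_ack", "state", "expires"}
        self.max_entries, self.timeout, self.clock = max_entries, timeout, clock
        self.evictions = 0

    def _expire(self):
        now = self.clock()
        for k in [k for k, e in self.table.items() if e["expires"] <= now]:
            del self.table[k]

    def handle(self, pkt):
        self._expire()
        flags, key = pkt["flags"], _flow_key(pkt)
        if flags == {"S"}:                                   # SYN: may open a flow
            if stateless_decide(pkt, self.syn_rules) != "allow":
                return "deny"
            if len(self.table) >= self.max_entries:          # state-holding pressure
                self.table.popitem(last=False)
                self.evictions += 1
            self.table[key] = {"expect_ack": pkt["seq"] + 1, "state": "SYN_SENT",
                               "expires": self.clock() + self.timeout}
            return "allow"
        entry = self.table.get(key)
        if entry is None:
            return "deny"                                    # no SYN seen: unsolicited
        if flags == {"S", "A"}:                              # SYN/ACK must answer the SYN
            if entry["state"] != "SYN_SENT" or pkt["ack"] != entry["expect_ack"]:
                return "deny"
            entry["state"] = "ESTABLISHED"
            return "allow"
        return "allow" if entry["state"] == "ESTABLISHED" else "deny"

def tcp(src, sport, dst, dport, flags, seq=0, ack=0):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags), "seq": seq, "ack": ack}

WEB_RULES = [("allow", "tcp", None, 80)]   # only SYNs to port 80 may open flows

def handshake_demo():
    fw = StatefulFirewall(WEB_RULES)
    return [
        fw.handle(tcp("10.0.0.5", 40000, "203.0.113.9", 80, "S", seq=1000)),            # allow
        fw.handle(tcp("203.0.113.9", 80, "10.0.0.5", 40000, "SA", seq=5000, ack=1001)),  # allow
        fw.handle(tcp("10.0.0.5", 40000, "203.0.113.9", 80, "A", seq=1001, ack=5001)),   # allow
        fw.handle(tcp("203.0.113.9", 80, "10.0.0.5", 40001, "SA", seq=7, ack=1)),        # deny: no SYN
        fw.handle(tcp("198.51.100.7", 80, "10.0.0.5", 40000, "SA", seq=7, ack=1001)),    # deny: wrong peer
    ]

def state_holding_demo():
    """SYN flood -> table exhausted -> a legitimate handshake breaks (fail closed).
    A firewall that instead failed open would let the attacker 'sneak a packet'."""
    fw = StatefulFirewall(WEB_RULES, max_entries=3)
    fw.handle(tcp("10.0.0.5", 40000, "203.0.113.9", 80, "S", seq=1000))   # legitimate SYN
    for p in range(1, 4):                                                 # attacker SYNs to an inside web server
        fw.handle(tcp("198.51.100.7", p, "10.0.0.80", 80, "S", seq=p))
    verdict = fw.handle(tcp("203.0.113.9", 80, "10.0.0.5", 40000, "SA", seq=5000, ack=1001))
    return fw.evictions, verdict

def expiry_demo():
    now = [0.0]
    fw = StatefulFirewall(WEB_RULES, timeout=30.0, clock=lambda: now[0])
    fw.handle(tcp("10.0.0.5", 40000, "203.0.113.9", 80, "S", seq=1000))
    now[0] = 31.0                                                         # the SYN entry has timed out
    return fw.handle(tcp("203.0.113.9", 80, "10.0.0.5", 40000, "SA", seq=5000, ack=1001))
```

The eviction policy is the design decision the slides leave open: evicting the oldest half-open entry keeps the table bounded but lets a flood knock out legitimate connections, while skipping the check when the table is full would keep connections working and open the door to the sneaked packet.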
Application Firewall
Checks protocol messages directly, at the application layer, keeping state as needed.
Examples:
– SMTP virus scanner
– Proxies
– Application-level callbacks
Firewall Placement
Demilitarized Zone (DMZ)
The firewall separates three zones: Inside, Outside, and a DMZ that hosts the externally reachable services: WWW, NNTP, DNS, SMTP.
Typical Firewall Configuration
• Internal hosts can access the DMZ and the Internet
• External hosts can access the DMZ only, not the Intranet
• DMZ hosts can access the Internet only
• Advantages?
• If a service in the DMZ gets compromised, it cannot affect internal hosts, because the path from the DMZ into the Intranet is blocked
Dual Firewall
Outside | Exterior Firewall | DMZ (hub) | Interior Firewall | Inside
Intrusion Detection and Prevention Systems
Logical Viewpoint
Inside | IDS/IPS | Outside. For each message m, the system either:
• Reports m (an IPS additionally drops it, or just logs it)
• Allows m
• Queues m
Overview
• Approach: Policy vs. Anomaly
• Location: Network vs. Host
• Action: Detect vs. Prevent
• Semantics: "looks deeper" than a firewall, into application content
Policy-Based IDS
Use pre-determined rules to detect attacks.
Examples: regular expressions (Snort), cryptographic hashes of files (Tripwire) or of content (Snort).

Example Snort rules

Detect any fragments smaller than 256 bytes:
    alert tcp any any -> any any (minfrag: 256; msg: "Tiny fragments detected, possible hostile activity";)

Detect an IMAP buffer overflow (bytes of a known exploit payload followed by /bin/sh, sent to port 143 on the local network):
    alert tcp any any -> 192.168.1.0/24 143 (content: "|90C8 C0FF FFFF|/bin/sh"; msg: "IMAP buffer overflow!";)
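To make the two rules concrete, an added Python example (not from the slides and not Snort's own code) that parses rules of this shape and applies them to constructed packets. The |..| hex syntax and the address/port matching follow Snort's rule language; the minfrag handling is a simplified reading (fire when a fragment is shorter than the threshold), and the packets and payload bytes are made up.

```python
"""Added example, not from the slides or from Snort itself: a minimal parser
for rules of the shape shown above and a matcher for their 'content:' option,
where |..| sections are hex bytes and the rest is literal text. The packets
below are constructed samples."""
import ipaddress
import re

def parse_content(spec):
    """'|90C8 C0FF FFFF|/bin/sh' -> b'\\x90\\xc8\\xc0\\xff\\xff\\xff/bin/sh'."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                                   # inside |...|: hex, spaces ignored
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                       # literal text, one byte per character
            out += part.encode("latin-1")
    return bytes(out)

_HEADER = re.compile(r"alert\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(line):
    """Header plus a flat 'key: value;' option list (quoted values must not contain ';')."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a rule: " + line)
    proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        if opt.strip():
            k, _, v = opt.partition(":")
            options[k.strip()] = v.strip().strip('"')
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "content": parse_content(options["content"]) if "content" in options else None,
            "minfrag": int(options["minfrag"]) if "minfrag" in options else None,
            "msg": options.get("msg", "")}

def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    """pkt: proto, src, sport, dst, dport, payload (bytes), frag_len (bytes or None)."""
    if pkt["proto"] != rule["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    if rule["minfrag"] is not None:                 # simplified reading: fire on small fragments
        if pkt.get("frag_len") is None or pkt["frag_len"] >= rule["minfrag"]:
            return False
    if rule["content"] is not None and rule["content"] not in pkt["payload"]:
        return False
    return True

def scan(rule_lines, pkts):
    """Messages of every rule that fires on every packet, in packet order."""
    rules = [parse_rule(l) for l in rule_lines]
    return [r["msg"] for p in pkts for r in rules if rule_matches(r, p)]

RULES = [
    'alert tcp any any -> any any (minfrag: 256; msg: "Tiny fragments detected, possible hostile activity";)',
    'alert tcp any any -> 192.168.1.0/24 143 (content: "|90C8 C0FF FFFF|/bin/sh"; msg: "IMAP buffer overflow!";)',
]

def sample_packets():
    exploit = b"\x90" * 16 + b"\x90\xc8\xc0\xff\xff\xff/bin/sh\x00"      # constructed payload
    return [
        {"proto": "tcp", "src": "203.0.113.9", "sport": 4444, "dst": "192.168.1.10",
         "dport": 143, "payload": exploit, "frag_len": None},                       # IMAP rule fires
        {"proto": "tcp", "src": "203.0.113.9", "sport": 4444, "dst": "10.0.0.10",
         "dport": 143, "payload": exploit, "frag_len": None},                       # wrong network
        {"proto": "tcp", "src": "203.0.113.9", "sport": 4444, "dst": "192.168.1.10",
         "dport": 80, "payload": b"GET / HTTP/1.0\r\n", "frag_len": 64},            # tiny fragment
    ]
```

Because the content match is a plain byte search over one packet's payload, the same signature is missed when the exploit is split across fragments or segments that the sensor does not reassemble, which is exactly the evasion discussed later in these slides.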
Modeling System Calls [Wagner & Dean 2001]

    f(int x) {
      if (x) { getuid(); } else { geteuid(); }
      x++;
    }
    g() {
      fd = open("foo", O_RDONLY);
      f(0);
      close(fd);
      f(1);
      exit(0);
    }

Automaton derived from the program: states Entry(g), Exit(g), Entry(f), Exit(f); edges labeled by the system calls open(), close(), exit(), getuid(), geteuid(); a call of f is an edge into Entry(f) and a return is an edge out of Exit(f).
An execution (the observed system-call sequence) inconsistent with the automaton indicates an attack.
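The automaton for this program, as an added Python example (not from the slides and not Wagner and Dean's implementation): the callgraph model encoded as an NFA over system-call names and run as a monitor over a trace. The intermediate state names (g1 to g4) and the traces are constructed; the epsilon edge out of Exit(f) to both call sites is what makes the callgraph model context-insensitive, and the example shows the imprecision that results.

```python
"""Added example, not from the slides or from Wagner & Dean's implementation:
the callgraph model of the f/g program as an NFA over system-call names, with
epsilon edges for calls and returns, run as a monitor over a trace. The
intermediate state names and the traces are constructed for this illustration."""
EPS = None

# (state, label) -> set of successor states; labels are syscall names or EPS.
CALLGRAPH = {
    ("Entry(g)", "open"):    {"g1"},
    ("g1", EPS):             {"Entry(f)"},       # call f(0)
    ("Exit(f)", EPS):        {"g2", "g4"},       # return: the model does not know which call site
    ("g2", "close"):         {"g3"},
    ("g3", EPS):             {"Entry(f)"},       # call f(1)
    ("g4", "exit"):          {"Exit(g)"},
    ("Entry(f)", "getuid"):  {"Exit(f)"},
    ("Entry(f)", "geteuid"): {"Exit(f)"},
}

def epsilon_closure(states, nfa=CALLGRAPH):
    """All states reachable from `states` by following only EPS edges."""
    closure, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        for t in nfa.get((s, EPS), ()):
            if t not in closure:
                closure.add(t)
                todo.append(t)
    return closure

def step(states, syscall, nfa=CALLGRAPH):
    """Consume one system call from every current state, then close under EPS."""
    nxt = set()
    for s in states:
        nxt |= nfa.get((s, syscall), set())
    return epsilon_closure(nxt, nfa)

def first_violation(trace, start="Entry(g)", nfa=CALLGRAPH):
    """Index of the first syscall the automaton cannot explain, or None.
    This is how the monitor runs online: one observed call at a time."""
    states = epsilon_closure({start}, nfa)
    for i, call in enumerate(trace):
        states = step(states, call, nfa)
        if not states:
            return i
    return None

def is_consistent(trace):
    return first_violation(trace) is None

NORMAL_RUN = ["open", "geteuid", "close", "getuid", "exit"]   # what g() actually does
INJECTED   = ["open", "geteuid", "close", "execve"]            # an injected execve
IMPOSSIBLE = ["open", "getuid", "exit"]                        # skips close; no real run does this
```

The last trace is accepted even though the program cannot produce it: after the first return from f the NFA is in both g2 and g4, so it allows exit without an intervening close. That is the impossible-path imprecision of the context-insensitive model; the pushdown (abstract stack) model in the same paper removes it at a higher monitoring cost.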
Anomaly Detection
The IDS learns the distribution of "normal" events. Each new event is classified against that distribution: an event that falls within it is Safe, one that falls outside it is an Attack.
Example: Working Sets
Alice, days 1 to 300: her connections go to a working set of hosts {reddit, xkcd, slashdot, fark}.
Alice, day 300: a connection to a host outside that working set is the anomaly the detector flags.
Anomaly Detection
Pros
• Does not require pre-determining a policy (can catch an "unknown" threat)
Cons
• Requires that attacks are not strongly related to known (normal) traffic
• Learning distributions is hard
Attacks and Evasion
State Holding Attack
Assume a stateful TCP policy, in which every SYN creates a table entry in the firewall.
1. SYN flood: the attacker sends SYN, SYN, SYN, ... from outside
2. Exhaust resources: the firewall's state table fills up, each entry being held until it times out
3. Sneak a packet: with no room for new state, the firewall either drops legitimate new connections or, if it fails open, stops checking, and the attacker's packet gets through
The defence is the state management noted earlier: a bounded table and timeouts, with exhaustion handled so that the firewall fails closed rather than open.
Fragmentation

IPv4 header, first rows (octets 1 to 4):
    Ver | IHL | TOS | Total Length
    Identification | flags (0, DF, MF) | Fragment Offset
    ...
    Data

DF: Don't Fragment (0 = may fragment, 1 = don't)
MF: More Fragments (0 = last fragment, 1 = more to come)
Fragment Offset: where this fragment's data sits in the original payload. The slide labels it "Frag ID" and counts it in octets; the header field is in units of 8 octets. The Identification field is the same in every fragment of one datagram, which is how the receiver groups them.

Splitting Data into three fragments of n bytes each:
    IP Hdr  DF=0  MF=1  offset=0   Frag 1
    IP Hdr  DF=0  MF=1  offset=n   Frag 2
    IP Hdr  DF=0  MF=0  offset=2n  Frag 3
MF=0 alone marks the last fragment; DF is 0 on every fragment, since the datagram was allowed to be fragmented at all.
Reassembly
The receiver uses the offsets to put the fragments back in place:
    Frag 1 at byte 0, Frag 2 at byte n, Frag 3 at byte 2n
and rebuilds Data once the fragment with MF=0 and all the bytes before it have arrived.
Example: a 2,366-byte packet enters an Ethernet network with the default MTU of 1500. The IP payload is 2,346 bytes (a 24-byte TCP header plus 2,322 bytes of data); each fragment can carry at most 1,480 bytes of it, and every fragment but the last must carry a multiple of 8 bytes.

Packet 1: 1500 bytes
– 20 bytes for the IP header
– 24 bytes for the TCP header
– 1456 bytes of data
– DF = 0 (may fragment), MF = 1 (more fragments)
– Fragment offset = 0

Packet 2: 886 bytes
– 20 bytes for the IP header
– no TCP header: the transport header is ordinary payload to IP and is carried only by the first fragment
– 866 bytes of data
– DF = 0 (may fragment), MF = 0 (last fragment)
– Fragment offset = 185 (1480 bytes / 8, counting the TCP header as part of the first fragment's payload)

Only the first fragment carries the TCP header, so a filter that checks ports sees them in one fragment only; the next slide exploits that.
Overlapping Fragment Attack

TCP header, first rows (octets 1 to 4):
    Source Port | Destination Port
    Sequence Number
    ...

Assume the firewall policy allows incoming port 80 (HTTP) and blocks incoming port 22 (SSH), and that the filter checks ports only in the first fragment (offset 0), the only one that carries a TCP header.

Packet 1 (MF=1, offset 0): IP header followed by the start of the TCP header: src port 1234, dst port 80. The filter sees port 80 and allows it.
Packet 2 (MF=1, same Identification, non-zero offset): looks like plain data to the filter, so its ports are never checked; but its offset places its bytes over the destination port field of the reassembled segment, and those bytes say 22.
After reassembly at the host, the segment is delivered to port 22: the policy is bypassed, and what the filter took for data became TCP header.

Countermeasure (RFC 1858): drop any first fragment too small to contain the whole transport header, and drop any fragment whose offset would overlap it (for TCP, fragment offset 1); a stateful filter can also reassemble before deciding.
Small TTL attack

Internet | NIDS | Host. The attacker sends the stream A T T I A C K, where the segment carrying "I" and the following segment carrying "A" use the same TCP sequence number, and "I" has a TTL just large enough to reach the NIDS but not the host behind it.
– End host sees: A T T A C K (the "I" segment expired in transit)
– NIDS sees: A T T I A C K, two candidates for the same sequence number; if it keeps the first it reconstructs ATTICK and never matches the signature ATTACK
The NIDS cannot tell which bytes the host received without knowing the path length to the host.
Fragmentation overlap attack

Internet | NIDS | Host. The attacker sends A T T A I C K where the "A" and the "I" share the same TCP sequence number or the same IP fragment offset, so they overlap.
– End host sees: ATTACK or ATTICK, depending on whether its stack favors the first or the last copy of an overlapped byte
– NIDS sees: whichever its own reassembly policy produces
If the two policies differ, the NIDS inspects a different byte stream than the host executes, and a signature match is missed.
Potential fix: traffic normalizer
Introduce a "bump in the wire": a traffic normalizer in front of the NIDS that removes protocol ambiguities (for example, resolving overlapping fragments or segments one way and discarding segments whose TTL could not reach the host), so that NIDS and host see the same stream.

Internet | Normalizer | NIDS | Host
Algorithmic complexity attacks
• DoS attacks are not only serious for denying service; they can be more severe when used as a component of another attack
• A DoS attack on the IDS enables other attacks to remain undetected
• E.g., "Denial of Service via Algorithmic Complexity Attacks" by Crosby and Wallach
Detection Theory: base rate, fallacies, and detection systems
Let Ω be the set of all possible events. For example:
• Audit records produced on a host
• Network packets seen
Set of intrusion events I ⊆ Ω.
Intrusion rate: Pr[I].
Example: the IDS received 1,000,000 packets; 20 of them corresponded to an intrusion. The intrusion rate is Pr[I] = 20/1,000,000 = 0.00002.
Set of alerts A ⊆ Ω.
Alert rate: Pr[A].
Defn: Sound: every alert is an intrusion (A ⊆ I), i.e. no false positives.
Defn: Complete: every intrusion raises an alert (I ⊆ A), i.e. no false negatives.
Defn: False positive: an alert that is not an intrusion (A \ I).
Defn: False negative: an intrusion that raises no alert (I \ A).
Defn: True positive: an intrusion that raises an alert (I ∩ A).
Defn: True negative: an event that is neither an intrusion nor an alert.
Defn: Detection rate: Pr[A | I].
Think of the detection rate as the set of intrusions raising an alert normalized by the set of all intrusions.
Example, continuing with 20 intrusions among 1,000,000 events: 18 intrusions raise an alert (|I ∩ A| = 18), 2 intrusions raise none (|I \ A| = 2), and 4 alerts are raised on events that are not intrusions (|A \ I| = 4).
Detection rate = 18/20 = 90%.
Defn: Bayesian detection rate: Pr[I | A]. Crux of IDS usefulness!
Think of the Bayesian detection rate as the set of intrusions raising an alert normalized by the set of all alerts (vs. the detection rate, which normalizes on intrusions).
With the same counts (|I ∩ A| = 18, |A \ I| = 4, |I \ A| = 2): Bayesian detection rate = 18/22 ≈ 82%.
About 18% of all alerts (4 of 22) are false positives!
Challenge
We're often given the detection rate and know the intrusion rate, and want to calculate the Bayesian detection rate:
– 99% accurate medical test
– 99% accurate IDS
– 99% accurate test for deception
– ...
Fact:
Proof:
Calculating Bayesian Detection Rate
Fact:
So to calculate the Bayesian detection rate:
One way is to compute:
Example
• 1,000 people in the city
• 1 is a terrorist, and we have their pictures. Thus the base rate of terrorists is 1/1000
• Suppose we have a new terrorist facial recognition system that is 99% accurate:
  – 99/100 times when someone is a terrorist there is an alarm
  – For every 100 good guys, the alarm only goes off once
• An alarm went off. Is the suspect really a terrorist?
Example
Answer: the facial recognition system is 99% accurate, so there is only a 1% chance the guy is not the terrorist.
Wrong!
Formalization
• 1 in 1,000 is a terrorist, and we have their pictures. Thus the base rate of terrorists is 1/1000: P[T] = 0.001
• 99/100 times when someone is a terrorist there is an alarm: P[A | T] = 0.99
• For every 100 good guys, the alarm only goes off once: P[A | not T] = 0.01
• Want to know P[T | A]

Intuition: given 999 good guys, we expect 999 * 0.01 ≈ 9-10 false alarms for each true alarm, so an alarm points at the terrorist only about one time in ten.
Recall, to get Pr[A]
Fact:
Proof:
...and to get Pr[A ∩ I]
Fact:
Proof:
Visualization: ROC (Receiver Operating Characteristic) curve
Plot the true-positive rate against the false-positive rate of a binary classifier at various threshold settings.
For IDS
Let I be an intrusion and A an alert from the IDS, and suppose:
– 1,000,000 messages per day are processed
– 2 attacks per day
– 10 messages per attack
so Pr[I] = 20/1,000,000 = 0.00002.

The ROC curve (true positives against false positives) then shows how the false-positive rate dominates:
– 70% detection requires a false-positive rate below 1/100,000
– 80% detection generates 40% false positives

From Axelsson, RAID 99
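The detection-rate and Bayesian-detection-rate arithmetic of this section, as an added Python example (not from the slides or from Axelsson's paper) covering the 18/4/2 packet counts, the facial-recognition example and the Pr[I] = 0.00002 setting above. The false-positive rates in the sweep are chosen for illustration.

```python
"""Added example, not from the slides or Axelsson's paper: detection rate and
Bayesian detection rate computed from counts and from rates, applied to the
numbers used in this section. Fractions keep the arithmetic exact."""
from fractions import Fraction as F

def rates_from_counts(true_pos, false_neg, false_pos):
    """Counts of I∩A, I\\A and A\\I. Returns (detection rate Pr[A|I],
    Bayesian detection rate Pr[I|A], share of alerts that are false positives)."""
    intrusions, alerts = true_pos + false_neg, true_pos + false_pos
    return F(true_pos, intrusions), F(true_pos, alerts), F(false_pos, alerts)

def bayesian_detection_rate(p_i, p_a_given_i, p_a_given_not_i):
    """Pr[I|A] = Pr[A|I] Pr[I] / Pr[A], with
    Pr[A] = Pr[A|I] Pr[I] + Pr[A|not I] Pr[not I]  (total probability)."""
    p_i, p_a_i, p_a_not_i = F(p_i), F(p_a_given_i), F(p_a_given_not_i)
    p_a = p_a_i * p_i + p_a_not_i * (1 - p_i)
    return p_a_i * p_i / p_a

def terrorist_example():
    """P[T] = 1/1000, P[A|T] = 0.99, P[A|not T] = 0.01  ->  P[T|A]."""
    return bayesian_detection_rate(F(1, 1000), F(99, 100), F(1, 100))

def expected_false_alarms(population, p_i, p_a_given_not_i):
    """The slide's intuition: 999 good guys * 0.01 ≈ 10 false alarms."""
    return F(population) * (1 - F(p_i)) * F(p_a_given_not_i)

def axelsson_sweep(detection=F(7, 10), p_i=F(2, 100000)):
    """Pr[I] = 20 intrusive records per 1,000,000: how the false-positive rate
    drives Pr[I|A] at a fixed 70% detection rate. Rates 1e-2 .. 1e-6 are
    chosen for illustration."""
    fp_rates = [F(1, 10 ** k) for k in range(2, 7)]
    return [(fp, bayesian_detection_rate(p_i, detection, fp)) for fp in fp_rates]
```

With Pr[I] this small, a detector that never misses an intrusion but has a 0.1% false-positive rate still produces alerts of which roughly 98% are false; the sweep shows the Bayesian detection rate climbing only as the false-positive rate falls to the order of Pr[I] itself.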
Why is anomaly detection hard?
Think in terms of ROC curves and the base rate fallacy:
– Are real things (attacks) rare? If so, they are hard to learn, and even a small false-positive rate swamps the true alerts
– Are real things common? If so, probably OK
Conclusion
• Firewalls
  – 3 types: packet filtering, stateful, and application
  – Placement and DMZ
• IDS
  – Anomaly vs. policy-based detection
• How can we exploit for evasion?
  – E.g., fragmentation, TCP session reassembly, TTL
• How can we attack the defense infrastructure?
  – E.g., overload, algorithmic complexity
• Detection theory
  – Base rate fallacy
Questions?
END
Thought