Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection...
Transcript of Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection...
![Page 1: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/1.jpg)
Intrusion Detection
Intrusion Detection
Motivation
Defenses
Just an Overview
Generic ArchitectureFundamentalChoices
Location
Type
Actions
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
1 / 46
![Page 2: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/2.jpg)
Motivation
Intrusion Detection
Motivation
Defenses
Just an Overview
Generic ArchitectureFundamentalChoices
Location
Type
Actions
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
2 / 46
■ We can’t prevent all break-ins■ There will always be new holes, new attacks,
and new attackers■ We need some way to cope
![Page 3: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/3.jpg)
Defenses
Intrusion Detection
Motivation
Defenses
Just an Overview
Generic ArchitectureFundamentalChoices
Location
Type
Actions
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
3 / 46
■ Harden the host■ Deploy a firewall■ Encrypt connections■ Use an intrusion detection system (IDS) to let
us know that our other defenses have failed. . .
![Page 4: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/4.jpg)
Just an Overview
Intrusion Detection
Motivation
Defenses
Just an Overview
Generic ArchitectureFundamentalChoices
Location
Type
Actions
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
4 / 46
■ This lecture will just scratch the surface■ For more details, take COMS E6185
![Page 5: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/5.jpg)
Generic Architecture
Intrusion Detection
Motivation
Defenses
Just an Overview
Generic ArchitectureFundamentalChoices
Location
Type
Actions
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
5 / 46
CountermeasuresDetector/
Analyzer
System
Probes Events Actions
ConfigDatabase
![Page 6: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/6.jpg)
Fundamental Choices
Intrusion Detection
Motivation
Defenses
Just an Overview
Generic ArchitectureFundamentalChoices
Location
Type
Actions
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
6 / 46
■ Location■ Type■ Actions
![Page 7: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/7.jpg)
Location
Intrusion Detection
Motivation
Defenses
Just an Overview
Generic ArchitectureFundamentalChoices
Location
Type
Actions
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
7 / 46
■ Host-resident■ Network-based■ Firewall-based
![Page 8: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/8.jpg)
Type
Intrusion Detection
Motivation
Defenses
Just an Overview
Generic ArchitectureFundamentalChoices
Location
Type
Actions
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
8 / 46
■ Misuse detection (signature-based)
◆ Specification-based◆ Hand-built
■ Anomaly detection (statistical)
◆ Hand-coded◆ Learning-based
![Page 9: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/9.jpg)
Actions
Intrusion Detection
Motivation
Defenses
Just an Overview
Generic ArchitectureFundamentalChoices
Location
Type
Actions
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
9 / 46
■ Alarms■ Shutdown
![Page 10: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/10.jpg)
Location
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
10 / 46
![Page 11: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/11.jpg)
Host-Based
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
11 / 46
NetworkHost IDS
■ OS auditing mechanisms (log files, SolarisBSM, etc)
■ Socket tap■ System call traces■ Shell command history■ Windows registry accesses■ Note: some of these also useful for forensics
![Page 12: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/12.jpg)
Advantages and Disadvantage
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
12 / 46
■ No confusion about what has happened■ Data is already decrypted■ But — may be expensive■ Subvertible■ Use a VM?■ Useful precaution: transmit data off-node
immediately
![Page 13: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/13.jpg)
The Big Advantages of Host IDS
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
13 / 46
■ More time■ More context■ Everything is reassembled■ Look at entire item, not streams■ Example: it’s all but impossible to do email
virus scanning in the network
![Page 14: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/14.jpg)
Network-Based
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
14 / 46
■ Packet-sniffing (via tcpdump?)■ In-line or in parallel?■ Can be confused■ Can’t handle encrypted traffic
![Page 15: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/15.jpg)
Net-Resident: Parallel
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
15 / 46
Alerting network
NetworkHost
IDS
■ Very unobtrusive■ But — need special hardware to tap an
Ethernet■ Need some network connection to the IDS
![Page 16: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/16.jpg)
Tapping an Ethernet
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
16 / 46
■ Cannot simply wire IDS to jack■ Best solution: one-way tap gear■ Note: taps one traffic direction only; may need
a pair of them■ Some switches have a monitoring port (AKA
spanning port, mirroring port, etc) — canreceive copies of data from any other port
![Page 17: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/17.jpg)
Net-Resident: Serial
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
17 / 46
IDS NetworkHost
■ Can’t miss packets■ But — if it crashes, the host is unreachable■ (Often part of firewalls)■ More detectable, via timing■ Can the IDS box be hacked?
![Page 18: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/18.jpg)
TCP Normalization
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
18 / 46
■ Attackers can play games with TCP/IP toconfuse network-resident IDS
■ Example: overlapping fragments:
s u a n n e
r o o t
Which fragment is honored? Varies!■ TTL games: give some packets a TTL just
high enough to reach the IDS, but not highenough to reach the destination host
■ Solution: TCP normalizer, to fix these
![Page 19: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/19.jpg)
Locations
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
19 / 46
■ Outside the firewall?■ We know there are bad guys there; what’s the
point?■ Just inside? What’s the threat model?■ On sensitive internal nets?■ In front of each sensitive host?■ In “dark space”?
![Page 20: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/20.jpg)
What’s Dark Space?
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
20 / 46
■ A block of address space not used by realmachines and not pointed to by DNS entries
■ There is no legitimate reason to send packetsto such addresses
■ Therefore, any host sending to such addressesis up to no good
■ Commonly used to detect scanning worms
![Page 21: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/21.jpg)
What’s the Purpose of the IDS?
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
21 / 46
■ Unless you’re a researcher, all you care aboutis real threats to your own machines
■ Inside edge of the firewall? Can detect dataexfiltration, but misses insider attacks
■ Sensitive internal nets: detect threats aimed atthem
■ Watching each host? Detect attacks on insidehosts from other hosts on the same LAN
■ Dark space? Detect scanning worms (andattackers)
![Page 22: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/22.jpg)
Auto-Quarantine
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
22 / 46
■ Many organizations implement“auto-quarantine”
■ This is especially common for universityresidence hall networks
■ Machines that do too much scanning (and inparticular attempt to probe dark space) areassumed to be virus-infected
■ They’re moved to a separate net; the only sitesthey can contact are Windows Update, theMac equivlanet, anti-virus companies, and thelike
![Page 23: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/23.jpg)
Honeypots and Honeynets
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
23 / 46
■ Special-purpose host or network designed to beattacked
■ Equipped with copious monitoring■ Lure the attacker in deeper■ Waste the attacker’s time; study the attacker’s
technique■ Note well: keeping honeypot (and dark space)
addresses secret is vital
![Page 24: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/24.jpg)
Extrusion Detection
Intrusion Detection
Location
Host-BasedAdvantages andDisadvantage
The Big Advantagesof Host IDS
Network-BasedNet-Resident:Parallel
Tapping an Ethernet
Net-Resident: Serial
TCP Normalization
Locations
What’s Dark Space?
What’s the Purposeof the IDS?
Auto-Quarantine
Honeypots andHoneynets
Extrusion Detection
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
24 / 46
■ Detect bad things leaving your network■ Detect sensitive things leaving your network■ Finds theft of inside information, either by
attacker or by rogue insider■ Can be done in the network or in application
gateways
![Page 25: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/25.jpg)
IDS Types
Intrusion Detection
Location
IDS Types
Signature-Based
Specification-BasedSignatures
Anomaly-BasedDetection
Actions
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
25 / 46
![Page 26: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/26.jpg)
Signature-Based
Intrusion Detection
Location
IDS Types
Signature-Based
Specification-BasedSignatures
Anomaly-BasedDetection
Actions
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
26 / 46
■ Enumerate known types of misbehavior■ Basis for most anti-virus software■ New attacks require new signatures■ Advantage: few false positives■ Disadvantage: can’t detect new attacks
![Page 27: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/27.jpg)
Specification-Based Signatures
Intrusion Detection
Location
IDS Types
Signature-Based
Specification-BasedSignatures
Anomaly-BasedDetection
Actions
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
27 / 46
■ Define all possible legal behavior■ Note: not necessarily protocol-based — want
to know what’s legal in your environment■ Anything else is an attack■ But — very hard to build such a model
![Page 28: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/28.jpg)
Anomaly-Based Detection
Intrusion Detection
Location
IDS Types
Signature-Based
Specification-BasedSignatures
Anomaly-BasedDetection
Actions
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
28 / 46
■ Learn what “normal” is■ Train system in known-safe environment■ Any departure from this is presumed suspicious■ Can detect novel attacks■ But — frequent false positives
![Page 29: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/29.jpg)
Actions
Intrusion Detection
Location
IDS Types
Signature-Based
Specification-BasedSignatures
Anomaly-BasedDetection
Actions
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
29 / 46
■ Alarms — rely on a human to react⇒ Good for after-the-fact clean-up⇒ But — can’t cope with high alarm rate
■ Shutting it down — prevent further damage⇒ But — can turn into a denial of service attack
![Page 30: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/30.jpg)
Simple Monitoring
Intrusion Detection
Location
IDS Types
Simple Monitoring
A Simple Approach
Some ResultsThe Most ProbedPortsWhat Did TheProbers Want?
Dshield.org Data
Bad Neighborhoods
FindingCompromised Hosts
IDS in the RealWorld
30 / 46
![Page 31: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/31.jpg)
A Simple Approach
Intrusion Detection
Location
IDS Types
Simple Monitoring
A Simple Approach
Some ResultsThe Most ProbedPortsWhat Did TheProbers Want?
Dshield.org Data
Bad Neighborhoods
FindingCompromised Hosts
IDS in the RealWorld
31 / 46
■ I ran this command for a while, on two hosts:
tcpdump -p -l "tcp[13] == 0x2 and dst $us"
■ What does it do?■ Logs all TCP SYN-only packets addressed to
us (tcp[13] is the flags byte in the TCPheader; 0x2 is SYN)
![Page 32: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/32.jpg)
Some Results
Intrusion Detection
Location
IDS Types
Simple Monitoring
A Simple Approach
Some ResultsThe Most ProbedPortsWhat Did TheProbers Want?
Dshield.org Data
Bad Neighborhoods
FindingCompromised Hosts
IDS in the RealWorld
32 / 46
■ About 85 probes apiece, during a 30-hour run■ 63 different ports scanned■ Some obvious: http, ssh, Windows file-sharing,
SMTP, web proxy■ Some strange: 49400–49402, 8081–8090,
81–86■ Some ominous: terabase, radmin-port■ Most probers looked at one port; one looked
at 46 ports
![Page 33: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/33.jpg)
The Most Probed Ports
Intrusion Detection
Location
IDS Types
Simple Monitoring
A Simple Approach
Some ResultsThe Most ProbedPortsWhat Did TheProbers Want?
Dshield.org Data
Bad Neighborhoods
FindingCompromised Hosts
IDS in the RealWorld
33 / 46
Scans Port
3 ms-wbt-server3 ssh5 80005 http-alt6 ms-sql-s6 radmin-port7 BackupExec8 smtp9 WebProxy9 http
![Page 34: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/34.jpg)
What Did The Probers Want?
Intrusion Detection
Location
IDS Types
Simple Monitoring
A Simple Approach
Some ResultsThe Most ProbedPortsWhat Did TheProbers Want?
Dshield.org Data
Bad Neighborhoods
FindingCompromised Hosts
IDS in the RealWorld
34 / 46
■ WebProxy and SMTP are probably for spamemail and connection-laundering
■ The others look like probes for knownvulnerabilities
■ http could have been a “spider” or it could belooking for known holes
![Page 35: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/35.jpg)
Dshield.org Data
Intrusion Detection
Location
IDS Types
Simple Monitoring
A Simple Approach
Some ResultsThe Most ProbedPortsWhat Did TheProbers Want?
Dshield.org Data
Bad Neighborhoods
FindingCompromised Hosts
IDS in the RealWorld
35 / 46
Name Port
25 495300 SMTP1433 128054 MS-SQL445 127354 microsoft-ds (Conficker?)
34724 108615135 72758 MS name resolution
8906 52924139 52508 NetBIOS
1434 51798 Slammer worm (2003)1211 48532
23 36005 Telnet
Note that some ports are mysterious
![Page 36: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/36.jpg)
Bad Neighborhoods
Intrusion Detection
Location
IDS Types
Simple Monitoring
A Simple Approach
Some ResultsThe Most ProbedPortsWhat Did TheProbers Want?
Dshield.org Data
Bad Neighborhoods
FindingCompromised Hosts
IDS in the RealWorld
36 / 46
■ I see more probes here than elsewhere. Why?■ There are different “neighborhoods” — ranges
of IP addresses — in cyberspace■ University networks are good hunting — few
firewalls, good bandwidth, manypoorly-administered machines
■ Newly-allocated network blocks have fewhosts, and aren’t scanned as much
![Page 37: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/37.jpg)
Finding Compromised Hosts
Intrusion Detection
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
Finding AttackingHosts
Databases
Layer 2 Data
Switch DataLocating an EvilWiFi Laptop
Cleaning Up a Host
IDS in the RealWorld
37 / 46
![Page 38: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/38.jpg)
Finding Attacking Hosts
Intrusion Detection
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
Finding AttackingHosts
Databases
Layer 2 Data
Switch DataLocating an EvilWiFi Laptop
Cleaning Up a Host
IDS in the RealWorld
38 / 46
■ Suppose you’ve identified an attacking host.Now what?
■ Get data: IP address and (when feasible) MACaddress
■ Find it
![Page 39: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/39.jpg)
Databases
Intrusion Detection
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
Finding AttackingHosts
Databases
Layer 2 Data
Switch DataLocating an EvilWiFi Laptop
Cleaning Up a Host
IDS in the RealWorld
39 / 46
■ Must be able to map IP address to location■ Must be able to map IP address to person■ Difficult on this campus — wide-open nets■ Primary reason for host registration in many
places
![Page 40: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/40.jpg)
Layer 2 Data
Intrusion Detection
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
Finding AttackingHosts
Databases
Layer 2 Data
Switch DataLocating an EvilWiFi Laptop
Cleaning Up a Host
IDS in the RealWorld
40 / 46
■ Enterprise-grade switches are “managed”■ They can map an IP address or a MAC address
to a physical port■ Especially useful if the attacker is forging
addresses. . .
![Page 41: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/41.jpg)
Switch Data
Intrusion Detection
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
Finding AttackingHosts
Databases
Layer 2 Data
Switch DataLocating an EvilWiFi Laptop
Cleaning Up a Host
IDS in the RealWorld
41 / 46
Note that a single MAC address has shown up ontwo different switch ports, in different buildings.This is reasonable for a laptop, but not for the CSdepartment’s FTP server!
![Page 42: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/42.jpg)
Locating an Evil WiFi Laptop
Intrusion Detection
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
Finding AttackingHosts
Databases
Layer 2 Data
Switch DataLocating an EvilWiFi Laptop
Cleaning Up a Host
IDS in the RealWorld
42 / 46
■ Ask the switch what access point it’s near■ Ping-flood the machine■ Wander around the room looking at the
lights. . .
![Page 43: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/43.jpg)
Cleaning Up a Host
Intrusion Detection
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
Finding AttackingHosts
Databases
Layer 2 Data
Switch DataLocating an EvilWiFi Laptop
Cleaning Up a Host
IDS in the RealWorld
43 / 46
■ Suppose you find that one of your ownmachines is compromised
■ Will you prosecute? Call the police first, topreserve evidence
■ Will you (or can you) do forensics to learn howthe attacker got in?
■ At the least, figure out the patch level of allcomponents and note the configuration
■ Then — format the disk and reinstall;disinfecting a machine is often impossible
![Page 44: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/44.jpg)
IDS in the Real World
Intrusion Detection
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
Evaluating an IDS
Problems withCommercial IDS
44 / 46
![Page 45: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/45.jpg)
Evaluating an IDS
Intrusion Detection
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
Evaluating an IDS
Problems withCommercial IDS
45 / 46
■ Accuracy — false positive and false negativerate
■ Performance■ Ability to handle new attacks■ Fault tolerance■ Timeliness of alerts
![Page 46: Intrusion Detection - Columbia Universitysmb/classes/s09/l22.pdfMotivation Intrusion Detection Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location](https://reader034.fdocuments.us/reader034/viewer/2022051904/5ff57acc8c552511c817a891/html5/thumbnails/46.jpg)
Problems with Commercial IDS
Intrusion Detection
Location
IDS Types
Simple Monitoring
FindingCompromised Hosts
IDS in the RealWorld
Evaluating an IDS
Problems withCommercial IDS
46 / 46
■ Constant (often costly) updates required■ False negatives — missed attacks generate
false sense of security■ False positives — expensive to handle,
especially if you shut things down■ Bad sensor positioning