Intrusion Detection Systems (ledvina/DHT/tugraz/IDS.pdf)

Transcript of the slide deck (30 pages)

Page 1

Intrusion Detection Systems

Advanced Computer Networks 2007

Reinhard Wallner, [email protected]

Page 2

Outline

- Introduction
- Types of IDS
- How an IDS works
- Attacks on IDS
- Intrusion Prevention Systems
- Limits of IDS
- Operation examples
- Some products

Page 3

What is an IDS …

- System to detect unwanted manipulations of computer systems
- Identification of misuse and abnormal behaviour
- Detects many types of malicious network traffic and computer usage

Page 4

Motivation

- Other security measures are not sufficient (authentication, firewall, ...)
- Attacks are motivated by
  - financial
  - political
  - military or
  - personal reasons
- We want to detect intrusions
- We want to prevent intrusions

Page 5

What does an IDS do?

- Logging and preparing for analysis
- Analysis
- Presentation (e.g. an alarm)
- Reaction (only in Intrusion Prevention Systems, IPS)

Page 6

Types of IDS

- Host based IDS (HIDS)
- Network based IDS (NIDS)
- Hybrid IDS (combination of HIDS and NIDS)

Page 7

Passive vs. Reactive System

- Passive system
  - Detects a potential security breach
  - Logs the information
  - Signals an alert
- A reactive system additionally
  - Resets the connection
  - Reprograms the firewall
  - Automatically or manually

Page 8

Host based IDS (HIDS) 1

- Installed on a host
- Monitors system objects and remembers their attributes, e.g. file-system objects
- Creates a checksum (optional)
- Database to store objects and attributes
- Reports anomalies in the form of logs, e-mails or similar
- Detects unauthorized insider activity or file modification

Page 9

Host based IDS (HIDS) 2

- Pro
  - Detailed information about the attack
- Con
  - The HIDS itself can be attacked (and if the attacked host is down, the HIDS is also down)
  - Local installation on each host
  - Host resources are needed

Page 10

Network based IDS (NIDS) 1

- Monitors network traffic
- Tries to find suspicious patterns
- E.g. port scan detection
- The NIDS collaborates with other systems like firewalls
- Detects attempts from outside the trusted network

Page 11

Network based IDS (NIDS) 2

- Pro
  - Controls a network segment, not only one host
  - A defect of one host is no risk for the NIDS
- Con
  - The bandwidth of the NIDS can be overloaded
  - In switched networks:
    - use of taps
    - port mirroring on the switch

Page 12

Hybrid IDS

- Combination of HIDS and NIDS
- Management console necessary
- Network sensors
- Host sensors

Page 13

Logging

- Differs between IDS types
- On HIDS
  - Detailed information -> specific analysis possible
- On NIDS
  - Distributed sensors
  - Management station
- Privacy problem

Page 14

Analysis 1

- Integrity check / target monitoring
  - Cryptographic signature or checksum to secure the integrity of files
  - On-demand (post mortem or reactive) integrity check
  - Simple to implement
- Signature detection / misuse detection
  - Compares network traffic with known signatures of attacks
  - Pattern matching procedures
  - Reassembly of fragmented packets necessary

Page 15

Analysis 2

- Anomaly detection
  - Detects anomalies in user behaviour
  - E.g. a secretary uses applications like nmap or gcc at 11 p.m.
  - Privacy problem!!!
- Stealth probes
  - Attempt to detect attackers that act over prolonged periods of time
  - Combination of signature detection and anomaly detection
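A small anomaly detector for the secretary-at-11-p.m. case on this slide, written as an added example (not part of the original slides): a per-user profile of programs and active hours is learned from a constructed process-start log, and every new event outside that profile raises an alert. The log format, user names and timestamps are made up for the demonstration.

```python
from collections import defaultdict

# Constructed process-start log, one "timestamp user program" per line.
TRAINING_LOG = """\
2007-05-02T09:12:00 secretary winword
2007-05-02T10:40:00 secretary outlook
2007-05-02T14:05:00 secretary excel
2007-05-03T08:55:00 secretary winword
2007-05-02T09:30:00 admin ssh
2007-05-02T22:10:00 admin nmap
"""
NEW_EVENTS = """\
2007-05-04T10:15:00 secretary winword
2007-05-04T23:02:00 secretary nmap
2007-05-04T23:10:00 secretary gcc
2007-05-04T22:30:00 admin nmap
"""

def parse(log):
    """Yield (user, hour, program) for each log line."""
    for line in log.splitlines():
        ts, user, prog = line.split()
        yield user, int(ts[11:13]), prog

def build_profiles(log):
    """Per-user profile: programs used and hours of activity ('normal' behaviour).
    The profile is personal data, which is the privacy problem the slide flags."""
    profiles = defaultdict(lambda: {"programs": set(), "hours": set()})
    for user, hour, prog in parse(log):
        profiles[user]["programs"].add(prog)
        profiles[user]["hours"].add(hour)
    return profiles

def detect_anomalies(profiles, log):
    """Flag events whose program or hour lies outside the user's learned profile."""
    alerts = []
    for user, hour, prog in parse(log):
        profile = profiles.get(user)  # .get() does not create a default entry
        reasons = []
        if profile is None:
            reasons.append("unknown user")
        else:
            if prog not in profile["programs"]:
                reasons.append("unusual program")
            if hour not in profile["hours"]:
                reasons.append("unusual hour")
        if reasons:
            alerts.append((user, hour, prog, ", ".join(reasons)))
    return alerts
```

The admin's nmap run at 22:30 is not reported because it matches that user's own profile; the same program and hour for the secretary is.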

Page 16

Attacks on IDS

- Integrity check with signature
  - is secure if the cryptographic system is good enough (e.g. RSA) and
  - if the private key isn't stored on the host
- Integrity check with checksum
  - the integrity of the initial database can be tampered with (-> WORM medium)
- Signature detection can be attacked by
  - DDoS
  - Insertion or evasion attacks
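An added example (not from the slides or any product they name) of the integrity check from slides 8, 14 and this one: a baseline of SHA-256 file hashes is built and authenticated with an HMAC so that a tampered initial database is rejected instead of trusted, then later compared against the file system. The key, file names and contents are constructed for the demo; as the slide says, the key must not live on the monitored host, otherwise the authentication is worthless.

```python
import hashlib, hmac, json, os, tempfile

# Constructed demo key. Slide 16's caveat applies: the check is only trustworthy
# if this key (or a signing private key) is kept off the monitored host.
BASELINE_KEY = b"constructed-demo-key-keep-off-host"

def build_baseline(root):
    """Hash every file below root and authenticate the database with an HMAC."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                entries[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(BASELINE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"entries": body, "hmac": tag}

def check_integrity(root, baseline):
    """Return sorted (path, reason) anomalies; refuse a baseline whose HMAC fails."""
    tag = hmac.new(BASELINE_KEY, baseline["entries"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, baseline["hmac"]):
        raise ValueError("baseline database failed authentication (tampered?)")
    old = json.loads(baseline["entries"])
    new = json.loads(build_baseline(root)["entries"])
    findings = []
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            findings.append((rel, "deleted"))
        elif rel not in old:
            findings.append((rel, "added"))
        elif old[rel] != new[rel]:
            findings.append((rel, "modified"))
    return findings

def write(root, name, text):
    """Helper for the constructed scenario: (over)write one file under root."""
    with open(os.path.join(root, name), "w") as fh:
        fh.write(text)

def demo():
    """Constructed scenario: baseline two files, then change one and plant a new one."""
    root = tempfile.mkdtemp()
    write(root, "passwd", "root:x:0:0\n")
    write(root, "sshd_config", "PermitRootLogin no\n")
    baseline = build_baseline(root)
    write(root, "sshd_config", "PermitRootLogin yes\n")  # config edited after baseline
    write(root, "backdoor", "#!/bin/sh\n")               # new file planted after baseline
    return check_integrity(root, baseline)
```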

Page 17

Insertion Attack

- Idea: uses packets that are accepted by the IDS but not by the host
- E.g. the attacker sends the packets H X* A L T
  - The packet marked with * isn't accepted by the host (the host sees HALT)
  - The host will stop, because the IDS doesn't know the signature it sees (HXALT)
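An added example (not from the slides) modelling the H X* A L T stream above together with the stream reassembly that slide 14 calls for: a naive IDS that concatenates every packet sees HXALT and misses the HALT signature, whereas an IDS that drops the packets the host would reject and reassembles by sequence number sees what the host sees. The packet records and the host_accepts flag are constructed stand-ins for the host's real acceptance rules.

```python
# Constructed packet stream for the slide's H X* A L T example. Each packet
# carries one byte of payload, its sequence number, and whether the end host
# would accept it (the '*' packet is one only the IDS accepts).
PACKETS = [
    {"seq": 0, "data": "H", "host_accepts": True},
    {"seq": 1, "data": "X", "host_accepts": False},  # the '*' packet
    {"seq": 1, "data": "A", "host_accepts": True},   # same position, the real byte
    {"seq": 2, "data": "L", "host_accepts": True},
    {"seq": 3, "data": "T", "host_accepts": True},
]
SIGNATURE = "HALT"

def naive_reassemble(packets):
    """What a credulous IDS sees: every packet, concatenated in arrival order."""
    return "".join(p["data"] for p in packets)

def host_model_reassemble(packets):
    """Mimic the host: drop packets it would reject, then order by sequence
    number, keeping the first accepted byte for each position."""
    stream = {}
    for p in packets:
        if p["host_accepts"] and p["seq"] not in stream:
            stream[p["seq"]] = p["data"]
    return "".join(stream[s] for s in sorted(stream))

def detect(packets, reassemble, signature=SIGNATURE):
    """Return (reassembled_stream, signature_found) for the given reassembly policy."""
    stream = reassemble(packets)
    return stream, signature in stream
```

The defensive point is the second reassembler: the sensor has to apply the same acceptance rules as the protected host, or the attacker chooses which of the two sees which bytes.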

Page 18

Intrusion Prevention Systems (IPS)

- Extended IDS
- Automated reactions to alarms from the IDS
  - e.g. updates a firewall blacklist
  - Actively changes or interrupts network traffic
  - Tries to prevent attacks in real time
- Honeypots
- Tarpits

Page 19

Honeypot

- Runs alone on a server
- Simulates services or proxy servers (Sugarcane)
- Logs activity
- Legitimate users don't know about it and therefore never address a honeypot
- Automated attacks cannot distinguish the honeypot from a normal host
- Used for
  - attracting and binding attacks
  - detecting and analyzing new attacks
  - protecting production systems
  - preservation of evidence (court of law)

Page 20

Tarpit

- Tries to slow down the spreading of spammers and worms
- IP-, TCP- or application-level tarpits
- Example: HTTP tarpit
  - Tries to block the spammer's harvester (a crawler that searches web pages for e-mail addresses)
  - Delivers the web page very slowly
  - Inserts a lot of links to itself
  - Therefore the harvester falls into the trap

Page 21

Limits of IDS / IPS

- False positives and false negatives
- Unknown attacks cannot be detected or prevented
- Cryptographic methods can be a problem
- Legal restrictions on identification and logging of attackers
- Needs other tools (firewall, router, ...) to prevent intrusion
- Never 100% protection

Page 22

Operation examples 1

Operation of an NIDS: the IDS and the Firewall supplement each other. [5]

Page 23

Operation examples 2

Operation of an HIDS: observation of specific systems or applications. [5]

Page 24

Operation examples 3

Operation of a hybrid IDS: observation of the internal network. [5]

Page 25

Intrusion Detection Message Exchange Format (IDMEF)

- Standardized communication protocol
- Protocol for communication between the IDS components (sensors, management console, ...)
- Main requirements for the protocol
  - Authentication of the sender
  - Reliable information
  - Resistance to attacks

Page 26

Summary

- IDS are necessary because security incidents become more numerous and other security measures aren't sufficient
- An IDS is an active system -> needs administration
- The IDS itself can be attacked
- Encrypted data can be a problem
- Never 100% protection
- Privacy must be taken into account

Page 27

IDS/IPS Applications

- Snort [http://www.snort.org/] (NIPS)
- Prelude [http://www.prelude-ids.org/] (Hybrid IDS)
- Hogwash [http://hogwash.sourceforge.net/], combination of IDS and firewall
- Honeyd [http://www.honeyd.org/], honeypot
- LaBrea [http://labrea.sourceforge.net/labrea-info.html], honeypot and IDS

Page 28

Literature

- [1] http://en.wikipedia.org/wiki/Intrusion_detection_system
- [2] http://de.wikipedia.org/wiki/Intrusion_Detection_System
- [3] http://en.wikipedia.org/wiki/Honeypot_%28computing%29
- [4] Einbruchserkennung in Netzwerke, http://www.net-tex.de/net/ids.html
- [5] Bundesamt für Sicherheit in der Informationstechnik, Intrusion-Detection Grundlagen, http://www.bsi.de/literat/studien/ids02/dokumente/Grundlagenv10.pdf
- [6] The Internet Engineering Task Force (IETF), Intrusion Detection Message Exchange Format (IDMEF), http://www3.ietf.org/proceedings/01mar/I-D/idwg-idmef-xml-03.txt

Page 29

Questions

- Explain the three kinds of IDS. What are their advantages and disadvantages?
  - Slides 8-12
- Which analysis methods in IDS do you know? How can these methods be attacked?
  - Slides 14-16

Page 30

Thanks for your attention!

Reinhard Wallner

[email protected]