Intrusion Detection Systems
Presented by Ali Fanian
In the Name of Allah

Page 1: title slide (as above).

Page 2: Outline

Intrusion Concept
Intrusion Detection Systems (IDS)
Types of IDS
Attacks to the IDS
Gateway Intrusion Detection System
Host-based Intrusion Detection

Page 3: What is an intrusion?

An intrusion can be defined as “any set of actions that attempt to compromise the:
– Integrity
– confidentiality, or
– availability
of a resource”.

Page 4: Intruders

Insider: abuse by a person with authorized access to the system.

Hacker: attack via communication links (e.g. Internet).

Malicious software (malware, Trojan horse, virus): attack on the system by software running on it.

Page 5: Intrusion Examples

Virus

Buffer overflows
– 2000 Outlook Express vulnerability.

Denial of Service (DoS)
– explicit attempt by attackers to prevent legitimate users of a service from using that service.

Address spoofing
– a malicious user uses a fake IP address to send malicious packets to a target.

Many others

Page 6: Outline (repeated from page 2)

Page 7: Intrusion Detection Systems

Systems that detect attacks on computer systems.

Page 8: Intrusion Detection Systems

An Intrusion Prevention System can protect the network from outside attacks.

[Figure: an IPS placed between the Internet (intruder) and the victim.]

Page 9: IDS Basic Functions

Monitoring
– Collect the information from the network

Analyzing
– Determine what, if anything, is of interest

Reporting
– Generate conclusions and otherwise act on analysis results

Page 10: Intrusion Detection Systems

Firewalls are typically placed on the network perimeter, protecting against external attacks.
Firewalls allow traffic only to legitimate hosts and services.
Traffic to the legitimate hosts/services can still carry attacks.
Solution?
– Intrusion Detection Systems
– Monitor data and behavior
– Report when attacks are identified

Page 11: Intrusion Detection Systems

Traditional IDS response tends to be passive response.
Secondary investigation is required because the IDS is still imperfect.

These days, an IDS can be set up to respond to events automatically – “active response”.

Page 12: Intrusion Detection Systems

Active response – dropping the connection, reconfiguring networking devices (firewalls, routers).

Page 13: Intrusion Detection Systems

The resources available for alarm investigation affect the delay in response, for both active and passive response.

If multiple alarm types are involved, which alarm to investigate is an issue.

Page 14: Intrusion Detection Systems

Passive response
– potential damage cost resulting from alarmed events not investigated immediately
– low false alarm costs since alarmed events are not disrupted

Page 15: Intrusion Detection Systems

Active response
– It could prevent attack damage because the events are terminated immediately
– higher false alarm costs, contingent on the performance of the IDS
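The passive/active trade-off on pages 14 and 15 can be made concrete with a small expected-cost model. This is an added example, not from the slides: the per-alarm cost model, the cost figures, and the names passive_cost, active_cost, breakeven_precision and choose_response are assumptions chosen for illustration.

```python
"""Expected-cost model for choosing between passive and active IDS response.

Constructed model (an assumption for illustration, not from the slides):
  - every alarm is investigated, at cost `investigate` either way;
  - passive response: a real intrusion keeps doing damage until it is
    investigated (`damage_delay`); a false alarm costs nothing further;
  - active response: a real intrusion is terminated at once (no further
    damage); a false alarm disrupts a legitimate session (`false_alarm`).
The deciding quantity is the IDS's precision: the fraction of alarms that
are real intrusions.
"""


def passive_cost(precision: float, damage_delay: float, investigate: float = 0.0) -> float:
    """Expected cost per alarm under passive response."""
    return precision * damage_delay + investigate


def active_cost(precision: float, false_alarm: float, investigate: float = 0.0) -> float:
    """Expected cost per alarm under active response."""
    return (1.0 - precision) * false_alarm + investigate


def breakeven_precision(damage_delay: float, false_alarm: float) -> float:
    """Precision above which active response is the cheaper choice.

    active < passive  <=>  (1 - p) * F < p * D  <=>  p > F / (D + F)
    """
    return false_alarm / (damage_delay + false_alarm)


def choose_response(precision: float, damage_delay: float, false_alarm: float,
                    investigate: float = 0.0) -> str:
    """Pick the response policy with the lower expected cost per alarm."""
    passive = passive_cost(precision, damage_delay, investigate)
    active = active_cost(precision, false_alarm, investigate)
    return "active" if active < passive else "passive"


if __name__ == "__main__":
    # Constructed figures: an intrusion left running until investigated costs
    # 1000 units of damage; a wrongly dropped legitimate session costs 250.
    D, F = 1000.0, 250.0
    print(f"break-even precision: {breakeven_precision(D, F):.2f}")
    for p in (0.05, 0.10, 0.20, 0.50, 0.90):
        print(f"precision {p:.2f}: passive={passive_cost(p, D):7.1f} "
              f"active={active_cost(p, F):7.1f} -> {choose_response(p, D, F)}")
```

The break-even line p = F / (D + F) is the slide's point in one formula: active response pays off only when the IDS's precision is high enough that the disruption caused by false alarms costs less than the damage a delayed investigation lets through, which is why the slide ties the cost of active response to "the performance of the IDS".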

Page 16: Audit Log Architecture

[Figure: the system being monitored writes audit log data; the IDS reads the audit log data together with profiles and produces alerts and reports.]

Page 17: Inline Architecture

[Figure: a sniffer captures data from the system being monitored; the IDS analyzes the sniffer data together with profiles and produces alerts and reports.]

Page 18: Outline (repeated from page 2)

Page 19: Types of IDS

Host-based, Network-based

Signature-based, Anomaly-based

Page 20: Signature-based IDS

Characteristics
– Uses known pattern matching to signify an attack

Page 21: Signature-based IDS

Advantages?
– Widely available
– Fairly fast
– Easy to implement
– Easy to update

Disadvantages?
– Cannot detect attacks for which it has no signature

Page 22: Anomaly-based IDS

Characteristics
– Uses a statistical model or machine learning engine to characterize normal usage behaviors
– Recognizes departures from normal as potential intrusions

Page 23: Anomaly-based IDS

Advantages?
– Can detect attempts to exploit new and unforeseen vulnerabilities
– Can recognize authorized usage that falls outside the normal pattern

Disadvantages?
– Generally slower, more resource intensive compared to signature-based IDS
– Greater complexity, difficult to configure
– Higher percentages of false alerts

Page 24: More Problems with Anomaly Detection

The dynamic update problem is unsolved.
– You can train these systems successfully to handle static environments, but computer networks are dynamic.
– If you try to retrain an existing system to deal with new events, it will usually forget its old training. You have to give it the old training data as well as the new.

Page 25: Possible Approaches to Anomaly Detection

Neural networks
Expert systems
Statistical decision theory

Page 26: Network-based IDS

Characteristics
– A NIDS examines raw packets in the network passively and triggers alerts

Page 27: Network-based IDS

Advantages?
– Easy deployment
– Difficult to evade

Disadvantages?
– A NIDS needs to reconstruct the traffic as seen at the end host
– Needs to have the complete network topology and complete host behavior

Page 28: Host-based IDS

Characteristics
– Runs on a single host
– Can analyze logs, integrity of files and directories, etc.

Page 29: Host-based IDS

Advantages
– More accurate than NIDS
– Less volume of traffic, so less overhead

Disadvantages
– Deployment is expensive
– What happens when the host gets compromised?

Page 30: Honey Pots and Burglar Alarms

Burglar alarms are resources on the network that generate an alarm if accessed incorrectly.
Honey pots are burglar alarms dressed up to look attractive.

They have to look real to the attackers.

Page 31: Intrusion Detection Using Honey Pot

A honey pot is a “decoy” system that appears to have several vulnerabilities for easy access to its resources.

It provides a mechanism so that intrusions can be trapped before an attack is made on real assets.
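The burglar-alarm idea from page 30 (a resource nothing legitimate should touch, so any access is an alarm) and the honey-pot logging from page 31 can be demonstrated with a small log scanner. This is an added example, not the slides' or any product's code: the decoy names in DECOYS, the log line format, the sample log lines and the functions scan and incidents are all constructed for illustration.

```python
"""Burglar-alarm (decoy resource) scanner: flags any log line that references
a planted decoy, and groups the hits by source so an investigator sees one
incident per host rather than one alert per line.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed decoys. None of these serves a real purpose; they exist only to
# be touched by someone who is enumerating the network.
DECOYS: Dict[str, str] = {
    "/backup/customers-2019.sql": "decoy file linked from the web server",
    "svc_legacy_backup": "decoy account that no process should log in as",
    "AKIADECOYKEY00000001": "decoy API key id planted in a config file",
}

# Constructed log format: "<ISO timestamp> <source address> <event text>".
_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+)\s+(?P<src>\S+)\s+(?P<event>.+)$")


def scan(lines: Iterable[str]) -> List[dict]:
    """Return one alarm record per (log line, decoy) pair found."""
    alarms = []
    for line in lines:
        m = _LINE.match(line.rstrip())
        if not m:
            continue  # unparsable line: skipped, not silently treated as a hit
        for token, description in DECOYS.items():
            if token in m["event"]:
                alarms.append({"ts": m["ts"], "src": m["src"],
                               "decoy": token, "why": description})
    return alarms


def incidents(alarms: List[dict]) -> Dict[str, List[str]]:
    """Group the decoys each source has tripped, in first-seen order."""
    by_src: Dict[str, List[str]] = defaultdict(list)
    for alarm in alarms:
        if alarm["decoy"] not in by_src[alarm["src"]]:
            by_src[alarm["src"]].append(alarm["decoy"])
    return dict(by_src)


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.1.20 GET /index.html 200",
    "2024-05-01T10:00:05Z 10.0.1.20 GET /images/logo.png 200",
    "2024-05-01T10:02:11Z 10.0.9.77 GET /backup/customers-2019.sql 200",
    "2024-05-01T10:02:40Z 10.0.9.77 sshd: Failed password for svc_legacy_backup",
    "2024-05-01T10:03:02Z 10.0.1.21 sshd: Accepted publickey for alice",
    "garbage line without structure",
]

if __name__ == "__main__":
    for src, tripped in incidents(scan(SAMPLE_LOG)).items():
        print(f"ALARM source={src} decoys touched={tripped}")
```

Because the decoys are never used legitimately, the scanner needs no model of normal behaviour and produces no false alarms by construction; the only tuning question is how to make the decoys look real enough to be touched, which is exactly the point of page 30's last line.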

Page 32: Intrusion Detection Using Honey Pot (cont.)

Multi-level Log Mechanism (MLLM)

MLLM logs the attacker’s activities into
– Remote Log Server
– Sniffer Server

Page 33: Intrusion Detection Using Honey Pot (cont.)

[Figure: An Architecture for Intrusion Detection using Honey Pot]

Page 34: IDS Placement

[Figure: network with Internet, Router, Outer Firewall, a DMZ switch (Web Server, Mail Server, DNS Server), Inner Firewall, an internal switch (Intra1), and three IDS sensors.]

Page 35: Outline (repeated from page 2)

Page 36: Attacks to the IDS

Overload until the IDS fails to keep up with the data
– Overload the packet filter (easy)
– Overload the event engine (difficult, because events are lightweight and the attacker doesn’t know the policy script)
– Overload the logging/recording mechanism

Page 37: Attacks to the IDS

A subterfuge attack attempts to mislead the IDS as to the meaning of the analyzed traffic.

Page 38: IDS Software

Snort: free, libpcap-based, rules-driven IDS package. Many add-on components available.
…

Page 39: Outline (repeated from page 2)

Page 40: What Is a Gateway IDS?

Gateway Intrusion Detection System
– A network intrusion detection system which acts as a network gateway
– Designed to stop malicious traffic and generate alerts on suspicious traffic
– An “ideal” gateway IDS is able to stop all known exploits

Page 41: GIDS vs NIDS

GIDS
– Acts as network gateway
– Stops suspect packets
– Prevents successful intrusions
– False positives are VERY bad

NIDS
– Only observes network traffic
– Logs suspect packets and generates alerts
– Cannot stop an intruder
– False positives are not as big of an issue

Page 42: About Inline Snort

Based on the Snort intrusion detection system
Operation is similar to some bridging firewalls
Uses Snort rules with some additional keywords to make forward/drop decisions
Compatible with most Snort plugins
Freely available under the GPL

Page 43: Inline Snort

drop: drops a packet, sends an RST, logs the packet
ignore: drops a packet without sending an RST
sdrop: drops a packet, sends an RST, does not log the packet

Page 44: Content Replacement

It can replace content in a packet
– The “replace” keyword tells hogwash to replace a detected string with another string.
– Example:
  alert tcp any any -> $IIS_SERVERS 80 (content:"cmd.exe"; replace:"yyy.yyy";)
– Any content in the packet payload can be replaced.
– A great way to break an exploit without dropping the packet!!

Page 45: Sample Snort Rules

To drop incoming port 80 connections:
drop tcp any any -> $HOMENET 80 (msg:"Port 80 tcp";)

To drop cmd.exe calls to your webservers:
drop tcp any any -> $HOMENET 80 (msg:"cmd.exe attempt"; content:"cmd.exe";)
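To show how signature matching (pages 20 and 21), the inline actions of page 43, the replace keyword of page 44 and these sample rules fit together, here is a miniature rule engine in Python. It is an added example, not Snort's or Hogwash's code: the variable values in VARS, the sample packets, the first-match policy, the treatment of "ignore" as unlogged, and the names parse_rule, inspect, Packet, Rule and Verdict are assumptions for this example.

```python
"""Miniature inline-Snort style rule engine. Parses rules in the slides'
syntax, matches them against packets, and applies the forward / reset / log
semantics the slides give for alert, drop, ignore and sdrop, plus replace."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

# Rule variables as a Snort configuration would define them (constructed values).
VARS = {"$HOMENET": "10.0.0.0/8", "$IIS_SERVERS": "10.0.0.0/8"}

# action -> (forward?, send TCP reset?, log?) following the slide's definitions;
# "alert" forwards and logs as in plain Snort. The slide does not say whether
# "ignore" logs the packet; this example assumes it does not.
ACTIONS = {
    "alert":  (True, False, True),
    "drop":   (False, True, True),
    "ignore": (False, False, False),
    "sdrop":  (False, True, False),
}

Packet = namedtuple("Packet", "proto src sport dst dport payload")
# Verdict.action is "pass" when no rule matched; payload is as forwarded.
Verdict = namedtuple("Verdict", "action forward send_rst log msg payload")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    content: Optional[bytes] = None
    replace: Optional[bytes] = None


_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text: str) -> Rule:
    text = text.replace("“", '"').replace("”", '"')  # curly quotes from the slides
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    rule = Rule(action, proto, src, sport, dst, dport)
    # Options are "key:value;" pairs (a content containing ';' is not handled).
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.content = val.encode()
        elif key == "replace":
            rule.replace = val.encode()
    if rule.replace is not None and (rule.content is None or len(rule.replace) != len(rule.content)):
        # Snort requires replace and content to have the same length, so the
        # packet size and TCP sequence numbers stay consistent after rewriting.
        raise ValueError("replace needs a content of the same length")
    return rule


def _addr_match(spec: str, addr: str) -> bool:
    spec = VARS.get(spec, spec)
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def _port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and _addr_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport)
            and (rule.content is None or rule.content in pkt.payload))


def inspect(pkt: Packet, rules: List[Rule]) -> Verdict:
    """First matching rule decides (a simplification of Snort's real ordering)."""
    for rule in rules:
        if _matches(rule, pkt):
            forward, rst, log = ACTIONS[rule.action]
            payload = pkt.payload
            if forward and rule.replace is not None:
                payload = payload.replace(rule.content, rule.replace)
            return Verdict(rule.action, forward, rst, log, rule.msg, payload)
    return Verdict("pass", True, False, False, "", pkt.payload)


# The slides' rules; the specific cmd.exe rule is listed first so it wins.
RULES_DROP = [parse_rule(r) for r in (
    'drop tcp any any -> $HOMENET 80 (msg:"cmd.exe attempt"; content:"cmd.exe";)',
    'drop tcp any any -> $HOMENET 80 (msg:"Port 80 tcp";)',
)]
RULES_REPLACE = [parse_rule(
    'alert tcp any any -> $IIS_SERVERS 80 (content:"cmd.exe"; replace:"yyy.yyy";)')]

# Constructed packets (not captured traffic).
PKT_CMD = Packet("tcp", "198.51.100.7", 40001, "10.0.0.5", 80, b"GET /cmd.exe HTTP/1.0\r\n")
PKT_WEB = Packet("tcp", "198.51.100.7", 40002, "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n")
PKT_TLS = Packet("tcp", "198.51.100.7", 40003, "10.0.0.5", 443, b"\x16\x03\x01")

if __name__ == "__main__":
    for pkt in (PKT_CMD, PKT_WEB, PKT_TLS):
        print(pkt.dport, inspect(pkt, RULES_DROP)[:5])
    print(inspect(PKT_CMD, RULES_REPLACE).payload)
```

Run stand-alone, the engine drops both port-80 packets under RULES_DROP (the second only because the broad "Port 80 tcp" rule drops all web traffic, which is what that sample rule does), passes the port-443 packet untouched, and under RULES_REPLACE forwards the cmd.exe request with the matched bytes overwritten by yyy.yyy, the page 44 behaviour of neutralising a payload without dropping the packet. The length check in parse_rule is why the slide's replacement string has exactly as many characters as the content it replaces.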

Page 46: Outline (repeated from page 2)

Page 47: Host-based Intrusion Detection

Anomaly detection:

The IDS monitors the system call trace from the app.

The DB contains a list of subtraces that are allowed to appear.

Any observed subtrace not in the DB sets off alarms.

[Figure: App, IDS with the DB of allowed traces, Operating System.]
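The subtrace scheme on this slide, implemented as an added example in Python (not the slides' or any product's code). Allowed subtraces are sliding windows of length K over system call traces recorded during normal runs; a monitored trace alarms as soon as one of its windows is absent from that set. The window length K, the function names build_db, mismatches and is_alarm, and every trace below are constructed for illustration, not recorded from a real program.

```python
"""System-call subtrace anomaly detector: learn the set of allowed length-K
subtraces from normal runs, then alarm on any observed subtrace outside it."""
from typing import Iterable, Iterator, List, Set, Tuple

Subtrace = Tuple[str, ...]

# Length of each subtrace (the sliding window over the system call sequence).
K = 3


def subtraces(trace: List[str], k: int = K) -> Iterator[Subtrace]:
    """Yield every length-k window of the trace, in order."""
    for i in range(len(trace) - k + 1):
        yield tuple(trace[i:i + k])


def build_db(normal_traces: Iterable[List[str]], k: int = K) -> Set[Subtrace]:
    """The DB: the set of all subtraces seen during normal operation."""
    db: Set[Subtrace] = set()
    for trace in normal_traces:
        db.update(subtraces(trace, k))
    return db


def mismatches(trace: List[str], db: Set[Subtrace], k: int = K) -> List[Tuple[int, Subtrace]]:
    """Position and contents of every observed subtrace that is not in the DB."""
    return [(i, w) for i, w in enumerate(subtraces(trace, k)) if w not in db]


def is_alarm(trace: List[str], db: Set[Subtrace], k: int = K) -> bool:
    """The slide's rule: any subtrace outside the DB sets off the alarm."""
    return bool(mismatches(trace, db, k))


# Constructed normal traces of a small network service (accept, serve, close).
NORMAL_TRACES = [
    ["socket", "bind", "listen", "accept", "read", "write", "close",
     "accept", "read", "write", "close"],
    ["accept", "read", "open", "read", "write", "close", "close", "accept"],
]
DB = build_db(NORMAL_TRACES)

# Constructed test traces: one ordinary request, and one where the service
# spawns a new program after a request, something that never happened in training.
TRACE_OK = ["accept", "read", "write", "close", "accept", "read", "write", "close"]
TRACE_ODD = ["accept", "read", "write", "close", "fork", "execve"]

if __name__ == "__main__":
    print(f"DB holds {len(DB)} allowed subtraces of length {K}")
    for name, trace in (("ok", TRACE_OK), ("odd", TRACE_ODD)):
        print(f"{name}: alarm={is_alarm(trace, DB)} mismatches={mismatches(trace, DB)}")
```

Two properties of this design are worth noting against the deck's earlier slides. Because the DB is a plain set, extending it with traces of a new normal behaviour is a union that keeps every old subtrace, so the forgetting problem page 24 describes for retrained learning systems does not arise here. The cost is on the false-alarm side of page 23: anything absent from the training traces, including rare but legitimate behaviour, trips the alarm, so the coverage of the normal runs used to build the DB decides the false-alarm rate.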

Page 48: HIDS’ Advantages over NIDS

HIDS can monitor user-specific activity of the system
– Check process listing, local log files, system calls.
– It is difficult for NIDS to associate packets with specific users (except when a content switch-based NIDS is used!) and to determine if the commands in the packets violate a specific user’s access privilege.