Stephen S. Yau, CSE 465-591, Fall 2006: Intrusion Detection

Posted 19-Dec-2015 (Documents)


Intruders
– Gain hostile or unwanted access to the system
– Either local or via the network
– Varying levels of competence
– May seem benign
– May use a compromised system to launch other attacks
– Aim to increase their own privileges on the system

Types of Intruders
– Masquerader: usually an outsider, not authorized to use the system, who penetrates it through a legitimate user's account
– Misfeasor: usually an insider, a legitimate user who accesses assets they are not authorized for, or who is authorized but misuses the privileges
– Clandestine user: an insider or outsider who seizes supervisory (root or administrator) control of the system and can use it to evade access controls and auditing, or to suppress audit collection altogether

Intrusion Techniques
– Basic attack methodology: take possession of the target machine and gather unauthorized information
  • Obtain initial access
  • Escalate privileges
  • Remove traces of the intrusion
– A main goal is to acquire passwords: a valid password gives the intruder access that looks like legitimate use and is much harder to distinguish from normal activity

Why Need Intrusion Detection?
– Security failures are inevitable
– Need to detect intrusions
  • An intrusion that is detected quickly can be blocked before damage is done
  • Detection acts as a deterrent
  • The information collected is used to improve security (prevention)
– The data within an organization is often more important than the network itself
  • Commerce, government, business, and academia

Intrusion Detection System
– Types of IDS
  • Host-based IDS (HIDS)
  • Network-based IDS (NIDS)
(Textbook 1: ch. 22; Textbook 2: ch. 25)

Host-based IDS
– Use OS auditing mechanisms
  • e.g., log all direct or indirect events generated by a user
– Monitor user activities
  • e.g., analyze shell commands
– Monitor executions of system programs
  • e.g., analyze the system calls made by sendmail
– Involves monitoring of
  • communications in and out of a machine
  • integrity of system files
  • processes running


Examples of Host-based IDS
– Black Ice (http://www.networkice.com): Windows operating system
– Zone Alarm (http://www.zonealarm.com): Windows operating system
– Internet Security Systems (ISS) RealSecure (http://www.iss.net): Windows and Unix operating systems
– Linux Intrusion Detection System (LIDS) (http://www.lids.org): Linux operating system

Strengths and Drawbacks of Host-based IDS
Strengths:
– Easy attack identification: the sensor sees what actually happened on the host (which user, which process, which file)
– Can monitor key components (system files, privileged programs, user sessions)
– Near real-time detection and response
– No additional hardware needed
Drawbacks:
– Deciding what type of information needs to be logged is a matter of experience
– Unselective logging greatly increases the audit and analysis burden
– Selective logging risks missing the manifestations of an attack
– The sensor and its logs live on the monitored host, so an intruder who gains root can disable or tamper with them; logs should be shipped off the host promptly

Network-based IDS
– Deploy special sensors at strategic locations
  • e.g., packet sniffing via tcpdump at routers
– Inspect network traffic
  • watch for protocol violations and unusual connection patterns
– Monitor user activities
  • look into the data portions of packets for malicious command sequences
– Monitor packets for some sort of signature as they pass a sensor

Common Network Signs of Intrusion
– String: look for a text string that indicates a possible attack
– Port: watch for connection attempts to well-known, frequently attacked ports
– Header: look for suspiciously dangerous or illogical combinations of packets and headers
  • Example: WinNuke, where a packet destined for the NetBIOS session port (TCP 139) has the Urgent pointer set (Out Of Band data), resulting in a "blue screen of death" on unpatched Windows 95 and NT systems of the time
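The three kinds of sign above map onto three checks a sensor runs on every packet. The following is an added example, not code from the slides or from any IDS product: it parses a raw IPv4+TCP frame with the standard struct module and applies a string check on the payload, a port check on the destination, and the WinNuke header check (URG flag towards port 139). The watched-port list, the two string signatures and the three sample frames built in demo() are constructed assumptions for the demonstration.

```python
import struct

# Added example: the three network "signs of intrusion" as packet checks.
# Signature tables below are assumptions for the demo, not a real rule set.
WATCHED_PORTS = {23: "telnet", 139: "netbios-ssn", 445: "microsoft-ds"}
STRING_SIGNATURES = {b"/bin/sh": "shell invocation in payload",
                     b"PASS ": "cleartext password command"}
TCP_URG = 0x20          # URG bit in the TCP flags field

def parse_ipv4_tcp(frame):
    """Parse an IPv4 header followed by a TCP header and return the fields
    the checks need. Raises ValueError on anything that is not IPv4/TCP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    proto = frame[9]
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    if proto != 6 or len(frame) < ihl + 20:
        raise ValueError("not TCP")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", frame[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    payload = frame[ihl + data_off:total_len]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "urg_ptr": urg_ptr, "payload": payload}

def inspect(frame):
    """Apply the string, port and header checks; return the alerts raised."""
    pkt = parse_ipv4_tcp(frame)
    alerts = []
    for needle, desc in STRING_SIGNATURES.items():        # string sign
        if needle in pkt["payload"]:
            alerts.append(("string", desc))
    if pkt["dport"] in WATCHED_PORTS:                     # port sign
        alerts.append(("port", "connection to %s/%d"
                       % (WATCHED_PORTS[pkt["dport"]], pkt["dport"])))
    if pkt["dport"] == 139 and pkt["flags"] & TCP_URG:    # header sign
        alerts.append(("header", "OOB/URG data to NetBIOS port 139 (WinNuke pattern)"))
    return alerts

def build_packet(src, dst, sport, dport, flags, payload, urg_ptr=0):
    """Construct a minimal IPv4+TCP frame for testing (checksums left zero;
    this is sensor input, nothing is sent on the wire)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags,
                      8192, 0, urg_ptr) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + tcp

def demo():
    """Constructed traffic: a benign HTTP request, a telnet login carrying a
    cleartext password, and a WinNuke-style URG segment to port 139."""
    samples = [
        build_packet("10.0.0.5", "10.0.0.80", 40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"),
        build_packet("10.0.0.5", "10.0.0.23", 40001, 23, 0x18, b"PASS hunter2\r\n"),
        build_packet("203.0.113.9", "10.0.0.7", 40002, 139, 0x18 | TCP_URG, b"\x00" * 8, urg_ptr=8),
    ]
    return [inspect(f) for f in samples]
```

The string check is the one most easily evaded: it only sees one packet's payload, so a command split across two segments, or sent over an encrypted channel, never matches. That is why real sensors reassemble TCP streams before matching, and why the drawbacks listed two slides later include both reassembly errors and encrypted data.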


Some Examples of Network-based IDS
– Internet Security Systems (ISS) RealSecure (http://www.iss.net): Windows and Unix operating systems
– Snort (http://www.snort.org): open source; Windows and Unix operating systems
– Cisco NetRanger (http://www.cisco.com): Unix-based appliance intrusion detection system

Strengths and Drawbacks of Network-based IDS
Strengths:
– Reduced cost of ownership: a few sensors cover many hosts
– Packet analysis is feasible
– Real-time detection and response
– Malicious intent (scans, probes) can be detected before the real intrusion happens
– Operating system independence
Drawbacks:
– Packets can be lost on flooded networks; incorrectly reassembled packets or streams can trigger false alarms
– Cannot inspect encrypted data
– Depends on the network architecture: on a switched network the sensor only sees traffic if it sits on a mirror/span port or a tap
– High false-positive rate
– Configuration needs expertise
– Privacy may be compromised, since the sensor sees every payload on the segment

[Figure: hybrid of network-based and host-based IDS. NIDS sensors at the Internet boundary and on the internal network; HIDS agents on the individual hosts.]

Intrusion Detection Techniques
– Profile-based (anomaly detection)
– Signature-based (misuse detection)
  • Rule-based
  • State transition analysis
  • Pattern matching

ID Techniques – Profile-based
– Profile: identification of subjects and their normal behavior
– Subject: a user account, a service, a group, a network domain, etc.
– Approaches:
  • Intrusion Detection Expert System (IDES)
  • Wisdom and Sense (W&S)
  • Specification-based
– Advantages: easy to implement; capable of detecting new, previously unseen intrusion scenarios
– Disadvantage: high false alarm rate, because any legitimate change in a subject's behavior also deviates from its profile
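The host-based slide mentioned analyzing the system calls made by sendmail; a profile-based detector built on that idea keeps, as the "normal behavior" of the program, the set of short sequences of consecutive system calls seen during normal runs, and flags a run whose sequences were never seen. The following is an added example, not code from the slides and not any published system: the three "normal" traces, the test traces, the window length of 3 and the 20% alarm threshold are all constructed assumptions for the demonstration.

```python
# Added example: profile-based (anomaly) detection over system-call traces.
# The profile is the set of length-n windows seen in normal runs; a trace is
# scored by the fraction of its windows that are absent from the profile.
# All traces below are constructed for the demo, not real sendmail traces.

def build_profile(normal_traces, n=3):
    """Profile of one subject (here: one program) = every window of n
    consecutive system calls observed during normal operation."""
    profile = set()
    for trace in normal_traces:
        for i in range(len(trace) - n + 1):
            profile.add(tuple(trace[i:i + n]))
    return profile

def score_trace(trace, profile, n=3):
    """Fraction of the trace's windows that the profile has never seen,
    plus those windows themselves so an analyst can see what was novel."""
    windows = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    if not windows:
        return 0.0, []
    unseen = [w for w in windows if w not in profile]
    return len(unseen) / len(windows), unseen

def classify(trace, profile, n=3, threshold=0.2):
    """Flag a trace when more than `threshold` of its windows are novel. The
    threshold is the false-alarm knob of the slide's disadvantage: lower it
    and benign but unusual runs get reported, raise it and small deviations
    are missed."""
    frac, unseen = score_trace(trace, profile, n)
    return ("anomalous" if frac > threshold else "normal", round(frac, 3), unseen)

NORMAL_TRACES = [   # constructed: open a config file, read it, talk to a peer, exit
    ["open", "read", "read", "close", "socket", "connect", "write", "read", "close", "exit"],
    ["open", "read", "close", "socket", "connect", "write", "write", "read", "close", "exit"],
    ["open", "read", "read", "read", "close", "socket", "connect", "write", "read", "close", "exit"],
]

def demo():
    profile = build_profile(NORMAL_TRACES)
    samples = {
        # benign variation: one extra read, every window already in the profile
        "long_read": ["open", "read", "read", "read", "read", "close", "socket",
                      "connect", "write", "read", "close", "exit"],
        # benign but slightly novel: three consecutive writes never seen before
        "burst_write": ["open", "read", "close", "socket", "connect", "write",
                        "write", "write", "read", "close", "exit"],
        # constructed attack: after an overflow the program changes uid and runs a shell
        "shell_spawn": ["open", "read", "read", "close", "setuid", "execve",
                        "open", "write", "close", "exit"],
    }
    return {name: classify(t, profile) for name, t in samples.items()}
```

Note how the burst of writes, which no normal run produced, scores 11% novel and stays below the threshold, while the shell spawn scores 75%: the detector never needed a signature for the shell, which is the strength of the profile approach, and the price is that the threshold has to be tuned per subject against normal variation.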


ID Techniques – Signature-based
– Find specific event sequences (signatures) by scanning system activities
– Event: a generic system activity, such as deleting a file or sending an e-mail
– Types:
  • Rule-based
  • State transition analysis
  • Pattern matching
– Can detect known intrusion patterns efficiently, but not unknown intrusion patterns or variants of known signatures

Rule-based Intrusion Detection
– Based on an expert system
– The most basic form of signature-based IDS
– "If condition, then action"
  • Condition specifies constraints on audit records
  • Action specifies what is to be done when the condition is satisfied

Rule-based Intrusion Detection (cont.)
– Observe events happening on the system
– Apply rules to decide whether the activity is suspicious
– Rule-based anomaly detection:
  • Generating rules involves analysis of audit data and identification of usage patterns
  • Observe current data and match it against the rules to see whether it conforms to abnormal behavior
– Example: if a server finds that 40% of the packets it receives are Internet Control Message Protocol (ICMP) echo requests from diverse sources, this may be regarded as a DoS attack
  Rule: percentage of received packets that are ICMP echo requests >= 40% => DoS attack
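The slide's rule is a condition over a window of audit records plus an action. The following is an added example, not code from the slides or from any product, of a small "if condition, then action" engine over constructed packet records: it carries the slide's 40% ICMP echo rule, makes "diverse sources" concrete as an assumed minimum of 5 distinct source addresses, and adds an assumed second rule (one source probing many TCP ports) to show that rules share the same record format and engine. The window size and all record values are constructed for the demonstration.

```python
from collections import namedtuple

# Added example: a rule-based detector. Each rule is a function over one
# window of audit records that returns an alert string (the action) or None.
# Records are constructed; field names are assumptions for the demo.
Record = namedtuple("Record", "ts src dport proto icmp_type")

def rule_icmp_echo_flood(window, ratio=0.40, min_sources=5):
    """Slide rule: >= 40% of the packets in the window are ICMP echo
    requests (type 8) and they come from diverse sources."""
    echo = [r for r in window if r.proto == "icmp" and r.icmp_type == 8]
    share = len(echo) / len(window)
    sources = {r.src for r in echo}
    if share >= ratio and len(sources) >= min_sources:
        return "DoS: %d%% of packets are ICMP echo requests from %d sources" % (
            round(share * 100), len(sources))
    return None

def rule_port_sweep(window, min_ports=8):
    """Assumed second rule: one source contacting many TCP ports."""
    by_src = {}
    for r in window:
        if r.proto == "tcp":
            by_src.setdefault(r.src, set()).add(r.dport)
    for src, ports in sorted(by_src.items()):
        if len(ports) >= min_ports:
            return "Port sweep: %s probed %d ports" % (src, len(ports))
    return None

RULES = [rule_icmp_echo_flood, rule_port_sweep]

def evaluate(records, window_seconds=10):
    """Cut the audit trail into fixed time windows and apply every rule to
    each window; returns (window start, alert) pairs."""
    alerts = []
    if not records:
        return alerts
    records = sorted(records, key=lambda r: r.ts)
    start = records[0].ts
    while start <= records[-1].ts:
        window = [r for r in records if start <= r.ts < start + window_seconds]
        if window:
            for rule in RULES:
                alert = rule(window)
                if alert is not None:
                    alerts.append((start, alert))
        start += window_seconds
    return alerts

def demo():
    """Constructed trail: normal web traffic with a few pings (no alert), a
    ping flood from 12 hosts that outnumbers the web traffic, and a port
    sweep by a single host."""
    records = []
    for i in range(20):                       # window 0-9: web traffic
        records.append(Record(i * 0.4, "10.0.0.%d" % (2 + i % 3), 80, "tcp", None))
    for i in range(3):                        # ... plus three pings from one host
        records.append(Record(1 + i, "10.0.0.9", None, "icmp", 8))
    for i in range(12):                       # window 10-19: echo flood
        records.append(Record(10 + i * 0.5, "198.51.100.%d" % (10 + i), None, "icmp", 8))
    for i in range(6):
        records.append(Record(10 + i, "10.0.0.2", 80, "tcp", None))
    for i in range(12):                       # window 20-29: ports 20..31 from one host
        records.append(Record(20 + i * 0.2, "203.0.113.7", 20 + i, "tcp", None))
    return evaluate(records)
```

The three pings in the first window are 13% of the traffic and stay silent; the flood in the second is 67% from 12 sources and fires. The "diverse sources" clause matters: without it, one host running a large ping test would satisfy the percentage alone, which is the kind of false alarm the strengths-and-drawbacks slide warns about.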


Strengths and Drawbacks of Rule-based Intrusion Detection
Strengths:
– The inference engine is simple
– The system is powerful for detecting the intrusions specified in its rules
– Easy to implement
Limitations:
– Direct dependence on audit records
– Rules are created from audit records of known penetrations; slight variations in an attack can leave the penetration undetected
– If someone changes the audit trail, the penetration may not be detected
– Difficult to apply to distributed processing, since the rules assume one consistent audit stream and correlating records from several machines is hard

State Transition Analysis
– A state is a snapshot of the system, i.e. all its volatile and permanent memory locations
  • In practice a state represents some attribute of the system, not the whole system state
  • States are generic, e.g. "user is root now"
– A transition is an action that changes the state
– A penetration is viewed as a sequence of actions performed by an attacker that leads from an initial state to a compromised (insecure) state
  • The penetration sequence is represented by a finite state machine: a node is a state, an arc is an action (or transition)
– Signature actions are the identified actions that trigger a transition from one state to another

State Transition Analysis (cont.)
– Information retrieved from the audit data is represented graphically in a state transition diagram
– As the actions of an intrusion are completed one by one, the target machine moves from one state to the next each time a signature action is performed. When the machine changes from a normal state to a compromised state, an intrusion is detected and reported
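The two slides above describe a diagram whose arcs are signature actions and whose instances advance as audit events arrive. The following is an added example, not code from the slides and not the STAT tool itself: a four-transition diagram loosely modelled on the mail-spool setuid-shell scenario that is commonly used to illustrate state transition analysis (copy a shell into the spool, set its setuid bit, get a privileged program to chown it to root, execute it), run over constructed audit events. The event field names, the path names and both audit trails in demo() are assumptions for the demonstration.

```python
# Added example: state transition analysis for one constructed signature.
# States are generic attributes of the system, as on the slide; the
# variable bindings carried with each instance say which user and file the
# partial match is about.
INITIAL, COPIED, SETUID, ROOT_OWNED, COMPROMISED = range(5)

# Signature actions. Each returns the (possibly extended) bindings when the
# audit event performs the transition, else None.
def t_copy_shell(ev, b):
    """initial -> copied: a user copies a shell to some other file."""
    if ev.get("action") == "copy" and ev.get("src") == "/bin/sh":
        return {"user": ev["user"], "file": ev["dst"]}
    return None

def t_set_setuid(ev, b):
    """copied -> setuid: the same user sets the setuid bit on that file."""
    if (ev.get("action") == "chmod" and ev.get("path") == b["file"]
            and ev.get("user") == b["user"] and ev.get("mode", 0) & 0o4000):
        return b
    return None

def t_chown_root(ev, b):
    """setuid -> root_owned: a privileged program hands the file to root."""
    if (ev.get("action") == "chown" and ev.get("path") == b["file"]
            and ev.get("new_owner") == "root"):
        return b
    return None

def t_exec(ev, b):
    """root_owned -> compromised: the attacker runs the root-owned setuid shell."""
    if (ev.get("action") == "exec" and ev.get("path") == b["file"]
            and ev.get("user") == b["user"]):
        return b
    return None

TRANSITIONS = [(INITIAL, COPIED, t_copy_shell),
               (COPIED, SETUID, t_set_setuid),
               (SETUID, ROOT_OWNED, t_chown_root),
               (ROOT_OWNED, COMPROMISED, t_exec)]

def run_signature(events):
    """Feed audit events through the diagram. Each partial match is a
    (state, bindings) instance; the INITIAL instance is kept permanently so
    a fresh attempt can start at any time. Returns (event index, user, file)
    for every arrival in the compromised state."""
    instances = [(INITIAL, {})]
    alerts = []
    for idx, ev in enumerate(events):
        nxt = []
        for state, b in instances:
            # a partial match dies if the attacker removes the file again
            if state != INITIAL and ev.get("action") == "remove" and ev.get("path") == b["file"]:
                continue
            moved = False
            for src, dst, action in TRANSITIONS:
                if src != state:
                    continue
                nb = action(ev, b)
                if nb is None:
                    continue
                moved = True
                if dst == COMPROMISED:
                    alerts.append((idx, nb["user"], nb["file"]))
                else:
                    nxt.append((dst, nb))
            if state == INITIAL or not moved:
                nxt.append((state, b))    # unrelated events leave the instance where it is
        instances = nxt
    return alerts

def demo():
    """Constructed audit trails: the full penetration with unrelated events
    interleaved, and a benign look-alike where the file never becomes root-owned."""
    attack = [
        {"user": "mallory", "action": "copy", "src": "/bin/sh", "dst": "/var/spool/mail/root"},
        {"user": "mallory", "action": "read", "path": "/etc/motd"},
        {"user": "mallory", "action": "chmod", "path": "/var/spool/mail/root", "mode": 0o4755},
        {"user": "mallory", "action": "exec", "path": "/bin/mail"},
        {"user": "root", "action": "chown", "path": "/var/spool/mail/root", "new_owner": "root"},
        {"user": "mallory", "action": "exec", "path": "/var/spool/mail/root"},
    ]
    benign = [
        {"user": "mallory", "action": "copy", "src": "/bin/sh", "dst": "/home/mallory/sh"},
        {"user": "mallory", "action": "chmod", "path": "/home/mallory/sh", "mode": 0o4755},
        {"user": "mallory", "action": "exec", "path": "/home/mallory/sh"},
    ]
    return {"attack": run_signature(attack), "benign": run_signature(benign)}
```

The benign trail performs three of the four signature actions and is never reported, because the diagram only alarms on reaching the compromised state; unrelated events between the steps do not disturb the match. The limitation the next slide lists shows up as soon as the steps can happen in a different order or on several machines at once: a single linear chain of states cannot express that.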


Strengths and Drawbacks of State Transition Analysis
Strengths:
– Identifies the signature actions of a penetration and represents them visually
– The state transition diagram identifies precisely the requirements (preconditions) of a penetration
– Lists the actions that must occur for a penetration to be completed
– Provides efficient reasoning support
Drawbacks:
– Cannot represent complex intrusion scenarios, e.g. partially ordered or concurrent actions and timing constraints between them

Pattern Matching Approach
– Each intrusion signature is represented as a Petri net
  • A Petri net is a graphical and mathematical modeling tool. It consists of places, transitions, and arcs that connect them. Input arcs connect places with transitions, while output arcs start at a transition and end at a place.
  • Has strong expressive power
(Reference: James L. Peterson, "Petri Net Theory and the Modeling of Systems")

Pattern Matching Approach (cont.)
– Characteristics of the patterns used to model attacks
  • Linearity: specifies a sequence of events comprising the signature pattern, i.e. a sequence of events without conjunction and disjunction
  • Unification: instantiates variables from earlier events and matches them against later occurring events (e.g., the same user ID or file name must appear in each step)
  • Occurrence: specifies the relative placement in time of an event with respect to the previous events
  • Beginning: specifies the absolute time at which the match of a pattern begins
  • Duration: specifies constraints on the time duration for which the event must be active
Reference: S. Kumar, E. H. Spafford, "An Application of Pattern Matching in Intrusion Detection", http://www.csee.umbc.edu/cadip/docs/NetworkIntrusion/pattern.pdf

Pattern Matching Approach (cont.)
– Use Petri nets to capture signatures
  • Each signature corresponds to a particular Petri net automaton
  • Places hold tokens that mark how far a partial match has progressed; transitions fire on the events of the signature
  • The final state of a signature is a compromised state
– Generating an intrusion pattern
  1. Identify the existence of files or other entities created by an attacker
  2. Identify a sequence of events
  3. Identify two or more sequences of events under a temporal relation
  4. Identify the duration of events
  5. Identify the interval between events
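What distinguishes the Petri-net approach from a plain state machine are the pattern characteristics listed two slides earlier: tokens carry variable bindings that later events must unify with, and guards can refer to the beginning time of the match and to a duration. The following is an added example, not code from the slides or from the Kumar/Spafford system, of a small coloured-Petri-net style matcher for one constructed signature: five failed logins for the same user from the same host within 60 seconds, followed by a successful login for that user (a password-guessing attack that worked). The signature, the numbers 5 and 60, and the audit events in demo() are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass

# Added example: a Petri-net style matcher with unification and time
# constraints. Places: start, guessing, compromised. Tokens carry variable
# bindings (user, host), a failure count and the time the match began.

@dataclass(frozen=True)
class Token:
    user: str = None
    host: str = None
    failures: int = 0
    t0: float = 0.0       # "beginning": absolute time the pattern started matching

def g_first_fail(ev, tok, window, threshold):
    """start -> guessing: a failed login binds the pattern variables."""
    if ev["kind"] == "login_fail":
        return Token(ev["user"], ev["host"], 1, ev["ts"])
    return None

def g_more_fail(ev, tok, window, threshold):
    """guessing -> guessing: unification (same user and host) plus a
    duration bound measured from the token's beginning."""
    if (ev["kind"] == "login_fail" and ev["user"] == tok.user
            and ev["host"] == tok.host and ev["ts"] - tok.t0 <= window):
        return Token(tok.user, tok.host, tok.failures + 1, tok.t0)
    return None

def g_success(ev, tok, window, threshold):
    """guessing -> compromised: a successful login for the same variables
    after at least `threshold` failures inside the window."""
    if (ev["kind"] == "login_ok" and ev["user"] == tok.user
            and ev["host"] == tok.host and tok.failures >= threshold
            and ev["ts"] - tok.t0 <= window):
        return tok
    return None

# (input place, output place, guard): the arcs of the net
NET = [("start", "guessing", g_first_fail),
       ("guessing", "guessing", g_more_fail),
       ("guessing", "compromised", g_success)]

def run_net(events, window=60.0, threshold=5):
    """Advance the marking one audit event at a time; return an alert for
    every token that reaches the final (compromised) place."""
    guessing = []             # tokens currently in the intermediate place
    alerts = []
    for ev in events:
        nxt = []
        for tok in guessing:
            fired = False
            for src, dst, guard in NET:
                if src != "guessing":
                    continue
                out = guard(ev, tok, window, threshold)
                if out is None:
                    continue
                fired = True                      # input token is consumed
                if dst == "compromised":
                    alerts.append((ev["ts"], out.user, out.host, out.failures))
                else:
                    nxt.append(out)
            if not fired and ev["ts"] - tok.t0 <= window:
                nxt.append(tok)                   # stays put until its window expires
        # the start place holds a permanent blank token; a new partial match
        # begins only if no live token already tracks this user/host pair
        for src, dst, guard in NET:
            if src != "start":
                continue
            out = guard(ev, Token(), window, threshold)
            if out is not None and not any(t.user == out.user and t.host == out.host for t in nxt):
                nxt.append(out)
        guessing = nxt
    return alerts

def demo():
    """Constructed audit trail: a successful guessing attack on alice, a
    single failure for bob, and a slow attack on carol whose failures never
    fit inside one 60-second window."""
    def ev(ts, kind, user, host):
        return {"ts": ts, "kind": kind, "user": user, "host": host}
    events = [ev(0, "login_fail", "alice", "10.0.0.5"),
              ev(5, "login_fail", "alice", "10.0.0.5"),
              ev(7, "login_fail", "bob", "10.0.0.6"),
              ev(9, "login_fail", "alice", "10.0.0.5"),
              ev(12, "login_fail", "alice", "10.0.0.5"),
              ev(15, "login_fail", "alice", "10.0.0.5"),
              ev(20, "login_ok", "alice", "10.0.0.5"),
              ev(30, "login_ok", "bob", "10.0.0.6"),
              ev(100, "login_fail", "carol", "10.0.0.7"),
              ev(110, "login_fail", "carol", "10.0.0.7"),
              ev(120, "login_fail", "carol", "10.0.0.7"),
              ev(200, "login_fail", "carol", "10.0.0.7"),
              ev(210, "login_fail", "carol", "10.0.0.7"),
              ev(220, "login_fail", "carol", "10.0.0.7"),
              ev(230, "login_fail", "carol", "10.0.0.7"),
              ev(235, "login_ok", "carol", "10.0.0.7")]
    return run_net(events)
```

Bob's token is never completed and expires on its own; carol's first token expires before her fourth failure, and the second only reaches four failures before her success, so the duration constraint silences both. Only alice's token carries enough failures inside the window, and the unification on user and host stops alice's success from being paired with bob's failures. The drawback the next slide lists is visible here too: nothing in the net tells you whether 5 and 60 are the right numbers, or whether an attacker spreading guesses across hosts still matches.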


Strengths and Drawbacks of Pattern Matching Approach
Strengths:
– Rule-based sequential patterns detect anomalous activities that are difficult to detect using traditional methods
– Systems built using this model are highly adaptive to changes by users; if a new pattern is found, it is easy to define it as a Petri net
– Anomalous activities are detected and reported within seconds of receiving the audit events
Drawbacks:
– Requires experience to generate the rules
– Difficult to verify the completeness of the set of rules

References
– Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004, ISBN 0321247442 (textbook 1)
– Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002, ISBN 0201440997 (textbook 2)
– M. Merkow, J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005, 448 pages, ISBN 0131547291
– James L. Peterson, "Petri Net Theory and the Modeling of Systems"
– S. Kumar, E. H. Spafford, "An Application of Pattern Matching in Intrusion Detection". Available at: http://www.csee.umbc.edu/cadip/docs/NetworkIntrusion/pattern.pdf