Survey of Information Assurance Intrusion Detection systems.

Date posted: 19-Dec-2015

Page 1

Survey of Information Assurance

Intrusion Detection systems

Page 2

Agenda

• The Early Systems

• Network Based Detection
  – Architecture
  – Benefits
  – Challenges

• Host Based Detection
  – Architecture
  – Benefits
  – Challenges

• Detection Mechanisms

Page 3

Scope of Discussions

• Details of signature matching algorithms are not covered.
• Validity of data collected by an IDS from a legal point of view is not discussed.
• Data mining techniques and data refinement are not discussed.
• The business aspect of intrusion detection is not covered.

Page 4

IDS – systems that collect information from a variety of system and network resources, and then analyze that information for signs of intrusion and misuse.

Page 5

The Early Systems

1980 James P. Anderson wrote the technical report “Computer Security Threat Monitoring and Surveillance”, which proposed using audit trails to detect misuse.

1985 The US Navy funded development of IDES (Intrusion Detection Expert System) at SRI International.

1986 Dorothy Denning published “An Intrusion Detection Model”.

1987 The first annual Intrusion Detection Workshop was held for experts to share ideas.

1989 Todd Heberlein wrote “A Network Security Monitor” (NSM). NSM detects anomalous activity in a heterogeneous network by monitoring TCP/IP packets rather than host audit data.

1990 The US Navy completed a study of IDS research and examined five systems in detail.

Page 6

The Early Systems (continued..)

1992 CMDS (Computer Misuse Detection System) by Science Applications International Corporation (SAIC); Stalker developed by Haystack Labs. These were the first commercial host-based IDS and targeted UNIX.

1994 Researchers at the Air Force Cryptologic Support Center created ASIM (Automated Security Incident Measurement), a robust IDS, and later commercialized it through a company they formed, WheelGroup.

1997 Internet Security Systems released RealSecure for Windows NT.

1998 Cisco acquired WheelGroup and started a program to build network IDS. The creators of Stalker and CMDS joined to form Centrax Corporation and released eNTrax for Windows NT.

1999 FIDNet (Federal Intrusion Detection Network) was proposed to protect US government sites.

Page 7

Capabilities Comparison among early IDS (comparison table not reproduced in the transcript)

Page 8

Capabilities Comparison among early IDS (contd…)

Page 9

Flaws of early IDS

• No platform independence – an IDS could only analyze data from the operating system it was built for.

• No system independence – an IDS could not process data from systems other than the original targets it had been designed to monitor; audit formats were not interchangeable.

• Bad UI – the user interfaces were far from intuitive, a consequence of the research nature of these projects.

Page 10

Types of IDS

• Network Based Intrusion Detection Systems
  – The system analyzes network packets, i.e. the data sent out of the host interface.
  – Packets are usually “sniffed” off the network.
  – The IDS is uniquely positioned to detect access attempts and DoS attacks originating from outside.

• Host Based Intrusion Detection Systems
  – Analyze data originating at the host (audit records, logs).
  – Have no access to, or monitoring of, data in the network or data originating at other hosts.

Page 11

Network Based IDS

• Unauthorized access
  – Unauthorized login
  – Jump-off point for other attacks

• Data/Resource Theft
  – Password downloads
  – Bandwidth theft

• DoS – denial of service
  – Malformed packets
  – Packet flooding
  – Distributed DoS

Page 12

A B C of NETWORK BASED IDS

A – Architecture
B – Benefits
C – Challenges

Page 13

Network Based IDS - Architecture

• Sensors are deployed across the network and report to a central console.

• Sensor: a self-contained detection engine that obtains packets from the network, searches for intrusion-like behavior and sends information back to the central console.

• Types:
  – Traditional sensor: monitors a network segment, not individual machines.
  – Network node: an agent is placed on each machine in the network and monitors only the traffic received by that machine.

Page 14

Diagram: A Standard Network IDS (components as numbered on the slide). Network sensor: network packets, detection engine, TCP/IP records, alert. Command console (1, 2); log (3); response subsystem (4, 6); security officer (5); database (7); data forensics (8); report (9).

Page 15

Traditional Sensor based Architecture

• Steps:
  – A packet is sent (by anyone) on or outside the network.
  – It is sniffed by the sensor.
  – The sensor-resident detection engine examines the packet for pre-defined misuse patterns. When a pattern is detected, an “Alert” is sent to the central console.
  – The Security Officer is notified.
  – A response is generated. It may be automated or directed by the security officer, and may include reconfiguration of the sensor, a router or a firewall.
  – A log entry is made.
  – A comparison is made with the database and a report is created.
  – The incident is stored in the database so that long-term trends can be established using Data Forensics.

Page 16

Diagram: A Sensor Based Network IDS (components as numbered on the slide). Network sensor: network packets, detection engine, TCP/IP records, alert. Command console (1, 2); log (4); security officer (5); response subsystem (6); database (7); data forensics (8); report (9).

Page 17

Distributed Network-Node Architecture

• Steps:
  – A packet is sent (by anyone) on or outside the network.
  – It is sniffed by the sensor placed on the destination machine.
  – The sensor-resident detection engine examines the packet for pre-defined misuse patterns. When a pattern is detected, an “Alert” is sent to the central console.
  – The Security Officer is notified.
  – A local response is generated on the node itself.
  – A log entry is made.
  – A comparison is made with the database and a report is created.
  – The incident is stored in the database so that long-term trends can be established using Data Forensics.

Page 18

Diagram: A Distributed Network Node IDS (components as numbered on the slide). Network sensor on the node: network packets, detection engine, TCP/IP records, alert (1). Command console (2); local response (3); security officer; database (6); data forensics (7); report (8).

Page 19

Network Based IDS: Benefits

• Outsider Deterrence
  – Responding to an attack attempt with a legal notice, an e-mail warning, etc.

• Detection
  – Signature matching
  – Statistical behavioral analysis

• Automated Response and Notification
  – Notify the system administrator
  – Reconfigure a router/firewall to block the attacking source address

Page 20

Network Based IDS: Challenges

• Packet Reassembly
  – 1998: Ptacek and Newsham’s paper “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”. A sensor that inspects packets one at a time, or that reassembles IP fragments and TCP segments differently from the destination host, can be made to see a different byte stream than the host does.

• High Speed Networks – the sensor must keep up with line rate or it silently drops packets.

• Sniffer Detection Programs
  – Antisniff (1999)

• Switched Networks
  – ATM; a sensor on a shared segment no longer sees all traffic.

• Encryption – the payload is opaque to a network sensor.
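The packet reassembly challenge above is easiest to see with a concrete stream. The block below is an added example, not code from the slides or from any IDS product: it feeds constructed TCP segments carrying the FTP site-exec pattern, split and sent out of order with one overlap, to a naive per-packet matcher and to a matcher that reassembles the stream first. The names (Segment, reassemble, stream_match, SIGNATURE) and the "first copy wins" overlap policy are this example's own assumptions; real hosts differ in how they resolve overlapping segments, which is exactly the ambiguity Ptacek and Newsham exploit.

```python
"""Insertion/evasion illustration: the FTP SITE EXEC pattern is split across
out-of-order, overlapping TCP segments. A per-packet engine misses it; an
engine that reassembles the stream first does not. Added example with
constructed traffic, not code from the slides or from any product."""
from dataclasses import dataclass
from typing import List, Optional

SIGNATURE = b"SITE EXEC"  # FTP site-exec request the sensor looks for


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def per_packet_match(segments: List[Segment]) -> bool:
    """Naive detection engine: inspects each packet's payload in isolation."""
    return any(SIGNATURE in s.payload for s in segments)


def reassemble(segments: List[Segment]) -> Optional[bytes]:
    """Rebuild the byte stream the destination host will see.

    Segments are ordered by sequence number; overlapping bytes keep the copy
    with the lower sequence number (an assumed "first wins" policy; real
    stacks differ, and the sensor must mimic the target's choice).
    Returns None if a gap remains, since no host would deliver the data yet.
    """
    if not segments:
        return b""
    ordered = sorted(segments, key=lambda s: s.seq)
    stream = bytearray()
    expected = ordered[0].seq
    for s in ordered:
        if s.seq > expected:
            return None                    # hole in the stream
        already = expected - s.seq         # bytes this segment re-sends
        fresh = s.payload[already:]
        stream += fresh
        expected += len(fresh)
    return bytes(stream)


def stream_match(segments: List[Segment]) -> bool:
    """Detection engine that matches against the reassembled stream."""
    stream = reassemble(segments)
    return stream is not None and SIGNATURE in stream


# Constructed attacker traffic: the signature never appears whole in any
# single segment, segments arrive out of order, and two of them overlap.
EVASIVE = [
    Segment(seq=1007, payload=b"EC cat /etc/passwd\r\n"),
    Segment(seq=1000, payload=b"SITE EX"),
    Segment(seq=1005, payload=b"EXEC"),   # overlaps bytes 1005-1006 of the first
]

if __name__ == "__main__":
    print("per-packet engine sees attack:", per_packet_match(EVASIVE))   # False
    print("reassembling engine sees attack:", stream_match(EVASIVE))    # True
```

The reassembled stream is the only thing worth matching against; the per-packet result is a false negative, not a near miss. The same structure applies to IP fragments, and a sensor that keeps no reassembly state is also the one an attacker can exhaust by sending many incomplete streams, which is the denial-of-service half of the paper's title.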

Page 21

Host Based IDS

• Abuse of privilege
  – Administrative lapse (incorrect privilege assignment, domain addition, ex-employee accounts left active)
  – Privileged user disclosing data

• Changes in Security Configuration
  – Admin rights given to a user, work-from-home user laptops
  – Guest account enabled
  – Open registry (Windows NT defaults)
  – Legal notice missing

Page 22

A B C of HOST BASED IDS

A – Architecture
B – Benefits
C – Challenges

Page 23

Host Based IDS - Architecture

• Usually agent based.
• Agent: an executable that runs on the target host and communicates with a central Command Console.
• Types:
  – Centralized Host Based Architecture
  – Distributed Real-Time Architecture
  – Agentless Host-Based Intrusion Detection

Page 24

Centralized Host Based Architecture

• Steps:
  – An event record is created (a program is executed, a file is accessed, etc.).
  – The agent centralizes the audit file to the CC (Command Console).
  – The detection engine processes the file.
  – A log is created.
  – An alert is generated.

Page 25

Centralized Host Based Architecture (contd…)

  – The Security Officer is notified.
  – A response is generated.
  – The alert is stored.
  – Raw data is moved to the data archive.
  – Reports are generated.

Page 26

Diagram: A Centralized Host Based IDS (components as numbered on the slide). Target host: audit subsystem, audit data, collector, raw data centralized to the console. Command console: detection engine, alert (1, 2); log (3); response subsystem (4, 6); security officer (5); database (7); data forensics (8); report (9).

Page 27

Distributed Real-Time Architecture

• Steps:
  – An event record is created.
  – The audit file is read in real time and processed by the target-resident detection engine.
  – The Security Officer is notified.
  – A response is generated locally.
  – The alert is generated and sent to the central console.
  – Data Forensics is used to look for long-term trends; there is no raw data archive and no statistical data.
  – Reports are generated.

Page 28

Diagram: A Distributed Real-Time Host IDS (components as numbered on the slide). Target host: audit subsystem, audit data, collector, detection engine, alert (1), local response (3). Command console (2); security officer; database (6); data forensics (7); report (8).

Page 29

Agentless Architecture

• There are no host-based agents.
• The central console monitors systems through an API that gives it “remote control” of the data source.
• Example: Windows NT/2000 expose an API with such capabilities; Kane Security Monitor makes use of this facility.
• Caveat: the console needs credentials with remote read access to every monitored host, so the console’s account becomes a high-value target in its own right.

Page 30

Host Based IDS: Benefits

• Insider Deterrence
• Detection
• Notification and Response
  – Log off user / disable account
  – Execute a local script
• Damage Assessment
• Attack Anticipation
• Prosecution Support

Page 31

Host Based IDS: Challenges

• Performance
  – Especially in the Distributed Real-Time Architecture, where the detection engine competes with the host’s own workload.

• Deployment/Maintenance

• Compromise
  – Disabling or shutting down the agent

• Spoofing
  – Inserting false entries into audit records
  – Erasing audit records

Page 32

DETECTION MECHANISMS

Network Based Signatures
Host Based Signatures

Page 33

Network Based Signatures (1 of 2)

• Packet Content Inspection
  – The packet data (payload) is inspected for patterns or signatures.
  – Example: FTP Site Exec

Pattern within data: (c7a5 db87 c7a5 db01) exec cat /etc/passwd\r\n

Page 34

Network Based Signatures (2 of 2)

• Packet Header Inspection
  – The packet header is inspected for patterns or signatures.
  – Examples:
    • Broadcast Attack (e.g. ICMP echo requests addressed to a network’s broadcast address)
    • Land Attack (source address and port identical to the destination address and port)
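The two slides on network-based signatures describe three checks a sensor's detection engine makes: a payload pattern (the FTP site-exec text) and two header patterns (Land and broadcast). The block below is an added example, not code from the slides or from any product, that runs all three over constructed packets and returns the alerts a sensor would forward to the console. The Packet structure, the LOCAL_NETS list, the documentation-range addresses and the signature names are this example's own assumptions; the content check uses only the textual tail of the slide's site-exec pattern, not its hex prefix.

```python
"""Network-based signatures: one payload (content) check and two header checks
run by a sensor's detection engine. Added example over constructed packets; it
is not code from the slides or from any IDS product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = -1   # 8 = echo request
    payload: bytes = b""


# Content signature: the textual part of the slide's FTP site-exec pattern.
FTP_SITE_EXEC = b"exec cat /etc/passwd\r\n"

# Networks the sensor is responsible for (assumed; RFC 5737 documentation range).
LOCAL_NETS = [ip_network("192.0.2.0/24")]


def sig_ftp_site_exec(p: Packet) -> bool:
    """Packet content inspection: pattern in the payload of traffic to FTP."""
    return p.proto == "tcp" and p.dst_port == 21 and FTP_SITE_EXEC in p.payload.lower()


def sig_land(p: Packet) -> bool:
    """Header inspection: Land attack, source and destination address and
    port are identical, so the victim is made to talk to itself."""
    return p.proto in ("tcp", "udp") and p.src_ip == p.dst_ip and p.src_port == p.dst_port


def sig_broadcast_ping(p: Packet) -> bool:
    """Header inspection: ICMP echo request to the directed broadcast address
    of a monitored network (the amplifier step of a broadcast attack)."""
    if p.proto != "icmp" or p.icmp_type != 8:
        return False
    dst = ip_address(p.dst_ip)
    return any(dst == net.broadcast_address for net in LOCAL_NETS)


SIGNATURES: List[Tuple[str, Callable[[Packet], bool]]] = [
    ("FTP-SITE-EXEC", sig_ftp_site_exec),
    ("LAND", sig_land),
    ("BROADCAST-PING", sig_broadcast_ping),
]


def detection_engine(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Run every signature over every packet; return (signature, src, dst)
    alerts the sensor would forward to the command console."""
    alerts = []
    for p in packets:
        for name, matches in SIGNATURES:
            if matches(p):
                alerts.append((name, p.src_ip, p.dst_ip))
    return alerts


# Constructed traffic: one benign HTTP request, one benign ping, three attacks.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 40001, 80, payload=b"GET / HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", "icmp", icmp_type=8),
    Packet("198.51.100.7", "192.0.2.21", "tcp", 40002, 21,
           payload=b"SITE EXEC cat /etc/passwd\r\n"),
    Packet("192.0.2.10", "192.0.2.10", "tcp", 139, 139),
    Packet("203.0.113.5", "192.0.2.255", "icmp", icmp_type=8),
]

if __name__ == "__main__":
    for alert in detection_engine(SAMPLE):
        print(alert)
```

The header checks are cheap and robust because the fields they read cannot be split across packets. The content check is the weak one: it looks at a single packet's payload, so an attacker who spreads the pattern over several TCP segments defeats it unless the sensor reassembles the stream first, which is the evasion problem listed under the network IDS challenges.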

Page 35

Host Based Signatures

• Single Event Signatures
  – Writing to an executable
    • Access flags “WriteData”, “WriteAttributes”, “WriteEA”, “AppendData”, etc.

• Multi Event Signatures
  – Repeated failed logins

• Multi-Host Signatures
  – Events distributed over multiple hosts
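The three classes of host-based signature differ in how much state the detection engine has to keep: none for a single event, a per-host window for a multi-event signature, and a window spanning every host's records for a multi-host signature, which only a central console can evaluate. The block below is an added example, not code from the slides or from any product: it runs one signature of each class over constructed audit records in a simplified format. The Event structure, the access-flag set, the executable suffixes and the thresholds and windows are this example's own assumptions.

```python
"""Host-based signatures over audit records: single-event (a write to an
executable), multi-event (repeated failed logins on one host) and multi-host
(one account failing on several hosts, visible only to a central console).
Added example over constructed records in a simplified audit format; it is
not code from the slides or from any product."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

WRITE_FLAGS = {"WriteData", "WriteAttributes", "WriteEA", "AppendData"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")   # assumed list


@dataclass(frozen=True)
class Event:
    ts: int                         # seconds since an arbitrary epoch
    host: str
    user: str
    kind: str                       # "file_access", "login_failed" or "login_ok"
    target: str = ""                # file path for file_access
    flags: frozenset = frozenset()  # access flags for file_access


def single_event_exec_write(events: List[Event]) -> List[str]:
    """One record is enough: an executable opened with any write access flag."""
    alerts = []
    for e in events:
        hit = e.flags & WRITE_FLAGS
        if e.kind == "file_access" and e.target.lower().endswith(EXECUTABLE_SUFFIXES) and hit:
            alerts.append(f"{e.host}: {e.user} wrote {e.target} ({', '.join(sorted(hit))})")
    return alerts


def multi_event_failed_logins(events: List[Event], threshold: int = 5, window: int = 60) -> List[str]:
    """Fire once per (host, user) when `threshold` failures fall inside `window` seconds."""
    alerts = []
    recent: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    fired = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind != "login_failed":
            continue
        key = (e.host, e.user)
        recent[key] = [t for t in recent[key] if e.ts - t <= window] + [e.ts]
        if len(recent[key]) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(f"{e.host}: {len(recent[key])} failed logins for {e.user} within {window}s")
    return alerts


def multi_host_failed_logins(events: List[Event], min_hosts: int = 3, window: int = 300) -> List[str]:
    """Correlate across hosts: fire once per user whose failures touch
    `min_hosts` distinct hosts inside `window` seconds. Needs every host's
    records in one place, i.e. the command console."""
    alerts = []
    recent: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    fired = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind != "login_failed":
            continue
        recent[e.user] = [(t, h) for t, h in recent[e.user] if e.ts - t <= window] + [(e.ts, e.host)]
        hosts = sorted({h for _, h in recent[e.user]})
        if len(hosts) >= min_hosts and e.user not in fired:
            fired.add(e.user)
            alerts.append(f"{e.user}: failed logins on {len(hosts)} hosts ({', '.join(hosts)}) within {window}s")
    return alerts


# Constructed audit records: a benign read, a write to an executable, six
# failures for one account on one host, one failure each on four hosts.
SAMPLE: List[Event] = (
    [Event(10, "ws01", "alice", "file_access", r"C:\Windows\System32\calc.exe", frozenset({"ReadData", "Execute"})),
     Event(12, "ws01", "bob", "file_access", r"C:\Windows\System32\svc.exe", frozenset({"WriteData", "ReadAttributes"}))]
    + [Event(20 + 5 * i, "ws01", "mallory", "login_failed") for i in range(6)]
    + [Event(100 + 30 * i, f"ws{i + 1:02d}", "svc_backup", "login_failed") for i in range(4)]
    + [Event(400, "ws02", "alice", "login_ok")]
)

if __name__ == "__main__":
    for alert in single_event_exec_write(SAMPLE) + multi_event_failed_logins(SAMPLE) + multi_host_failed_logins(SAMPLE):
        print(alert)
```

Note that the svc_backup pattern never trips the per-host threshold (one failure per host) and the mallory pattern never trips the multi-host one (one host); each signature class catches something the others cannot, and the multi-host class is the reason the centralized and distributed architectures above still ship alerts to a console rather than acting purely locally.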

Page 36

Limitations of IDS

• Not an answer to primary network security issues; detection does not replace prevention.

• Requires a standard firewall and malware protection system alongside it.

• May not be able to detect a new attack, but does provide the data needed to trace such activity afterwards.

Page 37

Latest trends: IDS and IPS

• IPS – Intrusion Prevention Systems. An IPS sits inline and blocks the traffic it matches instead of only alerting, so it is much more active than an IDS and is often seen as the better security technology. The cost is that a false positive now drops legitimate traffic, so inline signatures need tighter tuning than alert-only ones.

• IDS/IPS functionality is usually incorporated into the firewall or VPN gateway.

• These technologies can be used for rate-limiting a particular kind of traffic.

• More Layer 7 (application-layer) analysis is being incorporated into IDS/IPS systems.

Page 38

Questions?

Page 39

References

• Content and diagrams adapted from Paul E. Proctor, The Practical Intrusion Detection Handbook, Prentice Hall PTR, 2001.

• http://www.sans.org/resources/idfaq/what_is_id.php?portal=3ddecea0aa1dd75e13d0c7f68b7a57eb

• http://www.networksecurityjournal.com/intrusion-detection/

• http://www.networksecurityjournal.com/features/current-trends-in-ids-ips-052907/