Telecommunications Networking II Lecture 41g Intrusion Detection.


Telecommunications Networking II

Lecture 41g

Intrusion Detection

Intrusion Detection

Ref: Edward Amoroso

Intrusion Detection

• For the purposes of this lecture, intrusion detection is about detecting unauthorized, possibly malicious attempts to gain access to networks and computer systems, or to disrupt networks, systems, services and applications of authorized users

• To a large extent it is about the synthesis of indications of intrusions from many sources of such indications

Intrusion Detection

• We know that intrusion detection is an emerging approach for responding to the increasing diversity and sophistication of attacks on networks.

• As such, we can talk about the concepts of intrusion detection, we can talk about architectures and frameworks for intrusion detection, and we can talk about specific methods for detecting intrusions

Intrusion Detection

• An architecture and a framework for intrusion detection can lead to an effective intrusion detection infrastructure, into which new intrusion detection methods and signatures can be quickly and easily inserted

• An architecture and framework can also lead to breakthrough thinking on how to protect networks from attacks

Intrusion Detection

• However, the bottom line is that the attacker has the advantage, and at this time our intrusion detection methods are very primitive…often more conceptual than substantive

• That’s where the opportunity is for all of us!

Ethical and Legal Surveillance

• Intrusion detection is based on observations of actions that have been taken by network users

• The body of law that governs the use of computer networks is evolving rapidly

• Monitoring computer usage raises issues and controversies related to privacy rights and protections against arbitrary searches that derive from the U.S. Constitution

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The Bill of Rights: U.S. Constitution

Mechanisms and Policies

• As technologists, we can, and should, create mechanisms that allow people to create enforceable policies

• However, we need to understand, to some degree, the evolving body of law and the current interpretations of existing laws, in order to guide our thinking about what new mechanisms for intrusion detection may be acceptable and needed in the marketplace

Intrusion Detection

• The principal purpose of intrusion detection is to defend against attacks and to recover from attacks

• Layered network defense:

Defend-Detect-Respond

Intrusion Detection

• Layered network defense:

Defend-Detect-Respond

• Since intrusion detection is an imperfect process (i.e., reports and alarms may be in error), and since the attacker can respond by modifying his attack, the above steps may be part of a spiral process, i.e., iterative

Ref: Amoroso p16

Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources

Ref: Amoroso p17

• Process: Intrusion detection should be viewed first and foremost as a process, one that involves technology, people, and tools. Processes involve time and interaction between entities

• Identifying: Intrusion detection can be done before, during, or after malicious activity proceeds

Ref: Amoroso p17

• Responding: Terminate services? Restore services on a prioritized basis? Remove or clean files on trusted hosts containing malicious code? Attempt to catch the attacker(s)? Counter-attack?

• Malicious Activity: Security-relevant actions by people who intend to do harm

Responding

• Note that, from the perspective of legitimate network users, an attack-induced outage that lasts 20 milliseconds will probably be unnoticeable for most applications. An attack-induced outage that lasts 20 seconds will be noticeable, but not serious, for most users and applications. An attack-induced outage that lasts 5.5 hours (20,000 seconds) will generally be very serious for most users

Responding

• How long it takes to recover is very much a function of
- the nature of the damage done
- the cause of the initial damage (e.g., how to eliminate malicious code from trusted hosts)
- the availability, trustworthiness, and accessibility of data that can be used to diagnose the damage and the cause of the damage

Responding

• How long it takes to recover is very much a function of (continued)
- the availability of back-up resources: equipment, applications, and trusted data
- how the overall network was architected
- how good a job was done in planning and implementing recovery processes

Responding

• An enlightening anecdote

A major telecommunications carrier experienced a widespread service outage of its SS7 systems used to provide “intelligent network services.” Contact numbers for management personnel were listed in available directories. Unfortunately, they were “800” numbers.

Responding

• Part of the response is in eliminating the attack mechanisms that may be “inside” the network (i.e., harmful code resident in trusted hosts, malicious “insiders”), and in tightening up or modifying defenses

• Speed is essential: we must reduce the attacker’s advantage by “getting inside of his decision cycle”

Ref: Amoroso p17

“The basic principles of intrusion detection are derived from many sources, many of them having little or nothing to do with computing and networking resources…safecrackers and Internet crackers share a kindred spirit not often obvious because they live in such different worlds…unless, of course, they share a jail cell”

Analogies from Everyday Life

Ref: Amoroso p 18

• Network management systems collect data from many sources to allow for the efficient assignment and monitoring of resources and their utilization

• Monitoring of typical usage patterns to detect fraud (calling cards, credit cards)

• Reacting to situations that don’t seem normal (instinct and intuition)

Analogies from Everyday Life

Ref: Amoroso p 18

• Constant vigilance: surveillance cameras

• Stealth design: hidden surveillance cameras (trying to reduce the attacker’s advantage)

• Incenting adversaries to go elsewhere

Generic Intrusion Detection System

[Figure: network systems or network elements supply observations to an intrusion detection engine; the engine also draws on data and policies, and produces reports, alerts, and autonomous actions]

Generic Intrusion Detection System

A critical, but subtle aspect of the intrusion detection system strategy is to neutralize the attacker’s advantage by drawing on the concerted resources of large numbers of defenders…both in terms of the data they can provide, and in terms of the defense mechanisms they can conceive

Intrusion Detection Data

• Historical data related to (anonymous) network traffic and usage patterns

• Historical data related to specific users or applications

• User profiles: including trust levels, access privileges and roles (job descriptions)

• Signatures of known attacks

• Signatures of patterns considered to indicate a possible attack

Intrusion Detection Data

• Historical data related to (anonymous) network traffic and usage patterns:
- numbers of packets per second, lengths of router buffer queues, frequency of occurrence of particular source-destination pairs, log-in attempts, usage levels for specific applications (all in the context of what time it is and what global events are currently underway)

• Which of the above are the most useful indicators of an attack?
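The slide stresses that an indicator such as log-in attempts only means something "in the context of what time it is". The following added example (not from the lecture or from Amoroso) builds a per-hour-of-day baseline from constructed historical counts and scores new observations against it, so that the same count is normal at midday and an indication at 3 a.m.:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (day, hour, login_attempts) for one host over 14 days.
# Hypothetical values: busy during working hours, nearly idle at night.
HISTORY = [
    (day, hour, (40 + 5 * (day % 3)) if 8 <= hour < 18 else (2 + (day % 2)))
    for day in range(14) for hour in range(24)
]

def build_baseline(history):
    """Per-hour-of-day mean and standard deviation of the metric.
    Bucketing by hour supplies the 'what time is it' context."""
    buckets = defaultdict(list)
    for _, hour, value in history:
        buckets[hour].append(value)
    return {h: (mean(v), pstdev(v)) for h, v in buckets.items()}

def score(baseline, hour, value, floor=1.0):
    """Z-score of one observation against its hour-of-day baseline.
    floor stops near-constant quiet hours from producing huge scores."""
    mu, sigma = baseline[hour]
    return (value - mu) / max(sigma, floor)

def indications(baseline, observations, threshold=3.0):
    """Return (hour, value, z) for observations scoring above threshold."""
    out = []
    for hour, value in observations:
        z = score(baseline, hour, value)
        if z > threshold:
            out.append((hour, value, round(z, 2)))
    return out

if __name__ == "__main__":
    b = build_baseline(HISTORY)
    # 40 attempts at 03:00 is an indication; 40 attempts at 10:00 is routine.
    print(indications(b, [(3, 40), (10, 40), (10, 60), (22, 3)]))
```

The threshold and the `floor` value are the tuning knobs the later "too many false alarms" slide is about; lowering either raises sensitivity at the cost of alarms on legitimate bursts.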

Intrusion Detection Data

• Historical data related to specific users or applications:
- How much traffic do I typically originate?
- To what destinations?
- For what applications?
- What Web pages do I typically visit whenever I am using my computer?

Intrusion Detection Data

• User profiles: including trust levels, access privileges and roles (job descriptions)
- If my job is to manage project xyz, why am I trying to access information about project ABC?
- If I am a general officer, why am I gathering large quantities of detailed information?

Intrusion Detection Data

• Signatures of known attacks (as in virus scanning, but extended to distributed networks)

• Signatures of activities or patterns considered to indicate a possible attack (Politician: “People say I am a crook; do you think I am a crook?” Advisor: “I don’t know if you are a crook, but I know a lot of crooks who act like you”)

Intrusion Detection Data

• Perennial issues:
- What to save (audit trails)
- How long to save it
- How large an impact on network system performance is tolerable
- Extracting information from readily available data vs changing protocols and system designs to get the data that is needed

Tactical vs Strategic

• Tactical: We can’t change the basic protocols or the way that people implement networks and systems, so let’s do what we can on the assumption that we have to use the embedded base

• Strategic: Let’s start with a clean slate, and see how much better we could do. Let’s quantify the potential “gain” and ignore (temporarily) the associated “pain”

Intrusion Detection Engines

• Weapons in the arsenal
- Data fusion
- Pattern recognition
- Visualization
- Escalation

Data Fusion

• One of the key opportunities and challenges in achieving “situational awareness”
- How do I integrate disparate data from many heterogeneous sources, in an automated fashion, to increase the contrast between normal events and an attack?
- How do I force people to provide metadata?
- How do I discount for credibility?
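One concrete way to do the fusion the slide describes, as an added example rather than anything from the lecture: each source reports a likelihood ratio for what it observed, the engine discounts that evidence by a per-source credibility, and the pieces are combined in log-odds space so the "contrast" between an attack and background can be read off directly. The source names, likelihood ratios and credibilities are constructed for illustration.

```python
import math

# Constructed reports from heterogeneous sources. lr is the source's own
# likelihood ratio P(observation | attack) / P(observation | normal);
# credibility in [0, 1] is metadata the fusion engine uses to discount it.
REPORTS = [
    {"source": "router-counter", "lr": 4.0,  "credibility": 0.9},  # packet-rate spike
    {"source": "login-audit",    "lr": 8.0,  "credibility": 0.8},  # burst of failed logins
    {"source": "helpdesk-mail",  "lr": 20.0, "credibility": 0.3},  # unverified user tip
]

def fused_probability(reports, prior=0.01):
    """Combine reports in log-odds space. Credibility tempers each likelihood
    ratio (lr ** credibility): a fully credible source contributes all of its
    evidence, a zero-credibility source contributes nothing."""
    logit = math.log(prior / (1 - prior))
    for r in reports:
        logit += r["credibility"] * math.log(r["lr"])
    return 1 / (1 + math.exp(-logit))

def contrast(reports, prior=0.01):
    """Posterior odds divided by prior odds: how far the fused evidence
    separates this event from the normal background."""
    p = fused_probability(reports, prior)
    return (p / (1 - p)) / (prior / (1 - prior))

def missing_metadata(reports):
    """Sources that supplied no credibility cannot be discounted; list them so
    the operator can demand the metadata instead of silently trusting them."""
    return [r["source"] for r in reports if "credibility" not in r]

if __name__ == "__main__":
    print(round(fused_probability(REPORTS), 3), round(contrast(REPORTS), 1))
    # Treating the unverified tip as fully credible inflates the estimate:
    trusted = [dict(r, credibility=1.0) for r in REPORTS]
    print(round(fused_probability(trusted), 3))
```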

Pattern Recognition

• How do I program a computer to recognize patterns of attack?

• How do I program a computer to distill mountains of incoming measurement data to make it easier for a human operator to recognize an attack?

Visualization

• “I can’t describe it, but I’ll know it when I see it”
- How to represent information in forms that leverage human perceptual capabilities, undocumented human experience, and human intuition
- Minimize training requirements

Escalation

• If I’m becoming uneasy about something, maybe I should
- increase surveillance levels at the expense of network performance
- tighten up on access controls
- revoke the access privileges of suspicious users
- inform management personnel

The downside of escalation

• Too many false alarms can make a network useless to legitimate users

• Too far-reaching a control over escalation mechanisms can open up a new and very serious vulnerability:
- Attack the management system

Decision Theory

• Given the information at hand, how do I decide what steps to take that will provide the most protection while causing the least additional disruption of services
- mathematical theories of decision making processes
- modeling and visualization tools (nearly real time)
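The Escalation and Decision Theory slides together describe choosing among steps of increasing severity while weighing protection against disruption. The following added example (not from the lecture) casts that as expected-cost minimization: each escalation step from the slide carries a constructed disruption cost that legitimate users pay whether or not the alarm is genuine, and a residual fraction of attack damage that still gets through; the step chosen is the one with the lowest expected cost for the current attack probability.

```python
# Escalation steps from the lecture, with constructed costs for illustration.
# disruption: cost to legitimate users, paid whether or not an attack is real.
# residual:   fraction of the attack damage that still gets through.
ACTIONS = {
    "monitor-only":          {"disruption": 0.0,  "residual": 1.0},
    "increase-surveillance": {"disruption": 1.0,  "residual": 0.7},
    "tighten-access":        {"disruption": 5.0,  "residual": 0.3},
    "revoke-privileges":     {"disruption": 20.0, "residual": 0.05},
}

def expected_cost(action, p_attack, attack_damage):
    """E[cost] = disruption (always paid) + p_attack * damage that gets through."""
    a = ACTIONS[action]
    return a["disruption"] + p_attack * attack_damage * a["residual"]

def choose(p_attack, attack_damage):
    """Escalation step with the lowest expected cost for this attack probability."""
    return min(ACTIONS, key=lambda name: expected_cost(name, p_attack, attack_damage))

def false_alarm_cost(p_attack, attack_damage):
    """Disruption the chosen step inflicts when there is in fact no attack,
    weighted by P(no attack): the 'too many false alarms' downside."""
    return (1 - p_attack) * ACTIONS[choose(p_attack, attack_damage)]["disruption"]

if __name__ == "__main__":
    # As confidence in an attack grows, the cheapest step climbs the ladder.
    for p in (0.01, 0.08, 0.3, 0.9):
        print(p, choose(p, 100), round(false_alarm_cost(p, 100), 2))
```

The attack probability fed to `choose` would in practice come from the detection engine's fused indications; the constructed costs are the place an operator encodes how much disruption each step is worth.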