IDS: Signature Detection
Idea: what is bad is known; what is not bad is good
- Determines whether a sequence of instructions being executed is known to violate the site security policy
- Signatures: descriptions of known or potential exploits, grouped into rule sets
- IDS matches data against the rule sets; on a match, a potential attack has been found
Rule-based anomaly detection
- Analyze historical audit records for expected behavior, then match against current behavior
- Similar in approach to statistical anomaly detection
Rule-based penetration identification
- Rules identify known penetrations / weaknesses
- Often derived by analyzing attack scripts from the Internet
- Supplemented with rules from security experts
- Issue: cannot detect attacks unknown to the developers of the rule set
IDS: Requirements
- Run continually with minimal human supervision
- Fault tolerant, e.g. ability to recover from system crashes
- Provide graceful degradation of service, e.g. mostly unaffected by failure of single IDS components
- Resist subversion, e.g. ability to detect modification of itself by an attacker
- Impose a minimal overhead on the system
- Scale to monitor large numbers of systems
- Configured according to the system security policies
- Adapt to changes in systems and users
Intrusion Detection Structures
Host-Based IDS
- Specialized software that monitors system activity to detect suspicious behavior
- Primary purpose is to detect intrusions, log suspicious events, and send alerts
- Can detect both external and internal intrusions
- Two approaches, often used in combination:
  - Anomaly detection: defines normal/expected behavior
    - threshold detection
    - profile based
  - Signature detection: defines attack patterns
Distributed Host-Based IDS
- Host agent module: collects audits on the host and transmits them to the central manager
- LAN monitor agent module: collects and reports LAN audits to the central manager
- Central manager module: correlates reports from hosts and the LAN monitor to detect intrusions
Distributed Host-Based IDS
- Filter: retains records of security interest and creates a standardised host audit record (HAR)
- Template-driven logic scans for:
  - notable events (failed access, change of access control)
  - known attack patterns
  - abnormalities in user behaviour
  - sends an alert to the central manager
- Central manager:
  - draws inferences from HARs
  - can request additional HARs from hosts
Network-Based IDS (NIDS)
- Monitors traffic at selected points on a network, in (near) real time, to detect intrusion patterns
- May examine network, transport and/or application level protocol activity directed toward systems
- Comprises a number of sensors
  - Inline: actual traffic passes through the sensor; possibly realized as part of another network device, i.e. no additional hardware required
  - Passive: monitors a copy of the actual traffic, therefore more efficient than inline
NIDS: Sensor Deployment
Positions of network IDS sensors, and what each position analyses:
1) problems with the firewall policy, and attacks from the outside world that could penetrate the perimeter defence
2) number and types of attacks from the Internet targeting the network
3) major backbone networks, to detect unauthorized activities by authorized users within the organisation's network
4) attacks targeting critical system resources
NIDS: Intrusion Detection Techniques
- Signature detection: at application, transport and network layers; unexpected application services, policy violations
- Anomaly detection: detection of denial of service attacks, scanning, worms
- Function of sensors: sends an alert and logs information if a violation is detected
  - Used by the analysis module to refine intrusion detection parameters and algorithms
  - Used by the security admin to improve protection
Distributed Adaptive Intrusion Detection
Issues of the former IDSs:
- Monitor selected network parts and may miss an attack
- Less appropriate for loose boundaries (e.g. hosts may join or disappear)
Distributed adaptive IDS:
- Does not rely on perimeter defence such as firewalls
- Each host and network device is considered a sensor
- Nodes use a peer-to-peer gossip protocol to inform each other of suspicions
- If enough gossip messages are received, an attack is assumed
Intrusion Detection Exchange Format
- Data source: raw data at the IDS used to detect unauthorized/undesired activity
- Sensor: collects data from the data source and forwards events to the analyzer
- Analyzer: process analyzing the collected data for unauthorized/undesired activity
- Administrator: human with overall responsibility for setting the security policy of the organisation
- Manager: process from which the operator manages the components of the ID system
- Operator: human who is the primary user of the IDS manager
SNORT
SNORT
- Lightweight IDS
- Real-time packet capture and rule analysis
- Passive or inline
Components:
- Packet Decoder: identifies and isolates protocol headers at the data link, network, transport, and application layers
- Detection Engine: does the intrusion detection; analyses each packet using the rules defined for this configuration of Snort by the security administrator
- Logger: logs packets that match a rule for later analysis
- Alerter: sends an alert for a detected event; whether a log entry or an alert is created is determined by the Snort rules
SNORT Rules
- Use a simple, flexible rule definition language with a fixed header and zero or more options
- Header includes:
  - Action: what to do when a packet matching the rule criteria is found
  - Protocol: if the packet protocol matches this field, analysis proceeds
  - Source IP: source of the packet
  - Source port: for the specified protocol (e.g., a TCP port)
  - Direction: unidirectional (->) or bidirectional (<>)
  - Dest IP, dest port
Example rule to detect a TCP SYN-FIN scan (the action keyword is lower-case; a trailing backslash continues the rule on the next line):

    alert tcp $EXTERNAL_NET any -> $HOME_NET any \
        (msg:"SCAN SYN FIN"; flags:SF,12; \
        reference:arachnids,198; classtype:attempted-recon;)
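To make the header/option split concrete, here is an added example, written for this page rather than taken from Snort itself, that parses the rule above into its header fields and options and runs it over a few constructed packet summaries. It resolves $HOME_NET and $EXTERNAL_NET from an assumed variable table, handles `any` and `!` negation, and implements the `flags` option's exact match and its `,12` list of ignored reserved bits. Port ranges, lists and the content options are deliberately out of scope; all packet values and the helper names are assumptions.

```python
"""Minimal Snort rule parser and header/flags matcher (added example, not Snort code)."""
import ipaddress
import re

# The rule from the slide, with its backslash continuations.
RULE = r'''alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"SCAN SYN FIN"; flags:SF,12; \
    reference:arachnids,198; classtype:attempted-recon;)'''

# Assumed variable bindings; real Snort takes these from its configuration.
VARS = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!$HOME_NET"}

HEADER_FIELDS = ("action", "proto", "src", "sport", "dir", "dst", "dport")


def parse_rule(text):
    """Split a rule into its fixed header and a dict of 'key:value;' options."""
    text = re.sub(r"\\\s*\n\s*", " ", text)            # join continued lines
    head, _, body = text.partition("(")
    rule = dict(zip(HEADER_FIELDS, head.split()))
    body = body.rsplit(")", 1)[0]
    rule["opts"] = {k: v.strip().strip('"')
                    for k, v in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]*);', body)}
    return rule


def addr_matches(spec, ip):
    """Resolve $VARS, honour 'any' and '!' negation, then test CIDR membership."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        return addr_matches(VARS[spec], ip) != negate
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec)) != negate


def port_matches(spec, port):
    """Only 'any' and a single port are supported here (no ranges or lists)."""
    return spec == "any" or int(spec) == port


def flags_match(spec, pkt_flags):
    """Snort flags option: [!|*|+]<flags>[,<bits to ignore>].
    With no modifier the packet's flags (minus the ignored bits) must equal the
    list exactly; '+' = all listed set, others allowed; '*' = any listed set;
    '!' = none of the listed set.  '1' and '2' name the two reserved bits."""
    want, _, ignore = spec.partition(",")
    mod = want[0] if want[0] in "!*+" else ""
    want = set(want.lstrip("!*+"))
    have = set(pkt_flags) - set(ignore)
    if mod == "+":
        return want <= have
    if mod == "*":
        return bool(want & have)
    if mod == "!":
        return not (want & have)
    return have == want


def rule_matches(rule, pkt):
    """Header check (both orientations for '<>'), then the flags option."""
    if rule["proto"] != pkt["proto"]:
        return False
    ends = [(rule["src"], rule["sport"], rule["dst"], rule["dport"])]
    if rule["dir"] == "<>":
        ends.append((rule["dst"], rule["dport"], rule["src"], rule["sport"]))
    if not any(addr_matches(s, pkt["src"]) and port_matches(sp, pkt["sport"])
               and addr_matches(d, pkt["dst"]) and port_matches(dp, pkt["dport"])
               for s, sp, d, dp in ends):
        return False
    flags = rule["opts"].get("flags")
    return flags is None or flags_match(flags, pkt.get("flags", ""))


def run(rule_text, packets):
    """Return (action, msg, src) for every packet the rule fires on."""
    rule = parse_rule(rule_text)
    return [(rule["action"], rule["opts"]["msg"], p["src"])
            for p in packets if rule_matches(rule, p)]


# Constructed packet summaries using documentation address ranges.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10", "dport": 22, "flags": "SF"},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "192.0.2.10", "dport": 22, "flags": "S"},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40002, "dst": "192.0.2.10", "dport": 80, "flags": "SF2"},
    {"proto": "tcp", "src": "192.0.2.5", "sport": 40003, "dst": "192.0.2.10", "dport": 22, "flags": "SF"},
    {"proto": "udp", "src": "198.51.100.7", "sport": 40004, "dst": "192.0.2.10", "dport": 53, "flags": ""},
]

if __name__ == "__main__":
    for hit in run(RULE, PACKETS):
        print(hit)
```

Only the first and third packets fire: the second lacks FIN, the fourth comes from inside $HOME_NET and so fails $EXTERNAL_NET, and the fifth is UDP. The third fires even though reserved bit 2 is set, which is exactly what the `,12` suffix in the rule asks for.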
Honeypot
Honeypots
- Decoy systems filled with fabricated information
- Instrumented with monitors / event loggers
- Divert and hold the attacker to collect activity information, without exposing production systems
- Initially single systems; more recently they are (or emulate) entire networks
Honeypot Deployment
Positions of a honeypot:
1) Tracking attempts to connect to unused IP addresses within the scope of the network
2) Externally available services
3) Catching internal attacks, and detecting badly configured firewalls that forward impermissible traffic from the Internet to the internal network
Malware
Malicious Software
- Programs exploiting system vulnerabilities, known as malicious software or malware
  - program fragments that need a host program, e.g. viruses, logic bombs, and backdoors
  - independent self-contained programs, e.g. worms, bots
  - replicating or not
- Sophisticated threat to computer systems
Malware Terminology
- Virus
- Worm
- Logic bomb
- Trojan horse
- Backdoor (trapdoor)
- Mobile code
- Auto-rooter
- Kit (virus generator)
- Spammer and flooder programs
- Keyloggers
- Rootkit
- Zombie, bot
Viruses
- Piece of software that infects programs, modifying them to include a copy of the virus so that it executes secretly when the host program is run
- Specific to operating system and hardware, taking advantage of their details and weaknesses
- Phases of a typical virus:
  - Dormant: idle state, waiting for some event to start (e.g. presence of a program or file)
  - Propagation: virus copies itself to other programs
  - Triggering: activation of the designed malicious function
  - Execution: execution of the intended malicious function
Virus Structure
Components:
- Infection mechanism: enables replication
- Trigger: event that makes the payload activate
- Payload: what it does, malicious or benign
Placement: prepended / postpended / embedded in the host program
- When the infected program is invoked, it executes the virus code and then the original program code
Avoidance of viruses:
- Block the initial infection (difficult; in general impossible)
- Block propagation (with access controls)