Intrusion Detection -- A 20 year practice. Peng Liu, School of IST, Penn State University (slide transcription)


Slide 1: Intrusion Detection -- A 20 year practice
Peng Liu, School of IST, Penn State University
Pennsylvania State University

Slide 2: Outline
- Motivation
- Intrusion Detection Techniques
- Intrusion Detection Products
- Some New Research Directions

Slide 3: Till 1980
[Diagram: every access request passes through a reference monitor before it reaches the system.]

Slide 4: However attacks do succeed
[Diagram: attacks pass through the reference monitor and reach the system.]

Slide 5: How serious?
FBI investigates 500 organizations:
- 1996: 42% had a security breach
- 1997: 50%
- 1998: 64%
Total lost:
- 1997: 100 million
- 1998: 138 million

Slide 6: Next Generation Security
How to detect and respond to these successful attacks such that critical function can be sustained?

Slide 7: What is intrusion detection?
If computer security measures are analogous to the fences and locks of the physical world, then intrusion detection is like a burglar alarm system.

Slide 8: Outline
- Motivation
- Intrusion Detection (ID) Techniques
- Intrusion Detection Products
- Some New Research Directions

Slide 9: ID Systems
- Host-based
- Network-based
- Application-based

Slide 10: Example ID Systems
- Host based: ComputerWatch, Discovery, Haystack, IDES (EMERALD), ISOA, MIDAS, USTAT, Wisdom and Sense
- Network based: ISOA, IDES, NADIR, DIDS, NSM, GrIDS, NetSTAT, NID

Slide 11: Host based ID Systems
[Diagram: access requests pass through the reference monitor to the resources; the reference monitor writes an audit trail, which the intrusion detector reads to raise warnings.]

Slide 12: Host attacks
- Local to Root (L2R)
- Attempted break-in
- Masquerading
- Leakage by legitimate user
- Inference by legitimate user
- Trojan horse
- Virus

Slide 13: Ex 1: Detect masquerading
- Masquerading: the attacker uses a legitimate user's account
- Observation: the attacker's behavior may differ considerably from that of the legitimate user
- The idea:
  - build a profile of the legitimate user
  - if a behavior (on behalf of the user) is very different from the profile, raise a warning
  - use measures to quantify profiles and behaviors

Slide 14: Host Measures (for a session)
Measure | Description
CPU usage | CPU time
Audit Record | # of audit records (for each hour)
File Usage | # of times each file was accessed
System Errors | # of times each type of error occurred
Directory Usage | Whether a directory was accessed
System Call | # of times each system call was used

Slide 15: Types of Measures
- Intensity measures: the number of audit records per time interval
- Audit record distribution measure
- Categorical measures: names of files, terminals, and remote hosts
- Counting measures

Slide 16: The Haystack Algorithm (1)
- Audit trail -> session vector <cpu time, file usage, commands used>, e.g. <30, 3, 5>
- Threshold vector (the profile): <[20,40], [2,5], [2,4]>
- Bernoulli vector: <1, 1, 0>
- Weight vector: <10, 20, 30>
- Intrusion score: 1*10 + 1*20 + 0*30 = 30
- Suspicion quotient

Slide 17: The Haystack Algorithm (2)
- Suspicion quotient: the probability that a random session's intrusion score is less than or equal to the session's
- Session 1: 50; Session 2: 30; Session 3: 60; Session 4: 40; Session 5: 10; Session 6: 60; Session 7: 20; Session 8: 30; Session 9: 40; Session 10: 50
- Suspicion quotient = 0.40 (0 = very suspicious, 1 = very normal)

Slide 18: The NIDES Algorithm
- NIDES score value: T^2 = (S_1^2 + S_2^2 + ... + S_n^2) / n
- S_i^2 represents some aspect of behavior (from the historical distribution of Q_i)
- Q_i is obtained by comparing the short-term behavior with the profile
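The Haystack scoring of slides 16 and 17, worked through in code as an added example (not code from the deck): it builds the Bernoulli vector, the weighted intrusion score and the suspicion quotient from the slide's own vectors and the ten historical session scores.

```python
# Added example: the Haystack session scoring from slides 16-17, using the slide's
# own numbers (session <30, 3, 5>, profile <[20,40], [2,5], [2,4]>, weights
# <10, 20, 30> and the ten historical session scores). Not code from the deck.
from typing import List, Sequence, Tuple

Band = Tuple[float, float]  # [low, high] range for one feature in the profile


def bernoulli_vector(session: Sequence[float], profile: Sequence[Band]) -> List[int]:
    """One 0/1 flag per feature: 1 if the session's value lies inside the
    profile band, 0 if it falls outside. Slide 16: <30,3,5> against
    <[20,40],[2,5],[2,4]> gives <1,1,0>, because 5 lies outside [2,4]."""
    return [1 if lo <= x <= hi else 0 for x, (lo, hi) in zip(session, profile)]


def intrusion_score(flags: Sequence[int], weights: Sequence[float]) -> float:
    """Weighted sum of the flags: 1*10 + 1*20 + 0*30 = 30 on the slide."""
    return sum(f * w for f, w in zip(flags, weights))


def suspicion_quotient(score: float, history: Sequence[float]) -> float:
    """Empirical probability that a random (historical) session scores at
    most this score. 0 means very suspicious, 1 means very normal (slide 17)."""
    if not history:
        raise ValueError("need at least one historical session score")
    return sum(1 for s in history if s <= score) / len(history)


def score_session(session, profile, weights, history):
    """Run the whole pipeline and return (flags, score, quotient)."""
    flags = bernoulli_vector(session, profile)
    score = intrusion_score(flags, weights)
    return flags, score, suspicion_quotient(score, history)


# Slide values (taken from the deck, not measured data).
SESSION = (30, 3, 5)                       # <cpu time, file usage, commands used>
PROFILE = ((20, 40), (2, 5), (2, 4))       # threshold vector
WEIGHTS = (10, 20, 30)                     # weight vector
HISTORY = (50, 30, 60, 40, 10, 60, 20, 30, 40, 50)  # sessions 1..10 on slide 17

if __name__ == "__main__":
    flags, score, sq = score_session(SESSION, PROFILE, WEIGHTS, HISTORY)
    print(f"bernoulli {flags}, intrusion score {score}, suspicion quotient {sq:.2f}")
```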

Slide 19: Ex 1: summary
- This approach is an anomaly detection approach
- This approach is profile based
- This approach is a statistical approach
- This approach can be used to detect many other kinds of attacks

Slide 20: How good is an ID technique?
- Detection rate
- False alarm rate
- Detection latency

Slide 21: Other Anomaly Detection Techniques
- Rule based (i.e., threshold based)
- Using neural networks
- Temporal sequence learning
- Mining profiles

Slide 22: Ex 2: detect a L2R attack
The attack (in SunOS 4.1.1):
  % ln target -x
  % -x
- Note: target is a setuid shell script owned by the root
- Note: executing -x invokes an interactive subshell with root privileges
- Observation: all such attacks have the same pattern
- The idea: if a behavior matches the pattern, then it is a L2R attack

Slide 23: Using state transition diagrams to specify patterns
A signature:
- Event1: hardlink(file1, file2)
- Event2: execute(file2)
- State 0 (initial state) -> state 1 on Event1, if:
  1. name(file2) = -*
  2. not owner(file1) = user
  3. permitted(suid, file1)
  4. shell_script(file1)
  5. permitted(xgrp, file1) or permitted(xoth, file1)
- State 1 -> state 2 on Event2, if:
  1. not euid = USER

Slide 24: Using rules to specify and detect signatures
Rule 1
- Event: hardlink(file1, file2)
- Condition: the resulting state satisfies (1) name(file2) = -*; (2) not owner(file1) = user; (3) permitted(suid, file1); (4) shell_script(file1); (5) permitted(xgrp, file1) or permitted(xoth, file1)
- Action: put (USER, file2) into state 1
Rule 2
- Event: execute(file2)
- Condition: (1) the before state satisfies (a) (USER, file2) is in state 1; (2) the after state satisfies (a) not euid = USER
- Action: raise a warning of hardlink attack
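Rules 1 and 2 of slide 24 as a small matcher replayed over an audit trail, added here as an illustration and not the deck's own code; the FileAttr record, the event tuple shapes and the sample trail are assumptions made for the example.

```python
# Added example: Rule 1 and Rule 2 of slide 24 as a matcher run over a constructed
# audit trail; not code from the deck. FileAttr, the event tuples and the sample
# trail are assumptions made here for illustration.
import os
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class FileAttr:
    owner: str          # owner(file)
    suid: bool          # permitted(suid, file)
    shell_script: bool  # shell_script(file)
    xgrp: bool          # permitted(xgrp, file)
    xoth: bool          # permitted(xoth, file)

@dataclass
class HardlinkSignature:
    files: Dict[str, FileAttr]
    state1: Set[Tuple[str, str]] = field(default_factory=set)  # (USER, file2) pairs
    warnings: List[str] = field(default_factory=list)

    def rule1(self, user: str, file1: str, file2: str) -> None:
        """Event hardlink(file1, file2): conditions (1)-(5) -> put (USER, file2) in state 1."""
        f = self.files.get(file1)
        if f is not None and (
                os.path.basename(file2).startswith("-")  # (1) name(file2) = -*
                and f.owner != user                      # (2) not owner(file1) = user
                and f.suid                               # (3) permitted(suid, file1)
                and f.shell_script                       # (4) shell_script(file1)
                and (f.xgrp or f.xoth)):                 # (5) permitted(xgrp|xoth, file1)
            self.state1.add((user, file2))

    def rule2(self, user: str, file2: str, euid_after: str) -> None:
        """Event execute(file2): (USER, file2) in state 1 before, euid != USER after."""
        if (user, file2) in self.state1 and euid_after != user:
            self.state1.discard((user, file2))
            self.warnings.append(f"hardlink attack: {user} ran {file2} with euid {euid_after}")

def scan_trail(files: Dict[str, FileAttr], trail: List[tuple]) -> List[str]:
    """Replay audit records (shapes as in TRAIL below) and return the warnings raised."""
    sig = HardlinkSignature(dict(files))
    for kind, *args in trail:
        if kind == "hardlink":
            sig.rule1(*args)
        elif kind == "execute":
            sig.rule2(*args)
    return sig.warnings

# Constructed sample: a root-owned setuid shell script plus an ordinary user's script.
FILES = {"/usr/local/bin/target": FileAttr("root", True, True, True, True),
         "/home/bob/notes.sh": FileAttr("bob", False, True, False, False)}
TRAIL = [("hardlink", "bob", "/home/bob/notes.sh", "/tmp/-n"),      # benign: not setuid
         ("execute", "bob", "/tmp/-n", "bob"),
         ("hardlink", "alice", "/usr/local/bin/target", "/tmp/-x"),  # the slide-22 pattern
         ("execute", "alice", "/tmp/-x", "root")]
```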

Slide 25: Ex 2: summary
- This approach is a signature-based detection approach
- Either rules or state transition diagrams can be used to specify a signature
- Detection is done by matching signatures
- This approach can be used to detect many other kinds of attacks

Slide 26: Anomaly detection vs. Signature-based detection
- Anomaly detection: good for unknown attacks; limited for known attacks
- Signature-based: unable to detect unknown attacks; good for known attacks

Slide 27: A network-based ID system
[Diagram: Internet -> firewall (sensor) -> bastion hosts (each with a local ID sensor) -> internal firewall (sensor) -> Host 1 ... Host n (each with a local ID sensor); all sensors report to the Global ID coordinator.]

Slide 28: Network Attacks
- R2L: Remote to Local
- U2R: User to Root
- DoS: Denial of Service
- Probing

Slide 29: Attacks on Solaris Hosts
- R2L: Dictionary, Ftp-write, Guest, Phf, Xlock, Xsnoop
- U2R: Eject, Ffbconfig, Fdformat, Ps
- DoS: Apache2, Back, Mailbomb, Neptune, Ping of Death, Process table, Smurf, Syslogd, UDP Storm
- Probing: IP Sweep, Mscan, Nmap, Portsweep, Saint, Satan

Slide 30: Ex3: Detect TCP Hijacking
[Diagram: Attacker, Host A and Host B share the bus.] Assume A and B are talking via a TCP connection.
1. B to A: "A B 2357 ACK" (an ACK packet)
2. Attacker to B: "B A 2357 data" (a request packet)
3. B to A: "A B 2358 ACK" (an ACK packet; A will reject it)
4. A to B: "B A 2357 data" (B will reject it)

Slide 31: The signature for TCP hijack
- Event1: A receives an ACK
- Event2: B receives a request
- State 0: 1. B and A have an active connection; 2. (Port-B, IP-B); 3. (Port-A, IP-A)
- State 0 -> state 1 on Event1, at host A: 1. Ack.SrcIP = IP-B; 2. Ack.DstIP = IP-A; 3. Ack.SrcPort = Port-B; 4. Ack.DstPort = Port-A; 5. Port-A.NextSeqNo < Ack.SeqNo; 6. The Ack is rejected
- State 1 -> state 2 on Event2, at host B: 1. Req.SrcIP = IP-A; 2. Req.DstIP = IP-B; 3. Req.SrcPort = Port-A; 4. Req.DstPort = Port-B; 5. Port-B.NextSeqNo > Req.SeqNo; 6. The request is rejected

Slide 32: Centralized detection
- A's (B's) sensor sends each received packet and Port-A's NextSeqNo (Port-B's NextSeqNo) to the ID coordinator
- When the ID coordinator receives the report from A's sensor, it enters state 1
- When the ID coordinator receives the report from B's sensor, it enters state 2 and raises a warning

Slide 33: Distributed detection
- A's sensor does some local ID. When it enters state 1, it informs the ID coordinator
- B's sensor does some local ID. When it enters state 2, it informs the ID coordinator
- When the ID coordinator receives the two reports from A's sensor and B's sensor, it raises a warning
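The centralized detection of slides 31 and 32 as an ID coordinator that correlates the reports from A's and B's sensors, added here as an illustration and not the deck's own code; the report format and the sample addresses, ports and sequence numbers are assumptions.

```python
# Added example: centralized detection of slides 31-32 as an ID coordinator
# correlating sensor reports. Not code from the deck; report format and sample
# addresses/ports are assumptions made here.
from dataclasses import dataclass, field
from typing import List

@dataclass(frozen=True)
class Connection:       # the active A<->B connection the coordinator tracks (state 0)
    ip_a: str
    port_a: int
    ip_b: str
    port_b: int

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq_no: int
    kind: str           # "ack" (Event1, seen at A) or "req" (Event2, seen at B)

@dataclass(frozen=True)
class SensorReport:
    sensor: str         # "A" or "B": which host's sensor sent the report
    packet: Packet
    next_seq_no: int    # Port-A.NextSeqNo or Port-B.NextSeqNo at that host
    rejected: bool      # did the host's TCP stack reject the packet?

@dataclass
class HijackCoordinator:
    conn: Connection
    state: int = 0
    warnings: List[str] = field(default_factory=list)

    def receive(self, r: SensorReport) -> int:
        """Apply one sensor report to the signature's state machine; return the new state."""
        c, p = self.conn, r.packet
        if self.state == 0 and r.sensor == "A" and p.kind == "ack":
            # At A: ACK from (IP-B, Port-B) to (IP-A, Port-A), Port-A.NextSeqNo < Ack.SeqNo, rejected
            if ((p.src_ip, p.src_port, p.dst_ip, p.dst_port) == (c.ip_b, c.port_b, c.ip_a, c.port_a)
                    and r.next_seq_no < p.seq_no and r.rejected):
                self.state = 1
        elif self.state == 1 and r.sensor == "B" and p.kind == "req":
            # At B: request from (IP-A, Port-A) to (IP-B, Port-B), Port-B.NextSeqNo > Req.SeqNo, rejected
            if ((p.src_ip, p.src_port, p.dst_ip, p.dst_port) == (c.ip_a, c.port_a, c.ip_b, c.port_b)
                    and r.next_seq_no > p.seq_no and r.rejected):
                self.state = 2
                self.warnings.append(f"TCP hijack suspected: {c.ip_a}:{c.port_a} <-> {c.ip_b}:{c.port_b}")
        return self.state

# Constructed sample mirroring steps 3 and 4 of slide 30 (A at 10.0.0.1:4000, B at 10.0.0.2:80).
CONN = Connection("10.0.0.1", 4000, "10.0.0.2", 80)
HIJACK = [SensorReport("A", Packet("10.0.0.2", "10.0.0.1", 80, 4000, 2358, "ack"), 2357, True),
          SensorReport("B", Packet("10.0.0.1", "10.0.0.2", 4000, 80, 2357, "req"), 2358, True)]
NORMAL = [SensorReport("A", Packet("10.0.0.2", "10.0.0.1", 80, 4000, 2357, "ack"), 2357, False)]
```

Feeding HIJACK to a fresh HijackCoordinator(CONN) moves it through states 1 and 2 and records one warning; the accepted, in-sequence ACK in NORMAL leaves it in state 0.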

Slide 34: Centralized vs. Distributed ID
- Centralized ID: more communication overhead; more cost; more accurate
- Distributed ID: more scalable; more collaboration overhead

Slide 35: Ex 3: summary
- Network ID needs info from multiple sensors
- Each sensor reports two kinds of info: network traffic and host activities
- Either centralized or distributed ID is possible
- Either anomaly detection or signature-based techniques are useful

Slide 36: ID techniques: A Summary
- Anomaly detection techniques
  - statistical profiles (parametric, non-parametric)
  - neural networks
  - temporal sequence learning
  - mining profiles
  - rule based
- Signature-based techniques
  - rule based
  - state transition diagrams
- Others
  - storage jamming
  - healthy system specification

Slide 37: Outline
- Motivation
- Intrusion Detection (ID) Techniques
- Intrusion Detection Products
- Some New Research Directions

Slide 38: Commercial ID Systems
- VCC by Tripwire
- CMDS by SAIC
- SecureNetPro & Kane Secure Enterprise by intrusion.com
- INTOUCH NSA by TTI
- NetRanger by Wheelgroup
- PolyCenter by Digital
- Real Secure by ISS
- WatchDog by InfoStream
- Stalker

Slide 39: SecureNetPro: An example
[Diagram: Internet -> screening router -> Web and Mail hosts watched by a SecureNetPro Sensor -> Firewall -> internal router -> Corp. network with a SecureNetPro Sensor host and a SecureNetPro Console host; a backup network is also shown.]

Slide 40: SecureNetPro: features
- 100 Mbps real-time detection
- monitor over 50 segments simultaneously
- more than 300 common attack signatures
- session replay via TCP/IP reconstruction
- stateful application layer protocol decoding
- e-mail notification; customizable reports

Slide 41: Outline
- Motivation
- Intrusion Detection (ID) Techniques
- Intrusion Detection Products
- Some New Research Directions

Slide 42: New Directions
- Application-aware intrusion detection
  - database applications
  - distributed applications on CORBA or DCOM
- Automatic profile and rule management
- Collaborative intrusion detection
- Advanced ID techniques
- QoS of intrusion detection systems

Slide 43: Ex: Mining rules from trails
- Rules are useful for both signature based detection and anomaly detection
- Managing rules manually has many limitations: ad-hoc, prone to errors, etc.
- The idea:
  - mine signatures for known attacks from network traffic and host trails
  - mine profiles from legitimate network traffic and host trails

Slide 44: Acknowledgements
Some materials in this lecture are from Prof. Peng Ning at North Carolina State University.