CS 392 Network Security. Nasir Memon Polytechnic University Module 5 Intrusion Detection

Similar documents
Introduction to Security

CE Advanced Network Security

Introduction to IA Class Notes. 2 Copyright 2018 M. E. Kabay. All rights reserved. 4 Copyright 2018 M. E. Kabay. All rights reserved.

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

Intrusion Detection Systems

Intrusion Detection Systems (IDS)

Overview Intrusion Detection Systems and Practices

Intrusion Detection Systems (IDS)

2. INTRUDER DETECTION SYSTEMS

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Computer Security: Principles and Practice

CS Review. Prof. Clarkson Spring 2017

CS 356 Operating System Security. Fall 2013

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

Statistical Anomaly Intrusion Detection System

Effective Intrusion Type Identification with Edit Distance for HMM-Based Anomaly Detection System

Intrusion Detection -- A 20 year practice. Outline. Till Peng Liu School of IST Penn State University

Firewalls, Tunnels, and Network Intrusion Detection

UMSSIA INTRUSION DETECTION

Intrusion Detection System

intelop Stealth IPS false Positive

CSE 565 Computer Security Fall 2018

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

CSE 565 Computer Security Fall 2018

IDS: Signature Detection

0x1A Great Papers in Computer Security

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Intruders and Intrusion Detection. Mahalingam Ramkumar

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Goals of IDS. Goals of IDS

Improved Detection of Low-Profile Probes and Denial-of-Service Attacks*

CIS 5373 Systems Security

Network Security. Chapter 0. Attacks and Attack Detection

Configuring attack detection and prevention 1

Intrusion Detection. October 19, 2018

Basic Concepts in Intrusion Detection

CS Review. Prof. Clarkson Spring 2016

Chapter 22: Intrusion Detection

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Security and Authentication

Technical Aspects of Intrusion Detection Techniques

NetDetector The Most Advanced Network Security and Forensics Analysis System

Overview of Honeypot Security System for E-Banking

Best practices with Snare Enterprise Agents

Efficient Network Intrusion Detection System Navaneethakrishnan.P a*,theivanathan.g b

Outline. Intrusion Detection. Intrusion Detection History. Some Challenges. Network-based Host Compromises. Host-based Network Intrusion Detection

Invisible Trojan: A Design and Implementation

Intrusion Detection Using Data Mining Technique (Classification)

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

19.1. Security must consider external environment of the system, and protect it from:

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

Access Controls. CISSP Guide to Security Essentials Chapter 2

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

Raj Jain. Washington University in St. Louis

Intrusion Detection Systems and Network Security

Distributed Denial of Service (DDoS)

Configuring attack detection and prevention 1

Intrusion Detection Issues and Technologies

CSE543 - Computer and Network Security Module: Intrusion Detection

Configuring Anomaly Detection

A Data Driven Approach to Designing Adaptive Trustworthy Systems

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

Topics. Principles of Intrusion Detection. Intrusion Detection. Characteristics of systems not under attack

Intrusion Detection and Prevention

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

ANALYSIS ON IDS EVALUATION USING A QUANTITATIVE ASSESSMENT APPROACH

OSSIM Fast Guide

How AlienVault ICS SIEM Supports Compliance with CFATS

CSE543 - Computer and Network Security Module: Intrusion Detection

Security. Advanced Operating Systems and Virtualization Alessandro Pellegrini A.Y. 2017/2018

Intruders and Intrusion Detection. Mahalingam Ramkumar

ProCurve Network Immunity

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Cisco IOS Firewall Intrusion Detection System Commands

Anomaly Detection in Communication Networks

Security System and COntrol 1

Network Security: Firewall, VPN, IDS/IPS, SIEM

Security Information & Event Management (SIEM)

CIS Controls Measures and Metrics for Version 7

Top-Down Network Design

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

CIS Controls Measures and Metrics for Version 7

GCIH. GIAC Certified Incident Handler.

Intrusion Detection - Snort

Scrutinizer Flow Analytics

Chapter 25: Intrusion Detection

Implementation of Signature-based Detection System using Snort in Windows

Network Security. Course notes. Version

CS 161 Computer Security

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Intrusion Detection - Snort

ReVirt: Enabling Intrusion Analysis through Virtual Machine Logging and Replay

Detecting Specific Threats

Intrusion Detection and Malware Analysis

ENTERPRISE ENDPOINT PROTECTION BUYER S GUIDE

Collaborative Intrusion Detection System : A Framework for Accurate and Efficient IDS. Outline

Transcription:

CS 392 Network Security Nasir Memon Polytechnic University Module 5 Intrusion Detection

Course Logistics HW 2 due tonight!! HW 2 assigned due next week. Lab open. Schedule on web. 2/14 IDS 2

Types of intrusion External attacks attempted break-ins, denial of service attacks, port-scans Masquerading as some other user Misuse of privileges, malicious attacks Clandestine users: exploiting bugs in privileged programs 2/14 IDS 3

Fighting intrusion Prevention: isolate from network, strict authentication measures, encryption Preemption: do unto others before they do unto you Deterrence: dire warnings, we have a bomb too. Deflection: diversionary techniques to lure away Detection Counter attacks 2/14 IDS 4

What is IDS? An intrusion is defined as the unauthorized use, misuse, or abuse of computer systems by either authorized users or external perpetrators. Intrusion Detection System (IDS) is the system that attempts to identify these intrusions. Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources. 2/14 IDS 5

Why Is IDS Necessary? It s difficult to ensure that an information system will be free of security flaws. New bugs keep surfacing. Even is network is secured from outsiders, how do you guard against malicious insiders? It s hard to prevent naive users from opening e-mail viruses and download rigged programs unknowingly. 2/14 IDS 6

Examples of IDS in daily life Car Alarms Fire detectors CO detectors House Alarms Surveillance Systems Spy Satellites, and spy planes (U2 and SR-71) 2/14 IDS 7

Architecture of a Generic IDS DATABASE CONFIGURATION DETECTOR ALARMS COUNTERMEASURE PROBES AUDITS ACTIONS SYSTEM 2/14 IDS 8

Efficiency of IDS Accuracy: the proper detection of attacks and the absence of false alarms Performance: the rate at which audit events are processed Completeness: to detect all attacks Fault tolerance: resistance to attacks Timeliness: time elapsed between intrusion and detection 2/14 IDS 9

Taxonomy Elements Detection method: the characteristics of the analyzer Behavior based Knowledge based Behavior on detection: the response to attacks Active response Passive alerting 2/14 IDS 10

Taxonomy Elements(cont d) Audit source location: the kind of input information of the analyzer Host-based: system sources, accounting, syslog, C2 security audit Network-based: SNMP information, network packets Application log files Intrusion-detection alerts 2/14 IDS 11

Taxonomy Elements(cont d) Detection paradigm: detection mechanism State-based Transition-based For each of these you could have perturbing or nonperturbing paradigm. Usage frequency Continuous monitoring Periodical analysis 2/14 IDS 12

Detection Method Knowledge-based: to use the information about the attacks and look for evidence of the exploitation of these attacks. Behavior-based: to use the information about the normal behavior of the system it monitors and look for deviations from the observed usage. 2/14 IDS 13

Knowledge-based Intrusion Detection Advantages Low false-alarm rates Easy for security officer to understand the problem Drawbacks Difficult to gather and maintain the required information on the attacks Generalization issue Difficult to detect the insider attacks involving an abuse of privileges 2/14 IDS 14

Knowledge-based Techniques Expert systems Signature analysis Petri nets State-transition analysis 2/14 IDS 15

Behavior-based Intrusion Detection Advantages The ability of detecting new and unforeseen vulnerabilities Less dependent on OS-specific mechanisms Abuse of privilege types of attacks detection Drawbacks High false-alarm rate 2/14 IDS 16

Behavior-based Intrusion Detection Statistics Expert systems Neural networks User intention identification Computer immunology 2/14 IDS 17

Detection Techniques used in IDS Origin Name Knowledge-based Behavior-based ES SA PN STA Stat ES NN UII Univ. Namur ASAX X AT&T ComputerWatch X USAF Haystack X DIDS X X CS Hyperview X X X SRI IDES X X NIDES X X Emerald X X Purdue U. IDIOT X UCDavis NSM X X GrIDS X LANL W&S X Nadir X X Cisco NetRanger X ISS RealSecure X Securenet C. SecureNet X X X X NAI CyberCop Server X UCSB STAT X USTAT X Stanford U. Swatch X MCNC-NCSU JiNao X X Abbreviations used: ES: expert system; SA: signature analysis; PN: Petri net; STA: state transition analysis; Stat: statistics; NN: neural network; UII: user intention identification 2/14 IDS 18

Behavior on Detection Passive vs. Active detection Most early IDS s were passive. Newer techniques moving to Active Shut down vulnerable services Reconfigure firewall Restore modified configuration file 2/14 IDS 19

Audit source location: Host System sources: ps, who etc. Difficult to use in continuous audit collection Accounting: Lack of parameterizations Lack of precise time-stamp Lack of precise command identification Absence of system daemon activity Delay of obtaining information Syslog: swatch 2/14 IDS 20

Audit source location: Network SNMP information Network packets Advantages: Detection of network specific attacks Usually information collected on separate machine so no impact on rest of system Facilitated cross-platform acquisition Disadvantages Difficult to identify culprit when intrusion detected With switched environment selection of appropriate location for sniffers not obvious Encryption makes it impossible to analyze payload Could be vulnerable to DoS 2/14 IDS 21

Audit source location: Network Application server Advantages Accuracy Completeness Performance Disadvantages Attacks detected only when application log is written or application maliciously used Many low level attacks will not be discovered: ping of death, teardrop. 2/14 IDS 22

Reusability CIDF (Common Intrusion Detection Framework) by DARPA IDWG (Intrusion Detection exchange format Working Group) by IETF 2/14 IDS 23

Characteristics of a normal computer Predictable usage pattern A typical user checks mail, checks news, stock prices, bank account when he/she logs in. Its abnormal for a user to run user management utilities once he/she logs in. Actions of Users and processes do not subvert security policies of the system Users who try to take advantage of a race condition to gain access to files 2/14 IDS 24

Characteristics of a normal computer Actions of processes confirms to security policies Some examples of action that do not confirm to confirms to security policies: sendmail trying to read passwd file!! System logger sending messages to a file in guest users directories 2/14 IDS 25

Modeling Techniques for Intrusion Detection Look for abnormalities (anomaly detection) Most Intruders use some kind of attack tool, such as rootkits, to break into a system. Root kits modify system configuration file and binaries, which could be detected. Look for unusual actions by users (misuse detection) User renaming, copying, or even trying to delete system files 2/14 IDS 26

Modeling Techniques (contd) Look for inconsistent behavior of privileged programs (Specification-based detection) Ftpd trying to read system configuration files (buffer overflow) passwd trying to write something to a file in user home directory (race condition) Tcp stack overloading the system (DOS attack) 2/14 IDS 27

Basic Intrusion Detection Main goals of IDS are: Diversity Detect wide verity of intrusions, by learning and adapting to the environment. Timeliness Detect intrusions in a timely fashion, but being timely does not mean real-time. Accuracy Detect attacks accurately by minimizing false positives and negatives Fault Tolerance With stand know IDS attacks such insertion, evasion, and Denial of Service. 2/14 IDS 28

Model (Intrusion Detection Techniques) ID systems are made of one or more models for detecting intrusions. The different kinds of models are: Anomaly Modeling Misuse Modeling Specification-based Modeling 2/14 IDS 29

Anomaly Modeling This technique basically looks for unexpected usage pattern A formal definition Anomaly detection analyzes a set of characteristics of the system and compares their behavior to a set of expected values. It reports when the computed statistics do not match the expected measurements 2/14 IDS 30

Anomaly Modeling Anomaly modeling is often done with three different types of statistical models Threshold Metric Statistical moments Marker model 2/14 IDS 31

Anomaly Modeling - Threshold Metric Based on the cardinality of events that happens over a period of time An alarm is raised if fewer then m or more than n events occur Example : Win2k lock a user after n unsuccessful login attempts here lower limit is 0 and upper limit is n The challenge in this sub-model is determining m and n 2/14 IDS 32

Anomaly Modeling - Statistical moments In statistics a moment is mean, standard deviation, or any other correlations Analyzer that uses this sub-model knows these moments and any event that falls outside the set interval above or below the moment is said to be anomalous Also takes change to system into account by aging data or altering the statistical rule base upon which they make decisions Provides more flexibility then threshold model, but more complex. 2/14 IDS 33

Anomaly Modeling Marker Model This model identifies intrusion by Examines the system at fixed intervals and keeps track of its state. A probability for each state at a give time interval is computed When an event occurs it changes the state of the system and if the probability for that state to occur at that time interval is low that event is considered anomalous 2/14 IDS 34

Misuse Modeling Misuse refers to an attack by an insider or authorized user This kind of modeling requires knowledge of vulnerabilities that attackers use to exploit. ID system incorporates this knowledge into rule set and uses this rule set. If an event matches any rule in the set, it reports a possible intrusion is under way Misuse based ID systems often use an expert system to analyze the data and apply the rule set. 2/14 IDS 35

Misuse Modeling These systems cannot detect attacks unknown to the developers of the rule set, even variations of known attack. 2/14 IDS 36

Specification Modeling Specification Modeling look states known not to be good. When the system enters such a state it reports possible intrusion Definition : Specification-based detection determines whether a sequence of instructions violates a specification of how a program, or system, should execute. If so, it reports a potential intrusion. 2/14 IDS 37

IDS Architecture Director Corresponds to analyzer, it analyzes data sent by the agents. Directors are the heart of the ID systems and they are made using one or more ID models Agents Provides data to directory. Agents collect data from system logs, messages, and application logs Notifier Responds to Intrusions detected by Director 2/14 IDS 38

A Simplified IDS Architecture DATABASE CONFIGURATION DIRECTOR ALARMS NOTIFIER PROBES AGENT AUDITS SYSTEM ACTIONS 2/14 IDS 39

A More Realistic Architecture Inductive Learning Engine Detection Models Rules Audit Records Audit Data Preprocessor Host-logs: keyboard, application network-logs Activity Data Policies by Detection Engine experts Decision Table Final Assertion Decision Engine Action/Report 2/14 IDS 40

Agents - Host-Based Information Gathering Uses system and application logs Logs could be security or accounting logs, depending upon the goals of the intrusion detection mechanism Agents could also be integrated into the kernel for efficiency But these agents are not portable Putting these agents into application make application complex, therefore its best to let application log its output, and the agent simply analyzes that log 2/14 IDS 41

Agents - Combining Sources Agents aggregate sources before presenting it to director. The goal is to provide adequate data so that directory does not have to do much work to understand the data. Data can be viewed at several levels. Example : Consider a BSD UNIX system with two source of information: Application level log System call level log 2/14 IDS 42

Agents - Combining Sources Application call level log looks like: Feb 12 14:30:00 nob su: root to bishop on /dev/ttyp5 System call level log looks like : 13285 su CALL geteuid 13285 su RET geteuid 0 13285 su CALL stat(, ) 13285 su NAMO.. 13285 su RET stat 0 13285 su CALL open( ) 13285 su NAMI. 13285 su lseek.. 13285 su lseek.. 13285 su CALL read( ) 13285 su GIO fd 3 read 13285 su RET read. 13285 su CALL close(0x3) 13285 su RET close 0 2/14 IDS 43

Agents - Combining Sources The logs were created by BSD when a user changes privileges by typing su. Application log provides only the event that a user has elevated his/her privileges, and omits information about the process that elevated the privileges System log only provides information about the process, and constructing events from system could be challenging to director. 2/14 IDS 44

Agents - Combining Sources So what kind of information should the agent provide to director? (high level application logs or low level system call logs) Well it depends upon the ID mechanism used in directors. If the director is made using marker model then system call level logs might be more useful then application level logs. Or lets say director uses Misuse detection model then application level log would be useful to track the users easily and faster. 2/14 IDS 45

Director Director is the heart of the ID system. It also reduces the incoming logs to eliminate unnecessary records. As stated earlier directors are made using more then one model or techniques, because different techniques highlight different aspects of intrusions. Directors also adapt and alter profiles to changes in the system. Typical adaptive director use machine learning to determine how to alter their behavior. 2/14 IDS 46

Notifier Notifier accepts information from director and takes appropriate action. The simplest notifiers just send message in form of e-mail or alarm to security office, while the advanced once can reconfigure local firewalls, lock users, or stop services that are misbehaving. 2/14 IDS 47

Intrusion Response How can the system be protected once the intrusion is detected? The field intrusion response deals with this problem. This field is made of: Incident Prevention Intrusion handling Confinement Eradication 2/14 IDS 48

Intrusion Response - Incident Prevention Ideally, intrusion attempts will be detected and stopped before they succeed. In order to prevent an attack, the attack has to be identified before it completes. One efficient way of prevention is to Jail an attacker. 2/14 IDS 49

Intrusion Response - Incident Prevention Jailing an attacker allows the attacker to think the attack has succeeded, but place them in an confined area were their behavior can be monitored and controlled Example: Honey Pots 2/14 IDS 50

Intrusion Response Intrusion Handling Handling intrusion means restoring the system to comply with the site policy, and taking action against attackers. Intrusion handling consists of six phases: Preparation for an attack Identification of an attack Confinement of an attack Eradication of the attack Recovery from the attack Follow-up to the attack 2/14 IDS 51

Intrusion Response Confinement Confining an attack means limiting the access to the attacker. There are two approaches to do this : Passive monitoring Constrain access 2/14 IDS 52

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback