1 / 86

Intrusion Detection

Intrusion Detection. Chapter 22 in “Introduction to Computer Security”. Chapter 22: Intrusion Detection. Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response. Lecture 1. Intrusion.

carol
Download Presentation

Intrusion Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Intrusion Detection Chapter 22 in “Introduction to Computer Security”

  2. Chapter 22: Intrusion Detection • Principles • Basics • Models of Intrusion Detection • Architecture of an IDS • Organization • Incident Response

  3. Lecture 1

  4. Intrusion • An intrusion is a deliberate unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property and where the misuse may result into or render the property unreliable or unusable. • Types • Attempted break-ins • Masquerade attacks • Penetrations of the security control system • Leakage • Denial of service • Malicious use

  5. The System Intrusion Process • Reconnaissance • Gather information about the target system and the details of its working and weak points. • Vulnerability assessment is part of intrusion process. • Physical Intrusion • Enter an organization network masquerading as legitimate users, including administrative privileges, remote access privileges.

  6. The System Intrusion Process • Denial of Service • DoS attacks are where the intruder attempts to crash a service or the machine, overload network links, overload the CPU, or fill up the disk. • Ping-of-Death, sends an invalid fragment, which starts before the end of packet, but extends past the end of the packet. • SYN flood, sends a huge number of TCP SYN packets to let victim wait. • Land/Latierra, sends a forged SYN packet with identical source/destination address/port so that the system goes into an infinite loop trying to complete the TCP connection.

  7. The Dangers of System Intrusions • Loss of personal data that may be stored on a computer. The victim may not notice the loss of digital information. • Compromised privacy. A lot of individual data is kept on individuals by organizations, i.e., bank, mortgage company. • Legal Liability. Hack may use your computer to break into other systems in two or three level hacking.

  8. 22.1 Principles of Intrusion Detection • Characteristics of systems not under attack • User, process actions conform to statistically predictable pattern • User, process actions do not include sequences of actions that subvert the security policy • Process actions correspond to a set of specifications describing what the processes are allowed to do • Systems under attack do not meet at least one of these

  9. Example • Goal: insert a back door into a system • Intruder will modify system configuration file or program • Requires privilege; attacker enters system as an unprivileged user and must acquire privilege • Nonprivileged user may not normally acquire privilege (violates #1) • Attacker may break in using sequence of commands that violate security policy (violates #2) • Attacker may cause program to act in ways that violate program’s specification (violates #3)

  10. 22.2 Basic Intrusion Detection • Attack tool is automated script designed to violate a security policy • Example: rootkit,(http://en.wikipedia.org/wiki/Rootkit) • Includes password sniffer • Designed to hide itself using Trojaned versions of various programs (ps, ls, find, netstat, etc.) • Adds back doors (login, telnetd, etc.) • Has tools to clean up log entries (zapper, etc.)

  11. Detection • Rootkit configuration files cause ls, du, etc. to hide information • ls lists all files in a directory • Except those hidden by configuration file • dirdump (local program to list directory entries) lists them too • Run both and compare counts • If they differ, ls is doctored • Other approaches possible

  12. Key Point • Rootkit does not alter kernel or file structures to conceal files, processes, and network connections • It alters the programs or system calls that interpret those structures • Find some entry point for interpretation that rootkit did not alter • The inconsistency is an anomaly (violates #1)

  13. Denning’s Model • Hypothesis: exploiting vulnerabilities requires abnormal use of normal commands or instructions • Includes deviation from usual actions • Includes execution of actions leading to break-ins • Includes actions inconsistent with specifications of privileged programs

  14. Goals of IDS • Detect wide variety of intrusions • Previously known and unknown attacks • Suggests need to learn/adapt to new attacks or changes in behavior • Detect intrusions in timely fashion • May need to be be real-time, especially when system responds to intrusion • Problem: analyzing commands may impact response time of system • May suffice to report intrusion occurred a few minutes or hours ago

  15. Goals of IDS • Present analysis in simple, easy-to-understand format • Ideally a binary indicator • Usually more complex, allowing analyst to examine suspected attack • User interface critical, especially when monitoring many systems • Be accurate • Minimize false positives, false negatives • Minimize time spent verifying attacks, looking for them

  16. 22.3 Models of Intrusion Detection • An intrusion detection system (IDS) is a system used to detect unauthorized intrusions into computer systems and networks. • Anomaly detection (behavior-based detection) • What is usual, is known • What is unusual, is bad • Challenges? Solutions? • Misuse detection (signature-based detection) • What is bad, is known • What is not bad, is good • Typical misuses: unauthorized access, unauthorized modification, denial of service • Specification-based detection • What is good, is known • What is not good, is bad

  17. 22.3.1 Anomaly Detection • Anomaly based systems are “learning” systems in a sense that they work by continuously creating “norms” of activities. • Anomaly detection compares observed activity against expected normal usage profiles “learned”. • Assumption: all intrusive activities are necessarily anomalous. • Any activity on the system is checked against “normal” profiles, is a deemed acceptable or not not based on the presence of such activity in the profile database.

  18. 22.3.1 Anomaly Detection • Individual profile is a collection of common activities a user is expected to do and with little deviation from the expected form. Usage time, login time. • Group profile covers a group of users with a common work pattern, resource requests and usage, and historic activities. • Resource profile includes the monitoring of the user patterns of the system resources such as applications, accounts, storage media, protocols, communication ports. • Other profiles. For instance, executable profile.

  19. 22.3.1 Anomaly Detection • Threshold metrics • Statistical moments • Markov model

  20. Threshold Metrics • Counts number of events that occur • Between m and n events (inclusive) expected to occur • If number falls outside this range, anomalous • Example • Windows: lock user out after k failed sequential login attempts. Range is (0, k–1). • k or more failed logins deemed anomalous

  21. Difficulties • Appropriate threshold may depend on non-obvious factors • Typing skill of users • If keyboards are US keyboards, and most users are French, typing errors very common • Dvorak vs. non-Dvorak within the US • http://en.wikipedia.org/wiki/Dvorak_Simplified_Keyboard

  22. Statistical Moments • Analyzer computes standard deviation (first two moments), other measures of correlation (higher moments) • If measured values fall outside expected interval for particular moments, anomalous sum = x1 + x2 + .. + xn Sumsquqares = A new observation xn+1 is defined to be abnormal if it fallls outside a confidence interval that is d standard deviations from the mena for some parameter d: mean + d * stdev,

  23. Markov Model • Past state affects current transition • Anomalies based upon sequences of events, and not on occurrence of single event • Problem: need to train system to establish valid sequences • Use known, training data that is not anomalous • The more training data, the better the model • Training data should cover all possible normal uses of system

  24. Example: TIM • Time-based Inductive Learning • Sequence of events is abcdedeabcabc • TIM derives following rules: R1: abc (1.0) R2: cd (0.5) R3: ce (0.5) R4: de (1.0) R5: ea (0.5) R6: ed (0.5) • Seen: abd; triggers alert • c always follows ab in rule set • Seen: acf; no alert as multiple events can follow c • May add rule R7: cf (0.33); adjust R2, R3

  25. Potential Problems of Anomaly Detection • False Positive: Anomaly activities that are not intrusive are classified as intrusive. • False Negative: Intrusive activities that are not anomalous result in false negatives, that is events are not flagged intrusive, though they actually are. • Computational expensive because of the overhead of keeping track of, and possibly updating several system profile metrics.

  26. 22.3.2 Misuse Modeling • Determines whether a sequence of instructions being executed is known to violate the site security policy • Descriptions of known or potential exploits grouped into rule sets • IDS matches data against rule sets; on success, potential attack found • Cannot detect attacks unknown to developers of rule sets • No rules to cover them

  27. Example: Network Flight Recorder (NFR) • Built to make adding new rules easily • Architecture: • Packet sucker: read packets from network • Decision engine: uses filters to extract information • Backend: write data generated by filters to disk • Query backend allows administrators to extract raw, post-processed data from this file • Query backend is separate from NFR process • Strength: clean design and adaptability to the need of the users • Weakness: one must know what to look for

  28. N-Code Language • Users can write their own filters using N-code language • Example: ignore all traffic not intended for 2 web servers: # list of my web servers my_web_servers = [ 10.237.100.189 10.237.55.93 ] ; # we assume all HTTP traffic is on port 80 filter watch tcp ( client, dport:80 ) { if (ip.dest != my_web_servers) return; # now process the packet; we just write out packet info record system.time, ip.src, ip.dest to www._list; } www_list = recorder(“log”)

  29. 22.3.3 Specification Modeling • Determines whether execution of sequence of instructions violates specification • Only need to check programs that alter protection state of system • System traces, or sequences of events t1, … ti, ti+1, …, are basis of this • Event ti occurs at time C(ti) • Events in a system trace are totally ordered

  30. Examples • Subject S composed of processes p, q, r, with traces Tp, Tq, Tr has Ts = TpTqTr • Filtering function: apply to system trace • On process, program, host, user as 4-tuple < ANY, emacs, ANY, bishop > lists events with program “emacs”, user “bishop” < ANY, ANY, nobhill, ANY > list events on host “nobhill”

  31. Example: Apply to rdist • Ko, Levitt, Ruschitzka defined PE-grammar to describe accepted behavior of program • rdist creates temp file, copies contents into it, changes protection mask, owner of it, copies it into place • Attack: during copy, delete temp file and place symbolic link with same name as temp file • rdist changes mode, ownership to that of program

  32. Comparison and Contrast • Misuse detection: if all policy rules known, easy to construct rule sets to detect violations • Usual case is that much of policy is unspecified, so rule sets describe attacks, and are not complete • Anomaly detection: detects unusual events, but these are not necessarily security problems • Specification-based vs. misuse: spec assumes if specifications followed, policy not violated; misuse assumes if policy as embodied in rule sets followed, policy not violated

  33. 22.4 IDS Architecture • Basically, a sophisticated audit system • Agent like logger; it gathers data for analysis • Director like analyzer; it analyzes data obtained from the agents according to its internal rules • Notifier obtains results from director, and takes some action • May simply notify security officer • May reconfigure agents, director to alter collection, analysis methods • May activate response mechanism

  34. 22.4.1 Agents • Obtains information and sends to director • May put information into another form • Preprocessing of records to extract relevant parts • May delete unneeded information • Director may request agent send other information

  35. Example • IDS uses failed login attempts in its analysis • Agent scans login log every 5 minutes, sends director for each new login attempt: • Time of failed login • Account name and entered password • Director requests all records of login (failed or not) for particular user • Suspecting a brute-force cracking attempt

  36. Host-Based Agent • Obtain information from logs • May use many logs as sources • May be security-related or not • May be virtual logs if agent is part of the kernel • Agent generates its information • Scans information needed by IDS, turns it into equivalent of log record • Typically, check policy; may be very complex

  37. Network-Based Agents • Detects network-oriented attacks • Denial of service attack introduced by flooding a network • Monitor traffic for a large number of hosts • Examine the contents of the traffic itself • Agent must have same view of traffic as destination • TTL tricks, fragmentation may obscure this • End-to-end encryption defeats content monitoring • Not traffic analysis, though

  38. Network Issues • Network architecture dictates agent placement • Ethernet or broadcast medium: one agent per subnet • Point-to-point medium: one agent per connection, or agent at distribution/routing point • Focus is usually on intruders entering network • If few entry points, place network agents behind them • Does not help if inside attacks to be monitored

  39. Aggregation of Information • Agents produce information at multiple layers of abstraction • Application-monitoring agents provide one view (usually one line) of an event • System-monitoring agents provide a different view (usually many lines) of an event • Network-monitoring agents provide yet another view (involving many network packets) of an event

  40. 22.4.2 Director • Reduces information from agents • Eliminates unnecessary, redundant records • Analyzes remaining information to determine if attack under way • Analysis engine can use a number of techniques, discussed before, to do this • Usually run on separate system • Does not impact performance of monitored systems • Rules, profiles not available to ordinary users

  41. Example • Jane logs in to perform system maintenance during the day • She logs in at night to write reports • One night she begins recompiling the kernel • Agent #1 reports logins and logouts • Agent #2 reports commands executed • Neither agent spots discrepancy • Director correlates log, spots it at once

  42. Adaptive Directors • Modify profiles, rule sets to adapt their analysis to changes in system • Usually use machine learning or planning to determine how to do this • Example: use neural nets to analyze logs • Network adapted to users’ behavior over time • Used learning techniques to improve classification of events as anomalous • Reduced number of false alarms

  43. 22.4.3 Notifier • Accepts information from director • Takes appropriate action • Notify system security officer • Respond to attack • Often GUIs • Well-designed ones use visualization to convey information

  44. GrIDS GUI • GrIDS interface showing the progress of a worm as it spreads through network • Left is early in spread • Right is later on

  45. Other Examples • Courtney detected SATAN attacks • Added notification to system log • Could be configured to send email or paging message to system administrator • IDIP protocol coordinates IDSes to respond to attack • If an IDS detects attack over a network, notifies other IDSes on co-operative firewalls; they can then reject messages from the source

  46. Types of Intrusion Detection Systems • Network-Based Intrusion Detection Systems • Have the whole network as the monitoring scope, and monitor the traffic on the network to detect intrusions. • Can be run as an independent standalone machine where it promiscuously watches over all network traffic, • Or just monitor itself as the target machine to watch over its own traffic. (SYN-flood or a TCP port scan)

  47. Advantage of NIDS • Ability to detect attacks that a host-based system would miss because NIDSs monitor network traffic at a transport layer. • Difficulty to remove evidence compared with HIDSs. • Real-time detection and response. Real time notification allows for a quick and appropriate response. • Ability to detect unsuccessful attacks and malicious intent.

  48. Disadvantages of NIDS • Blind spots. Deployed at the border of an organization network, NIDS are blink to the whole inside network. • Encrypted data. NIDSs have no capabilities to decrypt encrypted data.

  49. Host-based Intrusion Detection Systems (HIDS) • Misuse is not confined only to the “bad” outsiders but within organizations. • Local inspection of systems is called HIDS to detect malicious activities on a single computer. • Monitor operating system specific logs including system, event, and security logs on Windows systems and syslog in Unix environments to monitor sudden changes in these logs. • They can be put on a remote host.

  50. Advantages of HIDS • Ability to verify success or failure of an attack quickly because they log continuing events that have actually occurred, have less false positive than their cousins. • Low level monitoring. Can see low-level activities such as file accesses, changes to file permissions, attempts to install new executables or attempts to access privileged services, etc. • Almost real-time detection and response. • Ability to deal with encrypted and switched environment. • Cost effectiveness. No additional hardware is needed to install HIDS.

More Related