Intrusion Detection and Response
David A. Dampier, Mississippi State University; Ambareen Siraj, Mississippi State University
Presented by: Nithin Premachandran
Outline
Cyber Security
Notion of Intrusion Detection
Types of Intrusion
Methods to detect intrusion
Types of Detection
Factors in Selection
Forensics
Summary
Cyber Security
Measures to secure systems:
Prevention: actions taken to prevent unauthorized access to a system
Detection: discover failures in prevention
Response: actions taken after an attack, attempted attack, or damage
Intrusion Detection
Intrusion: attempts to access protected resources that affect the expected performance of the systems and/or challenge the security policy of the systems
Intrusion detection: "the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource"
Detect these intrusion attempts, then take action to defend the system, stop the intrusion, and repair the damage
IDS: a suite of different techniques used to detect several types of malicious behaviors that can compromise the security and trust of a computer
Available in different products that monitor systems and networks for security violations and then report them
Types of Intrusion
Physical intrusion: physical access to a machine
"insider" threats misusing their privileges
removing components for examination
installation of malicious software
Targeted intrusion: a particular system is targeted
unauthorized user masquerading as an authorized user, having obtained illegal access to the system
installation of malicious software
Random intrusion: an open door discovered by accident
port scan attacks
denial-of-service attacks
spoofed attacks
installation of malicious software
Detection Technique
ID is carried out host based and network based
Host based: looks for suspicious actions recorded in audit log files
IDS typically monitors system events and security logs
compares each new log entry and analyzes deviation from normal
Suspicious behavior: alert and perform defensive action
Checks key files in the file system through checksums
Listens to port activity
Suitable for external network
Examples: Tripwire (http://tripwire.com/), Samhain (http://la-samhna.de/samhain/), RealSecure (http://www-935.ibm.com/services/us/index.wss/offerfamily/igs/a1026533)
Detection Technique (Cont)
Network Based Intrusion Detection:
Uses network packets as the audit source
NICs put in promiscuous mode to monitor and analyze all traffic
Matches characteristics of malicious signatures
Signatures:
String signature: look for a text string indicating a possible attack
Port signature: watch for connection attempts to well known, frequently attacked ports
Header signature: watch for dangerous or illogical combinations in packet headers
Examples: Snort, Cisco Intrusion Detection System and Symantec NetProwler
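The three signature classes above, worked as an added example that is not code from the slides or from Snort: each check runs over a small list of constructed packets (plain dicts standing in for decoded headers and payload). The signature tables are hypothetical and tiny; a real NIDS loads thousands of rules.

```python
# Constructed packets standing in for decoded TCP/IP headers plus payload (not captured traffic).
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 80, "flags": 0x18, "payload": b"GET /index.html HTTP/1.0"},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 80, "flags": 0x18, "payload": b"GET /../../etc/passwd HTTP/1.0"},
    {"src": "10.0.0.6", "dst": "10.0.0.9", "dport": 23, "flags": 0x02, "payload": b""},
    {"src": "10.0.0.6", "dst": "10.0.0.9", "dport": 443, "flags": 0x03, "payload": b""},
    {"src": "10.0.0.9", "dst": "10.0.0.9", "dport": 139, "flags": 0x02, "payload": b""},
]

SYN, FIN = 0x02, 0x01  # TCP flag bits
# Hypothetical signature tables for the example.
STRING_SIGS = {b"/etc/passwd": "request references the password file"}
WATCHED_PORTS = {23: "telnet", 139: "netbios-ssn", 445: "smb"}

def string_sign(pkt):
    """String signature: a byte pattern in the payload that indicates a possible attack."""
    return [desc for pat, desc in STRING_SIGS.items() if pat in pkt["payload"]]

def port_sign(pkt):
    """Port signature: a connection attempt to a well known, frequently attacked port."""
    svc = WATCHED_PORTS.get(pkt["dport"])
    return [f"connection attempt to watched port {pkt['dport']} ({svc})"] if svc else []

def header_sign(pkt):
    """Header signature: flag combinations or addresses that never occur in legitimate traffic."""
    hits = []
    if pkt["flags"] & SYN and pkt["flags"] & FIN:
        hits.append("SYN and FIN set together")
    if pkt["src"] == pkt["dst"]:
        hits.append("source address equals destination address")
    return hits

def scan(packets):
    """Run every signature class over every packet; return (packet index, class, description)."""
    alerts = []
    for i, pkt in enumerate(packets):
        for kind, check in (("string", string_sign), ("port", port_sign), ("header", header_sign)):
            for desc in check(pkt):
                alerts.append((i, kind, desc))
    return alerts
```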
Types of Intrusion Detection
Anomaly and misuse detection techniques
Anomaly detection: technique based on observation of deviation from the normal system usage pattern
Anomaly detector constantly calculates the variance of the present profile from the original one
Any change? Flag it
Examples of measures: activity measure, CPU time used, number of network connections in a certain time, keystrokes, time-of-day usage
Predictive pattern generation: predict future events based on those that have already occurred
Threshold monitoring: set values by defining acceptable behavior
Resource profiling: monitor use of accounts, applications etc. and develop a historic profile
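Threshold monitoring and resource profiling combined, as an added example not drawn from the slides: per-host connection counts from a constructed one-minute window of log lines are compared against a constructed historic profile, and a host is flagged when it exceeds its own mean plus k standard deviations, or when it has no profile at all. The log format and the history values are assumptions made for the example.

```python
import re
import statistics
from collections import Counter

# Constructed log lines for one minute (not real traffic): 7 from 10.0.0.5, 1 from 10.0.0.7, 1 from an unknown host.
NEW_WINDOW = """\
2024-05-01T10:05:01 conn src=10.0.0.5 dst=10.0.0.9:22
2024-05-01T10:05:02 conn src=10.0.0.5 dst=10.0.0.9:80
2024-05-01T10:05:02 conn src=10.0.0.5 dst=10.0.0.10:80
2024-05-01T10:05:03 conn src=10.0.0.5 dst=10.0.0.11:80
2024-05-01T10:05:04 conn src=10.0.0.5 dst=10.0.0.12:80
2024-05-01T10:05:05 conn src=10.0.0.5 dst=10.0.0.13:80
2024-05-01T10:05:06 conn src=10.0.0.5 dst=10.0.0.14:80
2024-05-01T10:05:07 conn src=10.0.0.7 dst=10.0.0.9:443
2024-05-01T10:05:09 conn src=10.0.0.42 dst=10.0.0.9:22
"""

# Constructed historic profile: connections per minute each host made in past windows.
HISTORY = {
    "10.0.0.5": [3, 4, 2, 5, 3, 4, 3, 4],
    "10.0.0.7": [1, 0, 2, 1, 1, 0, 1, 1],
}

LINE_RE = re.compile(r"^\S+ conn src=(\S+) dst=\S+$")

def count_connections(log_text):
    """Count connections per source host in one window of log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def threshold(samples, k=3.0):
    """Acceptable upper bound for a host: historic mean plus k standard deviations."""
    return statistics.fmean(samples) + k * statistics.pstdev(samples)

def flag_anomalies(history, counts, k=3.0):
    """Return {host: (observed, limit)} for hosts over their limit; limit is None when no profile exists."""
    flagged = {}
    for host, n in counts.items():
        if host not in history:
            flagged[host] = (n, None)  # never seen before: nothing to compare against
            continue
        limit = threshold(history[host], k)
        if n > limit:
            flagged[host] = (n, round(limit, 2))
    return flagged
```

The choice of k sets the trade-off the Selection Factors slide describes: a lower k raises the detection rate at the cost of more false positives.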
Types of Intrusion Detection
Misuse detection, a.k.a. knowledge based intrusion detection system
Detects attacks on weak points (vulnerabilities) of the system based on accumulated knowledge
Deploy a homogeneous/heterogeneous suite of IDS sensors to monitor different elements in various environments
Homogeneous: multiple installations of the same types of sensors
Heterogeneous: multiple installations of different types of sensors
Network based sensor, e.g. Snort captures IP spoofing attacks
Host level sensor monitors unauthorized changes in the OS, e.g. Tripwire (http://tripwire.com/)
Selection Factors
Performance: high detection rate, low false positives, low false negatives, ability to report the severity of the attack, indicate the outcome of an attack, collect and store intrusion reports
Benchmark test: test a product for ease of installation, impact on system performance and false alarm rates
Technical support: support, warranty, how often updates are promulgated
Internal vs. external help desk: vendor's employees or a contracted one?
Selection Factors (Cont)
Software and hardware refreshment: upgrade program for software/hardware components, ad-hoc releases to fix reported problems
Vendor solvency: vendor's financial status and performance history
Product ratings: third party testing; assurance measures the trust and capability in their products, e.g. ISO Standard 15408, the Common Criteria
Single vendor, multiple vendors, or third-party integrator: number of vendors involved to offer IDS capability; risk of integration, acceptance of responsibility
Forensics
"the study of providing formal evidence that can be used in a court of law to enable the discovery, collection, and preservation of evidence that can then be used to argue a case in court"
Collect and protect evidence about the intrusion on the machine
Information in:
web server logs
firewall logs
system logs
searching RAM
Discover the root cause of the intrusion or attack
Summary
IDSs play the role of "security cameras" for the security administrator
Try to prevent intrusions: use a strong firewall
Assess software vulnerability, e.g. Lumension (http://www.lumension.com)
Security policy and procedures
Employee training
Use host based and network based IDS
Response and recovery process, forensics: collect evidence of attacks to prosecute and reconstruct events
References
Siraj, Ambareen. Intrusion Detection and Response. Ed. Daniel Ragsdale. Hershey, PA: Idea Group Publishing, 2006.
"Intrusion Detection." (27 Dec. 2007): Wikipedia. http://en.wikipedia.org/wiki/Intrusion_detection.
"Intrusion Detection System." (15 Apr. 2008): Wikipedia. http://en.wikipedia.org/wiki/Intrusion_Detection_System.
Q&A