462intrusion detection system61838 Intrusion Detection Systems I


  • 7/30/2019 462intrusion detection system61838 Intrusion Detection Systems I

    1/21

    Intrusion Detection Systems (I)

    2/21

    Definitions

    Intrusion: a set of actions aimed at compromising the security goals (integrity, confidentiality, or availability) of a computing or networking resource.

    Intrusion detection: the process of identifying and responding to intrusion activities.

    3/21

    Why Is Intrusion Detection Necessary?

    Security principles: layered mechanisms

    [Diagram: Prevent, Detect, React/Survive]

    4/21

    Elements of Intrusion Detection

    Primary assumptions:
    - System activities are observable
    - Normal and intrusive activities have distinct evidence

    Components of intrusion detection systems:
    - From an algorithmic perspective: features (capture intrusion evidence) and models (piece the evidence together)
    - From a system architecture perspective: audit data processor, knowledge base, decision engine, alarm generation and responses

    5/21

    Components of Intrusion Detection System

    [Diagram: Audit Records -> Audit Data Preprocessor -> Activity Data -> Detection Engine (driven by Detection Models) -> Alarms -> Decision Engine (driven by Decision Table) -> Action/Report. The diagram restates the two assumptions: system activities are observable; normal and intrusive activities have distinct evidence.]

    6/21

    Intrusion Detection Approaches

    Modeling
    - Features: evidence extracted from audit data
    - Analysis approach: piecing the evidence together
      - Misuse detection (a.k.a. signature-based)
      - Anomaly detection (a.k.a. statistical-based)

    Deployment: network-based or host-based

    Development and maintenance
    - Hand-coding of expert knowledge
    - Learning based on audit data

    7/21

    Misuse Detection

    [Diagram: activities -> pattern matching against known intrusion patterns -> intrusion]

    Can't detect new attacks

    Example: if (src_ip == dst_ip) then land attack

    8/21

    Anomaly Detection

    [Chart: activity measures (CPU, Process Size) on a 0-90 scale; the normal profile versus an abnormal reading marked as a probable intrusion]

    Relatively high false positive rate: anomalies can just be new normal activities.
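An added example, not from the slides, putting the two analysis approaches from slides 6 to 8 side by side on constructed audit records: a hand-coded signature (the Land rule) and a statistical normal profile over CPU and process size. Field names, the sample values and the 3-sigma threshold are assumptions.

```python
import statistics

# --- Misuse detection: hand-coded signatures matched against activity ---
SIGNATURES = {
    # the Land-attack rule from slide 7: a packet whose source equals its destination
    "land": lambda r: r["src_ip"] == r["dst_ip"],
}

def misuse_detect(records):
    """(record index, signature name) for every record that matches a pattern."""
    return [(i, name) for i, r in enumerate(records)
            for name, rule in SIGNATURES.items() if rule(r)]

# --- Anomaly detection: statistical profile learned from normal audit data ---
def build_profile(normal_records, measures=("cpu", "proc_size")):
    """Per-measure mean and population standard deviation of normal activity."""
    return {m: (statistics.mean(r[m] for r in normal_records),
                statistics.pstdev(r[m] for r in normal_records))
            for m in measures}

def anomaly_score(record, profile):
    """Largest z-score over the profiled measures (distance from normal)."""
    return max(abs(record[m] - mu) / sd for m, (mu, sd) in profile.items())

def anomaly_detect(records, profile, threshold=3.0):
    """Indices of records more than `threshold` standard deviations from the profile."""
    return [i for i, r in enumerate(records) if anomaly_score(r, profile) > threshold]

# Constructed audit records: a training window of normal activity ...
NORMAL = [{"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "cpu": c, "proc_size": s}
          for c, s in [(20, 30), (25, 32), (22, 28), (18, 31), (24, 29)]]
# ... and a test window holding one known pattern and one never-seen-before spike
TEST = NORMAL[:2] + [
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.9", "cpu": 21, "proc_size": 30},  # Land
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.9", "cpu": 85, "proc_size": 90},  # spike
]

def run():
    """Each approach catches what the other misses: the signature fires only on
    the Land packet, the profile only on the resource spike."""
    return {"misuse": misuse_detect(TEST),
            "anomaly": anomaly_detect(TEST, build_profile(NORMAL))}
```

The spike is flagged only because it lies far from the learned profile; a legitimate new workload with the same footprint would be flagged just the same, which is the false-positive problem the slide notes.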

    9/21

    Monitoring Networks and Hosts

    [Diagram: tcpdump captures Network Packets; BSM records Operating System Events]

    10/21

    Key Performance Metrics

    Algorithm (Alarm: A; Intrusion: I)
    - Detection (true alarm) rate: P(A|I)
    - False negative rate: P(¬A|I)
    - False alarm rate: P(A|¬I)
    - True negative rate: P(¬A|¬I)
    - Bayesian detection rate: P(I|A)

    Architecture
    - Scalable
    - Resilient to attacks

    11/21

    Bayesian Detection Rate

    Base-rate fallacy: even if the false alarm rate P(A|¬I) is very low, the Bayesian detection rate P(I|A) is still low if the base rate P(I) is low.

    E.g., if P(A|I) = 1, P(A|¬I) = 10^-5, and P(I) = 2·10^-5, then P(I|A) = 66%.

    Implications for IDS
    - Design algorithms to reduce the false alarm rate
    - Deploy the IDS at an appropriate point/layer with a sufficiently high base rate

    $$P(I|A) = \frac{P(I)\,P(A|I)}{P(I)\,P(A|I) + P(\neg I)\,P(A|\neg I)}$$
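The base-rate computation above, worked as an added example (not part of the lecture slides): P(I|A) with the slide's numbers, a sweep over the base rate P(I) with the detector held fixed, and the inverse question of how low P(A|¬I) must go to reach a target P(I|A). The sweep values and the 99% target are constructed.

```python
def bayesian_detection_rate(p_a_given_i, p_a_given_not_i, p_i):
    """P(I|A) by Bayes' rule: the fraction of raised alarms that are real intrusions."""
    true_alarms = p_i * p_a_given_i              # P(I) P(A|I)
    false_alarms = (1.0 - p_i) * p_a_given_not_i  # P(not I) P(A|not I)
    return true_alarms / (true_alarms + false_alarms)

def slide_example():
    """Slide 11: detection rate 1, false alarm rate 1e-5, base rate 2e-5 -> about 0.667."""
    return bayesian_detection_rate(1.0, 1e-5, 2e-5)

def base_rate_sweep(p_a_given_i=1.0, p_a_given_not_i=1e-5):
    """P(I|A) as the base rate changes while the detector stays the same.
    The base rates here are constructed to span the deployment choices."""
    return {p_i: round(bayesian_detection_rate(p_a_given_i, p_a_given_not_i, p_i), 4)
            for p_i in (1e-7, 1e-6, 2e-5, 1e-3)}

def false_alarm_rate_needed(target_p_i_given_a, p_i, p_a_given_i=1.0):
    """Bayes' rule solved for P(A|not I): the false alarm rate a detector must
    reach so that P(I|A) equals the target at the given base rate."""
    return (p_i * p_a_given_i * (1.0 - target_p_i_given_a)
            / (target_p_i_given_a * (1.0 - p_i)))
```

With the slide's base rate, reaching a 99% Bayesian detection rate needs a false alarm rate around 2·10^-7, which is why the slide pairs "reduce the false alarm rate" with "deploy where the base rate is high".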

    12/21

    Example ROC Curve

    An ideal system should have a 100% detection rate with a 0% false alarm rate.

    [Chart: % Detect versus % False Alarm, with curves for IDS1 and IDS2]

    13/21

    Host-Based IDSs

    Using OS auditing mechanisms
    - E.g., BSM on Solaris: logs all direct or indirect events generated by a user
    - strace for system calls made by a program

    Monitoring user activities
    - E.g., analyze shell commands

    Monitoring executions of system programs
    - E.g., analyze system calls made by sendmail

    14/21

    Network IDSs

    Deploying sensors at strategic locations
    - E.g., packet sniffing via tcpdump at routers

    Inspecting network traffic
    - Watch for violations of protocols and unusual connection patterns

    Monitoring user activities
    - Look into the data portions of the packets for malicious command sequences

    May be easily defeated by encryption
    - Data portions and some header information can be encrypted

    Other problems

    15/21

    Architecture of Network IDS

    [Diagram: Network -> packet stream -> libpcap (with tcpdump filters) -> filtered packet stream -> Event Engine -> event stream -> Policy Script Interpreter (loaded with a policy script, feeding event control back to the Event Engine) -> alerts/notifications]

    16/21

    Firewall Versus Network IDS

    Firewall: active filtering; fail-close

    Network IDS: passive monitoring; fail-open

    [Diagram: FW and IDS placement]

    17/21

    Requirements of Network IDS

    - High-speed, large-volume monitoring
    - No packet filter drops
    - Real-time notification
    - Mechanism separate from policy
    - Extensible
    - Broad detection coverage
    - Economy in resource usage
    - Resilience to stress
    - Resilience to attacks upon the IDS itself!

    18/21

    Eluding Network IDS

    What the IDS sees may not be what the end system gets.

    Insertion and evasion attacks: the IDS needs to perform full reassembly of packets.

    But there are still ambiguities in protocols and operating systems, e.g. TTL, fragments.

    Need to normalize the packets.

    19/21

    Insertion Attack

    [Diagram: attacker's data stream; the end system sees "ATTACK" while the IDS sees "ATXTACK", because the inserted X is accepted by the IDS but rejected by the end system]

    Examples: bad checksum, TTL.

    20/21

    Evasion Attack

    [Diagram: attacker's data stream; the end system sees "ATTACK" while the IDS sees "ATTCK", because a fragment the end system accepts is missed by the IDS]

    Example: fragmentation overlap
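An added example, not from the lecture, that models slides 18 to 20 with a toy byte-stream reassembler: the host and a naive sensor rebuild the insertion and evasion streams differently, and a sensor that normalizes (drops what the host will drop, applies the host's overlap policy) sees the host's bytes again. Segments, the checksum flag, TTL values and the hop count are constructed; the host's newer-data-wins overlap policy is an assumption, since real operating systems differ, which is the ambiguity the slides point at.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int                  # offset of data[0] in the byte stream
    data: bytes
    checksum_ok: bool = True  # constructed flag standing in for a real checksum
    ttl: int = 64             # remaining TTL when the sensor captures it

def reassemble(segments, overlap):
    """Merge segments by offset. overlap='first' keeps bytes already
    buffered; overlap='last' lets a later segment overwrite them."""
    buf = {}
    for s in segments:
        for off, byte in enumerate(s.data, start=s.seq):
            if overlap == "last" or off not in buf:
                buf[off] = byte
    return bytes(buf[off] for off in sorted(buf))

def host_view(segments, hops_to_host):
    """End system: bad checksums are dropped, a TTL that expires en route
    never arrives, and (assumed host policy) newer data wins on overlap."""
    live = [s for s in segments if s.checksum_ok and s.ttl > hops_to_host]
    return reassemble(live, overlap="last")

def naive_ids_view(segments):
    """Sensor that trusts every captured packet and keeps first-seen bytes."""
    return reassemble(segments, overlap="first")

def normalized_ids_view(segments, hops_to_host):
    """Sensor that discards what the host will discard and applies the
    host's overlap policy, so both sides rebuild the same byte stream."""
    return host_view(segments, hops_to_host)

SIGNATURE = b"ATTACK"
HOPS_TO_HOST = 3   # assumed distance from the sensor to the protected host

def compare(segments, hops_to_host=HOPS_TO_HOST):
    """Signature verdict from each vantage point; a host/naive-sensor split
    is exactly the insertion or evasion gap from the slides."""
    return {"host": SIGNATURE in host_view(segments, hops_to_host),
            "naive_ids": SIGNATURE in naive_ids_view(segments),
            "normalized_ids": SIGNATURE in normalized_ids_view(segments, hops_to_host)}

# Insertion (slide 19): the X carries a bad checksum, so only the sensor keeps it.
INSERTION = [Segment(0, b"AT"), Segment(2, b"X", checksum_ok=False),
             Segment(2, b"TACK")]
# Evasion (slide 20): overlapping retransmission; the host takes the newer bytes.
EVASION = [Segment(0, b"ATT"), Segment(3, b"CK"), Segment(3, b"ACK")]
```

Running compare() on either stream gives host True, naive sensor False, normalized sensor True; the normalized view only works because the sensor knows the host's drop rules and overlap policy, which is what "normalize the packets" on slide 18 requires.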

    21/21

    DoS Attacks on Network IDS

    Resource exhaustion
    - CPU resources
    - Memory
    - Network bandwidth

    Abusing reactive IDS
    - False positives
    - Nuisance attacks or error packets/connections