2
Fundamental issue
How many here think they can keep all attackers out of their network?
3
Proposed solution
Lets atleast detect the attackers...
It's easy, right?
4
The behaviour of an intruder
● Assume I am attacking your home network
● What unusual behaviour would you expect?
5
Type I and II errors
● Let's take an example from the judicial system
● We have a man charged with murder. There are 4 possible outcomes:
– The man is guilty and he hangs
– The man is guilty and he goes free
– The man is innocent and he hangs
– The man is innocent and he goes free
6
Type I and II errors

           Hangs                          Free
Guilty     True positive                  Type II error (False Negative)
Innocent   Type I error (False Positive)  True negative
7
We need to minimize both errors
● A false positive might prevent us from using the system
– Or, even worse, can mask a real attack
● Typical example: Burglars
● A false negative means we missed an attack...
● What is a 0.0001% false positive rate on a gigabit line? (assuming 500-byte packets)
8
IDS or IPS
● An IDS only detects attacks
– It is up to the administrator to act when he gets the report
● An IPS detects and blocks attacks
– It's a complete solution for preventing attacks
– Firewalls and AV can be described as IPS
● IPS typically assumes IDS
9
● We can do Anomaly detection
– Logs
– Counters
– Apply statistical methods and compare to old data
– Can detect unknown threats
● We can do Signature detection
– Compare actions to signatures
– If we match a rule we have a positive
– Typically much better performance against known threats
Host based IDS
10
Log parsers
● You cannot hope to spot the important data in raw logs
● There are plenty of packages doing log parsing and creating reports
● Examples:
– Sawmill
– Logparser
– Hatchet
● A log parser can often illustrate the log
11
What needs urgent attention?
12
What needs urgent attention?
13
What needs urgent attention?
14
What are the advantages and disadvantages of this approach?
15
Antivirus
● AV is the basic example of Signature Detection
● Effective against known threats
– Works only against viruses and tools
– Typically no protection against active attackers
● Many AV companies are developing additional IDS to improve the performance against unknown threats
● Some AV software has Anomaly detection functionality
16
BlackLight (F-Secure)
17
Tripwire
● Tripwire builds a database of all files on the computer
● Files protected by Tripwire will trigger the IDS if changed
● Tripwire can enforce limitations on the software that may run
● Can we trust Tripwire on a rooted computer?
– Any other issues?
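A minimal Tripwire-style integrity check, added here as an example (it is neither Tripwire's own code nor part of the original slides): it hashes a directory tree into a baseline, signs the baseline with an HMAC so the database itself cannot be silently rewritten, and reports added, removed and modified files. The key, file names and contents in demo() are constructed for the demonstration.

```python
import hashlib, hmac, json, os, tempfile

# Constructed key. In practice the baseline and key must live where the monitored host cannot
# write (read-only media, another machine), or a root-level intruder regenerates the database.
BASELINE_KEY = b"example-baseline-key-not-for-production"

def hash_file(path):
    """SHA-256 of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_baseline(root):
    """Hash every regular file below root, keyed by its path relative to root."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return entries

def sign_baseline(entries, key=BASELINE_KEY):
    """Serialize the baseline and attach an HMAC so edits to the database itself show up."""
    body = json.dumps(entries, sort_keys=True)
    return {"entries": body, "hmac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def verify_baseline(signed, key=BASELINE_KEY):
    """Return the baseline dict, or raise if the stored database no longer matches its HMAC."""
    expected = hmac.new(key, signed["entries"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        raise ValueError("baseline database has been altered")
    return json.loads(signed["entries"])

def check(root, signed):
    """Compare the live tree with the signed baseline; list added, removed and modified paths."""
    old, new = verify_baseline(signed), build_baseline(root)
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p])}

def demo():
    # Constructed scenario: baseline two files, then replace one, delete one and add one.
    root = tempfile.mkdtemp()
    def write(name, data):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    write("login", b"original login binary")
    write("passwd", b"root:x:0:0")
    signed = sign_baseline(build_baseline(root))
    write("login", b"replaced login binary")  # modified
    os.remove(os.path.join(root, "passwd"))      # removed
    write("backdoor.conf", b"constructed")      # added
    return check(root, signed)
```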
18
Honeyfiles
● Let's spread out some interesting-looking files
– A few programs for viruses
– "My credit cards.txt"
– Etc.
● Any access attempt to these files is considered hostile by the IDS
● Several AV programs implement this to capture viruses
● Read "The Cuckoo's Egg"
19
Distributed Host IDS
● In most cases an attacker will use the network
● If we can combine information from several systems we might be able to track the attacker
– Example: Block portscans
– Example: Track intrusion attempts
● Read: "A Distributed Host-based Worm Detection System" – Cheetancheri, Agosta, Dash
20
Network IDS
● All HIDS have a common weakness
– The host
● We want to track intrusions on a network-wide scale
● Therefore we need network equipment with IDS functionality
21
Placement of the NIDS
● We can place it in-line
– Lets us do IPS
● We can place it out-of-line
– Lets it be totally transparent
● Other placement issues very similar to firewalls
22
Honeypots
● Computers intended to be rooted by the attacker
● Allow us to monitor attackers and capture data
● Especially efficient against botnets and automated attack tools
● See: Honeynet.org
23
Snort
● The major free NIDS in use today
● Large community supporting the application
● Can handle line speed up to 1 Gbit
– Using reasonable rulesets (and tweaking)
● Several steps for each packet
– Decoding
– Preprocessing
– Detection
– Output
24
Demo of Snort
25
How do we handle intrusions?
● Four steps:
– Containment
– Eradication
– Recovery
– Follow-up
● Typically done by an IRT (Incident Response Team) in larger organizations
● Pulling the plug is not always the right answer!
26
Recommended reading
● Security Visualization
– How to make security easy to understand
– Some of the illustrations come from there
– http://secviz.org/
● HoneyNet project
– Let's set up IDS systems to track hackers!
– http://www.honeynet.org
● Halting State (Charles Stross)
– A thriller starting with Orcs robbing a bank in an MMORPG...
27
Questions?
28
Extra: Fragmentation attacks (Pictures from Security Focus)
29
Fragmentation attacks
30
Fragmentation attacks
31
Fragmentation attacks