-
DahliaAsyiqin bt AhmadZainaddin
1
-
Classifications 1of2
Signaturevs.AnomalybasedDefinesmodelforassessingpolicyviolations
A ti P iActivevs.PassiveProbing(snoop)versusmonitoring
Hostvs.NetworkDefinestheeventsourceDefinestheeventsource
2
-
Classifications 2of2
Centralizedvs.DistributedLocationofanalysis
R lTi I
lRealTimevs.IntervalDetermineswhennotificationtakesplace
3
-
WaystoDetectanIntrusionSignatureRecognition
Catchtheintrusionsintermsofthecharacteristicsofknownattacksorsystemvulnerabilities.
AnomalyDetection
Detectanyactionthatsignificantlydeviatesfromthenormalbehavior.
4
-
Signature RecognitionSignatureRecognition
alsoknownasmisuserecognitionBasedonknownattackactions.UsemodelsofbadbehaviorEachsignatureisanobservedpolicyviolation
Examples:Bufferoverflowstrings,SQLinjectionattacks,virusdefinitions
DetectionoccurswhenbadbehaviorisobservedDetectionoccurswhenbadbehaviorisobservedListofsignaturesmustbekeptcurrent
5
-
SignatureRecognitiong gMethods&System
Method System
Rule based Languages RUSSEL P BESTRule-based Languages
RUSSEL,P-BEST
State Transition Analysis STAT f il (STAT USTAT NSTAT N
tSTAfamily(STAT,USTAT,NSTAT,NetSTAT)
Colored Petri Automata IDIOT
Expert System IDES,NIDX,P-BEST,ISOA
Case Based reasoning AutiGUARD
6
-
Anomaly DetectionAnomalyDetection
UsesmodelofgoodbehaviorDetectionoccurswhenobservedbehaviordeviatesf
db h ifromgoodbehaviorUsefulfordetectingnovelattacksM i f l i
iMaygenerateexcessivefalsepositives
7
-
AnomalyDetectionMethods&ySystem
Method SystemStatisticalmethod IDES,NIDES,EMERALD
MachineLearningtechniquesTime
BasedinductiveTimeBasedinductiveMachineInstanceBasedLearningN lN t
kNeuralNetwork
Dataminingapproaches JAM,MADAMID
8
-
AnomalyDetectionDisadvantages
Basedonauditdatacollectedoveraperiodofnormaloperation.
Wh i (i i )d i h i i d i
illWhenanoise(intrusion)datainthetrainingdata,itwillmakeamisclassification.
Howtodecidethefeaturestobeused.Thefeaturesareusuallydecidedbydomainexperts.Itmaybenotcompletely.
9
-
Signature Recognition vs.
AnomalySignatureRecognitionvs.AnomalyDetection
Advantage Disadvantage
Signature Recognition
Accurately and generate much fewer
Cannot detect novel or unknown attacksRecognition generate much
fewer
false alarmor unknown attacks
Anomaly Is able to detect High false-alarmAnomaly Detection
Is able to detect unknown attacks based on audit
High false alarm and limited by training data.
10
-
TypesofIntrusionDetection
HostBasedIDS(HIDS)
Network BasedIDS(NIDS)NetworkBasedIDS(NIDS)
Hybrid
11
-
HIDSHostbasedintrusiondetectionsystemsorHIDSareinstalledasagentsonahostH
b dIDS h kf i i b h ki
HostbasedIDSscheckforintrusionsbycheckinginformationatthehostoroperatingsystemlevel.TheseIDSsexaminemanyaspectsofyourhosts
suchTheseIDSsexaminemanyaspectsofyourhosts,suchassystemcalls,auditlogs,errorandmessageslogs.Todetectanyintruderactivity.y
y
12
-
HIDS:BENEFITSIthasfirsthandinformationonthesuccessoftheattack.
BecauseahostbasedIDSexaminestrafficafteritreachesthetargetoftheattack(assuming
thehostisthetarget)targetoftheattack(assuming,thehostisthetarget)WithanetworkbasedIDS,thealarmsaregeneratedonknownintrusiveactivityOnlyaHIDScandeterminetheactualsuccessoffailureofanattack
HIDScanusethehostsownIPstacktoeasilydealwithHIDScanusethehost
sownIPstacktoeasilydealwithvariableTimeToLive(TTL)attacks
DifficulttodetectusinganetworkbasedIDS
13
-
HIDS
14
-
VARIABLETIMETOLIVEATTACKSAllpacketstravellingacrossthenetworkhaveaTTLvalue.EachrouterthathandlesthepacketdecreasestheTTLvaluebyone.valuebyone.IftheTTLvaluereacheszero,thepacketisdiscarded.Anattackercanlaunchanattackthatincludesbogus
k i h ll TTL l h h k h h
packetwithsmallerTTLvaluesthanthepacketsthanthepacketthatmakeuptherealattack.Ifthenetworkbasedsensorseesallthepackets,buttheptargethostseesonlytheactualattackpackets,theattackerhasmanagedtodistorttheinformationthatthesensorused,causingthesensortopotentiallymisstheattack.g
p y
15
-
VARIABLE TIMETOLIVE ATTACKSVARIABLETIME TO
LIVEATTACKS(contd)
ThefakepacketsstartwithaTTLof3,whereastherealattackpacketsstartwiththeaTTLof7Th
b h f k b h h
Thesensorseesbothsetofpackets,butthetargethostseesonlytherealattackpackets.Althoughthisattackispossible
itisnoteasytouseinAlthoughthisattackispossible,itisnoteasytouseinpracticebecauseitrequiresadetailedunderstandingofthenetworktopologyandlocationofIDSsensorsp
gy
16
-
HIDS:DRAWBACKLimitednetworkview
MosthostbasedIDSs,forexample,donotdetectportscansagainstthehost.ItisalmostimpossibleforahostbasedIDStodetectreconnaissancescansagainstyournetwork.Thesescansrepresentakeyindicatortomoreattacksagainstyournetworknetwork.
MustoperateoneveryOSonthenetworkHIDSmustcommunicatethisinformationtosometypeofcentralmanagementfacility.centralmanagementfacility.Anattackmighttakeahostsnetworkcommunicationoffline.Thishostthencannotcommunicateanyinformationtothecentralmanagementfacility.
17
-
NIDSNetworkIDS(NIDS)NIDSareintrusiondetectionsystemsthatcapturedata
k li h k di ( bl
packetstravelingonthenetworkmedia(cables,wireless)andmatchthemtoadatabaseofsignatures.DependinguponwhetherapacketismatchedwithanDependinguponwhetherapacketismatchedwithanintrudersignature,analertisgeneratedorthepacketisloggedtoafileordatabase.ggOnemajoruseofSnortisasaNIDS.
18
-
NIDS
19
-
NIDS:BENEFITSAnetworkbasedIDSexaminespackettolocateattacksagainstthenetwork.TheIDSsniffsthenetworkpacketsandcomparesthetrafficagainstnetworkpacketsandcomparesthetrafficagainstsignaturesforknownintrusiveactivity.Benefits:Benefits:
OverallnetworkperspectiveDoesnothavetorunoneveryOSonthenetworky
20
-
NIDS:DRAWBACKSBandwidth
Asnetworkpipesgrowlargerandlarger,itisdifficulttosuccessfullymonitorallthetrafficgoingacrossthenetworkatasinglepointinrealtime,withoutmissingpackets.,
g pNeedtoinstallmoresensorsthroughoutthenetworkatlocations
FragmentreassemblyNetworkpacketshaveamaximumsize.f d d d h d h b
dIfaconnectionneedstosenddatathatexceedsthismaximumbound,thedatamustbesentinmultiplepacketsThisisknownasfragmentation.Whenthereceivinghostgetsthefragmentedpackets,itmustreassemblethedata.g
pNotallhostsperformthereassemblyprocessinthesameorder.SomeOssstartwiththelastfragmentandworktowardthefirst.Othersstartatthefirstandworktowardthelast.Theorderdoesnotmatterifthefragmentsdonotoverlap.Iftheyoverlap,theresultdiffersforeachg
p y preassemblyprocess.
21
-
HYBRIDCHARATERISTICHybridsystemscombinethefunctionalityfromseveraldifferentIDScategoriestocreate
22
-
Activevs.PassiveIDSActiveIDS
ProbesystemstouncoverattackartifactsMaytakecorrective/preventiveaction
LockoutauserIDTerminateanetworkconnectionandupdateafirewallruleTerminateanetworkconnectionandupdateafirewallrule
PassiveIDSMonitor(donotalter)eventstream(
)Alerttheuser;userresponsibleforresponse
23
-
Centralizedvs.DistributedCentralized
Monitoring,analysis,anddetectionareperformedbyai l
tsinglesystemCanwekeepupwiththeeventstream?
DistributedDistributedManymonitoringpointsoragentscontributetotheprocessHowdowecommunicatesecurelyamongentities?
24
-
RealTimevs.IntervalRealTime
Detectionandresponseoccurbeforeintrusioncantakel (h f ll
)place(hopefully)
NecessaryforautonomousresponseIntervalInterval
Analysisanddetectionarereportedoversometimeinterval(e.g.,onceperday)Userisresponsibleforresponse
25
-
QuestionIsitactiveids=IPSCentralizeanddistributed
26
