Intrusion Detection

Page 1: Intrusion Detection

Intrusion Detection

By

Vidya Satyanarayanan

Page 2: Intrusion Detection

What is Intrusion?

Intrusion is an unauthorized attempt or achievement to access, alter, render unavailable, or destroy information on a system or the system itself.

The art of detecting such activities is known as Intrusion Detection.

How do Intruders get into systems?

Physical Intrusion

System Intrusion

Remote Intrusion

Page 3: Intrusion Detection

Why can intruders get into systems?

Software bugs

System configuration

Password cracking

1. Clear-text sniffing

2. Encrypted sniffing

3. Replay attack

4. Password file stealing

Page 4: Intrusion Detection

Intrusion Detection Systems

IDSs fall into 2 categories:

1. Network-based IDSs

2. Host-based IDSs

Host-based IDSs

A host monitor looks at system logs for evidence of malicious or suspicious application activity.

Provides more detailed logging, but can track only successful intrusions.

Monitoring happens in the host, so a successful attack can bring down the system and terminate the monitoring.

Page 5: Intrusion Detection

Can monitor changes to critical system files and changes in user privileges.

Can monitor TCP port activity and notify system admin when specific ports are accessed.
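The two monitoring capabilities just listed, watching critical system files and watching privilege changes, rest on the same mechanism: a recorded baseline that a later scan is compared against. The Python script below is an added example (not code from the deck or from any product it names) of such a check: it stores a SHA-256 digest and permission bits for each watched file, then reports files that were added, removed, rewritten or re-permissioned. The file names, the event labels and the tampering scenario are constructed for illustration, with a temporary directory standing in for the real system directories.

```python
"""Host-based monitor: detect changes to critical files against a baseline.

Added example, not code from the slides: record a SHA-256 digest and
permission bits for each watched file, then report files that were added,
removed, rewritten or re-permissioned on a later scan.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """Hex SHA-256 of a file, streamed in 64 KiB chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Map each watched path to (sha256, permission bits); absent files are skipped."""
    baseline = {}
    for p in map(Path, paths):
        if p.is_file():
            baseline[str(p)] = (hash_file(p), p.stat().st_mode & 0o777)
    return baseline


def check_integrity(baseline, paths):
    """Rescan and return a sorted list of (path, event) for every deviation."""
    current = build_baseline(paths)
    events = []
    for path in set(baseline) | set(current):
        if path not in current:
            events.append((path, "removed"))
        elif path not in baseline:
            events.append((path, "added"))
        else:
            old_hash, old_mode = baseline[path]
            new_hash, new_mode = current[path]
            if old_hash != new_hash:
                events.append((path, "content changed"))
            if old_mode != new_mode:
                events.append((path, f"mode changed {old_mode:o} -> {new_mode:o}"))
    return sorted(events)


def demo():
    """Constructed scenario: a temp dir stands in for /etc; returns the event names."""
    with tempfile.TemporaryDirectory() as d:
        passwd, sudoers, shadow = (Path(d, n) for n in ("passwd", "sudoers", "shadow"))
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        sudoers.write_text("root ALL=(ALL) ALL\n")
        os.chmod(sudoers, 0o440)
        watched = [passwd, sudoers, shadow]      # shadow does not exist yet
        baseline = build_baseline(watched)

        # Changes a host IDS should surface: a second UID-0 account appended,
        # sudoers made world-writable, and a watched file appearing.
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")
        os.chmod(sudoers, 0o666)
        shadow.write_text("root:!:19000:0:99999:7:::\n")

        return [event for _, event in check_integrity(baseline, watched)]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The scan is only as trustworthy as the stored baseline, which is the point the deck makes about host monitors: an attack that succeeds on the host can also rewrite the baseline or stop the monitor, so in practice the baseline is kept off-host or read-only.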

Drawbacks of Host-based IDSs

Host-based IDSs are not real-time.

Tedious to secure the whole network.

Some Advantages:

Can identify non-network-based attacks, such as the activities of applications and processes running on the host.

More likely to catch unknown attacks.

Page 6: Intrusion Detection

Network-based IDSs

A network monitor watches live network packets and looks for signs of computer crime, network attacks, network misuse and anomalies.

Can detect denial-of-service attacks:

Ping-of-Death

SYN Flood

Land/Latierra

Network-based IDSs become less effective as network traffic increases.

Page 7: Intrusion Detection

How are intrusions detected?

Anomaly Detection (profile-based)

Misuse Detection (signature-based)

Misuse Detection

Recognizes known attacks based on signatures and patterns. Starts defending the network immediately upon installation. Has a low false alarm (false positive) rate. Effective only against known threats. Ineffective against passive attacks such as network sniffing, wire taps, and IP or sequence number spoofing. The signature database must be constantly updated.

Page 8: Intrusion Detection

Anomaly Detection

Baseline measurements of “normal” user activity are developed, and anything that deviates from the normal is detected.

Needs a lot of historical data for building an accurate model.

Can detect attempts to exploit new vulnerabilities.

Has a high false alarm rate.

Can detect fraudulent activity of a privileged insider.
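The contrast between the two slides above is easiest to see side by side in code. The Python script below is an added example, not code from the deck or from any product it names: it runs a signature (misuse) detector and a profile (anomaly) detector over the same constructed packet records. The signatures encode two of the denial-of-service patterns named on the network IDS slide, Land/Latierra (a SYN whose source address and port equal the destination's) and Ping-of-Death (an ICMP datagram that reassembles beyond the 65,535-byte IPv4 maximum); the anomaly detector learns a per-source SYN rate from a training window and flags deviations, which is how it catches the SYN flood without a signature for it. Each alert carries the fields the deck later lists under "Log the attack". The record layout (`ts`, `src`, `sport`, `dst`, `dport`, `proto`, `flags`, `length`), the z-score threshold and all traffic values are this example's own assumptions.

```python
"""Misuse (signature) vs anomaly (profile) detection over packet records.

Added example, not code from the slides. Each record is a dict that
summarizes one packet; the field names are this example's own convention.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

IPV4_MAX_DATAGRAM = 65535  # bytes; an ICMP echo that reassembles larger is a Ping-of-Death


@dataclass
class Alert:
    # The fields the deck lists under "Log the attack", plus why and how it fired.
    timestamp: float
    intruder_ip: str
    victim_ip: str
    victim_port: Optional[int]
    protocol: str
    reason: str
    method: str  # "misuse" or "anomaly"


# ---- Misuse detection: one predicate per known attack signature ----
def sig_land(pkt):
    """Land/Latierra: a SYN whose source address and port equal the destination's."""
    return (pkt["proto"] == "tcp" and "S" in pkt["flags"]
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def sig_ping_of_death(pkt):
    """Ping-of-Death: an ICMP datagram that reassembles beyond the IPv4 maximum."""
    return pkt["proto"] == "icmp" and pkt["length"] > IPV4_MAX_DATAGRAM


SIGNATURES = {"Land attack": sig_land, "Ping-of-Death": sig_ping_of_death}


def misuse_detect(packets):
    """Fires immediately, no training needed, but only on attacks with a signature."""
    return [Alert(p["ts"], p["src"], p["dst"], p.get("dport"), p["proto"], name, "misuse")
            for p in packets for name, matches in SIGNATURES.items() if matches(p)]


# ---- Anomaly detection: learn the "normal" SYN rate per source, flag deviations ----
def syn_buckets(packets):
    """Group SYN-only TCP packets by (source, whole second) -> list of (dst, dport)."""
    buckets = defaultdict(list)
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] == "S":
            buckets[(p["src"], int(p["ts"]))].append((p["dst"], p["dport"]))
    return buckets


def build_profile(training_packets):
    """Baseline: mean and standard deviation of SYNs per source per second."""
    counts = [len(v) for v in syn_buckets(training_packets).values()]
    return {"mean": mean(counts), "std": pstdev(counts)}


def anomaly_detect(packets, profile, z_threshold=3.0):
    """Alert when a source's SYN count in one second is z_threshold deviations above baseline."""
    spread = max(profile["std"], 1.0)  # floor so a flat baseline does not divide by zero
    alerts = []
    for (src, sec), targets in sorted(syn_buckets(packets).items()):
        n = len(targets)
        z = (n - profile["mean"]) / spread
        if z > z_threshold:
            (dst, dport), _ = Counter(targets).most_common(1)[0]  # most-hit victim
            alerts.append(Alert(float(sec), src, dst, dport, "tcp",
                                f"SYN rate {n}/s, z={z:.1f} above baseline", "anomaly"))
    return alerts


# ---- Constructed traffic (not captured data) ----
def pkt(ts, src, sport, dst, dport, proto="tcp", flags="S", length=60):
    return dict(ts=ts, src=src, sport=sport, dst=dst, dport=dport,
                proto=proto, flags=flags, length=length)


# Ten seconds of benign traffic: two clients each opening two connections per second.
TRAINING = [pkt(s + i * 0.3, f"10.0.0.{c}", 40000 + i, "10.0.0.80", 80)
            for s in range(10) for c in (11, 12) for i in range(2)]

# Live window: two normal connections, 40 SYNs in one second from one source,
# a Land packet, and an oversized ICMP echo.
SAMPLE = (
    [pkt(100.0, "10.0.0.11", 40100, "10.0.0.80", 80),
     pkt(100.5, "10.0.0.12", 40101, "10.0.0.80", 443)]
    + [pkt(101.0 + i * 0.01, "198.51.100.7", 50000 + i, "10.0.0.80", 80) for i in range(40)]
    + [pkt(102.0, "10.0.0.80", 139, "10.0.0.80", 139)]
    + [pkt(103.0, "203.0.113.9", 0, "10.0.0.80", None, proto="icmp", flags="", length=65600)]
)


def run_demo():
    """Return (misuse_alerts, anomaly_alerts) for SAMPLE using a profile built on TRAINING."""
    profile = build_profile(TRAINING)
    return misuse_detect(SAMPLE), anomaly_detect(SAMPLE, profile)


if __name__ == "__main__":
    for alert in sum(run_demo(), []):
        print(alert)
```

Each detector misses what the other catches: the signature set says nothing about the SYN flood, and the rate profile never sees the single Land or Ping-of-Death packet. The training window is also where the anomaly detector's false alarms come from: a profile built on ten quiet seconds will flag any legitimate burst above the threshold, which is the "needs a lot of historical data" point on the slide.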

Page 9: Intrusion Detection

Components of IDS (diagram; only the labelled boxes survived extraction, the connecting arrows did not):

Sensor, which collects Activity

Normalizer

Rules Engine, with two reference inputs: “Normal” Activity (the profile) and Known Malicious Activity (the signatures)

Alarming & Reporting

Page 10: Intrusion Detection

What happens after a NIDS detects an attack?

Reconfigure firewall - Configure the firewall to filter out the IP address of the intruder.

Chime - Beep or play a .WAV file.

Log the attack - Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information).

Launch program - Launch a separate program to handle the event.

Terminate the TCP session - Forge a TCP FIN packet to force a connection to terminate.

Page 11: Intrusion Detection

Honeypot – a deception system

A honeypot is a system designed to look like something that an intruder can hack, for example a machine installed on the network with no purpose other than to log all attempted access.

Page 12: Intrusion Detection

Network-based IDS Products

CiscoSecure IDS 2.5

ISS RealSecure 7

Dragon 6

NFR

Snort 1.8.6

Host-based IDS Products

Real Secure Server Sensor

DragonSquire

NFR HID

Entercept 2.5