
Page 1: Intrusion Detection and Response David A. Dampier, Mississippi State University Ambareen Siraj, Mississippi State University Presented by: Nithin Premachandran

Intrusion Detection and Response

David A. Dampier, Mississippi State University
Ambareen Siraj, Mississippi State University

Presented by: Nithin Premachandran

Page 2

Outline

Cyber Security

Notion of Intrusion Detection

Types of Intrusion

Methods to detect intrusion

Types of Detection

Factors in Selection

Forensics

Summary

Page 3

Cyber Security

Measures to secure systems:

Prevention: actions taken to prevent unauthorized access to a system

Detection: discover failures in prevention

Response: actions taken after an attack, attempted attack, or damage.

Page 4

Intrusion Detection

Intrusion: attempts to access protected resources that affect the expected performance of the systems and/or challenge the security policy of the systems

Intrusion detection: “act of detecting actions that attempt to compromise the Confidentiality, Integrity or Availability of a resource”.

Detect these intrusion attempts – take action and defend the system, stop the intrusion, and repair the damage

IDS: suite of different techniques used to detect several types of malicious behaviors that can compromise the security and trust of a computer

Available in different products: monitors systems and networks for security violations and then reports them

Page 5

Types of Intrusion

Physical intrusion: physical access to a machine

“insider” threats

misusing the privileges

remove components for examination

Installation of malicious software

Targeted intrusion: a particular system is targeted

unauthorized user masquerading as an authorized user

obtained illegal access in system

Installation of malicious software

Random intrusion: open door discovered by accident

Port scan attacks

Denial-of-service attacks

Spoofed attacks

Installation of malicious software

Page 6

Detection Technique

Intrusion detection is carried out host-based or network-based

Host based: look for suspicious actions recorded in audit log files

IDS typically monitors system events and security logs

compares each new log entry, analyzes deviation from normal

Suspicious behavior - alert and perform defensive action

Check key files of the file system by computing checksums

listen to port activity

Suitable for external network

Examples: Tripwire (http://tripwire.com/), Samhain (http://la-samhna.de/samhain/), RealSecure (http://www-935.ibm.com/services/us/index.wss/offerfamily/igs/a1026533)
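As an added illustration of the checksum step above (not code from the slides or from Tripwire itself), the following Python builds a baseline of key-file digests and, on a later run, reports files that were modified, removed or added; the monitored file names and their contents are constructed for the demo.

```python
# Added example (not from the slides): a minimal Tripwire-style integrity check
# of key files by checksum. The monitored files are constructed in a temp dir.
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record the current checksum of each monitored file (None if absent)."""
    return {p: (hash_file(p) if os.path.exists(p) else None) for p in paths}


def check(base):
    """Re-hash every monitored file and return the ones whose state differs
    from the baseline as {path: 'modified' | 'removed' | 'added'}."""
    findings = {}
    for path, old in base.items():
        new = hash_file(path) if os.path.exists(path) else None
        if old != new:
            findings[path] = "removed" if new is None else "added" if old is None else "modified"
    return findings


def demo():
    """Constructed scenario: baseline two key files, then alter one and delete the other."""
    d = tempfile.mkdtemp()
    passwd, sudoers = os.path.join(d, "passwd"), os.path.join(d, "sudoers")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(sudoers, "w") as f:
        f.write("root ALL=(ALL) ALL\n")
    base = baseline([passwd, sudoers])
    with open(passwd, "a") as f:          # unauthorized account appended
        f.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
    os.remove(sudoers)                    # key file deleted
    return {os.path.basename(p): v for p, v in check(base).items()}


if __name__ == "__main__":
    print(demo())   # {'passwd': 'modified', 'sudoers': 'removed'}
```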

Page 7

Detection Technique (Cont)

Network Based Intrusion Detection:

Uses network packets as the audit source

NICs put in promiscuous mode - monitor and analyze all traffic

matches traffic against the characteristics of malicious signatures

Signatures: String signature - look for a text string indicating a possible attack

Port signature - watch for connection attempts to well known, frequently attacked ports

Header signature - watch for dangerous or illogical combinations in packet headers.

Examples: Snort, Cisco Intrusion Detection System and Symantec NetProwler
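An added example, not from the slides or from any of the products named, of how the three signature kinds (string, port, header) are matched against packet records in Python; the record fields, the sample packets and the signature names are assumptions made for this illustration.

```python
# Added example (not from the slides): string, port and header signatures
# applied to constructed packet records, Snort-style. Field names are assumed.
import re

# String signature: payload text that indicates a possible attack.
STRING_SIGS = {"path-traversal": re.compile(rb"\.\./\.\./")}
# Port signature: connection attempts to well-known, frequently attacked ports.
PORT_SIGS = {23: "telnet", 445: "smb", 3389: "rdp"}
# Header signature: TCP flag combinations that never occur in legitimate traffic.
HEADER_SIGS = {
    frozenset({"SYN", "FIN"}): "syn-fin",
    frozenset({"FIN", "PSH", "URG"}): "xmas",
}


def match(pkt):
    """Return the list of signature names that one packet record triggers."""
    hits = []
    flags = frozenset(pkt.get("flags", ()))
    for combo, name in HEADER_SIGS.items():
        if combo <= flags:
            hits.append("header:" + name)
    if "SYN" in flags and pkt.get("dport") in PORT_SIGS:
        hits.append("port:" + PORT_SIGS[pkt["dport"]])
    for name, pattern in STRING_SIGS.items():
        if pattern.search(pkt.get("payload", b"")):
            hits.append("string:" + name)
    return hits


def scan(packets):
    """Run every packet through the signatures; return (src, hits) for alerts only."""
    return [(p["src"], h) for p in packets if (h := match(p))]


# Constructed traffic: a benign request, a traversal attempt, a connection
# attempt to SMB, and a packet with an illogical SYN+FIN flag combination.
SAMPLE = [
    {"src": "10.0.0.5", "dport": 80, "flags": ["PSH", "ACK"], "payload": b"GET /index.html"},
    {"src": "10.0.0.9", "dport": 80, "flags": ["PSH", "ACK"], "payload": b"GET /../../etc/passwd"},
    {"src": "10.0.0.9", "dport": 445, "flags": ["SYN"], "payload": b""},
    {"src": "10.0.0.7", "dport": 22, "flags": ["SYN", "FIN"], "payload": b""},
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE):
        print(src, hits)
```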

Page 8

Types of Intrusion Detection

Anomaly and misuse detection techniques

Anomaly detection: technique based on observation of deviation from the normal system usage pattern

Anomaly detector constantly calculates the variance of the present profile from the original one

any change? - flag

Example: activity measures, CPU time used, number of network connections in a certain time, keystrokes, time of day usage

Predictive pattern generation - predict future events based on those that have already occurred

Threshold monitoring - setting of values by defining acceptable behavior

Resource profiling - monitor use of accounts, applications etc. to develop a historic profile
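The profile-and-threshold idea above, as an added Python example (not from the slides): a per-time-of-day profile of an account's connection counts is built from constructed history (resource profiling), and today's observations are flagged when they exceed the profile by more than a chosen number of standard deviations (threshold monitoring). All history and observations are constructed.

```python
# Added example (not from the slides): resource profiling plus threshold
# monitoring for one activity measure, network connections per hour for an
# account, profiled by time of day. All history and observations are constructed.
import statistics


def build_profile(history):
    """Resource profiling: per time-of-day slot, mean and std dev of past counts."""
    return {slot: (statistics.mean(v), statistics.pstdev(v)) for slot, v in history.items()}


def deviation(profile, slot, value):
    """How far the present observation lies from the historic profile, in
    standard deviations. A slot with no history cannot be judged: report inf."""
    if slot not in profile:
        return float("inf")
    mean, stdev = profile[slot]
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def flag_anomalies(profile, observations, threshold=3.0):
    """Threshold monitoring: return (slot, value, score) for every observation
    more than `threshold` standard deviations above its slot's mean."""
    alerts = []
    for slot, value in observations:
        score = deviation(profile, slot, value)
        if score > threshold:
            alerts.append((slot, value, round(score, 2)))
    return alerts


# Constructed history: connection counts for the same account over five days.
HISTORY = {
    "02:00": [2, 3, 1, 2, 3],
    "09:00": [38, 42, 40, 45, 41],
    "12:00": [39, 44, 43, 40, 37],
}
# Constructed observations for today: normal daytime use, then a burst at 02:00.
TODAY = [("09:00", 44), ("12:00", 47), ("02:00", 60)]

if __name__ == "__main__":
    for alert in flag_anomalies(build_profile(HISTORY), TODAY):
        print("anomaly:", alert)
```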

Page 9

Types of Intrusion Detection

Misuse detection, a.k.a. knowledge-based intrusion detection system

Detects attacks on the weak points (vulnerabilities) of a system based on accumulated knowledge

Deploy a homogeneous/heterogeneous suite of IDS sensors to monitor different elements in various environments

Homogeneous - multiple installations of the same types of sensors

Heterogeneous - multiple installations of different types of sensors

Network based sensor - e.g. Snort captures IP spoofing attacks

Host level sensor - monitor unauthorized changes in the OS, e.g. Tripwire (http://tripwire.com/)

Page 10

Selection Factors

Performance: high detection rate, low false positives, low false negatives, ability to report severity of the attack, indicate outcome of an attack, collect and store intrusion reports

Benchmark test: test a product for ease of installation, impact on system performance and false alarm rates

Technical support: support, warranty, how often updates are promulgated

Internal vs. external help desk: vendor’s employees or contracted ones?

Page 11

Selection Factors

Software and hardware refreshment: upgrade program for software/hardware components, ad-hoc releases to fix reported problems

Vendor solvency: vendor’s financial status and performance history

Product ratings: third party testing; assurance measures the trust and capability in their products, e.g. ISO Standard 15408 (the Common Criteria)

Single vendor, multiple vendors, or third-party integrator: number of vendors involved to offer IDS capability; risk of integration, acceptance of responsibility

Page 12

Forensics

"study of providing formal evidence that can be used in a court of law to enable the discovery, collection, and preservation of evidence that can then be used to argue a case in court".

Collect and protect evidence about the intrusion on the machine.

Information in:

Web server logs,

firewall logs,

system logs,

searching RAM

Discover the root cause of the intrusion or attack

Page 13

Summary: IDSs play the role of “security cameras” for the security administrator

Try to prevent intrusions – use a strong firewall

Assess software vulnerability: e.g. Lumension (http://www.lumension.com)

Security Policy and Procedures

Employee Training

Use host based and network based IDS

Response and recovery process - forensics - collect evidence of attacks to prosecute and reconstruct events

Page 14

References

Siraj, Ambareen. Intrusion Detection and Response. Ed. Daniel Ragsdale. Hershey, PA: Idea Group Publishing, 2006.

“Intrusion Detection.” (27 Dec. 2007): Wikipedia. http://en.wikipedia.org/wiki/Intrusion_detection.

“Intrusion Detection System.” (15 Apr. 2008): Wikipedia. http://en.wikipedia.org/wiki/Intrusion_Detection_System.

Page 15

Q&A