Intrusion Detection Final.ppt

presentation on intrusion detection systems in network security


INTRUSION DETECTION

PRESENTED BY: Manmeet Kaur (13-508), Anmol Dabra (13-515), Sapna (13-522)

Agenda
Introduction to IDS - Manmeet Kaur
Methodology of Intrusion Detection - Anmol Dabra
Deployment of IDS - Sapna

Brief Introduction to Intrusion
The level of seriousness and sophistication of recent cyber-attacks has risen dramatically over the past 10 years.
Widely available free automated intrusion tools and exploit scripts duplicate the known methods of attack.
Attacks are getting more sophisticated and easier to copy.
Increased connectivity and complexity, increased availability of vulnerability information and attack scripts via the Internet, and dependence on distributed network services.
Computer crime is unpredictable: previous threats or attacks cannot be relied on as a metric for preparing against future ones, yet knowledge of previous attacks is the basis for all of today's signature-based ID products.

INTRUSION
Dictionary meaning: entrance by force or without permission or welcome.

An intrusion is a deliberate unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property, where the misuse may render the property unreliable or unusable.

The person who intrudes is an intruder.

Types of Intruders

Attack and Intrusion
Attack and intrusion can be viewed from a number of perspectives: the intruder's and the victim's.
Each perspective brings with it a criterion for judging the success of the attack.
An intrusion has taken place if the attack is considered successful from the victim's point of view (the victim has experienced some loss or consequences).
A vulnerability in the victim's system, exploited by an intruder with an objective, enables a successful attack.
The intrusion process ends when some or all of the intruder's objectives are realized, or the intruder gives up.
Because multiple perspectives are involved in a single attack, defining what constitutes an attack is difficult.
Intrusion is a significant security problem for networked systems, and this trespass can be either:

User trespass: (1) unauthorized logon to a machine, or (2) an authorized user acquiring privileges beyond those that have been authorized.

Software trespass: in the form of a virus, worm or Trojan horse.

Consequences of Intrusion
If an intrusion has occurred without the user knowing or reacting to it, the danger exists that the intruder gets control over all of the resources and thus over the whole computer/network.
Once on the network, the intruder's main focus is to get control of the system and to erase signs of entry.
The intruder may operate in stealth mode and secretly spread from system to system, using the compromised network as a springboard.
The intruder has various kinds of scripts (parking, cleanup of log files, system and event files, file-integrity-checker files and ID-system files: Wipe 1.0, Wzap.c, Zap.c, etc.) that he can use to strengthen his position, making it almost impossible to regain control over the computer/network.
Loss of reputation
Loss of confidentiality
Loss of valuable data

Intrusion Techniques
Password Guessing
It is the most common attack. The following techniques are used to guess passwords:
try the default passwords shipped with the system
exhaustively try all short passwords (1-3 characters long)
try all words in the system's online dictionary
try the user's personal information (full name, spouse, children, etc.)
try all legitimate licence-plate numbers for the state
try the user's phone number, social security number, room number, etc.
tap the line between the user and the host system

Password Capture
watching over the shoulder as the password is entered
monitoring an insecure network login (e.g. telnet, FTP, web, email)
extracting recorded information after a successful login (web history/cache, last number dialled, etc.)
using a Trojan horse to bypass restrictions on access
Example: a game invited system operators to use it in their spare time. It did play a game, but in the background it copied the password file.

Password File Protection
To protect the file that relates IDs to passwords, one of two ways can be employed:
1. One-way function: the system stores only the value of a function of the user's password. When the user presents a password, the system transforms it the same way and compares the result with the stored value.
2. Access control: access to the password file is limited to one or a very few accounts.

Examples of Intrusion
remote root compromise
web server defacement
guessing / cracking passwords
copying databases containing credit card numbers
viewing sensitive data without authorization
running a packet sniffer
distributing pirated software
using an unsecured modem to access the internal network
impersonating an executive to get information
using an unattended workstation

Intrusion Detection
What Is Intrusion Detection?
E. Amoroso: intrusion detection is the process of identifying and responding to malicious activity targeted at computing and network resources.
Analogy: security cameras and burglar alarms in a house; intrusion detection in information systems.
Categories: attack detection and intrusion detection.
The goal of intrusion detection is to positively identify all true attacks and negatively identify all non-attacks.

Characteristics of ID
ID monitors a whole system or just a part of it.
Intrusion detection occurs either during an intrusion or after it.
ID can be stealthy or openly advertised.
If suspicious activity occurs it produces an alarm and keeps logs that can be used for reports on long-term developments.
A human (administrator) is needed for alarm processing.
ID systems can produce an alarm and/or an automated response.

Motivation of ID
The motivation for intrusion detection varies for different sites:
Some use IDS for tracking, tracing and prosecution of intruders.
Some use IDS as a mechanism for protecting computing resources.
Some use IDS for identifying and correcting vulnerabilities.

Why Intrusion Detection?
Detecting and reacting to an attack: it is possible to stop the attack before anything serious happens, and to do damage control.
Knowledge of the attack and managing the damage.
Information gathering about the attack, and trying to stop it from happening again.
Information gathering about attacks against the ID system itself; useful data for security administration.
A timely and correct response is imperative in IDS.

IDS
An intrusion detection system (IDS) is a system used to detect unauthorized intrusions into computer systems and networks.
Intrusion detection as a technology is not new; it has been used for generations to defend valuable resources.
If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done.

Basis of IDS
Assumes that intruder behaviour differs from legitimate users' behaviour in ways that can be quantified.
One cannot expect a crisp, exact distinction.
There will be some overlap, which causes problems:
false positives: a loose interpretation of intruder behaviour; authorized users identified as intruders
false negatives: a tight interpretation of intruder behaviour; intruders not identified as intruders

Behaviour Profiles
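An added example, not code from the presentation, of the one-way-function scheme on the Password File Protection slide combined with the "exhaustively try all short passwords" technique from the Password Guessing slide: the file stores only a salt and f(password), verification re-applies f and compares in constant time, and a brute-force loop shows that a 3-character password still falls within a few dozen guesses even though f cannot be inverted. The choice of scrypt as f, its cost parameters, the constant-time comparison and the user "alice" are assumptions made for the example.

```python
import hashlib
import hmac
import itertools
import os

# Cost parameters for the one-way function. scrypt is assumed here as f; the
# presentation only says "a function based on the user's password".
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def one_way(password: str, salt: bytes) -> bytes:
    """f(password): salted, memory-hard derivation that cannot be inverted to recover the password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def enrol(password_file: dict, user: str, password: str) -> None:
    """Store only (salt, f(password)); the clear-text password is never written."""
    salt = os.urandom(SALT_BYTES)
    password_file[user] = (salt, one_way(password, salt))


def verify(password_file: dict, user: str, candidate: str) -> bool:
    """Transform the presented password the same way and compare with the stored value.
    compare_digest keeps the comparison constant-time, so an attacker cannot learn
    how many leading bytes matched from the response time."""
    entry = password_file.get(user)
    if entry is None:
        # Burn a derivation anyway so an unknown user name is not distinguishable
        # from a wrong password by timing.
        one_way(candidate, b"\x00" * SALT_BYTES)
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, one_way(candidate, salt))


def guess_short(password_file: dict, user: str, alphabet: str, max_len: int):
    """The 'exhaustively try all short passwords' technique, run against the
    protected file: the one-way function only slows each guess down, it does not
    shrink a tiny key space. Returns the recovered password or None."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if verify(password_file, user, guess):
                return guess
    return None


if __name__ == "__main__":
    pf = {}
    enrol(pf, "alice", "cab")          # user and password are constructed for the demo
    print(verify(pf, "alice", "cab"), verify(pf, "alice", "cba"))
    print(guess_short(pf, "alice", "abc", 3))
```

The second defence on the slide, access control on the file itself, is what makes `guess_short` expensive in practice: an attacker who cannot read the stored values has to go through the login path, where the threshold and profile metrics described later in the deck can see the attempts.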

Approaches to Intrusion Detection
Detection Method
It describes the characteristics of the analyzer. Detection can be performed according to two complementary strategies:
Knowledge-based intrusion detection (misuse detection): when the intrusion-detection system uses information about the attacks, we qualify it as knowledge-based.
Behaviour-based intrusion detection (anomaly detection): when the intrusion-detection system uses information about the normal behaviour of the system it monitors, we qualify it as behaviour-based.

Misuse Detection (Signature-based ID)
Looking for events or sets of events that match a predefined pattern of events describing a known attack. The patterns are called signatures.
Rule-based systems: encoding intrusion scenarios as a set of rules.
State-based intrusion scenario representations.
Advantages: very effective at detecting attacks without generating an overwhelming number of false alarms.
Disadvantages: can only detect those attacks they know about, therefore they must be constantly updated with signatures of new attacks. Many misuse detectors are designed to use tightly defined signatures that prevent them from detecting variants of common attacks.

Anomaly Detection
Identify abnormal or unusual behaviour (anomalies) on a host or network. They function on the assumption that attacks are different from normal (legitimate) activity and can therefore be detected by systems that identify these differences.
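An added example, not the presentation's own code, of the misuse (signature) detection described above, run over constructed syslog-style lines: one signature for a root password failure and one for a directory-traversal request. The third line is a URL-encoded variant of the traversal that the tightly written signature misses, which is exactly the disadvantage noted on the slide; decoding the line into the form the web server will see before matching recovers it. The log lines, signature names and patterns are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed syslog-style events (not taken from the presentation).
EVENTS = [
    "Mar 10 09:12:01 web01 sshd[4123]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "Mar 10 09:12:05 web01 httpd: GET /cgi-bin/view.cgi?file=../../etc/passwd 200",
    "Mar 10 09:12:06 web01 httpd: GET /cgi-bin/view.cgi?file=..%2f..%2fetc%2fpasswd 200",
    "Mar 10 09:12:09 web01 sshd[4130]: Accepted publickey for deploy from 198.51.100.5 port 40112 ssh2",
]

# Signatures: a name plus a pattern describing a known attack. Names are made up.
SIGNATURES = {
    "ssh-root-password-failure": re.compile(r"sshd\[\d+\]: Failed password for root from (\S+)"),
    "path-traversal-etc-passwd": re.compile(r"GET \S*(?:\.\./){2,}etc/passwd"),
}


def match_signatures(line: str, normalize: bool = False, signatures=SIGNATURES):
    """Names of the signatures that fire on one line.
    normalize=True URL-decodes the line first, so an encoded traversal is matched
    in the same form the web server will interpret it."""
    subject = unquote(line) if normalize else line
    return [name for name, pattern in signatures.items() if pattern.search(subject)]


def scan(lines, normalize: bool = False):
    """Map line index -> fired signatures, for the lines that fired at least one."""
    hits = {}
    for index, line in enumerate(lines):
        fired = match_signatures(line, normalize)
        if fired:
            hits[index] = fired
    return hits


if __name__ == "__main__":
    print(scan(EVENTS))                  # line 2 is missed by the literal signature
    print(scan(EVENTS, normalize=True))  # decoding first catches the variant
```

Normalizing the input before matching is one general remedy for the "variants of common attacks" problem; the other is updating the signature set, which is the constant maintenance cost the slide warns about.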

METHODS FOR ANOMALY DETECTION
Statistical measures
Rule-based measures
Machine learning
Data mining
Neural networks

Anomaly Detection Techniques
Statistical measures
Data related to the behaviour of legitimate users is collected over a period of time.
Statistical tests are applied to observed behaviour to determine whether it is not legitimate user behaviour.
Two types:
1. Threshold detection
2. Profile based

1. Threshold Detection
Involves counting the number of occurrences of a specific event type over an interval of time.
If the count surpasses what is considered a reasonable number that one might expect to occur, intrusion is assumed.
It is a crude and ineffective detector of even slightly sophisticated attacks; hence it generates either a lot of false positives or a lot of false negatives.

2. Profile-Based Anomaly Detection
Characterizes the past behaviour of individual users or groups of users.
Detects significant deviation from that behaviour.
A profile may contain a set of parameters, so that deviation on just a single parameter may not be sufficient to signal an alert.
The foundation of this approach is an analysis of audit records.

Metrics for Profile-Based Anomaly Detection
Counter: non-negative integer, only incremented. Ex: number of logins in an hour by a user.
Gauge: non-negative integer, may be incremented or decremented; used to measure the current value of some entity. Ex: number of outgoing messages.
Interval timer: length of time between two related events. Ex: time between successive logins to an account.
Resource utilization: quantity of resources consumed during a specific period. Ex: number of pages printed.

ADVANTAGES
Prior knowledge of security flaws is not required.
The detector program learns what normal behaviour is and then looks for deviations.
This approach is not based on system-dependent characteristics and vulnerabilities; thus it is readily portable among a variety of systems.
DISADVANTAGES
Usually produces a large number of false alarms due to the unpredictable behaviour of users and networks.
Often requires extensive training sets of system event records in order to characterize normal behaviour patterns.

Rule-Based Intrusion Detection
It involves an attempt to define a set of rules that can be used to decide that a given behaviour is that of an intruder.
Two types:
1. Anomaly detection
2. Penetration identification

Rule-Based Anomaly Detection
Historical records are analyzed to identify usage patterns.
Rules describing those patterns are generated automatically.
Current behaviour is then observed and matched against the above set of rules to determine whether it conforms to any historically observed pattern of behaviour.
As with statistical anomaly detection, this does not require knowledge of security vulnerabilities; it is based on observing past behaviour.

Rule-Based Penetration Identification
Based on expert-system technology.
The rules generated here are specific to the machine and operating system.
Rules are generated by experts rather than by automated analysis of audit records.
System administrators and security analysts are interviewed to collect a suite of known penetration scenarios and key events that threaten the security of the target system.
ADVANTAGES
Effective at detecting attacks without generating an overwhelming number of false alarms.
DISADVANTAGES
Lack of flexibility.
Can only detect those attacks they know about; therefore they must be constantly updated with rules for new attacks.
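An added example, not from the presentation, of the two statistical techniques above in working form. Threshold detection counts one event type per subject in a sliding time window; the constructed records show it catching a fast password-guessing burst and missing the same number of failures spread 30 seconds apart, the false negative the slide warns about. Profile-based detection builds a per-user mean and standard deviation for three metrics (two counters and one resource-utilization measure, as on the metrics slide) from ten days of constructed history, and by default refuses to alert on a single deviating parameter. The user names, counts, window, limit and z-score cut-off are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed audit records: (time in seconds, subject, action). Not from the presentation.
RECORDS = (
    [(100 + i, "bob", "login_failure") for i in range(8)]      # 8 failures in 8 seconds
    + [(200 + i, "carol", "login_failure") for i in range(3)]  # 3 failures, then a success
    + [(205, "carol", "login_success")]
    + [(30 * i, "dave", "login_failure") for i in range(10)]   # 10 failures, 30 s apart
)


def threshold_detect(records, action, window, limit):
    """Threshold detection: flag a subject when `action` occurs more than `limit`
    times inside any `window`-second interval. Returns subject -> peak count."""
    times = defaultdict(list)
    for ts, subject, act in sorted(records):
        if act == action:
            times[subject].append(ts)
    alerts = {}
    for subject, ts_list in times.items():
        start = 0
        for end in range(len(ts_list)):
            while ts_list[end] - ts_list[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > limit:
                alerts[subject] = max(alerts.get(subject, 0), count)
    return alerts


# Constructed per-day metrics for one user over ten days: two counters and one
# resource-utilization figure, in the sense of the metrics slide.
ALICE_HISTORY = [
    {"logins": l, "messages": m, "pages_printed": p}
    for l, m, p in zip([3, 4, 3, 5, 4, 3, 4, 4, 3, 5],
                       [20, 22, 18, 25, 21, 19, 23, 20, 22, 21],
                       [2, 0, 1, 3, 2, 1, 0, 2, 1, 2])
]


def build_profile(history):
    """Per-metric (mean, standard deviation) learned from past observations."""
    profile = {}
    for metric in history[0]:
        values = [day[metric] for day in history]
        profile[metric] = (statistics.mean(values), statistics.stdev(values))
    return profile


def profile_detect(profile, observation, z_limit=3.0, min_metrics=2):
    """Return the metrics deviating by more than `z_limit` standard deviations,
    but only when at least `min_metrics` of them deviate; otherwise return [],
    so that one odd parameter alone does not raise an alert."""
    deviating = []
    for metric, (mean, sd) in profile.items():
        value = observation[metric]
        if sd == 0:
            z = 0.0 if value == mean else float("inf")   # constant history: any change is a deviation
        else:
            z = abs(value - mean) / sd
        if z > z_limit:
            deviating.append(metric)
    return deviating if len(deviating) >= min_metrics else []


if __name__ == "__main__":
    print(threshold_detect(RECORDS, "login_failure", window=60, limit=5))   # only bob
    profile = build_profile(ALICE_HISTORY)
    print(profile_detect(profile, {"logins": 4, "messages": 21, "pages_printed": 40}))
    print(profile_detect(profile, {"logins": 30, "messages": 200, "pages_printed": 41}))
```

Lowering `limit` so that dave's slow attempts trip the threshold would also flag carol's three mistyped passwords, which is the false-positive side of the same crude metric; the profile approach trades that for a training requirement, ten days here, and still needs `min_metrics` tuned per site.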

Misuse Detection vs. Anomaly Detection
Methodology          Advantage                                             Disadvantage
Misuse detection     Accurate; generates far fewer false alarms            Cannot detect novel or unknown attacks
Anomaly detection    Able to detect unknown attacks based on audit data    High false-alarm rate; limited by training data

AUDIT RECORDS
A fundamental tool for intrusion detection.
A record of ongoing activity by users is maintained as input to the IDS.
Two plans:
1. Native audit records: all operating systems include accounting software that collects information on user activity. Advantage: no additional collection software is needed. Disadvantage: might not contain the needed information, or not in a convenient form.
2. Detection-specific audit records: a collection facility that generates audit records containing the information required by the IDS. Advantage: can be made vendor independent and ported to a variety of systems. Disadvantage: extra overhead of an additional accounting package.

Audit Record Format
Each audit record has the following fields:
Subject: initiator of the action
Action: operation performed by the subject on the object
Object: receptor of the action
Exception-condition: which exception condition, if any, is raised on return
Resource usage: amount used of some resources
Time stamp: unique time and date stamp identifying when the action took place

Base-Rate Fallacy
Practically, an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms.
If too few intrusions are detected -> false sense of security.
If too many false alarms -> alarms are ignored / time is wasted.
This is very hard to do.
Existing systems seem not to have a good record.
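An added worked example, not from the presentation, of why the base-rate fallacy makes "few false alarms" so hard: Bayes' rule gives the probability that an alarm is a real intrusion from the detection rate, the false-alarm rate and the base rate of intrusions among audit records. The figures used (99% detection, 1% false alarms, one intrusion per 10,000 records) are assumptions chosen to illustrate the effect.

```python
def alarm_precision(detection_rate: float, false_alarm_rate: float, intrusion_prior: float) -> float:
    """P(intrusion | alarm) by Bayes' rule:
        P(I|A) = P(A|I) P(I) / (P(A|I) P(I) + P(A|not I) P(not I))
    detection_rate   = P(A|I)      true-positive rate
    false_alarm_rate = P(A|not I)  false-positive rate
    intrusion_prior  = P(I)        fraction of audit records that are intrusions"""
    true_alarms = detection_rate * intrusion_prior
    false_alarms = false_alarm_rate * (1.0 - intrusion_prior)
    return true_alarms / (true_alarms + false_alarms)


def expected_alarms(n_records: int, detection_rate: float, false_alarm_rate: float, intrusion_prior: float):
    """How many true and false alarms an analyst sees over n_records."""
    intrusions = n_records * intrusion_prior
    return {
        "true": intrusions * detection_rate,
        "false": (n_records - intrusions) * false_alarm_rate,
    }


def required_false_alarm_rate(target_precision: float, detection_rate: float, intrusion_prior: float) -> float:
    """Largest P(A|not I) that still gives P(I|A) >= target_precision.
    From precision = tp / (tp + fp): fp = tp (1 - precision) / precision."""
    true_alarms = detection_rate * intrusion_prior
    false_alarms = true_alarms * (1.0 - target_precision) / target_precision
    return false_alarms / (1.0 - intrusion_prior)


if __name__ == "__main__":
    # Assumed figures: 99% detection, 1% false alarms, 1 intrusion per 10,000 records.
    print(alarm_precision(0.99, 0.01, 1e-4))              # roughly 0.0098: ~1 alarm in 100 is real
    print(expected_alarms(1_000_000, 0.99, 0.01, 1e-4))   # ~99 true alarms buried under ~9,999 false ones
    print(required_false_alarm_rate(0.5, 0.99, 1e-4))     # ~1e-4 false-alarm rate needed for a coin-flip
```

The last line is the point of the slide: with a realistic base rate, even a detector that misses almost nothing must keep its false-alarm rate at about the base rate itself before half of its alarms are worth an analyst's time.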

Distributed Intrusion Detection
Major design issues:
Different audit formats: different systems employ different native audit collection systems.
Integrity: prevent an intruder from masking his activities by altering transmitted audit data.
Confidentiality: because transmitted audit information can be valuable.
Architecture: centralized (a single central point of collection) or decentralized (more than one analysis centre).

Distributed Intrusion Detection - Architecture
Main components:
Host agent module: audit collection module on a single system. It collects data on security-related events and transmits it to the central manager.
LAN monitor agent module: same as the host agent module, but it analyzes LAN traffic and transmits the results to the central manager.
Central manager module: receives data from the above two, then processes and correlates it to detect intrusions.

Agent Architecture

HONEYPOTS
A honeypot is a system designed to look like something that an intruder can hack. They are built for many purposes, but the overriding one is to deceive attackers and learn about their tools and methods.
Decoy systems designed to:
lure attackers away from accessing critical systems
collect information about their activities
encourage the attacker to stay on the system so the administrator can respond
They are filled with fabricated information.

DEPLOYMENT OF IDS
AUDIT SOURCE LOCATION
Intrusion detection systems can be characterized according to the source of the events they analyze. Typical system classes include:
host-based IDSs
application-based IDSs
network-based IDSs
correlation systems

HIDS
Host-based IDSs (HIDS) detect attacks against a specific host by analyzing audit data produced by the host operating system.

HIDS contd.
Audit sources include:
System information (accounting): operating systems make available to processes in user space information about their internal working and security-relevant events. It provides information on the consumption of shared resources (processor time, memory, disk or network usage, applications launched) by the users of the system. There exist programs that collect and show this information, e.g. ps, vmstat, top, netstat. The information provided is usually very complete and reliable because it is retrieved directly from the kernel. Unfortunately, few operating systems provide a mechanism to systematically and continuously collect this information.

Accounting pros and cons
PROS
Accounting is found almost everywhere: in network equipment, in mainframes as well as in UNIX workstations. This omnipresence has led some designers of intrusion-detection prototypes to try to use it as an audit source.
The format of the accounting record is the same on all UNIXes, the information is compressed to save disk space, and the overhead introduced by the recording process is very small.
It is well integrated in modern operating systems, and easy to set up and exploit.
CONS
The information identifying the command launched, as well as the time stamps, is too imprecise to allow efficient detection of attacks.

Syslog facility [Lonvick, 2001]
Syslog is an audit facility provided by many UNIX-like operating systems. It allows programmers to specify a text message describing an event to be logged. Additional information, like the time when the event happened and the host where the program is running, is added automatically.
PROS
Syslog is very easy to use.
CONS
Applications usually log information valuable for debugging purposes that is not necessarily tailored to the needs of intrusion detection. Furthermore, a specific audit format is not imposed by the facility but changes according to the program that uses it. Thus, it may be difficult to extract audit data from logs and perform sophisticated analysis. Finally, the logged information can easily be polluted by messages crafted by an attacker to cover her tracks.

C2 audit trail
Some operating systems comply with the C2 level of the TCSEC standard and thus monitor the execution of system calls. The data obtained is accurate because it comes directly from within the kernel.
PROS
a strong identification of the user: its login identity, its real (current) identity, its effective (set-user-id bit) identity, and its real and effective (set-group-id bit) group identities;
a partitioning of audit events into classes to facilitate the configuration of the audit system;
a fine-grained parameterization of the information gathered according to user, class, audit event, and failure or success of the system call;
a shutdown of the machine if the audit system encounters an error status (usually running out of disk space).
CONS
heavy use of system resources when detailed monitoring is requested: processor performance could potentially be reduced by as much as 20%, and requirements for local disk storage and archiving are high;
a possible denial-of-service attack by filling the audit file system;
difficulty in setting up the audit service owing to the number of parameters involved;
difficulty in exploiting the information obtained owing to its size and complexity. This is compounded by the heterogeneity of audit-system interfaces and audit record formats in the various operating systems;
the parameterization of the audit system involves subjects (users) and actions (system calls or events), and only very rarely objects (on which the action is performed). Important objects should be monitored by an intrusion-detection tool, and this is done primarily by scanning the entire trail.

NIDS
Network-based IDSs (NIDSs) detect attacks by analyzing the network traffic exchanged on a network link.

Network-based information sources
SNMP information: the Simple Network Management Protocol (SNMP) Management Information Base (MIB) is a repository of information used for network management purposes. It contains configuration information (routing tables, addresses, names) and performance/accounting data (counters measuring the traffic at various network interfaces and at different layers of the network).
Network packets:
Low-level analysis: on the header and/or the payload of a packet. By performing pattern matching, signature analysis, or some other kind of analysis of the raw content of the TCP or IP packet, the intrusion-detection system can perform its analysis quickly. This is a stateless approach that does not take session information into account, because a session could span several network packets.
Higher-level analysis: exploiting knowledge about the protocol followed by the communication. The intrusion-detection system acts as an application gateway and analyzes each packet with respect to the application or protocol being followed; the analysis is more thorough, but also much more costly. This is a stateful analysis. Analysis of the higher levels of the protocol also depends on the particular machine being protected, as implementations of the protocols are not identical from one network stack to another. Higher-level analysis supports more sophisticated analysis of the data, but it is usually slower and requires more resources.
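An added example, not from the presentation, contrasting the two kinds of packet analysis above on a constructed TCP flow. The attacker splits one HTTP request across segments, sends them out of order, and then retransmits an overlapping segment with different content. Stateless per-packet matching sees nothing; stateful matching reassembles the stream first and catches the request. The reassembly takes a `policy` argument because, as the slide says, stacks differ: keeping the first-arrived byte or the last-arrived byte yields two different requests, and the detector must model whichever the protected host actually does. The endpoints, segments, signatures and the two policies are assumptions for the example; real stacks differ in more ways than this.

```python
# Constructed TCP segments of one HTTP request: (flow, sequence offset, payload),
# listed in arrival order at the sensor. Endpoints are assumed.
FLOW = ("198.51.100.7:40112", "192.0.2.10:80")
SEGMENTS = [
    (FLOW, 0,  b"GET /cgi-bin/../../etc/pas"),   # bytes 0-25
    (FLOW, 29, b" HTTP/1.0\r\n"),                # bytes 29-39, arrives while 26-28 are still missing
    (FLOW, 26, b"swd"),                          # bytes 26-28, arrives late (out of order)
    (FLOW, 19, b"etc/shadow"),                   # bytes 19-28 again, with different content (overlap)
]

SIGNATURES = [b"/etc/passwd", b"/etc/shadow"]


def stateless_matches(segments, signatures=SIGNATURES):
    """Low-level analysis: every packet payload is inspected on its own."""
    return {sig for _flow, _seq, payload in segments for sig in signatures if sig in payload}


def reassemble(segments, policy="first"):
    """Rebuild each flow's byte stream from its segments, processed in arrival order.
    Overlapping data is resolved by `policy`: 'first' keeps the byte that arrived
    first, 'last' lets a later segment overwrite it (two assumed host behaviours).
    Reassembly stops at the first hole, since data beyond a gap cannot have been
    delivered to the application yet."""
    buffers = {}
    for flow, seq, payload in segments:
        buf = buffers.setdefault(flow, {})
        for offset, byte in enumerate(payload):
            pos = seq + offset
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    streams = {}
    for flow, buf in buffers.items():
        data = bytearray()
        pos = 0
        while pos in buf:
            data.append(buf[pos])
            pos += 1
        streams[flow] = bytes(data)
    return streams


def stateful_matches(segments, policy="first", signatures=SIGNATURES):
    """Higher-level analysis: signatures are matched against the reassembled stream."""
    return {sig for stream in reassemble(segments, policy).values() for sig in signatures if sig in stream}


if __name__ == "__main__":
    print(stateless_matches(SEGMENTS))          # set(): no single packet carries a signature
    print(stateful_matches(SEGMENTS, "first"))  # {b'/etc/passwd'}
    print(stateful_matches(SEGMENTS, "last"))   # {b'/etc/shadow'}
```

The cost the slide mentions is visible in the code: the stateful path buffers every byte of every flow until the stream can be walked, whereas the stateless path touches each packet once and forgets it.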

NIDS contd.
Network-based IDSs employ sensors that listen to the network segments and report to a central management console, which is typically used for analysis and reporting. Network sensors can also be implemented on some routers. One sensor is needed for each network segment if the packets are routed to the segments by a switch (unless the switch allows traffic on the same virtual LAN to be copied to a mirror / Switch Port Analyzer (SPAN) port).

Disadvantages of Network-Based IDSs:
A NIDS may have difficulty processing all packets in a large or busy network and therefore may fail to recognize an attack launched during periods of high traffic.
Modern switch-based networks make NIDS more difficult: switches subdivide networks into many small segments and provide dedicated links between hosts served by the same switch. Most switches do not provide universal monitoring ports.
A NIDS cannot analyze encrypted information.
Most NIDSs cannot tell whether or not an attack was successful.

HIDS vs NIDS


The Future of IDS
IDS is a quite new area in security engineering.
Current solutions do not work very well in real life.
There are still many things to complement.
The future and the potential of IDS are really bright and attractive.

References
http://www.springer.com/978-0-387-23398-7
CPNI Technical Note 09/03, Understanding Intrusion Detection Systems
IBM Research, Zurich Research Laboratory, Saumerstrasse 4, CH-8803 Ruschlikon, Switzerland

THANK YOU!