Network Intrusion Detection Systems Presented by Keith Elliott

Network Intrusion Detection Systems

Presented by Keith Elliott

Background

Why are they used?

Movement towards more secured computing systems

Management is becoming cognizant of growing cyber-threats

Where are they used?

Medium to Large Businesses

Anyone that can afford them

Open-source solutions (SNORT)

Types of Attacks

Code Obfuscation

Polymorphism

Shell-code is constantly mutating

Characterized by:

Execution of GetPC code

Read operations from input stream

Port Scans

Denial of Service (DoS)

Types of NIDS

HIDS (Host Intrusion Detection System)

Operates on a single host

Uses host’s computation resources

NIDS (Network Intrusion Detection System)

Stand-alone hardware

Expensive

Methods of Detection

Signature Based

Compares packets to database of known threats

Heuristics Based

Analyzes and categorizes packets into groups

Normal, Hostile

Many different techniques being developed

Pros and Cons

Signature Based

Require constant updates by administrators

Can only detect currently known threats

Heuristics

Have the ability to identify new/unknown threats

Can easily mistake infrequent normal traffic as hostile

Heuristic Detection Techniques

Cellular Automata

Genetic Algorithms

Neural Networks

Bioinformatics

Network-Level Emulation

Measured:

Cellular Automata

Solves problems in an evolutionary way

Consists of number of cells organized in the form of a lattice

Each cell is considered independent

Its state depends only on its two adjacent cells

Fuzzy States are generally used

Categorizations are done using membership functions

As data is passed and classified, each cell mutates randomly

Neural Networks

In general, model multivariate non-linear functions using nodes called neurons

Good at classification problems

Separated into 5 categories for the experiment

Normal Connections

DoS (Denial of Service)

R2L (Remote to Local), U2R (User to Remote)

Probe/Surveillance

Best results came from over-sampling the training data

Network-Level Emulation

Inspects client-initiated data of each network flow

Server-initiated data is ignored

Reconstructs the application-level stream using TCP stream reassembly

Emulator repeats execution of code from each possible entry point in the stream

Execution of polymorphic shell-code is identified by two runtime behavioral characteristics

Execution of GetPC code

Several Read operations from within the stream

Statistics Collected

Real World Deployment of nemu (Network-Level Emulation)

Sensors in Europe have been operating since March 9th, 2007

Collected from National Research Networks and one Educational Network

As of February 13th, 2008

1,053,332 attacks targeting 21 different ports

31% were launched from 8981 unique IPs

The remaining 68% were from 204 infected hosts

Ports Attacked

25 – SMTP

42 – WINS, Nameserver

80 – HTTP

110 – POP3

135 – Microsoft EPMAP

also known as DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS

139 – Netbios Session Service

143 – IMAP

445 – Microsoft Active Directory, Windows Shares, SMB File Sharing

1025 – NFS or IIS

2967 – Symantec Antivirus Corporate Edition

Evading NIDS

Insertion Attacks

Send packets that the end-system (victim) will reject, but that the IDS accepts as valid.

Evasion Attacks

Send packets that the IDS rejects but the target accepts

Both result in the IDS and the end-host seeing different streams

Fragmentation is used in both – we all should know this by now

Methods of Evading NIDS

Case 1: The IDS fragmentation reassembly timeout is less than the fragmentation reassembly timeout of the victim.

Methods of Evading NIDS cont.

Case 2: The IDS fragmentation reassembly timeout is more than the fragmentation reassembly timeout of the operating system.

Methods of Evading NIDS cont.

Case 2: TTL Based Attacks

Topology of the victim's network must be known

Methods of Evading NIDS cont.

Overlapping Fragments

Exploits differences in Operating System Behavior
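To make the two timeout cases and the overlapping-fragment case concrete, here is an added Python model (not from the presentation, and not Snort's code) of how an IDS and an end-host can reassemble the same fragments into different streams, and how matching the IDS reassembly policy and timeout to the host (target-based reassembly, as Snort's frag3 preprocessor offers) closes the gap. The fragments, arrival times, policy names and timeout values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int     # byte offset of this fragment within the datagram
    data: bytes
    arrival: float  # seconds after the first fragment (constructed timestamps)

def reassemble(frags, overlap_policy, timeout):
    """Simplified reassembly model, not a real IP stack.

    overlap_policy: "first" keeps bytes already received (BSD-style),
                    "last" lets a later fragment overwrite them (Linux-style).
    timeout: a fragment arriving after this many seconds is treated as
             belonging to an already-expired reassembly buffer and dropped.
    """
    accepted = [f for f in sorted(frags, key=lambda f: f.arrival)
                if f.arrival <= timeout]
    length = max((f.offset + len(f.data) for f in accepted), default=0)
    buf, filled = bytearray(length), bytearray(length)  # filled[i]=1 once written
    for f in accepted:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if overlap_policy == "last" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = 1
    return bytes(buf)

def evasion_scenario():
    """Constructed fragment set: one overlapping fragment plus one late fragment."""
    return [
        Fragment(0, b"GET /index", 0.0),
        Fragment(5, b"login", 0.5),    # overlaps bytes 5..9 with different content
        Fragment(10, b".html", 45.0),  # arrives after a short reassembly timeout
    ]

def compare_views(frags, ids_policy, ids_timeout, host_policy, host_timeout):
    """Return (ids_view, host_view). A mismatch means the IDS inspected bytes
    the end-host never saw (insertion) or missed bytes it did see (evasion)."""
    return (reassemble(frags, ids_policy, ids_timeout),
            reassemble(frags, host_policy, host_timeout))

if __name__ == "__main__":
    frags = evasion_scenario()
    # IDS with a 30 s timeout and first-wins policy vs. a host with 60 s, last-wins
    print(compare_views(frags, "first", 30, "last", 60))
    # Target-based configuration: IDS mirrors the host's policy, so views agree
    print(compare_views(frags, "last", 60, "last", 60))
```

With the mismatched settings the IDS inspects `GET /index` while the host executes `GET /login.html`; once the IDS is configured with the host's overlap policy and timeout, both see the same stream.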

Conclusion

Network Threats are on the rise

Better to have a heuristic-based system

Tons of research being performed which is uncovering new and more efficient methods

SNORT can handle all mentioned methods of evasion.

Any questions?