Intrusion Detection System (IDS)

Transcription

1 Intrusion Detection System (IDS) Characteristics Systems User, Process predictable actions describing process under that actions what pattern subvert actions attack of correspond the systems processes the conform do security not not to include meet are a to under policy set statistically allowed of sequences specifications attack least to do one of of Principles Intrusion Detection created Related and detection: operated consists to detect of system procedures intrusions and systems 3 Intrusion works tolerance prevention reaction correction activities Introduction (continued) What type when can instigator system action is be of a intrusion that both with attack user attempts users harmful from of an was inside information to intent not gain and legally entry outside assets system allowed into in or takes which disrupt to take an Introduction Goal: Intruder Requires program unprivileged Nonprivilegeduser (violates insert will privilege; a modify back and attacker door may system must not into enters normally acquire configuration a system privilege acquire as privilege file or 2 Attacker program s security #1) may specification cause break policy program in (violates using sequence to #2) act in ways of commands that violate that Example Just detected several Computer financial malicious Millions Only IDS or If complimentary using you a over substitute. are 0.1% antivirus use implemented mostly of computer losses 90% acts Security of jobs antivirus companies thereafter. of software in product misunderstood have interconnected excess security Institute, firewall been then do of are your affected breaches not $455M should 4/7/02 protections spending and use security networks also was IDS. are because in reported the thought caused consider strategy.most that appropriate that last of were that intrusion 12 by were of adding intrusion months as 80% installed. running a budget firewall organizations reported defiant IDS and IDS on product as t IDS. of a Scary Stastics these 4 Intrusion correction activities 6 5 1

2 Notify an external security service organization Alert False Noise True Confidence Alarm attack or negative positive filtering alarm stimulus value Provide useful information about intrusions that take place Signature-based Statistical anomaly-based 8 10 Problem with this approach? Define dynamic When or IDS Requires than May clipping can generate signature-based measured and behavior detect much level, characterize many of new more activity IDS the false types system. overhead will correct is positives of trigger outside attacks static and baseline form processing alert and/or parameters acceptable capacity 12 Detects activates Where Notify or pagers should a administrators an alarm violation external the alarm security of directly its be configuration service sent? of trouble organization via and e Intrusion Detection Systems (IDSs) Prevent discovery Detect Document Act especially Provide as quality attacks and problem useful of and existing deal large control punishment and information with behaviors and other threat preambles complex security to about by an increasing enterprises organization to violations design intrusions attacks and the that administration, perceived take place risk of 7 Why Use IDS? Characterize Examine known Widely distinct Pattern/signature data known traffic ways in search to penetrate of patterns a sysem that match 9 Problem used signatures with because this approach many attacks? have clear and Signature-Based IDS IDS Terminology Intrusion Detection Methods Statistical Anomaly-Based IDS

3 IDSs network host application network-based host-based application-based operate Types of IDSs Resides segment of When patterns Installed watch segment attacks traffic examining on of at computer specific an going organization s packets, into place and appliance in a s NIDS the out network; network of connected looks particular looks where for attack for network to it signs can Network-Based (NIDS) based 14 segment To Done stack: In invalid are use detect process application examined by data using an of attack, packets for special protocol unexpected NIDSs implementation stack verification, verification, look packet for higher-order behavior attack NIDSs of TCP/IP patterns look improper protocols for Good enable large existing network network organization are networks operations design with passive to and use little and a placement disruption few can devices be of deployed to NIDS to normal monitor can into 16 NIDSs not be detectable not usually by susceptible attackers to direct attack and may recognize Require Cannot Some specifically Having become forms analyze reliably access problems attacks those of overwhelmed to attack ascertain encrypted involving all with traffic are certain if not packets by attack fragmented to switches easily be network monitored was discerned successful volume packets by and or NIDSs, fail not to 18 Advantages and Disadvantages of NIDSs NIDS Signature Matching Advantages and Disadvantages of NIDSs (continued)

4 Host-based detect deletes Most configuration Advantage so when that HIDSs traveling when it key can over system intruder work access over NIDS: change files on information network creates, the can management principle log usually modifies, files encrypted be of installed or Host-Based IDS Pose Vulnerable Does non-host Susceptible operating more management both system to direct issues attacks and against 19 Can use inflict not large network detect a to performance amounts some multi-host devices denial-of disk overhead of-service scanning, space on nor attacks its scanning host systems of Disadvantages HIDSs Advantages Disadvantages Aware Able More application to susceptible of operate specific and user even to users; attack when can incoming observe interaction data is encrypted between 21 Less capable of detecting software tampering when traveling over network attacks Functions have Not Can systems stored detect affected been in that programs audit decrypted on local inconsistencies may by host logs use events elude were system, of and a switched used network-based is host where in available by how systems examining encrypted applications for IDS and processing protocols records traffic detect and will 20 Can inflict a performance overhead on its host systems Application-based management systems, AppIDS File Network Configuration Execution System etc may ) Space systems, for be configured abnormal IDS content (AppIDS) events to management intercept examines requests: systems, application accounting (database 22 Less capable of detecting software tampering Log Reviews other Patterns entire Requires quantities collection, file IDSs network monitor that log allocation of for files log signify movement, and patterns data (LFM) generated its of attack considerable systems and similar storage, may by signatures servers, are be NIDS viewed much and resources network analysis easier holistically since to of devices, identify large it will and involve when even 24 Advantages and Disadvantages of AppIDSs Advantages of HIDSs Application-Based IDS Log File Monitors

5 NIST sensors recommends four locations for NIDS Location network DMZ 1: 2: 3: 4: behind outside On major critical each an network external subnets backbones firewall, in the Deploying Network-Based IDSs Proper painstaking Deployment critical Installation 25 installed, degree systems of implementation or coverage continues and the begins first organization time-consuming it with is until willing of implementing HIDSs either reaches to task all live can systems planned with be most are Deploying Host-Based IDSs 27 Location 4: On critical subnets 26 degree of coverage it is willing to live with Some countermeasures LaBrea: organizations : takes up unused to stop implement IP attacks address active space Typically launch Attack attacker, system Footprinting: target Web organization successful protocol used network : a first logical to step collect attack series sequence, of samspade.org attack-find information of steps to launch out processes that the attacker ipaddresses used against would by an a of target need the to t28 Whois Network Whoisinformation: information: reconnaissance: whois.net ping sweep Learn From Attackers Active Intrusion Prevention Scanning and Analysis Tools

6 Fingerprinting: organization s footprinting structure These can network vulnerability quickly tools for that and pinpoint are anticipated phase s need systematic operational Internet reveals valuable a prompt the useful addresses attack survey to parts nature network repair information of of of the collected all to target defender systems of close target about system during the or since internal or the they 31 vulnerability organization: systematic survey of all of target Tools computers information Can resources, The attackers Example scan more used and software: specific or active by specific their defenders both on scans the nmap attackers a types scanner network, useful of be and computers, is, information generic and the defenders other better protocols, useful it can identify give or Several firewall analyzing Although administrator s tools rules the mostly automate and rules s work, design assist can remote the to be facilitate administrator used discovery by network attackers of in 32 Detecting system There protocols RemOS are (OS) many a target very tools valuable computer s that use to s an operating XProbe to determine a remote networking attacker computer s 36 Scanning and Analysis Tools (continued) Operating System Detection Tools Port Scanners Firewall Analysis Tools RemOS

7 Active detailed determines Passive client-side scanners software vulnerability information; vulnerabilities vulnerable scanners initiate versions typically traffic scan have listen of not networks both ability to in found determine on server network to for find and active highly holes and Vulnerability Scanners Attack Toolkit

8 Network network Can information issues In on To be have the network use provide on under wrong knowledge packet network and tool direct traffic for network analyzes hands, that sniffer that diagnosing authorization collects organization a consent legally, administrator them sniffer copies and of administrator can the owners owns resolving be of content with packets used of network creators valuable networking must eavesdrop from Packet Sniffers have knowledge and consent of the content creators