CS419 Computer Security

Transcription

1 CS419 Computer Security Vinod Ganapathy Topic: Intrusion Detection and Firewalls

2 Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so. Intrusion Detection a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner.

3 Principles of Intrusion Detection Characteristics of systems not under attack User, process actions conform to statistically predictable pattern User, process actions do not include sequences of actions that subvert the security policy Process actions correspond to a set of specifications describing what the processes are allowed to do Systems under attack do not meet at least one of these

4 Example Goal: insert a back door into a system Intruder will modify system configuration file or program Requires privilege; attacker enters system as an unprivileged user and must acquire privilege Nonprivileged user may not normally acquire privilege (violates #1) Attacker may break in using sequence of commands that violate security policy (violates #2) Attacker may cause program to act in ways that violate program s specification

5 Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks Suggests need to learn/adapt to new attacks or changes in behavior Detect intrusions in timely fashion May need to be be real-time, especially when system responds to intrusion Problem: analyzing commands may impact response time of system May suffice to report intrusion occurred a few minutes or hours ago

6 Goals of IDS Present analysis in simple, easy-tounderstand format Ideally a binary indicator Usually more complex, allowing analyst to examine suspected attack User interface critical, especially when monitoring many systems Be accurate Minimize false positives, false negatives Minimize time spent verifying attacks, looking for them

7 Intrusion Techniques objective to gain access or increase privileges initial attacks often exploit system or software vulnerabilities to execute code to get backdoor or e.g. buffer overflow to gain protected information e.g. password guessing or acquisition

8 Intrusion Detection Systems classify intrusion detection systems (IDSs) as: Host-based IDS: monitor single host activity Network-based IDS: monitor network traffic logical components: sensors - collect data analyzers - determine if intrusion has occurred user interface - manage / direct / view IDS

9 Models of Intrusion Detection Anomaly detection What is usual, is known What is unusual, is bad Misuse detection What is bad, is known What is not bad, is good

10 IDS Requirements run continually be fault tolerant resist subversion impose a minimal overhead on system configured according to system security policies adapt to changes in systems and users scale to monitor large numbers of systems provide graceful degradation of service allow dynamic reconfiguration

11 Why is intrusion detection hard? Metrics to optimize for: Precision (False positives, False negatives) Runtime performance Let us examine precision in detail: Suppose an intrusion detection system vendor tells you that they have % detection rate. Is that good? What is detection rate? How is it related to false positive rate? Let us step back and recall some probability theory

12 Bayes rule

13 Let us define some terms P(A) = probability of IDS raising an alarm P( A) = 1 P(A) P(I) = probability of intrusive behavior. i.e., an intrusion actually happening on the system being monitored Detection rate = P(A I) = % False positive rate = P(A I) = 0.01% False negative rate = P( A I) True negative rate = P( A I)

14 What do we really want from an IDS? P(I A) is as high as possible (i.e., that an alarm really denotes an intrusion) P( I A) is as high as possible (i.e., if IDS does not raise an alarm, then it is very likely we don't have an intrusion). Let us use Bayes rule:

15 Let's plug in some values Consider a typical enterprise network that has a few tens of nodes, about a dozen users, a few servers Typical for an IDS on such a network to receive in excess of 1000,000 packets Suppose only one real intrusion per day. P(I) = 10E-6 P( I) =

16 Let's plug in some values P(I A) = [ * P(A I)]/ [ * P(A I) * P(A I)] Let us plug in Detection rate = P(A I) = % and False positive rate = P(A I) = 0.01% P(I A) is approximately 1/10001 = This is called the base-rate fallacy!

17 IDS Architecture Basically, a sophisticated audit system Sensor: gathers data for analysis Analyzer: it analyzes data obtained from the sensor according to its internal rules Notifier obtains results from analyzer, and takes some action May simply notify security officer May reconfigure agents, director to alter collection, analysis methods May activate response mechanism

18 Sensors Obtains information and sends to analyzer May put information into another form Preprocessing of records to extract relevant parts May delete unneeded information Analyzer may request agent send other information

19 Example IDS uses failed login attempts in its analysis Sensor scans login log every 5 minutes, sends director for each new login attempt: Time of failed login Account name and entered password Analyzer requests all records of login (failed or not) for particular user Suspecting a brute-force cracking attempt

20 Host-Based Sensors Obtain information from logs May use many logs as sources May be security-related or not May be virtual logs if agent is part of the kernel Very non-portable Sensor generates its information Scans information needed by IDS, turns it into equivalent of log record Typically, check policy; may be very complex

21 Network-Based Sensors Detects network-oriented attacks Denial of service attack introduced by flooding a network Monitor traffic for a large number of hosts Examine the contents of the traffic itself Agent must have same view of traffic as destination TTL tricks, fragmentation may obscure this End-to-end encryption defeats content monitoring Not traffic analysis, though

22 Network Issues Network architecture dictates agent placement Ethernet or broadcast medium: one agent per subnet Point-to-point medium: one agent per connection, or agent at distribution/routing point Focus is usually on intruders entering network If few entry points, place network agents behind them Does not help if inside attacks to be monitored

23 Analyzer Reduces information from sensors Eliminates unnecessary, redundant records Analyzes remaining information to determine if attack under way Analysis engine can use a number of techniques, discussed before, to do this Usually run on separate system Does not impact performance of monitored systems Rules, profiles not available to ordinary users

24 Notifier Accepts information from director Takes appropriate action Notify system security officer Respond to attack Often GUIs Well-designed ones use visualization to convey information

25 Host-Based IDS specialized software to monitor system activity to detect suspicious behavior primary purpose is to detect intrusions, log suspicious events, and send alerts can detect both external and internal intrusions two approaches, often used in combination: anomaly detection - defines normal/expected behavior threshold detection profile based signature detection - defines (im)proper behavior

26 Audit Records a fundamental tool for intrusion detection two variants: native audit records - provided by O/S always available but may not be optimum detection-specific audit records - IDS specific additional overhead but specific to IDS task often log individual elementary actions e.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp

27 Anomaly Detection threshold detection checks excessive event occurrences over time alone a crude and ineffective intruder detector must determine both thresholds and time intervals profile based characterize past behavior of users / groups then detect significant deviations based on analysis of audit records gather metrics: counter, guage, interval timer, resource utilization analyze: mean and standard deviation, multivariate, markov process, time series, operational model

28 Threshold Metrics Counts number of events that occur Between m and n events (inclusive) expected to occur If number falls outside this range, anomalous Example Windows: lock user out after k failed sequential login attempts. Range is (0, k 1). k or more failed logins deemed anomalous

29 Difficulties Appropriate threshold may depend on non-obvious factors Typing skill of users If keyboards are US keyboards, and most users are French, typing errors very common Dvorak vs. non-dvorak within the US

30 Misuse Detection observe events on system and applying a set of rules to decide if intruder approaches: rule-based anomaly detection analyze historical audit records for expected behavior, then match with current behavior rule-based penetration identification rules identify known penetrations / weaknesses often by analyzing attack scripts from Internet supplemented with rules from security experts

31 Misuse Modeling Determines whether a sequence of instructions being executed is known to violate the site security policy Descriptions of known or potential exploits grouped into rule sets IDS matches data against rule sets; on success, potential attack found Cannot detect attacks unknown to developers of rule sets No rules to cover them

32 Distributed Host-Based IDS

33 Combining Sources: DIDS Neither network-based nor host-based monitoring sufficient to detect some attacks Attacker tries to telnet into system several times using different account names: network-based IDS detects this, but not host-based monitor Attacker tries to log into system using an account without password: host-based IDS detects this, but not network-based monitor DIDS uses agents on hosts being monitored, and a network monitor DIDS director uses expert system to analyze data

34 Handling Distributed Data Agent analyzes logs to extract entries of interest Agent uses signatures to look for attacks Summaries sent to director Other events forwarded directly to director DIDS model has agents report: Events (information in log entries) Action, domain

35 Distributed Host-Based IDS

36 Network-Based IDS network-based IDS (NIDS) monitor traffic at selected points on a network in (near) real time to detect intrusion patterns may examine network, transport and/or application level protocol activity directed toward systems comprises a number of sensors inline (possibly as part of other net device) passive (monitors copy of traffic)

37 NIDS Sensor Deployment

38 Intrusion Detection Techniques signature at application, transport, network layers; unexpected application services, policy violations anomaly detection detection of denial of service attacks, scanning, worms when potential violation detected sensor sends an alert and logs information used by analysis module to refine intrusion detection parameters and algorithms by security admin to improve protection

39 Honeypots are decoy systems filled with fabricated info instrumented with monitors / event loggers divert and hold attacker to collect activity info without exposing production systems initially were single systems more recently are/emulate entire networks

40 Honeypot Deployment

41 SNORT lightweight IDS real-time packet capture and rule analysis passive or inline

42

43

44

45

46 SNORT Rules use a simple, flexible rule definition language with fixed header and zero or more options header includes: action, protocol, source IP, source port, direction, dest IP, dest port many options

47

48

49

50

51

52

53 Firewalls and IPSes effective means of protecting LANs internet connectivity essential for organization and individuals but creates a threat could secure workstations and servers also use firewall as perimeter defence single choke point to impose security

54 Firewall Capabilities & Limits capabilities: defines a single choke point provides a location for monitoring security events convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs limitations: cannot protect against attacks bypassing firewall may not protect fully against internal threats improperly secure wireless LAN laptop or mobile device infected outside then used inside

55 Types of Firewalls

56 Packet Filtering Firewall applies rules to packets in/out of firewall based on information in packet header src/dest IP addr & port, IP protocol, interface typically a list of rules of matches on fields if match rule says if forward or discard packet two default policies: discard - prohibit unless expressly permitted more conservative, controlled, visible to users forward - permit unless expressly prohibited easier to manage/use but less secure

57 Packet Filter Rules

58 Application-Level Gateway acts as a relay of application-level traffic user contacts gateway with remote host name authenticates themselves gateway contacts application on remote host and relays TCP segments between server and user must have proxy code for each application may restrict application features supported more secure than packet filters but have higher overheads

59 Firewall Locations