Network Security: Attacks and Defenses


1 Network Security: Attacks and Defenses
Christian CALLEGARI, Department of Information Engineering, University of Pisa
PhD Winter School "IP Traffic Characterization and Anomaly Detection", 8th-12th February, Turin, Italy

2 Acknowledgments C. Callegari Network Security: Attacks and Defenses 2 / 95

3 Short Bio
- Post-Doctoral Fellow with the Telecommunication Network research group at the Dept. of Information Engineering of the University of Pisa
- B.E. degree in 2002 from the University of Pisa, discussing a thesis on Network Firewalls
- M.S. degree in 2004 from the University of Pisa, discussing a thesis on Network Simulation
- PhD in 2008 from the University of Pisa, discussing a thesis on Network Anomaly Detection
Contacts: Dept. of Information Engineering, Via Caruso, Pisa - Italy, christian.callegari@iet.unipi.it

4 What about you?

5 Outline
1. Introduction
2. Network Anomalies
3. Intrusion Detection Systems

6 Outline (Introduction)
1. Introduction: Basic Principles; Intruders; Intrusions
2. Network Anomalies
3. Intrusion Detection Systems

7 Network Security (Introduction / Basic Principles)
Definition from Wikipedia: In the field of networking, the specialist area of network security consists of the provisions made in an underlying computer network infrastructure, policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and consistent and continuous monitoring and measurement of its effectiveness (or lack) combined together.

8 Information Security (Introduction / Basic Principles)
Definition from Wikipedia: Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

9 Who is vulnerable? (Introduction / Basic Principles)
- Financial institutions and banks
- Internet service providers
- Pharmaceutical companies
- Government and defense agencies
- Contractors to various government agencies
- Multinational corporations
- ANYONE ON THE NETWORK

10 Cornerstones (Introduction / Basic Principles)
- Confidentiality
- Availability
- Integrity
- Authenticity
- Non-repudiation

11 Confidentiality (Introduction / Basic Principles)
Definition: Confidentiality has been defined by the International Organization for Standardization (ISO) in ISO as ensuring that information is accessible only to those authorized to have access.
- Confidentiality is one of the design goals for many crypto-systems
- Possible solutions: cryptography, IPSec

12 Availability (Introduction / Basic Principles)
Definition: The degree to which a system, subsystem, or equipment is operable and in a committable state at the start of a mission, when the mission is called for at an unknown, i.e., a random, time.
Simply put, availability is the proportion of time a system is in a functioning condition.

13 Integrity (Introduction / Basic Principles)
Definition: Data integrity is data that has a complete or whole structure. All characteristics of the data, including business rules, rules for how pieces of data relate, dates, definitions and lineage, must be correct for data to be complete.
- Integrity can be guaranteed by several security mechanisms (e.g., hash function, data authentication, digital signature)
- Trivial example: CRC of the IP header
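The slide's "trivial example" deserves a caveat: the IPv4 header check is a one's-complement checksum (not a CRC), and any party that rewrites the header can simply recompute it, so it protects only against accidental corruption, not against an adversary. The following added example (not code from the slides) computes that checksum over a constructed header, shows that a rewritten header with a recomputed checksum still verifies, and contrasts it with a keyed HMAC, which is the kind of data-authentication mechanism the slide lists. The shared key and the addresses are assumed values.

```python
import hashlib
import hmac
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of the 16-bit words of the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 6, total_len: int = 40) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum. Field values are constructed."""
    ver_ihl = (4 << 4) | 5
    ident, flags_frag = 0x1234, 0x4000       # arbitrary ID, DF flag set
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def checksum_valid(header: bytes) -> bool:
    """Summing a header that includes its own checksum folds to 0xFFFF, so the complement is 0."""
    return ipv4_checksum(header) == 0


def rewrite_destination(header: bytes, new_dst: str) -> bytes:
    """What any on-path modifier can do: change a field and recompute the checksum."""
    new_dst_b = bytes(int(x) for x in new_dst.split("."))
    hdr = header[:10] + b"\x00\x00" + header[12:16] + new_dst_b
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


KEY = b"constructed-shared-secret"          # assumption: a key known only to the two endpoints


def mac_tag(header: bytes) -> bytes:
    """Keyed integrity tag: cannot be recomputed without KEY."""
    return hmac.new(KEY, header, hashlib.sha256).digest()


def mac_valid(header: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(header), tag)


if __name__ == "__main__":
    h = build_ipv4_header("10.0.0.1", "10.0.0.2")
    forged = rewrite_destination(h, "10.0.0.9")
    print("original checksum ok:", checksum_valid(h))
    print("rewritten header checksum ok:", checksum_valid(forged))      # True: checksum is no defence
    tag = mac_tag(h)
    print("rewritten header HMAC ok:", mac_valid(forged, tag))         # False: HMAC detects it
```

The checksum verification uses the property that the one's-complement sum of a header including its own checksum field folds to 0xFFFF; the HMAC check uses a constant-time comparison so the verifier does not leak how many tag bytes matched.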

14 Authenticity (Introduction / Basic Principles)
Definition: Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true.
Mechanisms able to guarantee information authenticity:
- A difficult-to-reproduce physical artifact, such as a seal, signature, watermark, special stationery, or fingerprint
- A shared secret, such as a passphrase, in the content of the message
- An electronic signature; public key infrastructure is often used to cryptographically guarantee that a message has been signed by the holder of a particular private key

15 Non-repudiation (Introduction / Basic Principles)
Definition: Non-repudiation is the concept of ensuring that a party in a dispute cannot repudiate, or refute, the validity of a statement or contract.
- The most common method of asserting the digital origin of data is through digital certificates
- The ways in which a party may attempt to repudiate a signature present a challenge to the trustworthiness of the signatures themselves
- The standard approach to mitigating these risks is to involve a trusted third party

16 The Security Triangle (Introduction / Basic Principles) [figure-only slide]

17 A taxonomy of the intruders (Introduction / Intruders)
Intruders can be classified as:
- Masquerader: an individual who is not authorized to use the computer and who penetrates a system's access control to exploit a legitimate user's account
- Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his/her privileges
- Clandestine User: an individual who seizes supervisory control of the system and uses the control to evade auditing and access controls or to suppress audit collection

18 A taxonomy of the intrusions (Introduction / Intrusions)
Intrusions can be classified as:
- Eavesdropping and Packet Sniffing: passive interception of network traffic
- Snooping and Downloading
- Tampering and Data Diddling: unauthorized changes to data or records
- Spoofing: impersonating other users
- Jamming or Flooding: overwhelming a system's resources
- Injecting Malicious Code
- Exploiting Design or Implementation Flaws (e.g., buffer overflow)
- Cracking Passwords and Keys

19 State of the Art (Introduction / Intrusions) [figure-only slide]

20 Outline (Network Anomalies)
1. Introduction
2. Network Anomalies: Information gathering; Passive attacks; Spoofing attacks; Scanning attacks; DoS attacks; Man-in-the-Middle; DNS Cache Poisoning
3. Intrusion Detection Systems

21 Security Vulnerabilities (Network Anomalies)
Attacks on different layers:
- L2 attacks
- IP attacks
- ICMP attacks
- Routing attacks
- TCP attacks
- Application layer attacks

22 Network Attack: Life Cycle (Network Anomalies)
1. Information gathering (active or passive)
2. Scanning
3. Gaining access
4. Maintaining access
5. Clearing tracks

23 Social Engineering (Network Anomalies / Information gathering)
Definition: Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques.
- Passive: involves acquiring information without directly interacting with the target (e.g., searching public records or news releases)
- Active: involves interacting with the target directly by any means (e.g., telephone calls to the help desk or technical dept.)

24 whois (Network Anomalies / Information gathering)
WHOIS is a query/response protocol that is widely used for querying databases in order to determine the registrant or assignee of Internet resources, such as:
- a domain name
- an IP address block
- an autonomous system number
- some additional information

25-27 whois (Network Anomalies / Information gathering) [figure-only slides]

28 host & nslookup (Network Anomalies / Information gathering)
host and nslookup are utilities for performing Domain Name System lookups.

29 nslookup (Network Anomalies / Information gathering)
nslookup can provide some additional functionalities.

30 Passive attacks (Network Anomalies / Passive attacks)
- A passive attack is characterised by the interception of messages without modification
- There is no change to the network data or systems
- The message itself may be read or its occurrence may simply be logged
- Some protocols do not encrypt the data!!!
- You can easily recover login/password information for protocols such as FTP, Telnet, SMTP, ...

31 Eavesdropping (Network Anomalies / Passive attacks)
Eavesdropping is the act of secretly listening to the private conversation of others without their consent.
Some tools - packet analyzers (usually called "sniffers"):
- tcpdump
- ethereal/wireshark
- Cain and Abel
Sniffing can be easily done on a classical Ethernet, but not on a switched Ethernet. In a switched Ethernet there are two possibilities:
- switch mirroring port
- Man-in-the-Middle attack

32 Wireshark (Network Anomalies / Passive attacks) [figure-only slide]

33 Spoofing attacks (Network Anomalies / Spoofing attacks)
A spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. Spoofing can be realized at different layers:
- MAC layer: ifconfig <if> hw ether <MAC addr>
- IP layer: ifconfig <if> <ip addr>
- Application layer: e.g., the sender information shown in e-mails (the From field) can be spoofed easily. This technique is commonly used by spammers to hide the origin of their e-mails.

34-37 Recall: IP header; TCP header; TCP Connection Establishment; ICMP (Network Anomalies / Scanning attacks) [figure-only slides]

38 Scanning attacks (Network Anomalies / Scanning attacks)
Network Scan: network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment.
Host Scan: a host scan is a procedure for identifying open/filtered/closed ports on a host.
Vulnerability Scan: a vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.

39 Network Scan (Network Anomalies / Scanning attacks)
The most common way of scanning a network is the ping sweep technique.
Ping Sweep: a ping sweep is a technique used to determine which of a range of IP addresses map to live hosts.
- It consists of ICMP ECHO request packets sent to multiple hosts
- If a given address is live, it will return an ICMP ECHO reply
- ICMP TIMESTAMP and ICMP INFO can be used in a similar manner (useful if the victim machines are configured not to answer to the ICMP ECHO request packets)

40 Network Scan (Network Anomalies / Scanning attacks)
- It can be useful to identify victim machines as well as zombies
- Classical tools: hping, nmap
- nmap -sP /24

41 Host Scan (Network Anomalies / Scanning attacks)
The result of a scan on a port is usually generalized into one of three categories:
- Open or Accepted: the host sent a reply indicating that a service is listening on the port
- Closed or Denied or Not Listening: the host sent a reply indicating that connections will be denied to the port (e.g., ICMP port unreachable message)
- Filtered, Dropped or Blocked: there was no reply from the host

42 Host Scan (Network Anomalies / Scanning attacks)
A host scan can be performed in several ways:
- SYN scanning, also known as half-open scanning: nmap -sS
- UDP scanning: nmap -sU
- ACK scanning: can be useful in case packet filtering blocks packets without the ACK flag set. It does not exactly determine whether the port is open or closed, but whether the port is filtered or unfiltered (useful to detect the presence of a firewall): nmap -sA

43 Host Scan (Network Anomalies / Scanning attacks)
A host scan can be performed in several ways:
- FIN scanning: useful if the SYN packets are blocked by the firewall. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet: nmap -sF
- Xmas scanning: TCP packets with all the flags set: nmap -sX
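As an added example (not part of the deck), the following detector shows what the ping sweep on slide 39 and the port scans on slides 42-43 look like from the network IDS side: it consumes constructed probe records, raises one alert when a source reaches many distinct hosts with ICMP echo requests inside a short window and one when a source/destination pair reaches many distinct TCP ports, and names the scan technique from the TCP flags it observed. Thresholds, window length and the sample records are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """One probe as a NIDS would log it (constructed record, not a captured packet)."""
    ts: float          # seconds
    src: str
    dst: str
    proto: str         # "icmp" (echo request) or "tcp"
    dport: int = 0     # TCP destination port
    flags: str = ""    # TCP flags seen, e.g. "S", "A", "F", "FPU"


def classify_tcp_probe(flags: str) -> str:
    """Name the scan technique implied by a probe's TCP flags (the nmap modes on slides 42-43)."""
    f = set(flags)
    if f == {"S"}:
        return "SYN (half-open) scan"
    if f == {"A"}:
        return "ACK scan"
    if f == {"F"}:
        return "FIN scan"
    if {"F", "P", "U"} <= f:
        return "Xmas scan"
    return "other"


def detect_sweeps_and_scans(probes, window=60.0, min_hosts=8, min_ports=10):
    """Sliding-window detector. A source reaching >= min_hosts distinct hosts with ICMP echo
    within `window` seconds is a ping sweep; a (src, dst) pair reaching >= min_ports distinct
    TCP ports is a port scan. Each offender is reported once."""
    alerts = []
    echo_seen = defaultdict(list)   # src -> [(ts, dst)]
    port_seen = defaultdict(list)   # (src, dst) -> [(ts, dport, flags)]
    reported = set()
    for p in sorted(probes, key=lambda x: x.ts):
        if p.proto == "icmp":
            hist = echo_seen[p.src]
            hist.append((p.ts, p.dst))
            hist[:] = [e for e in hist if p.ts - e[0] <= window]
            hosts = {d for _, d in hist}
            if len(hosts) >= min_hosts and ("sweep", p.src) not in reported:
                reported.add(("sweep", p.src))
                alerts.append({"type": "ping_sweep", "src": p.src, "hosts": len(hosts), "ts": p.ts})
        elif p.proto == "tcp":
            key = (p.src, p.dst)
            hist = port_seen[key]
            hist.append((p.ts, p.dport, p.flags))
            hist[:] = [e for e in hist if p.ts - e[0] <= window]
            ports = {dp for _, dp, _ in hist}
            if len(ports) >= min_ports and ("scan", key) not in reported:
                reported.add(("scan", key))
                kinds = sorted({classify_tcp_probe(fl) for _, _, fl in hist})
                alerts.append({"type": "port_scan", "src": p.src, "dst": p.dst,
                               "ports": len(ports), "technique": "/".join(kinds), "ts": p.ts})
    return alerts


# Constructed sample: one noisy source sweeps 12 hosts, then SYN-probes 15 ports on one of them;
# a benign client repeatedly connects to a single port and pings three hosts (below thresholds).
SAMPLE = (
    [Probe(i * 0.4, "10.0.0.99", f"10.0.0.{i}", "icmp") for i in range(1, 13)]
    + [Probe(10 + i * 0.1, "10.0.0.99", "10.0.0.5", "tcp", 20 + i, "S") for i in range(15)]
    + [Probe(20 + i, "10.0.0.7", "10.0.0.5", "tcp", 443, "S") for i in range(30)]
    + [Probe(25 + i, "10.0.0.7", f"10.0.0.{i}", "icmp") for i in range(1, 4)]
)

if __name__ == "__main__":
    for alert in detect_sweeps_and_scans(SAMPLE):
        print(alert)
```

The alert fires the moment the distinct-host or distinct-port count crosses the threshold, so the reported count equals the threshold; a real deployment would tune the thresholds per network segment and whitelist known scanners such as the organisation's own vulnerability scanner.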

44 Host Scan (Network Anomalies / Scanning attacks) [figure-only slide]

45 OS guess (Network Anomalies / Scanning attacks)
A sniffer can use TCP/IP stack fingerprinting to guess the OS running on a machine. The TCP/IP fields that may vary include the following:
- Initial packet size (16 bits)
- Initial TTL (8 bits)
- Window size (16 bits)
- Max segment size (16 bits)
- Window scaling value (8 bits)
- don't fragment flag (1 bit)
- sackOK flag (1 bit)
- nop flag (1 bit)
These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.

46 OS guess (Network Anomalies / Scanning attacks)
nmap -O

47 Idle Scan (Network Anomalies / Scanning attacks)
The idle scan is a TCP port scan method that, through utility software tools such as Nmap and Hping, allows sending spoofed packets to a computer.
- First of all it is necessary to identify a zombie (by means of a ping sweep)
- The zombie must be inactive in the Internet
- nmap -sI <zombie IP> <victim IP>

48-50 Idle Scan - Open port; Closed port; Filtered port (Network Anomalies / Scanning attacks) [figure-only slides]

51 Denial of Service (Network Anomalies / DoS attacks)
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. The five basic types of attack are:
1. Consumption of computational resources, such as bandwidth, disk space, or processor time
2. Disruption of configuration information, such as routing information
3. Disruption of state information, such as unsolicited resetting of TCP sessions
4. Disruption of physical network components
5. Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately

52 SYN Flooding (Network Anomalies / DoS attacks)
- The SYN flood is a well-known type of attack and is generally not effective against modern networks
- It works if a server allocates resources after receiving a SYN, but before it has received the ACK
- There are two methods, but both involve the server not receiving the ACK: a malicious client can skip sending this last ACK message, or it can spoof the source IP address in the SYN
- The technology often used in 1996 for allocating resources for half-open TCP connections involved a queue which was often very short (e.g., 8 entries long), with each entry of the queue being removed upon a completed connection, or upon expiry (e.g., after 3 minutes)

53 SYN cookies (Network Anomalies / DoS attacks)
- SYN cookies provide protection against the SYN flood by eliminating the resources allocated on the target host
- Daniel J. Bernstein, the technique's primary inventor, defines SYN cookies as "particular choices of initial TCP sequence numbers by TCP servers"
- SYN cookies allow a server to avoid dropping connections when the SYN queue fills up
- The server sends back the appropriate SYN+ACK response to the client but discards the SYN queue entry
- If the server then receives a subsequent ACK response from the client, the server is able to reconstruct the SYN queue entry using information encoded in the TCP sequence number

54 SYN cookies (Network Anomalies / DoS attacks)
SYN cookie calculation: n = t (5 bits) | m (3 bits) | s (24 bits), where
- t = a slowly-incrementing timestamp (typically time() logically right-shifted 6 positions, which gives a 64-second resolution)
- m = the maximum segment size (MSS) value that the server would have stored in the SYN queue entry
- s = the result of a cryptographic secret function computed over the server IP address and port number, the client IP address and port number, and the value t. The returned value s must be a 24-bit value.
When the server receives back an ACK (the seq number will be n + 1), it performs the following operations:
- checks the value t against the current time to see if the connection is expired
- recomputes s to determine whether this is, indeed, a valid SYN cookie
- decodes the value m from the 3-bit encoding in the SYN cookie, which it then can use to reconstruct the SYN queue entry
Drawbacks:
- the server is limited to only 8 unique MSS values
- the server must reject all TCP options
- a connection may freeze when the final ACK of the three-way handshake is lost and the client first awaits data from the server
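The cookie layout and the three checks on this slide, implemented as an added example (not the deck's code and not Bernstein's implementation). The secret function is HMAC-SHA256 truncated to 24 bits, the 8-entry MSS table, the server secret and the expiry window of one 64-second tick are assumptions; the comments point at the drawbacks the slide lists.

```python
import hashlib
import hmac

# The eight MSS values the server can remember in the 3-bit m field (an assumption of this example).
MSS_TABLE = [64, 256, 512, 536, 1024, 1440, 1460, 8960]
SECRET = b"constructed-server-secret"   # assumed per-server secret, rotated out of band
T_SHIFT = 6                             # time() >> 6: the 64-second resolution from the slide


def t_counter(now: float) -> int:
    """5-bit slowly incrementing timestamp t."""
    return (int(now) >> T_SHIFT) & 0x1F


def encode_mss(mss: int) -> int:
    """3-bit m: index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def secret_fn(server_ip, server_port, client_ip, client_port, t: int) -> int:
    """24-bit s: keyed hash over both endpoints and t (HMAC-SHA256 truncated, an assumption)."""
    msg = f"{server_ip}:{server_port}|{client_ip}:{client_port}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(server_ip, server_port, client_ip, client_port, client_mss, now) -> int:
    """Initial sequence number n = t(5 bits) | m(3 bits) | s(24 bits). No queue entry is kept:
    everything the server will need later lives in these 32 bits."""
    t = t_counter(now)
    m = encode_mss(client_mss)
    s = secret_fn(server_ip, server_port, client_ip, client_port, t)
    return (t << 27) | (m << 24) | s


def check_syn_cookie(ack_number, server_ip, server_port, client_ip, client_port, now, max_age=1):
    """Validate the final ACK (acknowledgement number n + 1). Returns the reconstructed MSS,
    or None if t is too old or s does not match (stale or forged ACK)."""
    n = (ack_number - 1) & 0xFFFFFFFF
    t, m, s = n >> 27, (n >> 24) & 0x7, n & 0xFFFFFF
    if (t_counter(now) - t) & 0x1F > max_age:                              # step 1: expired?
        return None
    if s != secret_fn(server_ip, server_port, client_ip, client_port, t):  # step 2: genuine?
        return None
    # step 3: rebuild the queue entry. Only the MSS class survives; any TCP options the client
    # sent in its SYN are gone, which is why a cookie-protected server must reject them.
    return MSS_TABLE[m]


if __name__ == "__main__":
    now = 1_700_000_000.0
    n = make_syn_cookie("192.0.2.10", 80, "198.51.100.7", 40000, 1460, now)
    print(hex(n), check_syn_cookie(n + 1, "192.0.2.10", 80, "198.51.100.7", 40000, now))
    print(check_syn_cookie(n + 1, "192.0.2.10", 80, "198.51.100.7", 40000, now + 300))  # None: expired
```

Because t is only 5 bits it wraps every 32 ticks, so the age is computed modulo 32; an ACK that arrives after the window, or from a different client port, fails the checks and is dropped without any server-side state having been spent.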

55 UDP Flooding (Network Anomalies / DoS attacks)
A UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result the host will:
- check for the application listening at that port;
- see that no application listens at that port;
- reply with an ICMP Destination Unreachable packet.
For a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients.

56 ICMP Flooding (Network Anomalies / DoS attacks)
A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets.
Smurf attack: a Smurf attack consists of sending a large amount of ICMP echo request traffic to IP broadcast addresses, all of which have a spoofed source IP address of the intended victim. Most OSs can be configured not to answer to ICMP packets sent to a broadcast IP address, but this does not prevent the victim from being attacked.
Ping of Death: a ping of death (abbreviated "POD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. Several OSs crash when receiving an ICMP Echo request longer than the maximum allowed packet length (and therefore fragmented).

57 Recall: ARP (Network Anomalies / Man-in-the-Middle)
The Address Resolution Protocol (ARP) is a computer networking protocol for determining a network host's link layer or hardware address when only its Internet Layer (IP) or Network Layer address is known.

58 ARP Spoofing (Network Anomalies / Man-in-the-Middle)
ARP poisoning: an attacker C can send a spoofed ARP reply (gratuitous ARP) message to a given host A, claiming to be host B.
MAC flooding: by flooding a switch's ARP table with spoofed ARP replies, the attacker can overload switches, making them enter forwarding mode (frames are then sent out on all ports).

59 Man-in-the-Middle (Network Anomalies / Man-in-the-Middle)
A given host C, poisoning the ARP cache of two hosts A and B communicating with each other, can realize a Man-in-the-Middle attack, where:
- host A communicates with host C, believing to communicate with host B
- host B communicates with host C, believing to communicate with host A
- host C can intercept (active sniffing) or modify the whole traffic
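An arpwatch-style monitor, added here as an example (not from the slides), for the two cases on slides 58-59: it learns IP-to-MAC bindings from observed ARP replies, alerts when a binding flips (a gratuitous reply claiming another host's address), enforces a pinned binding for the default gateway, and flags a burst of distinct sender MACs as MAC flooding. The constructed reply log, the addresses and the thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """An ARP reply as seen by the monitor (constructed record, not a captured frame)."""
    ts: float
    sender_ip: str
    sender_mac: str
    gratuitous: bool = False   # unsolicited "I am <sender_ip>" announcement


class ArpWatch:
    """Tracks IP->MAC bindings and raises alerts when they change or when MACs flood in."""

    def __init__(self, static_bindings=None, flood_threshold=100, window=10.0):
        self.bindings = {}                          # ip -> mac learned from replies
        self.static = dict(static_bindings or {})   # pinned ip -> mac (e.g. the default gateway)
        self.recent_macs = []                       # (ts, mac) for MAC-flood detection
        self.flood_threshold, self.window = flood_threshold, window
        self.alerts = []

    def observe(self, r: ArpReply):
        # MAC flooding: many distinct sender MACs inside a short window
        self.recent_macs.append((r.ts, r.sender_mac))
        self.recent_macs = [(t, m) for t, m in self.recent_macs if r.ts - t <= self.window]
        distinct = len({m for _, m in self.recent_macs})
        if distinct >= self.flood_threshold:
            self.alerts.append(("mac_flood", r.ts, distinct))
            self.recent_macs.clear()
        # A pinned binding (static ARP entry for the gateway) must never be overridden.
        pinned = self.static.get(r.sender_ip)
        if pinned is not None and pinned != r.sender_mac:
            self.alerts.append(("static_binding_violated", r.sender_ip, pinned, r.sender_mac))
            return
        # Learned binding changed: the signature of the poisoning step on slide 58.
        prev = self.bindings.get(r.sender_ip)
        if prev is None:
            self.bindings[r.sender_ip] = r.sender_mac
        elif prev != r.sender_mac:
            kind = "gratuitous_flip" if r.gratuitous else "flip_flop"
            self.alerts.append((kind, r.sender_ip, prev, r.sender_mac))
            self.bindings[r.sender_ip] = r.sender_mac


def run_sample():
    """Replay a constructed log: hosts A (gateway), B and C announce themselves, then C claims
    B's and A's addresses; later a burst of 120 distinct MACs arrives within one second."""
    watch = ArpWatch(static_bindings={"10.0.0.1": "aa:aa:aa:aa:aa:01"})
    log = [
        ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
        ArpReply(0.5, "10.0.0.2", "aa:aa:aa:aa:aa:02"),
        ArpReply(1.0, "10.0.0.3", "aa:aa:aa:aa:aa:03"),
        ArpReply(2.0, "10.0.0.2", "aa:aa:aa:aa:aa:03", gratuitous=True),   # C claims B
        ArpReply(2.1, "10.0.0.1", "aa:aa:aa:aa:aa:03", gratuitous=True),   # C claims the gateway
    ] + [ArpReply(30.0 + i * 0.01, f"10.9.{i // 256}.{i % 256}",
                  f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}") for i in range(120)]
    for r in log:
        watch.observe(r)
    return watch.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

A production monitor would also correlate the flip with the switch port the frame arrived on and would age out learned bindings, but the three alert types above are what lets an operator catch the MitM positioning on slide 59 before traffic is redirected.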

60 Man-in-the-Middle (Network Anomalies / Man-in-the-Middle) [figure-only slide]

61 DNS packet (Network Anomalies / DNS Cache Poisoning)
- Query ID: a unique identifier created in the query packet
- QR (Query/Response): set to 0 for a query by a client, 1 for a response from a server
- Opcode: set by the client to 0 for a standard query; the other types aren't used in our examples
- AA (Authoritative Answer): set to 1 in a server response if this answer is authoritative, 0 if not
- TC (Truncated): set to 1 in a server response if the answer can't fit in the 512-byte limit of a UDP packet response
- RD (Recursion Desired): the client sets this to 1 if it wishes that the server will perform the entire lookup of the name recursively
- RA (Recursion Available): the server sets this to indicate that it will (1) or won't (0) support recursion
- Z: reserved

62 DNS packet (Network Anomalies / DNS Cache Poisoning)
- rcode: response code from the server; indicates success or failure
- Question record count: the client fills in the next section with a single question record that specifies what it's looking for; it includes the name, the type (A, NS, MX, etc.), and the class (virtually always IN=Internet)
- Answer/authority/additional record count: set by the server, these provide various kinds of answers to the query from the client
- DNS Question/Answer data: this is the area that holds the question/answer data referenced by the count fields above

63-69 Standard DNS query (Network Anomalies / DNS Cache Poisoning) [figure-only slide sequence]

70 Standard DNS query (Network Anomalies / DNS Cache Poisoning)
DNS Cache: once we get an authoritative answer for a given name, we can save it in a local cache to use to satisfy future queries directly.
DNS Cache TTL: each entry in the DNS cache has a time-to-live, measured in seconds. The administrator of the zone specifies this information for every resource record.

71-72 DNS Cache Poisoning - guessing the query ID; DNS Cache Poisoning - Version 1 (Network Anomalies / DNS Cache Poisoning) [figure-only slides]

73 DNS Cache Poisoning (Network Anomalies / DNS Cache Poisoning)
Note that the attack only works if:
- the name isn't already in the cache
- the bad guy guesses the query ID
- the bad guy is faster than the real nameserver
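An added example (not from the slides) tying slides 61-62, 70 and 73 together: it decodes the 12-byte DNS header with the fields listed above, keeps a TTL-bounded cache, and applies the resolver-side checks that make the three conditions on slide 73 hard to satisfy. A response is accepted only while a query with that ID is outstanding, and only if it arrives on the query's UDP source port, from the queried server, with the same question; once the genuine answer is cached nothing is outstanding and later responses are dropped. Matching a randomized source port in addition to the ID is the standard hardening and is an assumption of this example rather than something the deck states. The constructed responses use documentation addresses.

```python
import struct
from dataclasses import dataclass


def parse_dns_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields listed on slides 61-62."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1, "z": (flags >> 4) & 0x7, "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_dns_header(qid, qr=0, aa=0, rd=1, ra=0, rcode=0, qdcount=1, ancount=0) -> bytes:
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | rcode
    return struct.pack("!HHHHHH", qid, flags, qdcount, ancount, 0, 0)


@dataclass
class Pending:          # what the resolver remembers about an outstanding query
    qid: int
    src_port: int       # the (randomized) UDP source port the query left from
    server: str         # the nameserver it was sent to
    name: str
    qtype: str


@dataclass
class Response:         # a response as the resolver sees it (constructed, not a real packet)
    header: bytes
    from_ip: str
    to_port: int
    name: str
    qtype: str
    rdata: str
    ttl: int


class Resolver:
    def __init__(self):
        self.cache = {}     # (name, qtype) -> (rdata, expiry)
        self.pending = {}   # qid -> Pending

    def lookup(self, name, qtype, now):
        """Serve from cache while the TTL has not elapsed (slide 70)."""
        entry = self.cache.get((name, qtype))
        if entry and entry[1] > now:
            return entry[0]
        self.cache.pop((name, qtype), None)
        return None

    def send_query(self, p: Pending):
        self.pending[p.qid] = p

    def receive(self, r: Response, now) -> str:
        """Return 'accepted' or the reason the response was dropped."""
        h = parse_dns_header(r.header)
        if h["qr"] != 1:
            return "not a response"
        p = self.pending.get(h["id"])
        if p is None:                     # wrong ID guess, or the name was already answered/cached
            return "no pending query with this ID"
        if r.to_port != p.src_port:
            return "port mismatch"
        if r.from_ip != p.server:
            return "server mismatch"
        if (r.name, r.qtype) != (p.name, p.qtype):
            return "question mismatch"
        if h["rcode"] != 0:
            return f"rcode {h['rcode']}"
        self.cache[(r.name, r.qtype)] = (r.rdata, now + r.ttl)
        del self.pending[h["id"]]         # first valid answer wins; later ones are ignored
        return "accepted"


def run_scenario():
    """Constructed race: two forgeries, then the genuine answer, then a late forgery."""
    res, now = Resolver(), 1000.0
    res.send_query(Pending(0x1A2B, 53211, "192.0.2.53", "www.example.com", "A"))
    ok_hdr = build_dns_header(0x1A2B, qr=1, aa=1, ancount=1)
    bad_hdr = build_dns_header(0x0001, qr=1, aa=1, ancount=1)
    attempts = [
        Response(bad_hdr, "192.0.2.53", 53211, "www.example.com", "A", "203.0.113.66", 86400),
        Response(ok_hdr, "192.0.2.53", 53, "www.example.com", "A", "203.0.113.66", 86400),
        Response(ok_hdr, "192.0.2.53", 53211, "www.example.com", "A", "198.51.100.10", 300),
        Response(ok_hdr, "192.0.2.53", 53211, "www.example.com", "A", "203.0.113.66", 86400),
    ]
    results = [res.receive(a, now) for a in attempts]
    return results, res.lookup("www.example.com", "A", now + 100), res.lookup("www.example.com", "A", now + 400)


if __name__ == "__main__":
    print(run_scenario())
```

The forged replies carry a long TTL precisely because a poisoned entry is only useful while it stays cached; the genuine one expires after its 300-second TTL, which the final lookup in the scenario shows.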

74 DNS Cache Poisoning - Kaminsky version (Network Anomalies / DNS Cache Poisoning) [figure-only slide]

75 Outline (Intrusion Detection Systems)
1. Introduction
2. Network Anomalies
3. Intrusion Detection Systems: Motivations; Taxonomy of the Intrusion Detection Systems; Some Useful Definitions; Evaluation Data-set

76 Why an intrusion detection system? (Intrusion Detection Systems / Motivations)
Network security mainly means PREVENTION:
- Physical protection for hardware
- Passwords, access tokens, etc. for authentication
- Access control lists for authorization
- Cryptography for secrecy
- Backups and redundancy for authenticity
- ... and so on
BUT absolute security cannot be guaranteed!

77 What is an Intrusion Detection System? (Intrusion Detection Systems / Motivations)
Prevention is suitable when:
- internal users are trusted
- there is limited interaction with other networks
Need for a system which acts when prevention fails.
Intrusion Detection System: an intrusion detection system (IDS) is a software/hardware tool used to detect unauthorized accesses to a computer system or a network.

78 IDS Taxonomy (Intrusion Detection Systems / IDS Taxonomy)
Intrusion Detection Systems are classified on the basis of several criteria:
1. Scope: Host IDS (HIDS); Network IDS (NIDS)
2. Architecture: Centralized; Distributed
3. Analysis Techniques: Stateful; Stateless
4. Detection Techniques: Misuse Based IDS; Anomaly Based IDS

79 Host based vs. Network based (Intrusion Detection Systems / IDS Taxonomy)
Host based IDS:
- Aimed at detecting attacks related to a specific host
- Architecture/Operating System dependent
- Processing of high-level information (e.g., system calls)
- Effective in detecting insider misuse
Network based IDS:
- Aimed at detecting attacks towards hosts connected to a LAN
- Architecture/Operating System independent
- Processing data at a lower level of granularity (packets)
- Effective in detecting attacks from the outside

80 Centralized IDS vs. Distributed IDS (Intrusion Detection Systems / IDS Taxonomy)
Centralized IDS:
- All the operations are performed by the same machine
- Simpler to realize
- Single point of failure
Distributed IDS:
- Composed of several components: sensors which generate security events; a console to monitor events and alerts and to control the sensors; a central engine that records events and generates alarms
- May need to deal with different data formats
- Needs a secure communication protocol (IPFIX)

81 Stateless IDS vs. Stateful IDS (Intrusion Detection Systems / IDS Taxonomy)
Stateless IDS:
- Treats each event independently of the others
- Simple system design
- High processing speed
Stateful IDS:
- Maintains information about past events
- The effect of a certain event depends on its position in the event stream
- More complex system design
- More effective in detecting distributed attacks

82 Misuse based IDS vs. Anomaly based IDS (Intrusion Detection Systems / IDS Taxonomy)
Misuse based IDS:
- Identifies intrusions by looking for patterns of traffic or of application data presumed to be malicious
- Patterns of misuse are stored in a database
- Effective in detecting only known attacks
Anomaly based IDS:
- Identifies intrusions by classifying activity as either anomalous or normal
- Needs a training phase to recognize normal activity
- Able to detect new attacks
- Generates more false alarms than a misuse based IDS
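Both detector types on this slide side by side, as an added example (not the deck's code): a misuse detector matching a small constructed signature list against request lines, and an anomaly detector that learns the mean and standard deviation of per-minute connection counts from attack-free training data and flags a deviation beyond three standard deviations. The constructed minutes show the trade-offs the slide states: the signature catches only the known pattern, the anomaly detector catches the novel flood but also raises a false alarm on a benign burst. Signatures, thresholds and data are assumptions.

```python
import re
import statistics
from dataclasses import dataclass, field

# Misuse detector: patterns presumed malicious, kept in a signature "database" (constructed list).
SIGNATURES = [
    ("path-traversal", re.compile(r"(\.\./){2,}")),
    ("scanner-user-agent", re.compile(r"User-Agent: ExampleScanner/", re.I)),   # constructed name
]


def misuse_detect(payloads):
    """Names of all signatures matching any payload: finds known attacks only."""
    return sorted({name for name, rx in SIGNATURES for p in payloads if rx.search(p)})


class AnomalyDetector:
    """Learns what 'normal' per-minute connection counts look like, then flags outliers."""

    def __init__(self, k=3.0):
        self.k, self.mu, self.sigma = k, None, None

    def train(self, counts):
        """Training phase on attack-free data (cf. DARPA weeks 1 and 3 on slide 91)."""
        self.mu = statistics.mean(counts)
        self.sigma = statistics.pstdev(counts) or 1.0

    def is_anomalous(self, count):
        return abs(count - self.mu) > self.k * self.sigma


@dataclass
class Minute:
    idx: int
    conn_count: int
    payloads: list = field(default_factory=list)


def run_both(training_counts, minutes):
    """Apply both detectors to each minute; returns one verdict dict per minute."""
    ad = AnomalyDetector()
    ad.train(training_counts)
    return [{"minute": m.idx, "misuse": misuse_detect(m.payloads),
             "anomaly": ad.is_anomalous(m.conn_count)} for m in minutes]


# Constructed training data (attack-free) and four test minutes.
TRAINING = [100, 104, 98, 102, 96, 103, 99, 101, 97, 100]        # mean 100, pstdev ~2.45
SAMPLE = [
    Minute(1, 101, ["GET /index.html HTTP/1.1"]),                  # normal
    Minute(2, 102, ["GET /../../../private.txt HTTP/1.1"]),        # known pattern, normal volume
    Minute(3, 900, ["GET /index.html HTTP/1.1"] * 3),              # novel flood, no signature
    Minute(4, 112, ["GET /index.html HTTP/1.1"]),                  # benign burst: false alarm
]

if __name__ == "__main__":
    for verdict in run_both(TRAINING, SAMPLE):
        print(verdict)
```

Minute 2 is caught only by the signature, minute 3 only by the anomaly model, and minute 4 is the price of the anomaly model: a legitimate 12% rise in traffic exceeds three standard deviations of the training set and is reported.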

83 IDS State of the Art (Intrusion Detection Systems / IDS Taxonomy)
BUT...
- Focus is on Network based IDSs (the only ones effective in detecting Distributed Denial of Service - DDoS)
- State of the art IDSs are Misuse Based
- Most attacks are realized by means of software tools available on the Internet
- Most attacks are well-known attacks
- ... The most dangerous attacks are those written ad hoc by the intruder!

84 The best choice? (Intrusion Detection Systems / IDS Taxonomy)
Combined use of both:
- HIDS (for insider attacks) & NIDS (for outsider attacks)
- Misuse IDS (low false alarm rate) & Anomaly IDS (for new attacks)
- Stateless IDS (fast data processing) & Stateful IDS (for complex attacks)
Distributed IDS:
- Not a single point of failure
- More effective in monitoring large networks

85 The best choice? (Intrusion Detection Systems / IDS Taxonomy) [figure-only slide]

86 Definitions (Intrusion Detection Systems / Some Useful Definitions)
- False Positive (FP): the error of rejecting a null hypothesis when it is actually true. In our case it implies the creation of an alarm in correspondence of normal activities
- False Negative (FN): the error of failing to reject a null hypothesis when it is in fact not true. In our case it corresponds to a missed detection

87 ROC Curve (Intrusion Detection Systems / Some Useful Definitions)
Plots Detection Rate vs. False Positive Rate.
[Figure: ROC curves (Detection Rate vs. False Alarm Rate) for three detectors: Non Stationary ECDF, Non Homogeneous MC, Homogeneous MC]

88 ROC Curve (Intrusion Detection Systems / Some Useful Definitions)
Results presented by the ROC are often considered incomplete because:
- they do not take into account the cost of missed attacks
- they do not take into account the cost of false alarms
- they do not say if the system itself is resistant to attacks
- ...
Several researchers are working on more complete ways of representing the results.

89 DARPA Evaluation Program (Intrusion Detection Systems / Evaluation Data-set)
- The 1998/1999 DARPA/MIT IDS evaluation program is the most comprehensive evaluation performed to date
- It provides a corpus of data for the development, improvement, and evaluation of IDSs
- Different kinds of data are available: operating system logs; network traffic, collected by an inside sniffer and by an outside sniffer
- The data model the network traffic measured between a US Air Force base and the Internet

90 The DARPA Network (Intrusion Detection Systems / Evaluation Data-set) [figure-only slide]

91 The DARPA Dataset (Intrusion Detection Systems / Evaluation Data-set)
- 5 weeks of data
- Data from weeks 1 and 3 are attack free and can be used to train the system
- Data from week 2 contain labeled attacks and can be used to build the signature database
- Data from weeks 4 and 5 contain several attacks and can be used for the detection phase
- An attack truth list is provided
- Attacks are categorized as: Denial of Service (DoS); User to Root (U2R); Remote to Local (R2L); Data; Probe
- 177 instances of 59 different types of attacks

92 Other Data-sets
The DARPA data-set has many drawbacks:
simulated environment
not up-to-date traffic
the methodology used for generating the traffic has been shown to be inappropriate for simulating actual networks
Other data-sets: several publicly available traffic traces, e.g. CAIDA, Abilene (Internet2), GEANT, ... but no ground truth is provided!

93 Base Rate Fallacy
Let's define:
$A$ = alarm, $\neg A$ = not an alarm
$I$ = attack, $\neg I$ = not an attack
$P(A \mid \neg I)$ = false positive probability
$P(\neg A \mid I)$ = false negative probability
Some definitions:
$P(A \mid B) = \dfrac{P(A)\,P(B \mid A)}{P(B)}$
$P(B) = \sum_i P(A_i)\,P(B \mid A_i)$

94 Base Rate Fallacy
Let's suppose:
$P(A \mid I) = 0.99$
$P(\neg A \mid \neg I) = 0.99$ (hence $P(A \mid \neg I) = 0.01$)
we have 2 attacks a day over $10^6$ pkts (base rate = 1/500000)
Applying Bayes' theorem:
$P(I \mid A) = \dfrac{P(I)\,P(A \mid I)}{P(I)\,P(A \mid I) + P(\neg I)\,P(A \mid \neg I)} = \dfrac{1/500000 \cdot 0.99}{1/500000 \cdot 0.99 + (1 - 1/500000) \cdot 0.01}$
Thus $P(I \mid A) \approx 2 \cdot 10^{-4}$: roughly 2 alarms out of every 10,000 correspond to an actual attack.
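The base-rate computation of the two slides above, worked through in Python as an added example (not code from the original slides). The `Detector` class and the function names are my own; the slide's values (P(A|I) = 0.99, P(¬A|¬I) = 0.99, 2 attacks per day over 10^6 packets) are embedded as constants, and the last function inverts Bayes' theorem to show what false-positive rate the detector would need for half of its alarms to be real.

```python
# Base-rate fallacy worked through with the slide's numbers.
# Added example, not code from the original slides. Notation follows the
# slides: A = alarm, I = attack; P(A|I) is the detection rate, P(A|not I)
# the false-positive rate, P(not A|I) the false-negative rate.
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    """Operating point of an IDS, i.e. one point on its ROC curve."""
    detection_rate: float       # P(A | I)
    false_positive_rate: float  # P(A | not I)


def posterior_attack_given_alarm(det: Detector, base_rate: float) -> float:
    """Bayes' theorem as on the slide:
    P(I|A) = P(I) P(A|I) / (P(I) P(A|I) + P(not I) P(A|not I))."""
    if not 0.0 < base_rate < 1.0:
        raise ValueError("base_rate must lie strictly between 0 and 1")
    true_alarm_mass = base_rate * det.detection_rate
    false_alarm_mass = (1.0 - base_rate) * det.false_positive_rate
    return true_alarm_mass / (true_alarm_mass + false_alarm_mass)


def expected_alarms_per_day(det: Detector, base_rate: float,
                            packets_per_day: int):
    """Return (expected true alarms, expected false alarms) for one day.
    Makes the fallacy concrete: the false alarms swamp the true ones."""
    attack_packets = base_rate * packets_per_day
    benign_packets = packets_per_day - attack_packets
    return (attack_packets * det.detection_rate,
            benign_packets * det.false_positive_rate)


def required_false_positive_rate(detection_rate: float, base_rate: float,
                                 target_posterior: float) -> float:
    """Invert Bayes' theorem: the false-positive rate P(A|not I) a detector
    needs so that a fraction `target_posterior` of its alarms are real.
    Solving t = p d / (p d + (1-p) f) for f gives f = p d (1-t) / ((1-p) t)."""
    p, d, t = base_rate, detection_rate, target_posterior
    if not 0.0 < t < 1.0:
        raise ValueError("target_posterior must lie strictly between 0 and 1")
    return p * d * (1.0 - t) / ((1.0 - p) * t)


# Values from the slide: P(A|I) = 0.99, P(not A|not I) = 0.99 (so
# P(A|not I) = 0.01), 2 attacks a day over 10^6 packets, base rate 1/500000.
SLIDE_DETECTOR = Detector(detection_rate=0.99, false_positive_rate=0.01)
SLIDE_PACKETS_PER_DAY = 1_000_000
SLIDE_BASE_RATE = 2 / SLIDE_PACKETS_PER_DAY


if __name__ == "__main__":
    post = posterior_attack_given_alarm(SLIDE_DETECTOR, SLIDE_BASE_RATE)
    true_a, false_a = expected_alarms_per_day(SLIDE_DETECTOR, SLIDE_BASE_RATE,
                                              SLIDE_PACKETS_PER_DAY)
    need = required_false_positive_rate(0.99, SLIDE_BASE_RATE, 0.5)
    print(f"P(I|A) = {post:.3e}")                    # roughly 2e-4
    print(f"alarms/day: {true_a:.2f} true, {false_a:.0f} false")
    print(f"FP rate needed for P(I|A) = 0.5: {need:.2e}")
```

With the slide's numbers the detector raises about 10,000 false alarms per day against fewer than 2 true ones, and it would need a false-positive rate near 2e-6, i.e. 5,000 times lower, before an alarm were more likely an attack than not.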

95 Thank You for your attention


More information

Host Fingerprinting and Firewalking With hping

Host Fingerprinting and Firewalking With hping Host Fingerprinting and Firewalking With hping Naveed Afzal National University Of Computer and Emerging Sciences, Lahore, Pakistan Email: 1608@nu.edu.pk Naveedafzal gmail.com Abstract: The purpose

More information

Network Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media

Network Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media IT 4823 Information Security Concepts and Administration March 17 Network Threats Notice: This session is being recorded. Happy 50 th, Vanguard II March 17, 1958 R.I.P. John Backus March 17, 2007 Copyright

More information

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12 Intrusion Detection Systems and Supporting Tools Ian Welch NWEN 405 Week 12 IDS CONCEPTS Firewalls. Intrusion detection systems. Anderson publishes paper outlining security problems 1972 DNS created 1984

More information

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks

More information

Security Type of attacks Firewalls Protocols Packet filter

Security Type of attacks Firewalls Protocols Packet filter Overview Security Type of attacks Firewalls Protocols Packet filter Computer Net Lab/Praktikum Datenverarbeitung 2 1 Security Security means, protect information (during and after processing) against impairment

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS 1 LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS Te-Shun Chou and Tijjani Mohammed Department of Technology Systems East Carolina University chout@ecu.edu Abstract

More information