Intrusion Detection Systems

Transcription

1 Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado

2 Work Topics 1. Definition 2. Characteristics of IDS 3. Evolution of intrusion detection systems 4. Passive and/or reactive systems 5. Advantages and disadvantages of IDS 6. Comparisson with firewalls 7. Network Based Intrusion Detection System and Host Based Intrusion Detection system 8. Limitations of IDS 9. Evasion Techniques 10. Examples of Intrusion Detection systems 11. Terminology

3 Definition of Intrusion Detection Systems Device or software application that monitors network or system activities for malicious activities or policy violations Produces reports to a Management Station Burglar alarm for our network First line of defense in our system

4 Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection systems are focused on identifying possible incidents, logging information about them, and reporting attempts They have become a necessary addition to the security infrastructure of nearly every organization

5 Help information systems prepare for, and deal with attacks. They accomplish this by collecting information from a variety of systems and network sources, and then analyzing the information for possible security problems. Provide: Monitoring and analysis of user and system activity Auditing of system configurations and vulnerabilities Assessing the integrity of critical system and data files Statistical analysis of activity patterns based on the matching to known attacks Abnormal activity analysis Operating system audit

6 Characteristics of Intrusion Detection systems It must run continually without human supervision. The system must be reliable enough to allow it to run in the background. It must be fault tolerant in the sense that it must survive a system crash and not have its knowledge-base rebuilt at restart. The system should be able to monitor itself to ensure that it has not been subverted.

7 It must impose minimal overhead on the system, meaning it must not slow down the computer. It must be easily tailored to the system in question. Every system has a different usage pattern, and the defense mechanism should adapt easily to these patterns. It must cope with changing system behavior over time as new applications are being added. The system profile will change over time, and the IDS must be able to adapt.

8 Evolution of Intrusion Detection systems The concept of ids have been around for almost twenty years from now, but lately its popularity has raised and has been seen as an indispensable addition to software security. It has begun with a paper by James Anderson as he calls for a misuse and specific user events detection necessary. In 1983, Dr. Dorothy Denning began working on a project of these systems, and one year later he helped to develop the first model for intrusion detection. In 1988 there was a second model for the US air force that produced an IDS that analyzed audit data by comparing it with defined patterns. In the early 90 s Haystack Labs was the first commercial vendor of IDS tools, beginning a new era for network security.

9 Passive or Reactive systems A passive IDS simply detects and alerts an intrusion attempt. When suspicious or malicious traffic is detected an alert is generated and sent to the administrator or user and it is up to them to take action to block the activity or respond in some way. Reactive IDS will not only detect suspicious or malicious traffic and alert the administrator, but will take pre-defined proactive actions to respond to the threat. Typically this means blocking any further network traffic from the source IP address or user

10 Advantages and disadvantages of IDS There are no doubts that an IDS is extremely important in keeping our network safe from malicious activities, we can actually tell that is indispensable to government or big business networks. round-the-clock activity; Versatile capability of these systems (they can adapt to a users need and allow custom-built network security).

11 Disadvantages: Incapability of distinguish malicious activity from a friend activity False positives and false negatives A false positive is a situation when and IDS triggers an alarm without a true security intrusion, which is problematic because diminish the value of real security alerts. False negative is the inability to detect true security events, meaning malicious activity is not detected.

12 Comparison with Firewalls There is a fine line between a firewall and IDS. Firewalls monitor computer communication ports, make computers invisible on the Internet, and can be programmed to alert the user to potential threats or to work quietly in the background, blocking unauthorized communications. Basically, a firewall is the first line of perimeter defense, however once the number of attacks and vulnerabilities are rising, network administrators are looking to extend firewalls.

13 Intrusion detection is considered by many to complement network firewalls, extending the security management capabilities of system administrators to include security audit, monitoring, attack recognition, and response. There is also technology called Intrusion Prevention System. An IPS is essentially a firewall which combines network-level and application-level filtering with reactive IDS to proactively protect the network. It seems that as time goes on firewalls, they take on more attributes from each other and blur the line even more.

14 Network Based Intrusion Detection System and Host Based Intrusion Detection system Network Based IDS Intrusion detection is network-based when the system is used to analyze network packets. Network packets are usually sniffed off the network, although they can derive from the output of switches and routers. There are many attack scenarios that would not be detected by host-based technology, thereby highlighting the differences between the two A NIDS examines packet traffic directed toward potentially vulnerable computer systems on a network while a hostbased system examines user and software activity on a host

15 Host Based IDS o A host-based IDS monitors all or parts of the dynamic behavior and the state of a computer system. o Host-based systems are designed more to deter insiders, but can t effectively deter outsiders. The exact opposite is true for network intrusion detection systems. o Host-based systems provide poor real-time response and cannot effectively protect against one-time catastrophic events. o They are, however, excellent at detecting and responding to long term attacks, such as data thieving or disgruntled employees. o Host-based intrusion detection systems also analyze user statistics to determine misuse. This method is called statistical analysis.

16 Limitations of IDS However necessary, an IDS cannot provide completely accurate detection. They have serious limitations, such as: Noise can severely limit an Intrusion detection system's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate. It is not uncommon for the number of real attacks to be far below the false-alarm rate. Real attacks are often so far below the false-alarm rate that they are often missed and ignored. Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies;

17 Other limitations to the IDS are the fact they can t perform a handful of basic functions, such as: Compensating for weak or missing security mechanisms in the protection infrastructure. Instantaneously detecting, reporting, and responding to an attack, when there is a heavy network or processing load. Detecting newly published attacks or variants of existing attacks. Effectively responding to attacks launched by sophisticated attackers Automatically investigating attacks without human intervention. Resisting attacks that are intended to defeat or circumvent them Compensating for problems with the fidelity of information sources Dealing effectively with switched networks

18 Evasion Techniques IDS evasion techniques are modifications made to attacks in order to prevent detection. They may appear in many forms, such as: Obfuscating attack payload - An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. Fragmentation and Small Packets - One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack

19 Protocol Violations - Some IDS evasion techniques involve deliberately violating the TCP or IP protocols in a way the target computer will handle differently than the IDS. Overlapping Fragments - An IDS evasion technique is to craft a series of packets with TCP sequence numbers configured to overlap. Denial of Service - An adversary can evade detection by disabling or overwhelming the IDS. This can be accomplished by exploiting a bug in the IDS

20 Examples of Intrusion Detection systems There are a lot of IDS available, due to the previously mentioned increase in information flow and consequently the increasing need for protection. Here are a few IDS software:

21 Types of IDS The most important and significant types of IDS are the previously mentioned Network Based IDS and the Host Based IDS, however, there are a few more and are worth mentioning. Stack based IDS is latest technology, which works by integrating closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. Watching the packet in this way allows the IDS to pull the packet from the stack before the OS or application has a chance to process the packets. Signature-Based IDS use a rule set to identify intrusions by watching for patterns of events specific to known and documented attacks. It is typically connected to a large database which houses attack signatures. It compares the information it gathers against those attack signatures to detect a match.

22 Anomaly-Based IDS examines ongoing traffic, activity, transactions and behavior in order to identify intrusions by detecting anomalies. It works on the notion that attack behavior differs enough from normal user behavior such that it can be detected by cataloging and identifying the differences involved. Some IDS are knowledge-based, which preemptively alert security administrators before an intrusion occur using a database of common attacks. Alternatively, there are behavioral-based IDS that track all resource usage for anomalies, which is usually a positive sign of malicious activity.