Prof. Dr.- Ing. Firoz Kaderali Dipl.-Ing. Alex Essoh

Transcription

1 Intrusion Detection - Introduction and Outline Prof. Dr.- Ing. Firoz Kaderali Dil.-Ing. Alex Essoh

2 Talk Outline Motivation Intrusions Intrusion Prevention Intrusion Detection Major Intrusion Detection Aroaches Deartment of Communication Systems / FTK 2

3 What is an intrusion? A set of actions that attemts to comromise the integrity, confidentiality, or availability of comuter resources by causing a DoS, creating a backdoor (Trojan Horse), lanting viruses and exloiting software vulnerabilities [AND80]. An intrusion is a violation of the security olicy of a system [KUM95]. An intrusion is unauthorized access to, and/or activities in, an information system [NST97] Deartment of Communication Systems / FTK 3

4 Motivation Dramatic increase in incidents Attacks are becoming more and more comlex and attackers focus on new vulnerabilities The resulting damages have been enormous Deartment of Communication Systems / FTK 4

5 Talk Outline Motivation Intrusion Categories Protocol related attacks Remote access attacks Malware Denial of Service (DoS) Intrusion Prevention Intrusion Detection Major Intrusion Detection Aroaches Deartment of Communication Systems / FTK 5

6 IP Soofing Deartment of Communication Systems / FTK 6

7 Talk Outline Motivation Intrusions Intrusion Prevention Intrusion Detection Major Intrusion Detection Aroaches Deartment of Communication Systems / FTK 7

8 Firewalls + Access Control Firewalls acket filters simle roxies generic roxies imlement different alications, but are not able to analyse or filter data streams. Firewalls are mainly used to filter external traffic, but according to several studies nearly 70-80% of all intruders are internal! Access Control Which subject is allowed to access which object. Many attacks are not detectable e.g. user imersonalisation Deartment of Communication Systems / FTK 8

9 Talk Outline Motivation Intrusions Intrusion Prevention Intrusion Detection Definition Intrusion Detection Tyes Major Intrusion Detection Aroaches Deartment of Communication Systems / FTK 9

10 Intrusion Detection - Definition Intrusion detection is the rocess of identifying and resonding to malicious activity targeted at comuting and networking resources [AMO99]. The rocess of identifying that an intrusion has been attemted, is occurring, or has occurred [NST97] Deartment of Communication Systems / FTK 10

11 Host-based Intrusion Detection Systems (HIDSs) How are intrusions detected on a host? System Integrity Verification (SIV) Snashot of the system (baseline) Crytograhic Check Sums Comarison current state and baseline Examle: Triwire (see htt:// Automated log files analysis on each oerating system diverse log files are available Windows (Alication logs, System logs, Security logs) Solaris Basic Security Modul (BSM) Linux (Last log) Alication logs (Web Server) Examle: Logsurfer (see htt:// Deartment of Communication Systems / FTK 11

12 Web Server logs access log [06/Nov/2003:10:39: ] GET /middle.html HTTP/ [06/Nov/2003:10:35: ] GET /alice.gif HTTP/ [06/Nov/2003:10:36: ] GET /home/user/down.html HTTP/ [06/Nov/2003:10:37: ] GET /rint.gif HTTP/ [06/Nov/2003:10:38: ] GET /logo.jg HTTP/ [02/Feb/2004:10:41: ] GET /scrits/.\%252e/.\%252e\/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1\ [02/Feb/2004:13:01: ] GET /scrits/.\%\%..\%255c\%255c../winnt/system32/cmd.exe?/c+dir" [03/Feb/2004:07:20: ] CONNECT :1337 HTTP/1.0" 404 error log [12/Feb/2004:09:04: ] GET /main.h HTTP/ [12/Feb/2004:09:04: ] GET /hinfo.h HTTP/ [12/Feb/2004:09:04: ] GET /test.h HTTP/ [12/Feb/2004:09:04: ] GET /index.h3 HTTP/ [12/Feb/2004:10:12: ] GET /scrits/..\%255c\%255c../winnt/system32/cmd.exe?/c+dir" [14/Feb/2004:14:41: ] GET /d/winnt/system32/cmd.exe?/c+dir HTTP/ last log (Linux) Se 16 11:55:40 server Failed assword for root from ort 1137 ssh2 Se 16 11:55:46 server Failed assword for root from ort 1137 ssh2 Se 16 11:55:55 server Failed assword for root from ort 1137 ssh2 Se 16 11:55:59 server Acceted assword for root from ort 1137 ssh Deartment of Communication Systems / FTK 12

13 Network-based Intrusion Detection Systems (NIDSs) How are intrusions detected on a network? NIDS Deloyment Deartment of Communication Systems / FTK 13

14 Talk Outline Motivation Intrusions Intrusion Prevention Intrusion Detection Major Intrusion Detection Aroaches Anomaly Detection Misuse Detection Deartment of Communication Systems / FTK 14

15 Anomaly Detection Normal behaviour of a subject e.g. a user or a rogram is rofiled (long term behaviour). The rofile is then comared to the actual behaviour (short term behaviour). A new observation is then classified as an anomaly if it does not fit into a redefined tolerance bound. Anomaly Detection Models Statistical models Markov chains Multivariate analysis Deartment of Communication Systems / FTK 15

16 How are anomalies detected using Markov chains? The normal user behaviour is fully characterised by the transition robability matrix P P = M n1 12 M n 2 13 M n 3 L L L M L 1n 2 n 3 n M nn P n k ij ij = P ij = 1 j and the initial robability distribution Q Q = ( q q L L q ) 0, 1, n q i = k N Deartment of Communication Systems / FTK 16

17 How are anomalies detected using Markov chains? Whenever a sequence of events S 1, S 2, L, S N takes lace a check is made to see whether this sequence is abnormal or not. The robability of the event sequence occurring is calculated using the Markov chain. The robability that a sequence of state S 1, S 2, L, S N occurs is [NON00]: P ( S S L S N ) = A low robability for the sequence transition is likely to be an anomaly. 1, 2,, 1 i 1 q S N i = 2 P S S i Deartment of Communication Systems / FTK 17

18 How are anomalies detected using multivariate analysis? Generally we have n revious observations (norm rofile) and the goal is to check whether a new observation x n + 1 resect to revious observations [DEN87]. x 1 K x n is abnormal with If the variable to be analysed is a multivariable, the n revious observations can be reresented as follows: X = x x M x n x x x M n 2 The goal is to check whether the new observation is abnormal or not. L L M L x x x 1 2 M n X = ( y, y 2, L, y 1 ) ( x ( n+ 1)1, x( n+ 1)2, x( n+ 1)3, Lx( n+ 1) ) Models (Hotelling s Test, Chi-Square Multivariate Test) [NON01][NQC01][NON02] Deartment of Communication Systems / FTK 18

19 Hotelling s Test for Anomaly Detection Introduced by Harald Hotelling and works as follows: At first the normal behaviour of the multivariable has to be determined by calculating 1. the mean of the multivariable X = ( y y, L ) 1, 2 y 2. and the variance co-variance matrix n 1 S = ( Xi X)( Xi X) n 1 i= 1 t X i is the ith observation of the multivariable Then secondly the Hotelling s test for a new observation t x x x x ) at discrete time interval (n+1) is calculated: ( ( n+ 1)1, ( n+ 1)2, ( n+ 1)3, L ( n+ 1) T 2 = + t 1 ( X ( n+ 1) X ) S ( X ( n 1) X ) Deartment of Communication Systems / FTK 19

20 Hotelling s Test for Anomaly Detection Thirdly the Hotelling s test has to be transformed into a F distribution n ( n ) with and (n-) degrees by multilying T² with. ( n + 1)( n 1) n ( n ) ( n + 1)( n 1) 2 Fourthly the obtained value T is then comared to the tabulated value for a given level of significance. α If the comuted value is greater than the tabulated value, the observation can be classed as abnormal Deartment of Communication Systems / FTK 20

21 Deartment of Communication Systems / FTK 21 Chi-Square Test for Anomaly Detection The Chi-Square test is used to see how much the result of the exeriment differs from the emirical result. The Chi-Square test is calculated as follows [NQC01]: Anomalies can be detected if X² is bigger than the exected tolerance bound. = = = = + = i i i i n i i i i y y x E E X X 2 1 1) ( ) ( ) (

22 Methods Comarison A Markov chain erforms better than a Hotelling s - or a Chi- Square test [NON01]. Hotelling s test (95 % detection rate at 0 % false alarm) Chi-Square test (60% detection rate at 0% false alarm) But after 5% false alarm, Chi-Square erforms better. Conclusion: the difference between the Hotelling s - and the Chi-Square test is not very big. [NON02] Deartment of Communication Systems / FTK 22

23 Misuse Detection Diverse aroaches are used: State transition analysis [KOR95] Rule-based misuse detection IF, THEN rules are defined and alied to the data stream. Examle: SNORT (see htt:// Deartment of Communication Systems / FTK 23

24 SNORT Snort offers three oerational modes: Sniffer Packet logger Intrusion detection Each acket traversing the network is analysed in two stes: The Header of the snort rule is alied to the acket, if there is a match otions are alied to the rest of the ackets Deartment of Communication Systems / FTK 24

25 SNORT Rules Examle 1 Land attack: attacker sends an IP acket where the sender IP address equals to the receiver IP address. SNORT rule to detect a land attack: <alert i any any any any (msg: DoS Land attack ;samei;)> Examle 2 Unauthorized directory traversal attack: attacker tries to execute malicious commands on a vulnerable Internet Information Server (IIS). SNORT rule to detect an unauthorized directory traversal attack: <alert tc $External_Network any $My_Webserver $Ports (msg:cmd32.exe access ; content cmd32.exe ; nocase; )> Deartment of Communication Systems / FTK 25

26 Comarison Anomaly vs. Misuse Anomaly Detection Misuse Detection Advantages Novel attacks can be detected Lower false ositive rate Disadvantages Higher false ositive rate Novel attacks can not be detected Products: RealSecure (see htt:// Database of attacks has to be regularly udated Next-Generation Intrusion Detection Exert System (NIDES) (see htt:// Deartment of Communication Systems / FTK 26

27 Oen Issues New Methods to significantly decrease the number of false alarms. Which variables are suitable for anomaly detection? New algorithms to reduce the amount of audit trails for efficient intrusion detection. Intrusion correlations Deartment of Communication Systems / FTK 27

28 Literature [AMO99] Edward G. Amoroso, Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Tras, and Resonse, Intrusions.Net Books, 1999 [AND80] Anderson, J. P., Comuter Security Threat Monitoring and Surveillance, James P. Anderson Co., Fort Washington, 1980 [DEN87] Dorothy E. Denning, An Intrusion Detection Model, IEEE Transactions on Software Engineering, volume 13, number 2, ages , 1987 [ECK03] Claudia Eckert, IT Sicherheit-Konzete-Verfahren-Protokolle, 2. Auflage, Oldenbourg, 2003 [KOR95] Koral Ilgun and R. A. Kemmerer and Philli A. Porras, State Transition Analysis: A Rule-Based Intrusion Detection Aroach, IEEE Trans. Softw. Eng., volume = 21, number = 3,1995, ages = , [KUM95] S. Kumar, Classification and Detection of Comuter Intrusions, PhD thesis, Det. of Comuter Science, Purdue University, August Deartment of Communication Systems / FTK 28

29 Literature [MAR01] David J. Marchette, Comuter Intrusion Detection and Network Monitoring: A Statistical Viewoint, Singer, 2001 [MUR90] Murray R. Siegel, Statistik, 2. überarbeitete Auflage, McGraw- Hill Book Comany Euroe, 1990 [NON00] Nong Ye, A Markov Chain Model of Temoral Behavior for Anomaly Detection, Proceedings of the 2000 IEEE, June 2000 [NON01] Nong Ye et al., Probabilistic Techniques for Intrusion Detection based on Comuter Audit Data, IEEE Transactions on Systems, MAN, and Cybernetics - Part A: Systems and Humans volume=31, number=4, ages= , July 2001 [NON02] Nong Ye et all, Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection, IEEE Transactions on COMPUTERS, volume 51, number 7, ages = , July Deartment of Communication Systems / FTK 29

30 Literature [NQC01] Nong Ye and Qiang Chen, An Anomaly Detection Technique based on a Chi-Square Statistic for detecting intrusions into information systems, Quality and Reliability Engineering International, volume=17, ages = , [NST97] NSTAC Intrusion Detection Subgrou Reort, Dec [RIC03] Robert Richardson, Eight AnnualCSI/FBI Comuter Crime and Security Survey, 2003 htt:// [SAC93] Lothar Sachs, Statistiche Methoden, Planung und Auswertung, Sringer Verlag, 1993 [SPE03] Ralh Senneberg, Intrusion Detection für Linux-Server, Markt + Technik, 2003 [SYM03] Symantec Internet Security Threat Reort Deartment of Communication Systems / FTK 30

31 End Thanks for your attention. Prof. Dr. Firoz Kaderali Det. Communication Systems FernUniversität Hagen Deartment of Communication Systems / FTK 31