Intrusion Detection Systems
Intrusion Detection Systems: Overview
- IDS: Acronyms & Definition
- Components
- Recognition & Response
- Security
- Interoperability & Cooperation
- HIDS: Summary & Software
- NIDS: Summary & Software
- IDS deployment
Intrusion Detection Systems: Acronyms
- IDS => Intrusion Detection System
  - HIDS => Host-based IDS
  - NIDS => Network-based IDS
- IPS => Intrusion Prevention System
- (IRS => Intrusion Response System)
Be careful: in the literature the meaning of these acronyms can differ!
Intrusion Detection Systems: Definition
An IDS is a system for the active monitoring of computer systems and networks in order to detect, or even react to (prevent), attacks and abuse. It should be seen as an integrated process supported by various technical tools, not just as the tools themselves.
Intrusion Detection Systems: Components: Network-based sensors
They monitor and analyze the traffic of a system or a network segment. Normally a dedicated system is used for this task; in recent years sensors have also been integrated into the network devices themselves (an extension board or a system slot wired internally).
Advantages of network sensors: they can be installed invisibly (a passive interface with no address on the monitored segment), which makes them very resistant to detection and attack; they add no load to the systems they monitor (protect); and, unlike host-based sensors, they can detect distributed attacks.
Network sensors have to cope with several problems. Sensor speed cannot keep up with the growth in link bandwidth: a sensor copes easily with a 100 Mbit/s link, but on a gigabit (or faster) network with high packet rates it becomes very difficult to deploy sensors that monitor all of the link traffic. A network device only has to read the packet header before deciding what to do with the packet; a sensor has to process (depending on its configuration) the entire packet, normally by comparing it against a large number of signatures, which costs a lot of CPU and memory. The biggest problem for network sensors, however, is encrypted traffic: without the session keys the sensor sees only headers and traffic volume.
Attack examples:
- DDoS
- SYN flood
- malicious URL (overlong, special characters ...)
- port scans
- embedded virus / worm / Trojan horse / exploit code
Intrusion Detection Systems: Components: Host-based sensors
They are installed on the monitored systems themselves and are able to detect attacks directed at operating systems and services.
Host-based sensors have to be installed on every system that is to be monitored. They have to match the installed OS and its applications, and they are normally visible to the system and its users. Host-based sensors are used to detect or check:
- File integrity
- File and application access
- Login failures
- Access violations
- Suspicious (user) behaviour
- Configuration changes
- Host-specific network traffic (even encrypted traffic, with application support, since the host sees the plaintext)
A host-based sensor has to be tailored to its purpose. It has a performance impact on the host and consumes bandwidth to report its findings.
Intrusion Detection Systems: Components: Database components
Sensors generate a huge amount of data over a long time span that has to be stored somewhere. Small data sets can be stored in files; larger ones are stored in databases. Databases offer higher performance for event access, aggregation and analysis.
Intrusion Detection Systems: Components: Management components
The management station (one or more) is used to configure and calibrate the IDS. Sometimes it is combined with the analysis station, or a sensor has its own management already integrated. Normally a management station is used for the following tasks:
- Add / remove components (sensors, databases, analysis and management stations)
- Management of the monitored objects
- Logical grouping and preprocessing configuration
- IDS policy: creation, management, assignment, deployment
Intrusion Detection Systems: Components: Analysis components
An analysis station has tools to display and analyze IDS events and alarms. It represents the intelligent part of an IDS and is used to generate reports (command line, web GUI or a specific IDS GUI). An analysis station is used to detect and analyze IDS events:
- Display IDS events
- Sorting and classification of IDS events
- Correlation of IDS events
- Alarming
- Reaction proposal or actual reaction
- Storing preprocessed data and results for further use
- Report generation
- Long-term and trend analysis
Intrusion Detection Systems: Components: Communication components
Communication between IDS components uses different protocols and differs in data volume and behaviour. The channels used should provide sufficient bandwidth and security: an attacker who can read or inject on them learns what the IDS sees, or blinds it.
- Sensors -> Databases: events, alarms
- Sensors -> Management station: heartbeat, status
- Management station -> Databases: status, configuration
- Management station -> IDS components: configuration, policy, status, reaction commands
- Management station -> Analysis station: alerts
- Analysis station -> Databases: events, alarms (already aggregated events)
Intrusion Detection Systems: Attack recognition
- Pattern recognition: detection of known attacks (pattern comparison)
- Anomaly detection:
  - protocol analysis
  - statistical data comparison
  - artificial intelligence
  - honeypots
  - topology change
- Aggregation & correlation
Pattern recognition and protocol analysis are the methods mostly used in today's IDS. More advanced methods using AI or honeypots are only used in prototypes or in a scientific / educational environment.
Pattern recognition examples:
- Byte sequence, e.g. 00 45 af 1e
- SYN requests to different ports in sequence
- x login attempts in y minutes
A huge number of patterns, and variations of them, is needed to detect known attacks. It is possible to write more general, and thus fewer, signatures, but this tends to increase the number of false positives.
Protocol analysis tries to detect any abnormal use of a defined protocol, for example non-random content in an ICMP echo payload. This method is quite successful but very performance intensive.
Statistical data comparison uses recorded behaviour data as a reference value and compares actual behaviour against it. Examples: an abnormally high data flow during the night from system a to system b, or a user x accessing services b, c and d that were never used before.
The huge amount of data produced by sensors is normally pre-aggregated to condense the useful information into the smallest possible size: 65535 port scan events against one host are aggregated into one event.
Correlation is an intelligent merge of events from various sensors into one IDS alert. For example, NIDS: multiple session initiation attempts on an SSH service, and HIDS: 50 login failures on the SSH server in 5 minutes, are correlated into an "SSH service attack" alert.
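The aggregation and correlation steps described on this slide, as an added example in Python that is not part of the original deck or of any IDS product: a few thousand constructed NIDS SYN events are condensed into one port-scan event and one service-probe event, and the probe is then correlated with constructed HIDS login failures from the same source into a single alert. Thresholds (100 ports, 20 attempts, 50 failures, 5-minute window), sensor names and addresses are all assumptions made for the example.

```python
"""Event aggregation and correlation (added example, not from the slides).
All events are constructed in-line; sensor names and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 3, 0, 0)  # constructed start time (03:00, off-hours)

# Raw events as (timestamp, sensor, type, src_ip, (dst_ip, dst_port), detail).
NIDS_EVENTS = (
    # a SYN to each of ports 1..1000 on 10.0.0.5, ten per second
    [(BASE + timedelta(milliseconds=100 * i), "nids", "syn", "10.0.0.7",
      ("10.0.0.5", p), "") for i, p in enumerate(range(1, 1001))]
    # followed by 60 session initiations against the SSH service
    + [(BASE + timedelta(seconds=100 + i), "nids", "syn", "10.0.0.7",
        ("10.0.0.5", 22), "") for i in range(60)]
)
HIDS_EVENTS = [  # sshd on 10.0.0.5 reports a failure for 50 of those sessions
    (BASE + timedelta(seconds=100 + i), "hids", "login_failure", "10.0.0.7",
     ("10.0.0.5", 22), "Failed password for root") for i in range(50)
]


def aggregate(events, min_ports=100, min_attempts=20, window=timedelta(minutes=5)):
    """Condense thousands of SYN events into a few summary events:
    one 'portscan' per (src, dst) pair touching many ports inside the window,
    and one 'service_probe' per (src, dst, port) hit repeatedly in the window."""
    by_pair, by_service = defaultdict(list), defaultdict(list)
    for ts, _sensor, etype, src, (dst, port), _ in events:
        if etype == "syn":
            by_pair[(src, dst)].append((ts, port))
            by_service[(src, dst, port)].append(ts)
    out = []
    for (src, dst), hits in by_pair.items():
        times = [t for t, _ in hits]
        ports = {p for _, p in hits}
        if len(ports) >= min_ports and max(times) - min(times) <= window:
            out.append({"type": "portscan", "src": src, "dst": dst,
                        "ports": len(ports), "first": min(times)})
    for (src, dst, port), times in by_service.items():
        if len(times) >= min_attempts and max(times) - min(times) <= window:
            out.append({"type": "service_probe", "src": src, "dst": dst,
                        "port": port, "attempts": len(times), "first": min(times)})
    return out


def correlate(summaries, hids_events, min_failures=50, window=timedelta(minutes=5)):
    """Merge a NIDS service probe with HIDS login failures from the same source
    against the same service into one higher-confidence alert."""
    failures = defaultdict(list)
    for ts, _sensor, etype, src, (dst, port), _ in hids_events:
        if etype == "login_failure":
            failures[(src, dst, port)].append(ts)
    alerts = []
    for s in summaries:
        if s["type"] != "service_probe":
            continue
        start = s["first"]
        n = sum(1 for t in failures.get((s["src"], s["dst"], s["port"]), [])
                if start <= t <= start + window)
        if n >= min_failures:
            alerts.append({"type": "service_attack", "port": s["port"],
                           "src": s["src"], "dst": s["dst"],
                           "probes": s["attempts"], "failures": n})
    return alerts


def run():
    """Aggregate the NIDS events, then correlate them with the HIDS events."""
    summaries = aggregate(NIDS_EVENTS)
    return summaries, correlate(summaries, HIDS_EVENTS)


if __name__ == "__main__":
    summaries, alerts = run()
    for item in summaries + alerts:
        print(item)
```

Note that 1060 raw SYN events plus 50 log lines end up as two summary events and one alert, which is the point of aggregation: the analyst sees one "service_attack" record carrying the counts, not the raw stream. The windows are applied at both stages, so a slow scan spread over hours would have to be caught by a longer window or a separate low-and-slow rule.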
Intrusion Detection Systems: Intrusion response
- Documentation
- Alerting
- Countermeasures:
  - temporary countermeasure
  - permanent configuration change
  - manual, semi-automated, automatic
  - (counterattack)
Documentation is necessary before the events can be analyzed. A documented event normally consists of (time, affected system, type of attack). Additional data such as packet content can be used later for a more profound analysis.
Alerting can be done depending on severity and type of attack over various channels to different recipients (e-mail, SMS, SNMP trap, pager, automated phone calls). Depending on the type of alert and the person alerted, it should be presented in a way appropriate to the recipient's knowledge and to the transport channel (a bad example would be sending whole service-specific log files to a CSO). Processes describing how a person should respond to an alert should be in place before its first occurrence.
Countermeasures should be defined to improve the response to an alert. For example, an appropriate response to a distributed attack on a web shop could be to temporarily block the service by inserting a firewall rule. Automated or semi-automated countermeasures should be used very carefully, as they can easily lead to unintended service disruption: an attacker who spoofs the source address of a trusted partner can make the IDS block that partner (a weapon can always be turned against its owner). Real counterattacks are discussed in the IDS community but not used (as far as I know) due to legal implications.
Intrusion Detection Systems: Flow
Intrusion Detection Systems: IDS security
- Confidentiality: an IDS should protect its internal communication channels and its access points
- Integrity: an IDS should be protected against manipulation
- Availability: an IDS should be protected against attacks (an attacker who can crash or flood a sensor blinds it)
- Accountability: any access to the IDS should be restricted according to the assigned user role and logged accordingly
Intrusion Detection Systems: IDS collaboration
- Virus scanner: specialized HIDS sensor & enforcement agent
- Content filter (proxy): network traffic enforcement agent
- Vulnerability scanner: specialized NIDS sensor & IDS calibration
- Firewalls: specialized NIDS sensor & enforcement agent
Intrusion Detection Systems: HIDS
Host(-based) Intrusion Detection System: a HIDS monitors the behaviour and state of a system and its users. Nowadays a lot of software has some HIDS character.
- System call profiling
- Config and registry changes
- Integrity of binaries
- User and service behaviour
Intrusion Detection Systems: HIDS software
- aide / tripwire / samhain / osiris: file integrity checkers (hash databases, historically MD5; MD5 is no longer collision-resistant, so use SHA-2 where the tool allows it); they also check permissions, owner, ...
- system call auditor: checks which system calls a binary uses
- ossec / logwatch: log analysis (OSSEC is a full HIDS agent; logwatch only summarizes logs)
- chkrootkit, rkhunter: rootkit detection
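A file integrity checker of the aide / tripwire kind, as an added example in Python that is not the code of any of those tools: it fingerprints every file under a root with a SHA-256 digest plus mode, owner and size, stores that as the baseline, and diffs a later walk against it. The demo builds a small constructed file tree in a temporary directory and then replaces a binary with a same-size version, adds a setuid bit, adds a file and deletes one; the paths and contents are assumptions for the example.

```python
"""File integrity checking in the style of aide / tripwire (added example, not
those tools' code).  Each file gets a digest plus the metadata a checker
watches (mode, owner, size); a later run is diffed against the baseline.
SHA-256 is used instead of MD5 because MD5 collisions are practical.  The
file tree is constructed in a temporary directory."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Digest and metadata of one regular file."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def baseline(root):
    """Walk root and build the reference database: relative path -> fingerprint."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(reference, current):
    """Report added and removed paths, and for surviving paths the attributes
    that differ (e.g. ['sha256'] for a same-size replacement, ['mode'] for a
    new setuid bit)."""
    report = {"added": sorted(set(current) - set(reference)),
              "removed": sorted(set(reference) - set(current)),
              "changed": {}}
    for path in set(reference) & set(current):
        diff = [k for k in reference[path] if reference[path][k] != current[path][k]]
        if diff:
            report["changed"][path] = diff
    return report


def demo():
    """Constructed scenario: take a baseline, then replace a binary with a
    same-size version, add a setuid bit, add a file and delete one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF original")
        (root / "bin" / "ls").write_bytes(b"\x7fELF ls")
        os.chmod(root / "bin" / "ls", 0o755)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        reference = baseline(root)

        (root / "bin" / "login").write_bytes(b"\x7fELF trojaned")  # same length, new content
        os.chmod(root / "bin" / "ls", 0o4755)                       # setuid bit added
        (root / "etc" / "shadow").write_text("root:!:19000::::::\n")
        (root / "etc" / "passwd").unlink()
        return compare(reference, baseline(root))


if __name__ == "__main__":
    print(demo())
```

The same-size replacement is caught only by the digest, and the setuid bit only by the mode, which is why a checker records both. The check is only as trustworthy as its database: an attacker with root on the host can rewrite it, so keep the database (and the checker binary) off-host or on read-only media and run the comparison from a known-good system; tripwire and samhain sign their databases for this reason.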
Intrusion Detection Systems: NIDS
- (Deep) packet (protocol) inspection, e.g. try to detect an overlong URL
- Attack pattern recognition, e.g. a port scan followed by malformed service request packets
- Traffic mapping, e.g. who normally talks with whom
- Malware detection (content analysis), e.g. shellcode, viruses ...
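What a network sensor actually does with a packet, as an added example in Python that is not part of the deck or of any NIDS project: it decodes the IPv4 and TCP headers, then applies the detection styles listed on the network-sensor and NIDS slides to the payload, namely byte-sequence signatures (the slide's illustrative pattern 00 45 af 1e, plus an x86 NOP sled as a crude shellcode heuristic), and protocol analysis of the HTTP request line (grammar check and an overlong URL). The packets are constructed in the block; the 2048-byte URL limit, the addresses and the signature names are assumptions for the example.

```python
"""Deep packet inspection on a network sensor (added example, not from the
slides or from any NIDS project).  Parses IPv4/TCP headers, then applies
byte-sequence signatures and HTTP request-line protocol analysis to the
payload.  The packets are constructed below; 'example-byte-seq' is the slide's
own illustrative pattern 00 45 af 1e, not a real attack signature."""
import re
import socket
import struct

MAX_URL_LEN = 2048          # assumed site policy for 'overlong URL'
SIGNATURES = {
    "nop-sled": b"\x90" * 32,                    # x86 NOP sled, shellcode heuristic
    "example-byte-seq": bytes.fromhex("0045af1e"),
}
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def build_packet(src, dst, sport, dport, payload, flags=0x18):
    """Constructed IPv4+TCP packet (zero checksums, no options) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload


def parse(packet):
    """Decode IPv4 and TCP headers; None for non-TCP, non-IPv4 or truncated data.
    A real sensor also has to defragment and reassemble streams first."""
    if len(packet) < 20:
        return None
    vihl, _, total_len, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s",
                                                               packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != 6 or ihl < 20 or len(packet) < ihl + 20:
        return None
    sport, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH",
                                                            packet[ihl:ihl + 20])
    doff = (off >> 4) * 4
    if doff < 20 or len(packet) < ihl + doff:
        return None
    return {"src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d), "sport": sport,
            "dport": dport, "flags": flags, "payload": packet[ihl + doff:total_len]}


def inspect(packet):
    """Return a list of (src, dst, dport, kind, detail) alerts for one packet."""
    pkt = parse(packet)
    if pkt is None:
        return []
    findings = []
    payload = pkt["payload"]
    for name, sig in SIGNATURES.items():            # pattern recognition
        if sig in payload:
            findings.append(("signature", name))
    if pkt["dport"] == 80 and payload:               # protocol analysis
        m = REQUEST_LINE.match(payload)
        if m is None:
            findings.append(("protocol", "malformed HTTP request line"))
        elif len(m.group(2)) > MAX_URL_LEN:
            findings.append(("protocol", "overlong URL (%d bytes)" % len(m.group(2))))
    return [(pkt["src"], pkt["dst"], pkt["dport"], k, d) for k, d in findings]


def demo():
    """Constructed traffic: a clean request, an overlong URL, a malformed
    request, an SMB-port payload with a NOP sled, and a truncated packet."""
    traffic = {
        "clean": build_packet("10.0.0.7", "10.0.0.5", 40000, 80,
                              b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
        "overlong": build_packet("10.0.0.7", "10.0.0.5", 40001, 80,
                                 b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n"),
        "malformed": build_packet("10.0.0.7", "10.0.0.5", 40002, 80,
                                  b"\x01\x02\x03 not http\r\n"),
        "shellcode": build_packet("10.0.0.7", "10.0.0.5", 40003, 445,
                                  b"\x90" * 64 + b"\xcc\xcc"),
        "truncated": b"\x45\x00",
    }
    return {name: inspect(p) for name, p in traffic.items()}


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts)
```

Every packet goes through header decoding and then a full scan of the payload against each signature, which is the per-packet cost the network-sensor slide contrasts with a switch that only reads the header. Note that the inspection works on one packet at a time; a request split across two TCP segments, or an IP fragment, is not seen whole here, which is exactly what the stream and fragment preprocessors of a real sensor exist for.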
Intrusion Detection Systems: NIDS software
- Snort
- Prelude
- Bro (renamed Zeek in 2018)
- Suricata
- HLBR
- X-RAY (Windows; discontinued, last release 2006)
- Winpooch (Windows; discontinued, last release 2007)
Intrusion Detection Systems: Snort
www.snort.org (the de facto standard)
- Signature-based detection
- Limited anomaly detection
- Prevention using flexresp (active response: TCP resets / ICMP unreachables)
- Open source
- Large community support
Intrusion Detection Systems: Snort modules
Preprocessors
- stream5: TCP reassembly & state tracking
- frag3: IP defragmentation module
- sfportscan: port scan detection
- <protocol>: protocol-specific inspection (http, ssh, dns ...)
Output
- syslog / binary log / tcpdump format, csv
- database / fast log
- prelude
- reaction plugins / scripts
Intrusion Detection Systems: Prelude
http://www.prelude-technologies.com
- libprelude
- IDMEF (Intrusion Detection Message Exchange Format, RFC 4765)
- Sensors
- Managers
- Frontend
Intrusion Detection Systems: IDS deployment
Placement
- Inside the firewall: sees only what the firewall lets through, i.e. the attempts that actually reach the hosts, but not the blocked ones
- Outside the firewall: lots of false positives due to internet noise
- Between internal network segments
Types
- Inline (can block, but adds latency and is a point of failure)
- Mirror port (SPAN port) => out of band (the switch may drop mirrored packets under load)
- Network tap => out of band (passive; sees every packet, cannot block)
Intrusion Detection Systems: IDS drawbacks
- False positives
- Enumeration of evil (a blacklist only catches what is already known)
- Expanding bandwidth
- Encryption (SSL/TLS, IPsec) hides the payload from the sensor
- Evasion:
  - protocol abuse (fragmentation, splitting a request across segments)
  - encoding
Intrusion Detection Systems: Facts
- An IDS does not prevent anything by itself, but it makes the event visible and thus allows a response
- An IDS requires user experience and training
- An IDS requires a lot of initial work before it can be used in a production environment
- An IDS needs to be maintained constantly
- An IDS is more than just tools: it should be an integrated security process
Intrusion Detection Systems: Bibliography
- BSI-Leitfaden zur Einführung von Intrusion-Detection-Systemen (old, but good): https://www.bsi.bund.de/cln_165/contentbsi/publikationen/studien/ids02/index_htm.html
- Stephen Northcutt, Judy Novak: Network Intrusion Detection (2002), ISBN-10 0735712654
- Ryan Trost: Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century (2009), ISBN-10 0321591801
- Product / project specific documentation