Network and Data Security (Segurança Redes e Dados)


Network and Data Security (Segurança Redes e Dados). Intrusions. 2012/2012. Manuel Eduardo Correia, Pedro Brandão

Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for Computer Security: Principles and Practice, 1/e, by William Stallings and Lawrie Brown. Some slides are from Mark Stamp, Information Security: Principles and Practice, 2nd edition (Wiley 2011).

Definitions

Intrusion Prevention
- Want to keep the bad guys out
- Intrusion prevention is the traditional focus of computer security
- Authentication is meant to prevent intrusions
- Firewalls are a form of intrusion prevention
- Virus defenses are aimed at intrusion prevention
- Like locking the door on your car

Intrusion Detection Systems
- Who is the likely intruder?
  - May be an outsider who got through the firewall
  - May be an evil insider
- What do intruders do?
  - Launch well-known attacks
  - Launch variations on well-known attacks
  - Launch new / little-known attacks
  - Borrow system resources
  - Use the compromised system to attack others, etc.

Intruders
- A significant issue: hostile/unwanted trespass, ranging from benign to serious
- User trespass: unauthorized logon, privilege abuse
- Software trespass: virus, worm, or Trojan horse
- Classes of intruders: masquerader, misfeasor, clandestine user
- Intruder: (I) An entity that gains or attempts to gain access to a system or system resource without having authorization to do so. (from RFC 4949)

Examples of Intrusion
- remote root compromise
- web server defacement
- guessing / cracking passwords
- copying / viewing sensitive data / databases
- running a packet sniffer
- distributing pirated software on unwilling machines
- using an unsecured modem to access the net
- impersonating a user to reset a password
- using an unattended workstation

Security Intrusion & Detection
- Security Intrusion: a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
- Intrusion Detection: (I) Sensing and analysing system events for the purpose of noticing (i.e., becoming aware of) attempts to access system resources in an unauthorized manner. This includes the following subtypes:
  - "Active detection": Real-time or near-real-time analysis of system event data to detect current intrusions, which result in an immediate protective response.
  - "Passive detection": Off-line analysis of audit data to detect past intrusions, which are reported to the system security officer for corrective action.
- From RFC 4949, Internet Security Glossary, Version 2

Hacker and Cracker
- hacker:
  1. (I) Someone with a strong interest in computers, who enjoys learning about them, programming them, and experimenting and otherwise working with them.
  2. (O) "An individual who spends an inordinate amount of time working on computer systems for other than professional purposes."
  3. (D) Synonym for "cracker". Deprecated Usage: Today, the term is frequently (mis)used (especially by journalists) with definition 3.
- cracker: (I) Someone who tries to break the security of, and gain unauthorized access to, someone else's system, often with malicious intent. (See: adversary, intruder, packet monkey, script kiddy. Compare: hacker.)

Crackers
- motivated by the thrill of access and status
- the hacking community is a strong meritocracy: status is determined by level of competence
- benign intruders might be tolerable, but they do consume resources and may slow performance
- can't know in advance whether an intruder is benign or malign
- IDS/IPS/VPNs can help counter them
- awareness led to the establishment of Computer Emergency Response Teams (CERTs), which collect and disseminate vulnerability info and responses

Cracker Behavior Example
1. select target using IP lookup tools
2. map network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture password
7. use password to access remainder of network

Criminal Enterprise
- organized groups of crackers are now a threat: corporation / government / loosely affiliated gangs
- typically young, often Eastern European or Russian hackers
- common target: credit cards on e-commerce servers
- criminal crackers usually have specific targets
- once penetrated, they act quickly and get out
- IDS/IPS help but are less effective; sensitive data needs strong protection

Criminal Enterprise Behavior
1. act quickly and precisely to make their activities harder to detect
2. exploit perimeter via vulnerable ports
3. use Trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes

Insider Attacks
- among the most difficult to detect and prevent
- employees have access and systems knowledge
- may be motivated by revenge / entitlement when employment is terminated, or may take customer data when moving to a competitor
- IDS/IPS may help, but also need: least privilege, log monitoring, strong authentication, and a termination process to block access and mirror data

Insider Behavior Example
- create network accounts for themselves and their friends
- access accounts and applications they wouldn't normally use for their daily jobs
- e-mail former and prospective employers
- conduct furtive instant-messaging chats
- visit web sites that cater to disgruntled employees, such as f'dcompany.com
- perform large downloads and file copying
- access the network during off hours

Intrusion Techniques
- objective: to gain access or increase privileges
- initial attacks often exploit system or software vulnerabilities
  - to execute code and obtain a backdoor, e.g. via a buffer overflow
  - or to gain protected information, e.g. by password guessing or acquisition

IDS approaches

Intrusion Detection Systems
- classify intrusion detection systems (IDSs) as:
  - Host-based IDS: monitors single host activity
  - Network-based IDS: monitors network traffic
- logical components:
  - sensors: collect data
  - analyzers: determine if an intrusion has occurred
  - user interface: manage / direct / view the IDS

IDS Principles
- assume intruder behavior differs from that of legitimate users
- expect overlap between the two, as shown (figure of the two behavior profiles)
- observe deviations from past history
- problems of false positives and false negatives: must compromise between the two

IDS Requirements
- run continually
- be fault tolerant
- resist subversion
- impose a minimal overhead on the system
- be configured according to system security policies
- adapt to changes in systems and users
- scale to monitor large numbers of systems
- provide graceful degradation of service
- allow dynamic reconfiguration

Host-Based IDS
- monitors activities on hosts for known attacks and suspicious behavior
- designed to detect attacks such as buffer overflow, escalation of privilege, ...
- can detect both external and internal intrusions
- little or no view of network activities

Audit Records
- a fundamental tool for intrusion detection
- two variants:
  - native audit records: provided by the O/S; always available, but may not be optimum for detection
  - detection-specific audit records: IDS specific; additional overhead, but specific to the IDS task; often log individual elementary actions
- e.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp

Distributed Host-Based IDS (architecture figures)

Some examples of Host IDSs
- OSSEC: log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response
- Tripwire Open Source version: data integrity tool, useful for monitoring and alerting on specific file change(s); there is also a commercial version
- AIDE (Advanced Intrusion Detection Environment): file and directory integrity checker
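The file-integrity checking that Tripwire and AIDE perform reduces to a baseline of per-file digests and metadata that a later scan is compared against. The following is an added example, not code from OSSEC, Tripwire or AIDE: it snapshots SHA-256 digest, size and permission bits for every regular file under a directory, then reports added, removed and modified paths. The directory layout, file contents and the simulated "intrusion" (a trojaned binary of the same size, a new backdoor script, a world-writable passwd) are all constructed in a temporary directory for the demonstration.

```python
"""Minimal file-integrity checker in the style of Tripwire / AIDE.

Added example, not code from OSSEC, Tripwire or AIDE. It records a
baseline of SHA-256 digest, size and permission bits for every regular
file under a directory, then compares a later scan against the baseline
and reports added, removed and modified paths. The directory layout and
the "intrusion" below are constructed in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile


def sha256_of(path, chunk=65536):
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, size, mode bits) for regular files.

    lstat is used, so a symlink swapped in for a regular file is not
    followed and hashed; it simply disappears from the regular-file set."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            db[rel] = (sha256_of(full), st.st_size, stat.S_IMODE(st.st_mode))
    return db


def compare(baseline, current):
    """Diff two snapshots. A change in content, size or mode counts as modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, simulate an intrusion, rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        login = os.path.join(root, "bin", "login")
        passwd = os.path.join(root, "passwd")
        with open(login, "wb") as f:
            f.write(b"original login binary\n")
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(passwd, 0o644)          # pin the mode so the baseline is deterministic
        baseline = snapshot(root)

        # Simulated intrusion: trojaned binary (same size, different bytes, so
        # only the digest catches it), a new backdoor script, and passwd made
        # world-writable (same content, only the mode changes).
        with open(login, "wb") as f:
            f.write(b"trojaned login binary\n")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"#!/bin/sh\n# placeholder backdoor\n")
        os.chmod(passwd, 0o666)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check is only as trustworthy as the baseline: like Tripwire and AIDE, it must be taken on a known-clean system and stored (and signed or kept offline) where an intruder with root cannot rewrite it along with the files.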

Network-Based IDS
- a network-based IDS (NIDS) monitors traffic at selected points on a network in (near) real time to detect intrusion patterns: known attacks and suspicious network activity
- may examine network, transport and/or application level protocol activity directed toward systems
- designed to detect attacks such as denial of service, network probes, malformed packets, etc.
- comprises a number of sensors:
  - inline (possibly as part of another network device)
  - passive (monitors a copy of the traffic)
- some overlap with firewalls
- little or no view of host-based attacks

NIDS Sensor Deployment (figure)

Some examples of Net IDSs
- Snort: network intrusion prevention and detection system (IDS/IPS) [...] combining the benefits of signature, protocol, and anomaly-based inspection
- Bro (renamed Zeek in 2018): while focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well

Distributed Adaptive Intrusion Detection (figure)

Intrusion Detection Exchange Format: the Intrusion Detection Message Exchange Format (IDMEF, RFC 4765) and its transport protocol IDXP (RFC 4767), both by the IETF Intrusion Detection Working Group (IDWG)

Some examples of SIEM (Security Information and Event Management) tools
- OSSIM: provides a strong correlation engine, detailed low, medium and high level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services
- ACARM-ng (Alert Correlation, Assessment and Reaction Module - next generation): responsible for the collection and correlation of alerts sent by network and host sensors, also referred to as NIDS and HIDS respectively
- Cyberoam iView: delivers identity-based logging and reporting across multiple devices, protocols and locations, enabling organizations to discover not just the threats, but also to correlate these with the who, what, why, where and when of an attack

Honeypots
- are decoy systems filled with fabricated info
- instrumented with monitors / event loggers
- divert and hold the attacker to collect activity info without exposing production systems
- initially were single systems; more recently they are, or emulate, entire networks

Honeypot Deployment (figure: honeypot placements relative to the DMZ)

Intrusion Detection Techniques

Intrusion Detection Techniques
- signature detection: at application, transport and network layers; unexpected application services, policy violations
- anomaly detection: of denial of service attacks, scanning, worms
- when a potential violation is detected, the sensor sends an alert and logs information
  - used by the analysis module to refine intrusion detection parameters and algorithms
  - used by the security admin to improve protection

Signature Detection Example
- Failed login attempts may indicate a password cracking attack
- IDS could use the rule "N failed login attempts in M seconds" as a signature
- If N or more failed login attempts occur in M seconds, IDS warns of attack
- Note that such a warning is specific
  - Admin knows what attack is suspected
  - Easy to verify the attack (or false alarm)

Signature Detection
- Suppose IDS warns whenever N or more failed logins occur in M seconds
- Set N and M so false alarms are not common; can do this based on normal behavior
- But, if Trudy knows the signature, she can try N-1 logins every M seconds
- Then signature detection slows down Trudy, but might not stop her

Signature Detection
- Many techniques are used to make signature detection more robust
- Goal is to detect "almost" signatures; for example, if "about" N login attempts in "about" M seconds, warn of a possible password cracking attempt
- What are reasonable values for "about"? Can use statistical analysis, heuristics, etc.
- Must not increase the false alarm rate too much
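The three slides above (the "N failed logins in M seconds" rule, Trudy's N-1 evasion, and the "about N in about M" loosening) are small enough to run end to end. The block below is an added example, not code from the slides or from any IDS product: it parses a few constructed syslog-style sshd lines (the line format, timestamps and addresses are assumptions of this example), keeps a sliding window of failure timestamps per source address and alerts when N failures fall within M seconds. It then generates Trudy's slow attacker and shows that the strict rule misses her, while one concrete reading of "about", a longer window with a proportionally lower rate (2N failures in 3M seconds), still catches her.

```python
"""Signature detection for password guessing ("N failed logins in M seconds").

Added example, not from the slides or any IDS product. The log format,
the timestamps and the addresses are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque

# Constructed log: "<epoch seconds> sshd: <Failed|Accepted> password for <user> from <ip>"
SAMPLE_LOG = """\
1000 sshd: Failed password for root from 203.0.113.7
1002 sshd: Failed password for root from 203.0.113.7
1004 sshd: Failed password for admin from 203.0.113.7
1005 sshd: Accepted password for alice from 198.51.100.2
1006 sshd: Failed password for root from 203.0.113.7
1007 sshd: Failed password for root from 203.0.113.7
"""

FAILED_RE = re.compile(r"^(\d+) sshd: Failed password for (\S+) from (\S+)$")


def parse_failures(text):
    """Return [(timestamp, source_ip), ...] for each failed-login line."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(3)))
    return out


def detect(events, n, m):
    """Strict signature: alert when at least n failures from one source
    fall within m seconds. Events must be in time order. The window is
    cleared after an alert so one burst yields one alert rather than one
    per extra failure. Returns [(source_ip, alert_time), ...]."""
    windows = defaultdict(deque)
    alerts = []
    for ts, ip in events:
        w = windows[ip]
        w.append(ts)
        while ts - w[0] > m:          # forget failures older than the window
            w.popleft()
        if len(w) >= n:
            alerts.append((ip, ts))
            w.clear()
    return alerts


def slow_attacker(n, m, bursts, ip="203.0.113.9"):
    """Trudy's evasion from the slides: n-1 attempts one second apart,
    then a pause of m+1 seconds so the window has emptied, repeated."""
    events, ts = [], 0
    for _ in range(bursts):
        for _ in range(n - 1):
            events.append((ts, ip))
            ts += 1
        ts += m + 1
    return events


if __name__ == "__main__":
    N, M = 4, 10
    print("log alerts:", detect(parse_failures(SAMPLE_LOG), N, M))
    slow = slow_attacker(N, M, bursts=5)
    print("strict rule vs slow attacker:", detect(slow, N, M))      # nothing
    print("'about' rule (2N in 3M):", detect(slow, 2 * N, 3 * M))   # caught
```

Note what the looser rule costs: a legitimate user who mistypes a password eight times in half a minute now trips it too, which is exactly the false-alarm trade-off the slide warns about. In practice the window and threshold are tuned against a sample of normal authentication logs before the rule goes live.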

Signature Detection
- Advantages of signature detection:
  - Simple
  - Detects known attacks
  - Know which attack at the time of detection
  - Efficient (if there is a reasonable number of signatures)
- Disadvantages of signature detection:
  - Signature files must be kept up to date
  - Number of signatures may become large
  - Can only detect known attacks
  - A variation on a known attack may not be detected

Anomaly Detection
- Anomaly detection systems look for unusual or abnormal behavior
- There are (at least) two challenges:
  - What is normal for this system?
  - How far from normal is abnormal?
- No avoiding statistics here!
  - the mean defines normal
  - the variance gives the distance from normal to abnormal

How to Measure Normal?
- Must measure during representative behavior
- Must not measure during an attack, or else the attack will seem normal!
- Normal is the statistical mean
- Must also compute the variance to have any reasonable idea of abnormal

How to Measure Abnormal?
- Abnormal is relative to some normal; abnormal indicates a possible attack
- Statistical discrimination techniques include:
  - Bayesian statistics
  - Linear discriminant analysis (LDA)
  - Quadratic discriminant analysis (QDA)
  - Neural nets, hidden Markov models (HMMs), etc.
- Fancy modeling techniques are also used:
  - Artificial intelligence
  - Artificial immune system principles
  - Many, many, many others

Anomaly Detection (1)
- Suppose we monitor use of three commands: open, read, close
- Under normal use we observe Alice: open, read, close, open, open, read, close, ...
- Of the nine possible ordered pairs (3 x 3, since a command may follow itself, as (open, open) does), we see four that are normal for Alice: (open, read), (read, close), (close, open), (open, open)
- Can we use this to identify unusual activity?

Anomaly Detection (1)
- We monitor use of the three commands open, read, close
- If the ratio of abnormal to normal pairs is too high, warn of a possible attack
- Could improve this approach by:
  - Also using the expected frequency of each pair
  - Using more than two consecutive commands
  - Including more commands/behavior in the model
  - More sophisticated statistical discrimination
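The command-pair model of the two slides above, as an added example that is not code from the slides: it learns which ordered pairs of consecutive commands occur in a constructed "normal" trace for Alice (the trace on the slide), scores a new trace by the ratio of never-seen pairs, and also implements the first improvement the slide lists, weighting each pair by its expected frequency. The traces used for scoring and the 0.3 alarm threshold are assumptions of this example.

```python
"""Command-pair anomaly detection (Alice's open/read/close model).

Added example, not code from the slides. Trains on a constructed normal
trace, then scores new traces by (a) the fraction of pairs never seen in
training and (b) a frequency-weighted score. Threshold and test traces
are assumptions of this example.
"""
from collections import Counter
from itertools import product

COMMANDS = ("open", "read", "close")


def pairs(trace):
    """Consecutive ordered pairs of a command sequence."""
    return list(zip(trace, trace[1:]))


def train(trace):
    """Relative frequency of every possible ordered pair (3 x 3 = 9 for
    three commands, repeats allowed); pairs never observed get 0.0."""
    counts = Counter(pairs(trace))
    total = sum(counts.values())
    return {p: counts[p] / total for p in product(COMMANDS, repeat=2)}


def abnormal_ratio(model, trace):
    """Fraction of the trace's pairs that never occurred during training
    (the "ratio of abnormal to normal pairs" idea from the slide)."""
    ps = pairs(trace)
    return sum(1 for p in ps if model.get(p, 0.0) == 0.0) / len(ps)


def weighted_score(model, trace):
    """Mean of (1 - training frequency) over the trace's pairs: an unseen
    pair costs 1.0, a frequent pair costs little. This uses the expected
    frequency of each pair, the first improvement the slide suggests."""
    ps = pairs(trace)
    return sum(1.0 - model.get(p, 0.0) for p in ps) / len(ps)


def is_anomalous(model, trace, threshold=0.3):
    """Alarm when too many of the observed pairs are unknown for this user."""
    return abnormal_ratio(model, trace) > threshold


# Constructed training trace, following the slide's description of Alice.
NORMAL_TRACE = ["open", "read", "close", "open", "open", "read", "close"]
MODEL = train(NORMAL_TRACE)


if __name__ == "__main__":
    seen = sorted(p for p, f in MODEL.items() if f > 0)
    print("pairs normal for Alice:", seen)        # the four pairs from the slide
    trudy = ["read", "open", "close", "close", "read", "open"]
    print("Trudy: ratio", abnormal_ratio(MODEL, trudy),
          "weighted", round(weighted_score(MODEL, trudy), 3),
          "alarm", is_anomalous(MODEL, trudy))
```

A trace that only reorders Alice's own commands (read, open, close, close, ...) scores 1.0 because none of its pairs were ever seen, while a trace with a single stray (close, close) among Alice's usual pairs scores 0.2 and stays below the threshold; the threshold is where the false-positive versus false-negative compromise from the IDS Principles slide is made.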

Anomaly Detection (2)
- Over time, Alice has accessed file F_n at rate H_n:
    H_0   H_1   H_2   H_3
    .10   .40   .40   .10
- Recently, Alice has accessed F_n at rate A_n:
    A_0   A_1   A_2   A_3
    .10   .40   .30   .20
- Is this normal use for Alice?
- We compute S = (H_0 - A_0)^2 + (H_1 - A_1)^2 + ... + (H_3 - A_3)^2 = .02
- We consider S < 0.1 to be normal, so this is normal
- How to account for use that varies over time?

Anomaly Detection (2)
- To allow "normal" to adapt to new use, we update the averages: H_n = 0.2 A_n + 0.8 H_n
- In this example, H_2 and H_3 are updated: H_2 = .2(.3) + .8(.4) = .38 and H_3 = .2(.2) + .8(.1) = .12
- And we now have
    H_0   H_1   H_2   H_3
    .10   .40   .38   .12

Anomaly Detection (2)
- The updated long term average is
    H_0   H_1   H_2   H_3
    .10   .40   .38   .12
- Suppose the new observed rates are
    A_0   A_1   A_2   A_3
    .10   .30   .30   .30
- Is this normal use? Compute S = (H_0 - A_0)^2 + ... + (H_3 - A_3)^2 = .0488
- Since S = .0488 < 0.1, we consider this normal
- And we again update the long term averages: H_n = 0.2 A_n + 0.8 H_n

Anomaly Detection (2)
- The starting averages were:
    H_0   H_1   H_2   H_3
    .10   .40   .40   .10
- After 2 iterations, the averages are:
    H_0   H_1   H_2   H_3
    .10   .38   .364  .156
- Statistics slowly evolve to match behavior
- This reduces false alarms for the SA (system administrator)
- But it also opens an avenue for attack:
  - Suppose Trudy always wants to access F_3
  - Can she convince the IDS this is normal for Alice?

Anomaly Detection (2)
- To make this approach more robust, must incorporate the variance
- Can also combine N stats S_i as, say, T = (S_1 + S_2 + S_3 + ... + S_N) / N to obtain a more complete view of normal
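The H_n / A_n example of the preceding slides, carried through in code and then pushed one step further to answer the question the slides leave open (can Trudy make F_3 look normal for Alice?). This is an added example, not code from the slides: it implements S = sum over n of (H_n - A_n)^2 with the 0.1 threshold and the update H_n = 0.2 A_n + 0.8 H_n, reproduces the values .02, .0488 and (.10, .38, .364, .156), and then simulates a slow-drift attacker who mimics Alice's current profile for 75% of her accesses and spends the remaining 25% on F_3. The mixing weight (0.25), the decision to freeze the profile on alarm, and the stopping point (H_3 above 0.9) are assumptions of this example.

```python
"""File-access-rate anomaly detection (the H_n / A_n statistic of the slides).

Added example, not code from the slides or from any IDS. Implements the
S statistic, the exponential update of the long-term rates, and a
simulation of the "go slow" attack. lam, the freeze-on-alarm policy and
the goal H_3 > 0.9 are assumptions of this example.
"""
ALPHA = 0.2        # weight of the recent rates in the update (the slides' 0.2)
THRESHOLD = 0.1    # S below this is considered normal


def s_stat(h, a):
    """Squared distance between long-term rates h and recent rates a."""
    return sum((hn - an) ** 2 for hn, an in zip(h, a))


def update(h, a, alpha=ALPHA):
    """Exponentially weighted update H_n <- alpha*A_n + (1-alpha)*H_n."""
    return [alpha * an + (1 - alpha) * hn for hn, an in zip(h, a)]


def step(h, a):
    """One IDS cycle. Returns (is_normal, S, new_h).

    The profile is updated only when the observation is judged normal; on
    an alarm h is left unchanged so a blatant attack is not learned."""
    s = s_stat(h, a)
    normal = s < THRESHOLD
    return normal, s, (update(h, a) if normal else list(h))


def slides_example():
    """Replay the two observations from the slides; returns (S1, S2, final H)."""
    h = [0.10, 0.40, 0.40, 0.10]
    _, s1, h = step(h, [0.10, 0.40, 0.30, 0.20])
    _, s2, h = step(h, [0.10, 0.30, 0.30, 0.30])
    return s1, s2, h


def drift_attack(h, target, lam=0.25, watch=3, goal=0.9, max_rounds=1000):
    """Trudy's slow convergence.

    Each period she reproduces Alice's current profile for a fraction
    (1 - lam) of her accesses and spends the rest on the target file, so
    the observed rates are A = (1-lam)*H + lam*target, still a distribution.
    Then S = lam^2 * ||H - target||^2, which for lam = 0.25 starts at
    0.07125 (below THRESHOLD) and shrinks every round as H moves toward
    target. Returns (rounds, max_S, final_h, alarmed)."""
    rounds, max_s, alarmed = 0, 0.0, False
    while h[watch] <= goal and rounds < max_rounds:
        a = [(1 - lam) * hn + lam * tn for hn, tn in zip(h, target)]
        normal, s, h = step(h, a)
        max_s = max(max_s, s)
        alarmed = alarmed or not normal
        rounds += 1
    return rounds, max_s, h, alarmed


if __name__ == "__main__":
    print("slides:", slides_example())
    print("drift :", drift_attack([0.10, 0.40, 0.40, 0.10], [0.0, 0.0, 0.0, 1.0]))
```

With these parameters the long-term profile is pulled toward F_3 by a factor of 0.95 per round (0.8 H + 0.2 (0.75 H + 0.25 target) = 0.95 H + 0.05 target), so after 43 periods H_3 exceeds 0.9 and S never came within reach of the threshold. This is the "attacker may win simply by going slow" point of the next slide; a variance term, or a second statistic on a longer horizon such as the T average above, is what makes such a monotone drift visible.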

Anomaly Detection Issues
- Systems constantly evolve, and so must the IDS
  - A static system would place a huge burden on the admin
  - But an evolving IDS makes it possible for an attacker to (slowly) convince the IDS that an attack is normal
  - The attacker may win simply by going slow
- What does abnormal really mean?
  - Indicates there may be an attack
  - Might not give any specific info about the attack
  - How to respond to such vague information?
  - In contrast, signature detection is very specific

Anomaly Detection
- Advantages?
  - Chance of detecting unknown attacks
- Disadvantages?
  - Cannot use anomaly detection alone; must be used together with signature detection
  - Reliability is unclear
  - May itself be subject to attack
  - Anomaly detection indicates something unusual, but lacks specific info on the possible attack

Anomaly Detection: The Bottom Line
- Anomaly-based IDS is an active research topic
- Many security experts have high hopes for its ultimate success; it is often cited as a key future security technology
- Hackers are not convinced! Title of a talk at Defcon: "Why Anomaly-based IDS is an Attacker's Best Friend"
- Anomaly detection is difficult and tricky: as hard as AI?

Summary
- introduced intruders and intrusion detection nomenclature
- intrusion detection approaches:
  - host-based (single and distributed)
  - network
  - distributed adaptive
  - Security Information and Event Management
  - honeypots
- intrusion detection techniques: signature and anomaly

The end