Security Intrusion & Detection

Security Intrusion: one security event, or a combination of security events, in which an intruder gains (or attempts to gain) access to a system without having authorization to do so.

Intrusion Detection: a security service that monitors and analyzes system events to find, and provide (real-time) warning of, attempts at unauthorized access to resources.

Intrusion Detection Systems (IDSs)

Intrusion detection systems are classified as:
- Host-based IDS (HIDS): monitors the activity of a single host
  » Distributed host-based IDS: combines information from multiple hosts
- Network-based IDS (NIDS): monitors network traffic

Logical components:
- Sensors: collect data, e.g., login information
- Analyzers: determine whether an intrusion has occurred
- User interface: manage / direct / view the IDS
IDS Principles

- assume that intruder behavior differs from that of legitimate users
- expect overlap between the two, as shown in the figure
- observe deviations from past history
- problems of:
  » false positives: a legitimate user identified as an intruder
  » false negatives: intruders not identified
- must compromise: keep false positives low while minimizing false negatives

IDS Requirements

- run continually with minimal human supervision (the IDS may see thousands of alarms per day!)
- be fault tolerant (a crash may be the prelude of an attack)
- resist subversion: monitor itself
- impose minimal overhead on the system: not signing every packet!
- be configured according to the system's security policies
- adapt to changes in systems and users (many dynamics in a system: load and resource variances)
- scale to monitor a large number of systems
- provide graceful degradation of service: partial failures happen; we have to live with them
- allow dynamic reconfiguration: difficult (cf. the Openswitch architecture)
Host-Based IDS (HIDS)

- specialized software that monitors system activity to detect suspicious behavior
- primary purpose is to detect intrusions, log suspicious events, and send alerts
- can detect both external and internal intrusions
- two approaches, often used in combination:
  » anomaly detection: define normal behavior (threshold detection; profile-based detection)
  » signature detection: define proper behavior (sequence of events)

Audit Records

- a fundamental tool for intrusion detection
- two variants:
  » native audit records: provided by the O/S; always available, but may not be optimal for detection
  » detection-specific audit records: IDS-specific; additional overhead, but tailored to the IDS task; often log individual elementary actions
- example record:

  subject | action | object         | exception-condition | resource-usage | time-stamp
  Smith   | Read   | <Library>G.exe | 0                   | RECORDS=0      | 11058721679
/var/log/message-20090215 (native audit records, as produced by syslog)

Feb 8 04:07:19 sns1 kernel: imklog 3.20.2, log source = /proc/kmsg started.
Feb 8 04:07:19 sns1 rsyslogd: [origin software="rsyslogd" swversion="3.20.2" x-pid="1620" x-info="http://www.rsyslog.com"] restart
Feb 10 12:50:01 sns1 gconfd (gdm-2236): Exiting
Feb 10 12:50:02 sns1 gconfd (root-1877): starting (version 2.22.0), pid 1877 user 'root'
Feb 10 12:50:02 sns1 gconfd (root-1877): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Feb 10 12:50:02 sns1 gconfd (root-1877): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Feb 10 12:50:02 sns1 gconfd (root-1877): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Feb 10 12:50:02 sns1 gdm-session-worker[1927]: WARNING: unable to log session
Feb 10 12:50:07 sns1 pulseaudio[2006]: main.c: This program is not intended to be run as root (unless --system is specified).
Feb 10 12:50:08 sns1 pulseaudio[2006]: module-x11-xsmp.c: X11 session manager not running.
Feb 10 12:50:08 sns1 pulseaudio[2006]: module.c: Failed to load module "module-x11-xsmp" (argument: ""): initialization failed.

Anomaly Detection: threshold detection

- checks for an excessive number of events over a time interval
- must determine both the thresholds and the time intervals, e.g.:
  » 1000 emails in 1 session
  » 100 login tries in 1 hour
  » several logins from different places at around the same time
- on its own, a crude and ineffective intruder detector: an attacker learns the time interval and the threshold
- useful when combined with other, more sophisticated solutions
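Two of the thresholds listed above (login attempts per hour, logins from different places around the same time) are easy to apply to authentication records such as the ones syslog produces. The following is an added example, not code from the lecture: a sliding-window threshold detector over a few constructed sshd-style lines (hosts, users and addresses are made up; the year is assumed to be 2009 to match the log file name above). The threshold and window are parameters, since, as the slide notes, picking them is the hard part.

```python
"""Threshold-based anomaly detection over syslog-style authentication records.

Added example (not from the slides). Flags a user once the number of failed
logins inside a sliding window exceeds a threshold, and flags a user who has
successful logins from more than one source within a short interval.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records in OpenSSH's message format; all values are made up.
SAMPLE_LOG = """\
Feb 10 12:50:01 sns1 sshd[2100]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Feb 10 12:50:03 sns1 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Feb 10 12:50:05 sns1 sshd[2102]: Failed password for invalid user admin from 10.0.0.5 port 40003 ssh2
Feb 10 12:50:08 sns1 sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 40004 ssh2
Feb 10 12:51:00 sns1 sshd[2110]: Accepted password for smith from 10.0.0.7 port 40100 ssh2
Feb 10 12:52:30 sns1 sshd[2111]: Accepted password for smith from 192.168.9.9 port 40200 ssh2
Feb 10 13:30:00 sns1 sshd[2120]: Failed password for jones from 10.0.0.8 port 40300 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(log_text, year=2009):
    """Yield (timestamp, result, user, src) for every sshd line we understand.

    Syslog lines carry no year, so the caller supplies one (assumed 2009 here).
    Lines from other daemons are skipped rather than treated as errors."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]


def failed_login_bursts(records, threshold=100, window_s=3600):
    """Return {user: timestamp at which the threshold was first exceeded}.

    Counts failed logins per user inside a sliding window of window_s seconds;
    the defaults encode the slide's "100 login tries in 1 hour"."""
    alerts = {}
    recent = defaultdict(deque)          # user -> timestamps of recent failures
    for ts, result, user, _src in records:
        if result != "Failed":
            continue
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) > threshold and user not in alerts:
            alerts[user] = ts
    return alerts


def multi_location_logins(records, window_s=300):
    """Return {user: set of sources} for users with successful logins from more
    than one source within window_s seconds of each other ("several logins
    from different places around the same time")."""
    alerts = {}
    recent = defaultdict(deque)          # user -> (timestamp, source) of recent successes
    for ts, result, user, src in records:
        if result != "Accepted":
            continue
        q = recent[user]
        q.append((ts, src))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        sources = {s for _, s in q}
        if len(sources) > 1:
            alerts[user] = sources
    return alerts


if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    print(failed_login_bursts(recs, threshold=3))   # low threshold so the sample trips it
    print(multi_location_logins(recs))
```

Note how the threshold alone says nothing about intent: four bad passwords in seven seconds is the shape of a password-guessing tool, but it is also the shape of a user with a stuck keyboard, which is why the slide recommends combining this with other methods.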
Anomaly Detection: profile based

Idea: characterize the past behavior of users / groups, then detect significant deviations from it.

Method: based on analysis of audit records
- gather metrics:
  » counter: # of ls in a session; can be increased but not decreased
  » gauge: # of connections; can be increased or decreased
  » interval timer: interval between two emails
  » resource utilization: over x% in an interval
- analyze:
  » mean and standard deviation
  » multivariate: correlate multiple variables, e.g., time / destination / data
  » Markov process: transitions between different states
  » time series: e.g., a sequence of spam messages
  » operational model: known patterns

Pros: no need to know the security issues ahead of time

Signature Detection

- observe events on the system and apply a set of rules to decide whether they indicate intruder behavior
- signature approaches:
  » rule-based anomaly detection: analyze historical audit records for expected behavior, then match current behavior against it
  » rule-based penetration identification: rules identify known penetrations / weaknesses, often derived by analyzing attack scripts from the Internet and supplemented with rules from security experts

PS: content signatures are something different. Worm content signature generators: Autograph, Polygraph, EarlyBird.
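The mean-and-standard-deviation analysis above is the simplest profile-based detector, and it is worth seeing concretely because it is where false positives come from: every threshold on a deviation score is a guess about how wide "normal" is. The following is an added example, not code from the lecture: it builds a per-user profile from constructed session histories for three of the metric types named on the slide (a counter, a gauge and an interval timer) and scores a new session by how many standard deviations each metric is from its historical mean. The metric names, the history values and the cut-off k are all assumptions of the example.

```python
"""Profile-based anomaly detection with per-metric mean and standard deviation.

Added example (not from the slides). A profile is {metric: (mean, std-dev)}
learned from past sessions; a new session is flagged on any metric whose
z-score |(x - mean) / std-dev| exceeds k.
"""
from statistics import mean, pstdev

# Constructed history for one user: ten past sessions, one value per metric.
HISTORY = {
    "ls_count":    [12, 15, 9, 14, 11, 13, 10, 16, 12, 14],              # counter
    "connections": [3, 4, 3, 5, 4, 3, 4, 4, 5, 3],                       # gauge
    "email_gap_s": [600, 720, 540, 660, 900, 480, 610, 700, 650, 580],   # interval timer
}


def build_profile(history):
    """Return {metric: (mean, std-dev)} over the historical values.

    A metric that never varied gets a tiny std-dev floor so that scoring
    never divides by zero; any change to it then scores as a large deviation."""
    profile = {}
    for name, values in history.items():
        sd = pstdev(values)
        profile[name] = (mean(values), sd if sd > 0 else 1e-9)
    return profile


def score_session(profile, session):
    """Return {metric: z-score} for every metric present in both profile and session."""
    return {
        name: (session[name] - mu) / sd
        for name, (mu, sd) in profile.items()
        if name in session
    }


def anomalies(profile, session, k=3.0):
    """Metrics whose |z| exceeds k, tagged with the direction of the deviation.

    k is the tunable trade-off from the IDS Principles slide: a smaller k
    catches more intruders and more legitimate users alike."""
    return {
        name: ("high" if z > 0 else "low")
        for name, z in score_session(profile, session).items()
        if abs(z) > k
    }


if __name__ == "__main__":
    prof = build_profile(HISTORY)
    # Constructed new session: far more directory listings than usual and
    # emails sent 30 s apart, both of which this user has never done.
    suspicious = {"ls_count": 40, "connections": 4, "email_gap_s": 30}
    print(anomalies(prof, suspicious))   # {'ls_count': 'high', 'email_gap_s': 'low'}
```

The counter/gauge distinction on the slide matters for how the history is collected, not for the scoring: a counter is read once at the end of the session, a gauge is sampled. A metric with no history at all (a new user) has no profile entry and is silently not scored; a real system would fall back to a group profile for that case.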
Useful IDS tools

- OSSEC, host- (and network-) based open-source IDS, http://www.ossec.net/
  » agent/server model; Windows/Linux/Solaris
  » log analysis and correlation
  » flexible XML-based rules; large existing rule library
  » time-based alerting; integrity checking
  » rootkit detection; active response
  » Windows integration; Nmap integration
- Snort, NIDS, http://snort.org/, No. 1 now
- Bro, NIDS, http://www.bro-ids.org/, high learning curve, better performance
- Nagios, network intrusion detection, http://www.nagios.org/
- Nessus, vulnerability scanner, http://www.nessus.org/nessus/
- develop your own: extra-credit projects. Your opportunities here! Deploy at home and generate a study over a week or month. You can be a white hat and find a solid job in security.

Useful Security Tools

- MS Malicious Software Removal Tool, http://www.microsoft.com/security/malwareremove/default.mspx
- RootkitRevealer, http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
- NMAP, nmap.org: scan open ports
- Wireshark (formerly Ethereal), http://www.wireshark.org/
Conditional Probability and Independence

- a probability may be conditional on another event; the condition may reduce the sample space
- example: the probability that the sum of two dice is 8 given that one of them shows an even number
  » event A = { the sum of the two dice is 8 }
  » event B = { one die is even }
  » AB = { (2,6), (4,4), (6,2) }
  » P(A|B) = ?
  » total choices for two dice: 6 x 6 = 36
  » both faces odd: 3 x 3 = 9, so |B| = 36 - 9 = 27
  » P(A|B) = 3/27 = 1/9
  » P(AB) = 3/36 = 1/12, P(B) = 27/36 = 3/4
  » P(A|B) = P(AB) / P(B) = (1/12) / (3/4) = 1/9
- if A and B are independent, P(AB) = P(A) * P(B)

Bayesian Statistics

- P(AB) = P(A) * P(B|A)
- Bayes theorem: P(A|B) = ( P(A) * P(B|A) ) / P(B)
- extended to n possibilities A_1, ..., A_n that are mutually exclusive and together cover the sample space (as A1, A2, A3, A4 do in the figure, with B overlapping them): given B, what is P(A_i|B)?

  $$P(A_i \mid B) = \frac{P(A_i)\,P(B \mid A_i)}{\sum_{j=1}^{n} P(A_j)\,P(B \mid A_j)}$$
Base Rate Fallacy Example

- very often encountered in medical research
- a test predicts with 99% accuracy whether you have the deadly Mad Cow disease
- the disease has an overall incidence rate of 1/10,000 in the whole population
- you just tested positive!!!!! What is the probability you have the disease???
- you would like to know the probability that you are well although the test is positive: P(well | positive) = ?

What is my probability of having the disease?
- 99%
- about 50%
- about 10%
- less than 1%
- 0%, since I have paid the premium of a $5M life insurance
- 100%, since my wife is celebrating the test result, after seeing the life insurance premium check cleared

P( {you are well although the test is positive} )
  = P(well | positive)
  = P(positive | well) * P(well) / ( P(positive | sick) * P(sick) + P(positive | well) * P(well) )
  = 0.01 * 0.9999 / ( 0.99 * 0.0001 + 0.01 * 0.9999 )
  > 0.99
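The same arithmetic is the reason an IDS with a seemingly good detection rate can still bury its operator in false alarms when real intrusions are rare, which is why the base-rate fallacy sits in an intrusion-detection lecture. The following is an added example, not code from the slides: it implements the extended Bayes formula from the previous slide over n hypotheses using exact fractions, reproduces the dice and Mad Cow numbers above by computation, and then, as an added generalization, applies the same function to an IDS alarm where the hypotheses are "intrusion" and "no intrusion". The IDS rates used (prior 0.001, detection rate 0.9, false-alarm rate 0.01) are assumed for the example.

```python
"""Bayes' theorem over n hypotheses and the base-rate fallacy.

Added example (not from the slides). Computations use fractions.Fraction so
the results are exact; pass probabilities as strings ("0.99") or Fractions
rather than floats to keep them exact.
"""
from fractions import Fraction


def posterior(priors, likelihoods):
    """P(A_i | B) for each i, given P(A_i) and P(B | A_i).

    The A_i must be mutually exclusive and exhaustive, so that
    P(B) = sum_j P(A_j) P(B | A_j) (the denominator of the slide's formula)."""
    joint = [Fraction(p) * Fraction(l) for p, l in zip(priors, likelihoods)]
    total = sum(joint)
    return [j / total for j in joint]


def prob_well_given_positive(accuracy, incidence):
    """P(well | positive) for the Mad Cow test on the slide.

    'accuracy' is taken, as the slide does, as both P(positive | sick) and
    P(negative | well); 'incidence' is P(sick)."""
    acc, inc = Fraction(accuracy), Fraction(incidence)
    _p_sick_given_pos, p_well_given_pos = posterior([inc, 1 - inc], [acc, 1 - acc])
    return p_well_given_pos


def prob_intrusion_given_alert(prior, detection_rate, false_alarm_rate):
    """P(intrusion | alert): the IDS version of the same calculation.

    prior            = P(intrusion) per monitored event (assumed value for the example)
    detection_rate   = P(alert | intrusion)
    false_alarm_rate = P(alert | no intrusion)"""
    p = Fraction(prior)
    return posterior([p, 1 - p], [Fraction(detection_rate), Fraction(false_alarm_rate)])[0]


def dice_conditional():
    """Slide example: P(sum is 8 | at least one die even), by direct counting."""
    outcomes = [(a, b) for a in range(1, 7) for b in range(1, 7)]
    B = [o for o in outcomes if o[0] % 2 == 0 or o[1] % 2 == 0]   # reduced sample space
    AB = [o for o in B if sum(o) == 8]
    return Fraction(len(AB), len(B))


if __name__ == "__main__":
    print(dice_conditional())                                  # 1/9
    print(prob_well_given_positive("0.99", "0.0001"))          # 101/102, i.e. > 0.99
    print(prob_intrusion_given_alert("0.001", "0.9", "0.01"))  # 10/121, about 8%
```

For the IDS case the lesson is the same as for the medical test: with a 1% false-alarm rate and intrusions in one event per thousand, only about 8% of alerts are real, and no improvement to the detection rate fixes that; only lowering the false-alarm rate or raising the prior (by looking at a more suspicious subset of traffic, which is what the later "collaborative" slides are about) does.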
Distributed Host-Based IDS: more promising

- correlates more information
- components:
  » host agent
  » LAN monitor agent
  » central manager

Distributed Host-Based IDS (figure): host audit records are sent to an expert system at the central agent.
Network-Based IDS (NIDS)

- a network-based IDS monitors traffic at selected points on a network, in (near) real time, to detect intrusion patterns
- may examine network-, transport- and/or application-level protocol activity directed toward systems
- comprises a number of sensors:
  » inline sensors: possibly part of network devices, e.g., a NIC in promiscuous mode
  » passive sensors: monitor a copy of the traffic

NIDS Sensor Deployment: where to put them?

- Location 1: threats from outside; helps the firewalls; attacks on Web/mail servers; checks outgoing traffic
- Location 2: types and numbers of external attacks; high workload
- Location 3: specific servers and services; internal/external traffic
- Location 4: critical systems; uses limited resources
Intrusion Detection Techniques

- signature detection at the application, transport and network layers; unexpected application services; policy violations
- anomaly detection: denial-of-service attacks (flooding or algorithmic), scanning (fast/slow), worms (self-replicating)
- when a potential violation is detected, a sensor sends an alert and logs information
  » used by the analysis module to refine intrusion detection parameters and algorithms
  » used by the security admin to improve protection

Distributed Adaptive Intrusion Detection

- perimeter defense and detection: firewalls, HIDS, NIDS
  » limited data to analyze; does not recognize new attacks; slow to respond
  » high-rate vs. low-rate attacks: low-rate attacks stay below the thresholds
- collaborate: more IDSs together
  » more sensors over broader areas, gossip protocol
  » more data, higher statistical accuracy, instead of a long time gathering data on a single host
  » when unsure about an attack, the false positive rate may be too high
  » once an attack is collaboratively identified (when similar activities are seen in other networks), predict that the attack is on the way; the false positive rate becomes low
- host-based IDS provides rich application information
Distributed Adaptive Intrusion Detection (figure)

- gossip about suspects
- PEP: policy enforcement point
- DDI: distributed detection and inference

Intrusion Detection Exchange Format (figure)
Honeypots

Another opportunity for extra credit: http://www.honeypots.net/; Honeyd, http://www.honeyd.org/ (BSD, Linux, Windows, Solaris)

- decoy systems filled with fabricated information
- instrumented with monitors or event loggers
- divert and hold the attacker in order to collect activity information without exposing production systems
- initially were single-PC systems; more recently they are, or emulate, entire networks
- virtual machines (VMs) make this easier, e.g., VMware

Honeypot Deployment

- Location 1: outside the external firewall; diverts attackers; does not see insiders
- Location 2: alongside the externally available services; does not see all attacks; traffic to the pots must be allowed
- Location 3: attracts internal attacks; checks the firewalls; traffic to the pots must be allowed, and if allowed, it potentially exposes internal hosts
SNORT

- lightweight (host and network) IDS
- real-time packet capture and rule analysis
- passive or inline
- logical components:
  » packet decoder: isolates the headers at the different layers
  » detection engine
  » logger
  » alerter

SNORT Rules

- use a simple, flexible rule definition language with a fixed rule header and zero or more options
- the rule header includes: action, protocol, source IP, source port, direction, destination IP, destination port
- many rule options: metadata, payload, non-payload, post-detection
- example rule to detect a TCP SYN-FIN scan (the action keyword is lowercase):

  alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"SCAN SYN FIN"; flags:SF,12; \
    reference:arachnids,198; classtype:attempted-recon;)
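To make the header/options split concrete, the following is an added example, not Snort's own code: a minimal parser for the rule header fields listed above plus the `msg` and `flags` options, and a matcher that applies the SYN-FIN rule from the slide to a few constructed packet summaries. The bindings of $HOME_NET and $EXTERNAL_NET are assumed for the example (in a real deployment snort.conf defines them), and only a small subset of Snort's address and port syntax is handled. The `flags:SF,12` semantics implemented here are Snort's documented ones: the packet's TCP flags must equal exactly SYN+FIN after masking out the two reserved bits, so a scan that also sets ECE or CWR still matches.

```python
"""Minimal Snort-style rule header parser and matcher.

Added example (not from Snort or the slides). Understands: action, protocol,
src/dst address (any, CIDR, !CIDR, or a $VARIABLE), src/dst port (any or a
single number), direction (-> or <>), and the msg/flags options.
"""
import ipaddress

# The rule from the slide, on one line.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"SCAN SYN FIN"; flags:SF,12; reference:arachnids,198; classtype:attempted-recon;)'
)

# Assumed variable bindings for the example (snort.conf would define these).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

# TCP flag letters as used in Snort's flags option; 1 and 2 are the reserved bits (CWR/ECE).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}


def parse_rule(text):
    """Split a rule into its seven fixed header fields and a dict of options."""
    head, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    opts = {}
    for opt in body.rstrip(")").split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts}


def addr_matches(spec, ip):
    """any / CIDR / !CIDR / $VARIABLE against a single IP address."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def flags_match(spec, flags):
    """'SF,12': after clearing the bits listed past the comma, the packet's
    flags must equal exactly the set before the comma."""
    want, _, ignore = spec.partition(",")
    mask = 0xFF
    for letter in ignore:
        mask &= ~FLAG_BITS[letter]
    want_bits = 0
    for letter in want:
        want_bits |= FLAG_BITS[letter]
    return (flags & mask) == want_bits


def _one_way(rule, pkt, src, sport, dst, dport):
    return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and flags (the TCP flag byte)."""
    if pkt["proto"] != rule["proto"]:
        return False
    forward = _one_way(rule, pkt, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    backward = rule["dir"] == "<>" and _one_way(rule, pkt, pkt["dst"], pkt["dport"],
                                                 pkt["src"], pkt["sport"])
    if not (forward or backward):
        return False
    if "flags" in rule["opts"] and not flags_match(rule["opts"]["flags"], pkt["flags"]):
        return False
    return True


# Constructed packet summaries (addresses and ports made up for the example).
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.10", "dport": 80, "flags": 0x03},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "192.168.1.10", "dport": 22, "flags": 0x83},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40003, "dst": "192.168.1.10", "dport": 80, "flags": 0x02},
    {"proto": "tcp", "src": "192.168.1.20", "sport": 5000, "dst": "192.168.1.10", "dport": 80, "flags": 0x03},
    {"proto": "udp", "src": "10.0.0.5", "sport": 53, "dst": "192.168.1.10", "dport": 53, "flags": 0x00},
]


def alerts(rule_text, packets):
    """Return the msg of the rule once per packet that matches it."""
    rule = parse_rule(rule_text)
    return [rule["opts"]["msg"] for p in packets if rule_matches(rule, p)]


if __name__ == "__main__":
    print(alerts(RULE, PACKETS))   # ['SCAN SYN FIN', 'SCAN SYN FIN']
```

Only the first two constructed packets fire: the third is a plain SYN, the fourth comes from inside $HOME_NET and so fails the $EXTERNAL_NET source test, and the fifth is not TCP at all.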
Summary

- introduced intruders & intrusion detection: hackers, criminals, insiders
- intrusion detection approaches:
  » host-based (single and distributed)
  » network-based
  » distributed adaptive
  » exchange format
- honeypots
- SNORT

HW_Ch6: Review questions 6.2, 6.6, 6.7, 6.9; Problems 6.6, 6.7, 6.8