Security Intrusion & Detection. Intrusion Detection Systems (IDSs)




Security Intrusion & Detection

Security Intrusion
- One or a combination of security events in which an intruder gains (or attempts to gain) access to a system without having authorization to do so

Intrusion Detection
- A security service that monitors and analyzes system events to find, and provide (real-time) warning of, attempts at unauthorized access to resources

Intrusion Detection Systems (IDSs)
- Classify intrusion detection systems as:
  » Host-based IDS (HIDS): monitors the activity of a single host
    (Distributed host-based IDS: combines info from multiple hosts)
  » Network-based IDS (NIDS): monitors network traffic
- Logical components:
  » Sensors: collect data, e.g., login info
  » Analyzers: determine whether an intrusion has occurred
  » User interface: manage / direct / view the IDS

IDS Principles
- Assume that intruder behavior differs from that of legitimate users
- Expect overlap, as shown in the figure (the behavior profiles of intruders and legitimate users are not disjoint)
- Observe deviations from past history
- Problems of:
  » false positives: a good user identified as an intruder
  » false negatives: intruders not identified
- Must compromise: keep false positives low while minimizing false negatives

IDS Requirements
- Run continually with minimal human supervision (an IDS may see thousands of alarms per day!)
- Be fault tolerant after a crash: a crash may be the prelude to an attack
- Resist subversion: monitor itself
- Impose a minimal overhead on the system: do not sign every packet!
- Be configured according to system security policies
- Adapt to changes in systems and users: a system has many dynamics, e.g., load and resource variances
- Scale to monitor a large number of systems
- Provide graceful degradation of service: partial failures happen; we have to live with them
- Allow dynamic reconfiguration (difficult; Openswitch Arch)

Host-Based IDS (HIDS)
- Specialized software that monitors system activity to detect suspicious behavior
- Primary purpose is to detect intrusions, log suspicious events, and send alerts
- Can detect both external and internal intrusions
- Two approaches, often used in combination:
  » anomaly detection: define normal behavior (threshold detection; profile based)
  » signature detection: define proper behavior (sequence of events)

Audit Records
- A fundamental tool for intrusion detection
- Two variants:
  » native audit records: provided by the O/S; always available but may not be optimum
  » detection-specific audit records: IDS specific; additional overhead but specific to the IDS task; often log individual elementary actions
- Example detection-specific record:

  subject | action | object         | exception-condition | resource-usage | time-stamp
  Smith   | Read   | <Library>G.exe | 0                   | RECORDS=0      | 11058721679

Example native audit records (/var/log/message-20090215):

  Feb 8 04:07:19 sns1 kernel: imklog 3.20.2, log source = /proc/kmsg started.
  Feb 8 04:07:19 sns1 rsyslogd: [origin software="rsyslogd" swversion="3.20.2" x-pid="1620" x-info="http://www.rsyslog.com"] restart
  Feb 10 12:50:01 sns1 gconfd (gdm-2236): Exiting
  Feb 10 12:50:02 sns1 gconfd (root-1877): starting (version 2.22.0), pid 1877 user 'root'
  Feb 10 12:50:02 sns1 gconfd (root-1877): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
  Feb 10 12:50:02 sns1 gconfd (root-1877): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
  Feb 10 12:50:02 sns1 gconfd (root-1877): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
  Feb 10 12:50:02 sns1 gdm-session-worker[1927]: WARNING: unable to log session
  Feb 10 12:50:07 sns1 pulseaudio[2006]: main.c: This program is not intended to be run as root (unless --system is specified).
  Feb 10 12:50:08 sns1 pulseaudio[2006]: module-x11-xsmp.c: X11 session manager not running.
  Feb 10 12:50:08 sns1 pulseaudio[2006]: module.c: Failed to load module "module-x11-xsmp" (argument: ""): initialization failed.

Anomaly Detection: threshold detection
- Checks for excessive events over a time interval
- Must determine both the thresholds and the time intervals, e.g.:
  » 1000 emails in 1 session
  » 100 login tries in 1 hour
  » several logins from different places at around the same time
- Alone, a crude and ineffective intruder detector: an attacker learns the time interval and the threshold
- Useful when combined with other, more sophisticated solutions

Anomaly Detection: profile based
- Idea: characterize the past behavior of users / groups, then detect significant deviations
- Method: based on analysis of audit records
- Gather metrics:
  » counter: # of ls in a session; increased but never decreased
  » gauge: # of connections; increased or decreased
  » interval timer: interval between two emails
  » resource utilization: over x% in an interval
- Analyze:
  » mean and standard deviation
  » multivariate: correlate multiple variables, e.g., time/dst/data
  » Markov process: transitions between different states
  » time series: e.g., a sequence of spam messages
  » operational model: known patterns
- Pros: no need to know the security issues ahead of time

Signature Detection
- Observe events on the system and apply a set of rules to decide whether the behavior is that of an intruder
- Signature approaches:
  » rule-based anomaly detection: analyze historical audit records for expected behavior, then match current behavior against it
  » rule-based penetration identification: rules identify known penetrations / weaknesses, often obtained by analyzing attack scripts from the Internet and supplemented with rules from security experts
- PS: content signatures are different; worm content signature generators include Autograph, Polygraph, EarlyBird, ...
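Added example (not from the lecture): the two anomaly-detection approaches above, threshold detection and profile-based detection, run over a constructed set of syslog-style lines. The log lines, the SSH message format, the source address 10.0.0.5 and the per-session counter history are all constructed sample data.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample log (syslog format like the lecture's excerpt; not real data).
SAMPLE_LOG = """\
Feb 10 12:50:01 sns1 sshd[2101]: Failed password for root from 10.0.0.5 port 4021 ssh2
Feb 10 12:50:03 sns1 sshd[2101]: Failed password for root from 10.0.0.5 port 4022 ssh2
Feb 10 12:50:04 sns1 sshd[2101]: Failed password for root from 10.0.0.5 port 4023 ssh2
Feb 10 12:51:10 sns1 sshd[2104]: Accepted password for alice from 10.0.0.9 port 5100 ssh2
Feb 10 13:58:40 sns1 sshd[2110]: Failed password for root from 10.0.0.5 port 4050 ssh2
"""

# Timestamp and source address of a failed SSH login (sshd's message format).
FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for \S+ from (\S+)"
)


def threshold_alerts(log_text, threshold, year=2009):
    """Threshold detection: count failed logins per (source, clock hour) and
    return the (source, hour) pairs whose count reaches the threshold.
    Syslog lines carry no year, so the caller supplies it."""
    buckets = Counter()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        buckets[(m.group(2), ts.strftime("%Y-%m-%d %H"))] += 1
    return sorted(key for key, n in buckets.items() if n >= threshold)


def profile_alert(history, current, k=2.0):
    """Profile-based detection on one counter metric (e.g. commands per
    session): flag the current value if it lies more than k standard
    deviations from the mean of the user's past sessions."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    return abs(current - mean) > k * sd


if __name__ == "__main__":
    print(threshold_alerts(SAMPLE_LOG, threshold=3))   # [('10.0.0.5', '2009-02-10 12')]
    print(profile_alert([10, 12, 11, 9, 13], current=30))   # True
```

The fixed clock-hour buckets show the weakness the slide notes: attempts spread across a bucket boundary (three at 12:50, one at 13:58) stay below the threshold in each bucket, which is why the profile-based check is used alongside it.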

Useful IDS Tools
- OSSEC, host- (and network-) based open-source IDS, http://www.ossec.net/
  » agent/server model; Windows/Linux/Solaris
  » log analysis and correlation; flexible XML-based rules; large existing rule library
  » time-based alerting; integrity checking; rootkit detection; active response
  » Windows integration; Nmap integration
- Snort, NIDS, http://snort.org/, No. 1 now
- Bro, NIDS, http://www.bro-ids.org/, high learning curve, better performance
- Nagios, network intrusion detection, http://www.nagios.org/
- Nessus, vulnerability scanner, http://www.nessus.org/nessus/
- Develop your own: extra-credit projects. Your opportunities here! Deploy at home and generate a study over a week or a month. You can be a white hat and find a solid job in security.

Useful Security Tools
- MS Malicious Software Removal Tool, http://www.microsoft.com/security/malwareremove/default.mspx
- RootkitRevealer, http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
- NMAP, nmap.org: scan open ports
- Wireshark (formerly Ethereal), http://www.wireshark.org/

Conditional Probability and Independence
- A probability may be conditional on another event; the condition may reduce the sample space
- Example: the probability that the sum of two dice is 8 given that one of them is an even number
  » Event A = { the sum of the two dice is 8 }
  » Event B = { one die is even }
  » AB = { (2,6), (4,4), (6,2) }
  » P(A|B) = ?
  » Total choices for two dice: 6 x 6 = 36; both faces odd: 3 x 3 = 9; so |B| = 36 - 9 = 27
  » P(A|B) = 3/27 = 1/9
  » P(AB) = 3/36 = 1/12 and P(B) = 27/36 = 3/4, so P(A|B) = P(AB) / P(B) = (1/12) / (3/4) = 1/9
- If A and B are independent, P(AB) = P(A) * P(B)

Bayesian Statistics
- P(AB) = P(A) * P(B|A)
- Bayes' theorem: P(A|B) = P(A) * P(B|A) / P(B)
- Extended to n possibilities A_i that are independent of each other (in the figure, A1..A4 partition the space and each overlaps B): given B, what is P(A_i|B)?

  $P(A_i \mid B) = \dfrac{P(A_i)\,P(B \mid A_i)}{\sum_{i=1}^{n} P(A_i)\,P(B \mid A_i)}$

Base Rate Fallacy Example
- Very often seen in medical research
- A test predicts with 99% accuracy whether you have the deadly Mad Cow disease
- The disease has an overall incidence rate of 1/10,000 in the whole population
- You just tested positive!!!!! What is the probability that you have the disease???
- You would like to know the probability that you are well although the test is positive: P(well | positive) = ?

What is my probability of having the disease?
- 99%
- About 50%
- About 10%
- Less than 1%
- 0%, since I have paid the premium on a $5M life insurance policy
- 100%, since my wife is celebrating the test result, after seeing the life insurance premium check cleared

P({you are well although the test is positive}) = P(well | positive)
  = P(positive | well) * P(well) / ( P(positive | sick) * P(sick) + P(positive | well) * P(well) )
  = 0.01 * 0.9999 / ( 0.99 * 0.0001 + 0.01 * 0.9999 )
  > 0.99
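Added example (not from the lecture): the dice conditional probability by enumeration, Bayes' theorem over n hypotheses, and the base-rate computation above, which also goes one step beyond the slide by applying the same formula to IDS alarms. The IDS rates (one intrusion per 10,000 events, 99% detection, 1% false alarms) are assumed values chosen to mirror the medical example.

```python
from fractions import Fraction
from itertools import product


def dice_conditional():
    """The lecture's dice example by enumeration, with A = {sum is 8} and
    B = {at least one die is even}. Returns (P(A|B), P(AB), P(B))."""
    outcomes = list(product(range(1, 7), repeat=2))        # the 36 ordered rolls
    b = [o for o in outcomes if o[0] % 2 == 0 or o[1] % 2 == 0]
    ab = [o for o in b if o[0] + o[1] == 8]                 # {(2,6), (4,4), (6,2)}
    n = len(outcomes)
    return Fraction(len(ab), len(b)), Fraction(len(ab), n), Fraction(len(b), n)


def posterior(priors, likelihoods):
    """Bayes' theorem over n mutually exclusive hypotheses A_i that cover the
    sample space: P(A_i|B) = P(A_i) P(B|A_i) / sum_j P(A_j) P(B|A_j)."""
    if abs(sum(priors) - 1.0) > 1e-9:
        raise ValueError("priors must sum to 1")
    joint = [p * l for p, l in zip(priors, likelihoods)]   # P(A_i) P(B|A_i)
    total = sum(joint)                                     # P(B)
    if total == 0:
        raise ValueError("B has probability zero under every hypothesis")
    return [j / total for j in joint]


def p_well_given_positive(incidence, accuracy):
    """Base rate fallacy: probability of being well despite a positive test,
    for a test with the given accuracy and a disease with the given incidence."""
    _sick, well = posterior([incidence, 1 - incidence], [accuracy, 1 - accuracy])
    return well


def p_intrusion_given_alarm(intrusion_rate, detection_rate, false_alarm_rate):
    """Same computation for an IDS: the fraction of alarms that are real when
    intrusions make up intrusion_rate of all monitored events."""
    intrusion, _ = posterior([intrusion_rate, 1 - intrusion_rate],
                             [detection_rate, false_alarm_rate])
    return intrusion


if __name__ == "__main__":
    print(dice_conditional())                              # (1/9, 1/12, 3/4)
    print(p_well_given_positive(1 / 10000, 0.99))          # about 0.9902
    print(p_intrusion_given_alarm(1 / 10000, 0.99, 0.01))  # about 0.0098
```

With the assumed IDS rates, fewer than 1% of alarms are real intrusions even though the detector is "99% accurate", which is the operational reason an IDS must keep its false positive rate very low.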

Distributed Host-Based IDS: more promising
- Correlates more info
- Components:
  » host agent
  » LAN monitor agent
  » central manager
- Host audit records feed an expert system at the central agent

Network-Based IDS (NIDS)
- A network-based IDS monitors traffic at selected points on a network, in (near) real time, to detect intrusion patterns
- May examine network-, transport- and/or application-level protocol activity directed toward systems
- Comprises a number of sensors:
  » inline sensors: possibly part of network devices, e.g., a NIC in promiscuous mode
  » passive sensors: monitor a copy of the traffic

NIDS Sensor Deployment: where to put them?
- Loc. 1: threats from outside; helps the firewalls; attacks on Web/mail servers; checks outgoing traffic
- Loc. 2: types and numbers of external attacks; high workload
- Loc. 3: server- and service-specific; internal/external traffic
- Loc. 4: critical systems; uses limited resources

Intrusion Detection Techniques
- Signature detection at the application, transport and network layers; unexpected application services; policy violations
- Anomaly detection: denial of service attacks (flood or algorithmic), scanning (fast/slow), worms (duplicating themselves)
- When a potential violation is detected, a sensor sends an alert and logs information, which is
  » used by the analysis module to refine intrusion detection parameters and algorithms
  » used by the security admin to improve protection

Distributed Adaptive Intrusion Detection
- Perimeter defense and detection: firewalls, HIDS, NIDS
  » limited data to analyze; do not recognize new attacks; slow to respond
- High-rate vs. low-rate attacks
  » low-rate attacks stay below the thresholds
- Collaborate: more IDSs together
  » more sensors over broader areas; gossip protocol
  » more data and higher statistical accuracy, instead of a long time to gather data on a single host
  » when unsure about an attack, the false positive rate may be too high
  » once an attack is collaboratively identified (when similar activities are seen in other networks), predict that the attack is on the way; the false positive rate becomes low
- Host-based IDS provides rich application info

Distributed Adaptive Intrusion Detection (cont'd)
- Gossip about suspects
- PEP: policy enforcement point
- DDI: distributed detection and inference

Intrusion Detection Exchange Format
(figure only)

Honeypots
- Another opportunity for extra credit: http://www.honeypots.net/; Honeyd, http://www.honeyd.org/ (BSD, Linux, Win, Solaris)
- Decoy systems filled with fabricated info
- Instrumented with monitors or event loggers
- Divert and hold the attacker to collect activity info without exposing production systems
- Initially were single-PC systems; more recently are/emulate entire networks
- Virtual machines (VMs) make this easier (VMware)

Honeypot Deployment
- Loc. 1: outside the external firewall; diverts attackers; doesn't see insiders
- Loc. 2: alongside the externally available services; doesn't see all attacks; must allow traffic to the pots
- Loc. 3: attracts internal attacks; checks the firewalls; must allow traffic to the pots; if allowed, may potentially expose internal hosts

SNORT
- Lightweight (host and network) IDS
- Real-time packet capture and rule analysis
- Passive or inline
- Logical components:
  » packet decoder: isolates the headers at the different layers
  » detection engine
  » logger
  » alerter

SNORT Rules
- Use a simple, flexible rule definition language with a fixed rule header and zero or more options
- Rule header includes: action, protocol, source IP, source port, direction, dest IP, dest port
- Many rule options: metadata, payload, non-payload, post-detection
- Example rule to detect a TCP SYN-FIN attack (the action keyword is lowercase):

  alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"SCAN SYN FIN"; flags:SF,12; \
    reference:arachnids,198; classtype:attempted-recon;)
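Added example (not from the lecture or the Snort project): a small parser for the header and options of the SYN-FIN rule above, plus an evaluation of its flags:SF,12 option against sample TCP flag bytes. The option splitting on ';' is a simplification; FLAG_BITS follows the TCP header bit layout.

```python
import re

# TCP flag bits as Snort's flags option names them: F S R P A U and the two
# reserved bits 1 and 2 (CWR/ECE in newer RFCs).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

# The lecture's SYN-FIN rule, on one line (the backslashes join continued lines).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"SCAN SYN FIN"; flags:SF,12; '
        'reference:arachnids,198; classtype:attempted-recon;)')

HEADER = re.compile(r"\s*(\S+ \S+ \S+ \S+ (?:->|<>) \S+ \S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Split a rule into its seven header fields and its option key/value pairs.
    Options are split on ';', which is enough for this rule; a full parser
    would honour quoting and pcre bodies."""
    m = HEADER.fullmatch(text)
    if not m:
        raise ValueError("not a Snort rule: " + text)
    fields = m.group(1).split()
    header = dict(zip(["action", "proto", "src", "sport", "direction", "dst", "dport"], fields))
    options = {}
    for opt in m.group(2).split(";"):
        if opt.strip():
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return header, options


def flags_match(flags_option, packet_flags):
    """Evaluate flags:<set>,<ignore>. The ignored bits are masked off, then the
    remaining packet flags must equal exactly the listed set (Snort's default)."""
    wanted, _, ignored = flags_option.partition(",")
    want = sum(FLAG_BITS[c] for c in wanted)
    mask = 0xFF & ~sum(FLAG_BITS[c] for c in ignored)
    return (packet_flags & mask) == want


if __name__ == "__main__":
    header, options = parse_rule(RULE)
    print(header["action"], header["src"], "->", header["dst"], options["msg"])
    for flags in (0x03, 0x43, 0x02, 0x13):              # SF, SF+reserved, S, SFA
        print(hex(flags), flags_match(options["flags"], flags))
```

Only SYN+FIN with nothing else set (reserved bits aside) matches, so a normal SYN or a SYN+FIN+ACK does not fire; Snort itself additionally requires a sid option on every rule, which the lecture's example omits.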

Summary
- Introduced intruders & intrusion detection: hackers, criminals, insiders
- Intrusion detection approaches: host-based (single and distributed), network-based, distributed adaptive, exchange format
- Honeypots
- SNORT

Homework (Ch. 6): Review questions 6.2, 6.6, 6.7, 6.9; Problems 6.6, 6.7, 6.8