Intrusion Detection Systems. Overview. Evolution of IDSs. Oussama El-Rawas. History and Concepts of IDSs



Similar documents
Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Network- vs. Host-based Intrusion Detection

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

Intrusion Detection for Mobile Ad Hoc Networks

INTRUSION DETECTION SYSTEMS and Network Security

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

A Review on Network Intrusion Detection System Using Open Source Snort

Intrusion Detection Systems

SURVEY OF INTRUSION DETECTION SYSTEM

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSCE 465 Computer & Network Security

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

IDS / IPS. James E. Thiel S.W.A.T.

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Intruders & Intrusion Hackers Criminal groups Insiders. Detection and IDS Techniques Detection Principles Requirements Host-based Network-based

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Speedy Signature Based Intrusion Detection System Using Finite State Machine and Hashing Techniques

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for


Intrusion Detection System (IDS)

Performance Evaluation of Intrusion Detection Systems

Missing the Obvious: Network Security Monitoring for ICS

Introduction of Intrusion Detection Systems

Web Application Security

Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Network Based Intrusion Detection Using Honey pot Deception

B database Security - A Case Study

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Taxonomy of Intrusion Detection System

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

How To Protect A Network From Attack From A Hacker (Hbss)

Intrusion Detections Systems

Role of Anomaly IDS in Network

Name. Description. Rationale

Chapter 9 Firewalls and Intrusion Prevention Systems

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

Radware s Behavioral Server Cracking Protection

ATTACK DETECTION USING A SCALABLE AND DISTRIBUTED NETWORK MONITOR

The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack

Network Security Monitoring

Intruders and viruses. 8: Network Security 8-1

Security Event Management. February 7, 2007 (Revision 5)

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Rational AppScan & Ounce Products

Firewalls, Tunnels, and Network Intrusion Detection

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Data Mining for Network Intrusion Detection

Science Park Research Journal

Observation and Findings

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Improving Intrusion Detection Performance Using Keyword Selection and Neural Networks. Abstract

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

DIDS: Integrated host and network monitoring, live taps, lateral tracking, oh... and all in 1991

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Global Partner Management Notice

Chapter-3 Intruder Detection and Intruder Identification

CHAPTER 1 INTRODUCTION

State of Vermont. Intrusion Detection and Prevention Policy. Date: Approved by: Tom Pelham Policy Number:

Lab Configure IOS Firewall IDS

Network-Based and Host- Based Intrusion Detection. Harley Kozushko. Graduate Seminar

Banking Security using Honeypot

Volume 3, Issue 3, March 2015 International Journal of Advance Research in Computer Science and Management Studies

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors

APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION

Firewalls and Intrusion Detection

A PEER-BASED HARDWARE PROTOCOL FOR INTRUSION DETECTION SYSTEMS

GFI White Paper PCI-DSS compliance and GFI Software products

Network & Agent Based Intrusion Detection Systems

Intrusion Detection Systems

HIDS and NIDS Hybrid Intrusion Detection System Model Design Zhenqi Wang 1, a, Dankai Zhang 1,b

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Architecture Overview

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Intrusion Detection Systems

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International.

Intrusion Detection Systems

A SURVEY ON GENETIC ALGORITHM FOR INTRUSION DETECTION SYSTEM

Passing PCI Compliance How to Address the Application Security Mandates

IDS : Intrusion Detection System the Survey of Information Security

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

Host/Platform Security. Module 11

Distributed Denial of Service Attack Tools

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

An Inspection on Intrusion Detection and Prevention Mechanisms

Network Security Demonstration - Snort based IDS Integration -

Network and Host-based Vulnerability Assessment

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell

Visa Data Security Bulletin (AP)

System Health and Intrusion Monitoring Using a Hierarchy of Constraints

Transcription:

Intrusion Detection Systems Oussama El-Rawas History and Concepts of IDSs Overview A brief description about the history of Intrusion Detection Systems An introduction to Intrusion Detection Systems including: Models Architecture of a recent paper on Anomaly Detection. Response/Conclusion Evolution of IDSs 1

Evolution of IDSs: Definitions IDS = Intrusion Detection System. Overall, there are 2 main types of intrusion detection: Network Intrusion detection (NID) Host-Based Intrusion Detection (HID) Network Intrusion Detection Uses Packet Sniffers to read and analyze packets exchanged between hosts. Usually Deployed with broadcast type networks (TCP/IP). Historically weak with: Switched Networks Encrypted Networks High-Speed Networks Some of the weaknesses have been tackled Host-Based Intrusion Detection Monitors the Hosts themselves and responds to attacks on them. Mainly done through audit logs. Helps to combat internal threats: Possibly 80% of all intrusions by disgruntled and/or dishonest employees. 2

Evolution of IDSs Concept born in 1980: Computer Security Threat Monitoring and Surveillance by James Anderson. Importance of auditing and audit trails Start of HIB IDSs. 1983: SRI International (Dr. Dorothy Denning) in a Government project Analyze audit trails Create activity based user profiles First IDS Model: IDES Evolution of IDSs 1984: SRI track and analyze audit data on ARPANET. Dr. Denning: An Intrusion Detection Model Revealed necessary info for commercial IDSs Basis of most work on IDSs 1988: University of California Davis, Lawrence Livermore Labs The Haystack Project (US Air Force) Comparing audit data to defined patterns. DIDS (Distributed IDS) for client and server tracking. Evolution of IDSs 1989: Haystack Labs Founded Stalker, a host-based pattern matching system that included robust search capabilities to manually and automatically query the audit data. 1990: Birth of NID. Introduce by UC Davis's Todd Heberlein. Developed the Network Security Monitor (NSM) Deployed at major government installations Contributed to DIDS Birth of Hybrid Intrusion Detection. 3

Evolution of IDSs Early 1990's: Commercial IDS development Haystack: first to market with Stalker SAIC: Computer Misuse Detection System (CMDS). Host-based IDS. Air Force Cryptologic Support Center: Automated Security Measurement System (ASIM). Better Scalability and Portability compared to other NIDs First to incorporate both hardware and software into NID Evolution of IDSs 1994: ASIM Developers formed the Wheel Group NetRanger: First commercially viable NID device 1997 and beyond: IDSs gain popularity and revenue. ISS develops NID called RealSecure Cisco purchase Wheel group Centrax Corp.: Merger of Haystack Labs and and CMDS team from SAIC IDSs gain popularity Evolution of IDSs 4

Intrusion Detection Systems Intrusion Detection Systems System regular behavior includes: Predictable user/process patterns. Command patterns that don't compromise system security. Processes conforming to specification. Systems under attack fail to conform with at least one of the above => Basis of intrusion detection. Based on: D. Denning, An Intrusion Detection Model. Intrusion Detection Systems: Role To detect intrusions with known and unknown techniques irrespective of the source. To provide timely detection of intrusions. To present status data to the user (security officer). To be accurate. 5

Intrusion Detection Systems: Models The IDS Model: responsible for classifying a sequence of states and actions. Different Models related to ways a system might not conform with regular behavior: Deviation from usual actions => Anomaly Model Actions that compromise security => Misuse Model Out-of-spec actions from programs => Specification-based Model All Models can be either static or adaptive Intrusion Detection Systems Anomaly Modeling Definition: Anomaly detection analyzes a set of characteristics of the system and compares their behavior with a set of expected values. It reports when the computed statistics do not match the expected measurements. Based on statistical models Intrusion Detection Systems: Anomaly Modeling 3 possible statistical models used: Threshold based Statistical Moments Based on statistical data (mean, std. Deviation) Adaptive Models behavior Selection of features and statistics crucial to performance Possible application for Neural Networks Markov Model Needs training data to make a model (non-attack) Describes the probability of transitioning from one state to another Transitioning to a state of low probability is reported as an anomaly 6

Intrusion Detection Systems: Anomaly Modeling Examples: IDES Statistics based Adaptive: biased towards newer statistical information Haystack Intrusion Detection Systems: Misuse Modeling Definition: Misuse detection determines whether a sequence of instructions being executed is known to violate the site security policy being executed. If so, it reports a potential intrusion. Applies a rule set on a sequence of instructions: Static Adaptive New rules can be added any time. Site Centric Intrusion Detection Systems: Misuse Modeling Example: Kumar and Spafford, IDIOT (Intrusion Detection In Our Time) Event is a change in state Attacks classified in five ways: Existence: creation of an entity Sequence: sequential events Partial order: several sequences Duration: Existence for an a certain time Interval: events separated by N units of time Monitors audit logs 7

Intrusion Detection Systems: Specification-based Modeling Definition: Specification-based detection determines whether or not a sequence of instructions violates a specification of how a program, or system, should execute. If so, it reports a potential intrusion. Relies mainly on system traces System Trace is a sequence of events during the execution of a system of processes All programs running need to be modeled Spec-based Modeling in its infancy. Intrusion Detection Systems: Architecture Three major parts of the IDS architecture: The Agent The Director The Notifier Intrusion Detection Systems: Architecture Agent: gathers information on the system from different sources (log files, processes, network), and relays it to the director Possible preprocessing 2 types of Agents: Host based Gathers information from local host sources (log file, Policy checker) Focused on inside intrusion Network Based Monitors Traffic and Content through network sniffers Focused on outside intrusion and network oriented attacks (ex: DOS) 8

Intrusion Detection Systems: Architecture Director: Uses an analysis engine the existence of an attack based on information gathered by the agents, and relays its result to the Notifier This is the Brain of the IDS Could possibly be adaptive Notifier: receives outputs from the director and reports it to the user through different means (GUI, log files, email). Intrusion Detection Systems: Architecture Init IDS Agent Director Notifier Accurately Detecting Source Code of Attacks that Increase Privilege, by R.K. Cunningham and C.S. Stevenson. This paper addresses anomaly detection in software code on Unix based systems. 9

Usually IDS depend on audit logs to detect attacks Too Slow for some attacks Allows the malware to disable the IDS and gain privileges => Detect the software before the attack takes place by identifying potentially malicious code. Two types of privilege gaining programs: Give access to unauthorized user Increase privileges of an existing user The attack is assumed to be launched from the unknowing victim Steps of the attack: Download malware Compiling on local machine Execute the attack using compiled code Deals with C and shell script only. Most Antivirus and IDS software use Signature matching Heuristics (to detect the steps taken by malicious code) This system uses a 3 step approach Language identification Feature extraction Classifier 10

For testing and training, sample malicious code obtained from open-source projects an hacker sites. C code: 5271 training files, 496 attack files 3323 test files, 67 attack files Shell code: 476 training files, 119 attack files 650 test files, 33 attack files Language Identification: A rule based idetifier C identified by: Preprocessor directives Reserved words (not English nor shell) C comments Shell identified by: '!#' Shell comments '#' '$' prefixes On 450MHz Sparc Ultra 60: 90μs/KB 11

Features are defined by regular expressions: <Feature type, Code category, ecoding scheme> Code categories: Comments Strings Code sans-strings Code Encoding scheme: Once Count Normalize C detector: 19 features described by regular expressions. Creating and deleting file links (link, unlink, rmdir) Getting privileged programs to execute malicious code (embedded) Attack actions (using chown, passwd,...) Fed into MLP Neural Network (N, 2N, N), where N=19. 12

Classifier configurations: Code with comments: Embedded executable Exploit comment Calls to execute command Presence of main() Local include file Sans-comment Embedded executable Calls to execute command Presence of main() Link and system calls Near zero false alarm rate Fast, needing 666μs/KB 77% C code analysis 21% File read 2% other Shell detector Adapted the regular expressions from C to Shell, and defined additional regular expressions: Altering Environment Variables Acquiring priviliged interactive shell Shell code used to create new users. Backward feature selection determines features that give the most performance. 13

Classifier configurations: With comments: Comment Localhost Chown (increase ownership) Interactive (enter interactive shell) Shared (create shared object) Sans-comments: Embedded executable: checking for embedded hex or octal code Subshell: check for invocation of subshell Classifier is an MLP (N, 2N, N) with N=12 for code with comments N=16 for code without comments More difficult and lengthy than C to Classify because of more complex regular expressions. Performance: 1071μs/KB 74% Shell code analyzer 21% reading files 4% other Main weakness is the ability to add dummy code to modify features extracted 14

References Computer Security, by Matt Bishop, Pearson Education Inc. 2003. The Evolution of Intrusion Detection Systems, by Paul Innella, Nov 16 2001, http://www.securityfocus.com/infocus/1514 Accurately Detecting Source Code of Attacks That Increase Privilege, R.K. Cunningham and C.S. Stevenson. Questions? 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information