Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002



Similar documents
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Intrusion Detection Systems

Performance Evaluation of Intrusion Detection Systems

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

Network-Based and Host- Based Intrusion Detection. Harley Kozushko. Graduate Seminar

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

Second-generation (GenII) honeypots

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

IDS / IPS. James E. Thiel S.W.A.T.

THE ROLE OF IDS & ADS IN NETWORK SECURITY

Taxonomy of Intrusion Detection System

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

Yahoo Attack. Is DDoS a Real Problem?

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

The Truth about False Positives

1. Thwart attacks on your network.

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Intrusion Detection for Mobile Ad Hoc Networks

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Firewalls, Tunnels, and Network Intrusion Detection

Introduction of Intrusion Detection Systems

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Firewalls and Intrusion Detection

Penetration Testing. Presented by

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Cyber Watch. Written by Peter Buxbaum

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

IDS : Intrusion Detection System the Survey of Information Security

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

Current and Future Research into Network Security Prof. Madjid Merabti

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Network- vs. Host-based Intrusion Detection

Intrusion Detection from Simple to Cloud

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph I MCA

How To Protect Your Network From Attack From Outside From Inside And Outside

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

Metric Matters. Dain Perkins, CISSP

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

How To Protect A Network From Attack From A Hacker (Hbss)

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

California State University, Chico. Information Security Incident Management Plan

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

CTS2134 Introduction to Networking. Module Network Security

Closing Wireless Loopholes for PCI Compliance and Security

Website Maintenance Information For My Clients Bob Spies, Flying Seal Systems, LLC Updated: 08- Nov- 2015

Intrusion Detection System (IDS)

Name. Description. Rationale

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

Cisco IPS Tuning Overview

INTRUSION PREVENTION AND EXPERT SYSTEMS

Firewall Design Principles Firewall Characteristics Types of Firewalls

The Self-Hack Audit Stephen James Payoff

End-user Security Analytics Strengthens Protection with ArcSight

SANS Top 20 Critical Controls for Effective Cyber Defense

Managing IT Security with Penetration Testing

PROFESSIONAL SECURITY SYSTEMS

Reporting and Incident Management for Firewalls

Firewalls & Intrusion Detection

Chapter 9 Firewalls and Intrusion Prevention Systems

Protect Your Connected Business Systems by Identifying and Analyzing Threats

Network Security Policy

Intrusion Detection Systems. Overview. Evolution of IDSs. Oussama El-Rawas. History and Concepts of IDSs

The SIEM Evaluator s Guide

CSCI 4250/6250 Fall 2015 Computer and Networks Security

74% 96 Action Items. Compliance

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

co Characterizing and Tracing Packet Floods Using Cisco R

Intrusion Detection Systems

CMPT 471 Networking II

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Development of a Network Intrusion Detection System

Hackers: Detection and Prevention

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls


Network and Host-based Vulnerability Assessment

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Network Based Intrusion Detection Using Honey pot Deception

Bio-inspired cyber security for your enterprise

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Best Practices for Building a Security Operations Center

Blacklist Example Configuration for StoneGate

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

SURVEY OF INTRUSION DETECTION SYSTEM

Transcription:

Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002 Introduction Characteristics of intrusion detection systems Some sample intrusion detection systems Page 1 Page 2 Introduction Relying on a Perimeter Defense Many mechanisms exist for protecting systems from intruders Access control, firewalls, authentication, etc. They all have one common characteristic: They don t always work Page 3 Page 4 Another Alternative Intrusion Detection! Work from the assumption that sooner or later your security measures will fail Try to detect the improper behavior of the intruder who has defeated your security Inform the system or system administrators to take action Page 5 Page 6 1

Why Intrusion Detection? If we can detect bad things, can t we simply prevent them? Possibly not: May be too expensive May involve many separate operations May involve things we didn t foresee For Example, Your intrusion detection system regards setting uid on root executables as suspicious Yet the system must allow the system administrator to do so If the system detects several such events, it becomes suspicious And reports the problem Page 7 Page 8 Couldn t the System Just Have Stopped This? Perhaps, but - The real problem was that someone got root access The changing of setuid bits was just a symptom And under some circumstances the behavior is legitimate Intrusions any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource 1 Which covers a lot of ground Implying they re hard to stop 1 Heady, Luger, Maccabe, and Servilla, The Architecture of a Network Level Intrusion Detection System, Tech Report, U. of New Mexico, 1990. Page 9 Page 10 Is Intrusion Really a Problem? The NetRanger Data Is intrusion detection worth the trouble? Yes, at least for some installations Consider the experience of NetRanger intrusion detection users Gathered during 5 months of 1997 From all of NetRanger s licensed customers A reliable figure, since the software reports incidents to the company Page 11 Page 12 2

NetRanger s Results Kinds of Attacks Seen 556,464 security alarms in 5 months Some serious, some not Serious defined as attempting to gain unauthorized access For NetRanger customers, serious attacks occurred.5 to 5 times per month Electronic commerce sites hit most Often occurred in waves When someone published code for a particular attack, it happened a lot Because of Script Kiddies 100% of web attacks were on web commerce sites Page 13 Page 14 Where Did Attacks Come From? Kinds of Intrusions Just about everywhere 48% from ISPs But also attacks from major companies, business partners, government sites, universities, etc. 39% from outside US Only based on IP address, though External intrusions Internal intrusions Page 15 Page 16 External Intrusions Internal Intrusions What most people think of An unauthorized (usually remote) user trying to illicitly access your system Using various security vulnerabilities to break in The typical case of a hacker attack An authorized user trying to gain privileges beyond those he is entitled to 80% of all intrusions and attacks are by insiders according to FBI reports More dangerous, because insiders have a foothold and know more Page 17 Page 18 3

Basics of Intrusion Detection Intrusion Detection and Logging Watch what s going on in the system Try to detect behavior that characterizes intruders While avoiding improper detection of legitimate access Hopefully all at a reasonable cost A natural match The intrusion detection system examines the log Which is being kept, anyway Secondary benefits of using the intrusion detection system to reduce the log Page 19 Page 20 On-Line Vs. Off-Line Intrusion Detection Intrusion detection mechanisms can be complicated and heavy-weight Often better to run them off-line E.g., at nighttime Disadvantage is that you don t catch intrusions as they happen Failures In Intrusion Detection False positives Legitimate activity identified as an intrusion False negatives An intrusion not noticed Subversion errors Attacks on the intrusion detection system Page 21 Page 22 Desired Characteristics in Intrusion Detection Continuously running Fault tolerant Subversion resistant Minimal overhead Must observe deviations Easily tailorable Evolving Difficult to fool Host Intrusion Detection Run the intrusion detection system on a single computer Look for problems only on that computer Often by examining the logs of the computer Page 23 Page 24 4

Advantages of the Host Approach Network Intrusion Detection Lots of information to work with Only need to deal with problems on one machine Can get information in readily understandable form Do the same for a local (or wide) area network Either by using distributed systems techniques Or (more commonly) by sniffing network traffic Page 25 Page 26 Advantages of Network Approach Network Intrusion Detection and Data Volume Need not use up any resources on users machines Lots of information passes on the network Easier to properly configure for large installations If you grab it all, you will produce vast amounts of data Can observe things affecting multiple machines Which will require vast amounts of time to process Page 27 Page 28 Network Intrusion Detection and Sensors Styles of Intrusion Detection Use programs called sensors to grab only relevant data Sensors quickly examine network traffic Record the relevant stuff Discard the rest If you design sensors right, greatly reduces the problem of data volume Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Page 29 Page 30 5

Misuse Detection Determine what actions are undesirable Watch for those to occur Signal an alert when they happen Often referred to as signature detection Level of Misuse Detection Could look for specific attacks E.g., Synattacks or IP spoofing But that only detects already-known attacks Better to also look for known suspicious behavior Like trying to become root Or changing file permissions Page 31 Page 32 How Is Misuse Detected? Pluses and Minuses of Misuse Detection By examining logs Only works after the fact By monitoring system activities Often hard to trap what you need to see By scanning the state of the system Can t trap actions that don t leave traces By sniffing the network For network intrusion detection systems + Few false positives + Simple technology + Hard to fool Only detects known problems Gradually becomes less useful if not updated Sometimes signatures are hard to generate Page 33 Page 34 Misuse Detection and Commercial Systems Anomaly Detection Essentially all commercial intrusion detection systems detect misuse Primarily using signatures of attacks Many of these systems are very similar With only different details Differentiated primarily by quality of their signature library How large, how quickly updated Misuse detection can only detect known problems And many potential misuses can also be perfectly legitimate Anomaly detection instead builds a model of valid behavior And watches for deviations Page 35 Page 36 6

Methods of Anomaly Detection Statistical models User behavior Program behavior Overall system/network behavior Expert systems Misuse detection and anomaly detection sometimes blur together Pluses and Minuses of Anomaly Detection + Can detect previously unknown attacks Hard to identify and diagnose nature of attacks Unless careful, may be prone to many false positives Depending on method, can be expensive and complex Page 37 Page 38 Anomaly Detection and Academic Systems Most academic research on IDS in this area More interesting problems Greater promise for the future But few really effective systems currently use it Not entirely clear that will ever change Customizing and Evolving Intrusion Detection A single intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered Intrusion detection systems must change to meet needs Page 39 Page 40 How Do Intrusion Detection Systems Evolve? A Problem With Evolving Intrusion Detection Systems Manually or semi-automatically New information added that allows them to detect new kinds of attacks Automatically Deduce new problems or things to watch for without human intervention Very clever intruders can use the evolution against them Instead of immediately performing dangerous actions, evolve towards them If the intruder is more clever than the system, the system gradually accepts the new behavior Page 41 Page 42 7

Practicalities of Operation Most commercial intrusion detection systems are add-ons They run as normal applications They must make use of readily available information Audit logged information Sniffed packets Output of systems calls they make Practicalities of Audit Logs for IDS Operating systems only log certain stuff They don t necessarily log what an intrusion detection system really needs They produce large amounts of data Expensive to process Expensive to store If attack was successful, may be corrupted And performance is very important Page 43 Page 44 What Does an IDS Do When It Detects an Attack? Automated response Shut down the attacker Or more carefully protect the attacked service Alarms Notify a system administrator Who investigates and takes action Page 45 Consequences of the Choices Automated Too many false positives and your network stops working Is the automated response effective? Alarm Too many false positives and your administrator ignores them Is the administrator able to determine what s going on fast enough? Page 46 Emerald DIDS NetRanger CIDF Sample Intrusion Detection Systems Emerald From SRI In a family of intrusion detection systems IDES and NIDES were earlier versions Addresses practical intrusion detection problems Heterogeneity Scaling Multiple levels of abstraction Page 47 Page 48 8

Emerald Characteristics Emerald Architecture Combines multiple approaches to detecting problems Has built-in capabilities to invoke code to deal with problems Component-based architecture Intended to scale well Divided into generic components and specific object components Generic components provide base engine for intrusion detection No code relating to specific events or characteristics here Bulk of code in specific object components Page 49 Page 50 Object Monitors Object Monitor Architecture Code intended to watch for intrusions on particular types of system objects Resolver Types of services (FTP, HTTP) Network elements (firewalls, routers) Possible kinds of attacks Profiler Target-Specific Resource Object Signature Page 51 Page 52 Signature Object Monitor Architecture Analyzes behavior to find known problems Uses expert systems technology Allowing detection beyond pattern matching of signatures But also watches for problems expert system knows about Profiler Resolver Target-Specific Resource Object Signature Page 53 Page 54 9

Profiler Object Monitor Architecture Statistically-based subsystem to watch for unusual behavior Types of statistical variables: Categorical (discrete types) Continuous (numerical qualities) Traffic intensity (volume over time) Event distribution (e.g., meta-measure of other measures) Profiler Resolver Target-Specific Resource Object Signature Page 55 Page 56 Resolver Customizing Emerald Coordinator of monitor s external reporting system Implements monitor s response policy E.g., could shut down all HTTP traffic if things look very bad Or could simply request more detailed monitoring On installation, administrator chooses from library of resource objects Depending on what his system does and what threats he anticipates Can also develop new resource objects for new/particular threats Goal is high reusability of code Page 57 Page 58 Analyzing Systems From Multiple Perspectives Emerald is designed to allow correlation of multiple analyses E.g., detecting common types of events from different monitors Or combining low-rate events from different monitors Or analyzing the same system from multiple perspectives DIDS Distributed Intrusion Detection System Multi-host anomaly and misuse detection system First intrusion detection system to aggregate audit reports from multiple hosts Developed at UC Davis Page 59 Page 60 10

NetRanger The Common Intrusion Detection Framework (CIDF) A commercial intrusion detection system For use in network environments Examines data flows Denying access to suspicious flows Using misuse detection techniques An attempt to allow intrusion detection systems to interoperate Possibly combining advantages of all An architecture, a communication specification, and a language IETF also working on intrusion detection standard Page 61 Page 62 Basic CIDF Architecture Several kinds of components: Event generators (E-boxes) Event analyzers (A-boxes) Event databases (D-boxes) Response units (R-boxes) Page 63 CIDF Generalized Intrusion Detection Objects (Gidos) The means of communicating among other components Some examples: Encoding occurrence of particular event at particular time Encoding a conclusion about a set of events Transporting instruction to carry out an action Page 64 Conclusions Intrusion detection systems are helpful enough that those who care about security should use them They are not yet terribly sophisticated Which implies they aren t that effective Much research continues to improve them Page 65 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information