Intrusion Detection Systems
Advanced Computer Networks 2007
Reinhard Wallner, reinhard.wallner@student.tugraz.at
Slide 2: Outline
- Introduction
- Types of IDS
- How an IDS works
- Attacks on IDS
- Intrusion Prevention Systems
- Limits of IDS
- Operation examples
- Some products
Slide 3: What is an IDS?
- A system to detect unwanted manipulation of computer systems
- Identifies misuse and abnormal behavior
- Detects many types of malicious network traffic and computer usage
Slide 4: Motivation
- Other security measures are not sufficient (authentication, firewall, ...)
- Attacks are motivated by financial, political, military or personal reasons
- We want to detect intrusions
- We want to prevent intrusions
Slide 5: What does an IDS do?
- Logging and preparing data for analysis
- Analysis
- Presentation (e.g. an alarm)
- Reaction (only in Intrusion Prevention Systems, IPS)
Slide 6: Types of IDS
- Host-based IDS (HIDS)
- Network-based IDS (NIDS)
- Hybrid IDS (combination of HIDS and NIDS)
Slide 7: Passive vs. Reactive System
Passive system:
- Detects a potential security breach
- Logs the information
- Signals an alert
A reactive system additionally:
- Resets the connection
- Reprograms the firewall
- Automatically or manually
Slide 8: Host-based IDS (HIDS) 1
- Installed on a host
- Monitors system objects and remembers their attributes, e.g. file-system objects
- Creates a checksum (optional)
- Database to store objects and attributes
- Reports anomalies in the form of logs, e-mails or similar
- Detects unauthorized insider activity or file modification
Slide 9: Host-based IDS (HIDS) 2
Pro:
- Detailed information about the attack
Con:
- The HIDS itself can be attacked (and if the attacked host is down, the HIDS is down too)
- Local installation on each host
- Host resources are needed
Slide 10: Network-based IDS (NIDS) 1
- Monitors network traffic
- Tries to find suspicious patterns, e.g. port-scan detection
- The NIDS collaborates with other systems such as the firewall
- Detects attempts from outside the trusted network
Slide 11: Network-based IDS (NIDS) 2
Pro:
- Controls a network segment, not only one host
- A defect of one host is no risk for the NIDS
Con:
- The bandwidth of the NIDS can be overloaded
- In switched networks: use of taps or port mirroring on the switch
Slide 12: Hybrid IDS
- Combination of HIDS and NIDS
- Management console necessary
- Network sensors
- Host sensors
Slide 13: Logging
Differs between IDS types:
- On a HIDS: detailed information, specific analysis possible
- On a NIDS: distributed sensors, management station, privacy problem
Slide 14: Analysis 1
Integrity check / target monitoring:
- Cryptographic signature or checksum to secure the integrity of files
- On-demand (post-mortem or reactive) integrity check
- Simple to implement
Signature detection / misuse detection:
- Compares network traffic with known signatures of attacks
- Pattern-matching procedures
- Reassembly of fragmented packets necessary
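The integrity check described on this slide, written out as an added example (not code from the slides or from any of the products listed later): a baseline of SHA-256 digests and file attributes is recorded per file, the baseline database itself is protected by an HMAC so that tampering with the stored database is noticed, and a later check reports modified, added and removed files. The directory contents, file names and `SIGNING_KEY` are constructed for the demo; a real deployment keeps the key (or the private key of a signature scheme) off the monitored host.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. In practice the key protecting the baseline must not be
# stored on the monitored host, otherwise an intruder can re-sign a forged baseline.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record path -> {size, mode, sha256} for every regular file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entries[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
                "sha256": file_digest(path),
            }
    return entries


def sign_baseline(entries, key):
    """Serialize the baseline canonically and attach an HMAC-SHA256 over it."""
    payload = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {"entries": entries, "hmac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_baseline(signed, key):
    """Return False if the stored baseline was altered after it was signed."""
    payload = json.dumps(signed["entries"], sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["hmac"])


def check_integrity(root, signed, key):
    """Compare the current file-system state against a verified baseline."""
    if not verify_baseline(signed, key):
        raise ValueError("baseline database failed signature check")
    current = build_baseline(root)
    old = signed["entries"]
    return {
        "modified": sorted(p for p in old if p in current and old[p] != current[p]),
        "added": sorted(p for p in current if p not in old),
        "removed": sorted(p for p in old if p not in current),
    }


def demo():
    """Constructed scenario: baseline a directory, then modify, add and delete files."""
    with tempfile.TemporaryDirectory() as root:
        initial = {"passwd": b"root:x:0:0\n", "sshd_config": b"PermitRootLogin no\n", "motd": b"hi\n"}
        for name, data in initial.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        signed = sign_baseline(build_baseline(root), SIGNING_KEY)

        with open(os.path.join(root, "sshd_config"), "wb") as f:   # modified file
            f.write(b"PermitRootLogin yes\n")
        with open(os.path.join(root, "extra.conf"), "wb") as f:    # added file
            f.write(b"constructed\n")
        os.remove(os.path.join(root, "motd"))                       # removed file
        report = check_integrity(root, signed, SIGNING_KEY)

        # An attacker who edits the stored database to hide the change is caught
        # by the signature check, provided the key was not available to them.
        tampered = {"entries": dict(signed["entries"]), "hmac": signed["hmac"]}
        tampered["entries"]["sshd_config"] = dict(tampered["entries"]["sshd_config"], sha256="0" * 64)
        db_tamper_detected = not verify_baseline(tampered, SIGNING_KEY)
    return report, db_tamper_detected


if __name__ == "__main__":
    print(demo())
```

The check is on-demand, as the slide says: nothing runs until `check_integrity` is called, which is why a compromise between baseline and check is only visible post mortem.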
Slide 15: Analysis 2
Anomaly detection:
- Detects anomalies in user behavior, e.g. a secretary uses applications like nmap or gcc at 11 p.m.
- Privacy problem!!!
Stealth probes:
- Attempt to detect attackers that act over prolonged periods of time
- Combination of signature detection and anomaly detection
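The secretary example from this slide as a small anomaly detector, added here and not part of the slides: a per-user profile (programs used, typical hour range) is learned from a constructed training log, and later events are flagged when the program or the hour falls outside that profile. The log format, user names and time stamps are all constructed for the demo.

```python
from datetime import datetime

# Constructed training log: "<ISO timestamp> <user> <program>", one normal week.
TRAINING_LOG = [
    "2007-05-14T08:55:10 secretary /usr/bin/oowriter",
    "2007-05-14T09:30:44 secretary /usr/bin/thunderbird",
    "2007-05-14T11:10:03 secretary /usr/bin/firefox",
    "2007-05-15T13:45:21 secretary /usr/bin/oowriter",
    "2007-05-16T15:30:00 secretary /usr/bin/firefox",
    "2007-05-17T16:20:09 secretary /usr/bin/thunderbird",
    "2007-05-14T10:00:00 devel /usr/bin/gcc",
    "2007-05-14T14:00:00 devel /usr/bin/gdb",
    "2007-05-15T22:15:00 devel /usr/bin/gcc",
    "2007-05-15T23:40:00 devel /usr/bin/vim",
]

# Constructed events to score against the learned profiles.
EVENTS = [
    "2007-05-21T09:02:13 secretary /usr/bin/oowriter",    # normal
    "2007-05-21T10:15:00 secretary /usr/bin/thunderbird", # normal (10h lies inside 8h..16h)
    "2007-05-21T23:05:41 secretary /usr/bin/nmap",        # odd hour and unknown program
    "2007-05-21T23:07:02 secretary /usr/bin/gcc",         # odd hour and unknown program
    "2007-05-21T22:30:00 devel /usr/bin/gcc",             # normal for this user
    "2007-05-21T02:10:00 mallory /bin/sh",                # user never seen in training
]


def parse_line(line):
    ts, user, program = line.split()
    return datetime.fromisoformat(ts), user, program


def build_profiles(lines):
    """Learn per-user program set and working-hour range from known-good activity."""
    profiles = {}
    for line in lines:
        ts, user, program = parse_line(line)
        p = profiles.setdefault(user, {"programs": set(), "first_hour": 23, "last_hour": 0})
        p["programs"].add(program)
        # An hour *range* rather than the exact set of seen hours keeps an unseen
        # 10 o'clock event from raising a false positive; the price is coarser detection.
        p["first_hour"] = min(p["first_hour"], ts.hour)
        p["last_hour"] = max(p["last_hour"], ts.hour)
    return profiles


def detect(profiles, lines):
    """Return one alert per event that deviates from the user's profile."""
    alerts = []
    for line in lines:
        ts, user, program = parse_line(line)
        reasons = []
        p = profiles.get(user)
        if p is None:
            reasons.append("unknown user")
        else:
            if program not in p["programs"]:
                reasons.append(f"program {program} never seen for {user}")
            if not p["first_hour"] <= ts.hour <= p["last_hour"]:
                reasons.append(f"activity at {ts.hour:02d}h outside {p['first_hour']:02d}h..{p['last_hour']:02d}h")
        if reasons:
            alerts.append({"line": line, "user": user, "program": program, "reasons": reasons})
    return alerts


def run_demo():
    return detect(build_profiles(TRAINING_LOG), EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["line"], "->", "; ".join(alert["reasons"]))
```

The privacy problem the slide flags is visible in the data model itself: the profile is a record of who ran what and when, so the training log and the alerts need the same access controls and retention limits as any other personal data.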
Slide 16: Attacks on IDS
- Integrity check with signature: secure if the cryptographic system is good enough (e.g. RSA) and the private key isn't stored on the host
- Integrity check with checksum: the integrity of the initial database can be tampered with (→ WORM medium)
- Signature detection can be attacked by DDoS
- Insertion or evasion attacks
Slide 17: Insertion Attack
- Idea: uses packets that are accepted by the IDS but not by the host
- E.g. the attacker sends the packets H X* A L T
- The packet marked with * isn't accepted by the host
- The host receives HALT and stops; the IDS, which also accepted the * packet, doesn't recognize the signature
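The H X* A L T stream from this slide, as an added example that is not part of the slides: two reassemblers process the same constructed segments, one that accepts every segment it sees and one that drops what the target host's IP stack would drop before reassembling. The `ip_checksum_ok` flag is a constructed stand-in for the header validation a host performs; the signature `HALT`, the sequence numbers and the overlap rule (first arrival wins) are assumptions of the demo. The point for the defender is that a NIDS only matches what the host actually executes if it models the host's acceptance rules.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int             # stream offset of the first payload byte
    payload: bytes
    ip_checksum_ok: bool  # constructed stand-in for the checks a host's IP stack applies


SIGNATURE = b"HALT"  # assumed attack signature the IDS is looking for

# Constructed reproduction of the slide: H X* A L T, where X* carries a bad checksum.
# X and A claim the same stream offset, so a reassembler that keeps X never sees A there.
SEGMENTS = [
    Segment(0, b"H", True),
    Segment(1, b"X", False),  # accepted by a naive IDS, rejected by the host
    Segment(1, b"A", True),
    Segment(2, b"L", True),
    Segment(3, b"T", True),
]


def reassemble(segments, validate_like_host):
    """Rebuild the byte stream from segments in arrival order.

    With validate_like_host=True the reassembler discards segments the target
    host would discard, so its view of the stream matches the host's view.
    Overlapping offsets are resolved first-arrival-wins (an assumption; real
    stacks differ, which is why an IDS must know the policy of the host it protects).
    """
    stream = {}
    for seg in segments:
        if validate_like_host and not seg.ip_checksum_ok:
            continue
        for i, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq + i, byte)
    return bytes(stream[k] for k in sorted(stream))


def signature_match(stream, signature=SIGNATURE):
    """Plain substring match, the simplest form of pattern matching from slide 14."""
    return signature in stream


def demo():
    naive = reassemble(SEGMENTS, validate_like_host=False)
    host_like = reassemble(SEGMENTS, validate_like_host=True)
    return {
        "naive_view": naive,                  # what an IDS that trusts every packet sees
        "naive_alert": signature_match(naive),
        "host_view": host_like,               # what the host (and a host-faithful IDS) sees
        "host_alert": signature_match(host_like),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same mechanism explains why slide 14 lists reassembly as a requirement: matching signatures per packet instead of per reassembled stream has the same blind spot, since the signature bytes can be spread over segments that the IDS and the host put together differently.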
Slide 18: Intrusion Prevention Systems (IPS)
- Extended IDS
- Automated reactions to alarms from the IDS, e.g. updating a firewall blacklist
- Actively changes or interrupts network traffic
- Tries to prevent attacks in real time
- Honeypots
- Tarpits
Slide 19: Honeypot
- Runs alone on a server
- Simulates services or proxy servers (Sugarcane)
- Logs activity
- Legitimate users don't know about it and therefore never address a honeypot
- Automated attacks cannot distinguish the honeypot from a normal host
- Used for: attracting and binding attacks; detecting and analyzing new attacks; protecting production systems; conservation of evidence (court of law)
Slide 20: Tarpit
- Tries to slow down the propagation of spammers and worms
- IP-, TCP- or application-level tarpits
- Example: HTTP tarpit
  - Tries to block the spammer's harvester (a crawler that searches web pages for e-mail addresses)
  - Delivers the web page very slowly
  - Inserts a lot of links to itself
  - Therefore the harvester falls into the trap
Slide 21: Limits of IDS / IPS
- False positives and false negatives
- Unknown attacks cannot be detected or prevented
- Cryptographic methods can be a problem
- Legal restrictions on identifying and logging attackers
- Needs other tools (firewall, router, ...) to prevent intrusion
- Never 100% protection
Slide 22: Operation examples 1
Operation of a NIDS: the IDS and the firewall supplement each other. [5]
Slide 23: Operation examples 2
Operation of a HIDS: observation of specific systems or applications. [5]
Slide 24: Operation examples 3
Operation of a hybrid IDS: observation of the internal network. [5]
Slide 25: Intrusion Detection Message Exchange Format (IDMEF)
- Standardized communication protocol
- Protocol for communication between the IDS components (sensors, management console, ...)
- Main requirements for the protocol: authentication of the sender; reliable information; resistance to attacks
Slide 26: Summary
- IDS are necessary because security incidents are becoming more numerous and other security measures aren't sufficient
- An IDS is an active system and needs administration
- The IDS itself can be attacked
- Cryptographically protected data can be a problem
- Never 100% protection
- Privacy must be taken into account
Slide 27: IDS/IPS Applications
- Snort [http://www.snort.org/] (NIPS)
- Prelude [http://www.prelude-ids.org/] (hybrid IDS)
- Hogwash [http://hogwash.sourceforge.net/], combination of IDS and firewall
- Honeyd [http://www.honeyd.org/], honeypot
- LaBrea [http://labrea.sourceforge.net/labrea-info.html], honeypot and IDS
Slide 28: Literature
[1] http://en.wikipedia.org/wiki/intrusion_detection_system
[2] http://de.wikipedia.org/wiki/intrusion_detection_system
[3] http://en.wikipedia.org/wiki/honeypot_%28computing%29
[4] Einbruchserkennung in Netzwerke, http://www.net-tex.de/net/ids.html
[5] Bundesamt für Sicherheit in der Informationstechnik, Intrusion-Detection Grundlagen, http://www.bsi.de/literat/studien/ids02/dokumente/grundlagenv10.pdf
[6] The Internet Engineering Task Force (IETF), Intrusion Detection Message Exchange Format (IDMEF), http://www3.ietf.org/proceedings/01mar/i-d/idwg-idmef-xml-03.txt
Slide 29: Questions
- Explain the three kinds of IDS. What are the advantages and disadvantages? (Slides 8-12)
- Which methods of analysis in an IDS do you know? How can these methods be attacked? (Slides 14-16)
Thanks for your attention!
Reinhard Wallner, reinhard.wallner@student.tugraz.at