
04/01/2017

Lesson 12. ATTACK DETECTION AND PREVENTION SYSTEMS
Bùi Trọng Tùng,
School of Information and Communication Technology (Viện Công nghệ thông tin và Truyền thông),
Hanoi University of Science and Technology (Đại học Bách khoa Hà Nội)

Contents

- Overview of attack prevention and detection
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
- Firewalls


1. PROBLEM STATEMENT

The problem of attack detection

- No system can be made completely secure.
- General approach: detect and block attacks and the exploitation of security vulnerabilities.
- This also covers recovery after an attack, tracing the attack, and blocking the next one.
- Defense in depth (multi-layer protection).
- Note: vulnerabilities can be exploited both in the resources themselves and in the security policy.
- Open issues:
  - There is no concrete model or set of general principles for solving the problem.
  - Many practical questions arise at deployment time (where to monitor, how to detect vulnerabilities, accuracy, the attacker's ability to evade detection).


An example
Suppose the website of the company FooCorp offers a service through the URL:
http://foocorp.com/amazeme.exe?profile=info/luser.txt
The service displays the personal profile of a given employee of the company.

Access scenario (figure: remote client, Internet, FooCorp border router, front-end web server and bin/amazeme on FooCorp's servers; the numbered steps of the diagram are listed below)

1. The user's browser requests http://foocorp/amazeme.exe?profile=xxx
2. GET /amazeme.exe?profile=xxx travels over the Internet to FooCorp's border router
3. GET /amazeme.exe?profile=xxx is forwarded to the front-end web server
4. The web server handles amazeme.exe?profile=xxx
5. The server runs bin/amazeme -p xxx
6. The output of bin/amazeme is sent back to the web server
7. 200 OK with the output of bin/amazeme leaves the front-end web server
8. 200 OK with the output of bin/amazeme passes the border router
9. 200 OK with the output of bin/amazeme reaches the remote client
10. The browser displays the result

Executing an attack

http://foocorp.com/amazeme.exe?profile=../../../../../etc/passwd

The returned result contains sensitive information.


How to detect it?

Approach 1: deploy an intrusion detection system of the NIDS type (network-based IDS)

- Monitor every HTTP request message.
- Raise an alert if a request contains /etc/passwd and/or ../../
- Advantages?
- Limitations?

Solution 1: using a NIDS (figure: the NIDS is attached to a monitor port at FooCorp's border router and sees a copy of the incoming/outgoing HTTP traffic between the remote client and the front-end web server; the request GET /amazeme.exe?profile=xxx, the reply 200 OK with the output of bin/amazeme, and the call bin/amazeme -p xxx are as in the access scenario)


How to detect it?

Solution 2: use a HIDS (host-based IDS)

- Check the value passed as the argument.
- Advantages?
- Limitations?
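The two approaches side by side, as an added example that is not part of the lecture: the NIDS function applies the lecture's two signatures to the raw request line as seen on the wire, and the HIDS function checks the decoded profile argument on the host before bin/amazeme would run. The request lines, the profile directory PROFILE_ROOT and the function names are constructed assumptions; the traversal URL is the one from the lecture.

```python
from urllib.parse import urlsplit, parse_qs, unquote
import posixpath

# Constructed sample request lines, as a NIDS tap would see them on the wire
# (not taken from the lecture). Lines 2 and 3 are the same traversal in plain
# and percent-encoded form; line 4 is a legitimate file whose path happens to
# contain the signature string.
SAMPLE_REQUESTS = [
    "GET /amazeme.exe?profile=info/luser.txt HTTP/1.1",
    "GET /amazeme.exe?profile=../../../../../etc/passwd HTTP/1.1",
    "GET /amazeme.exe?profile=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "GET /amazeme.exe?profile=info/etc/passwd_notes.txt HTTP/1.1",
]

# The two signatures from solution 1 in the lecture.
NIDS_SIGNATURES = ("/etc/passwd", "../../")

# Assumed directory under which bin/amazeme looks up profile files.
PROFILE_ROOT = "/srv/amazeme"


def nids_alert(request_line):
    """Solution 1: match the signatures against the raw request bytes."""
    return any(sig in request_line for sig in NIDS_SIGNATURES)


def nids_alert_decoded(request_line):
    """Same signatures, applied after percent-decoding the request once."""
    return any(sig in unquote(request_line) for sig in NIDS_SIGNATURES)


def profile_argument(request_line):
    """Extract the decoded 'profile' query argument, as the web server would."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query).get("profile", [""])[0]


def hids_alert(request_line):
    """Solution 2: check the argument value on the host, before bin/amazeme runs.
    Alert when the requested profile path resolves outside PROFILE_ROOT."""
    resolved = posixpath.normpath(posixpath.join(PROFILE_ROOT, profile_argument(request_line)))
    inside = resolved == PROFILE_ROOT or resolved.startswith(PROFILE_ROOT + "/")
    return not inside


def compare(requests=SAMPLE_REQUESTS):
    """Return one (raw NIDS, decoded NIDS, HIDS) verdict per request."""
    return [(nids_alert(r), nids_alert_decoded(r), hids_alert(r)) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, compare()):
        print(f"{verdict}  {req}")
```

Run as a script, the table shows the trade-off the lecture's "advantages/limitations" questions point at: the raw signature match misses the percent-encoded form of the same request and fires on the harmless passwd_notes.txt path, while the host-side check, which sees the value exactly as the program will use it, gets both right. Decoding once on the NIDS narrows the gap but does not close it (a double-encoded value would still need a second pass), which is why the two are usually deployed together.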


Solution 2: using a HIDS (figure: the HIDS instrumentation is added inside the front-end web server, between step 4, amazeme.exe?profile=xxx, and step 6, the output of bin/amazeme being sent back; bin/amazeme -p xxx runs on that server)


How to detect it?

Solution 3: use utilities that periodically scan the system's log files
- Advantages
- Disadvantages

Solution 4: monitor the system calls made by the web server
- Advantages
- Disadvantages

General remark on these solutions: each runs into one of two major problems:
- Accuracy
- Timeliness


A better solution
Instead of detecting attacks, try to prevent them.
Vulnerability scanning: run the attacks against the very resources to be protected, in order to find the security vulnerabilities present in the system.
- Advantages?
- Disadvantages?


2. INTRUSION DETECTION SYSTEMS (IDS)


Basic concepts

IDS (Intrusion Detection System): a system capable of tracking, monitoring, detecting and (possibly) blocking attacks and unauthorized exploitation of the protected resources.

Requirements:
- Accuracy
- Timeliness
- High fault tolerance


General architecture (figure)

General architecture (continued)

- Sensor: collects data from the monitored system.
- Detector: analyzes and correlates the information in the data collected by the sensor, based on the system's knowledge base.
- Storage: stores all data of the IDS, including the sensor data, the detector's analysis results, the knowledge base and the system configuration, to support the operation of the IDS.
- Responder: reacts to the actions that were detected.
- User interface


Accuracy

Evaluated through two values:
- FPR (False Positive Rate): the rate of false alarms
- FNR (False Negative Rate): the rate of missed attacks

Let I be the event that an attack occurs, and A the event that the IDS raises an alert:
FPR = P(A | not I)
FNR = P(not A | I)

FNR = 0 or FPR = 0?

In the FooCorp example, detecting malicious URLs:

    #include <stdio.h>

    /* Flags every URL: it never misses an attack, so FNR = 0 */
    void my_detector_that_never_misses(char *URL)
    {
        printf("yep, it's an attack!\n");
    }

Remark: FNR = 0 (Woo-hoo!)

FPR = 0:

    /* Flags nothing: it never raises a false alarm, so FPR = 0 */
    void my_detector_that_never_mistakes(char *URL)
    {
        printf("nope, not an attack!\n");
    }


Accuracy (continued)

- FPR and FNR must be balanced.
- Should one choose a system with a low FPR or a low FNR?
  - It depends on how much damage each kind of error causes.
  - It depends on the actual rate of attacks.
- Example: suppose a system has FPR = 0.1% and FNR = 2%.
  - Case 1: the system receives 1000 requests per day, 5 of which are attacks:
    - False alarms: 995 x 0.1% ~ 1 legitimate request per day
    - Misses: 5 x 2% ~ 0.1 (fewer than 1 attack missed per week)
  - Case 2: 1,000,000 requests per day, 5 of which are attacks:
    - False alarms: 999995 x 0.1% ~ 1000 legitimate requests per day
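The arithmetic of the two cases, carried through as an added example that is not part of the lecture. It reuses the lecture's FPR, FNR and request counts and goes one step further than the slides: it also computes the fraction of alerts that are real attacks, P(I | A), both by counting and directly from the definitions FPR = P(A | not I), FNR = P(not A | I) and the base rate P(I). The function names are mine.

```python
def expected_daily_errors(total, attacks, fpr, fnr):
    """Expected false alarms, missed attacks, true alerts and alert precision
    for one day with `total` requests of which `attacks` are attacks."""
    legitimate = total - attacks
    false_alarms = legitimate * fpr        # P(A | not I) applied to legitimate traffic
    missed = attacks * fnr                 # P(not A | I) applied to the attacks
    true_alerts = attacks - missed
    alerts = true_alerts + false_alarms
    precision = true_alerts / alerts if alerts else 0.0
    return false_alarms, missed, true_alerts, precision


def alert_precision(fpr, fnr, base_rate):
    """P(I | A) from FPR, FNR and P(I) = base_rate, by Bayes' rule."""
    hit = (1 - fnr) * base_rate            # P(A and I)
    false_alarm = fpr * (1 - base_rate)    # P(A and not I)
    return hit / (hit + false_alarm)


# The two cases from the lecture: (requests per day, attacks per day).
CASES = {"case 1": (1000, 5), "case 2": (1_000_000, 5)}
FPR, FNR = 0.001, 0.02

if __name__ == "__main__":
    for name, (total, attacks) in CASES.items():
        fa, miss, tp, prec = expected_daily_errors(total, attacks, FPR, FNR)
        print(f"{name}: {fa:.3f} false alarms/day, {miss:.2f} missed/day "
              f"({miss * 7:.2f}/week), precision of an alert {prec:.1%}")
```

With the same detector, an alert in case 1 is a real attack about 83% of the time, in case 2 about 0.5% of the time: the FPR did not change, only the base rate did, and that is what decides whether an analyst can afford to look at every alert.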


Misuse detection

Characteristic: uses data about known attack types.

- Signature-based detection
- Vulnerability-signature-based detection
- Advantages?
- Disadvantages?


Anomaly detection

Characteristic: builds a model of normal behaviour, then flags as suspicious and measures any behaviour that falls outside the model.

- Threshold-based detection
- Specification-based detection
- Behaviour-based detection
- Advantages?
- Disadvantages?
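A minimal threshold-based anomaly detector, as an added example that is not part of the lecture: the model of normal behaviour is the mean and standard deviation of a client's requests per minute over a training window, and an observation is flagged when it lies more than k standard deviations from the mean. The request counts, the threshold k = 3 and the function names are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed training data: requests per minute from one client during a
# window believed to be attack-free (not data from the lecture).
BASELINE = [12, 9, 11, 10, 13, 8, 12, 10, 11, 9, 10, 12]

# Constructed observation window to score against the model.
OBSERVED = [11, 10, 250, 12, 9, 0]


def build_model(samples):
    """Model of normal behaviour: mean and population std-dev of the counts."""
    return mean(samples), pstdev(samples)


def anomaly_score(value, model):
    """Distance from the model in standard deviations (a z-score)."""
    mu, sigma = model
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def is_anomalous(value, model, k=3.0):
    """Threshold-based decision: flag anything more than k sigma from the mean."""
    return abs(anomaly_score(value, model)) > k


def flag_window(values, model, k=3.0):
    """Return the indices of the observations that exceed the threshold."""
    return [i for i, v in enumerate(values) if is_anomalous(v, model, k)]


if __name__ == "__main__":
    model = build_model(BASELINE)
    print(f"model: mean={model[0]:.2f} sigma={model[1]:.2f}")
    for i in flag_window(OBSERVED, model):
        print(f"minute {i}: {OBSERVED[i]} requests, score {anomaly_score(OBSERVED[i], model):+.1f}")
```

Two things the lecture's "disadvantages" question is after show up directly: the burst of 250 requests is flagged without any signature for it, but so is the silent minute (0 requests), which may be an outage rather than an attack, and the threshold k fixes the FPR/FNR trade-off for the whole model. The training window must also come from a period that is known to be clean, otherwise the model learns the abnormal behaviour as normal.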


NIDS and HIDS

NIDS: network-based IDS
Some functional components of the detector:
- Protocol analyzer
- Signature analyzer: detects known attack types
- Shadow execution
- Logger
- Advantages
- Disadvantages


NIDS and HIDS (continued)

Host-based IDS
Some components of the detector:
- Packet scanner
- File scanner
- Main-memory scanner
- Real-time analysis
- Sandbox execution
- Advantages?
- Disadvantages?


3. FIREWALL SYSTEMS


Basic concepts

Firewall: a system that separates certain resource zones from the rest.
Typical case: the internal network (intranet) and the public network (Internet).

Controls access to resources in terms of:
- Service
- User
- Direction
- Behaviour
expressed through a policy.

Note: a firewall cannot control accesses that take place inside the zone it protects.


Packet filter

- The simplest form of firewall.
- Controls access based on information in the packet headers:
  - IP address
  - Service port
  - Protocol
  - State flags
- Typical example: ACL (Access Control List)
- Limitations: VPN, SSL/TLS
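A stateless packet filter evaluated as an ACL, as an added example that is not part of the lecture: each rule matches on exactly the header fields the slide lists (IP address, service port, protocol, TCP state flags), the first matching rule wins, and a packet matching no rule falls to the implicit default deny. The inbound network 10.0.0.0/24, the rules, the packets and the class and function names are all constructed assumptions, chosen to resemble the FooCorp setting.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str                         # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str = "any"
    dport: Optional[int] = None      # None matches every port
    established: bool = False        # only packets carrying ACK (replies to inside-initiated flows)

    def matches(self, pkt):
        """True when every header field of pkt fits this rule."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and "ACK" not in pkt.flags:
            return False
        return True


# Constructed inbound ACL on the border router; 10.0.0.0/24 is the assumed inside network.
INBOUND_ACL = [
    Rule("permit", "0.0.0.0/0", "10.0.0.0/24", "tcp", 80),                # public web server
    Rule("permit", "0.0.0.0/0", "10.0.0.0/24", "tcp", established=True),  # replies to outbound flows
]


def evaluate(acl, pkt):
    """First matching rule wins; no match means the implicit default deny."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Constructed packets arriving on the outside interface.
SAMPLE_PACKETS = [
    Packet("203.0.113.9", "10.0.0.5", "tcp", 80, frozenset({"SYN"})),      # new web connection
    Packet("203.0.113.9", "10.0.0.5", "tcp", 22, frozenset({"SYN"})),      # SSH connection attempt
    Packet("198.51.100.4", "10.0.0.7", "tcp", 51000, frozenset({"ACK"})),  # reply to an inside client
    Packet("198.51.100.4", "10.0.0.7", "tcp", 51000, frozenset({"SYN"})),  # new connection to that port
    Packet("203.0.113.9", "10.0.0.5", "udp", 53),                          # DNS to the web server
]


def decisions(acl=INBOUND_ACL, packets=SAMPLE_PACKETS):
    """Return the (action, matched rule index) pair for each packet."""
    return [evaluate(acl, p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, idx) in zip(SAMPLE_PACKETS, decisions()):
        print(f"{action:6} rule={idx}  {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}")
```

The filter never looks past the headers, which is exactly the limitation the slide names: the permitted SYN to port 80 is allowed whatever the request inside it will be, and traffic inside a VPN or TLS session is opaque to it. The "established" rule also shows the weakness of deciding state from a flag bit alone: a stateful filter tracks the connection table instead of trusting the ACK bit on each packet.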


Proxy

- Operates at the application layer.
- Strengthens control over the data of each service.
- Limitations: adds latency and complexity.

(figure: clients connect to the proxy server, which in turn connects to the web server)


Main models

Screening host (figure)


Dual-homed host (figure)


Screening subnet (figure)
