Intrusion Detection System (CS6442)
SECURITY GOALS
• Monoalphabetic ciphers
• Polyalphabetic ciphers.
Monoalphabetic Ciphers
• Additive cipher
• Multiplicative cipher
• Affine cipher
Additive cipher
• Autokey Cipher
Example
• Assume that Alice and Bob agreed to use an autokey cipher
with initial key value k1 = 12. Now Alice wants to send Bob
the message “Attack is today”. Enciphering is done character
by character.
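The autokey example above, worked through in code. This is an added example, not part of the original slides: it uses the slide's parameters (initial key k1 = 12, plaintext "Attack is today"), numbers the letters a = 0 … z = 25, and drops spaces and case, since the slide enciphers character by character. The key stream is k1 followed by the plaintext letters themselves, which is why decryption has to proceed sequentially.

```python
# Added example (not from the slides): autokey cipher with the slide's
# parameters, k1 = 12 and plaintext "Attack is today".
# Letters are numbered a=0 ... z=25; non-letters are dropped.

def _letters(text):
    """Map the alphabetic characters of text to 0..25, ignoring the rest."""
    return [ord(ch) - ord("a") for ch in text.lower() if ch.isalpha()]


def autokey_encrypt(plaintext, k1):
    """Autokey cipher: key stream = k1 followed by the plaintext letters."""
    p = _letters(plaintext)
    keystream = [k1 % 26] + p[:-1]      # each plaintext letter keys the next one
    c = [(pi + ki) % 26 for pi, ki in zip(p, keystream)]
    return "".join(chr(ci + ord("A")) for ci in c)


def autokey_decrypt(ciphertext, k1):
    """Decryption is sequential: each recovered letter becomes the next key."""
    key = k1 % 26
    out = []
    for ci in _letters(ciphertext):
        pi = (ci - key) % 26
        out.append(pi)
        key = pi                         # the plaintext letter just recovered
    return "".join(chr(pi + ord("a")) for pi in out)


if __name__ == "__main__":
    ct = autokey_encrypt("Attack is today", 12)
    print(ct)                        # MTMTCMSALHRDY
    print(autokey_decrypt(ct, 12))   # attackistoday
```

The first ciphertext letter is a + 12 = M; from then on the key for each position is the previous plaintext letter (t keys t, giving 19 + 19 = 38 mod 26 = 12 = M), so a single key letter expands into a running key the length of the message.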
Playfair Cipher
• Let us encrypt the plaintext “hello” using the key in the following
table.
What is Intrusion?
• Intrusions: attempts to compromise the confidentiality,
integrity, availability, or to bypass the security mechanisms of a
computer system or network (illegal access).
• Actions Available
– Allow the packet to go through
– Drop the packet
What a firewall can and cannot do
• An IDS does not usually take preventive measures when an attack is detected.
• The most popular way to detect intrusions has been using the audit data generated
by the operating system.
• An audit trail is a record of activities on a system that are logged to a file in
chronologically sorted order.
IDS Requirements
• Single-Tiered Architecture
– Most basic one
– The components of the IDS or IPS collect and process data themselves.
– Simple system with low cost.
– Not efficient for sophisticated functionality.
– An example is a host-based IDS tool that takes the output of system logs (utmp
and wtmp files on Unix systems) and compares it to known patterns of
attacks.
• Multi-Tiered Architecture
• Peer-to-Peer Architecture
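A minimal single-tiered host-based detector of the kind the first bullet describes, added here as an example (it is not from the slides and not a real product). One component both collects the host's own login records and compares them with a known attack pattern, here a password-guessing burst. The records are constructed for the example: real utmp/wtmp files are binary and need a proper parser, so the one-line "time result user= from=" text form used below is an assumption.

```python
# Added example, not from the slides: a single-tiered host-based detector.
# One component reads the host's own login records and compares them with a
# known attack pattern (a password-guessing burst from one source).
# The records are constructed; the "<time> <result> user=.. from=.." text
# form is an assumption made for illustration (utmp/wtmp are binary).
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
2024-05-01T02:00:01 failed user=root from=198.51.100.7
2024-05-01T02:00:03 failed user=root from=198.51.100.7
2024-05-01T02:00:04 failed user=admin from=198.51.100.7
2024-05-01T02:00:06 failed user=root from=198.51.100.7
2024-05-01T02:00:09 failed user=root from=198.51.100.7
2024-05-01T02:00:12 ok user=root from=198.51.100.7
2024-05-01T09:15:00 failed user=alice from=192.0.2.10
2024-05-01T09:15:30 ok user=alice from=192.0.2.10
"""


def parse_record(line):
    """Split one constructed record into its fields."""
    ts, result, user, src = line.split()
    return {"time": datetime.fromisoformat(ts), "result": result,
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag a source with >= threshold failed logins inside window_s seconds,
    and any later successful login from a flagged source (a guessed password
    is the event an operator most wants to see)."""
    alerts = []
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        src, now = rec["src"], rec["time"]
        if rec["result"] == "failed":
            q = recent[src]
            q.append(now)
            while (now - q[0]).total_seconds() > window_s:   # slide the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("password-guessing burst", src, now))
        elif rec["result"] == "ok" and src in flagged:
            alerts.append(("success after burst", src, now))
    return alerts


if __name__ == "__main__":
    for kind, src, when in detect_bruteforce(SAMPLE_LOG):
        print(f"{when.isoformat()} {kind} from {src}")
```

Everything (collection, parsing, pattern matching, alerting) lives in one process on the monitored host, which is exactly the simplicity and the limitation of the single-tiered design: there is no separate analyzer to correlate this host's alerts with those of other hosts.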
Multi-Tiered Architecture
A Multi-Tiered Architecture involves multiple components passing information to each
other. It consists of three primary components: sensors, agents, and a manager.
• Management server: like analyzer; it analyzes data obtained from the sensors
according to its internal rules
– These are configured to run on the particular operating environment in which it is placed.
– Normally specialized to perform one and only one function.
– Example: TCP traffic examination, FTP connections and connection attempts; third-party tools
such as network-monitoring tools and connection-tracing tools can be used.
• If a management network is used, each sensor or agent host has an additional network
interface known as a management interface that connects to the management network .
• The hosts are configured so that they cannot pass any traffic between management interfaces
and other network interfaces.
• The management servers, database servers, and consoles are attached to the management
network only.
• This architecture effectively isolates the management network from the production networks,
concealing the IDPS from attackers and ensuring that the IDPS has adequate bandwidth to
function under adverse conditions (e.g. worm attack, DDoS).
• This involves additional cost in networking equipment and other hardware, and it is also quite
inconvenient for IDPS administrators to use separate computers for IDPS management and monitoring.
• A central collection point allows for greater ease in analyzing logs as all
login information is available at one location.
• But it is advisable to write log data to a different system from the one that
produced it.
Example
• Cons:
– Increased complexity in setting up the components, interfaces,
and communication methods among them in this architecture.
– Increased cost in day-to-day maintenance and troubleshooting
challenges.
Peer-to-Peer Architecture
• Involves exchanging intrusion detection and prevention information between peer
components performing the same type of function.
• Often used by cooperating firewalls.
• One firewall obtains information about events occurring and passes this
information to another, causing a change in an access control list or the addition of
a restriction on proxied connections.
• Neither firewall acts as the central server or master repository of
information.
• Simpler to implement than the multi-tiered architecture.
• Any peer can participate and benefit from information gained by
other peers.
• Lacks specialized functionality compared to multi-tiered, due to the absence
of specialized components, but is better than the single-tiered architecture.
• Well suited for organizations that have invested enough to obtain and
deploy firewalls capable of cooperating with each other, but not in IDS and
IPS.
Types of IDS
• Monitoring Environment
– Host based, vs. network based
• Detection Model
– signature detection vs. anomaly detection
• Operation
– Off-line vs. real-time
• Architecture
– Centralized vs. distributed
Network-based IDPS
• A network-based IDPS monitors and analyzes network traffic
for particular network segments or devices to identify
suspicious activity.
• The IDPS network interface cards that will be performing
monitoring are placed into promiscuous mode so that they
accept all packets that they see, regardless of their intended
destinations.
• An appropriate network for the components (management
network / VLAN) needs to be decided.
• The sensor placement location needs to be decided:
– Inline
– Passive
Inline sensor deployment
• An inline sensor is deployed so that the traffic it monitors passes through it.
• Some inline sensors are hybrid firewall/IDPS devices.
• The primary motivation for deploying sensors inline is to stop attacks by blocking traffic.
• Most techniques for having a sensor prevent intrusions require that the sensor be deployed in inline mode.
Passive Sensor deployment
• A passive sensor is deployed so that it monitors a copy of the actual traffic; no traffic passes through the sensor.
• Passive sensors can monitor traffic through various methods, including a switch spanning port, a network tap and an IDS load balancer.
• Passive techniques typically provide no reliable way for a sensor to block traffic.
Continued…
• Spanning port:
– It can see all network traffic going through a switch.
– Connecting sensor to a spanning port can allow it to monitor traffic going to and
from many hosts.
– Easy and inexpensive monitoring method.
– Can be problematic if the switch is configured incorrectly, so that the spanning port
cannot see all the traffic.
– If the switch is under heavy load, its spanning port might not be able to see all traffic
or might be disabled temporarily.
• Network Tap:
– It is a direct connection between a sensor and the physical network media itself,
such as a fiber optic cable.
• IDS load balancer:
– Aggregates and directs network traffic to monitoring systems based on a set of
rules:
• Send all traffic to multiple IDPS sensors.
• Dynamically split the traffic among multiple IDPS sensors based on volume.
• Split the traffic among multiple IDPS sensors based on IP address, protocol, or other
characteristics.
– Diverting traffic to multiple IDPS sensors may reduce detection
accuracy if related events of a single attack are seen by different sensors.
Security capability
The network-based IDPS provides a wide variety of security capabilities,
divided into four categories:
• Information gathering
– Identifying hosts (a list of hosts on the organization’s network with their IP and MAC addresses
is prepared, so that any new host can be detected.)
– Identifying operating systems
• Identify the OS and its version on each host through techniques such as checking the ports used by the
host
• Analyze packet headers for certain unusual characteristics
– Identifying applications
• Determine the application version by noting the port number used or through the communication traces
between application server and client. The noted version can be used to identify potentially vulnerable
applications and their unauthorized uses.
– Identifying network characteristics
• Collect information about network traffic, such as the configuration of network devices and hosts, to detect
changes.
• Logging
– IDPSs perform extensive logging of data related to detected events so as to confirm
the validity of alerts, to investigate incidents and to correlate events between the
IDPS and other logging sources.
– Timestamp, connection or session ID, network, transport and application protocols,
IP addresses, port numbers, etc.
• Detection
• Prevention
Continued…
• Detection:
– NIDS offers broad detection capabilities using a combination of
techniques (signature-based, anomaly-based, stateful protocol analysis)
• Detection Accuracy:
– Has a high rate of false positives and false negatives.
– Requires considerable tuning and customization (thresholds for port
scans, blacklists and whitelists for host IP addresses, and alert settings)
according to the monitored environment.
• Technology limitations:
– Cannot analyze encrypted network traffic
• To ensure that sufficient analysis is performed on payloads within
encrypted traffic, IDPSs can be deployed to analyze the payloads
before they are encrypted or after they are decrypted.
– Handling high traffic loads
• For inline IDPS sensors, dropping packets also causes disruptions
in network availability, and delays in processing packets could
cause unacceptable latency.
• Either pass certain types of traffic through the sensor without
performing full analysis or drop low-priority traffic.
– Withstanding attacks against the IDPS itself.
• Attackers can generate large volumes of traffic, such as DDoS
attacks, blinding and other anomalous activity
Types of IDS: Network-based
• PROS:
– Protects the whole network and detects network-based attacks (like DoS)
– Broad in scope (watches all network activities)
– Easier setup: Easy to deploy
– Better for detecting attacks from the outside
– Less expensive to implement
– Detection is based on what can be recorded on the entire network
– Examines packet headers
– Near real-time response
– OS-independent
– Detects unsuccessful attack attempts
• CONS:
– Require all traffic information.
– Generates an enormous amount of data to be analyzed
– Cannot monitor traffic at higher network traffic rates
– Cannot deal with encrypted network traffic
– Cannot detect system-specific attacks (like trojans)
Host-based IDPS deployment architecture
Deployment options:
• CONS:
– Detection is based on what any single host can record
– Narrow in scope (watches only specific host activities)
– Reduce performance of host system.
– Vulnerable to situation like when host operating system is compromised
– More expensive to implement.
– Deployment is challenging
– OS dependent
– Does not see packet headers.
Evaluation criteria
• Accuracy
• Performance
• Completeness
• Timely response
• Adaptation and cost sensitivity
• Intrusion tolerance and attack resistance
Accuracy
• How correctly an IDS works.
• Furthermore, a classifier that blindly predicts all the data as being intrusive
will have a 100% Recall (but a very low precision).
F-Measure
• The F-Measure mixes the properties of the previous two
metrics, being defined as the harmonic mean of precision and
recall.
• The upper-right point (1,1) characterizes an IDS that generates an alarm for
each data that is encountered. Consequently, it will have a 100% detection
rate and a 100% false alarm rate as well.
• The line defined by connecting the two previous points represents any
classifier that uses a randomized decision engine for detecting the intrusions.
Any point on this line can be obtained by a linear combination of the two
previously mentioned strategies. Thus, the ROC curve of an IDS will
always reside above this diagonal.
• The upper-left point (0,1) represents the ideal case when there is a 100%
detection rate while having a 0% false alarm rate. Thus the closer a point in
the ROC space is to the ideal case, the more efficient the classifier is.
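The accuracy metrics described above (precision, recall, F-measure and the ROC point) computed from a small labelled evaluation set. This is an added example, not from the slides; the labels and predictions are constructed (1 = intrusion, 0 = normal), and the three prediction vectors are chosen to land on the ROC points the slides discuss: a tuned detector, the alarm-on-everything classifier at (1,1), and the never-alarm classifier at (0,0).

```python
# Added example, not from the slides: accuracy metrics from a labelled set.
# Labels and predictions are constructed; 1 = intrusion, 0 = normal.

def confusion(labels, predictions):
    """Return (tp, fp, fn, tn) for binary labels and predictions."""
    tp = fp = fn = tn = 0
    for y, p in zip(labels, predictions):
        if y == 1 and p == 1:
            tp += 1
        elif y == 0 and p == 1:
            fp += 1
        elif y == 1 and p == 0:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def safe_div(a, b):
    """0.0 when the denominator is empty (e.g. precision with no alarms)."""
    return a / b if b else 0.0


def evaluate(labels, predictions):
    tp, fp, fn, tn = confusion(labels, predictions)
    precision = safe_div(tp, tp + fp)
    recall = safe_div(tp, tp + fn)            # = detection rate
    false_alarm = safe_div(fp, fp + tn)       # = false alarm rate
    return {
        "accuracy": safe_div(tp + tn, tp + fp + fn + tn),
        "precision": precision,
        "recall": recall,
        # harmonic mean of precision and recall
        "f_measure": safe_div(2 * precision * recall, precision + recall),
        # ROC space: x = false alarm rate, y = detection rate
        "roc_point": (false_alarm, recall),
    }


# Constructed evaluation set: 4 intrusions among 10 records.
LABELS = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
TUNED = [1, 1, 1, 0, 1, 0, 0, 0, 0, 0]      # misses one attack, one false alarm
ALARM_ON_EVERYTHING = [1] * len(LABELS)      # the (1,1) point on the ROC diagonal
NEVER_ALARM = [0] * len(LABELS)              # the (0,0) point

if __name__ == "__main__":
    for name, pred in [("tuned", TUNED), ("alarm on everything", ALARM_ON_EVERYTHING),
                       ("never alarm", NEVER_ALARM)]:
        print(name, evaluate(LABELS, pred))
```

The alarm-on-everything classifier reaches 100% recall exactly as the slide says, but its precision collapses to the base rate of intrusions (0.4 here), and the F-measure exposes that trade-off where recall alone would not.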
Performance
• The quality of a NIDS is described by the percentage of true attacks
detected combined with the number of false alerts. However, even a
high-quality NIDS algorithm is not effective if its processing cost is
too high, since the resulting loss of packets increases the probability
that an attack is not detected.
• Since the size of the header is generally fixed, the overall processing cost of
applying header rules depends on the number of packets to be processed.
• For payload rules, the overall processing cost is determined by the size of the
packets.
• This example demonstrates that for small numbers of rules, nearly
no packets are lost, but when the number of rules exceeds the
maximum processing capability of the system the number of
dropped packets increases drastically.
• The main challenge for multivariate statistical IDSs is that it is difficult to estimate
distributions for high-dimensional data.
• Time series model: A time series is a series of observations made over a certain
time interval. A new observation is abnormal if its probability of occurring at that
time is too low.
Univariate Vs Multivariate
• Univariate anomaly detection looks for anomalies in each individual
metric, while multivariate anomaly detection learns a single model for all
the metrics in the system.
• Univariate methods are simpler, so they are easier to scale to many metrics
and large datasets. However, someone would then need to unravel the
causal relationships between the anomalies in the resulting alert storm.
• The multivariate approach also produces anomaly alerts that are hard to interpret,
because all the metrics are inputs that generate a single output from the
anomaly detection system.
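The difference between the two approaches, shown on two metrics. This is an added example, not from the slides: per-metric z-scores stand in for the univariate method and a single Mahalanobis-distance model over both metrics for the multivariate one. The training rows are constructed so that bytes per second track requests per second at roughly 50 bytes per request, which makes the two metrics strongly correlated; the 2x2 covariance matrix is inverted by hand so no numerical library is needed.

```python
# Added example, not from the slides: univariate z-score detection per metric
# versus one multivariate model (Mahalanobis distance) over both metrics.
# Training data are constructed: req/s from 80 to 120, bytes/s close to
# 50 bytes per request plus bounded deterministic noise. Two metrics only,
# so the covariance matrix can be inverted without a linear-algebra library.
METRICS = ("req_per_s", "bytes_per_s")


def make_training():
    rows = []
    for i in range(41):
        req = 80 + i
        noise = ((i * 37) % 11 - 5) * 20        # deterministic, in [-100, 100]
        rows.append((float(req), 50.0 * req + noise))
    return rows


def mean(xs):
    return sum(xs) / len(xs)


def cov(xs, ys):
    """Sample covariance; cov(x, x) is the sample variance."""
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) - 1)


def univariate_anomalies(train, point, z_thresh=3.0):
    """Names of the metrics whose value lies more than z_thresh standard
    deviations from that metric's mean, each metric judged on its own."""
    flagged = []
    for k, name in enumerate(METRICS):
        col = [row[k] for row in train]
        z = abs(point[k] - mean(col)) / cov(col, col) ** 0.5
        if z > z_thresh:
            flagged.append(name)
    return flagged


def mahalanobis_sq(train, point):
    """Squared Mahalanobis distance of point from the joint 2-D model."""
    xs = [r[0] for r in train]
    ys = [r[1] for r in train]
    a, c, d = cov(xs, xs), cov(xs, ys), cov(ys, ys)   # covariance [[a, c], [c, d]]
    det = a * d - c * c
    dx, dy = point[0] - mean(xs), point[1] - mean(ys)
    # dx^T * inverse(cov) * dx, with inverse(cov) = [[d, -c], [-c, a]] / det
    return (d * dx * dx - 2 * c * dx * dy + a * dy * dy) / det


def multivariate_anomaly(train, point, d2_thresh=13.82):
    """Squared distance is chi-square with 2 degrees of freedom under the
    Gaussian model; 13.82 corresponds to p = 0.001."""
    return mahalanobis_sq(train, point) > d2_thresh


TRAIN = make_training()
SCAN_LIKE = (115.0, 4000.0)   # each metric alone looks normal; the ratio does not
FLOOD = (160.0, 8000.0)       # both metrics individually extreme
NORMAL = (105.0, 5260.0)

if __name__ == "__main__":
    for name, pt in [("scan-like", SCAN_LIKE), ("flood", FLOOD), ("normal", NORMAL)]:
        print(name, univariate_anomalies(TRAIN, pt), multivariate_anomaly(TRAIN, pt))
```

The scan-like point (many requests carrying little data) is invisible to the per-metric view because each value is well within its own range; only the joint model sees that the pair is off the learned relationship. Conversely, the flood is flagged by both, but the multivariate model reports one alert with no indication of which metric drove it, which is the interpretability problem the last bullet describes.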
Knowledge-based techniques
• This group of techniques is also referred to as an expert system method.
This approach requires creating a knowledge base which reflects the
legitimate traffic profile.
• Unlike the other classes of AIDS, the standard profile model is normally
created based on human knowledge, in terms of a set of rules that try to
define normal system activity.
Packet Logger Mode
• Gee, it sure would be nice if I could save those
packets to disk…
• Multi-mode packet logging options available
– Flat ASCII, tcpdump, XML, database, etc available
• Log all data and post-process to look for
anomalous activity
NIDS Mode
• Wide variety of rules available for signature
engine (~1300 as of June 2001, grow to ~2900
at May 2005)
• Multiple detection modes available via rules
and plug-ins
– Rules/signature
– Statistical anomaly
– Protocol verification
Snort Rules
• Snort rules are extremely flexible and are easy to
modify, unlike many commercial NIDS
• Sample rule to detect SubSeven trojan:
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR
subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|";
reference:arachnids,485; reference:url,www.hackfix.org/subseven/;
sid:103; classtype:misc-activity; rev:4;)
Snort
Data flow (figure): Packet Stream → Preprocessor (Plug-ins) → Detection Engine (Plug-ins) → Output Stage (Plug-ins) → Alerts/Logs
Detection Engine: Rules
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: "SYN-FIN Scan";)
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan";)
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: "FIN Scan";)
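A small parser for the rule syntax used in the SubSeven rule and the three scan rules above, together with an evaluator for the `flags:` and `content:` options. This is an added example; it is neither Snort's own code nor part of the slides. It models only the rule header, the option list, the flag modifiers (`+`, `*`, `!`), and `|..|` hex content. Snort's real engine resolves `$HOME_NET`-style variables, checks addresses and ports, supports many more options and uses fast pattern matching, none of which is modelled; the packets below are constructed and carry only TCP flag bits and a payload.

```python
# Added example (not Snort's own code, not from the slides): a parser for
# the rule syntax shown above and an evaluator for flags: and content:.
import re

# TCP flag bits as named in Snort's flags: option (1 and 2 = reserved bits)
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}

# The rules from the slides, as single strings (line wraps are collapsed).
SUBSEVEN_RULE = ('alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR '
                 'subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; '
                 'reference:arachnids,485; reference:url,www.hackfix.org/subseven/; '
                 'sid:103; classtype:misc-activity; rev:4;)')
SYN_FIN_RULE = 'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: "SYN-FIN Scan";)'
QUESO_RULE = 'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan";)'

HEADER_RE = re.compile(r"(\w+) (\w+) (\S+) (\S+) (->|<>) (\S+) (\S+) \((.*)\)")


def parse_rule(text):
    """Split a rule into header fields and an ordered list of (option, value)."""
    m = HEADER_RE.fullmatch(" ".join(text.split()))
    if not m:
        raise ValueError("unrecognised rule header")
    action, proto, sip, sport, direction, dip, dport, body = m.groups()
    options = []
    for raw in body.split(";"):            # option values here contain no ';'
        if raw.strip():
            key, _, val = raw.partition(":")
            options.append((key.strip(), val.strip()))
    return {"action": action, "proto": proto, "src": (sip, sport),
            "direction": direction, "dst": (dip, dport), "options": options}


def content_bytes(spec):
    """Decode a content: value; text between | | is hexadecimal."""
    out = b""
    for i, part in enumerate(spec.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def flags_match(spec, flags):
    """Flag modifiers: none = exact match, + = at least these, * = any of
    these, ! = none of these. (Snort's ',mask' suffix is not modelled.)"""
    mod = spec[-1] if spec[-1] in "+*!" else ""
    want = 0
    for ch in spec.rstrip("+*!"):
        want |= FLAG_BITS[ch]
    if mod == "+":
        return flags & want == want
    if mod == "*":
        return bool(flags & want)
    if mod == "!":
        return not flags & want
    return flags == want


def rule_matches(rule, packet):
    """packet: {'flags': TCP flag bits, 'payload': bytes}. Header fields are
    not checked because the constructed packet carries no addresses."""
    for key, val in rule["options"]:
        if key == "flags" and not flags_match(val, packet["flags"]):
            return False
        if key == "content" and content_bytes(val) not in packet["payload"]:
            return False
    return True


if __name__ == "__main__":
    pkt = {"flags": 0x18, "payload": b"\r\n[RPL]002\r\n"}   # ACK|PSH, constructed
    for name, text in [("subseven", SUBSEVEN_RULE), ("syn-fin", SYN_FIN_RULE)]:
        print(name, rule_matches(parse_rule(text), pkt))
```

The SubSeven rule illustrates why `flags: A+` rather than an exact match is used for established-connection signatures: the ACK bit must be present but PSH or other bits may accompany it, whereas the scan rules use exact flag combinations (SYN+FIN, or SYN with both reserved bits) that no normal TCP stack emits.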
Conclusion
• Snort is a powerful tool, but maximizing its
usefulness requires a trained operator
• Becoming proficient with network intrusion
detection takes 12 months; “expert” 24-36?
• Snort is considered a superior NIDS when
compared to most commercial systems
• Managed network security providers should
collect enough information to make decisions
without calling clients to ask what happened
Intrusion alert correlation
Correlation can address some of the IDS weaknesses
• Alert flooding
– Generates a large number of alerts
• Contexts
– Does not group related attacks
• False alerts
– Generates false negatives and false positives
• Scalability
– Difficult to achieve large-scale deployment
• Correlation can capture high level view of
attack activity on the target network without
losing security relevant information.
Correlation process
• Pre-process
– Data normalization
– Data reduction
• Process (Alert correlation technique)
• Post-process
Pre-processing
The aim of pre-processing is to convert alerts to a generic format
and to reduce the number of alerts to be correlated.
• Detect Time: The time when the event(s) leading up to the alert was detected. This could be
different from the CreateTime in some circumstances.
• Source: The source that triggers the alert. It is also composed of four aggregate classes, namely,
Node, User, Process and Service.
• Target: The target of the alert. It has the same aggregate classes as Source, with one additional class
named File List.
• Assessment: Information about the impact of the event, actions taken in response to it, and confidence in
the evaluation; and
• Additional Data: Additional information that does not fit into the data model.
• The Alert class attribute Message Id uniquely identifies the alert. There are three subclasses of the Alert class:
– Tool Alert class specifies the attacking tool used by the attacker.
– Overflow Alert class contains information about buffer overflow attacks, such as the size of the contents
in the buffer and the content itself.
– Correlation Alert class provides a means to group alerts together.
2. Data reduction: It is a process to reduce the number of alerts without
losing important information.
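Both pre-processing steps (normalization into a generic format, then data reduction) run over constructed alerts. This is an added example, not from the slides: the two sensor-specific input formats are assumptions invented for it, the generic record's field names follow the classes listed above (Detect Time, Source, Target, Assessment), and reduction merges repeated alerts with the same name, source node and target node inside a time window into one record carrying a count, so no event is lost.

```python
# Added example, not from the slides: alert normalization and data reduction.
# Both input formats are constructed assumptions; the generic record follows
# the classes named above (DetectTime, Source, Target, Assessment).
from datetime import datetime, timedelta

# Constructed network-sensor lines: "time|signature|src_ip:port|dst_ip:port|severity"
NIDS_LINES = [
    "2024-05-01T10:00:00|SYN-FIN Scan|198.51.100.7:40001|192.0.2.5:22|medium",
    "2024-05-01T10:00:04|SYN-FIN Scan|198.51.100.7:40002|192.0.2.5:25|medium",
    "2024-05-01T10:00:09|SYN-FIN Scan|198.51.100.7:40003|192.0.2.5:80|high",
    "2024-05-01T10:05:00|SYN-FIN Scan|198.51.100.7:40100|192.0.2.5:443|medium",
]
# Constructed host-sensor records
HIDS_RECORDS = [
    {"ts": "2024-05-01T10:00:30", "rule": "password-guessing burst",
     "host": "192.0.2.5", "peer": "198.51.100.7", "user": "root", "level": 3},
]
SEVERITY = {"low": 1, "medium": 2, "high": 3}     # one scale for both sensors


def normalize_nids(line):
    """Map one network-sensor line onto the generic alert record."""
    ts, sig, src, dst, sev = line.split("|")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"detect_time": datetime.fromisoformat(ts), "name": sig,
            "source": {"node": sip, "service": int(sport)},
            "target": {"node": dip, "service": int(dport)},
            "assessment": {"severity": SEVERITY[sev]},
            "count": 1}


def normalize_hids(rec):
    """Map one host-sensor record onto the same generic record."""
    return {"detect_time": datetime.fromisoformat(rec["ts"]), "name": rec["rule"],
            "source": {"node": rec["peer"]},
            "target": {"node": rec["host"], "user": rec["user"]},
            "assessment": {"severity": rec["level"]},
            "count": 1}


def reduce_alerts(alerts, window=timedelta(seconds=60)):
    """Merge alerts with the same (name, source node, target node) whose
    detect times fall within `window` of the group's first alert. The merged
    record keeps the first time, the last time, a count and the highest severity."""
    groups = []
    open_group = {}                      # key -> most recent group for that key
    for a in sorted(alerts, key=lambda x: x["detect_time"]):
        key = (a["name"], a["source"]["node"], a["target"]["node"])
        g = open_group.get(key)
        if g is not None and a["detect_time"] - g["detect_time"] <= window:
            g["count"] += 1
            g["last_time"] = a["detect_time"]
            g["assessment"]["severity"] = max(g["assessment"]["severity"],
                                              a["assessment"]["severity"])
        else:
            g = {**a, "assessment": dict(a["assessment"]), "last_time": a["detect_time"]}
            open_group[key] = g
            groups.append(g)
    return groups


def preprocess(nids_lines=NIDS_LINES, hids_records=HIDS_RECORDS):
    alerts = ([normalize_nids(line) for line in nids_lines] +
              [normalize_hids(rec) for rec in hids_records])
    return reduce_alerts(alerts)


if __name__ == "__main__":
    for g in preprocess():
        print(g["detect_time"].isoformat(), g["name"], g["source"]["node"],
              "->", g["target"]["node"], "x", g["count"])
```

Five raw alerts become three records: the three scan alerts within ten seconds collapse into one with a count of three, the host alert stays separate, and the scan five minutes later opens a new group because it falls outside the window. The correlation step that follows then works on this smaller, uniformly structured set.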