Wednesday, October 28, 2009

Lecture 9 - Intrusion Detection System (IDS)

Intruders

• significant issue: hostile/unwanted trespass

– from benign to serious

• user trespass

– unauthorized logon, privilege abuse

• software trespass

– virus, worm, or trojan horse

• classes of intruders:

– masquerader, misfeasor, clandestine user

Examples of Intrusion

remote root compromise

web server defacement

guessing / cracking passwords

copying / viewing sensitive data / databases

running a packet sniffer

distributing pirated software

using an unsecured modem to access net

impersonating a user to reset password

using an unattended workstation


Security Intrusion & Detection


Security Intrusion

a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.


Intrusion Detection

a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.


Hackers

The terms hacker and hack are marked by contrasting positive and negative connotations. Computer programmers often use the words hacking and hacker to express admiration for the work of a skilled software developer, but may also use them in a negative sense to describe the production of inelegant kludges. Some frown upon using hacking as a synonym for security cracking -- in distinct contrast to the larger world, in which the word hacker is typically used to describe someone who "hacks into" a system by evading or disabling security measures.


Hacker Behavior Example

1. select target using IP lookup tools

2. map network for accessible services

3. identify potentially vulnerable services

4. brute force (guess) passwords

5. install remote administration tool

6. wait for admin to log on and capture password

7. use password to access remainder of network


Criminal Enterprise

• organized groups of hackers now a threat

– corporation / government / loosely affiliated gangs

– typically young

– often Eastern European or Russian hackers

– common target credit cards on e-commerce server

• criminal hackers usually have specific targets

• once penetrated act quickly and get out

• IDS / IPS help but less effective

• sensitive data needs strong protection


Criminal Enterprise Behavior

1. act quickly and precisely to make their activities harder to detect

2. exploit perimeter via vulnerable ports

3. use trojan horses (hidden software) to leave back doors for re-entry

4. use sniffers to capture passwords

5. do not stick around until noticed

6. make few or no mistakes.


What is hacking?

Hacking is unauthorized use of computer and network resources. (The term "hacker" originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.)
Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an ethical hacker and an organization, it's OK. The key difference is that the ethical hacker has authorization to probe the target.


Intrusion Detection Systems

An intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network such as the Internet. These attempts may take the form of attacks by, for example, crackers, malware, or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.

An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).

An IDS can be composed of several components: Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.


IDS Terminology

Alert/Alarm - A signal suggesting a system has been or is being attacked.

True attack stimulus - An event that triggers an IDS to produce an alarm and react as though a real attack were in progress.

False attack stimulus - The event signaling an IDS to produce an alarm when no attack has taken place.

False alarm (false positive) - An alert or alarm that is triggered when no actual attack has taken place.

False negative - A failure of an IDS to detect an actual attack.

Noise - Data or interference that can trigger a false positive.

Site policy - Guidelines within an organization that control the rules and configurations of an IDS.

Site policy awareness - The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity.

Confidence value - A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.

Alarm filtering - The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.


Types of Intrusion-Detection systems

Network intrusion detection system (NIDS)

It is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. An example of a NIDS is Snort.


Protocol-based intrusion detection system (PIDS)

It consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server. For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect. Where HTTPS is in use, this system would need to reside in the "shim", or interface, between the point where HTTPS is decrypted and the point immediately before the request enters the web presentation layer.


Application protocol-based intrusion detection system (APIDS)

It consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.


Host-based intrusion detection system (HIDS)

It consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state. An example of a HIDS is OSSEC.
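The file-system side of a HIDS (watching binaries, password files and similar host state for modification) reduces to a baseline of content hashes plus a diff of later snapshots against it. The following Python block is an added example written for these notes, not OSSEC's code; the file tree it hashes is constructed in a temporary directory, and the tampering it simulates (a modified binary, a new startup file, a deleted file) is constructed as well.

```python
"""Minimal file-integrity check of the kind a HIDS runs over binaries,
password files and other sensitive host state: hash a file tree into a
baseline, then diff a later snapshot against it. Added example, not
OSSEC's code; the file tree is constructed in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify changes relative to the baseline as added, removed or modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed tree, baseline it, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed login binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)   # in practice stored off-host or read-only

        # Simulated host changes after the baseline was taken: a modified
        # binary, an unexpected new startup file, and a deleted file.
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed login binary, altered")
        (root / "etc" / "rc.local").write_text("# constructed unexpected startup entry\n")
        (root / "etc" / "hosts").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two design points matter in practice: the baseline must live where an intruder on the host cannot rewrite it (read-only media or a separate host), and a content hash catches changed bytes but not changed ownership or permissions, so a real agent records those attributes alongside the digest.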


Hybrid intrusion detection system

It combines two or more approaches. Host agent data is combined with network information to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude. Intrusion detection systems can also be system-specific using custom tools and honeypots.


IDS Principles

• assume intruder behavior differs from legitimate users

– expect overlap as shown

– observe deviations from past history

– problems of:

• false positives

• false negatives

• must compromise



Distributed Host-Based IDS


NIDS Sensor Deployment


Passive system vs. reactive system

In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner. In a reactive system, also known as an intrusion prevention system (IPS), the IPS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator.

Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system which terminates connections is called an intrusion prevention system, and is another form of application layer firewall. The term IDPS is commonly used to refer to hybrid security systems that both "detect" and "prevent".

Statistical anomaly and signature based IDSes

All intrusion detection systems use one or both of two detection techniques: statistical anomaly based and signature based.

Statistical anomaly based IDS - A statistical anomaly based IDS establishes a performance baseline from evaluations of normal network traffic. It then compares samples of current network traffic activity against this baseline to decide whether they fall within the baseline parameters. If the sampled traffic is outside the baseline parameters, an alarm is triggered.

Signature based IDS- Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, a collection of these signatures must be constantly updated to mitigate emerging threats.
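The following Python block is an added example for these notes (not code from the lecture or from any IDS product) that puts the two techniques side by side and ties them back to the terminology section: a statistical-anomaly detector that builds a mean/standard-deviation baseline from a training window, a signature detector that matches preconfigured patterns, and a scorer that counts true positives, false positives and false negatives against ground-truth labels. The connection-rate metric, the threshold of three standard deviations, the two signatures and the event stream are all constructed for the example.

```python
"""Toy IDS engine combining the two detection techniques from the notes:
a statistical-anomaly detector (baseline from training traffic) and a
signature detector (regex patterns), run over one constructed event stream
and scored for true positives, false positives and false negatives.
Added example; not from the lecture. Metric, threshold, signatures and
events are constructed."""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Event:
    src: str
    conn_per_min: int   # constructed metric: new connections/min from src
    payload: str        # constructed decoded request text
    is_attack: bool     # ground-truth label, used only for scoring


# Signatures: preconfigured patterns (a tiny stand-in for a rule set).
SIGNATURES = {
    "SQLI_UNION": re.compile(r"union\s+select", re.I),
    "PATH_TRAVERSAL": re.compile(r"\.\./\.\./"),
}


def signature_detect(event):
    """Return the names of all signatures matching the event payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(event.payload)]


class AnomalyDetector:
    """Baseline = mean and population stdev of a metric over a training window."""

    def __init__(self, training, k=3.0):
        self.mean = statistics.mean(training)
        self.stdev = statistics.pstdev(training)
        self.k = k

    def is_anomalous(self, value):
        # Alarm when the value exceeds the baseline by more than k stdevs.
        return value > self.mean + self.k * self.stdev


def score(events, alerts):
    """Count TP/FP/FN by comparing alert decisions with the labels."""
    tp = sum(1 for e, a in zip(events, alerts) if a and e.is_attack)
    fp = sum(1 for e, a in zip(events, alerts) if a and not e.is_attack)
    fn = sum(1 for e, a in zip(events, alerts) if not a and e.is_attack)
    return {"tp": tp, "fp": fp, "fn": fn}


# Constructed training window of normal connection rates (per minute).
TRAINING = [10, 12, 11, 9, 13, 10, 12, 11]

# Constructed event stream with ground-truth labels.
EVENTS = [
    Event("192.0.2.10", 12, "GET /index.html", False),
    Event("192.0.2.11", 10, "GET /item?id=1 UNION SELECT name,pw FROM users", True),
    Event("198.51.100.7", 400, "GET /", True),               # scan-like burst
    Event("192.0.2.12", 30, "GET /report?month=10", False),  # legitimate burst
    Event("198.51.100.9", 9, "GET /files?name=../../secret.txt", True),
]


def run(events=EVENTS, training=TRAINING):
    """Run both detectors and return the score of each and of their union."""
    det = AnomalyDetector(training)
    sig_alerts = [bool(signature_detect(e)) for e in events]
    anom_alerts = [det.is_anomalous(e.conn_per_min) for e in events]
    both = [s or a for s, a in zip(sig_alerts, anom_alerts)]
    return {
        "signature": score(events, sig_alerts),
        "anomaly": score(events, anom_alerts),
        "combined": score(events, both),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:10s} {result}")
```

Running it shows the trade-off the notes describe: the signature detector misses the burst it has no pattern for (a false negative), the anomaly detector flags the legitimate report burst (a false positive) and misses the two payload attacks that arrive at a normal rate, and only their union catches all three attacks, at the price of one false alarm.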

Distributed Adaptive Intrusion Detection


Intrusion Detection Exchange Format


Honeypots

In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.


Honeypot Deployment


SNORT

• lightweight IDS

– real-time packet capture and rule analysis

– passive or inline



SNORT Rules

• use a simple, flexible rule definition language

• with fixed header and zero or more options

• header includes: action, protocol, source IP, source port, direction, dest IP, dest port

• many options

• example rule to detect TCP SYN-FIN attack:

alert tcp $EXTERNAL_NET any -> $HOME_NET any \

(msg:"SCAN SYN FIN"; flags:SF,12; \

reference:arachnids,198; classtype:attempted-recon;)
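To make the header/options structure concrete, the following Python block is an added example (not Snort's code) that parses the SYN-FIN rule above into its seven fixed header fields and its key/value options, then evaluates it against a handful of constructed TCP packets. The $HOME_NET and $EXTERNAL_NET definitions, the packet dictionaries and the flag strings are assumptions for the example; the flags matching follows Snort's default exact-match semantics, where the bits listed after the comma (1 and 2, the reserved bits) are ignored.

```python
"""Parse the lecture's SYN-FIN Snort rule and evaluate it against constructed
packets. Added example, not Snort's own code; the network variables, packet
dicts and flag strings are assumptions made for the example."""
import ipaddress
import re
from dataclasses import dataclass, field

RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"SCAN SYN FIN"; flags:SF,12; '
    'reference:arachnids,198; classtype:attempted-recon;)'
)

# Assumed variable definitions (in Snort these come from the configuration).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
NETVARS = {
    "$HOME_NET": lambda ip: ip in HOME_NET,
    "$EXTERNAL_NET": lambda ip: ip not in HOME_NET,   # i.e. !$HOME_NET
}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


# key:value; pairs, allowing a quoted value such as msg:"SCAN SYN FIN";
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(text):
    """Split a Snort rule into its fixed header and key/value options."""
    text = " ".join(text.replace("\\\n", " ").split())   # join continuation lines
    head, _, body = text.partition("(")
    fields = head.split()
    if len(fields) != 7:
        raise ValueError("rule header must have exactly 7 fields")
    fields[0] = fields[0].lower()                         # action keyword
    opts = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(body)}
    return Rule(*fields, options=opts)


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec in NETVARS:
        return NETVARS[spec](ip)
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def _flags_match(spec, flags):
    """flags:<set>,<ignore>: every listed flag must be set and no other flag
    may be set, except the bits listed after the comma, which are ignored."""
    required, _, ignored = spec.partition(",")
    return set(flags) - set(ignored) == set(required)


def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, src, sport, dst, dport, flags.
    Only the '->' direction is handled here."""
    if pkt["proto"] != rule.proto or rule.direction != "->":
        return False
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if not (_addr_matches(rule.src, src) and _port_matches(rule.sport, pkt["sport"])):
        return False
    if not (_addr_matches(rule.dst, dst) and _port_matches(rule.dport, pkt["dport"])):
        return False
    if "flags" in rule.options and not _flags_match(rule.options["flags"], pkt.get("flags", "")):
        return False
    return True


def evaluate(rule_text, packets):
    """Return the rule's msg for each packet it fires on, else None."""
    rule = parse_rule(rule_text)
    return [rule.options.get("msg") if rule_matches(rule, p) else None for p in packets]


# Constructed packets (not real captures); flag letters as in Snort.
PACKETS = [
    dict(proto="tcp", src="203.0.113.5", sport=40000, dst="10.0.0.7", dport=80, flags="SF"),
    dict(proto="tcp", src="203.0.113.5", sport=40001, dst="10.0.0.7", dport=80, flags="S"),
    dict(proto="tcp", src="203.0.113.5", sport=40002, dst="10.0.0.7", dport=80, flags="SFA"),
    dict(proto="tcp", src="203.0.113.5", sport=40003, dst="10.0.0.7", dport=443, flags="SF12"),
    dict(proto="tcp", src="10.0.0.9", sport=40004, dst="10.0.0.7", dport=80, flags="SF"),
]

if __name__ == "__main__":
    for pkt, hit in zip(PACKETS, evaluate(RULE, PACKETS)):
        print(pkt["src"], pkt["flags"], "->", hit or "no alert")
```

The five packets exercise each part of the rule: a plain SYN-FIN from outside fires, a normal SYN does not, SYN-FIN with ACK fails the exact flag match, SYN-FIN with the reserved bits set still fires because the ",12" part ignores them, and a SYN-FIN from an internal address fails the $EXTERNAL_NET test.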

Reference

William Stallings & Lawrie Brown. Computer Security: Principles and Practice, 1/e. Pearson, 2008.


END OF LECTURE 9


1 comment:

  1. This is the good blog with good images and good details. Please keep on posting the more stuff. I will like to hear more from you.

    Intrusion Detection
