
Monday, October 26, 2009

Lec 9: Intrusion Detection System

Intruders

  • a significant issue: hostile/unwanted trespass, ranging from benign to serious
  • user trespass: unauthorized logon, privilege abuse
  • software trespass: virus, worm, or trojan horse
  • classes of intruders: masquerader, misfeasor, clandestine user

Examples of Intrusion

  • Remote root compromise
  • Web server defacement
  • Guessing / cracking passwords
  • Copying / viewing sensitive data / databases
  • Running a packet sniffer
  • Distributing pirated software
  • Using an unsecured modem to access net
  • Impersonating a user to reset password
  • Using an unattended workstation


Security Intrusion & Detection


Security Intrusion

  • A security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.


Intrusion Detection

  • A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner.


Hackers

The terms hacker and hack are marked by contrasting positive and negative connotations. Computer programmers often use the words hacking and hacker to express admiration for the work of a skilled software developer, but may also use them in a negative sense to describe the production of inelegant kludges. Some frown upon using hacking as a synonym for security cracking, in distinct contrast to the larger world, in which the word hacker is typically used to describe someone who "hacks into" a system by evading or disabling security measures.


Hacker Behavior Example

  • Select target using IP lookup tools
  • Map network for accessible services
  • Identify potentially vulnerable services
  • Brute force (guess) passwords
  • Install remote administration tool
  • Wait for admin to log on and capture password
  • Use password to access remainder of network


Criminal Enterprise

  • Organized groups of hackers now a threat
    • corporation / government / loosely affiliated gangs
    • typically young
    • often Eastern European or Russian hackers
    • common target credit cards on e-commerce server
  • Criminal hackers usually have specific targets
  • Once penetrated act quickly and get out
  • IDS / IPS help but less effective
  • Sensitive data needs strong protection


Criminal Enterprise Behavior

  1. act quickly and precisely to make their activities harder to detect
  2. exploit perimeter via vulnerable ports
  3. use trojan horses (hidden software) to leave back doors for re-entry
  4. use sniffers to capture passwords
  5. do not stick around until noticed
  6. make few or no mistakes


What is hacking?

  • Hacking is unauthorized use of computer and network resources. (The term "hacker" originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.)
  • Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an ethical hacker and an organization, it's OK.
  • The key difference is that the ethical hacker has authorization to probe the target.


Intrusion Detection Systems

  • An intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network such as the Internet. These attempts may take the form of attacks by, for example, crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.
  • An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).
  • An IDS can be composed of several components: Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.


IDS Terminology

Alert/Alarm - A signal suggesting a system has been or is being attacked.

True attack stimulus - An event that triggers an IDS to produce an alarm and react as though a real attack were in progress.

False attack stimulus - The event signaling an IDS to produce an alarm when no attack has taken place.

False alarm (False Positive) - An alert or alarm that is triggered when no actual attack has taken place.

False negative - A failure of an IDS to detect an actual attack.

Noise - Data or interference that can trigger a false positive.

Site policy - Guidelines within an organization that control the rules and configurations of an IDS.

Site policy awareness - The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity.

Confidence value - A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.

Alarm filtering - The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.


Types of Intrusion-Detection systems

Network intrusion detection system (NIDS)

  • It is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts.
  • Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, network switch configured for port mirroring, or network tap. An example of a NIDS is Snort.


Protocol-based intrusion detection system (PIDS)

  • It consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server.
  • For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect.
  • Where HTTPS is in use, this system would need to reside in the "shim", or interface, between the point where HTTPS is decrypted and the point where the traffic enters the web presentation layer.


Application protocol-based intrusion detection system (APIDS)

  • It consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application specific protocols.
  • For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.


Host-based intrusion detection system (HIDS)

  • It consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state.
  • An example of a HIDS is OSSEC.
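The file-system side of a HIDS, as an added example that is not part of the original lecture notes or of OSSEC: an agent records a baseline of content hashes and permission bits for the files it guards, then periodically re-scans and reports anything added, deleted, modified or re-permissioned. The tree, file names and tampering below are all constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: content hash plus permission bits.

    This is the 'known good' state an agent records at install time."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "mode": p.stat().st_mode & 0o777,
            }
    return baseline


def check_integrity(root: Path, baseline: dict) -> list:
    """Compare the live tree with the baseline and return sorted (kind, path) findings."""
    current = build_baseline(root)
    findings = []
    for rel, meta in baseline.items():
        if rel not in current:
            findings.append(("deleted", rel))
            continue
        if current[rel]["sha256"] != meta["sha256"]:
            findings.append(("modified", rel))
        if current[rel]["mode"] != meta["mode"]:
            findings.append(("mode_changed", rel))
    for rel in current:
        if rel not in baseline:
            findings.append(("added", rel))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: baseline a fake /etc-like tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "sudoers").write_text("root ALL=(ALL) ALL\n")
        os.chmod(root / "sudoers", 0o440)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed placeholder binary")
        baseline = build_baseline(root)

        # Simulated host-level changes of the kind a HIDS is meant to notice
        (root / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nextra:x:0:0::/:/bin/sh\n"  # new uid-0 account
        )
        os.chmod(root / "sudoers", 0o666)       # permission bits loosened
        (root / "bin" / "login").unlink()        # binary removed
        (root / "dropped.so").write_text("x")    # unexpected new file
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:13s} {rel}")
```

The baseline itself must live somewhere the intruder cannot rewrite (a read-only medium or a remote collector), otherwise a compromise that edits both the file and its recorded hash goes unnoticed.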


Hybrid intrusion detection system

  • It combines two or more approaches.
  • Host agent data is combined with network information to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude.
  • Intrusion detection systems can also be system-specific using custom tools and honeypots.


IDS Principles

  • Assume intruder behavior differs from legitimate users
    • expect overlap as shown
    • observe deviations from past history
  • problems of:
    • false positives
    • false negatives
    • must compromise


Distributed Host-Based IDS


NIDS Sensor Deployment


Passive system vs. reactive system

  • In a reactive system, known as an Intrusion Prevention System (IPS), the IPS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source.
  • This can happen automatically or at the command of an operator. Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening.
  • Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network.
  • An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators.
  • A system which terminates connections is called an intrusion prevention system and is a form of application layer firewall. The term IDPS is commonly used to refer to hybrid security systems that both "detect" and "prevent".

Statistical anomaly and signature based IDSes

All intrusion detection systems use one or both of two detection techniques: statistical anomaly based and signature based.

Statistical anomaly based IDS

  • A statistical anomaly based IDS establishes a performance baseline based on normal network traffic evaluations.
  • It then compares samples of current network traffic activity against this baseline in order to detect whether or not they are within baseline parameters.
  • If the sampled traffic is outside baseline parameters an alarm will be triggered.
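The three steps above (learn a baseline, compare current samples against it, alarm when they fall outside it), as an added example that is not from the lecture notes: the detector learns the mean and spread of a few per-host traffic features from constructed "normal" one-minute windows and flags a new window whose z-score on any feature exceeds a threshold. The feature set, the window size and all numbers are assumptions made for the example; the threshold is the "must compromise" knob from the IDS Principles section, so the block also shows a false positive produced by setting it too low.

```python
import statistics
from dataclasses import dataclass, field

# Features measured per one-minute window for a single host (assumed feature set).
FEATURES = ("connections", "distinct_dst_ports", "bytes_out")

# Constructed training data: ten windows of ordinary traffic used to learn the baseline.
NORMAL_WINDOWS = [
    {"connections": 48, "distinct_dst_ports": 4, "bytes_out": 150_000},
    {"connections": 52, "distinct_dst_ports": 3, "bytes_out": 160_000},
    {"connections": 45, "distinct_dst_ports": 5, "bytes_out": 140_000},
    {"connections": 55, "distinct_dst_ports": 4, "bytes_out": 155_000},
    {"connections": 50, "distinct_dst_ports": 4, "bytes_out": 145_000},
    {"connections": 47, "distinct_dst_ports": 3, "bytes_out": 150_000},
    {"connections": 53, "distinct_dst_ports": 5, "bytes_out": 165_000},
    {"connections": 49, "distinct_dst_ports": 4, "bytes_out": 135_000},
    {"connections": 51, "distinct_dst_ports": 4, "bytes_out": 150_000},
    {"connections": 50, "distinct_dst_ports": 4, "bytes_out": 150_000},
]

# Constructed windows to evaluate against the learned baseline.
CURRENT_WINDOWS = {
    "busy_but_normal": {"connections": 54, "distinct_dst_ports": 5, "bytes_out": 158_000},
    "scan_like": {"connections": 400, "distinct_dst_ports": 180, "bytes_out": 150_000},
    "exfil_like": {"connections": 52, "distinct_dst_ports": 4, "bytes_out": 5_000_000},
}


@dataclass
class Baseline:
    mean: dict = field(default_factory=dict)
    stdev: dict = field(default_factory=dict)


def train_baseline(windows: list) -> Baseline:
    """Step 1: learn per-feature mean and standard deviation from normal traffic."""
    b = Baseline()
    for f in FEATURES:
        vals = [w[f] for w in windows]
        b.mean[f] = statistics.fmean(vals)
        # Floor the spread at 1.0 so a nearly constant feature does not turn
        # every tiny wobble into an alarm (a classic false-positive source).
        b.stdev[f] = max(statistics.pstdev(vals), 1.0)
    return b


def z_scores(b: Baseline, window: dict) -> dict:
    """Step 2: express each feature of the sampled window in baseline standard deviations."""
    return {f: (window[f] - b.mean[f]) / b.stdev[f] for f in FEATURES}


def detect(b: Baseline, window: dict, threshold: float = 3.0) -> tuple:
    """Step 3: alarm if any feature lies more than `threshold` deviations from the mean.

    Returns (alarm, sorted list of deviating features). Lowering the threshold
    catches subtler attacks but raises the false-positive rate."""
    z = z_scores(b, window)
    deviating = sorted(f for f, v in z.items() if abs(v) > threshold)
    return (bool(deviating), deviating)


if __name__ == "__main__":
    baseline = train_baseline(NORMAL_WINDOWS)
    for name, window in CURRENT_WINDOWS.items():
        print(name, detect(baseline, window))
    # Too tight a threshold alarms on ordinary busy traffic:
    print("busy_but_normal @1.2", detect(baseline, CURRENT_WINDOWS["busy_but_normal"], threshold=1.2))
```

A real deployment would keep separate baselines per host and per time of day, since traffic that is normal at noon is anomalous at 3 a.m., and would re-train slowly so that an intruder cannot "teach" the baseline by ramping up activity gradually.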

Signature based IDS

  • Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures.
  • In good security practice, a collection of these signatures must be constantly updated to mitigate emerging threats.

Distributed Adaptive Intrusion Detection


Intrusion Detection Exchange Format


Honeypots

In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.


Honeypot Deployment


SNORT

  • lightweight IDS
    • real-time packet capture and rule analysis
    • passive or inline

SNORT Rules

  • use a simple, flexible rule definition language
  • with fixed header and zero or more options
  • header includes: action, protocol, source IP, source port, direction, dest IP, dest port
  • many options
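Signature matching, the alert-versus-drop distinction from the passive/reactive section, and the Snort rule header and options just listed, brought together in one added example that is not part of the lecture notes and is not Snort's own parser: a toy matcher for a small subset of Snort's rule language (header of action, protocol, source IP, source port, direction, destination IP, destination port; options msg, content, nocase, sid) run over constructed packets. The three rules, the packets and the addresses are all constructed for the example; real Snort rules also support variables such as $HOME_NET, hex content, flow and many more options that this toy ignores.

```python
import ipaddress
import re

# Constructed rules in a subset of Snort's rule syntax (not a real Snort ruleset):
# header = action proto src_ip src_port direction dst_ip dst_port, then options in ().
RULES_TEXT = """
# Passive detection: matching traffic only raises an alert
alert tcp any any -> 10.0.0.0/8 80 (msg:"WEB-MISC directory traversal"; content:"../"; sid:1000001;)
alert tcp any any -> 10.0.0.0/8 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1000002;)
# Reactive action: an inline sensor (IPS) discards the packet as well
drop tcp any any -> 10.0.0.0/8 80 (msg:"WEB-MISC cmd.exe access"; content:"cmd.exe"; nocase; sid:1000003;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# Constructed packets (already decoded to endpoints + TCP/UDP payload).
PACKETS = {
    "benign": {"proto": "tcp", "src": "203.0.113.7", "sport": 51514, "dst": "10.1.2.3", "dport": 80,
               "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    "traversal": {"proto": "tcp", "src": "203.0.113.7", "sport": 51515, "dst": "10.1.2.3", "dport": 80,
                  "payload": b"GET /../../etc/PASSWD HTTP/1.0\r\n\r\n"},
    "cmd": {"proto": "tcp", "src": "203.0.113.7", "sport": 51516, "dst": "10.1.2.3", "dport": 80,
            "payload": b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"},
    "other_net": {"proto": "tcp", "src": "203.0.113.7", "sport": 51517, "dst": "192.0.2.5", "dport": 80,
                  "payload": b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"},
    "udp": {"proto": "udp", "src": "203.0.113.7", "sport": 51518, "dst": "10.1.2.3", "dport": 80,
            "payload": b"../"},
}


def parse_options(text: str) -> dict:
    """Turn 'msg:"x"; content:"y"; nocase; sid:1;' into a dict; content may repeat."""
    opts = {"content": [], "nocase": False}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        if ":" in part:
            key, val = part.split(":", 1)
            key, val = key.strip(), val.strip().strip('"')
            if key == "content":
                opts["content"].append(val)
            else:
                opts[key] = val
        else:
            opts[part] = True  # flag options such as nocase
    return opts


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        rule = m.groupdict()
        rule["opts"] = parse_options(rule.pop("opts"))
        rules.append(rule)
    return rules


def ip_matches(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:  # Snort range syntax lo:hi, either side may be empty
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def endpoints_match(rule: dict, pkt: dict) -> bool:
    forward = (ip_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
               and ip_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->":
        return forward
    reverse = (ip_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"])
               and ip_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"]))
    return forward or reverse


def payload_matches(opts: dict, payload: bytes) -> bool:
    """Every content: option must appear in the payload (case-folded when nocase is set)."""
    hay = payload.lower() if opts["nocase"] else payload
    for c in opts["content"]:
        needle = c.encode().lower() if opts["nocase"] else c.encode()
        if needle not in hay:
            return False
    return True


def inspect(rules: list, pkt: dict, inline: bool = False) -> tuple:
    """Return (verdict, [matching sids]); verdict is 'pass', 'alert' or 'drop'."""
    hits = [r for r in rules
            if r["proto"] in ("ip", pkt["proto"])
            and endpoints_match(r, pkt)
            and payload_matches(r["opts"], pkt["payload"])]
    if not hits:
        return ("pass", [])
    sids = [int(r["opts"]["sid"]) for r in hits]
    if inline and any(r["action"] == "drop" for r in hits):
        return ("drop", sids)
    # A passive sensor on a mirror port or tap cannot discard anything, so drop rules only alert.
    return ("alert", sids)


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name, pkt in PACKETS.items():
        print(f"{name:10s} passive={inspect(rules, pkt)}  inline={inspect(rules, pkt, inline=True)}")
```

Note how the same "cmd" packet yields an alert from a passive sensor but a drop from an inline one: the rule set is identical, and only the deployment position decides whether the sensor can act. The "other_net" and "udp" packets show why the header matters as much as the content string: a signature scoped to the protected network and protocol produces fewer false positives than a bare payload grep.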
