CIT 480: Securing Computer Systems


CIT 480: Securing Computer Systems: Intrusion Detection

Topics
- Definitions and goals
- Models of intrusion detection
- False positives
- Architecture of an IDS
- Example IDS: snort
- Active response (IPS)
- Host-based IDS and IPS
- IDS evasion techniques

IDS Terminology
- Intrusion: actions aimed at compromising the security of the target (the confidentiality, integrity, or availability of computing/networking resources).
- Intrusion detection: the identification, through intrusion signatures, and reporting of intrusion activities.
- Intrusion prevention: the process of both detecting intrusion activities and managing automatic responsive actions throughout the network.

Goals of IDS
- Detect a wide variety of intrusions
  - Previously known and unknown attacks.
  - Needs to adapt to new attacks or to changes in behavior.
- Detect intrusions in a timely fashion
  - May need to be real-time, especially when the system responds to the intrusion.
  - Problem: analyzing commands may impact the response time of the system.
  - It may suffice to report that an intrusion occurred a few minutes or hours ago.

Goals of IDS (continued)
- Present the analysis in an easy-to-understand format.
  - Ideally a binary indicator.
  - Usually more complex, allowing the analyst to examine the suspected attack.
  - The user interface is critical, especially when monitoring many systems.
- Be accurate
  - Minimize false positives and false negatives.
  - Minimize the time spent verifying attacks and looking for them.

Deep Packet Inspection
- DPI = analysis of application-layer data.
- Protocol standard compliance
  - Is port 53 traffic DNS, or a covert shell session?
  - Is port 80 traffic HTTP, or tunneled IM or P2P?
- Protocol anomaly detection
  - The traffic is valid HTTP, but the suspicious URL contains a directory traversal.

Models of Intrusion Detection
- Anomaly detection (statistical)
  - Develop a profile of normal user/host actions.
  - Alert when actions depart too far from the profile.
  - Statistical IDS.
- Misuse detection (rule-based)
  - Create signatures based on attack profiles.
  - Look for the signatures, and hope for no new attacks.
  - Rule-based IDS.
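The anomaly-detection model above, worked through in code. This is an added example, not material from the lecture: the baseline counts are constructed sample data (failed logins per hour on one host), the "profile" is simply the mean and standard deviation of that baseline, and the alert threshold in standard deviations is an assumed tuning knob that the slides do not specify.

```python
from statistics import mean, pstdev

# Constructed baseline: failed SSH logins per hour on one host over a quiet
# 12-hour window. Sample data, not measurements from the lecture.
BASELINE_FAILED_LOGINS_PER_HOUR = [3, 5, 4, 6, 2, 5, 4, 3, 5, 4, 6, 3]


def build_profile(samples):
    """Profile of 'normal' = mean and population standard deviation of the baseline."""
    if len(samples) < 2:
        raise ValueError("need at least two baseline samples to build a profile")
    return {"mean": mean(samples), "stdev": pstdev(samples)}


def anomaly_score(value, profile):
    """Distance of an observation from the profile, in standard deviations (a z-score)."""
    if profile["stdev"] == 0:
        # Degenerate baseline: anything other than the constant value is anomalous.
        return float("inf") if value != profile["mean"] else 0.0
    return (value - profile["mean"]) / profile["stdev"]


def is_anomalous(value, profile, threshold=3.0):
    """Alert when the observation departs more than `threshold` standard deviations
    from normal. The threshold is the tuning knob: lowering it catches smaller
    departures but raises the false-positive rate."""
    return abs(anomaly_score(value, profile)) > threshold


def scan_stream(observations, profile, threshold=3.0):
    """Return the (index, value) pairs a statistical IDS would alert on."""
    return [(i, v) for i, v in enumerate(observations)
            if is_anomalous(v, profile, threshold)]


if __name__ == "__main__":
    profile = build_profile(BASELINE_FAILED_LOGINS_PER_HOUR)
    print("profile:", profile)
    print("alerts:", scan_stream([4, 5, 40, 3], profile))
```

Note that nothing in the profile says what a failed-login burst means; the statistical model only says it is unlike the baseline. That is the model's strength (it needs no signature for a new attack) and its weakness (a legitimate change in behavior, such as a new batch job, looks the same).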

Possible Alarm Outcomes

                        Intrusion attack    No intrusion attack
    Alarm sounded       True positive       False positive
    No alarm sounded    False negative      True negative

Base-Rate Fallacy
- It is difficult to create an IDS with a high true-positive rate and a low false-negative rate.
- If the number of intrusions is small compared to normal traffic, the IDS will produce many false positives for each intrusion.
- The effectiveness of an IDS can be misinterpreted because of a statistical error known as the base-rate fallacy.
- This type of error occurs when the probability of some conditional event is assessed without considering the "base rate" of that event.

Base-Rate Fallacy Example
- Example case
  - The IDS is 99% accurate: 1% false positives or negatives.
  - The IDS generates 1,000,100 log entries.
  - The base rate is 100 malicious events out of 1,000,100 examined.
- Results
  - Of the 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative.
  - Of the 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives!
  - Thus 10,099 alarms are sounded, 10,000 of which are false alarms.
  - Roughly 99% of our alarms are false alarms.
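The arithmetic from the slide, as an added example that is not part of the lecture. It reproduces the 1,000,100-event case and then goes one step further than the slide by sweeping the base rate, which is what makes the fallacy visible: the same 99%-accurate detector gives a very different fraction of true alarms depending on how rare intrusions are. The one assumption (labelled in the code) is that the false-positive and false-negative rates are both equal to the stated 1% error rate, as the slide implies.

```python
def ids_outcomes(total_events, malicious_events, error_rate):
    """Confusion-matrix counts for a detector that mislabels a fraction
    `error_rate` of events in either direction.

    Assumption (not stated explicitly on the slide): the false-positive rate
    and the false-negative rate are both equal to `error_rate`.
    Counts are rounded to whole events.
    """
    if not 0 <= malicious_events <= total_events:
        raise ValueError("malicious_events must lie between 0 and total_events")
    benign_events = total_events - malicious_events
    false_negatives = round(malicious_events * error_rate)
    true_positives = malicious_events - false_negatives
    false_positives = round(benign_events * error_rate)
    true_negatives = benign_events - false_positives
    return {
        "true_positives": true_positives,
        "false_negatives": false_negatives,
        "false_positives": false_positives,
        "true_negatives": true_negatives,
    }


def alarm_count(outcomes):
    """Total alarms sounded = true positives + false positives."""
    return outcomes["true_positives"] + outcomes["false_positives"]


def alarm_precision(outcomes):
    """Fraction of alarms that are real intrusions, P(intrusion | alarm).
    This is the number the base-rate fallacy leads people to overestimate:
    '99% accurate' does not mean '99% of alarms are real'."""
    alarms = alarm_count(outcomes)
    return outcomes["true_positives"] / alarms if alarms else 0.0


def precision_for_base_rate(base_rate, error_rate):
    """P(intrusion | alarm) from Bayes' rule for a given base rate, ignoring
    rounding: TP mass = (1 - err) * base, FP mass = err * (1 - base)."""
    tp = (1 - error_rate) * base_rate
    fp = error_rate * (1 - base_rate)
    return tp / (tp + fp)


if __name__ == "__main__":
    # The slide's case: 1,000,100 events, 100 malicious, 1% error rate.
    o = ids_outcomes(1_000_100, 100, 0.01)
    print(o, "alarms:", alarm_count(o), "precision: %.4f" % alarm_precision(o))
    # Sweep the base rate to see why rare intrusions swamp the alarm queue.
    for base in (0.5, 0.1, 0.01, 0.001, 0.0001):
        print("base rate %.4f -> %.1f%% of alarms are real"
              % (base, 100 * precision_for_base_rate(base, 0.01)))
```

The sweep shows that at a 50% base rate a 1%-error detector is 99% precise, but at the slide's base rate (about 0.01%) fewer than 1% of its alarms are real. Reducing the false-positive rate, not the false-negative rate, is what moves that number when intrusions are rare.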

IDS Components (figure; labels only): IDS Manager, IDS Sensor, firewall, router, untrusted Internet.

IDS Architecture
- An IDS is essentially a sophisticated audit system.
- Sensors gather data for analysis from hosts or the network.
- The manager analyzes the data obtained from sensors according to its internal rules.
- The notifier acts on the manager's results:
  - May simply notify the security officer.
  - May reconfigure sensors or the manager to alter collection or analysis methods.
  - May activate a response mechanism.

Host-Based Sensors
- Obtain information from logs
  - May use many logs as sources.
  - The logs may be security-related or not.
  - May use virtual logs if the agent is part of the kernel.
- The agent generates its own information
  - Analyzes the state of the system.
  - Treats the results of the analysis as log data.

Network-Based Sensors
- Sniff traffic from the network.
  - Use hubs, SPAN ports, or taps to see traffic.
  - Need sensors on all switches to see the entire network.
  - Deep packet inspection (DPI).
- The sensor needs the same view of traffic as the destination.
  - An attacker may send packets with the TTL set so that they arrive at the destination but expire before reaching the sensor.
  - Packet fragmentation and reassembly work differently on different OSes, so in some cases the sensor sees a different packet than the destination does.
- End-to-end encryption defeats content monitoring.
  - It does not defeat traffic analysis, though.

Aggregation of Information
- Sensors produce information at multiple layers of abstraction.
  - Application-monitoring sensors provide one view of an event.
  - System-monitoring sensors provide a different view of an event.
  - Network-monitoring sensors provide yet another view (involving many packets) of an event.

Notifier
- Accepts information from the manager.
- Takes appropriate action:
  - Page, call, IM, or e-mail the security officer.
  - Rate-limit contacts so that a single problem does not result in an overwhelming flood of notices.
  - Respond to the attack.
- Often a GUI: uses visualization to convey information.

Example NIDS: snort
- Network Intrusion Detection System.
- Sniffs packets off the wire.
- Checks packets for matches against rule sets.
- Logs detected signs of misuse.
- Alerts the administrator when misuse is detected.

Example Architecture: snort (figure): Fig. 1.5, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID.

Snort Rules
- Rule header
  - Action: pass, log, alert
  - Network protocol
  - Source address (host or network) + port
  - Destination address (host or network) + port
- Rule body
  - Content: packet ASCII or binary content to match
  - TCP/IP flags and options to match
  - Message to log, indicating the nature of the misuse detected

Snort Rule Example
Example: rule for an ssh shellcode exploit:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:3;)
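To make the header/body split concrete, here is an added example (written for this page, not Snort's own parser) that reads the rule above into its seven header fields and its options, converts the `|90 90 ...|` hex notation in `content` to bytes, and applies the resulting pattern to a constructed packet. It is deliberately a toy matcher: it checks protocol, destination port and the `content` patterns, and does not model `$HOME_NET`-style address variables, the `flow` keyword, or Snort's many other options.

```python
# Rule text copied from the slide (Snort rule sid 1326, rev 3).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
        '(msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; '
        'content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; '
        'reference:bugtraq,2347; reference:cve,CVE-2001-0144; '
        'classtype:shellcode-detect; sid:1326; rev:3;)')


def split_options(body):
    """Split 'key:val; key:val;' on semicolons that are not inside double quotes,
    so a ';' in a msg or content string does not break the option apart."""
    parts, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def content_to_bytes(value):
    """Snort content syntax: text outside |...| is literal, text inside |...|
    is space-separated hex bytes. '"|90 90|ab"' -> b'\\x90\\x90ab'."""
    out, in_hex = bytearray(), False
    for chunk in value.strip().strip('"').split("|"):
        if in_hex:
            out.extend(int(h, 16) for h in chunk.split())
        else:
            out.extend(chunk.encode("latin-1"))
        in_hex = not in_hex
    return bytes(out)


def parse_rule(rule_text):
    """Return the header fields, the non-content options, the content patterns
    (as bytes) and the reference list of one Snort rule."""
    header, _, body = rule_text.partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("rule header must be: action proto src sport dir dst dport")
    action, proto, src, sport, direction, dst, dport = fields
    options, contents, references = {}, [], []
    for opt in split_options(body.rstrip().rstrip(")")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            contents.append(content_to_bytes(val))
        elif key == "reference":
            references.append(val)
        else:
            options[key] = val.strip('"')
    return {"action": action, "proto": proto, "src": src, "src_port": sport,
            "direction": direction, "dst": dst, "dst_port": dport,
            "options": options, "contents": contents, "references": references}


def rule_matches(rule, packet):
    """Toy matcher: protocol, destination port and every content pattern must match.
    `packet` is a dict with 'proto', 'dst_port' and 'payload' (bytes)."""
    if rule["proto"] != packet["proto"]:
        return False
    if rule["dst_port"] != "any" and int(rule["dst_port"]) != packet["dst_port"]:
        return False
    return all(pattern in packet["payload"] for pattern in rule["contents"])


if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(rule["action"], rule["proto"], rule["dst_port"], rule["options"]["msg"])
    # Constructed packet: a 16-byte run of 0x90 embedded in otherwise benign data.
    pkt = {"proto": "tcp", "dst_port": 22, "payload": b"SSH-1.5-x" + b"\x90" * 16 + b"tail"}
    print("alert" if rule_matches(rule, pkt) else "no match")
```

Seeing the rule as data makes the evasion slides later in the lecture easier to reason about: the `content` pattern is an exact byte sequence, so anything that changes how the target interprets the bytes without changing what the sensor sees (or vice versa) breaks the match.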

IDS Deployment
- IDS deployment should reflect your threat model.
- Major classes of attackers:
  - External attackers intruding from the Internet.
  - Internal attackers intruding from your LANs.
- Where should you place IDS systems?
  - Perimeter (outside the firewall)
  - DMZ
  - Intranet
  - Wireless

IDS Deployment (figures): Fig. 1.3, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID; Fig. 3.2, The Tao of Network Security Monitoring.

Snort Web Interface (screenshot): https://upload.wikimedia.org/wikipedia/commons/5/50/Snort_ids_console.gif

Sguil NSM Console (screenshot): https://bammv.github.io/sguil/

Intrusion Prevention Systems
- What else can you do with IDS alerts?
  - Identify an attack before it completes.
  - Prevent it from completing.
- How to prevent attacks?
  - Directly: the IPS drops packets or kills TCP sessions.
  - Indirectly: the IPS modifies firewall rules.
- Is IPS a good idea? How do you deal with false positives?

IPS Deployment Types (figure; labels only): inline IPS and non-inline IPS, each shown relative to the intranet.

Active Responses by Network Layer
- Data link: shut down a switch port.
  - Only useful for local intrusions.
  - Rate-limit switch ports.
- Network: block a particular IP address.
  - Inline: the IPS can perform the blocking itself.
  - Non-inline: send a request to the firewall.
- Transport: send TCP RST or ICMP messages to the sender and target to tear down TCP sessions.
- Application: an inline IPS can modify application data to be harmless: /bin/sh -> /ben/sh

Host IDS and IPS
- Anti-virus and anti-spyware: AVG anti-virus, SpyBot S&D
- Log monitors: swatch, logwatch
- Integrity checkers: tripwire, osiris, samhain
  - Monitor file checksums, etc.
- Application shims: mod_security (usually called a WAF)

Evading IDS and IPS
- Alter appearance to prevent a signature match
  - URL-encode parameters to avoid a match.
  - Use ' or 783>412-- for SQL injection.
- Alter context
  - Change the TTL so the IDS sees different packets than the target host receives.
  - Fragment packets so that the IDS and the target host reassemble them differently.

Fragment Evasion Techniques
- Flood of fragments: DoS via heavy use of CPU/RAM on the IDS.
- Tiny fragments: break the attack into multiple fragments, none of which matches the signature.
  - ex: frag 1: "cat /etc", frag 2: "/shadow"
- Overlapping fragments: the offset of a later fragment overwrites earlier fragments.
  - ex: frag 1: "cat /etc/fred", frag 2: offset=10, "shadow"
  - Different OSes deal differently with overlapping fragments.
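The two fragment examples on this slide, reassembled in code, as an added illustration that is not from the lecture. The point for the sensor is stated on the network-sensor slide: it must see the same bytes the destination sees. The code reassembles constructed (offset, data) fragments under two overlap policies, "first" (earlier fragment wins) and "last" (later fragment overwrites), and shows that per-fragment signature matching misses both examples, that reassembly recovers the tiny-fragment case under either policy, and that the overlapping case matches only under the policy the target actually uses. The fragment sets are constructed here, following the slide; the second overlapping fragment is placed at offset 9 so that its bytes land on "fred" in the first. The policy names are this example's own, not a protocol term.

```python
SIGNATURE = b"/etc/shadow"

# Constructed fragment sets following the slide's examples: (offset, payload).
TINY_FRAGMENTS = [(0, b"cat /etc"), (8, b"/shadow")]
# Second fragment at offset 9 so that "shadow" overlaps the "fred" bytes.
OVERLAPPING_FRAGMENTS = [(0, b"cat /etc/fred"), (9, b"shadow")]


def reassemble(fragments, policy="first"):
    """Reassemble (offset, data) fragments into one byte string.

    policy="first": on overlap, keep the bytes from the earlier-received fragment.
    policy="last":  on overlap, let the later fragment overwrite.
    Raises ValueError on a gap, since a real stack would wait (or time out)
    rather than deliver a hole.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    end = max(buf) + 1
    missing = [p for p in range(end) if p not in buf]
    if missing:
        raise ValueError("gap in reassembly at offsets %r" % missing[:5])
    return bytes(buf[p] for p in range(end))


def matches_per_fragment(fragments, signature=SIGNATURE):
    """What a sensor that inspects each fragment in isolation would conclude."""
    return any(signature in data for _, data in fragments)


def matches_after_reassembly(fragments, policy, signature=SIGNATURE):
    """What a sensor that reassembles under `policy` before matching concludes."""
    return signature in reassemble(fragments, policy)


if __name__ == "__main__":
    for name, frags in (("tiny", TINY_FRAGMENTS), ("overlap", OVERLAPPING_FRAGMENTS)):
        print(name, "per-fragment:", matches_per_fragment(frags))
        for policy in ("first", "last"):
            print("  ", policy, reassemble(frags, policy),
                  matches_after_reassembly(frags, policy))
```

The practical consequence is that a network sensor needs a per-target reassembly policy, not a single global one: if the protected host keeps the later fragment and the sensor keeps the earlier one, the sensor matches against "cat /etc/fredow" while the host executes "cat /etc/shadow". Snort's frag3 preprocessor exposes exactly this as a per-target policy setting; the host-based IDS on the countering-evasion slide sidesteps the problem entirely because it sees the bytes after the host's own stack has reassembled them.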

Web Evasion Techniques
- URL encoding: GET /%63%67%69%2d%62%69%6e/bad.cgi
- /./ directory insertion: GET /./cgi-bin/./bad.cgi
- Long directory insertion: GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi
  - The IDS may only read the first part of the URL, for speed.
- Tab separation: GET<tab>/cgi-bin/bad.cgi
  - Tabs usually work on servers, but may not be in the signature.
- Case sensitivity: GET /CGI-BIN/bad.cgi
  - Windows filenames are case-insensitive, but the signature may not be.
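Every item on this slide exploits a gap between how the sensor compares bytes and how the web server interprets them. The defender's answer is to normalize the request the way the server would before applying the signature. Below is an added example, not from the lecture, that does that for the five request lines on the slide: it treats tabs as whitespace, percent-decodes the target, collapses "." and ".." path segments, and case-folds, then compares the result against a signature. The signature string `GET /cgi-bin/bad.cgi` and the decision to decode exactly once and to case-fold are assumptions of this example; real servers differ (case-folding is right for a Windows target and wrong for a case-sensitive filesystem), which is why normalization has to be per-target.

```python
from urllib.parse import unquote

# Assumed signature, written the way a naive rule might be: exact method,
# single space, exact lowercase path.
SIGNATURE = "GET /cgi-bin/bad.cgi"

# The five request lines from the slide, with <tab> written as a real tab.
EVASION_SAMPLES = [
    "GET /%63%67%69%2d%62%69%6e/bad.cgi",
    "GET /./cgi-bin/./bad.cgi",
    "GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi",
    "GET\t/cgi-bin/bad.cgi",
    "GET /CGI-BIN/bad.cgi",
]


def normalize_path(path, case_insensitive=True):
    """Canonicalize a request target the way a typical server resolves it.

    Order matters: percent-decode first so that encoded '.' and '..' segments
    are seen as dots, then collapse '.' and '..', then case-fold if the target
    filesystem is case-insensitive. Decoding happens once; a server that
    decodes twice would need this loop repeated until the string stops changing.
    """
    decoded = unquote(path)
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                 # empty ('//') and '/./' add nothing
        if seg == "..":
            if segments:
                segments.pop()       # '/junk/../x' resolves to '/x'
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    return result.lower() if case_insensitive else result


def normalize_request_line(line, case_insensitive=True):
    """Rebuild 'METHOD /path' with a single space; str.split() treats tabs,
    multiple spaces and other whitespace alike, which removes the tab trick."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % line)
    method, target = parts[0], parts[1]
    return "%s %s" % (method.upper(), normalize_path(target, case_insensitive))


def check(line, signature=SIGNATURE):
    """Compare a naive raw-byte match with a match after normalization."""
    return {
        "raw_match": signature in line,
        "normalized_match": signature in normalize_request_line(line),
    }


if __name__ == "__main__":
    for sample in EVASION_SAMPLES:
        print(repr(sample), "->", normalize_request_line(sample), check(sample))
```

The same normalization step is what a WAF such as mod_security (mentioned on the host IDS slide) performs before rule evaluation, and it is a large part of why an application-layer shim is harder to evade than a byte-matching network sensor.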

Countering Evasion
- Keep IDS/IPS signatures up to date, on a daily or weekly basis.
- Use both host and network IDS/IPS.
  - Host-based is harder to evade, as it runs on the host.
  - Fragment attacks can't evade a host IDS.
  - Network IDS is still useful as an overall monitor.
- Tune the IDS/IPS, based on experience, to handle:
  - False positives
  - False negatives

Key Points
- Models of IDS:
  - Anomaly detection: unexpected events (statistical IDS).
  - Misuse detection: violations of policy (rule-based IDS).
- IDS architecture: sensors, manager, notifier.
- Host vs. network IDS:
  - Host: an agent on the host checks files and processes to detect attacks.
  - Network: sniffs and analyzes packets to detect intrusions.
- IPS:
  - Stops intrusions, but what about false positives?
  - Inline vs. non-inline: how do the prevention techniques differ?
- IDS/IPS evasion:
  - Alter appearance to avoid a signature match.
  - Alter context so the IDS interprets traffic differently than the host does.

References
- Richard Bejtlich, The Tao of Network Security Monitoring, Addison-Wesley, 2004.
- William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd edition, 2003.
- Michael Goodrich and Roberto Tamassia, Introduction to Computer Security, Pearson, 2011.
- The Honeynet Project, Know Your Enemy, 2nd edition, Addison-Wesley, 2004.
- Richard A. Kemmerer and Giovanni Vigna, "Intrusion Detection: A Brief History and Overview," IEEE Security & Privacy, v1 n1, Apr 2002, pp. 27-30.
- Stephen Northcutt and Judy Novak, Network Intrusion Detection, 3rd edition, New Riders, 2002.
- Michael Rash et al., Intrusion Prevention and Active Response, Syngress, 2005.
- Rafeeq Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID, Prentice Hall, 2003.
- Ed Skoudis, Counter Hack Reloaded, 2nd edition, Prentice Hall, 2006.