Lecture 8: Intrusion Detection

NET 536 Network Security, Networks and Communication Department

Outline
- Intruders: definition and main classes
- Intrusion Detection: classification, components, basic principles
- Host-based Intrusion Detection
- Network-based Intrusion Detection
23-Feb-19 Networks and Communication Department

Intruders
Hostile or unwanted access, whether over the network or locally, is a significant issue for networked systems. Three classes of intruders are usually distinguished (Anderson, 1980):
- Masquerader: an individual who is not authorized to use the computer and who penetrates the system's access controls to exploit a legitimate user's account (usually an outsider).
- Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses the privileges (usually an insider).
- Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls, or to suppress audit collection (can be either an insider or an outsider).
Intruders have varying levels of competence.

Intruder Examples
- Performing a remote root compromise of an e-mail server.
- Defacing a Web server.
- Guessing and cracking passwords.
- Copying a database containing credit card numbers.
- Viewing sensitive data (e.g. payroll records and media) without authorization.
- Running a packet sniffer on a workstation to capture usernames and passwords.

Intrusion Techniques
The aim is to gain, and then increase, privileges on the system. The basic attack methodology is:
- target acquisition and information gathering
- initial access
- privilege escalation
- covering tracks
A key goal is often to acquire passwords, so that the intruder can then exercise the access rights of the account owner.

Intrusion Detection
Two definitions (from RFC 4949, the Internet Security Glossary):
- Security intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
- Intrusion detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.

Intrusion Detection
Intrusion detection systems (IDSs) can be classified as follows:
- Host-based IDS (HIDS): monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
- Network-based IDS (NIDS): monitors network traffic for particular network segments or devices, and analyzes network, transport, and application protocols to identify suspicious activity.

Intrusion Detection
An IDS comprises three logical components:
- Sensors: responsible for collecting data (e.g. network packets, log files, and system call traces).
- Analyzers: receive input from one or more sensors or from other analyzers; the analyzer is responsible for determining whether an intrusion has occurred.
- User interface: enables a user to view output from the system or to control its behavior (depending on the product, the UI is called a manager, director, or console component).

Intrusion Detection
Basic principles of IDSs:
- If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done. The sooner the intrusion is detected, the less damage results and the more quickly recovery can be achieved.
- An effective IDS can serve as a deterrent, thus acting to prevent intrusions.
- Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen intrusion prevention measures.

Intrusion Detection
Although the typical behavior of an intruder differs from the typical behavior of an authorized user, there is an overlap between these behaviors, so any decision boundary produces two kinds of error:
- False positives: authorized users identified as intruders.
- False negatives: intruders not identified as intruders.
Moving the boundary to reduce one kind of error increases the other.

(Figure: Profile of Behaviors of Intruders and Authorized Users)

Host-based Intrusion Detection
A host-based IDS can detect both external and internal intrusions. There are two general approaches:
1. Anomaly detection: collect data on legitimate users' behavior over a period of time, then apply statistical tests to observed behavior to decide, with a high level of confidence, whether it is that of a legitimate user. There are two approaches to statistical anomaly detection:
- Threshold detection: define thresholds, independent of user, for the frequency of occurrence of various events.
- Profile-based detection: develop a profile of the activity of each user and use it to detect changes in the behavior of individual accounts.

Host-based Intrusion Detection
2. Signature detection: define a set of rules or attack patterns that can be used to decide whether a given behavior is that of an intruder. In essence, anomaly approaches attempt to define normal, or expected, behavior, whereas signature-based approaches attempt to define improper (known-bad) behavior.

Audit Records
Audit records are the fundamental tool for intrusion detection. Two kinds are used:
- Native audit records: part of all common multi-user operating systems, so they are already present for use; however, they may not contain the information wanted, or not in the desired form.
- Detection-specific audit records: created specifically to collect the wanted information, at the cost of additional overhead on the system.

Statistical Anomaly Detection
- Threshold detection: count occurrences of a specific event over time; if the count exceeds a reasonable value, assume an intrusion. On its own this is a crude and ineffective detector, because it ignores differences between users.
- Profile-based detection: characterize the past behavior of users (or groups of users) and detect significant deviations from this profile; usually multi-parameter.

Statistical Anomaly Detection: Audit Record Analysis
Audit record analysis is the foundation of statistical approaches: the records are analyzed to obtain metrics over time. Examples of metrics that are useful for profile-based detection include:
- Counter: a nonnegative integer that may be incremented but not decremented until it is reset by management action; it counts certain events over a period of time (e.g. number of logins during one hour).
- Gauge: a nonnegative integer that may be incremented or decremented; it measures the current value of some entity (e.g. number of logical connections assigned to a user application).
- Interval timer: the length of time between two related events (e.g. length of time between successive logins to an account).
- Resource use: quantity of resources consumed during a specified period (e.g. total processor time consumed by a program execution).
cf. Stallings Table 18.1 for examples of various metrics and models.

Statistical Anomaly Detection: Audit Record Analysis
Various tests can be applied to the metrics to determine whether current behavior is acceptable, including:
- mean and standard deviation
- multivariate
- Markov process
- time series
- operational
The key advantage of the statistical approach is that no prior knowledge of security flaws is needed.
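As an added example (not part of the lecture slides), the following Python builds per-user profiles from a Counter metric (logins per day) and a Resource-use metric (bytes transferred per day), applies the mean and standard deviation test to a new day's observations, and combines it with a user-independent threshold on failed logins. The users, the seven-day baseline, the z-score cutoff k=3 and the failed-login threshold of 10 are all assumed values constructed for the demonstration.

```python
from statistics import mean, pstdev

# Constructed baseline (not real data): one (logins_per_day, bytes_per_day)
# observation per day over a 7-day training window. "logins_per_day" is a
# Counter metric and "bytes_per_day" a Resource-use metric in the lecture's terms.
BASELINE = {
    "alice": [(3, 12_000), (4, 15_000), (3, 11_000), (5, 14_000),
              (4, 13_000), (3, 12_500), (4, 14_500)],
    "bob":   [(1, 2_000), (2, 2_500), (1, 1_800), (1, 2_200),
              (2, 2_400), (1, 2_100), (2, 2_300)],
}
METRICS = ("logins_per_day", "bytes_per_day")

# Threshold detection: a single cutoff applied to everyone (assumed value).
FAILED_LOGIN_THRESHOLD = 10


def build_profiles(baseline):
    """Return {user: {metric: (mean, population_stddev)}} from the baseline."""
    profiles = {}
    for user, rows in baseline.items():
        columns = zip(*rows)  # one column of values per metric
        profiles[user] = {name: (mean(col), pstdev(col))
                          for name, col in zip(METRICS, columns)}
    return profiles


def score_day(profile, observation, k=3.0, min_sigma=1e-9):
    """Mean & standard deviation test: flag metrics whose z-score exceeds k.

    z = (x - mean) / stddev. min_sigma guards against a zero-variance
    baseline, where any movement at all would otherwise divide by zero.
    """
    flags = []
    for name, x in zip(METRICS, observation):
        mu, sigma = profile[name]
        z = (x - mu) / max(sigma, min_sigma)
        if abs(z) > k:
            flags.append((name, round(z, 1)))
    return flags


def threshold_check(failed_logins):
    """Threshold detection: fires on a raw count, regardless of which user."""
    return failed_logins > FAILED_LOGIN_THRESHOLD


def detect(profiles, observed, failed_logins):
    """Combine both tests for one day.

    observed: {user: (logins, bytes)}; failed_logins: {user: count}.
    Returns {user: [(metric, value), ...]}, empty list meaning "looks normal".
    """
    report = {}
    for user, obs in observed.items():
        flags = score_day(profiles[user], obs)
        count = failed_logins.get(user, 0)
        if threshold_check(count):
            flags.append(("failed_logins", count))
        report[user] = flags
    return report


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    # Constructed test day: alice moves 250 kB instead of her usual ~13 kB;
    # bob's volumes look normal but he has 15 failed logins.
    today = {"alice": (4, 250_000), "bob": (2, 2_300)}
    failed = {"bob": 15}
    for user, flags in detect(profiles, today, failed).items():
        print(user, "ANOMALOUS" if flags else "ok", flags)
```

Note why both tests are kept: the profile catches alice's data volume because it is far outside her own history, while bob's failed logins would never stand out in a per-user profile if he has no history of failed logins at all (zero variance), which is exactly the case a fixed threshold handles.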

Signature Detection: Rule-Based Intrusion Detection
Signature techniques detect intrusions by observing events on the system and applying a set of rules to decide whether a given activity is suspicious.
1. Rule-based anomaly detection: analyze historical audit records to identify usage patterns and automatically generate rules describing them; then observe current behavior and match it against the rules to see whether it conforms. Like statistical anomaly detection, this does not require prior knowledge of security flaws, but it needs a large database of rules to be effective.

Signature Detection: Rule-Based Intrusion Detection
2. Rule-based penetration identification: uses expert-system technology, with rules that identify known penetrations, known weakness patterns, or suspicious behavior. The rules are usually machine- and OS-specific, and are generated by experts who interview security administrators and codify their knowledge; the quality of the rule base depends on how well this is done. Audit records or system states are compared against the rules, and matches are accumulated into a per-user suspicion score.
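The following Python is an added example, not from the lecture, of rule-based penetration identification: a handful of heuristic rules of the kind an administrator would state ("users should not read files in other users' home directories", "users do not copy system programs", "a user should not be logged in twice to the same host") are encoded as predicates, every audit record is checked against every rule, and each match adds a weight to the subject's score. The AuditRecord fields, the rule weights, the alert threshold of 5 and the sample trail are assumptions constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    subject: str   # user performing the action
    action: str    # "login", "logout", "read", "write", "copy"
    obj: str       # file path or host name
    hour: int      # local hour of day, 0-23


def home_owner(path):
    """Owner of a /home/<user>/... path, else None."""
    parts = path.split("/")
    return parts[2] if len(parts) > 2 and parts[1] == "home" else None


# Rule predicates take (record, state) and return True when the rule fires.
# `state` carries facts a stateful rule needs across records (who is logged in where).
def reads_other_users_home(rec, state):
    owner = home_owner(rec.obj)
    return rec.action == "read" and owner not in (None, rec.subject)


def writes_other_users_file(rec, state):
    owner = home_owner(rec.obj)
    return rec.action == "write" and owner not in (None, rec.subject)


def copies_system_program(rec, state):
    return rec.action == "copy" and rec.obj.startswith(("/bin/", "/sbin/", "/usr/bin/"))


def logs_in_twice(rec, state):
    """Fires on a second concurrent login of the same user to the same host."""
    active = state["active"]
    key = (rec.subject, rec.obj)
    if rec.action == "logout":
        active.discard(key)
        return False
    if rec.action != "login":
        return False
    already = key in active
    active.add(key)
    return already


def logs_in_after_hours(rec, state):
    return rec.action == "login" and not 7 <= rec.hour < 19


# (rule name, weight, predicate). Weights are assumed demo values expressing
# how strongly a match suggests a penetration.
RULES = [
    ("read_other_home",     2, reads_other_users_home),
    ("write_other_file",    3, writes_other_users_file),
    ("copy_system_program", 3, copies_system_program),
    ("duplicate_login",     2, logs_in_twice),
    ("after_hours_login",   1, logs_in_after_hours),
]
ALERT_SCORE = 5  # assumed: per-user score at which an alert is raised


def evaluate(records, rules=RULES):
    """Run every rule over every record, in order.

    Returns ({user: [(rule_name, weight, obj), ...]}, {user: total score}).
    """
    state = {"active": set()}
    matches = defaultdict(list)
    for rec in records:
        for name, weight, pred in rules:
            if pred(rec, state):
                matches[rec.subject].append((name, weight, rec.obj))
    scores = {u: sum(w for _, w, _ in ms) for u, ms in matches.items()}
    return dict(matches), scores


def alerts(records, rules=RULES, threshold=ALERT_SCORE):
    """Users whose accumulated score reaches the alert threshold."""
    _, scores = evaluate(records, rules)
    return sorted(u for u, s in scores.items() if s >= threshold)


# Constructed audit trail (not real data): alice does ordinary work, while the
# "mallory" account behaves like a compromised or misused account.
SAMPLE_TRAIL = [
    AuditRecord("alice",   "login",  "host1",                            10),
    AuditRecord("alice",   "read",   "/home/alice/report.txt",           10),
    AuditRecord("alice",   "write",  "/home/alice/report.txt",           11),
    AuditRecord("alice",   "logout", "host1",                            17),
    AuditRecord("mallory", "login",  "host1",                             2),
    AuditRecord("mallory", "read",   "/home/alice/notes.txt",             2),
    AuditRecord("mallory", "write",  "/home/alice/.ssh/authorized_keys",  2),
    AuditRecord("mallory", "copy",   "/bin/sh",                           2),
    AuditRecord("mallory", "login",  "host1",                             3),
]

if __name__ == "__main__":
    matches, scores = evaluate(SAMPLE_TRAIL)
    for user in sorted(scores):
        print(f"{user}: score={scores[user]}")
        for name, weight, obj in matches[user]:
            print(f"    {name:<22}+{weight}  {obj}")
    print("alert on:", alerts(SAMPLE_TRAIL))
```

The point the lecture makes about rule quality shows up directly here: the detector knows nothing beyond what the rules encode, so a penetration that reads nobody else's files and copies no system program scores zero, however novel it is. That is the gap anomaly detection is meant to cover.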

Base-Rate Fallacy
In practice an intrusion detection system needs to detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level:
- if too few intrusions are detected, the system gives a false sense of security;
- if there are too many false alarms, they are ignored, or time is wasted analyzing them.
This is very hard to do because of the base-rate fallacy: intrusions are rare compared with legitimate activity, so even a detector with a low false-positive rate produces far more false alarms than true ones, and the fraction of alarms that correspond to real intrusions can be very small. To be useful, the false-positive rate must be driven down to the order of the intrusion rate itself. Existing systems seem not to have a good record here.
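The following Python is an added illustration of the base-rate argument, not part of the lecture. It applies Bayes' rule to compute the probability that an alarm is a real intrusion, the expected daily alarm counts, and the false-positive rate a detector would need for half of its alarms to be real. The numbers used (one intrusion per 10,000 audited events, 99% sensitivity, 1% false-positive rate, one million events per day) are assumptions chosen for the demonstration.

```python
def alarm_precision(sensitivity, false_positive_rate, prior):
    """P(intrusion | alarm) by Bayes' rule.

    sensitivity         = P(alarm | intrusion)
    false_positive_rate = P(alarm | no intrusion)
    prior               = P(intrusion) for a single monitored event
    """
    true_alarms = sensitivity * prior
    false_alarms = false_positive_rate * (1.0 - prior)
    return true_alarms / (true_alarms + false_alarms)


def required_false_positive_rate(sensitivity, prior, target_precision):
    """Largest P(alarm | no intrusion) that still achieves target_precision.

    Solve P = S*pi / (S*pi + F*(1 - pi)) for F.
    """
    return (sensitivity * prior * (1.0 - target_precision)
            / (target_precision * (1.0 - prior)))


def daily_alarm_counts(events_per_day, sensitivity, false_positive_rate, prior):
    """Expected (true_alarms, false_alarms) per day for a given traffic volume."""
    intrusions = events_per_day * prior
    benign = events_per_day - intrusions
    return intrusions * sensitivity, benign * false_positive_rate


if __name__ == "__main__":
    # Assumed figures: 1 in 10,000 audited events is an intrusion; the detector
    # catches 99% of them and mis-flags 1% of benign events.
    S, F, PRIOR = 0.99, 0.01, 1e-4
    print(f"P(intrusion | alarm) = {alarm_precision(S, F, PRIOR):.2%}")
    t, f = daily_alarm_counts(1_000_000, S, F, PRIOR)
    print(f"per 1M events/day: {t:.0f} true alarms, {f:.0f} false alarms")
    needed = required_false_positive_rate(S, PRIOR, 0.5)
    print(f"FPR needed for 50% precision: {needed:.2e}")
```

With these inputs a 99%-sensitive detector with a 1% false-positive rate yields about 1% precision: roughly 99 true alarms buried in about 10,000 false ones per day. Getting to even-odds requires a false-positive rate near 1e-4, the same order as the intrusion rate, which is the practical content of the fallacy.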

Network-Based Intrusion Detection Systems (NIDS)
- A network-based IDS (NIDS) monitors traffic at selected points on a network or an interconnected set of networks.
- The NIDS examines the traffic packet by packet, in real time or close to real time, in order to detect intrusion patterns.
- A NIDS may examine network-, transport-, and/or application-level protocols.
- A NIDS includes a number of sensors to monitor packet traffic.

Network-Based Intrusion Detection Systems (NIDS)
There are two modes of sensor deployment:
- Inline sensor: inserted into a network segment so that the traffic being monitored must pass through the sensor.
- Passive sensor: monitors a copy of the network traffic (e.g. from a switch mirror port or a network tap); the actual traffic does not pass through the device.
Passive sensors are more common and more efficient than inline sensors, because they add no extra handling step that contributes to packet delay. The trade-off is that only an inline sensor can block malicious traffic rather than just alert on it.

Network-Based Intrusion Detection Systems (NIDS): Intrusion Detection Techniques
As with host-based intrusion detection, network-based intrusion detection makes use of signature and anomaly detection.
Signature detection. Examples of attack types that are suitable for signature detection:
- Application-layer reconnaissance and attacks: e.g. buffer overflows, password guessing, and malware transmission.
- Transport-layer reconnaissance and attacks: e.g. SYN floods.
- Network-layer reconnaissance and attacks: e.g. spoofed IP addresses and illegal IP header values.

Network-Based Intrusion Detection Systems (NIDS): Intrusion Detection Techniques
Anomaly detection. Examples of attack types that are suitable for anomaly detection:
- Denial-of-service (DoS) attacks: the attacker aims to increase packet traffic or connection attempts far beyond the normal level.
- Scanning: the attacker probes a target system by sending different kinds of packets; from the responses received, the attacker can learn many of the system's characteristics.
- Worms: a worm is a program that can replicate itself and send copies from computer to computer across network connections. Worms can cause hosts to communicate on ports they do not normally use, or with hosts they do not normally contact.

Network-Based Intrusion Detection Systems (NIDS): Intrusion Detection Techniques
Logging of alerts. When a sensor detects a potential violation, it sends an alert and logs information related to the event. The NIDS can use this information to refine its detection parameters and algorithms, and the security administrator can use it to design prevention techniques. Typical information logged by a NIDS sensor includes:
- timestamp (usually date and time)
- connection or session ID
- event or alert type
- rating (e.g. priority, severity)
- network-, transport-, and application-layer protocols
- source and destination IP addresses
- source and destination ports
- number of bytes transmitted over the connection
- decoded payload data, such as application requests and responses
- state-related information (e.g. authenticated username)
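As an added example that serves the three NIDS slides above (signature detection, anomaly detection, and alert logging), the following Python models one sensor: three per-packet signature rules (an illegal IP header where source equals destination, an overlong HTTP request line as a buffer-overflow indicator, and a shell string in the payload), two stateful anomaly detectors (SYN-flood rate per destination and distinct-ports-per-source for scanning), and an alert record carrying the fields the lecture lists. The Packet fields, the thresholds (20 SYNs or 10 distinct ports within a one-second window) and the packet stream are assumptions constructed for the demo, not a real capture or a real product's rule language.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float            # capture time, seconds
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""      # TCP flags as letters; "S" = SYN only
    payload: bytes = b""


# --- Signature detection: per-packet predicates for known-bad patterns ----
def sig_illegal_ip_header(p):
    return p.src == p.dst                         # never legitimate on the wire

def sig_overlong_http_request(p):
    line = p.payload.split(b"\r\n", 1)[0]
    return p.dport == 80 and line.startswith(b"GET ") and len(line) > 512

def sig_shell_in_payload(p):
    return re.search(rb"/bin/(ba)?sh", p.payload) is not None

SIGNATURES = [  # (event name, rating, predicate)
    ("illegal_ip_header",       "high",   sig_illegal_ip_header),
    ("http_overlong_request",   "high",   sig_overlong_http_request),
    ("shell_string_in_payload", "medium", sig_shell_in_payload),
]


class Sensor:
    """One NIDS sensor: signature rules plus two stateful anomaly detectors."""

    def __init__(self, syn_threshold=20, scan_threshold=10, window=1.0):
        self.syn_threshold = syn_threshold      # SYNs to one dst per window (assumed)
        self.scan_threshold = scan_threshold    # distinct dst ports per src per window (assumed)
        self.window = window
        self.syn_times = defaultdict(list)      # dst -> [ts of recent SYNs]
        self.ports_seen = defaultdict(dict)     # src -> {dport: last ts}
        self.alerted = set()                    # (detector, key) already reported
        self.alerts = []

    def _alert(self, p, event, rating, state=""):
        # The fields the lecture lists as typical NIDS alert content.
        self.alerts.append({
            "timestamp": p.ts, "event": event, "rating": rating,
            "session": f"{p.proto}:{p.src}:{p.sport}->{p.dst}:{p.dport}",
            "protocol": p.proto, "src": p.src, "dst": p.dst,
            "bytes": len(p.payload),
            "payload": p.payload[:64].decode("ascii", "replace"),
            "state": state,
        })

    def process(self, p):
        for event, rating, pred in SIGNATURES:
            if pred(p):
                self._alert(p, event, rating)
        if p.proto == "tcp" and p.flags == "S":
            self._check_syn_flood(p)
        self._check_port_scan(p)

    def _check_syn_flood(self, p):
        times = self.syn_times[p.dst]
        times.append(p.ts)
        times[:] = [t for t in times if p.ts - t <= self.window]   # slide the window
        key = ("syn_flood", p.dst)
        if len(times) > self.syn_threshold and key not in self.alerted:
            self.alerted.add(key)   # report once per destination, not per packet
            self._alert(p, "syn_flood", "high", f"{len(times)} SYNs to {p.dst} in {self.window}s")

    def _check_port_scan(self, p):
        ports = self.ports_seen[p.src]
        ports[p.dport] = p.ts
        for port, t in list(ports.items()):
            if p.ts - t > self.window:
                del ports[port]
        key = ("port_scan", p.src)
        if len(ports) > self.scan_threshold and key not in self.alerted:
            self.alerted.add(key)
            self._alert(p, "port_scan", "medium", f"{len(ports)} distinct ports from {p.src} in {self.window}s")


def sample_traffic():
    """Constructed packet stream (not a real capture)."""
    pkts = [
        Packet(1.0, "tcp", "10.0.0.2", "10.0.0.5", 40000, 80, "PA", b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
        Packet(2.0, "tcp", "10.0.0.2", "10.0.0.5", 40001, 80, "PA", b"GET /" + b"A" * 600 + b" HTTP/1.1\r\nHost: www\r\n\r\n"),
        Packet(3.0, "tcp", "10.0.0.3", "10.0.0.5", 40002, 8080, "PA", b"cmd=;/bin/sh -c id"),
        Packet(4.0, "tcp", "10.0.0.5", "10.0.0.5", 80, 80, "S"),
    ]
    # SYN flood: 25 SYNs from different sources to one server within 250 ms.
    pkts += [Packet(10.0 + i * 0.01, "tcp", f"192.0.2.{i}", "10.0.0.5", 1024 + i, 80, "S") for i in range(25)]
    # Port scan: one source touching 15 different ports within 150 ms.
    pkts += [Packet(20.0 + i * 0.01, "tcp", "198.51.100.7", "10.0.0.5", 50000, 1 + i, "S") for i in range(15)]
    return pkts


def run(packets):
    sensor = Sensor()
    for p in packets:
        sensor.process(p)
    return sensor.alerts


if __name__ == "__main__":
    for a in run(sample_traffic()):
        print(a["timestamp"], a["rating"], a["event"], a["session"], a["state"])
```

Two design points worth noting: the signature rules are stateless and fire per packet, whereas the anomaly detectors need per-destination and per-source state over a sliding window; and each anomaly alert is raised once per offending key rather than once per packet, otherwise a flood of 25 SYNs would itself flood the analyst with alerts.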