Intrusion Detection
What is an Intrusion?
Literal meaning: An intrusion is an unwelcome interruption, or a situation where somewhere private has an unwelcome visit or addition. Computer security: To compromise a computer system by breaking the security of such a system or causing it to enter an insecure state.
Principles
Characteristics of a computer system that is not under attack: (1) The actions of users and processes generally conform to a statistically predictable pattern. A user who does only word processing when using the computer is unlikely to perform a system maintenance function. (2) The actions of users and processes do not include sequences of commands to subvert (threaten) the security policy of the system. In theory, any such sequence is excluded; in practice, only sequences known to subvert the system can be detected. (3) The actions of processes conform to a set of specifications describing actions that the processes are allowed to do (or not allowed to do).
Principles
A computer under attack (intrusion) fails to meet at least one of the previous characteristics. Basic detection: The characteristics listed above guide the detection of intrusions.
Attack tools and intrusion detection system
An attack tool is an automated script designed to violate a security policy. An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces electronic reports to a management station. How is an IDS different from a firewall?
Goal of IDS
Detect a wide variety of intrusions: inside / outside, viruses, worms, Trojan horses, keyloggers. Detect intrusions in a timely fashion: timely, not necessarily in real time. Real-time intrusion detection raises the issue of responsiveness. Delayed intrusion detection is probably useless. Present the analysis in a simple, easy-to-understand format. Be accurate. False positive: reports an attack when there is no attack. False negative: fails to report an attack when one is occurring.
Model
There are different models. A model can be adaptive or static. Adaptive: models that alter their behavior on the basis of system states or conditions. Static: models that are initialized from collected data and do not change. Other basic models: anomaly modeling, misuse modeling, specification modeling.
Anomaly Modeling
Analyzes a set of characteristics of the system and compares their behavior with a set of expected values. Uses the assumption that unexpected behavior is evidence of an intrusion. E.g.: Microsoft Windows locks a user out after some number n of failed login attempts; an ATM blocks a user account after n attempts.
Misuse Modeling
Misuse detection determines whether a sequence of instructions being executed is known to violate the site security policy. If so, it reports a potential intrusion. Requires knowledge of system vulnerabilities. We define abnormal system behavior first, and then define any other behavior as normal behavior. In other words, anything we don't know is normal.
Specification Modeling
Specification-based detection determines whether or not a sequence of instructions violates a specification of how a program, or system, should execute. If so, it reports a potential intrusion. How it differs from the previous two models: Anomaly detection: the art of looking for unusual states. Misuse detection: the art of looking for states known to be bad. Specification detection: looks for states known not to be good. When the system enters such a state, it reports a possible intrusion.
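The three models side by side, as an added example that is not part of the original slides. The action names, the training history, the signature and the allowed set are all constructed for illustration.

```python
from collections import Counter

# Constructed training history for one user (assumption): word processing only.
HISTORY = ["open_doc", "edit_doc", "save_doc", "print_doc"] * 25

# Constructed misuse signature: an ordered sequence known to violate policy.
SIGNATURES = {"privilege_change": ["copy_program", "set_privileged_bit", "run_program"]}

# Constructed specification: the only actions this process is allowed to perform.
SPEC_ALLOWED = {"open_doc", "edit_doc", "save_doc", "print_doc", "copy_program"}


def anomaly(history, trace, min_freq=0.01):
    """Anomaly model: flag actions whose historical frequency is below min_freq."""
    counts, total = Counter(history), len(history)
    return [a for a in trace if counts[a] / total < min_freq]


def misuse(signatures, trace):
    """Misuse model: report signatures whose steps occur, in order, in the trace."""
    hits = []
    for name, steps in signatures.items():
        it = iter(trace)
        if all(step in it for step in steps):  # ordered subsequence match
            hits.append(name)
    return hits


def specification(allowed, trace):
    """Specification model: flag every action outside the allowed set."""
    return [a for a in trace if a not in allowed]


def classify(trace):
    """Run one trace through all three models and collect what each reports."""
    return {
        "anomaly": anomaly(HISTORY, trace),
        "misuse": misuse(SIGNATURES, trace),
        "specification": specification(SPEC_ALLOWED, trace),
    }
```

A trace such as ["open_doc", "rotate_logs"] is reported by the anomaly and specification models but not by the misuse model, which has no signature for it.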
Architecture
An IDS is like an automated auditing mechanism. It consists of three parts. Agent: corresponds to the logger. It acquires information from a target (such as a computer system). Director: corresponds to the analyzer. It analyzes the data as required, then passes information to the notifier. Notifier: determines whether and how to notify the necessary entity.
Agent
Obtains information from a data source. The source may be a log file, another process, or a network. Acquired information is sent to the director. Sometimes preprocessing is required to convert it into a specific format. Example: The agent sends the time and location of failed login attempts to the director. The director waits for a certain number of failed login attempts and may disable the account.
Agent: Types
Host-based information gathering: Usually uses system and application logs to obtain records of events and analyzes them to determine what to pass to the director. The logs may be security-related or other logs. Network-based information gathering: Uses a variety of devices and software to monitor network traffic. It can detect network-oriented attacks like denial of service and DNS poisoning. May use network sniffing to read the network traffic.
Agent: Types (2)
Combined sources: An aggregate of the information needed, collected from both host and network.
Director
Analyzes the data from the agent as required. The director itself reduces the incoming log entries to eliminate unnecessary and redundant records. It then uses an analysis engine to determine whether an attack is underway. It may use any of, or a mixture of, several techniques to perform its analysis. The functioning of the director is crucial to the effectiveness of the intrusion detection system. It may use a dedicated system.
Notifier
The notifier accepts information from the director and takes appropriate action. It notifies the user if necessary. It may use a graphical interface: a graph showing the spread of worms, or a red / green signal to show whether the system is under attack or not.
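The agent, director and notifier applied to the failed-login example from the Agent slide, as an added example that is not part of the original slides. The log line format, the threshold n = 3 and the five-minute window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log (the line format is an assumption for this example).
LOG = """\
2024-05-01T10:00:01 host=ws12 user=alice result=FAIL
2024-05-01T10:00:01 host=ws12 user=alice result=FAIL
2024-05-01T10:00:09 host=ws12 user=alice result=FAIL
2024-05-01T10:00:15 host=ws07 user=bob result=OK
2024-05-01T10:00:20 host=ws12 user=alice result=FAIL
2024-05-01T10:30:00 host=ws07 user=bob result=FAIL
""".splitlines()


def agent(lines):
    """Agent: read the source, convert to a common format, forward failures only."""
    for line in lines:
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        if rec.get("result") == "FAIL":
            yield (datetime.fromisoformat(ts), rec["host"], rec["user"])


def director(events, n=3, window=timedelta(minutes=5)):
    """Director: drop redundant records, then flag n failures within the window."""
    seen, recent, alerts = set(), {}, []
    for ev in events:
        if ev in seen:          # redundant (duplicate) record from the source
            continue
        seen.add(ev)
        ts, host, user = ev
        times = [t for t in recent.get(user, []) if ts - t <= window] + [ts]
        recent[user] = times
        if len(times) == n:     # fire once, when the threshold is reached
            alerts.append({"user": user, "host": host, "time": ts, "count": n})
    return alerts


def notifier(alerts):
    """Notifier: decide whether and how to notify; here, one message per alert."""
    return [f"{a['time'].isoformat()} disable account {a['user']}: "
            f"{a['count']} failed logins, last from {a['host']}" for a in alerts]


def run(lines=LOG):
    """Chain the three parts over a list of log lines."""
    return notifier(director(agent(lines)))
```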
Organization of IDS
An IDS can be organized in several ways. Three paradigms are used in these slides to organize an IDS: first, examine network traffic; second, explore how to combine network and host sources; third, distribute the director among multiple systems.
Monitoring Network Traffic for Intrusion: NSM
Develops a profile of expected usage of the network and compares current usage with that profile. Runs on a local area network. Measures network utilization and other characteristics. Reports anomalous behavior over the network. E.g.: NSM (Network Security Monitor) monitors the source, destination and service of network traffic. It provides a graphical user display to enable the system security officer to see the state of the network at a glance.
Combining Host and Network Monitoring: DIDS
Combines the abilities of NSM with intrusion detection monitoring of individual hosts. Motivation: neither network-based nor host-based monitoring is sufficient. E.g.: An intruder attempting to log on to a system without a password won't be detected by network-based monitoring. An intruder using the network to use resources won't be detected by host-based monitoring. The Distributed Intrusion Detection System (DIDS), created in 1991 at the University of California, is the example. It used a network identification number (NID) to identify a user.
Autonomous Agents: AAFID
The previous two models have a single point of failure, i.e., the director. Solution: Partition the IDS into multiple components that function independently of one another and yet communicate to correlate information. E.g.: Autonomous Agents for Intrusion Detection (AAFID). All modern IDS use this approach.
Intrusion Response
Once an intrusion is detected, how can the system be protected? Intrusion response deals with this problem. Its goal is to handle the attempted attack in such a way that the damage is minimized. Response takes two forms: incident prevention and intrusion handling.
Incident Prevention
Intrusion attempts are detected and stopped before they succeed. Involves closely monitoring the system and taking action to defeat the attack. E.g.: Lock the system after n unsuccessful login attempts. Jailing of the attacker: allows attackers to think that their attack has succeeded, but places them in a confined area in which their behavior can be controlled and even manipulated.
Intrusion Handling
The security policy of the site is violated after an intrusion. Handling the intrusion means restoring the system to comply with the site security policy AND taking the action against the attacker that the policy specifies. Consists of six phases.
Six phases of intrusion handling
1. Preparation for an attack: This step occurs before any attacks are detected. It establishes procedures and mechanisms for detecting and responding to attacks. 2. Identification of an attack: This triggers the remaining phases. 3. Containment (confinement) of the attack [containment = control]: This step limits the damage as much as possible.
Six phases of intrusion handling (2)
4. Eradication of the attack: This step stops the attack and blocks further similar attacks. 5. Recovery from the attack: This step restores the system to a secure state (with respect to the site security policy). 6. Follow-up to the attack.
Containment Phase
Literal meaning: control, suppression. Means limiting the access of the attacker to system resources. The domain of the attacker is reduced as much as possible. Two approaches: passive monitoring, and constraining access to prevent further damage. [Damage: any action that causes the system to deviate from a secure state]
Containment Phase (2)
Passive monitoring: Simply records the attacker's actions for later use. Does not interfere with the attacker. It reveals information about the attack and, possibly, the goals of the attacker. Constraining access to prevent further damage: Steps are taken to constrain the actions of the attacker. The protection domain of the attacker is reduced.
Eradication Phase
Means stopping the attack. The usual approach is to deny access to the system completely or to terminate the processes involved in the attack (such as terminating the network connection). Ensures that the attack does not immediately resume. A common method for implementing blocking is to place a wrapper around the suspected target.
Follow-Up Phase
In this phase, some action external to the system is taken against the attacker. Involves taking action against the attacker, identifying problems in the handling of the incident, and recording lessons learned. Pursue some form of legal action. Counterattacking takes two forms. Legal mechanism: such as filing complaints; requires evidence. Technical attack: damage the attacker seriously, discourage future attacks.
Consequences to be considered during a counterattack
May harm an innocent party: the attacker may be an impostor. May have side effects. The counterattack is antithetical to the shared use of a network (antithetical: directly opposed or contrasted; mutually incompatible). The counterattack may be legally actionable. Counterattack conclusion: In exceptional circumstances, it may be appropriate. In general, it should be avoided.