Distributed Intrusion Detection
Mamata Desai ( )
M.Tech., CSE dept, IIT Bombay
Overview
– What is intrusion?
– Dealing with intrusion
– Intrusion detection principles
– Our problem definition
– Packages analyzed
– Our approach
– Experiments and results
– Conclusions
What is intrusion?
The possibility of a deliberate, unauthorized attempt to:
1. Access information
2. Manipulate information
3. Render a system unreliable or unusable
Types of intrusions:
– External attacks: password cracking, network sniffing, machine and service discovery utilities, packet spoofing, flooding utilities, DoS attacks
– Internal penetrations: masqueraders (outsiders operating under a legitimate user's identity) and clandestine users (those who evade the audit mechanism, e.g. by seizing supervisory control)
– Misfeasors: legitimate users misusing the access they are authorized to have
Example attacks
– Password cracking
– Buffer overflow
– Network reconnaissance (host and port scanning)
– Denial of service (DoS)
– IP spoofing
Dealing with intrusion
– Prevention: isolate from the network, strict authentication, encryption
– Preemption: "do unto others, before they do unto you"
– Deterrence: dire warnings ("we have a bomb too")
– Deflection: diversionary techniques (e.g. decoy hosts) that lure the attacker away from real assets
– Countermeasures
– Detection: the subject of this talk
Intrusion detection principles
Anomaly-based
– Build a model of what constitutes "normal" and choose a threshold beyond which activity is flagged as "abnormal"
– Weakness: abnormal is not the same as illegal, so unusual but legitimate activity raises false alarms
Signature-based
– Model the signatures of known attacks and flag traffic that matches those patterns
– Weakness: cannot detect new (previously unseen) intrusions
Compound: combines both approaches
System characteristics
– Time of detection (real-time v/s after the fact)
– Granularity of data processing
– Source of audit data
– Response to detected intrusions: passive v/s active
– Locus of data processing
– Locus of data collection
– Security of the IDS itself
– Degree of inter-operability
Host-based v/s Network-based IDS
Host-based IDS
1. Verifies the success or failure of an attack
2. Monitors specific system activities
3. Detects attacks that network-based systems miss
4. Well suited to encrypted and switched environments (it sees data on the host, after decryption)
5. Near-real-time detection and response
6. Requires no additional hardware
7. Lower cost of entry
…contd.
Network-based IDS
1. Lower cost of ownership
2. Detects attacks that host-based systems miss
3. More difficult for an attacker to remove evidence
4. Real-time detection and response
5. Detects unsuccessful attacks and malicious intent
6. Operating-system independence
7. Performance issues at high traffic rates (a drawback)
Our problem definition
Portscanning
Our laboratory setup:
– Multiple machines with similar configuration
– A portscan may target a single machine
– A distributed portscan spreads small, evasive scans over multiple machines, so that no single source or target sees enough probes to trip a simple threshold
Aim: detect such distributed scans
Typical lab setup
Types of portscans
Scan types (nmap -sT, -sS, -sF, -sX, -sN respectively):
– TCP connect() scan (full three-way handshake)
– Stealth SYN scan (half-open: handshake aborted with RST)
– Stealth FIN scan (lone FIN segment)
– Xmas scan (FIN+PSH+URG)
– Null scan (no flags set)
Scan sweeps, counting scanning sources against scanned targets:
– One-to-one, one-to-many, many-to-one, many-to-many
Normal sequence of packets
Source                           Network message        Target
Send SYN, seq=x                  →                      Receive SYN segment
Receive SYN+ACK segment          ←                      Send SYN, seq=y, ACK x+1
Send ACK y+1                     →                      Receive ACK segment
… more packet exchanges (data), then teardown with FIN/RST segments, all carrying ACK
Stealth SYN scan
Source                           Network message        Target
Send SYN, seq=x                  →                      Receive SYN segment
Receive SYN+ACK segment          ←                      Send SYN, seq=y, ACK x+1
Send RST                         →                      Receive RST
The handshake is never completed, so the target application never sees a connection; a closed port answers the SYN with RST instead of SYN+ACK, which is how the scanner tells open from closed.
Stealth FIN scan
Source                           Network message        Target
Send FIN                         →                      Receive FIN
A lone FIN (no ACK bit) belongs to no established connection: a closed port answers with RST, an open port stays silent (RFC 793 behaviour), so the scanner infers open ports from the absence of a reply.
Stealth Xmas scan
Source                           Network message        Target
Send FIN+PSH+URG                 →                      Receive FIN+PSH+URG
Same open/closed inference as the FIN scan; the flag combination never occurs in legitimate traffic, which makes it a clean signature.
Packages analyzed
Sniffit
– A network sniffer for TCP/UDP/ICMP packets
– Interactive mode
Tcpdump
– A tool for network monitoring and data acquisition
Nmap
– "Network mapper" for network exploration and security auditing
– Various types of TCP/UDP scans, ping scans
…contd
Portsentry
– Host-based TCP/UDP portscan detection and active defense system
– Stealth scan detection
– Reacts to portscans by blocking the scanning host
– Internal state engine to remember previously connected hosts
– All violations reported to syslog
Snort
– Network-based IDS: real-time analysis and traffic logging
– Content searching/matching to detect attacks and probes: buffer overflows, CGI attacks, SMB probes, OS fingerprinting attempts
– Rules language to describe traffic to collect or pass
– Alerts via syslog, user files, WinPopUp messages
– 3 functional modes: sniffer, packet logger, NIDS
…contd
Portsentry
– Binds to all the ports to be monitored
– Monitors a static "list" of ports
– State engine keyed by remote host
Snort
– Portscan preprocessor: flags a source that connects to P ports within T seconds
– V1.8: only one-to-one and one-to-many portscans detected; because the count is kept per source, a scan split across several sources (many-to-one, many-to-many) stays under the threshold
Our approach
– Pick up network packets
– Based on the type of portscan to be analyzed, identify the scan signature
– Add each source and target IP address to the correlation lists
– Use the correlation lists to infer the scan sweep: one-to-one, one-to-many, many-to-one, many-to-many
Experimental Setup
Detection algorithm
– Examine each TCP packet on the network.
– Extract the source and target IP addresses and ports.
– For each scan type to be detected, maintain a list of "valid" (in-progress) connections.
– When a scan signature is detected, add the source and target IP addresses to the two correlation lists indexed by srcIP and tarIP, and remove the entry from the connections list.
…contd
– The two correlation lists have identical structure: each records source and target IP addresses along with the number of scans seen.
– Scan sweeps (one-to-one, one-to-many, many-to-one, many-to-many) are detected by passes through the correlation lists: a source listed against several targets is fanning out, a target listed against several sources is being fanned into, and a pair with both properties belongs to a many-to-many sweep.
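The scan signatures from the sequence diagrams, the per-source "P ports in T seconds" rule of the Snort preprocessor, and the correlation-list algorithm above, worked through in Python as an added example for this page; it is not the talk's detector. The hosts pro-11 and pro-12, the source ports, the timings and the probe sequences are constructed; the three scanning sources and their ports are taken from the many-to-one experiment. The trace is deliberately built so that each source touches only three ports, which stays under the per-source threshold while the correlation lists still expose the many-to-one sweep.

```python
from collections import defaultdict

# TCP header flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class ScanDetector:
    """Per-packet and per-handshake scan signatures plus srcIP/tarIP correlation lists."""

    def __init__(self):
        self.pending = {}  # in-progress handshakes, keyed by (src, dst, sport, dport) of the initiator
        # correlation lists: source -> {target -> {ports}} and target -> {source -> {ports}}
        self.by_src = defaultdict(lambda: defaultdict(set))
        self.by_target = defaultdict(lambda: defaultdict(set))
        self.scan_count = defaultdict(int)  # (src, target, kind) -> number of scan packets

    def _record(self, kind, src, dst, dport):
        self.by_src[src][dst].add(dport)
        self.by_target[dst][src].add(dport)
        self.scan_count[(src, dst, kind)] += 1
        return kind

    def feed(self, src, dst, sport, dport, flags):
        """Process one TCP segment; return the scan kind matched, or None."""
        # Stateless signatures: a legitimate connection never sends these, because
        # every segment after the initial SYN carries the ACK bit.
        if flags == 0:
            return self._record("null", src, dst, dport)
        if flags == FIN:
            return self._record("fin", src, dst, dport)
        if flags == FIN | PSH | URG:
            return self._record("xmas", src, dst, dport)
        key = (src, dst, sport, dport)
        if flags == SYN:  # initiator opens: enter the "valid connections" list
            self.pending[key] = "syn"
            return None
        reply_key = (dst, src, dport, sport)  # target -> initiator direction
        if flags == SYN | ACK and self.pending.get(reply_key) == "syn":
            self.pending[reply_key] = "synack"
            return None
        if self.pending.get(key) == "synack":
            del self.pending[key]  # handshake resolved either way: drop from the connections list
            if flags & RST:  # RST instead of the final ACK: half-open SYN scan
                return self._record("syn", src, dst, dport)
        return None

    def sweeps(self):
        """Classify every scanning (source, target) pair by walking both correlation lists."""
        result = {}
        for src, targets in self.by_src.items():
            for dst in targets:
                fan_out = len(self.by_src[src]) > 1  # this source hit several targets
                fan_in = len(self.by_target[dst]) > 1  # this target was hit by several sources
                result[(src, dst)] = ("many-to-many" if fan_out and fan_in else
                                      "one-to-many" if fan_out else
                                      "many-to-one" if fan_in else "one-to-one")
        return result


def threshold_alerts(trace, ports=5, window=3.0):
    """Per-source 'P distinct ports within T seconds' rule, the Snort 1.x style check."""
    history = defaultdict(list)  # src -> [(time, dport)] of recent connection attempts
    alerts = set()
    for t, src, _dst, _sport, dport, flags in trace:
        if flags & SYN and not flags & ACK:
            recent = [(t0, p) for t0, p in history[src] if t - t0 <= window] + [(t, dport)]
            history[src] = recent
            if len({p for _, p in recent}) >= ports:
                alerts.add(src)
    return alerts


def handshake(t, src, dst, dport, final, sport=40000):
    """Constructed exchange: SYN, SYN/ACK from the target, then the initiator's final
    segment, ACK for a real connection or RST for a half-open SYN scan."""
    return [(t, src, dst, sport, dport, SYN),
            (t + 0.001, dst, src, dport, sport, SYN | ACK),
            (t + 0.002, src, dst, sport, dport, final)]


def build_trace():
    """Constructed trace: one normal connection, one FIN scan, and a SYN scan of
    pro-21 split over three sources (hosts named like the talk's pro-NN machines)."""
    trace = handshake(0.0, "pro-11", "pro-19", 80, ACK)
    trace += [(0.5, "pro-12", "pro-19", 40001, 25, FIN),
              (0.6, "pro-12", "pro-19", 40001, 119, FIN)]
    t = 1.0
    for src, ports in (("pro-13", (443, 513, 518)), ("pro-15", (873, 3130, 6667)),
                       ("pro-17", (107, 20, 21))):
        for p in ports:  # three ports per source: below a per-source threshold of five
            trace += handshake(t, src, "pro-21", p, RST)
            t += 0.1
    return trace


def analyse(trace):
    """Return (sweep classification from the correlation lists, per-source threshold alerts)."""
    det = ScanDetector()
    for _t, src, dst, sport, dport, flags in sorted(trace):
        det.feed(src, dst, sport, dport, flags)
    return det.sweeps(), threshold_alerts(trace)


if __name__ == "__main__":
    sweeps, alerts = analyse(build_trace())
    print(sorted(sweeps.items()), "threshold alerts:", alerts or "none")
```

Run stand-alone, the script lists each scanning pair with its sweep type: the three sources probing pro-21 come out as many-to-one and pro-12 as one-to-one, while the normal connection from pro-11 is never entered in the correlation lists; the per-source threshold rule raises no alert at all on the same trace. The TCP connect() scan is not matched here, because at the packet level its handshake is identical to a legitimate connection.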
Experiments
One-to-one scan
Source   Target   TCP ports
pro-13   pro-19   25, 119
pro-15   pro-21   21, 23, 80
pro-17   pro-23   22, 79

One-to-many scan
Source   Target                   TCP ports
pro-13   pro-19, pro-21, pro-23   7, 20, 21, 22, 23, 25, 53, 69, 79, 80, 88
pro-15   pro-19, pro-?            ?, 111, ?, 143, 194, 220   (? marks a value lost in extraction)
…contd
Many-to-one scan
Source   Target   TCP ports
pro-13   pro-21   443, 513, 518
pro-15   pro-21   873, 3130, 6667
pro-17   pro-21   107, 20, 21, 23

Many-to-many scan
Source   Target                   TCP ports
pro-13   pro-19, pro-21, pro-23   7, 20, 21, 79, 80, 113, 119, ?, 194, 667   (? marks a value lost in extraction)
pro-15   …                        …
pro-17   …                        …
Conclusions
– All the scans performed by nmap were detected successfully by our detector, and the sweep correlations were accurate.
– A few stray ident (TCP port 113) lookups were misclassified as scans, because of the way closed ports respond to them.