Intrusion Detection Systems Sai Nandoor Priya Selvam Balaji Badam
How insecure are we? Attacks on computer infrastructures are a serious problem. Information theft is up over 250% in the last 5 years. 99% of all major companies report at least one major incident. Telecom and computer fraud totaled $10 billion in the US alone. *Source: Eugene H Spafford. Security Seminar, Department of Computer Sciences, Purdue University, Jan 1996.
IDS Based on Data Source Host Based IDS –Its role is to identify tampering or malicious activity occurring on the system. –This is achieved by monitoring log files, users, and the file system. Network Based IDS –Its role is to identify tampering or malicious activity occurring in the network traffic. –This is achieved by monitoring network traffic on the wire for specific activities/signatures that represent an attack. Hybrid IDS –Combination of network and host based IDS.
Host Based - Network Based
Advantages NetworkHost Lowers cost of ownershipLower cost of entry Detects what HIDS missDetects what NIDS miss Difficult to remove evidenceVerifies success/failure of attack Real-time detection & responseSuited for encrypted environments Detects unsuccessful attacksMonitors specific activities OS independentRequires no additional hardware
Host Based IDS Specific files to be monitored are defined in a configuration file. Digest of the file is stored in a database. Multiple digest algorithms can be used. Examples: TRIPWIRE/AIDE/SAMHAIN
TRIPWIRE Can be reconfigured to prevent false-alarms. Flexible policy language with predefined policy files and wildcard support. AIDE Similar to lighter version TRIPWIRE SAMHAIN Support for Stealth mode of operation. Encrypted and authenticated client/server connections.
Network Based IDS Packet Sniffing front end. Pattern matching engine. Backend database. Examples: SNORT/SHOKI/BRO
SNORT Provides its own language. Passive, doesn’t terminate malicious activity. SHOKI Multi-filter rule sets that match individual packets. SNORT rules can be converted to SHOKI filters. BRO Can also operate as packet sniffer/logger. Flexible rule based language to describe traffic. Can perform protocol analysis, content searching/matching.
SNORT Rules var EXTERNAL_NET ![ /16, /16] var HTTP_SERVERS [ /16, /16] var HTTP_PORTS 80 preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace output alert_fast: alarms.log include file1.config alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)
Bro’ Rules rule sid-1328 { header ip[9:1] == 6 header ip[12:4] != /16, /16 header ip[16:4] == /16, /16 header tcp[2:2] == 80 tcp-state originator,established http /.*[\/\\][bB][iI][nN][\/\\][pP][sS]/ msg "WEB-ATTACKS ps command attempt" } SHOKI Rules tcp THRESHOLD:1:10:20 SAMP-6 http h([t]*p):// ALL tcp HOST_SCAN:2:20:40 SAMP-7 host scan NULL ALL tcp PORT_SCAN:3:30:50 SAMP-8 p_scan 0x ALL
ACID screen capture for SNORT
Hybrid IDS Can be clustered Centralized database Provides file protection by using digest Network sensing using packet sniffing Blends strengths of HIDS & NIDS Examples: MANHUNT/PRELUDE/DRAGON
MANHUNT Detects new and modified attacks Dynamically reassign ports scanned Flowchaser and Trackback to fight DDoS PRELUDE Incorporates information from other IDS Provides hooks to firewalls, honeypots, etc Uses multiple sensors and a report server DRAGON Provides IDS evasion counter measures, by Keeping a large database of known hacker techniques and searching for anomalies.
Goals Design a hybrid system Send instantaneous alerts to network administrator and other hosts Use secure communication channels Keep configuration file secure Keep checksum database secure Maintain list of intruders Maintain a log of attacks
Design Intruder Database Firewall Other Hosts Administrator Host
Implementation Dedicated Sockets for Communication Messages encrypted using AES Configuration file included in list of secure files Checksums encoded using AES Network Administrator maintains log of intrusions Hosts maintain a list of intruders
Sample execution
Future Work Network sensors to defend DDoS attacks Incorporate different hashing algorithms Add feature to track sources of DDoS Incorporate data from existing IDS Add a file change notification component Lessons Learned Hybrid IDS involves a lot of components Comm. between hosts and admins must be secure Configuration files are vulnerable Hybrid IDS provides better security
References Intrusion Detection Systems By Ricky M. Magalhaes An Introduction to Intrusion Detection By Aurobindo Sundaram, ACM Crossroads Network Vs. Host Based Intrusion Detection IDS Products Intrusion Detection and Network Auditing on the Internet