Intrusion Detection CS-480b Dick Steflik

Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan promising ports for openness (80, 21, …) Service Evaluation determine the OS Target Selection pick the most vulnerable host, most running services... Vulnerability Probes Automated password attacks FTP, HTTP, NetBIOS, VNC PCAnywhere…. Application specific attacks try known vulnerabilities on present services

Intrusion Detection Systems (IDS) Inspection Based (Signature Based) Uses a database of known attack signatures observe the activity on a host or network and make judgements about whether or not an intrusion is in progress or has taken place look for known indicators –ICMP Scans, port scans, connection attempts –CPU, RAM I/O Utilization –File system activity, modification of system files, permission modifications Anomaly Based baseline the normal traffic and then look for things that are out of the norm Variations of IDS Rule based Statistical Hybrid

Decoys/Honeypots Purposely place an incorrectly configured or unprotected system where it is easily found so that a hacker will try to use it as an attack vector. All accesses will set off alarms that indicate an intrusion is in progress

IDS Systems Tripwire Windows or UNIX alarms on modification to system files c:\ c:\WINNT c:\WINNT\system c:\WINNT\system32 CyberCop Network Assoc. –suite of 4 ID tools Sun/Symantec iForce IDS Appliance Sun/Solaris and Symantec’s ManHunt IDS –ID Analysis at 2 Gbits /sec –ManHunt uses distributed network sensors and a variety of methods to identify threats, including protocol-anomaly detection, signature detection, traffic-state profiling and statistical flow analysis.

SNORT Open Source ( ) Uses: Packet Sniffer produces a tcpdump formatted output Packet Logger can log packets so that after-the-fact data mining tools can be used for analysis –Traffic Debugging and Analysis Can design a ruleset that recognizes certain traffic patterns Can do both anomaly based and Inspection based detection SPADE (Silicon Defense) – a SNORT preprocessor that logs anomalies for later analysis

ActiveScout ForeScout Technologies ( ) Intrusion Prevention Tool Method: Watches for hacker reconnaissance (port scans, NetBios Scans, ect.) Return bogus info to hacker If hackers attempts to break in with the bogus data Active Scout sets off alarms or block any further traffic for the intruder Downside: only works in conjunction with Check Point’s Firewall-1 Requires little administration and eliminates many false positives Cost w/T1 port is about $10K

Manhunt Symantec Corp. ( ) Advanced Threat Management System Signature based hybrid detection protocol anomaly detection traffic rate monitoring protocol state tracking IP packet reassembly to provide a level of detection superior to other, signature- based systems. These detection capabilities can identify threats in real time, eve Real-time Analysis and Correlation collects information from security devices throughout the network to spot trends Automatic Policy Based Responses Scaleable Across Geographic Areas of an Enterprise one Manhunt can be configured across 10 network segments

Watson Researchers Kanad Ghose Doug Summerville Viktor Skormann Mark Fowler