Bro: A System for Detecting Network Intruders in Real-Time
Presented by Zachary Schneirov, CS 395-0, Professor Yan Chen

Presentation transcript:

What is Bro?
– Bro is a stand-alone system that observes network traffic directly to detect intruders
– Emphasizes monitoring over blocking

Goals
– High-speed passive network monitoring: 100 Mbps at most
– Real-time notifications
– Division between policy and mechanism
– Extensibility
– Assumption that the monitor will be attacked
– Should be difficult for users to make mistakes

System structure/flow
Network -> Packet filter -> Event engine -> Policy script interpreter -> Real-time notifications, other actions

As the abstraction level increases from one stage to the next, the volume of data decreases, so more processing can be afforded at each level

Packet filter
– Uses libpcap for platform independence
– With BPF, packet discarding can occur in kernel space
– Captures only headers for packets with the SYN, FIN, or RST flags set
– Captures the entire packet otherwise

Event engine
– Tracks TCP connection states
– Upon receiving an initial SYN, generates the following events:
  – SYN-ACK: connection_established
  – RST: connection_rejected
  – FIN: connection_finished
– For UDP, udp_request and udp_reply are generated based on source and destination addresses

Policy scripts
– Grabs events asynchronously from a FIFO queue
– Executes policy scripts written in a special Bro language
– Calls predefined handlers in the script for the different events generated

Event actions
– Scripts can generate new events from an event handler
– Log notifications with syslog
– Write packet traces to disk
– Or modify internal state for further processing
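An added example (not Bro's own code, which is C++) of the pipeline the last three slides describe: a small event engine that tracks TCP state per connection and queues connection_established, connection_rejected and connection_finished, plus a policy layer that drains the FIFO and calls the handler registered for each event name. The addresses, ports and packet trace are constructed for the demo.

```python
from collections import deque
SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10   # TCP header flag bits
class EventEngine:
    def __init__(self):
        self.conns = {}       # (orig, oport, resp, rport) -> connection state
        self.queue = deque()  # FIFO of (event_name, conn_key) for the policy layer
    def _key(self, src, sport, dst, dport):
        # Map both directions onto the record opened by the initial SYN
        rev = (dst, dport, src, sport)
        return rev if rev in self.conns else (src, sport, dst, dport)
    def packet(self, src, sport, dst, dport, flags):
        k = self._key(src, sport, dst, dport)
        st = self.conns.get(k)
        if st is None:
            if flags & SYN and not flags & ACK:       # only an initial SYN opens a record
                self.conns[k] = "SYN_SENT"
        elif st == "SYN_SENT":
            if flags & SYN and flags & ACK:           # SYN-ACK answers the handshake
                self.conns[k] = "ESTABLISHED"
                self.queue.append(("connection_established", k))
            elif flags & RST:                         # RST in reply to the SYN
                self.conns[k] = "CLOSED"
                self.queue.append(("connection_rejected", k))
        elif st == "ESTABLISHED" and flags & FIN:     # first FIN starts an orderly close
            self.conns[k] = "CLOSED"
            self.queue.append(("connection_finished", k))

def run_policy(engine, handlers, log):
    # Policy layer: drain the FIFO and call the handler registered for each event;
    # handlers may append to the log, alter state, or queue further events
    while engine.queue:
        name, k = engine.queue.popleft()
        if name in handlers:                          # unhandled events are dropped
            handlers[name](engine, k, log)
    return log

def demo():
    eng = EventEngine()
    handlers = {n: (lambda e, k, log, n=n: log.append("%s %s:%d -> %s:%d" % ((n,) + k)))
                for n in ("connection_established", "connection_rejected", "connection_finished")}
    trace = [  # constructed packets: one completed HTTP session, one refused telnet attempt
        ("10.0.0.1", 40000, "10.0.0.2", 80, SYN),
        ("10.0.0.2", 80, "10.0.0.1", 40000, SYN | ACK),
        ("10.0.0.1", 40000, "10.0.0.2", 80, FIN | ACK),
        ("10.0.0.1", 40001, "10.0.0.2", 23, SYN),
        ("10.0.0.2", 23, "10.0.0.1", 40001, RST | ACK),
    ]
    for pkt in trace:
        eng.packet(*pkt)
    return run_policy(eng, handlers, [])
```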

Bro language
– Designed to "avoid simple mistakes"
– Strongly typed
– Variable references are always valid at runtime
– Domain-specific: variable types include port and addr
– Does not support looping constructs, to ensure constant-time processing

Attacks on the monitor
– Overload
– Crash
– Subterfuge

Overload attack
– Overload the monitor until it drops packets
– Accomplished by indiscriminate flooding
– Or by repeatedly triggering events that require CPU or disk processing
– The attacker then conducts the intrusion while packets are being dropped

Overloading defenses
– The attacker will not always know the full capacity and typical load of the monitor
– The attacker will not know the exact policy conditions and actions
– The event engine can also generate events when packets are dropped

Crashing attack
– Crash the monitor and attempt the intrusion unnoticed
– Find a flaw that triggers an immediate crash
– Or exhaust available memory and/or disk space (e.g. through connection state)

Crashing defenses
– The attacker does not know the size of the disk
– Cannot assume that the monitor will not generate alerts after the disk is full
– The monitor process uses UNIX alarm signals to periodically test availability

Subterfuge
– Relies on unnoticed flaws in the system that create a difference between what the monitor sees and what an end host sees
– Trick the monitor into discarding packets with bad checksums
– Use a TTL that takes packets past the monitoring point but not to the end host
– Set the MTU such that a packet passes through the monitor but is rejected downstream

A sample attack
– Send packets with a smaller TTL containing benign keywords
– Send packets with a TTL that reaches the host containing the actual malicious commands
– Give both sets the same TCP sequence numbers
– The monitor cannot decide which version to accept

Illustration

Subterfuge defenses
– Generate an error upon receiving "retransmitted" packets with different payloads
– "Bifurcating analysis"
  – Spawn multiple threads, one for each possible interpretation of the data
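An added example (not Bro's own code) of the first defense above: per connection and direction it remembers the byte already seen at each sequence number, so a "retransmission" carrying different bytes at the same sequence numbers is reported instead of silently replacing, or being replaced by, the earlier copy. Bifurcating analysis is not implemented here; the connection key and payloads are constructed.

```python
from collections import defaultdict

class RetransmissionCheck:
    def __init__(self):
        self.seen = defaultdict(dict)   # (conn_key, direction) -> {seq number: byte}
        self.alerts = []                # (conn_key, direction, seq, conflicting payload)

    def segment(self, conn, direction, seq, payload):
        # Returns True if the segment agrees with everything seen so far at these
        # sequence numbers (new data or a genuine retransmission), False on conflict
        known = self.seen[(conn, direction)]
        if any(known.get(seq + i, b) != b for i, b in enumerate(payload)):
            # Keep the bytes first seen: the monitor cannot know which copy the end
            # host accepted, so the inconsistency itself is what gets reported
            self.alerts.append((conn, direction, seq, bytes(payload)))
            return False
        for i, b in enumerate(payload):
            known.setdefault(seq + i, b)
        return True

    def stream(self, conn, direction):
        # Reassemble the bytes seen so far, in sequence order
        known = self.seen[(conn, direction)]
        return bytes(known[s] for s in sorted(known))

def demo():
    chk = RetransmissionCheck()
    c = (("10.0.0.1", 40000), ("10.0.0.2", 23))     # constructed telnet connection key
    chk.segment(c, "orig", 1, b"USER alice\r\n")    # occupies seq 1..12
    chk.segment(c, "orig", 1, b"USER alice\r\n")    # genuine retransmission: identical bytes
    chk.segment(c, "orig", 1, b"USER bob\r\n")      # same seq, different bytes: reported
    chk.segment(c, "orig", 13, b"PASS ******\r\n")  # stream continues normally
    return chk
```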

Application-specific processing
– Bro supports the finger, FTP, portmapper, telnet, and rlogin protocols
– The extensible architecture allows easy addition of other protocols

Port scan detection
– Uses predefined thresholds on the number of unique destination peers and ports each source address attempts to connect to
– No restrictions on port or address order
– But generates false positives due to passive connections to FTP servers
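An added example (not Bro's own code) of threshold-based scan detection as the slide describes it: per source address it counts distinct destination peers and distinct destination ports, in any order, and reports the source once when either count reaches its threshold. The thresholds and addresses are constructed; the last client in the demo mimics a passive-FTP client opening data connections to many ports on one server, which trips the port threshold and reproduces the false positive the slide mentions.

```python
from collections import defaultdict

class ScanDetector:
    def __init__(self, addr_threshold, port_threshold):
        self.addr_threshold, self.port_threshold = addr_threshold, port_threshold
        self.peers = defaultdict(set)   # source -> distinct destination addresses
        self.ports = defaultdict(set)   # source -> distinct destination ports
        self.reported = set()           # sources already alerted on (report once each)
        self.alerts = []                # (kind, source)

    def attempt(self, src, dst, dport):
        # Called for every connection attempt (e.g. on each initial SYN);
        # neither address nor port order matters, only the distinct counts
        self.peers[src].add(dst)
        self.ports[src].add(dport)
        if src in self.reported:
            return None
        kind = None
        if len(self.peers[src]) >= self.addr_threshold:
            kind = "address_scan"
        elif len(self.ports[src]) >= self.port_threshold:
            kind = "port_scan"
        if kind:
            self.reported.add(src)
            self.alerts.append((kind, src))
        return kind

def demo():
    # Thresholds are constructed for the demo, not Bro's actual defaults
    det = ScanDetector(addr_threshold=10, port_threshold=8)
    for i in range(1, 13):                    # one host probing port 22 on 12 peers
        det.attempt("192.0.2.9", "10.0.0.%d" % i, 22)
    for p in range(20, 30):                   # one host probing 10 ports on one peer
        det.attempt("192.0.2.10", "10.0.0.1", p)
    for p in (80, 443, 25):                   # ordinary client: stays under both thresholds
        det.attempt("192.0.2.11", "10.0.0.1", p)
    for p in range(50000, 50009):             # passive-FTP client: many data ports, one server
        det.attempt("192.0.2.12", "10.0.0.2", p)
    return det.alerts
```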

Real-world experiences
– Broken TCP implementations generate false positives; these are difficult to differentiate from subterfuge attacks
– Many unbalanced fragmented packets
– Incorrect application protocol implementations also cause problems

Future improvements
– Implement support for more applications
– Actively block bad connections
– Bifurcation analysis
– Sensors on end hosts